Date posted: 28-Nov-2014
Category: Technology
Uploaded by: hurricane-labs
Tom Kopchak
Forensics for the Defense (of your network)
About the Presenter – Who am I?
• Who am I?
• Why am I here, and what got me here?
• Why am I passionate about computer security?
You do "forensics"?!? That sounds awesome!!
The Truth
• Evidence can be hard to come by
• Any and all evidence must be carefully accounted for and documented
• Cases involving movie-like circumstances are few and far between
Forensics = Valuable
• Traditional - Law enforcement
• Emerging - Security
Traditional Forensics – Disks
Next Steps – Memory
Expanding the Scope
Leveraging Forensics for Business
Commonalities
Practical Applications
• Forensic Verification
• Forensic Penetration Testing
• Malware/Exploit/Breach Analysis
A word of caution...
• Permission! Get written authorization before testing any system you do not own
Why Forensics?
• Security is not a checkbox
• Simulate attack
• Identify shortcomings
Forensic Verification
• Applications might store temporary/cached data on disk even when the configuration says they do not
• PCI DSS implications if cardholder data ends up in that cached data
Test Configuration
• Control image (known-clean baseline taken before the test)
• Test cases (run the application through the workflows under test)
• Analysis (compare the post-test image against the control and examine what changed)
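The control-image / test-case / analysis loop above, as an added example that is not the presenter's code: the two images are assumed to be mounted read-only (or extracted) at two directory paths, every file that is new or modified relative to the control image is scanned for card-number-shaped digit runs, and only runs that pass the Luhn check are reported. The directory names, file names and card numbers are constructed sample data (4111 1111 1111 1111 is a standard test number), not from any real case.

```python
"""Forensic verification: diff a post-test image against a control image and
scan only the files the test case touched for cardholder data."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(data: bytes) -> list[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    out = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            out[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return out


def changed_files(control: Path, test: Path) -> list[str]:
    """Files that are new in the test image or whose content differs from the control."""
    base, after = snapshot(control), snapshot(test)
    return sorted(p for p, h in after.items() if base.get(p) != h)


def verify(control: Path, test: Path) -> dict[str, list[str]]:
    """Scan only changed files; unchanged files were already present in the baseline."""
    findings = {}
    for rel in changed_files(control, test):
        pans = find_pans((test / rel).read_bytes())
        if pans:
            findings[rel] = pans
    return findings


def build_sample_images(base: Path | None = None) -> tuple[Path, Path]:
    """Constructed stand-in for a mounted control image and a post-test image."""
    base = base or Path(tempfile.mkdtemp())
    control, test = base / "control", base / "test"
    for root in (control, test):
        (root / "app" / "docs").mkdir(parents=True)
        # Identical in both images: documentation quoting a test card number (noise, not a finding).
        (root / "app" / "docs" / "manual.txt").write_bytes(b"Use 4111 1111 1111 1111 in the sandbox.\n")
    # Only in the test image: a cache file the application wrote during the test case.
    (test / "app" / "cache").mkdir()
    (test / "app" / "cache" / "txn.tmp").write_bytes(b"auth ok pan=4111111111111111 exp=0000\n")
    # Also new, but the digit run fails Luhn, so it is not reported as a PAN.
    (test / "app" / "cache" / "session.log").write_bytes(b"id=1234567890123456\n")
    return control, test


if __name__ == "__main__":
    control, test = build_sample_images()
    for rel, pans in verify(control, test).items():
        print(f"{rel}: {pans}")
```

Diffing against the control image first is what keeps the scan honest: a PAN that was already on the baseline (documentation, test fixtures) is not evidence that the application cached anything, so only files the test case created or modified are examined.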
Encrypted Laptop – Stolen!
It’s safe, right?
The Solution – Forensic Penetration Testing
Zero Knowledge vs. Authenticated Testing (the tester holds only the device and no credentials, vs. the tester is given valid credentials)
The Real Test
Fully Encrypted – Administrator Confidence 100%
Starting the Attack
Machine Powered Off – Full Disk Images Created
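Imaging the powered-off machine is where the evidence record starts, and the earlier point that all evidence must be carefully accounted for and documented applies here. Added example, not the presenter's tooling: a Python acquisition routine that streams a block device into an image file, hashes the source bytes as they are read, independently re-hashes the written image, and appends a JSON record to an evidence log. The examiner name, file paths and the temporary "device" are constructed assumptions; on real hardware the source would be something like /dev/sdX behind a hardware write blocker.

```python
"""Dead (powered-off) disk acquisition with integrity verification and an
evidence log.  The demo reads a constructed temp file in place of a device."""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-hundred-GB devices


def hash_file(path: Path) -> dict[str, str]:
    """MD5 and SHA-256 of a file, streamed in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire(device: Path, image: Path, log: Path, examiner: str) -> dict:
    """Copy device -> image, hashing the source bytes as they are read, then
    re-hash the written image and append the result to the evidence log."""
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(device, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    source_hashes = {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}
    image_hashes = hash_file(image)  # second, independent pass over what landed on disk
    record = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "source": str(device),
        "image": str(image),
        "bytes": size,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }
    with open(log, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def verify_image(image: Path, expected_sha256: str) -> bool:
    """Re-check an image later against the SHA-256 recorded at acquisition."""
    return hash_file(image)["sha256"] == expected_sha256


def demo() -> dict:
    """Acquire a constructed fake device (assumption: stands in for /dev/sdX)."""
    work = Path(tempfile.mkdtemp())
    device = work / "fake_device.bin"
    device.write_bytes(os.urandom(3 * CHUNK + 12345))  # deliberately not a CHUNK multiple
    return acquire(device, work / "laptop.dd", work / "evidence.jsonl", examiner="analyst")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two hash sets in the record are the point: the source hash proves what was read, the image hash proves what was written, and any later re-verification that fails against the logged SHA-256 means the image has been altered since acquisition.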
Breakthrough
• Grace period for pre-boot authentication lockout: during the grace period the disk unlocks and the machine boots to the OS logon screen without the pre-boot password being enforced
Mounting the attack
Downgrade memory (typically fitting less RAM so all of physical memory is within the address range the DMA attack can reach) – Leverage DMA (a DMA-capable port on the running, logon-screen machine gives read/write access to physical memory) – Exploit OS (patch the in-memory logon check)
Result: Full Admin Access to Entire System
Failure of Encryption?
• Encryption Did Not Fail! The disk encryption held; the machine was allowed to boot past it
• Convenience vs. Security: the grace period exists to spare users the pre-boot password, and that is exactly what the attack used
• Zero knowledge attack: no credentials, passwords or insider knowledge were needed
Forensics for the Defense – One System at a Time
• System vulnerabilities unknown until tested
• Forensic Penetration testing = same purpose as traditional penetration test
• Learn and improve from mistakes
Conclusions
• Forensic techniques are not just for law enforcement
• Supplement your existing security package
• Provide evidence of due diligence in the event of an incident
• Test your security before someone else does
Wrap Up / Q&A