Date posted: 29-Jan-2018 | Uploaded by: core-security
CONNECT 2017: Security Consulting Services. Which is the best option for me?
Understanding the offering
AGENDA
• Who we are
• Security Consulting Services
• Penetration Test and Red Team
• Software Security Assessment
Diego Sor, Director, Security Consulting Services, Core Security
About me
Technical
• Started experimenting with 8-bit home computers
• BASIC was my first approach to programming
• Hardware and communications fan
• Electronic engineering degree
• In 1998 joined a mobile phone fraud prevention company
• In 2001 joined Core Security as a Windows device driver developer
• In 2006 moved to the SCS team as a security consultant
• Have been managing the Consulting team since 2012
Not so technical
• DIY, music, architecture and playing with my daughter
Security Consulting Services: Who we are
We are a group of security engineers working along with customers to secure their information technology systems.
• SCS has conducted security consulting services since 1997
• We think and act like attackers
• We do vulnerability research
• We keep up to date
Security Consulting Services: Why do customers call us?
• Recent public breaches made them understand that real attackers target organizations like them
• Want to protect PHI or other sensitive information
• Stakeholders want to understand their security posture
• Interested in exercising their security team
• New application features will be put in production soon
• Want to measure their security operations center capabilities
• Deployed new information systems infrastructure
• Stick to compliance programs
Security Services Terms: Terminology nightmare
SECURITY SERVICES
• RED TEAM
• PENETRATION TEST
• SOFTWARE SECURITY ASSESSMENT
Security Consulting Services: Our Services
SECURITY SERVICES
• RED TEAM
• PENETRATION TEST
Security Consulting Services: Red Team and Penetration Test
SCOPE
Systems and components under test. The things you want to secure.
OBJECTIVES
Something to achieve. Concerns you may have and want to be evaluated.
Initial information: the key conversation between consultants and customers.
ACTORS
The individuals carrying out actions. Consultants will mimic attackers using defined profiles.
Red Team: You know you secured your environment
Evaluate the resilience of your organization against real-world attackers. Consultants will find and exploit vulnerabilities while using tactics and techniques (TTP) to avoid detection and persist.
SCOPE: Inclusive
Attackers move freely. Include as many components as possible. Scope limitations create artificial barriers.
OBJECTIVES: Think of threats
Think of worst case scenarios:
1. Cloud admin creds stolen
2. IP documents extracted
ACTORS: Attackers
Consultants mimicking the attacker's techniques and tactics. Liaison with the internal security team is optional.
OUTCOME: Final report
• Vulnerabilities exploited and attack paths
• Description of techniques and tactics
• Level of readiness of your defense team
• Fixes and mitigations
Red Team: Steps to success
• Process is iterative
• Achieve defined objectives while minimizing noise and detection
• May or may not fine-tune the repetitions by liaising with security staff
reconnaissance → compromise → escalate → persist → lateral move/pivoting → cleanup → reconnaissance (repeat) → report
Penetration Test: Want to challenge your security posture
Evaluate the resilience of your organization against real-world attacks. Consultants will find and exploit vulnerabilities to get access to privileged systems and information.
SCOPE: Inclusive
Enumerate components and systems. Networks, applications and users are the usual targets.
OBJECTIVES: Think of threats
Think of worst case scenarios:
1. Cloud admin creds stolen
2. IP documents extracted
ACTORS: Attackers
Consultants mimicking the attacker's techniques.
OUTCOME: Final report
• Vulnerabilities exploited and attack paths
• Description of techniques and tactics
• Fixes and mitigations
Red Team vs Penetration Test: I see a lot of similarities
• It is about challenging the security of an organization
• Attackers can be external or internal to the organization (insider threat)
• Red Team revisits the initial penetration test concept, where noise and detection avoidance were part of the equation
• Penetration Test has evolved into many different practices, creating a softer definition and leaving space for Red Team to add some additional specification
• The key concept is mimicking the attacks you find in real-world scenarios
• A sophisticated real-world attacker will leverage trust relationships to gain access to more valuable information assets
• Liaison with internal security staff leads to the Purple Team concept
Red Team and Penetration Test: What is in scope?
• Time-boxed
• You get X hours of attackers challenging your security; let's see what they can do!
• Attackers do not ask for permission; they use any available means
• External facing servers and services
• Internal servers and services
• Hybrid systems: cloud and on premise
• Organization individuals
  • Phishing campaigns
  • Social engineering activities
KNOWLEDGE: VULNERABILITY ASSESSMENT
Initial step to secure your organization. It finds as many vulnerabilities as possible. Mostly automated tests.
RESILIENCE: PENETRATION TEST
You know you secured your organization. Sophisticated attackers will challenge your security posture.
RESILIENCE AND READINESS: RED TEAM
More sophisticated attackers will challenge the security and readiness of your organization.
Security Services Lifecycle
[Chart: maturity level (vertical axis) over time (horizontal axis), progressing from auditors to attackers]
SECURITY SERVICES
• SOFTWARE SECURITY ASSESSMENT
Security Consulting Services: Software Security Assessment
Software Security Assessment: Definition and key objectives
Assess the security of an application or group of applications and their ability to resist attacks. Evaluate your defensive programming practices.
• In this context an application is a system or group of systems that are logically connected and cooperate to do something
• Consultants find as many vulnerabilities as possible
• Consultants evaluate the code quality in terms of security
• Consultants create running proof-of-concepts of the findings
• Assessing a single isolated application is not exactly a Penetration Test
Software Security Assessment: By Approach
Dynamic Analysis
• Tests carried out on a running application
• May or may not have access to source code
• Consultants mimicking attackers with no or some level of knowledge of the application
Static Analysis
• Full access to the source code and application design
• Deep level of understanding of the source code being tested
• Consultants mimicking an attacker with full source code knowledge
• Consultants acting as security quality assurance
Software Security Assessment: By Source Code Access
White-box
• Consultants have access to source code and documentation
Gray-box
• Consultants have some access to source code and documentation
• Source code for sensitive functions: crypto, storage, authorization and authentication
Black-box
• Consultants have zero access to source code and documentation
• Focused on the exposed interfaces
Software Security Assessment: Vulnerability Categories
Design
• Fundamental mistake: the application does what it is supposed to do, but it is wrong due to a failed specification
Implementation
• The code usually does what it should do, but there is a security problem in the way a specific action is carried out
Operational
• These problems arise when looking at the context in which the software operates. They have to do with the code but also with the operation and environment
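To make the three categories concrete, the following constructed example (added here, not code from the deck or from Core Security) shows one password-reset token service with a design, an implementation and an operational flaw, and the same feature with each addressed. The environment variable name RESET_SECRET and the 15-minute lifetime are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

TTL_SECONDS = 900  # assumed policy: reset links live 15 minutes

class ResetServiceFlawed:
    def __init__(self):
        # Operational: forgetting to set RESET_SECRET silently uses a known key;
        # the code is correct, the deployment environment is the problem.
        self.secret = os.environ.get("RESET_SECRET", "changeme").encode()
        self.issued = {}

    def issue(self, user):
        # Design: the (constructed) spec says "a reset link stays valid until
        # used", so the token is deterministic, reusable and never expires.
        # The code does what was specified; the specification is the flaw.
        token = hashlib.sha256(self.secret + user.encode()).hexdigest()
        self.issued[user] = token
        return token

    def verify(self, user, token):
        # Implementation: right action, wrong way: non-constant-time comparison.
        return self.issued.get(user) == token

class ResetServiceFixed:
    def __init__(self, secret):
        # Operational fix: refuse to start without a real secret.
        if len(secret) < 32:
            raise ValueError("RESET_SECRET must be set to at least 32 bytes")
        self.secret = secret
        self.issued = {}

    def issue(self, user, now=None):
        # Design fix: unpredictable, single-use token with an expiry.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.issued[user] = (token, now + TTL_SECONDS)
        return token

    def verify(self, user, token, now=None):
        now = time.time() if now is None else now
        record = self.issued.pop(user, None)  # consumed on first use
        if record is None:
            return False
        stored, expires_at = record
        # Implementation fix: constant-time comparison.
        return now <= expires_at and hmac.compare_digest(stored, token)
```

In a white-box review the design and operational issues are visible only from the specification and deployment configuration, while the comparison bug is the kind of finding code analysis tools report directly.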
Software Security Assessment: White-box Assessment
• Project setup cost can be high
• Code isolation from 3rd parties
• Sharing intellectual property
• Interaction with developers
• Time and cost intensive
• Testers looking for security bugs and bad code practices
• More in-depth analysis than its black-box counterpart
• Includes the following tasks
  • Code analysis tools
  • Check the code and then... check the code again
Software Security Assessment: Black-box Security Assessment, AKA Application Penetration Test
• Uncover what is visible and exposed
• Short time frame and quick results
• A QA or testing environment can be used for testing
• Works better when source code is also available
• Uncovering vulnerabilities may include
  • Dynamic analysis tools
  • Fuzzing
  • Reverse engineering / decompiling
  • Debugging
  • Instrumentation
Application Types
• Web
• Mobile
• Desktop
• IoT
Final Words: An approach that works for you
• Consultants need to understand customer needs and maturity level
• Think about threats
  • The ones you envision should work as initial objectives
• Do not force a hard scope definition when you do not know
  • Unless you are sure, be as broad as possible
• Be incremental and continuous
• Combine services and approaches
• Services should be able to adapt to your SDLC
THANK YOU