What you Need to Know About Security Vulnerability Assessments that no one is willing to share
Kevin Beaver, CISSP
Independent Information Security Consultant + Writer + Speaker
TechTarget 2013

A bit about Kevin Beaver
- Independent consultant: 24 years experience in IT, 18 years in information security
- Focus on performing security assessments
- Professional speaker
- Creator/author of Security On Wheels audiobooks & blog (securityonwheels.com)
- Writer

Kevin's latest book: Hacking for Dummies

All's well in IT. Right?

Not so fast.
Well, if marketing says so.

Don't worry. We'll find the flaws if you don't.

To think you'll find everything is delusional.

Pen tests v. Audits v. Vulnerability Assessments

Who am I?

2013 Verizon Data Breach Investigations Report

Minimal testing. De facto standard.

A definition
equivocal \ih-KWIV-uh-kul\ adjective
1 a: subject to two or more interpretations and usually used to mislead or confuse
  b: uncertain as an indication or sign
2 a: of uncertain nature or classification
  b: of uncertain disposition toward a person or thing : undecided
  c: of doubtful advantage, genuineness, or moral rectitude
- Merriam-Webster

Critical to your vendor. Meaningless to your business.

It's all in your perspective.

Look for the vulnerabilities that count.

Most urgent flaws on your most important systems.
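As an added worked example (not from Kevin Beaver's slides), the following Python script turns "most urgent flaws on your most important systems" into a ranking rule: each finding's vendor severity is weighted by the asset's business criticality, exposure and data sensitivity, which only the asset owner knows. The asset register, the findings and the weighting factors are constructed sample data and assumptions, not any scanner's output or any standard; the point it shows is that a scanner's "Critical" on a disposable kiosk should not outrank a "High" on the payroll database, and that a data-in-transit weakness on an internal segment drops to the bottom.

```python
"""Rank scanner findings by business impact rather than vendor severity alone.

Added example, not from the slides. Assets, findings and weights are
constructed sample data; the weighting scheme is an assumption, not a standard.
"""
from dataclasses import dataclass

# Vendor severity -> weight. The scanner's rating is only the starting point.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Business criticality of the asset, decided by the organisation, not the tool.
CRITICALITY_WEIGHT = {"crown-jewel": 4, "important": 3, "supporting": 2, "disposable": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str       # key into CRITICALITY_WEIGHT
    internet_facing: bool
    handles_pii: bool


@dataclass(frozen=True)
class Finding:
    asset: str             # Asset.name the finding was reported against
    title: str
    severity: str          # key into SEVERITY_WEIGHT (the vendor's rating)
    fix_available: bool    # False for a zero-day with no known fix
    requires_mitm: bool    # data-in-transit issue needing a network position to abuse


def business_score(finding: Finding, asset: Asset) -> float:
    """Combine the vendor severity with the context only the asset owner knows."""
    score = float(SEVERITY_WEIGHT[finding.severity] * CRITICALITY_WEIGHT[asset.criticality])
    if asset.internet_facing:
        score *= 1.5       # reachable by anyone, so more urgent
    if asset.handles_pii:
        score *= 1.5       # breach-notification and regulatory exposure
    if finding.requires_mitm and not asset.internet_facing:
        score *= 0.25      # "will likely never be exploited" on an internal segment
    return score


def rank_findings(findings, assets):
    """Return (score, finding, action) tuples, most urgent first.

    A finding with no available fix stays in the list (it is still risk) but is
    routed to mitigation and monitoring instead of the patch queue.
    """
    by_name = {a.name: a for a in assets}
    ranked = []
    for finding in findings:
        asset = by_name[finding.asset]
        action = "patch" if finding.fix_available else "mitigate+monitor (no fix yet)"
        ranked.append((business_score(finding, asset), finding, action))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


# Constructed sample inventory and scanner output (not real systems).
SAMPLE_ASSETS = [
    Asset("payroll-db", "crown-jewel", internet_facing=False, handles_pii=True),
    Asset("customer-portal", "important", internet_facing=True, handles_pii=True),
    Asset("build-server", "supporting", internet_facing=False, handles_pii=False),
    Asset("lobby-kiosk", "disposable", internet_facing=False, handles_pii=False),
]

SAMPLE_FINDINGS = [
    Finding("lobby-kiosk", "Outdated browser plugin", "critical", True, False),
    Finding("payroll-db", "Default credentials on management interface", "high", True, False),
    Finding("customer-portal", "Weak TLS cipher suites offered", "medium", True, True),
    Finding("build-server", "Weak TLS cipher suites offered", "medium", True, True),
    Finding("build-server", "Zero-day in build tooling, no vendor fix", "critical", False, False),
]

if __name__ == "__main__":
    for score, finding, action in rank_findings(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(f"{score:5.1f}  {finding.asset:16} {finding.severity:8} {action:28} {finding.title}")
```

With the constructed data the "High" default-credentials finding on the payroll database comes out on top at 18.0, the "Critical" on the kiosk lands fourth at 4.0, and the same weak-cipher finding scores 13.5 on the internet-facing portal but 1.0 on the internal build server. The weights themselves are the part each organisation has to argue about and own; the scanner cannot supply them.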
Scanners won't easily find:
- Open shares exposing PII to groups who don't need access
- Missing whole disk encryption
- Improperly secured phones and tablets
- Default passwords on physical security systems
- Network protocol anomalies

But they may uncover BIG flaws that aren't a problem:
- Data in transit weaknesses that will likely never be exploited
- Zero-day vulnerabilities with no known fixes

Focus on the givens.

Only you will know.

Think reasonable.

Common sense is a virtue.

A definition
UNequivocal \un-ih-KWIV-uh-kul\ adjective
1 a: leaving no doubt
  b: clear, unambiguous
2 : unquestionable
- Merriam-Webster

Apathy is the enemy.

Underimplemented.

Lack of perceived risk does not mean no risk.

Never assume the right people know all the right things.

Never assume the right people are talking to one another.

When was the last time?

What are you trying to do?
What are you trying to protect?
What are you trying to protect against?
What audit requirements do you have?
What regulations are you up against?
Are you assessing what matters?
What do your policies say? Contracts & SLAs?

Holistic Vulnerability Assessment: Technical, Operational, Physical

The five phases
PHASE 1: Planning
PHASE 2: Testing
PHASE 3: Analyzing
PHASE 4: Reporting
PHASE 5: Implementing Changes

Planning things out
- What will be tested?
- Dates/times?
- How often?
- Blind or knowledge assessments?
- Denial of service testing?
- Who's the sponsor?
It's all about expectations.

What's your scope?
- Network hosts
- Servers
- Workstations
- Websites
- Web applications (cloud included!)
- Databases
- Storage
- Mobile devices
- Mobile apps
- Physical security controls

If it has an IP address or a URL, it's fair game... eventually.
Carrying out your tests
STEP 1: Reconnaissance
STEP 2: Enumeration
STEP 3: Vulnerability Identification
STEP 4: Proof

Demonstrate rather than exploit.

- Implement policies/plans
- Enforce with technology
- Know what you've got
- Know how it's at risk
- Refine and repeat

Things I've learned the hard way
- Under-scoping projects
- Relying only on manual analysis
- Relying only on scans
- Assuming that a completed scan = completion
- Believing that a failed scan = good enough
- Only scanning systems running on default/assumed ports

Web Security Testing. Things to Consider
- Browser-specific flaws
- User-specific flaws
- Authentication mechanism
- DoS susceptibility
- Possible SQL injections
- WAFs & SSL = false sense of security
- Everything below layer 7
- Multiple scanners are required

Multiple Web vulnerability scanners are required.

Tools I Often Use (Network, OS)
- NetScanTools Pro
- QualysGuard
- Nexpose
- GFI LanGuard
- Metasploit
- OmniPeek
- Cain & Abel
- AlgoSec Firewall Analyzer

Tools I Often Use (Web)
- QualysGuard
- Nexpose
- WebInspect
- Acunetix Web Vulnerability Scanner
- Netsparker
- NTOspider
- Firefox Web Developer
- Checkmarx CxDeveloper

Authenticated testing is critical.

Tools I Often Use (Mobile)
- IdentityFinder
- CommView for WiFi
- Reaver Pro
- Ophcrack
- Elcomsoft System Recovery
- Elcomsoft Forensic Disk Decryptor
- Elcomsoft iOS Forensic Toolkit
- Oxygen Forensic Suite
- Passware Kit Forensic

Your tools will be an enabler or a hindrance.

Owning the tool ≠ knowing how to properly use the tool.

Only You! (never forget this)

Look for the vulnerabilities that count.

Operational and Technical

Respect the law of diminishing returns.

Logic and Reasoning

Report your findings.

Follow-up on your findings.
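To make "assuming that a completed scan = completion", "believing that a failed scan = good enough" and "only scanning systems running on default/assumed ports" concrete, here is an added Python example (not from the slides) that reconciles a scanner's job export against the asset register before anyone calls the assessment done. The register, the CSV layout, the nmap-style port ranges and the host addresses are constructed assumptions rather than any product's real export format. The script reports what a job's "completed" status hides: in-scope hosts the scanner never touched, hosts whose scan failed, known services sitting on ports outside the scanned range, and hosts the scanner did touch that the scope never listed (the under-scoping signal).

```python
"""Reconcile a scan export against the asset register to find coverage gaps.

Added example, not from the slides. "Completed" only proves the scanner job
finished, not that everything in scope was tested. The register, the CSV
layout and the addresses below are constructed sample data; the column names
are an assumption, not any specific scanner's export format.
"""
import csv
import io

# Constructed asset register: what is in scope and which ports each host is
# known to serve (from the inventory, firewall rules or the application owners).
SCOPE = {
    "10.0.1.10": {"role": "web front end", "known_ports": {80, 443}},
    "10.0.1.11": {"role": "app server", "known_ports": {8443, 9200}},  # non-default ports
    "10.0.1.12": {"role": "database", "known_ports": {1433}},
    "10.0.1.13": {"role": "management host", "known_ports": {22}},
}

# Constructed scanner export. ports_scanned uses nmap-style ranges.
# 10.0.1.13 is missing entirely; 10.0.1.50 was never put in scope.
SCAN_CSV = """host,status,ports_scanned
10.0.1.10,completed,1-1024
10.0.1.11,completed,1-1024
10.0.1.12,failed,1-1024
10.0.1.50,completed,1-1024
"""


def parse_ports(spec: str) -> set[int]:
    """Expand a spec such as "1-1024,3389,8080-8090" into a set of port numbers."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            ports.update(range(low, high + 1))
        else:
            ports.add(int(part))
    return ports


def coverage_gaps(scope: dict, scan_csv: str) -> dict:
    """Return the four kinds of gap a 'completed' job can hide."""
    scanned = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        scanned[row["host"]] = (row["status"].strip().lower(), parse_ports(row["ports_scanned"]))

    # In scope, but the scanner never produced a row for it.
    never_scanned = sorted(host for host in scope if host not in scanned)
    # A failed scan is not "good enough"; it is an untested host.
    failed = sorted(host for host, (status, _) in scanned.items()
                    if host in scope and status != "completed")
    # Known services outside the scanned port set: the default-ports-only trap.
    ports_missed = {}
    for host, (status, ports) in scanned.items():
        if host in scope and status == "completed":
            missed = scope[host]["known_ports"] - ports
            if missed:
                ports_missed[host] = sorted(missed)
    # The scanner touched something the scope did not list: the scope is incomplete.
    out_of_scope = sorted(host for host in scanned if host not in scope)
    return {
        "never_scanned": never_scanned,
        "failed": failed,
        "ports_missed": ports_missed,
        "out_of_scope_scanned": out_of_scope,
    }


def is_complete(gaps: dict) -> bool:
    """The assessment is complete only when every gap list is empty."""
    return not any(gaps.values())


if __name__ == "__main__":
    gaps = coverage_gaps(SCOPE, SCAN_CSV)
    for kind, items in gaps.items():
        print(f"{kind:22} {items}")
    print("complete:", is_complete(gaps))
```

Run against the constructed data it flags the management host as never scanned, the database as failed, the app server's 8443 and 9200 as outside the 1-1024 range that was swept, and 10.0.1.50 as a host nobody put in scope. Each of those is a reason to keep the "testing" phase open rather than move on to reporting.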
Checklist
- Get to know your network
- Understand the risk requirements
- Learn your existing tools
- Try out new tools
- Stay sharp

Test now. Test often.

Prevention is easier than repair.

Unless and until...

You cannot secure what you don't acknowledge.

Hacking for Dummies: Downloadable sample chapters
- Hacking For Dummies (4th ed.), Chapter 7, Passwords: http://searchenterprisedesktop.techtarget.com/feature/Chapter-excerpt-Defending-the-enterprise-from-password-hacking
- IT Knowledge Exchange book excerpts, Hacking for Dummies: http://itknowledgeexchange.techtarget.com/bookworm/book-excerpt-hacking-for-dummies and http://itknowledgeexchange.techtarget.com/bookworm/book-excerpt-hacking-for-dummies-part-2
- Hacking For Dummies (1st ed.), Chapter 10, Wireless LANs: http://searchsecurity.techtarget.com/tip/Hacking-for-Dummies-Chapter-10-Wireless-LANs

About Kevin Beaver
- My website: principlelogic.com/resources
- My blog: securityonwheels.com/blog
- My audio programs: securityonwheels.com
- @kevinbeaver
- PrincipleLogic
- www.linkedin.com/in/kevinbeaver

Live Q&A with Kevin Beaver
- Submit questions for Kevin via the text chat area
- Kevin will answer questions during and/or after his presentation
- At the end of today's webcast, participants who ask the best questions (as determined by Kevin) will receive a free copy of Hacking for Dummies
- Those selected should contact us at: editor@searchsecurity.com

