hackers & attack anatomy - snia · 2020-04-10 · ii. black box vs. white box ise proprietary...

ISE Proprietary

H A C K E R S & A T T A C K A N A T O M Y

Ted Harrington, Executive Partner | Ted.Harrington@securityevaluators.com

Why is this important?

ISE Proprietary

Attacks

III. Security vs. Functionality

ISE Confidential - not for distribution

I. Assets vs. Perimeters

About ISE

II. Black Box vs. White Box V. Ongoing vs. Periodic

IV. Build In vs. Bolt On

ISE Proprietary

About ISE

ISE Proprietary

Analysts

• White box

Perspective

• Hackers; Cryptographers; RE

Research

• Routers; NAS; Healthcare Customers

• Companies w/ valuable assets to protect

Exploits

• iPhone; Android; Ford; Exxon; Diebold

ISE Proprietary

I. Secure Assets, Not Just Perimeters

ISE Proprietary

Traditional Attacks Traditional Defenses

ISE Proprietary

II. Black Box Penetration Tests == Good

ISE Proprietary

II. Black Box Penetration Tests == Good

ISE Proprietary

White box vulnerability assessment == GOOD!

II. Black Box vs. White Box

ISE Proprietary

• Access Level

• Black Box

• White Box

• Evaluation Types

• Penetration Test

• Vulnerability Assessment

ISE Proprietary

Black Box Perspective

ISE Proprietary

White Box Perspective

ISE Proprietary

Black Box

2 mo. / 200 hrs.

4 potential issues

1 confirmed

no recommendations

very low

200+ hrs.

White Box

2 mo. / 200 hrs.

11 confirmed

10 confirmed

21+ mitigation strategies

~9 hrs.

Time/cost

Severe issues

Other issues

Results

Completeness/Confidence

Cost/issue

Cost/solution

ISE Proprietary

SOHO Routers: Outcomes

ISE Proprietary

Goals Results 10 13 Any Remote, Local, Both >30% 100% Broken

Models Attacks

Compromise

ISE Proprietary

EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE

SALES IT HR ...

IT FUNCTIONALITY IT SECURITY

ISE Proprietary

EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE

SALES IT HR SECURITY

IT FUNCTIONALITY IT SECURITY

ISE Proprietary

CONFLICT IS GOOD!

ISE Proprietary

I. Security Separated From Functionality

ISE Proprietary

IV. “Build It In,” Not “Bolt It On”

ISE Proprietary

REQUIREMENTS

DESIGN

IMPLEMENTATION

TESTING

DEPLOYMENT

MAINTENANCE

Determine business & user needs

Define architecture

Coding

System testing

Customer roll-out

Resolve bugs

Develop threat model

Design defense in depth

Audit code

White box vulnerability assessment

Configuration Guidance

Iteration Hardening

ISE Proprietary

Built In

Bolted On

25x : application

300x : infrastructure

Assessment cost

Assessment overhead

Mitigation cost / issue

ISE Proprietary

V. Security as Ongoing Process

ISE Proprietary

Yearly

90-95%

X (0.9)

Quarterly

20-30%

X (0.8)

Initial assessment cost

Full scope reassessment cost

Full assessments / year

Cost / year

Bi-yearly

35-45%

X (0.7)

Actionable Guidance

• Protect assets

• Get 3rd party security

assessments

• Have a security person/team

• Build security in

• Perform security ongoing

ISE Proprietary

Don’t:

• Focus just on perimeter

• Rely on black box

• Have security & IT as same

• Bolt security on

• Assess longer than biannually

Get Involved

ISE Proprietary

Ted Harrington Executive Partner

ted.harrington@securityevaluators.com

ISE Proprietary

hackers & attack anatomy - snia · 2020-04-10 · ii. black box vs. white box ise proprietary...

Documents

black box & white-box testing technique

snia ddfv1.2 snia common disk format

opening black box

black box presentation

black-box ripper: copying black-box models using ... ·...

black box experiment

white box vs black box testing

black box catalog

black box and white box testing

white box and black box testing

black box thinking

black box micro

black box and white box examples

black-box testing

black box testing.pdf

the black box

black box testing methodology sans.ppt · pdf filewhite box...

jit- black box

black box seminar

black box report