hackers & attack anatomy - snia · 2020-04-10 · ii. black box vs. white box ise proprietary...

ISE Proprietary

H A C K E R S & A T T A C K A N A T O M Y

Ted Harrington, Executive Partner | [email protected]

mailto:[email protected]

Why is this important?

ISE Proprietary

Attacks

III. Security vs. Functionality

ISE Confidential - not for distribution

I. Assets vs. Perimeters

About ISE

II. Black Box vs. White Box V. Ongoing vs. Periodic

IV. Build In vs. Bolt On

ISE Proprietary

About ISE

ISE Proprietary

Analysts

• White box

Perspective

• Hackers; Cryptographers; RE

Research

• Routers; NAS; Healthcare Customers

• Companies w/ valuable assets to protect

Exploits

• iPhone; Android; Ford; Exxon; Diebold

ISE Proprietary

I. Secure Assets, Not Just Perimeters

ISE Proprietary


Traditional Attacks Traditional Defenses

11

ISE Proprietary


12

ISE Proprietary


13

ISE Proprietary

ISE Proprietary

II. Black Box Penetration Tests == Good

ISE Proprietary

II. Black Box Penetration Tests == Good

ISE Proprietary

White box vulnerability assessment == GOOD!

II. Black Box vs. White Box

ISE Proprietary

• Access Level

• Black Box

• White Box

• Evaluation Types

• Penetration Test

• Vulnerability Assessment


ISE Proprietary

Black Box Perspective


ISE Proprietary

White Box Perspective


ISE Proprietary


ISE Proprietary

Black Box

2 mo. / 200 hrs.

4 potential issues

1 confirmed

none

no recommendations

very low

200+ hrs.

White Box

2 mo. / 200 hrs.

11 confirmed

10 confirmed

21+ mitigation strategies

high

~9 hrs.

~9 hrs.

Time/cost

Severe issues

Other issues

Results

Completeness/Confidence

Cost/issue

Cost/solution

8

ISE Proprietary

SOHO Routers: Outcomes

ISE Proprietary

Goals Results 10 13 Any Remote, Local, Both >30% 100% Broken

Models Attacks

Compromise

ISE Proprietary


ISE Proprietary

EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE

SALES IT HR ...

IT FUNCTIONALITY IT SECURITY


ISE Proprietary

EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE

SALES IT HR SECURITY

IT FUNCTIONALITY IT SECURITY

…


ISE Proprietary

CONFLICT IS GOOD!


ISE Proprietary

I. Security Separated From Functionality


ISE Proprietary

IV. “Build It In,” Not “Bolt It On”

ISE Proprietary


ISE Proprietary

REQUIREMENTS

DESIGN

IMPLEMENTATION

TESTING

DEPLOYMENT

MAINTENANCE

Determine business & user needs

Define architecture

Coding

System testing

Customer roll-out

Resolve bugs

Develop threat model

Design defense in depth

Audit code

White box vulnerability assessment

Configuration Guidance

Iteration Hardening


ISE Proprietary

Built In

90%

- - -

1x

Bolted On

100%

- - -

25x : application

300x : infrastructure

Assessment cost

Assessment overhead

Mitigation cost / issue

ISE Proprietary

V. Security as Ongoing Process

ISE Proprietary

V. Security as Ongoing Process

ISE Proprietary

Yearly

X

90-95%

1

X (0.9)

Quarterly

X

20-30%

4

X (0.8)

Initial assessment cost

Full scope reassessment cost

Full assessments / year

Cost / year

Bi-yearly

X

35-45%

2

X (0.7)

Actionable Guidance

Do:

• Protect assets

• Get 3rd party security

assessments

• Have a security person/team

• Build security in

• Perform security ongoing

ISE Proprietary

Don’t:

• Focus just on perimeter

• Rely on black box

• Have security & IT as same

• Bolt security on

• Assess longer than biannually

Get Involved

ISE Proprietary

Ted Harrington Executive Partner

[email protected]

ISE Proprietary

hackers & attack anatomy - snia · 2020-04-10 · ii. black box vs. white box ise proprietary...

Documents