Your Perimeter Sucks and People Keep Clicking Shit

Boris Sverdlik, 100% Paper Certified, @Jadedsecurity, [email protected]

Upload: jadedsecurity

Post on 29-Nov-2014


DESCRIPTION

Hack3rcon 2011 presentation, your perimeter sucks

TRANSCRIPT

Page 1: Your Perimeter Sucks and People Keep clicking Shit

Boris Sverdlik, 100% Paper Certified

@Jadedsecurity

[email protected]

YOUR PERIMETER SUCKS AND YOUR USERS KEEP CLICKING SHIT

Page 2: Your Perimeter Sucks and People Keep clicking Shit

WHO AM I???

• Jaded Security Guy

• Got some paper certifications

• Have strong feelings against ISC2

• I SELL SHIT!!! (Pay attention there will be a quiz!)

Page 3: Your Perimeter Sucks and People Keep clicking Shit

QUICK NOTE ON THE CISSP

Page 4: Your Perimeter Sucks and People Keep clicking Shit

IF YOU ARE A CISSP.. VOTE FOR WIM REMES

#WIMMING!!!

Page 5: Your Perimeter Sucks and People Keep clicking Shit

DON’T VOTE FOR THIS DUDE!

Page 6: Your Perimeter Sucks and People Keep clicking Shit

DISCLAIMER

• JADEDSECURITY IN NO WAY CONDONES THE USE OF TECHNIQUES OUTLINED WITHIN THE CONTENTS OF THIS PRESENTATION OUTSIDE OF A CLIENT ENGAGEMENT. FOR YOUR OWN PROTECTION, ENSURE THAT YOU HAVE THE “GET OUT OF JAIL FREE” CARD ON YOUR PERSON AT ALL TIMES DURING TESTING.

• USE COMMON SENSE AND BE CAREFUL OF ARMED RENT-A-COPS; THEY LIKE TO PLAY WITH TOYS AS MUCH AS WE DO, AND THEIR TOYS ARE DANGEROUS

• DON’T DO IT FOR LULZ!

Page 7: Your Perimeter Sucks and People Keep clicking Shit

IF THE DHS SUCKS, YOU THINK YOU ARE BETTER?

Page 8: Your Perimeter Sucks and People Keep clicking Shit

WAIT, I GOT A FIREWALL, AV AND IDS

• If your application sucks, a layer 4 firewall allowing me to connect to it is moot

• Intrusion detection is easy to bypass

• Intrusion prevention is just as bad

• Acts as a deterrent for the casual script kiddy

• Doesn’t keep out this guy

Page 9: Your Perimeter Sucks and People Keep clicking Shit

DO NOT BUY THIS MAGIC BOX (DON’T BUY SHIT)

Page 10: Your Perimeter Sucks and People Keep clicking Shit

EVEN THOUGH THEY SAY IT WILL PROTECT YOU FROM

• APT

• LULZ

• CHINA

• AND THIS GUY

Page 11: Your Perimeter Sucks and People Keep clicking Shit

I JUST BOUGHT A DLP APPLIANCE, MY DATA IS SAFE

• DLP is a program not an appliance

• No Magic Solution

• Do you believe in Unicorns?

Page 12: Your Perimeter Sucks and People Keep clicking Shit

WILL YOUR BLINKY DLP BOX PROTECT YOU FROM?

• I’m going to take all my work home with me

Page 13: Your Perimeter Sucks and People Keep clicking Shit

CHECK OUT HER……

Page 14: Your Perimeter Sucks and People Keep clicking Shit

OR MY PERSONAL FAVORITE…

Page 15: Your Perimeter Sucks and People Keep clicking Shit

FINALLY THIS BRAINIAC

Page 16: Your Perimeter Sucks and People Keep clicking Shit

ALL YOUR DATA BELONGS TO US!!

• You go to conferences and rant about your vendors not doing enough

• <sarcasm>Hackers have the upper hand because their tools rock</sarcasm>

Page 17: Your Perimeter Sucks and People Keep clicking Shit

KEEP IT SIMPLE STUPID!

• Stop buying shit!!

• Optimize your current shit!

• Stop attending conferences and bitching about misconfigurations..

• SQLi should not be on the top 10 threats for 2011

• Magic Quadrants are for buying shit you don’t NEED

Page 18: Your Perimeter Sucks and People Keep clicking Shit

YAY.. NO MORE LULZ.. HOW ABOUT BOB?

• He wants you

• Has 1337 skillz

• Determined

• Not a skid

• Has had time to plan

Page 19: Your Perimeter Sucks and People Keep clicking Shit

BOB IS MORE CREATIVE

• So your network is “Protected by the Firewall” hmm.. Ok.. Let’s look at another way in..

• NYC hosts a fun site called the “Buildings Information Systems” see where am I going with this?

• Let’s look at the fun ways an attacker can just walk in despite your so-called security measures.

Page 20: Your Perimeter Sucks and People Keep clicking Shit

PASSIVE RECONNAISSANCE

• We have a whole list of potential 3rd party targets that can lead to physical access.

• Permits, Blue Prints, Electrical Diagrams, Elevator Records, complaints, etc...

• We can gather a lot from open source searches

Page 22: Your Perimeter Sucks and People Keep clicking Shit

3RD PARTIES ARE ALWAYS LESS SECURE

• A good attacker will gather as much information about the potential target as they possibly can

• If we know who the contractors and vendors are, we can start to plan wardrobe

• Uniforms are a must to get you through the door

• Fit the part; you can’t stand out if you are going to attempt an office-hours walkthrough

• Contractors typically place ads on Craigslist, Tribune, etc..

• Hang out in common areas

• Schmooze the secretary

Page 23: Your Perimeter Sucks and People Keep clicking Shit

WARDROBE???

• Attackers typically will have multiple costumes, uniforms and clothing sets

• The key is to either blend in, or overtly gain access through trickery and deceit

• Pizza boy might just be the James Bond of Corporate Espionage

• Trust but verify

Page 24: Your Perimeter Sucks and People Keep clicking Shit

EXTERNAL LAYOUT?

• Google is Your friend

• Map out all entrances as potential points of egress/ingress

Page 25: Your Perimeter Sucks and People Keep clicking Shit

BUSY LOBBY AREAS ARE FUN

• A busy lobby should be a nightmare for the physical security specialist:

• Attackers can hide in plain sight

• Reception is busy people watching at rush hour (9, 12 and 5)

• An attacker can take his sweet time mapping out floor layout, camera position, etc.

Page 26: Your Perimeter Sucks and People Keep clicking Shit

WE LOCK EVERYTHING…

• I’m going to assume that I don’t have to go through all the fun we can have with locks? Do I??

• Keys can be:

• Replicated

• Printed (Yay MakerBot)

• Locks can be:

• Picked

• Bumped

• Broken

Page 27: Your Perimeter Sucks and People Keep clicking Shit

CAN YOU TELL THEY ARE LYING? HINT.. LOOK AT LEFT UPPER LIP

Page 28: Your Perimeter Sucks and People Keep clicking Shit

HE CAN’T….

• Security Guards are a great deterrent for the casual attacker, not so much for a dedicated one..

• Humans are susceptible to all kinds of distractions

• Security guards are trained to be helpful

• They are very easy to social engineer

Page 29: Your Perimeter Sucks and People Keep clicking Shit

Page 30: Your Perimeter Sucks and People Keep clicking Shit

WE SCREEN OUR VISITORS

• IDs are very easy to forge

• Receptionists are only half looking

• They aren’t trained to handle security

• They are easily intimidated

• They are also very easy to social engineer

Page 31: Your Perimeter Sucks and People Keep clicking Shit

WHEN WE AREN’T BUSY WITH

Page 32: Your Perimeter Sucks and People Keep clicking Shit

I.E. CLICKING SHIT!!!

MORE TO FOLLOW…

Page 33: Your Perimeter Sucks and People Keep clicking Shit

BARCODES ARE SECURE RIGHT?

• Attackers will typically wander common areas looking for commonalities in the visitor registration process

• Bar Codes are easy to replicate

• Most mobile platform camera modules can photograph a guest pass and provide a mechanism to replicate the ID card in minutes

Page 34: Your Perimeter Sucks and People Keep clicking Shit

WE USE MAGNETIC CARD READERS

• We carry around devices that can read and write

Step #1: Swipe card → Step #2: Copy card → Step #3: Put card back

Page 35: Your Perimeter Sucks and People Keep clicking Shit

WE GOT THAT FANCY RFID THING…

• Need I say more???

Step #1: Bump → Step #2: Magic → Step #3: Enter

Page 36: Your Perimeter Sucks and People Keep clicking Shit

WE SHOULD ALL MOVE TO SOME TYPE OF NFC

Page 37: Your Perimeter Sucks and People Keep clicking Shit

WE HAVE TURNSTILES

• Do I need to explain why this is not secure????

• A timed distraction during busy hours and you’re in

Page 38: Your Perimeter Sucks and People Keep clicking Shit

IF THE MTA GETS IT, SHOULDN’T YOU?

Page 39: Your Perimeter Sucks and People Keep clicking Shit

CAMERAS

• Cameras are a detective control in most organizations

• They are great to identify who did what in most instances

• A good attacker can spot blind spots and use them to avoid detection

• Camera operators are typically not well trained to spot anomalous activity.

Page 40: Your Perimeter Sucks and People Keep clicking Shit

YEP, HE’S PAYING ATTENTION!

Page 41: Your Perimeter Sucks and People Keep clicking Shit

TAILGATING

• Attackers will use the busiest times of the day to follow legitimate users through ingress points

• A typical attack scenario exploits people’s need to be helpful. Always be wary of an unknown party who seems to be irate on a phone call in a common area outside of the secure area.
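The slides on barcode, magstripe and RFID passes (Pages 33 to 35) and on tailgating (Page 41) share one defensive lesson: a cloned credential presents the same id as the real one, so the reader alone cannot tell them apart, but an anti-passback ledger can. The following is an added example, not the author's code, that runs such a check over a constructed badge-event log; the badge ids, door names and timestamps are invented.

```python
"""Anti-passback check over a constructed badge-event log (added example).

A copied barcode, magstripe or RFID credential is indistinguishable at the
reader, but a credential that badges IN twice without badging OUT, or badges
OUT without ever badging IN (a tailgater leaving on a borrowed badge), stands
out in the event stream. The ledger below flags both cases.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since midnight; constructed sample values
    badge: str       # credential id as read at the door
    door: str
    direction: str   # "in" or "out"


def anti_passback(events):
    """Return (event, reason) pairs for anomalous events, in time order."""
    inside = {}      # badge -> door it last entered through
    flags = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.direction == "in":
            if ev.badge in inside:
                flags.append((ev, "double entry, possible cloned credential"))
            inside[ev.badge] = ev.door
        elif ev.direction == "out":
            if ev.badge not in inside:
                flags.append((ev, "exit without entry, possible tailgate"))
            inside.pop(ev.badge, None)
    return flags


# Constructed log: V-1042 enters the lobby and, while still inside, enters
# again at the loading dock; E-77 leaves without ever having badged in.
SAMPLE = [
    Event(32400, "V-1042", "lobby", "in"),
    Event(32410, "E-555", "lobby", "in"),
    Event(33900, "V-1042", "dock", "in"),
    Event(43200, "E-77", "lobby", "out"),
    Event(43260, "E-555", "lobby", "out"),
]

if __name__ == "__main__":
    for ev, why in anti_passback(SAMPLE):
        print(f"{ev.ts:>6} {ev.badge:<7} {ev.door:<6} {ev.direction:<3} {why}")
```

Real systems also time-box the rule (an "in" with no "out" by end of day is its own alert), which the slide's daily pass rotation complements.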

Page 42: Your Perimeter Sucks and People Keep clicking Shit

HEY, IT WORKS AT OUR BORDERS RIGHT?

Page 43: Your Perimeter Sucks and People Keep clicking Shit

MOST CONTROLS ARE DETERRENTS FOR THE CASUAL ATTACKER

• How many times have you seen card readers protecting a secured area?

• Drywall can be cut

• Suspended ceilings circumvented

• Motion detectors bypassed

Page 44: Your Perimeter Sucks and People Keep clicking Shit

OH NO, AN ATTACKER IS INSIDE..

• Your Data Center is no longer a physical target. The “Cloud”

• Your Network Access Control system has exceptions:

• VOIP

• Printers

• Etc…

• Users love to leave confidential data on their desks..

Page 45: Your Perimeter Sucks and People Keep clicking Shit

OK I GET IT WE SUCK! HOW DO WE FIX IT?

Page 46: Your Perimeter Sucks and People Keep clicking Shit

FORGET TECHNOLOGY.. BLASPHEMOUS? OK PARTIALLY FORGET.

• Segregation of Duties.. Separate reception/security function

• Verify suspicious visitors (hey, we didn’t call the phone company)

• Rotate visitor passes daily (change color, shapes, sizes, etc..)

• And the #1 mitigating control???????

Page 47: Your Perimeter Sucks and People Keep clicking Shit

LAYER 8….

• Uhm..my CISSP tells me we only have 7 layers

• Can you count?

8, 7, 6, 5, 4, 3, 2, 1

Page 48: Your Perimeter Sucks and People Keep clicking Shit

WAIT??? THAT’S JUST A USER..

Page 49: Your Perimeter Sucks and People Keep clicking Shit

USERS AREN’T AS DUMB AS WE THINK THEY ARE!

• Yes.. They typically click on shit!

• Yes.. They surf porn

• Yes.. They are the reason you get malware

Page 50: Your Perimeter Sucks and People Keep clicking Shit

SOMETIMES IT WILL FEEL LIKE THIS

Page 51: Your Perimeter Sucks and People Keep clicking Shit

AND MOSTLY ALL YOU WANT TO DO IS THIS

Page 52: Your Perimeter Sucks and People Keep clicking Shit

SHOW THEM THE LIGHT

Page 53: Your Perimeter Sucks and People Keep clicking Shit

STOP CLICKING SHIT!!!!

AND MOST IMPORTANTLY..