
Cyber security: the evolution of methodologies in recent years

(in English)
Summary of the case study: full control of every SCADA network system and apparatus, plus an air-gap bypass.
Lessons learned:
Relying on an air gap is an ineffective approach, and compartmentalized security testing does not highlight real-life attacks.
Customer actions:
The customer mitigated the most critical issues during the assessment and later started a complete redesign of their infrastructure security, prioritizing remediation efforts according to the classification of the findings.



Conference proceedings or presentations containing case histories
mcT Petrolchimico Milano, November 2016: What future for Cyber Security?

Published by Alessia De Giosa
mcT Petrolchimico Milano 2016






Text extract

Milan, 24 November 2016. Conference proceedings and more than 8,000 items at www.verticale.net
Improving performance, reducing risk

Cyber security: the evolution of methodologies in recent years
Daniele Baudone, Cyber security expert, LRQA

Introductions

Shopping for Security [Into the customer's mind]
- Do I need a security test?
- How often do I need a security test?
- Who should do the security test?
- Is it better to have a consultant do it, or to train some people to do it internally?
- What do I need to know about hiring a consultant?
- (and) I need to spend as little as possible!

Mindsets and backgrounds
- Depending on the country, your counterpart on the client's side will be:
  - Experienced IT guy (NOT an InfoSec guy)
  - Inexperienced IT guy
  - Inexperienced InfoSec guy
  - Auditor's background
  - Risk Officer
  - Privacy Officer
  - Management background
  - Former Law Enforcement Officer
  - Experienced InfoSec guy (as rare as white truffles and black swans!)
- Most of them (80%) will NOT understand you (different languages): lingo (slang), terminology, acronyms, etc.
- Most of them (95%) will not know enough about pentesting.

«Security (Vulnerability) Assessment»
- It just doesn't mean anything specific
- It leads to misunderstandings (e.g. automated testing vs manual testing)
- It may lead to poor security testing (e.g. false positives/negatives)
- It helps those market players without real experience and skills
- It helps those who only care about the economics and speculate on information security
- If YOU (your organization, your ISP, your country) are insecure, I will be insecure (my ISP, my organization, my country).
- That's why, when it comes to security testing, budget should NOT limit the overall quality of the project.

«TERMINOLOGY» (a little bit more, actually!) [aka: when terminology impacts quality, security and budget]

YESTERDAY: we had different "schools" (ways of thinking)
- Automated testing (Vulnerability Scanning/Assessment): "our scanner uses A.I. over neural networks and everything is under HA"
- Manual testing (Ethical Hacking, Pentesting, Unconventional Security Testing): "the most advanced & up-to-date hacking techniques", "we have the best hackers in the world (or whatever)", "...uh, yeah, you know, we use Latvian hackers!"
- Security-through-obscurity security testing: "You should not be interested in how we get our job done... let us think about these kinds of things... it's our job, after all!"

TODAY: we have "methodologies". Key differences: execution costs, execution times.

Proactive Security Square (1/7): (1) Vulnerability Scanning/Assessment
- Automated verification
- Final report English-only
- High percentage of false positives/negatives (false alarms, false "sense of security")
- Works on the IP area only

Proactive Security Square (2/7): (2) Security Scanning
- Automated scanning; manual verification
- Final report can be in languages other than English
- Manual tuning of false positives/negatives
- Works on the IP area only
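As an added example (not from the original presentation), here is the kind of manual-tuning step that separates (2) Security Scanning from (1) Vulnerability Scanning: a scanner rule matches a service banner against a version range, but software packaged by a distribution often carries a backport suffix, so the fix may be present without a version bump. A version-only match is therefore downgraded to "needs manual verification" instead of being reported as confirmed. The banners, the rule threshold and the product names are constructed for illustration and do not refer to any real advisory.

```python
import re
from dataclasses import dataclass

# Constructed sample banners, as a banner grab would return them.
# The Debian-style suffix on the second one is the classic source of a
# version-based false positive: the distribution backports the fix and
# keeps the upstream version number.
SAMPLE_BANNERS = {
    "10.0.0.5:22": "SSH-2.0-OpenSSH_7.4",
    "10.0.0.6:22": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "10.0.0.7:22": "SSH-2.0-OpenSSH_8.4",
    "10.0.0.8:22": "SSH-2.0-dropbear_2019.78",
}

# Hypothetical scanner rule: "OpenSSH below 7.9 is affected". Illustrative only.
RULE = {"product": "OpenSSH", "fixed_in": (7, 9), "title": "example finding"}

BANNER_RE = re.compile(
    r"^SSH-2\.0-(?P<product>[A-Za-z]+)[_-](?P<ver>\d+(?:\.\d+)*)(?P<rest>.*)$"
)


@dataclass
class Finding:
    target: str
    product: str
    version: tuple
    # one of: version-match, needs-manual-verification, not-affected, unknown
    status: str
    reason: str


def parse_banner(banner):
    """Split 'SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7' into
    ('OpenSSH', (7, 4), 'p1 Debian-10+deb9u7'); None if it is not an SSH banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = tuple(int(x) for x in m.group("ver").split("."))
    return m.group("product"), version, m.group("rest").strip()


def is_backported_build(rest):
    """Distribution packaging markers: the fix may be present without a version bump."""
    return bool(re.search(r"(Debian|Ubuntu|FreeBSD|\+deb|\.el\d|ubuntu)", rest))


def evaluate(target, banner, rule=RULE):
    parsed = parse_banner(banner)
    if parsed is None:
        return Finding(target, "?", (), "unknown",
                       "banner not parseable; fingerprint the service manually")
    product, version, rest = parsed
    if product.lower() != rule["product"].lower():
        return Finding(target, product, version, "not-affected", "different product")
    if version >= rule["fixed_in"]:
        return Finding(target, product, version, "not-affected",
                       "version at or above the fixed release")
    if is_backported_build(rest):
        return Finding(target, product, version, "needs-manual-verification",
                       f"vendor build '{rest}' may carry a backported fix; "
                       "verify the behaviour, not the banner")
    return Finding(target, product, version, "version-match",
                   "upstream version below the fixed release; confirm with a behavioural check")


def triage(banners=SAMPLE_BANNERS, rule=RULE):
    """Apply the rule to every banner; the result is what a tester reviews by hand."""
    return {target: evaluate(target, banner, rule) for target, banner in banners.items()}
```

The point is the third branch: an automated tool that stops at the version comparison reports 10.0.0.6 as vulnerable, while the manual verification step the slide describes turns it into a ticket to check the actual behaviour (or the package changelog) before it reaches the report.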
Proactive Security Square (3/7): (3) Penetration Testing
- "Manually executed" verification actions, under proprietary roadmaps/approaches (the personal background of the pentester or of the Attack Team)
- Final report written in the client's language by the Tiger Team
- The client can choose additional options such as Social Engineering, Trashing, Physical Intrusion, Web Application Security Testing, etc.
- Not limited to the IP area
- Execution time grows considerably for each single asset

Proactive Security Square (4/7): (4) Risk Assessment
- Evaluation and correlation between the data obtained from the security testing and the company's risk value
- The results of the previous 3 methodologies can feed the technical part of the risk analysis
- Needs a long execution time
- If the technical test results are wrong, the whole risk analysis pays the consequences (and so does the investment...)

Proactive Security Square (5/7): (5) Security Auditing
- Auditing actions, typically internal ones, on the whole IT infrastructure, executed from the design and implementation point of view (not ROI or financial audits)
- Normally executed manually; the Security Report output must meet the specific needs of the client and/or consider specific, pointed-out assets
- Can be produced as the result of different proactive security methodologies, matched with the standards' risk analysis methodologies

Proactive Security Square (6/7): (6) Ethical Hacking
- 360° verification actions, targeted at specific assets or infrastructures
- Requires FULL OPERATING AUTHORIZATION + a "Free to Jail" letter (needed for the tests listed at point 3)
- Executed through the following combined actions:
  1. Penetration Testing (IP, xSDN, X.25/X.121, SAT, ...)
  2. Phreaking
  3. Social Engineering, Physical Intrusion, Trashing
  4. Reverse Engineering
  5. Black Box Testing

Proactive Security Square (7/7): (7) Posture Assessment & Security Testing
- Repeated "verify and compare" actions (follow-up) executed over a specific time period agreed with the client
- The analysis is based on initial knowledge factors, expressed in the "Final Considerations & Practical Suggestions" produced by the previous security testing actions, and relies exclusively on the OSSTMM methodology, which is repeatable and quantifiable (RAVs)
- The Security Report is written manually by the Tiger Team in the client's native language and follows international standards and guidelines (legislation and best practices) such as ISO/IEC 27001, 27005, GAO, FISCAM, PCI DSS, etc.
- The Security Report is OSSTMM certified
Issue #4: The methodology

Before the next slide
- How many of you here have ever hired a (Red, Tiger, whatever) Team to execute a Penetration Test at your company or agency?
- How many of you perform Penetration Tests as a job?
- In both cases, which Penetration Testing methodology was used?

Pentesting methodology
- This is the very first, key issue when it comes to pentesting.
- Clients go crazy when trying to «compare» security reports from different pentesting companies.
- Most pentesting companies claim to use their «own, internal pentesting methodology».
- And: «we cannot disclose it to you [customer], sorry!»
- WTH?!

OSSTMM: test typologies
The OSSTMM is a high-level methodology. It does not distinguish between a Vulnerability Assessment and a Penetration Test; instead it supplies values and roadmaps on «how to» run complete security verifications.
[Figure: Common Test Methods and Common Test Types]

OSSTMM: details
- An international standard for security testing and security analysis
- A methodology based on a scientific approach
- A resource for actually measuring operational security
- A way to reduce false positives and false negatives (forget «Vulnerability Assessments»!)
- A concrete process for being functional and really secure
- An ethics code with clearly defined Rules of Engagement

OSSTMM Manual
The Open Source Security Testing Methodology Manual (OSSTMM) is an open standard methodology for performing security tests.

Since its inception in January 2001, the OSSTMM has become the most widely used, peer-reviewed, comprehensive security testing methodology in existence.

The OSSTMM provides testing methodologies for the following six security areas: Information Security, Process Security, Internet Technology Security, Communications Security, Wireless Security, and Physical Security.

OSSTMM: how it works
- The OSSTMM is an international methodology focused on proactive security testing, developed by ISECOM (Institute for Security and Open Methodologies, USA): its output can be repeated, compared and evaluated numerically (RAVs)
- The OSSTMM defines rules and guidelines, as well as the RAVs (technical risk level)
- The OSSTMM does not replace risk analysis, but works on the process that produces its inputs
- Open source project, 200+ contributors worldwide, free use of the methodology
- Works on devices, infrastructures and single targets
- Cross-standard: IP (v4/v6), xSTN (PSTN, ISDN), X.25, mobile, wireless (IEEE 802.11*, Bluetooth, ZigBee, ...)
- Adopted by government and private organizations all around the world
- Modular logic: 6 operating areas (modules)

(since OSSTMM 2.0): the modules
- Internet Security
- Information Security
- Physical Security
- Communications Security
- Wireless Security
- Process Security (Social Engineering)
(since OSSTMM 2.0): operating areas

Internet Security
- Network Surveying
- Port Scanning
- Services Identification
- System Identification
- Vulnerability Research and Verification
- Internet Application Testing
- Router Testing
- Trusted Systems Testing
- Firewall Testing
- Intrusion Detection System Testing
- Containment Measures Testing
- Password Cracking
- Denial of Service Testing

Information Security
- Competitive Intelligence Scouting
- Privacy Review
- Document Grinding

Social Engineering (Process Security)
- Request Testing
- Guided Suggestion Testing
- Trusted Persons Testing

(since OSSTMM 2.0): operating areas (2)

Wireless Security
- Wireless Networks Testing
- Cordless Communications Testing
- Privacy Review
- Infrared Systems Testing

Communications Security
- PBX Testing
- Voicemail Testing
- FAX Review
- Modem Testing

Physical Security
- Access Control Testing
- Perimeter Review
- Monitoring Review
- Alarm Response Review
- Location Review
- Environment Review
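The Internet Security area above moves from Network Surveying to Port Scanning to Services Identification. As an added example (not part of the original slides), the following Python script performs the two middle steps against a constructed target so it runs offline: it starts a stand-in service on a random loopback port that sends an SSH-style banner, then probes ports with a full TCP connect, separates open, closed and filtered results, and fingerprints the service from the banner. The listener, its banner and the tiny fingerprint table are constructed for the example; a real engagement would point `scan()` at authorized targets and use a proper fingerprint database.

```python
import socket
import threading


def start_banner_server(banner=b"SSH-2.0-ConstructedBanner_1.0\r\n"):
    """Constructed stand-in for a real service: listens on a random loopback port
    and sends `banner` to each client, so the scan below runs offline.
    Returns (server_socket, port); close the socket to stop the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed: end the thread
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port():
    """Pick a loopback port that is currently unbound (nothing listens there)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=1.0):
    """Full TCP connect probe (not a SYN scan). Returns (state, banner).
    'open': the handshake completed; 'closed': RST / connection refused;
    'filtered': no answer within the timeout or unreachable, typical of a
    firewall that silently drops the SYN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed", ""
    except OSError:  # includes socket.timeout
        return "filtered", ""
    # Services identification: SSH, SMTP and FTP speak first, so a short
    # read yields a banner without sending anything to the service.
    try:
        data = s.recv(256)
    except OSError:
        data = b""
    finally:
        s.close()
    return "open", data.decode("ascii", "replace").strip()


def identify(banner):
    """Minimal service fingerprint from the banner prefix."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "smtp-or-ftp"
    return "silent" if not banner else "unknown"


def scan(host, ports, timeout=1.0):
    """Port scanning + services identification for a list of ports."""
    results = {}
    for p in ports:
        state, banner = probe(host, p, timeout)
        results[p] = {
            "state": state,
            "banner": banner,
            "service": identify(banner) if state == "open" else None,
        }
    return results


if __name__ == "__main__":
    srv, open_port = start_banner_server()
    for port, r in scan("127.0.0.1", [open_port, find_closed_port()]).items():
        print(port, r)
    srv.close()
```

A connect scan completes the three-way handshake, so it appears in the target's logs and is the noisiest way to do this; it is also the only option without raw-socket privileges, which is why the distinction between "closed" (the host answered) and "filtered" (nothing answered) matters when the results feed the Firewall Testing and Containment Measures items on the same list.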
OSSTMM 3.0: Attack Channels (paths)
[Figure: the OSSTMM 3.0 channels, labelled Physical Security, Wireless, Information Security, ...]
Each channel provides a set of verifications, which let you check ALL the aspects relevant to your security goals. For example, Data Networks:
- Network Surveying
- Port Scanning
- Services Identification
- System Identification
- Vulnerability Research & Verification
- Internet Application Testing
- Router Testing
- Trusted Systems Testing
- Firewall Testing
- Intrusion Detection System Testing
- Containment Measures Testing
- Password Cracking
- Denial of Service Testing

The OSSTMM 3.0
- Download it from www.osstmm.org
- Designed for e-book readers and double-sided printing (we love the earth)
- 211 pages
- Open Source: Creative Commons 3.0 Attribution-NonCommercial-NoDerivs, 2010

The future: OSSTMM 4.0
- Still in draft
- Available only to ISECOM GOLD or PLATINUM Team Members
- 254 pages
- Open Source: Creative Commons 3.0 Attribution-NoDerivs, 2013

OSSTMM going ISO: the new ISO "Hacking Standard"
Mixing it all together: different views and approaches, from ISO/IEC to OSSTMM and NIST
- The next section highlights how ISECOM is working closely with the ISO/IEC Committee and the NIST Board of Directors to build a new, shared methodology for security testing and product security evaluation.
- You will recognize many of the aspects we have spoken about today in a "big picture".
- The whole process should have been completed by 2015: this means we are already showing you what will come next.
- All the following slides belong to ISECOM and the ISO/IEC JTC1/SC27 Working Group (content Copyright © ISECOM Institute)
Case study

And now all these things applied in real life: Case study
Background: An Italian multi-utility hired a security firm that uses the OSSTMM methodology.
Purpose: Assess SCADA security.
Proposed approach: Comprehensive security review of the whole infrastructure that gives access to the SCADA network (control room, air-gapped systems, ICSs).
Timing: 2 months.

Main findings: Several vulnerabilities allowed full control of almost every system and apparatus, and also a bypass of the air gap.

Results: Full control of every SCADA network system and apparatus, and air-gap bypass.
Lessons learned: Relying on an air gap is an ineffective approach, and compartmentalized security testing does not highlight real-life attacks.
Customer actions: The customer mitigated the most critical issues during the assessment and later started a complete redesign of their infrastructure security, prioritizing remediation efforts according to the classification of the findings.

Conclusions

End of story
"Now that we have all this useful information, it would be nice to do something with it. (Actually, it can be emotionally fulfilling just to get the information. This is usually only true, however, if you have the social life of a glass of water.)"
Unix Programmer's Manual

Lloyd's Register and variants of it are trading names of Lloyd's Register Group Limited, its subsidiaries and affiliates.
Copyright © Lloyd's Register Quality Assurance Limited 2014. A member of the Lloyd's Register group.



© Eiom - All rights Reserved     P.IVA 00850640186