際際滷

際際滷Share a Scribd company logo

Code&Cannoli - 150113 - Feeling Vulnerable is Good! - v.1.1

Fabrizio Cilli
Fabrizio Cilli

The document outlines an agenda for an event called "Code & Cannoli" taking place on January 13th, 2016. It includes a schedule of talks on vulnerability assessment and penetration testing processes. One talk discusses assessing vulnerabilities and managing them as part of a governance process. Another discusses the importance of integrating periodic testing with cyclic vulnerability assessments. The document also provides an example case study about the vulnerability and sinking of the Japanese battleship Yamato during World War II to illustrate vulnerability assessment, exploitation and management concepts.

1 of 38
Download to read offline
Code & Cannoli < Security > 13th January 2016 @DevMob #CodeCannoli
Code & Cannoli < Security > 17:30 - 18:15 Drinks, pasta & cannoli 18:15 - 19:00 Fabrizio Cilli: "Vulnerability: Assessing and Managing A dive into the unexpected weaknesses 19:00 20:00 Jacco van Tuijl: "Penetration Testing Process - part 1 20:00 - 20:15 Break 20:15 - 21:15 Jacco van Tuijl: "Penetration Testing Process - part 2 21:15 Drinks @DevMob #CodeCannoli
Code&Cannoli - 150113 - Feeling Vulnerable is Good! - v.1.1
Code&Cannoli - 150113 - Feeling Vulnerable is Good! - v.1.1
Vulnerability: Assessing & Managing Assessing the exposures wont close the circle
Vulnerable A vulnerability is a weakness in an asset or group of assets. An assets weakness could allow it to be exploited and harmed by one or more threat vectors. In the cyclic ticker of a PDCA wheel: Assessing is a phase we can execute at will. Managing its results, is an endeavour, impacting Governance, IT Operations, adding workload.
Surface and Core We expose our business to external (Surface) attackers and internal (Core) malicious users. The Attack Vectors are a myriad, from network to hosts, and to their virtual counterparts. The concept of Attack Vector is vital when it comes to evaluate the gravity of the vulnerabilities we are assessing in our environment: And the best way to understand it is by breaking down the CVSS score of found vulnerability!
CVSS Access Vector BaseScore= round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact)) Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact)) Exploitability = 20* AccessVector*AccessComplexity*Authentication f(impact)= 0 if Impact=0, 1.176 otherwise AccessVector = case AccessVector of requires local access: 0.395 adjacent network accessible: 0.646 network accessible: 1.0
Attack Surface
Attack Surface
Cyclic checks The best exercise to achieve a capable response mechanism when a 0-Day happens to be announced into the wild, is to have your test cycle, in line with your asset base. The limit in security operations is completeness, nothing can be measured as absolute, given the changing environment IT OPS manage. To react to emerging threats the identification and sanitization needs to be fast and precise.
Tools or Subscriptions ? A sound vulnerability management program does not cost in itself due to the technology requirements, it costs as it is a part of a GRC program, one step to obtain a smart governance and to maintain regulatory compliance. Cyclic checks, synced with an asset manager not only require IT Operations to be fast reacting, but the Assessment results (or reports) to be intelligently filtered and analysed against threat intel and frequently updated feeds.
Integrating Testing and Assessment Security Programme: This unknown. Well not 100% unknown, we know we should commit to long term integration between periodic (application and infrastructure) tests, and cyclic vulnerability assessments but the lack is to achieve it and maintain that commitment. Everything in IT is most probably identifiable as a SYSTEM, with an INPUT, TRANSFORMATION and an OUTPUT. Penetration Testing is a fundamental input to the Vulnerability Management Process and together these can boost your Threat Response (and ROI).
Static analysis and Dynamic testing Another element of a sound Vulnerability Management Process especially in Enterprise environments lies in the certainty of a qualitative analysis of algorithms, before moving application architectures to production environment. Let me say that its most likely that unsafe or lazy coding habits end writing 0-Days, instead of saving from them. Weak code will facilitate access to back-ends, data, and impair your vulnerability management program adding what we call make future Zero Days.
Weakness Awareness Security Program Integration Get the most, stay safe! Combining the following actions we DO get the most with a measurable return on our security programme investment. Achievement
Security Programme Investment Wheel 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Weakness Awareness Security ProgramIntegration Achievement Weakness to Achievement Insecurity ROI START Investment Returns Effects 0% Open Attack Surface 5% Increasing Awareness 15% Plans and deployments 25% Enabling interchange 30% Achieving returns Exposure Factor Effects 99% Easily violated by any vector 85% Understanding attack surface 75% Reducing exposure by means of special tools 50% Integrating diverse tools to achieve intelligence 25% Only 0-Days and unknow threats can hurt
A practical case study. What happens when.
The Battleship Yamato !
The Battleship Yamato ! oops thats the ! ehm lets get back to !
The Battleship Yamato
The Battleship Yamato Assessing: While in home waters after the winter 1944-1945 refitting (more anti- aircraft weapons), she was spotted and attacked by U.S. Navy carrier planes in March 1945. She escaped with light damage, but her vulnerability against the swarming American aircrafts was now clear. []
The Battleship Yamato Q1: By looking at the battleship architecture and defense, what can you assess the Battleship to be considered vulnerable in your opinion?
The Battleship Yamato Exploit: [] At 1220 on 7 Apr 1945, while still some 270 miles north of Okinawa, after being tracked by American reconnaissance aircraft and submarines almost the entire way, Yamato was attacked by waves and waves of American carrier planes. []
The Battleship Yamato Q2: By what attack vector, the vulnerability could have been exploited?
The Battleship Yamato Pwnage: [] After an agonizing two hours, the largest battleship in the world sank as the list reached nearly 90 degrees. []
The Battleship Yamato Q3: To adapt to the upcoming pwonage, what do you think it was possible to do, on-the-fly? or maybe after the inevitable happened?
The Battleship Yamato Zero-Day: [] She then exploded twice under water; the cause of the explosion was likely the shells from the primary and secondary magazines falling off their shelves and detonating their fuses against the overhead. []
The Battleship Yamato Q4: What do you think was the reason for all the opponents forces to concentrate a huge set of resources just against this single target ?
The Battleship Yamato Loss: Only 269 men survived the sinking super battleship. (Out of 2750 original crewlist)
Resilient Definition and Substantial meaning
OPEN TALK SESSION : R SAY ON TOPIC ! Few topics for you to Join the Talk [Before the third beer J] !
Assessment R SAY ON
Code Security R SAY ON
Code Security R SAY ON OWASP ASVS v.3.0
Disclosure R SAY ON
Going home by Train? R SAY ON http://trainwatch.u0d.de/
Thanks for your time ! We hope our message in a bottle left the shores ! Send your feedback with the reference #CODECANNOLI on our Social Channels ! To get in touch use instead @DEVMOB !
Code&Cannoli - 150113 - Feeling Vulnerable is Good! - v.1.1

More Related Content

Code&Cannoli - 150113 - Feeling Vulnerable is Good! - v.1.1