Hackers, Attack Anatomy & Security Trends by Ted Harrington of ISE

476 views

Published on

Presented by the elite organization of white hat hackers most widely known for being first to break the iPhone and the only security consulting firm engaged in the security team of USC’s Project Cloud initiative, this session will analyze the anatomies of real world attacks against high profile systems. It will extract lessons from these attack anatomies to provide a framework to account for these modern attackers, articulate context to the Media & Entertainment industry, and supply attendees with key takeaways, including immediately actionable guidance.

Published in: Technology
  1. ISE Proprietary. HACKERS & ATTACK ANATOMY. Ted Harrington, Executive Partner | Ted.Harrington@securityevaluators.com
  2. Why is this important?
  3. Agenda (ISE Confidential - not for distribution): About ISE; Attacks; I. Assets vs. Perimeters; II. Black Box vs. White Box; III. Security vs. Functionality; IV. Build In vs. Bolt On
  4. [image-only slide]
  5. [image-only slide]
  6. [image-only slide]
  7. About ISE
     Perspective: White box
     Analysts: Hackers; Cryptographers; RE
     Research: Routers; NAS; Healthcare
     Customers: Companies w/ valuable assets to protect
     Exploits: iPhone; Android; Ford; Exxon; Diebold
  8. [image-only slide]
  9. [image-only slide]
  10. I. Secure Assets, Not Just Perimeters
  11. I. Secure Assets, Not Just Perimeters: Traditional Attacks / Traditional Defenses (diagram)
  12. I. Secure Assets, Not Just Perimeters (diagram, continued)
  13. I. Secure Assets, Not Just Perimeters (diagram, continued)
  14. [image-only slide]
  15. II. Black Box Penetration Tests == Good
  16. II. Black Box Penetration Tests == Good. White box vulnerability assessment == GOOD!
  17. II. Black Box vs. White Box
      Access Level: Black Box; White Box
      Evaluation Types: Penetration Test; Vulnerability Assessment
  18. II. Black Box vs. White Box: Black Box Perspective
  19. II. Black Box vs. White Box: White Box Perspective
  20. II. Black Box vs. White Box
  21. II. Black Box vs. White Box: comparison
                                  Black Box                    White Box
      Time/cost                   2 mo. / 200 hrs.             2 mo. / 200 hrs.
      Severe issues               4 potential, 1 confirmed     11 confirmed
      Other issues                none                         10 confirmed
      Results                     no recommendations           21+ mitigation strategies
      Completeness/Confidence     very low                     high
      Cost/issue                  200+ hrs.                    ~9 hrs.
      Cost/solution               -                            ~9 hrs.
  22. [image-only slide]
  23. SOHO Routers: Outcomes
                       Goals     Results
      Models           10        13
      Attacks          Any       Remote, Local, Both
      Compromise       >30%      100% Broken
  24. [image-only slide]
  25. [image-only slide]
  26. [image-only slide]
  27. III. Security vs. Functionality
  28. III. Security vs. Functionality: EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE. Departments: SALES | IT | HR | ...; IT contains IT FUNCTIONALITY and IT SECURITY
  29. III. Security vs. Functionality: EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE. Departments: SALES | IT | HR | SECURITY | ...; IT FUNCTIONALITY and IT SECURITY now sit in separate departments
  30. III. Security vs. Functionality: CONFLICT IS GOOD!
  31. III. Security vs. Functionality
  32. I. Security Separated From Functionality
  33. I. Security Separated From Functionality
  34. I. Security Separated From Functionality
  35. [image-only slide]
  36. [image-only slide]
  37. [image-only slide]
  38. [image-only slide]
  39. IV. “Build It In,” Not “Bolt It On”
  40. IV. “Build It In,” Not “Bolt It On”
  41. IV. “Build It In,” Not “Bolt It On”: security activity per SDLC phase
      Phase            Development activity               Security activity
      REQUIREMENTS     Determine business & user needs    Develop threat model
      DESIGN           Define architecture                Design defense in depth
      IMPLEMENTATION   Coding                             Audit code
      TESTING          System testing                     White box vulnerability assessment
      DEPLOYMENT       Customer roll-out                  Configuration guidance; Hardening
      MAINTENANCE      Resolve bugs                       Iteration
  42. IV. “Build It In,” Not “Bolt It On”: cost comparison
                                 Built In     Bolted On
      Assessment cost            90%          100%
      Assessment overhead        - - -        - - -
      Mitigation cost / issue    1x           25x (application); 300x (infrastructure)
  43. Get Involved
  44. Ted Harrington, Executive Partner, ted.harrington@securityevaluators.com