Hackers, Attack Anatomy & Security Trends by Ted Harrington of ISE

ISE Proprietary

H A C K E R S & A T T A C K A N A T O M Y

Ted Harrington, Executive Partner | [email protected]

mailto:[email protected]

Why is this important?

ISE Proprietary

Attacks

III. Security vs. Functionality

ISE Confidential - not for distribution

I. Assets vs. Perimeters

About ISE

II. Black Box vs. White Box IV. Build In vs. Bolt On

ISE Proprietary

ISE Proprietary

ISE Proprietary

About ISE

ISE Proprietary

Analysts

• White box

Perspective

• Hackers; Cryptographers; RE

Research

• Routers; NAS; Healthcare

Customers

• Companies w/ valuable assets to protect

Exploits

• iPhone; Android; Ford; Exxon; Diebold

ISE Proprietary

ISE Proprietary

I. Secure Assets, Not Just Perimeters

ISE Proprietary


Traditional Attacks Traditional Defenses

1

1

ISE Proprietary


1

2

ISE Proprietary


1

3

ISE Proprietary

ISE Proprietary

II. Black Box Penetration Tests == Good

ISE Proprietary

II. Black Box Penetration Tests == Good

ISE Proprietary

White box vulnerability assessment == GOOD!

II. Black Box vs. White Box

ISE Proprietary

• Access Level

• Black Box

• White Box

• Evaluation Types

• Penetration Test

• Vulnerability Assessment


ISE Proprietary

Black Box Perspective


ISE Proprietary

White Box Perspective


ISE Proprietary


ISE Proprietary

Black Box

2 mo. / 200 hrs.

4 potential issues

1 confirmed

none

no recommendations

very low

200+ hrs.

White Box

2 mo. / 200 hrs.

11 confirmed

10 confirmed

21+ mitigation strategies

high

~9 hrs.

~9 hrs.

Time/cost

Severe issues

Other issues

Results

Completeness/Confidence

Cost/issue

Cost/solution

8

ISE Proprietary

SOHO Routers: Outcomes

ISE Proprietary

Goals Results

10 13

Any Remote, Local, Both

>30% 100% Broken

Models

Attacks

Compromise

ISE Proprietary

ISE Proprietary

ISE Proprietary


ISE Proprietary


ISE Proprietary

EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE

SALES IT HR ...

IT FUNCTIONALITY IT SECURITY


ISE Proprietary

EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE

SALES IT HR SECURITY

IT FUNCTIONALITY IT SECURITY

…


ISE Proprietary

CONFLICT IS GOOD!


ISE Proprietary

I. Security Separated From Functionality






ISE Proprietary

ISE Proprietary



IV. “Build It In,” Not “Bolt It On”

ISE Proprietary


ISE Proprietary


ISE Proprietary

REQUIREMENTS

DESIGN

IMPLEMENTATION

TESTING

DEPLOYMENT

MAINTENANCE

Determine business &

user needs

Define architecture

Coding

System testing

Customer roll-out

Resolve bugs

Develop threat model

Design defense in depth

Audit code

White box vulnerability

assessment

Configuration Guidance

Iteration Hardening


ISE Proprietary

Built In

90%

- - -

1x

Bolted On

100%

- - -

25x : application

300x : infrastructure

Assessment cost

Assessment overhead

Mitigation cost / issue

Get Involved

ISE Proprietary

Ted Harrington Executive Partner

[email protected]

ISE Proprietary

Hackers, Attack Anatomy & Security Trends by Ted Harrington of ISE

Technology

perimeters ise proprietary

ise proprietary iv

ise proprietary attacks

ise proprietary h

ise proprietary bui

ise proprietary soho

functionality ise confidential

distribution ise confidential