En dag i livet til en sikkerhetsanalyst
| Av: | Erik Inge Bolsø & Kacper Wysocki |
|---|---|
| Kontakt: | kwy@redpill-linpro.com & knan@redpill-linpro.com |
| Dato: | 26.oktober, 2010 |
Attacks
- physical
- social
- virii & worms
- trojans
all because of bugs!
Better security
(or: Sleep well at night with:)
- Security Reviews
- Application reviews
- Black box Pentesting (automation
- Secure design
Better security continued
- Infrastructure improvements
- Host-based Intrusion Detection
- Network Access Control
- (Firewall with egress filters)
- Web Application Firewall
Sleep better by being better
- Intrusion Prevention System
- Across the board training!
- it's easy to attack, hard to defend
Infrastructure
The incident...
- 15:30:16 - Web Client alert, XSS attempt
- priority: high, impact: may be vulnerable
- Incidence Response team assesses the alert...
The incident... explained
- 15:30:16 - Web Client aWeb Client alert, XSS attempt
- priority: high, impact: may be vulnerable
- Incidence Response team assesses the alert...
- 15:30:33 - Portable executable binary file transfer
- 15:39:01 - Analyst responds to event
- 15:42:05 - not a FP, must escalate.
Change of POV:: The attack
- attacker sends an email to HR address
- business hours indicate high probability mail will be read
- mail read on backoffice station, on internal network
- attacker may ring in to support
Change of POV:: The victim
- poor victim :-(
Protecting the victim
- IPS drops the attack packets
- What if...
- ... no IPS, just IDS?
- ... IPS has no rule for attack?
Protecting the innocent
- HTTP Proxy
- might not block -> honeypot?
- Host-based intrusion detection
- White lists, compliance
Protecting the innocent
- HTTP Proxy
- might not block -> honeypot?
- Host-based intrusion detection
- Passive detection (RNA) + white list compliance
- Full Packet Capture
Questions?
We like questions!