
Advanced Security Center Overview



  1. Advanced Security Center Overview Northern Illinois University

  2. Who am I?
     • Nathan McFeters, Senior Security Advisor, Ernst & Young’s ASC
     • Based out of Chicago, serving as a Security Evangelist for the Midwest region
     • Noted public speaker, including: Black Hat Europe (2008), Black Hat Federal (2008), Black Hat Japan (2007), ToorCon 9 (2007), DEFCON 15 (2007), Hack in the Box Malaysia (2007)
     • Speaking at ToorCon Seattle next week
     • Blogger on ZDNet’s Zero Day Security Blog (http://blogs.zdnet.com/security)
     • Security Researcher with numerous vulnerabilities reported to vendors

  3. Advanced Security Center Overview
     • Dedicated Team
     • Cost Efficient and Scalable
     • Physical and Logical Controls
     • Collaborative Environment
     • Centralized Management & Operations
     • Standardized Methodologies and Tools
     • Consistent Quality Control Procedures
     • Knowledge Transfer

  4. Global Locations
     • Houston
     • New York
     • London
     • Dublin
     • Paris
     • Buenos Aires
     • Singapore

  5. Thought Leadership – Publications
     • Network Security Tools
     • HackNotes Linux and Unix Security Portable Reference
     • Defending the Digital Frontier
     • Hacking Exposed: Web Applications – Contributing Author
     • Hacking Exposed: Windows 2000 – Contributing Author
     • Ajax Security Basics, SecurityFocus.com

  6. Thought Leadership – Public Speaking
     • Black Hat Europe: 2008
     • Black Hat Federal: 2008
     • RSA: 2008
     • Hack in the Box – Malaysia: 2007
     • ToorCon 9: 2007
     • Tecnofin Info Security Forum – Mexico City: 2007
     • DEFCON 15: 2007
     • Black Hat Europe: 2007
     • Black Hat Las Vegas: 2005
     • Vanguard Security Conference: 2005 & 2006
     • New York Software Industry Association: 2006

  7. Thought Leadership – Security Advisories
     • Adobe Security Advisory published two days ago – DNS Rebinding Flaw in Adobe Flash’s URLLoader class due to DNS canonicalization handling
     • Macintosh Apple Security Bulletin 2008 – Format String Vulnerability in iPhoto on Mac OS X Leopard
     • CVE-2007-4041 – Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 allow remote attackers to execute arbitrary commands
     • CVE-2007-3670 – Firefox "firefoxurl://" URI Handler Registration Vulnerability
     • CVE-2007-3294 – Netscape "navigatorurl://" URI Handler Registration Vulnerability
     • SecurityFocus BID 24927 – Trillian is Vulnerable to Remote Command and Remote Code Execution through “aim://” URI
     • Microsoft Security Bulletin MS07-035 – Integer Overflow Condition in “res://” URI Handler
     • Microsoft Security Bulletin MS06-056 – XSS Exposure in .NET Framework

  8. Testing Data Collection
     • We captured 551 tests with 4200 individual findings
     • 29% of the reports are Infrastructure, and 71% are application
     • We identified an average of 68.5 instances of issues across all tests
     • More than 37755 instances of findings
     • More than 15156 instances (40%) of high risk findings

  9. Overall Metrics
     • 88% of our tests have at least one high risk finding
     • 58% of all high risk issues require a low level of effort to exploit
     • 54% of all identified issues require only a low level of effort to remediate

  10. Infrastructure Metrics
     • Only 1% of all issues identified during infrastructure testing could be remediated by implementing a patch
     • 67% of all issues identified during infrastructure testing could be remediated by a configuration change
     • “Vulnerable service open” and “Weak Database Administrator Password” are the two most common high risk infrastructure vulnerabilities and make up 58% of all high risk infrastructure issues

  11. Application Metrics
     • 93% of our application tests have at least one high risk finding
     • 70% of the high risk issues identified during application testing require a low level of effort to exploit
     • 46% of high risk issues identified during application testing require only a low level of effort to remediate
     • 57% of the high risk issues identified during application tests require changes to the application code to be remediated

  12. Web Application (In)Security

  13. The Problem

  14. The Cause
     10 Most Critical Web Application Vulnerabilities (Source: www.owasp.org):
     • Cross Site Scripting (XSS)
     • Injection Flaws
     • Malicious File Execution
     • Insecure Direct Object Reference
     • Cross Site Request Forgery (CSRF)
     • Information Leakage & Improper Error Handling
     • Broken Authentication and Session Management
     • Insecure Cryptographic Storage
     • Insecure Communications
     • Failure to Restrict URL Access
     [Diagram: application stack layers labelled Data, Application, Server/Services, Operating System and Infrastructure, with a “Traditional Security” label]
     Root Cause: Developers without security experience

  15. Web Application Security: The Solution
     • Application Security Testing
       • Methodology and Tools
         • Black Box: WebSmack, XS-Sniper
         • Grey Box: Prophet, DBHoldup
     • Education
       • Leverage Test Results
       • Hands-On
     • Integration of Both into our Client’s Systems Development Lifecycle (SDLC)

  16. ASC Application Assessment Tools

  17. ASC Application Assessment Tools (cont.)

  18. ASC Application Assessment Tools

  19. ASC Application Assessment Tools (cont.)
