1 / 24

That’s Really not the Point…

That’s Really not the Point…. haroon meer | charl van der walt SensePost. Who we are. SensePost {charl|haroon} @ sensepost.com What we do… Time…. How many blondes does it take to change a lightbulb?. Who is this bad for?. A market for lemons. The Question of Incentives.

monicaferguson
Download Presentation

That’s Really not the Point…

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. That’s Really not the Point… haroon meer | charl van der walt SensePost

  2. Who we are • SensePost • {charl|haroon} @ sensepost.com • What we do… • Time…

  3. How many blondes does it take to change a lightbulb? Who is this bad for? A market for lemons The Question of Incentives An informed customer is better for everyone Only one really – the rest is all just marketing… The industry is flooded with snake-oil

  4. Agenda • Introduction • A very funny joke • This really isn’t the point • My scanner can beat up your scanner! • We have firewalls! • We have SSL / Encryption! • We have IPS / IDS ! • Im safe, I use Vista / OSX / Plan9! • 0i-Wey its 0-Day. First time vulnerability release • Conclusion. • Questions ?

  5. My scanner can beat up your scanner! Detect security vulnerabilities on your network !!!!!! makes use of of state of the art vulnerability check databases based on OVAL and SANS Top 20, providing over 15,000 vulnerability assessments when your network is scanned. !!!!!! gives you the information and tools you need to perform multi-platform scans across all …

  6. But that’s really not the point

  7. My firewall is bigger than yours!

  8. Watch how that’s done

  9. So what is the point? • Your firewall choice IS still important: • Management • Support • Performance • Etc • Understand that the perimeter is actuallyalready dead • Remember defense in depth • Remember the problem you’re actually solving • Alligators in the swamp

  10. WITH WITHOUT Luckily we have SSL…

  11. Luckily we have SSL… • Another comment that just wont die.. • Robert Morris (Snr.) on Encryption: • “If you think encryption will solve your problem, you probably don’t understand encryption or you don’t understand your problem”. • The only difference between us attacking your HTTP server and your HTTPS server is that the 2nd option gives us privacy. • We were going to do a demo for this, but decided not to insult you..

  12. So what is the point? We are not saying: • That you should stop buying certificates.. • That SSL is pointless • That you should run all your sensitive apps over HTTP We are saying: • Make sure you know what it buys you • Make sure you understand where it poses a threat • Quoting Dr. Mudge: • “A security device isn't necessarily a secure device”.

  13. IDS / IPS / *buzzword* will save us • A very “human” problem • By its nature reactive • Our track record with IDS…

  14. That’s really not the point

  15. So what is the point? We are not saying: • Its always useless • “always” is “always” incorrect We are saying: • Is an IPS any better ? • A little. • Is it a panacea? • Anyone? Anyone? • A good solution (to 1994’s problems?) • Does dismally against custom web applications • In the end, its a case of man vs. machine.. • (hint: (till 2045) bet on the man) • Know what it buys you.. • Know its limitations..

  16. Vista / OSX / Plan9 will keep me safe • Defenses are constantly evolving • Sadly so are the attackers.. • “Nothing” is 100% secure.. • Should that be “SAID A LITTLE LOUDER” • Vista / OSX • The non-admin / non-root user fallacy • Why its really not the point.. • Ultimately.. • An improvement - sure! • A panacea • anyone? anyone?

  17. THAT’s REALLY NOT THE POINT!!!

  18. So what is the point? • Defenses are constantly evolving • Sadly so are the attackers.. • “Nothing” is 100% secure.. • Should that be “SAID A LITTLE LOUDER” • Vista / OSX • The non-admin / non-root user fallacy • Ultimately.. • An improvement - sure! • A panacea • anyone? anyone?

  19. 0i-Wey its an 0-Day! • What is a 0-day? A threat that exposes undisclosed or unpatched computer application vulnerabilities • All the cool kids are into it! • Is it the end of the world as we know it?

  20. Watch this 0-day attack in action!

  21. But do you want to know what really happened? • LM-Hashes • “Weak passwords always trump strong security” • Shared passwords

  22. So what is the point? • There will always be another 0-day • You can’t stop the 0-day problem • Understand where on the vulnerability life cycle you’ll burn • 0-day is probably not how you will be owned • Security is equal parts people, technology and process • Make sure you have the basics covered • Remember defense in depth

  23. Pay attention to who is paying for the “independent research”.. • Investigate the credentials of your experts.. • Make sure that you are spending money solving problems you actually have.. • Acknowledge that its not just the “sexy” problems that need fixing! • The next time your vendor says “It does <foo>”, ask yourself, if that is actually the point.. In conclusion…

  24. Thank You Questions?

More Related