Vulnerabilities and Threats: The Past, Present and Future

Description:

Present information to help you understand your information security strategy ... [Ira Winkler & Dan Ryan] Toronto Area Security Klatch. Definitions ... – PowerPoint PPT presentation

Transcript and Presenter's Notes

1
Vulnerabilities and Threats: The Past, Present and Future
  • Mike Murray - Director of Vulnerability Research
  • March 29, 2006

2
Intro
  • The Past: Pen-Testing and Vulnerability
    Assessment
  • The Present: Vulnerability Management
  • The Future
  • Disclaimers
  • Information Technology Focused
  • Vendor Neutral
  • Objectives
  • Present information to help you understand your
    information security strategy today and tomorrow

3-4
The Birth of Vulnerability Assessment
5
Security Configuration Weaknesses
  • The Earliest Discovery
  • Exploits mostly human weakness in setting up
    operating systems
  • Simple class of attacks
  • Exploiting access control failures
  • Improper Directory permissions
  • Unrestricted access to servers
  • Failures in trust relationships
  • Grabbing password files
  • Incorrect program behavior
  • Debug Interfaces
  • Attackers were unsophisticated

6
The Buffer Overflow
  • Phrack 49 - November 8, 1996.
  • Aleph1 - Smashing the Stack for Fun and Profit
  • The first real sophisticated vulnerabilities
    start to emerge
  • A buffer overflow required knowledge of assembly
    and coding skill
  • Hackers now had to be more technical
  • Readily available exploit code actually makes
    breaking into computers easier
  • The golden age of server hacking begins.

7
Past Vulnerability Assessment
8
The Birth of Vulnerability Management (agent-less)
Lightning Console/Nessus
2004
9
The Birth of Vulnerability Management (agent-less)
Lightning Console/Nessus
2004
Buffer Overflows Increase Sophistication
New Attack Vectors emerge
10
Memory Attack Sophistication
  • Buffer overflows become more sophisticated
  • Polymorphic shell-code
  • More advanced use of memory spaces
  • Designed to evade detective controls
  • Other memory-based attacks
  • Format String attacks
  • Integer Overflow attacks

11
New Attack Vectors Emerge
  • Web-based applications become a target
  • As web-apps become common, researchers target web
    apps
  • SQL Injection, XSS, access control breaches
  • Data driven attacks
  • Begin to see browser attacks
  • Internet Explorer proves vulnerable

12-23
From the Past to the Present
24
The Present
nTellect Product
SIH Product
2005
2007
2006
Client Side Attacks Are Key
Human attacks increase
25
Client-side attacks
  • Microsoft hardens their operating systems
  • As massive server-based vulnerabilities
    disappear, client interaction becomes key
  • We see the majority of issues affect the client
  • Major exploits require user-interaction
  • Email
  • Web-page viewing
  • Opening of attachments

26
Human Weakness
  • Attacks rely on social engineering
  • Phishing
  • Spyware/Adware/bot installations
  • Exploiting by providing value
  • We have come full-circle
  • Humans are, in general, weaker than computers.

27
Present Vulnerability Management
  • Gartner's "grand unified theory of security" has
    defined Vulnerability Management as one of four
    high-level security processes that are key to the
    effectiveness and efficiency of enterprise
    security.

28
Creating a Balanced Security Ecosystem
29
Measure, Manage, Reduce Risk
  • Obstacles
  • Enumeration of Vulnerabilities is an insufficient
    set
  • The consumers of this information are no longer the
    security geeks
  • Risk-related information is fragmented and out of
    sync
  • Requirements for the future
  • Risk-related Intelligence that allows for proper
    preemptive, preventive, and protective actions to
    be taken.
  • Risk-related Intelligence integrated with both
    other technologies and the processes of the
    enterprise
  • Risk-related Intelligence that drives the
    decision-making ability of the business
  • Less is more

30
Managing Risk Across the Enterprise
Ira Winkler & Dan Ryan
31
Definitions
  • Vulnerability \Vulnerability\, n.
  • The quality or state of being vulnerable
  • Threat \thret\, n.
  • Intelligence of something that is a source of
    danger
  • Countermeasures \Countermeasure\, n.
  • an action taken to offset another action
  • Valuation \Valuation\, n.
  • the act of estimating value or worth; the value
    set upon a thing

32-43
From the Present to the Future
44
Requirements for Future Security Intelligence
  • Considerations
  • Breadth of data to be considered
  • Depth of knowledge to be understood
  • Speed required for decision making
  • Functional Objectives
  • Remote Discovery of IP, Ports, Services,
    Applications, Vulnerabilities, Operating Systems
  • Discovery of Network Transit Paths and
    Countermeasures (vertices for all nodes)
  • Target System Valuations
  • Integrated Counterintelligence of the Threat
  • Continuous, Scheduled, Triggered, and Ad hoc
    discovery
  • Use of Baseline and Benchmarks (SP-800-70)
  • Open Bi-directional Integration of Functionality
    and Intelligence
  • Complete and Total Integration with the Business
    Intelligence Systems

45
Requirements for Future Security Intelligence
  • Measure, Manage, and Reduce Operational Risk
    through Security Intelligence

46
Foreshadowing
  • The biggest upcoming threat is mobile devices
  • Pod Slurping
  • Mobile Manager devices
  • Massive storage, low profile devices
  • Generally developed without security controls in
    place
  • Designed for the mass market
  • We are not prepared.

47
Thank you
  • mmurray_at_ncircle.com
  • http://blog.ncircle.com