That - PowerPoint PPT Presentation

About This Presentation
Title:

That

Description:

That s Really not the Point haroon meer | charl van der walt SensePost Who we are SensePost {charl|haroon} _at_ sensepost.com What we do Time – PowerPoint PPT presentation

Number of Views:102
Avg rating:3.0/5.0
Slides: 25
Provided by: marie89
Category:

less

Transcript and Presenter's Notes

Title: That


1
Thats Really not the Point
  • haroon meer charl van der walt
  • SensePost

2
Who we are
  • SensePost
  • charlharoon _at_ sensepost.com
  • What we do
  • Time

3
How many blondes does it take to change a
lightbulb?
Who is this bad for?
A market for lemons
The Question of Incentives
An informed customer is better for everyone
Only one really the rest is all just marketing
The industry is flooded with snake-oil
4
Agenda
  • Introduction
  • A very funny joke
  • This really isnt the point
  • My scanner can beat up your scanner!
  • We have firewalls!
  • We have SSL / Encryption!
  • We have IPS / IDS !
  • Im safe, I use Vista / OSX / Plan9!
  • 0i-Wey its 0-Day. First time vulnerability
    release
  • Conclusion.
  • Questions ?

5
My scanner can beat up your scanner!
Detect security vulnerabilities on your
network !!!!!! makes use of of state of the art
vulnerability check databases based on OVAL and
SANS Top 20, providing over 15,000 vulnerability
assessments when your network is scanned. !!!!!!
gives you the information and tools you need to
perform multi-platform scans across all
6
But thats really not the point
7
My firewall is bigger than yours!
8
Watch how thats done
9
  • Your firewall choice IS still important
  • Management
  • Support
  • Performance
  • Etc
  • Understand that the perimeter is actuallyalready
    dead
  • Remember defense in depth
  • Remember the problem youre actually solving
  • Alligators in the swamp

So what is the point?
10
Luckily we have SSL
11
Luckily we have SSL
  • Another comment that just wont die..
  • Robert Morris (Snr.) on Encryption
  • If you think encryption will solve your problem,
    you probably dont understand encryption or you
    dont understand your problem.
  • The only difference between us attacking your
    HTTP server and your HTTPS server is that the 2nd
    option gives us privacy.
  • We were going to do a demo for this, but decided
    not to insult you..

12
  • We are not saying
  • That you should stop buying certificates..
  • That SSL is pointless
  • That you should run all your sensitive apps over
    HTTP
  • We are saying
  • Make sure you know what it buys you
  • Make sure you understand where it poses a threat
  • Quoting Dr. Mudge
  • A security device isn't necessarily a secure
    device.

So what is the point?
13
IDS / IPS / buzzword will save us
  • A very human problem
  • By its nature reactive
  • Our track record with IDS

14
Thats really not the point
15
  • We are not saying
  • Its always useless
  • always is always incorrect
  • We are saying
  • Is an IPS any better ?
  • A little.
  • Is it a panacea?
  • Anyone? Anyone?
  • A good solution (to 1994s problems?)
  • Does dismally against custom web applications
  • In the end, its a case of man vs. machine..
  • (hint (till 2045) bet on the man)
  • Know what it buys you..
  • Know its limitations..

So what is the point?
16
Vista / OSX / Plan9 will keep me safe
  • Defenses are constantly evolving
  • Sadly so are the attackers..
  • Nothing is 100 secure..
  • Should that be SAID A LITTLE LOUDER
  • Vista / OSX
  • The non-admin / non-root user fallacy
  • Why its really not the point..
  • Ultimately..
  • An improvement - sure!
  • A panacea
  • anyone? anyone?

17
THATs REALLY NOT THE POINT!!!
18
  • Defenses are constantly evolving
  • Sadly so are the attackers..
  • Nothing is 100 secure..
  • Should that be SAID A LITTLE LOUDER
  • Vista / OSX
  • The non-admin / non-root user fallacy
  • Ultimately..
  • An improvement - sure!
  • A panacea
  • anyone? anyone?

So what is the point?
19
0i-Wey its an 0-Day!
  • What is a 0-day? A threat that exposes
    undisclosed or unpatched computer application
    vulnerabilities
  • All the cool kids are into it!
  • Is it the end of the world as we know it?

20
Watch this 0-day attack in action!
21
But do you want to know what really happened?
  1. LM-Hashes
  2. Weak passwords always trump strong security
  3. Shared passwords

22
  • There will always be another 0-day
  • You cant stop the 0-day problem
  • Understand where on the vulnerability life cycle
    youll burn
  • 0-day is probably not how you will be owned
  • Security is equal parts people, technology and
    process
  • Make sure you have the basics covered
  • Remember defense in depth

So what is the point?
23
  • Pay attention to who is paying for the
    independent research..
  • Investigate the credentials of your experts..
  • Make sure that you are spending money solving
    problems you actually have..
  • Acknowledge that its not just the sexy problems
    that need fixing!
  • The next time your vendor says It does ltfoogt,
    ask yourself, if that is actually the point..

In conclusion
24
Thank You
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com