Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Program
© Copyright Defensive Intuition, LLC 2004-2015
Paul Asadoorian
Day: Product Strategist, Tenable Network Security
Nights & Weekends: Founder & CEO, Security Weekly
About Paul
Agenda
• Some slides with random pictures from the Internet
• Paul talks about vulnerability management over said slides
• Folks may have questions or challenge my thoughts/ideas (please do)
• More random Internet pictures
• Paul ranting a bit more while laughing at ridiculous pictures
• These are the only bullets in this presentation…
• End with tips on how to be successful
Vulnerability Management…
You have all the right tools…
A Robot, Ninja & Pirate Get Into a Fight, Who Wins?
We have arguments like this all the time.
Sometimes they center around vulnerability management…
Why Do We Need Vulnerability Management?
You
The Internet
Don’t Be Blind…
You can’t fix what you don’t know is broken…
Meet The Robots, Ninjas and Pirates in the Security Dept.
The Robot
Without a care in the world…
“Going to scan the network!”
The Robot
Cares even less how long the report will be…
File -> Print…
Reporting!!!!
The Robot
What your network looks like after the scan…
The Robot
What the sysadmins, network admins, developers, help desk and operations are saying about you…
Robots reporting to management
“The chances of cross-site scripting being exploited are 725 to 1. It’s quite possible the buffer overflow attacks aren’t quite stable. The odds of successfully surviving an attack on the Apache web server are… [Shut up 3PO!] They’ve encased the web server in a WAF, it should be quite well protected, unless there is a bypass. I noticed the IPS pre-processor rules are damaged, it’s impossible to block attacks.”
Moral of the story…
The Ninjas
Wrote Nmap script to patch everything and disable TELNET.
The Report
The Network
Problems can be mysterious…
Sysadmins be like…
Ninjas be like…
Pirates
To find the booty…
I’m gonna scan your network. Hard.
During the scan…
The Report
Pirate in meeting after report has been distributed
Patch your shit!
Aaaaaaaaaarrgh!!
Pirates Lack Social Skillz
Sysadmins: Fear them…
Meet the Robot, Ninja and Pirate Attackers
Perception Of Scanning
Even a broken clock is right twice a day
“Your slave?”
“You wish! You’ll do shitwork, scan, crack copyrights…”
Attackers, like robots, automate…
Attacks above are common, but less severe (typically)
Or APT, or Cyber<something>
Ninjas
Cyber Pirate Attackers
Pirates will steal bandwidth, and they are often very loud.
Now We Understand Some Of The Dynamics
What we learned up to this point:
Vulnerability Management is HARD, attackers will not let up.
Shortcuts Are Trouble
“We’ll just scan once per quarter”
“We can just use the default scan policy”
“We can just scan parts of the network”
“We don’t care about finding all the vulnerabilities. Just show me the important ones. I can’t fix everything, so don’t bother showing me everything.”
5 Reasons Why This Will End Badly
#1 What you don’t know will probably be the thing that hurts you
#2 Ask any evil bad guy or penetration tester and they will tell you “we string together seemingly low severity vulnerabilities to achieve a goal”
Example: Chris Gates, From Low to Pwned (2012) https://www.youtube.com/watch?v=u68QvWXYW_Q
#3 External conditions change. Not patching a vulnerability because there is no public exploit today doesn’t mean there will not be an exploit in the future (or that someone doesn’t have one already)
#4 Internal conditions change. Not discovering vulnerabilities in XYZ software because you don’t use XYZ software is dangerous
Someone could be installing XYZ software as we speak
For Example…
#5 Vulnerability management is a historical reference.
You may not care which USB devices were plugged into your systems today, but when malware spreads via USB devices tomorrow…
Malware Here?
“Just send them the raw results”
“Just patch CVSS > 8.0”
Goals & Results Matter…
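The threshold shortcut (“just patch CVSS > 8.0”) and reasons #2, #4 and #5 above can be shown on constructed data with a small scan-history store. The following is an added example written for this page, not code from the talk, from Security Weekly or from Tenable; every host name, plugin name, package version and score in it is made up, and the functions `above_threshold`, `stacked_lows`, `hosts_running` and `first_seen` are this example's own names.

```python
"""Added example, not from the slides: a toy scan-history store.

It demonstrates two of the talk's points on constructed data:
  * "Just patch CVSS > 8.0" hides hosts that carry several lower-severity
    findings at once (the low-to-pwned chains reason #2 warns about).
  * Keeping every scan's results (reason #5) lets you answer, after the
    fact, "which hosts had software XYZ, and since when?" (reason #4).
All hostnames, plugin names, versions and scores below are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str          # what the scanner reported (constructed names)
    cvss: float          # 0.0 marks an informational entry
    software: str = ""   # package the entry is about, when known


# Constructed sample: three monthly scans of the same small network,
# keyed by ISO date so plain string comparison orders them correctly.
SCAN_HISTORY = {
    "2015-03-01": [
        Finding("web01", "XSS in login form", 4.3),
        Finding("web01", "Outdated OpenSSL", 7.5, "openssl-1.0.1"),
        Finding("db01", "Default credentials on DB listener", 9.8),
    ],
    "2015-04-01": [
        Finding("web01", "XSS in login form", 4.3),
        Finding("web01", "Verbose error pages leak paths", 5.3),
        Finding("web01", "Directory listing enabled", 5.0),
        Finding("web01", "Outdated OpenSSL", 7.5, "openssl-1.0.1"),
        Finding("app02", "Software enumeration: XYZ agent", 0.0, "xyz-agent-2.1"),
    ],
    "2015-05-01": [
        Finding("web01", "XSS in login form", 4.3),
        Finding("web01", "Verbose error pages leak paths", 5.3),
        Finding("web01", "Directory listing enabled", 5.0),
        Finding("app02", "Software enumeration: XYZ agent", 0.0, "xyz-agent-2.1"),
        Finding("app03", "Software enumeration: XYZ agent", 0.0, "xyz-agent-2.2"),
    ],
}


def above_threshold(findings, threshold=8.0):
    """The 'just patch CVSS > 8.0' view: only findings scored above threshold."""
    return [f for f in findings if f.cvss > threshold]


def stacked_lows(findings, threshold=8.0, min_count=3):
    """Hosts the threshold view ignores entirely yet that carry min_count or
    more scored findings: candidates for the chains of reason #2.
    Returns {host: number of scored findings}."""
    by_host = defaultdict(list)
    for f in findings:
        if f.cvss > 0.0:                      # skip informational entries
            by_host[f.host].append(f)
    return {
        host: len(fs)
        for host, fs in by_host.items()
        if len(fs) >= min_count and max(f.cvss for f in fs) <= threshold
    }


def hosts_running(history, software_prefix, as_of):
    """Hosts where software matching software_prefix was seen in the most
    recent scan on or before the ISO date as_of; empty if no scan precedes it."""
    earlier = [d for d in history if d <= as_of]
    if not earlier:
        return set()
    latest = max(earlier)
    return {f.host for f in history[latest]
            if f.software.startswith(software_prefix)}


def first_seen(history, software_prefix):
    """Date of the earliest scan that recorded the software, or None."""
    for d in sorted(history):
        if any(f.software.startswith(software_prefix) for f in history[d]):
            return d
    return None


if __name__ == "__main__":
    april = SCAN_HISTORY["2015-04-01"]
    print("CVSS > 8.0 in April:", above_threshold(april))      # nothing at all
    print("Stacked lows in April:", stacked_lows(april))       # {'web01': 4}
    print("XYZ agent first seen:", first_seen(SCAN_HISTORY, "xyz-agent"))
    print("Hosts with XYZ agent on 2015-05-20:",
          hosts_running(SCAN_HISTORY, "xyz-agent", "2015-05-20"))
```

In the April scan the threshold view returns nothing, while web01 carries four findings between 4.3 and 7.5 on one host; that is the case the threshold filter cannot see and the Low-to-Pwned talk describes. The history queries only work because every scan's results were kept: the question “who had the XYZ agent in mid-April?” is answered from the April snapshot, not from a rescan after the fact.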
Results Matter, Don’t Be Lazy
No one reads raw results
Can You Make That 8 a 7?
CVSS is subjective
Vulnerability Management Goals
Goal: Prevention – prevent bad things with the resources you have
Stop waiting around for the perfect solution!
Goal: Detection
Know where you are vulnerable and monitor
Goal: React – Define priorities and enable people to take action
Vulnerability management is a repeatable process.
Goal: Do it yourself.
Vulnerability scanning is not what a pen tester should do for you
Tools have matured to allow for continuous scanning.
Goal: Evaluate tools – Define the evaluation criteria
Virtualization, Cloud, Mobile, Patch Management, Agents, Web Apps.
Goal: Checks and Balances: How are my other defenses working or not?
Anti-Virus, Firewalls, Compliance/System Hardening Programs
Goal: Metrics: Don’t Give Up On Them
[Chart legend: Searches for “dating tips”; Searches for “fleshlight”]
What does management want to see?
Goal: Threat Modeling
Goal: Don’t just find a standard or copy what may work for others
Be a LEADER and set your own standards.
Goal: Get people to understand and change their behavior
Become a remarkable IT Security Leader
Some Fun Facts
Podcasts/Blogs/Videos: http://securityweekly.com
Contact Me: paul@securityweekly.com
http://securityweekly.com/attend
Security Weekly & Tenable are always hiring.
You can come to our studio on Thursday nights and watch the show live.
I post all my slides to http://slideshare.net/securityweekly
Larry really does have a tattoo in “that place”.
Jack is really old.
Also, Ninja is the winner.
