Agenda
The ages of security
Why do you need to do this?
Type of Security Assessments
• Vulnerability Scanning
• Penetration Testing
• IT Audits
Conclusion
Assessing Security
Defense in depth: 1000 years ago
[Figure: Ages of Security, a timeline running from the Stone Age through the Bronze Age to the Information Age]
Fundamental Tradeoff
[Figure: triangle with the three corners Secure, Usable, Cheap]
Assessing Security
Type of Security Assessments
3 Basic Types
Vulnerability Scanning
• Focuses on known weaknesses
• Of the three, requires the least expertise
• Generally easy to automate
Penetration Testing
• Focuses on unknown weaknesses
• Requires advanced technical expertise
• Carries tremendous legal burden in certain countries/organizations
IT Security Audits
• Focuses on security policies and procedures
• Of the three, requires the most expertise
• When done right is the most effective type of assessment
Vulnerability Scanning
Looks for:
The same mistakes that everyone else makes
The kind of things that get easily missed
• Service packs, hot fixes, weak passwords
Common settings on software you are not familiar with
Susceptibility to attack
• Known weaknesses with known attacks (think DOS attacks)
Vulnerability Scanning Tools
Vulnerability Scans Miss The Biggest Threat To Your Security
Problem In Chair, Not In Computer
MBSA 1.2: What It Does
Helps identify vulnerable Windows systems
• Scans for missing security patches and common security mis-configurations
• Scans various versions of Windows and other Microsoft applications, incl. Office
• Scans local or multiple remote systems via GUI or command line invocation
• Generates XML scan reports on each scanned system
[Diagram: Microsoft Download Center → MBSA → Computer / SUS Server]
*Only covers security patch scanning capabilities, not security configuration detection issues
MBSA: How It Works*
1. Run MBSA on Admin system, specify targets
2. Downloads CAB file with MSSecure.xml & verifies digital signature
3. Scans target systems for OS, OS components, & applications
4. Parses MSSecure to see if updates available
5. Checks if required updates are missing
6. Generates time stamped report of missing updates
MSSecure.xml contains:
• Security Bulletin names
• Product specific updates
• Version and checksum info
• Registry keys changed
• KB article numbers
• Etc.
[Diagram: Microsoft Download Center → MSSecure.xml → MBSA → Computer / SUS Server]
*Only covers security patch scanning capabilities, not security configuration detection issues
Demo
Using MBSA
The good
The bad
The ugly
How to Measure Security With Vulnerability Scanning
Pick metrics and start tracking
• Compliance with baseline security
• Security features enabled and up to date (Anti-virus)
• Days from patch release to application
Divide networks by segment to better detect unmanaged systems
Create bonuses for IT staff based on metrics
Compare metrics to previous time periods or other divisions
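Added example, not MBSA's or Microsoft's code: a miniature version of MBSA steps 4 to 6 from the "How It Works" slide (parse the catalog, find missing updates, stamp a report) that also computes two of the tracking metrics from the slide above (baseline compliance and days from patch release to application). The catalog format, bulletin names, KB numbers, hosts and dates are constructed stand-ins, not real MSSecure.xml data.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed stand-in for MSSecure.xml: bulletin name, KB number, release date.
CATALOG_XML = """<catalog>
  <update bulletin="MS-EXAMPLE-001" kb="KB000001" released="2004-01-13"/>
  <update bulletin="MS-EXAMPLE-002" kb="KB000002" released="2004-02-10"/>
  <update bulletin="MS-EXAMPLE-003" kb="KB000003" released="2004-03-09"/>
</catalog>"""

# Constructed scan results: per host, installed KB -> date it was applied.
# (Step 2, the signature check on the downloaded CAB, is out of scope here.)
INVENTORY = {
    "host-a": {"KB000001": "2004-01-20", "KB000002": "2004-02-12",
               "KB000003": "2004-03-10"},
    "host-b": {"KB000001": "2004-02-02"},
}

def parse_catalog(xml_text):
    """Step 4: catalog -> {kb: release date} for every update it lists."""
    root = ET.fromstring(xml_text)
    return {u.get("kb"): date.fromisoformat(u.get("released"))
            for u in root.findall("update")}

def missing_updates(catalog, installed):
    """Step 5: required updates the host does not have, sorted for the report."""
    return sorted(kb for kb in catalog if kb not in installed)

def report(catalog, inventory, scanned_on):
    """Step 6: time-stamped report of missing updates per host."""
    return {"scanned": scanned_on,
            "hosts": {h: missing_updates(catalog, inst)
                      for h, inst in inventory.items()}}

def metrics(catalog, inventory):
    """Slide metrics: baseline compliance (% of hosts with nothing missing) and
    mean days from patch release to application over all applied patches."""
    compliant = sum(1 for inst in inventory.values()
                    if not missing_updates(catalog, inst))
    lags = [(date.fromisoformat(applied) - catalog[kb]).days
            for inst in inventory.values()
            for kb, applied in inst.items() if kb in catalog]
    return {"baseline_compliance_pct": round(100.0 * compliant / len(inventory), 1),
            "mean_days_release_to_apply": round(sum(lags) / len(lags), 1)}
```

With the constructed data, `report(parse_catalog(CATALOG_XML), INVENTORY, "2004-03-15")` flags host-b as missing KB000002 and KB000003, and `metrics(...)` gives 50.0 % baseline compliance with a mean lag of 7.5 days.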
Penetration Testing
Looks for:
Unknown weaknesses
Locating unpredictable sequences of vulnerability exploits that lead to bigger exploits
Helps illustrate the consequences of exploits
Helps answer the "big" question
Penetration Testing 101
There are no rules
Think physical
Think low hanging fruit
• Avoid the myth of the movie
Remember that people make the same mistakes
• Unpatched systems, weak passwords
It is all about getting trust
IT Security Audits
1st rule of security:
• You cannot have strong security over a reasonably sized network without security policy
2nd rule of security:
• A security policy without assessment is only slightly better than no security policy
Security design model
[Diagram: Policy, Process and Technology layers, with Operations, Documentation and Implementation around them]
Start with policy
Build process
Apply technology
Policy: Passwords
Measuring Security Policy
[Diagram: Documented Security Policy, Procedures, Operations]