The need to evolve defensive security to offensive security

Posted on March 24, 2014 by Simon Roses

This morning I saw a job offer from Facebook looking for offensive security engineers and I thought it would be a wonderful opportunity to explore this idea and its application in corporate security.

Traditionally information security in enterprises has a defensive role based on different products (firewall, anti-virus, IDS, etc.). But when week after week we read in the media as businesses of all sizes are attacked and owned, something is wrong here!

Internet and its dangers have evolved but corporate security has not: too many companies follow decades old security schemes to protect their information.

As Nation-States develop not only their defensive capabilities but also their offensive capabilities, businesses should also enhance their offensive capabilities, not to attack other companies but to assess their own security effectively.

It is impossible that security consultants / pentesters with a limited time are able to truly verify the security of a company, which unfortunately is the model that most companies follow. No one presses the doctor when operating or the plumber when fixing a problem, but we press all the time security consultants to obtain compressive results in a short space of time.

It is necessary that corporate security evolves with offensive staff who truly understand the attackers (attacker mindset), who are capable of attacking systems and applications and have some freedom to do this in the company. These individuals are who can raise security to the next level.

Their objective is to constantly attack the company using actual techniques to discover the weak points and strengthen them, analyze malware identified in the company and even set traps to the attackers (honeypots). We should not confuse with Counter-Hacking, the idea that if we are attacked we must respond by attacking. No company should use its offensive capabilities to counter attack as this can unleash all kind of problems (legal and ethical). We must only use offensive capabilities internally to improve security, period.

Companies that do not evolve their security to a defensive and offensive model and enhance not only the technology but also its processes and people (the famous pyramid: people, processes, and technologies) are doomed to be owned for lifetime.

Has your company offensive security capabilities? How are they used?

— Simon Roses Femerling

Posted in Pentest, Security | Tagged , , , | 2 Comments

VULNEX Award and RSA USA speaker experience!

Posted on March 5, 2014 by Simon Roses

February has been both very interesting and busy! On February 17th I had the pleasure of collecting the first award of VULNEX by Spanish security magazine Red Seguridad for IT Innovation for our collaboration with DARPA (Defense Advanced Research Projects Agency of the Department of Defense, USA) which produced BinSecSweeper, a technology that allows us to verify the security posture of any binary.

You can find a great chronicle of the event here and below I am including a photo of the trophy :)

Trofeo_VULNEX

On 24-28 February I did attend for the first time the legendary RSA USA conference in San Francisco, in which I participated with a talk on security in software development and using BinSecSweeper to assess binaries entitled: “Writing Secure Software is hard, but at least add mitigations!“. I take this opportunity to thank attendees for the good feedback, I’m glad that so many liked my presentation! And of course also thank the organization for a great event.

RSA

The presentation is already available on VULNEX website.

BinSecSweeper_RSAUSA2014_1
BinSecSweeper_RSAUSA2014_2

It was my first time at RSA USA but certainly won’t be the last! In my opinion a must-attend event for all cybersecurity professionals.

Until next year!

— Simon Roses Femerling

Posted in Conference, Privacy, Security, Technology | Tagged , , , , , | Leave a comment

Enterprise Computer Security must CHANGE

Posted on December 5, 2013 by Simon Roses

Last week I had the pleasure of giving a talk entitled “Cyber Security: time for change” on my vision of corporate cyber security posture during an event organized by Page Personnel Spain (thanks for having me!), and I already advance that a change is much needed to combat the constant threats on the Internet.

The talk began with a description of the different attacker profiles from casual attackers, employees, hacktivists and cybercrime to Nation-State attackers and how security defenses are less effective depending on the attacker.

Every week we can read in the media about companies being compromised. If we look back in recent years companies like Google, Sony, Citi, RSA, Northrup Grumman, and the list continues, have been successfully attacked. These are companies with large resources and possibly a decent level of security (firewalls, IDS, anti-virus, patches policy, etc.) and still have not been able to defend themselves.

Much is being said about APT as sophisticated attackers, but it is not correct: they just know how to use their offensive capabilities more efficiently and only need one security flaw to compromise systems.

There is a security principle which I call “Reverse Continuous Assessment” that I usually speak about to my clients. It means that any computer connected to the Internet is “audited” at least once a week by some actor, what means that every system on the Internet is constantly “audited”; hence companies can no longer use the lame excuse: “we have no enemies; no one wants to attack us”. I always recommend performing periodic security assessment to know the status of our security and where to improve.

It is clear that we need a change to effectively protect ourselves. Today too many companies solely base their security strategy on the purchase of products such as firewall, IDS, antivirus, etc., which are technologies of earlier decades and clearly inadequate. There is a quote from Albert Einstein that shows this need for change: “Insanity: doing the same thing over and over again and expecting different results.”

In my view, organizations must create a true security strategy involving the entire company and changing their mentality. First of all, they must be clear on what information is valuable, what classification it has and where it is located (usually scattered throughout the organization). Only after this exercise they can begin to design their security strategy. How are they going to protect themselves when they do not know what or from who?

The security strategy should target three fronts: technology, processes and people. Just buying security products is not a real security strategy since it only applies to technology, neglecting processes and people who are equally or even more important.

Instead of intelligence I prefer to talk about vision, getting to know our organization and knowing what must be protected and from whom. Some aspects that our security strategy should address are the following:

  1. 100% dedicated security team: I understand that it is difficult for many organizations, but security is much more than managing anti-virus and firewalls. It is absolutely necessary to have qualified and dedicated staff to this task. Their training should be defensive in nature and periodic (at least annual), and it is also recommended that they have some basic offensive training to understand where attackers can come from and how to repel them.

  2. Training: the entire organization must receive security awareness training tailored to their jobs so they understand and avoid the dangers of the Internet, malicious documents, social networks risks, etc. Today the cost of online training is very affordable so there is no excuse.

  3. Active defenses: security defenses tend to be passive, waiting to be attacked, but they should be active. It doesn’t mean to attack the attackers -which may be even illegal because we don’t know if we counterattack the attacker itself or another victim-, but make them lose their time, waste resources or even detect and identify them by using technology such as honeypots. A fantastic project for this concept is Active Defense Harbinger Distribution (ADHD).

  4. Evaluate software security posture: companies have many applications installed on their systems and the security is entrusted to the software developer, but IT and/or security staff should be able to assess all these software. Security verification technologies such as VULNEX BinSecSweeper help in this regard.

  5. Secure development: I will never get tired of talking about the need of developing secure software, be it a website, a mobile App or other software, since today most attacks are due to insecure applications. Much to improve in this area!

  6. Greater use of security Open Source software: organizations have a tendency to buy commercial security products since they have often a better interface; however there are many security fantastic open source solutions (IDS, antivirus, firewall, etc.) that combined with commercial security products can greatly improve corporate security.

No doubt there are many more areas for improvement in the security strategy, but the ones described here are a good start. To achieve this without dying, we must have a capable team (people) and document everything (processes). Do not write hundreds and hundreds of pages that no one is going to read, but simple and well-structured documents describing the security processes and tasks.

Nobody says it is easy, but for sure it is necessary if we want to improve corporate security and protect ourselves from threats on the Internet; meanwhile we will continue watching in the media companies of any kind being compromised…

What is your opinion of the security strategy in organizations: works or not?

— Simon Roses Femerling

Posted in Pentest, Privacy, Security, Technology | Tagged , , , , , | Leave a comment