(My) BruCON 2015 notes (2)

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

cve-search: free software to collect, search and analyze Common Vulnerabilities and Exposures in software

Some of the goals of the tool:

  • perform vulnerability searches against an offline, local database.
  • fast lookup of vulnerabilities on different criteria.
  • allow localized classification of vulnerabilities; localized geographically or from the business perspective.
  • build new tools on top of the local database of software and hardware vulnerabilities.

Some of the components/features of the tool:

  • db_updater.py
    • the goal of the script is to fetch vulnerabilities from different data sources.
    • the data sources used are: NIST NVD, D2SEC, Microsoft Bulletin, vFeed.
    • the script can easily be extended to fetch other sources.
  • MongoDB
    • the database used to store the information.
  • search.py
    • used to search for vulnerabilities in the DB.
  • web interface
    • lets you view and search the data
    • color scheme for vulnerabilities
  • you can use your own tagging system to weight the critical software/vendors in your constituency.
  • you can compute statistics with external tools/languages like R
ex: search.py -p oracle.....| jq -r '.cvss' | Rscript .........
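As an added illustration of the local statistics and constituency weighting described above (not code from the talk or from the cve-search project), a small Python script: it assumes `search.py -p <vendor>` emits one JSON record per line with a `cvss` field; the `id` and `summary` field names, the weight map and the sample records are constructed assumptions.

```python
import json
from statistics import mean

# Constructed sample of the JSON-lines output that `search.py -p <vendor>` is
# assumed to emit (one CVE record per line); field names other than `cvss` are assumptions.
SAMPLE_OUTPUT = """\
{"id": "CVE-0000-0001", "cvss": 9.3, "summary": "constructed: remote code execution in vendor A product"}
{"id": "CVE-0000-0002", "cvss": 4.3, "summary": "constructed: reflected XSS in vendor A web console"}
{"id": "CVE-0000-0003", "cvss": null, "summary": "constructed: not yet scored"}
{"id": "CVE-0000-0004", "cvss": 7.5, "summary": "constructed: denial of service in vendor B daemon"}
"""

# Local tagging: weight the products that matter most to this constituency.
# Hypothetical keyword -> weight map; a real deployment would key on CPE names.
CONSTITUENCY_WEIGHTS = {"vendor A": 2.0, "vendor B": 0.5}

def parse_search_output(text):
    """Parse JSON-lines output into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def cvss_stats(records):
    """Summary statistics over scored entries; unscored (null CVSS) entries are counted separately."""
    scores = [r["cvss"] for r in records if r.get("cvss") is not None]
    return {
        "total": len(records),
        "unscored": len(records) - len(scores),
        "mean": round(mean(scores), 2) if scores else None,
        "max": max(scores) if scores else None,
        "high": sum(1 for s in scores if s >= 7.0),  # CVSS v2 "High" band starts at 7.0
    }

def rank_by_constituency(records, weights):
    """Rank CVEs by CVSS multiplied by the weight of the first matching local tag (1.0 if none)."""
    ranked = []
    for r in records:
        if r.get("cvss") is None:
            continue  # unscored entries cannot be ranked
        weight = 1.0
        for tag, w in weights.items():
            if tag in r.get("summary", ""):
                weight = w
                break
        ranked.append((r["id"], round(r["cvss"] * weight, 2)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    recs = parse_search_output(SAMPLE_OUTPUT)
    print(cvss_stats(recs))
    for cve_id, score in rank_by_constituency(recs, CONSTITUENCY_WEIGHTS):
        print(cve_id, score)
```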

Problems the application faces:

  • some vendors do not publish vulnerability information in a parsable way.
  • some vendors do not support the CPE naming convention.

Software using cve-search:

  • CVE-Portal
  • CVE-Scan
  • NorthernSec Vulnerability-Management (still under development)

Roadmap and future:

  • add vulnerability data sources from software and hardware vendors.
  • expand cve-search to include vulnerabilities without a CVE assignment.

(My) BruCON 2015 notes (1)

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

Nightmares of a Pentester

The goal is to present some (basic) tips that operational security teams (a.k.a. the Blue Team) can use to make life harder for pen-testers.

Some numbers about security breaches:

  • Verizon report: Quantify the impact of a data breach with new data from the 2015 DBIR
  • top 3 industries under attack: public sector, IT sector, financial services
  • 70% of the attacks target a second victim, so the first victim is a stepping stone to reach the real target
  • 90% of the incidents have people as their root cause (the weakest link).

Good security programs are built in, not bolted on.

External defenses tips and tricks:

Don’t talk to strangers:

  • implement blocks from all the emerging cyber-threat lists.
  • reject specific user-agent strings.
  • ban hosts that port scan you.

If you are going to talk, be sure to know who it is:

  • disable SMTP verify/validation.
  • analyze the certificates and the age of (external) domains.
  • use SPF for email validation.
  • use DNS analysis.
  • don’t forward DNS.

Internal defenses tips and tricks:

Your internal network is a hostile environment; treat it as such:

  • monitor the inside more than the outside.
  • segment all servers from users.
  • never use VPN pools; always tie a user to a specific IP address.
  • remove your network default route.
  • intercept all HTTP/S requests.

Users have the ability to use the company resources:

  • white-list the approved and managed software.
  • disallow local admin privileges.
  • users should only be allowed to go to categorized sites; any other traffic must be denied.
  • host-based firewalls, IDS and behavioral analysis.
  • scan all hosts for vulnerabilities on a regular basis.
  • randomize all the local admin passwords.

Servers have specific purposes:

  • do not install workstation software.
  • manage updates centrally.
  • segment the servers.
  • standard images should have no additional services installed.
  • do not allow local accounts to log in remotely.