open security - chad cravens

Post on 20-Jan-2017

Open Security
How Open Source Dominates InfoSec

Chad Cravens
Open Source Systems

www.ossys.com

About The Speaker

2007 – Graduate of New Mexico Institute of Mining and Technology (Scholarship for Service Recipient)

2007 – 2011 – Federal Employee at SPAWAR (Space and Naval Warfare Systems Center)

2012 – Software Engineer at Small Wall St Firm

2014 – Founded Open Source Systems

Chad Cravens
Charleston, SC

Software Fanatic

Stickler for Software Quality and Security!

What to Expect from Today’s Talk

A Pragmatic and Realistic View of the Landscape

• What is the problem?
• What are the open source tools available?
• How have these tools been used and/or exploited?
• How is open source a double-edged sword?

Questions during presentation are welcomed!

Information Security

The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

The Pillars of InfoSec
- Confidentiality
- Availability
- Integrity

https://en.wikipedia.org/wiki/Information_security

A Brief History of Modern InfoSec

1970 – John Draper uses famous Captain Crunch Whistle (2600 Mhz) to hack AT&T lines (Phreaking)

1986 – The “Brain” Computer Virus was released against MS-DOS. Computer Fraud and Abuse Act of 1986 was passed as law.

1988 – The Morris Worm was one of the first Internet-distributed worms to pop up

1990’s – As the popularity of the Internet grows, so do the complexity and frequencies of attacks, in particular viruses

2000’s – Unprecedented levels of hacks, rise of Application-layer attacks and self-propagating malware

What is Open Source?

Open Source is Collaborative Development

We are all standing on the shoulders of giants

Programming Languages, a Foundation

GNU Compiler Collection (GCC)
Arguably one of the most widely-adopted compilers used by the hacker community. Supports C, C++, Objective C, Java and Ada. Can be used to:
- Create tools
- Create exploits / shellcode
- Analyze (network / system calls / encryption / etc)
- Supports Linux / Unix variants, Mac OSX and Windows

Python
A go-to tool for hackers that is supported by default by a large number of systems:
- Create tools
- Create exploits / shellcode
- Simply perform network operations

And more open source languages…

Some of the most popular open source languages

And better late to the party than never… Welcome Microsoft!

Open Standards

A standard that is publicly available and has various rights associated with it, and may also have various properties of how it was designed (e.g. open process).

https://en.wikipedia.org/wiki/Open_standard

Hackers Can Exploit These Standards

Transmission Control Protocol (TCP), RFC 793

Exploit an Open Standard

Using Open Source Programming Languages

To create one of the most popular open source network reconnaissance tools available and used by hackers

And this is how it starts…

Open the flood gates for open source network security tools!

- Real-time analysis of network traffic
- Filtering and color-coding

- Network and vulnerability recon
- Analyze firewall rules and routing

- Run exploits on remote systems
- Create backdoors / control remote systems

- Scan networks for vulnerable systems
- Run exploits on remote systems

But wait, there’s more…

Open the flood gates for open source network security tools!

- Real-time analysis of network traffic
- Filtering and color-coding

- Used to pipe network streams
- “Swiss army knife” of network tools

- Run exploits on remote systems
- Create backdoors / control remote systems

Real-time analysis of network traffic

Open Source Security Distro

Kali Linux
Includes more than 600 open source security tools, just like the ones previously mentioned!!

Includes all the aforementioned tools and much more installed and ready to rock

• Vulnerability Scanning
• Service Discovery
• Password Cracking
• Security Tool Development
• WiFi Cracking
• … and much much more

Additional Open Standards / Groups

Open Source Vulnerability Database

Open Web Application Security Project

Open Vulnerability and Assessment Language

Organization for the Advancement of Structured Information Standards

And many more not mentioned here….

OSVDB - Searching Vulnerabilities

OSVDB’s goal is to provide accurate, detailed, current, and unbiased technical security information. The project currently covers 120,980 vulnerabilities, spanning 198,976 products from 4,735 researchers, over 113 years.

Application Layer Security

Multiple Layers of Attack

All aforementioned tools attack at this layer

We have not yet touched this layer

Like an Onion

Application Layer vs Network Layer Attacks

Network Layer Attacks Application Layer Attacks

Open Standards: Reviewed Over Years By The Best in the Industry

Open Source Implementation: Reviewed by dozens or hundreds of developers over years

Open Source Implementation: Reviewed by dozens or hundreds of developers over years

Hire a Team of Developers: Usually the lowest bidder

Knowledge and Skills..?

Deploy Your Custom App: Usually not reviewed

Hackers Exploit Your App: Direct Access to Your Data

Debunking the Myths

“My App is Closed Source, Therefore It’s Secure”
Reality:
- Source code is not needed to circumvent security
- Licensing has little effect on the security of software

“We Use Open Source, Therefore We Are Secure”
Reality:
- Open-sourcing bad / insecure code will not make it secure
- Only good coding practices will create secure code
- Having more reviewers may benefit the security of a project

Tools to Debunk the Myths

A tool used to exploit proprietary and custom-developed applications

A tool used to exploit proprietary and custom-developed applications

Nikto

Zed Attack Proxy (ZAP)

Proxy-based application vulnerability assessment

Application Vulnerabilities

OWASP Top 10
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards

The Other Side of the Coin

Open Standards along with Open Source IS Security

Open Source Security Tools
OpenSSH – De-facto Standard to Connect Securely to Remote Computers
OpenSSL – De-facto Standard for Secure Web SSL/TLS Communication
and much much much more…

Open Security Standards
SAML – Open Standard for Secure Web-Based Single Sign On (SSO)
CVE – Common Vulnerabilities and Exposures List
PCI DSS – Payment Card Industry Data Security Standard
AES – Advanced Encryption Standard
and much much much more…

US Federal Law
FISMA – Federal Information Security Management Act
HIPAA – Health Information Portability and Accountability Act

Open Source Digital Forensics

Open Source Forensics

… a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.

Sleuthkit & Autopsy

https://en.wikipedia.org/wiki/Digital_forensics

Open Source Security Training

What’s the Missing Link?

Knowledge!!

Unlimited Learning Opportunities!!

Open Security Training
http://opensecuritytraining.info/

SecurityTube
http://www.securitytube.net/

MIT OCW
http://ocw.mit.edu/

Coursera
http://coursera.org/

The Open Source Security Ecosystem

Open Standards

Open Standards Organizations

Open Source Languages

Open Source Security Tools

KSA

Open Source Breaks Barriers

Unlimited Opportunities / Unlimited Resources

- Learn About Cyber Security
- Implement Security in Your Organization
- Research Cyber Security
- Attend Cyber Security Conferences
- Start an Open Source Security Project
- Information Security Scholarship Programs

To make a career or….

Questions?

Thank you!
chad.cravens@ossys.com
