Security

No description
by

Dustin Dykes

on 7 September 2013

Transcript of Security

University of North Texas (20130903)
Introduction
Dustin Dykes, CISSP
17 years in security consulting
Former military and law enforcement
Over 200 penetration tests
Primary focus: government and education
Overview
Lessons Learned
Physical Security and Social Engineering
Electronic Access Controls
Physical Locks
Drop Boxes
The Security Process
“Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.”

--Bruce Schneier (Security Futurologist for BT)

Bad Processes
Equal
Bad Security
Security is NOT Static
“The search for static security - in the law and elsewhere - is misguided. The fact is security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts.”

--William Osler (Canadian Physician, 1849-1919)

Security IS Dynamic
“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.”

--Charles Darwin (British Naturalist, 1809-1882)

Castle Defenses
New Attack Vector
Game Over
“There is no security on this earth… there is only opportunity” [1]

--General Douglas MacArthur

1. Adage: paraphrase without citation.
Roles
Attacker vs. Defender
White Hats vs. Black Hats
Security is Illusory
"Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing."

--Helen Keller (American author, political activist, and lecturer, 1880-1968)
DEFENDER
1,000’s of systems
10,000’s of services
100,000’s patches
99.99% SUCCESS rate = FAILURE
New vulnerabilities announced daily
0-day exploits
Social engineering
99.99% FAILURE rate = SUCCESS
ATTACKER
Security Lexicon
Process vs. Product
Static vs. Dynamic
Unobtanium
Attack and Penetration Testing
Definition, Purpose, and Limitations
Physical Security and Social Engineering
External Internet Testing
Internal Network Testing
Wireless Testing
LOCATION: Internal, Local, Remote
TRUST LEVEL: Untrusted, Limited Trust, Full Trust
MOTIVATION: Opportunistic, Determined, Obsessive
RESOURCES: Unfunded to Nation State
Purpose
Validation vs. Discovery

"In theory, there is no difference between theory and practice. But, in practice, there is."

"Доверяй, но проверяй"
--Russian Proverb (trust, but verify)
Definition
Penetration Testing

A coordinated and methodical effort to bypass security controls and obtain unauthorized access to systems, resources, or information.
Penetration Tester

A specialized defender who uses SOME of the tools and methodologies employed by attackers.
Limitations
External Internet Testing
Default Configurations
Web Server Directory Browsing
Poorly Designed Web Applications
Internal Network Testing
Unpatched Applications/Systems
Weak Passwords
Overly Permissive Shares
Wireless Testing
WEP!
Weak WPA2 PSK
Misconfigured WPA2 Enterprise
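The "Web Server Directory Browsing" finding listed under External Internet Testing is one that defenders can catch in their own configuration before a tester does. The following Python script is an added example written for this transcript; it is not code from the talk or from the speaker. It parses constructed Apache and nginx configuration snippets (the weak setting beside its corrected form) and reports every directory context that still allows directory listings. The config text, paths and function names are all constructed for illustration.

```python
import re

# Constructed Apache vhost with directory browsing enabled: the finding itself.
WEAK_APACHE = """
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
"""

# Same vhost, hardened: Indexes explicitly removed from Options.
HARDENED_APACHE = """
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
"""

# Constructed nginx server block with autoindex turned on for one location.
WEAK_NGINX = """
server {
    listen 80;
    root /var/www/html;
    location /files/ {
        autoindex on;
    }
}
"""


def find_apache_directory_browsing(config_text):
    """Return the <Directory> paths whose Options line enables listings.

    Both 'Indexes' and 'All' (which includes Indexes) count as enabled;
    a leading '-' (e.g. '-Indexes') disables the option and is ignored.
    """
    findings = []
    current = None  # path of the <Directory> block we are inside, if any
    for line in config_text.splitlines():
        s = line.strip()
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', s, re.I)
        if m:
            current = m.group(1)
            continue
        if re.match(r'</Directory>', s, re.I):
            current = None
            continue
        if s.lower().startswith('options'):
            for token in s.split()[1:]:
                name = token.lstrip('+-').lower()
                if name in ('indexes', 'all') and not token.startswith('-'):
                    findings.append(current or '<global>')
    return findings


def find_nginx_autoindex(config_text):
    """Return the location prefixes (or '<server>') with 'autoindex on;'."""
    findings = []
    context = ['<server>']  # stack of enclosing location prefixes
    for line in config_text.splitlines():
        s = line.strip()
        m = re.match(r'location\s+(\S+)\s*\{', s)
        if m:
            context.append(m.group(1))
            continue
        if s == '}':
            if len(context) > 1:
                context.pop()
            continue
        if re.match(r'autoindex\s+on\s*;', s, re.I):
            findings.append(context[-1])
    return findings


if __name__ == '__main__':
    print('Apache (weak):    ', find_apache_directory_browsing(WEAK_APACHE))
    print('Apache (hardened):', find_apache_directory_browsing(HARDENED_APACHE))
    print('nginx (weak):     ', find_nginx_autoindex(WEAK_NGINX))
```

Run against real configuration files, the two functions give a quick pre-engagement check: any path they return is a place where a web client would receive a file listing instead of a 403, which is exactly the class of default-configuration finding the slide calls out.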
Questions & Opinions

Dustin Dykes
dustin@wirefall.com
http://www.wirefall.com

Dallas Hackers Association
http://www.meetup.com/Dallas-Hackers-Association/