Presented by the elite organization of white hat hackers most widely known for being the first to break the iPhone, and the only security consulting firm engaged on the security team of USC’s Project Cloud initiative, this session will analyze the anatomies of real-world attacks against high-profile systems. It will extract lessons from these attack anatomies to provide a framework that accounts for modern attackers, put that framework in the context of the Media & Entertainment industry, and supply attendees with key takeaways, including immediately actionable guidance.
3. About ISE
Attacks
I. Assets vs. Perimeters
II. Black Box vs. White Box
III. Security vs. Functionality
IV. Build In vs. Bolt On
ISE Confidential - not for distribution
7. About ISE
ISE Proprietary
Analysts • Hackers; Cryptographers; RE
Perspective • White box
Research • Routers; NAS; Healthcare
Customers • Companies w/ valuable assets to protect
Exploits • iPhone; Android; Ford; Exxon; Diebold
28. III. Security vs. Functionality
EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE
SALES    IT    HR    ...
         |
         +-- IT FUNCTIONALITY
         +-- IT SECURITY
29. III. Security vs. Functionality
EMBARRASSINGLY OVERSIMPLIFIED CORPORATE STRUCTURE
SALES    IT    HR    SECURITY
         |
         +-- IT FUNCTIONALITY
         +-- IT SECURITY
…
41. IV. “Build It In,” Not “Bolt It On”
Phase           Functional activity               Security activity (built in)
REQUIREMENTS    Determine business & user needs   Develop threat model
DESIGN          Define architecture               Design defense in depth
IMPLEMENTATION  Coding                            Audit code
TESTING         System testing                    White box vulnerability assessment
DEPLOYMENT      Customer roll-out                 Configuration Guidance
MAINTENANCE     Resolve bugs                      Iteration Hardening
42. IV. “Build It In,” Not “Bolt It On”
                          Built In     Bolted On
Assessment cost           90%          100%
Assessment overhead       - - -        - - -
Mitigation cost / issue   1x           25x: application
                                       300x: infrastructure