WEBVTT

00:07.190 --> 00:08.960
Within any organization.

00:08.960 --> 00:15.080
We have networks which include firewalls, servers, routers, switches, clients, you name it.

00:15.110 --> 00:16.730
If it's in the network, it's there.

00:16.760 --> 00:18.230
We also have buildings.

00:18.230 --> 00:20.870
These can include doors, windows, parking lots.

00:20.900 --> 00:23.810
We even include fences and block cages.

00:23.810 --> 00:27.410
It can include all kinds of different aspects on the physical world.

00:27.410 --> 00:32.660
Attack surface management takes into account all of those different structures within the network,

00:32.690 --> 00:37.940
i.e. the logical world as well as the physical world, i.e. the buildings and the manpower.

00:37.970 --> 00:44.120
We take a comprehensive approach to identify and eliminate as many of these attack vectors as humanly

00:44.120 --> 00:44.870
possible.

00:44.870 --> 00:50.690
Sometimes we can't always eliminate them, but can we mitigate the opportunity that attackers can utilize

00:50.690 --> 00:53.660
that vector in order to attack our organization?

00:54.860 --> 01:01.320
Often when we look at edge discovery, we look at the overall perspective of the router on the internet,

01:01.320 --> 01:03.720
what is the edge of our network?

01:03.720 --> 01:10.350
And in most cases, it's going to be that one single router with redundancy at the edge of our computer

01:10.350 --> 01:10.890
network.

01:10.890 --> 01:17.580
This logical device that provides network address translation is the demarc between us and the rest

01:17.580 --> 01:21.330
of the world, and we need to identify it to adequately protect it.

01:21.360 --> 01:28.470
Edge discovery is the process of understanding how much of the information the attacker can gather from

01:28.470 --> 01:32.790
that edge point of view, whether it's the router or the server proxy.

01:32.820 --> 01:39.540
We need to understand what can the attacker see within our network from the edge on end into our organization,

01:39.540 --> 01:44.670
and how do we eliminate their perspective of seeing all that information inside of our network?

01:45.810 --> 01:52.650
We can often use security control testing to identify and eliminate certain controls within

01:52.650 --> 01:58.560
our enterprise environment. We often look at security scanning and we scan our assets, which we've

01:58.590 --> 02:01.410
talked about before. We do a risk assessment.

02:01.440 --> 02:03.000
Vulnerability scanning.

02:03.000 --> 02:09.690
We can also do what's called penetration testing, security auditing, ethical hacking, or even a posture

02:09.690 --> 02:15.150
assessment to find out how is our organization doing in comparison to where we would like to be.

02:15.180 --> 02:20.130
All of these scans and tests that we perform all have the same function in mind.

02:20.160 --> 02:26.250
How do I eliminate as many of the attack vectors, as many of the vulnerabilities, accessible from an outside

02:26.250 --> 02:27.840
threat as humanly possible?

02:27.870 --> 02:29.670
And now I said outside threat.

02:29.670 --> 02:32.790
But we also have to be looking at our internal employees as well.

02:32.790 --> 02:38.610
It's not uncommon to have an internal employee plug in a USB drive or get mad at our company and decide

02:38.610 --> 02:42.480
they're going to attack us from a different perspective inside of our own network.

02:42.480 --> 02:45.150
How do we identify that and how do we deal with it?

02:46.380 --> 02:52.530
Pentesting, or penetration testing, is the utilization of hacking to identify different vulnerabilities

02:52.530 --> 02:56.700
inside of our network and take advantage or exploit those vulnerabilities.

02:56.730 --> 03:02.890
A pentest is a contractual agreement between the organization and a team of pentesters, whether

03:02.890 --> 03:09.400
inside your own company and hired, or outside your company, i.e. a third party, to evaluate your network,

03:09.400 --> 03:13.240
evaluate the vulnerabilities, and then go through and actually exploit them.

03:13.240 --> 03:19.660
Their job is to take an outside look at your organization and figure out where you're weakest inside your

03:19.660 --> 03:20.290
stance.

03:20.290 --> 03:26.110
They often require a scope of work, which clearly identifies what they're allowed to do and what they're

03:26.110 --> 03:27.100
not allowed to do.

03:27.130 --> 03:31.240
Certain things that they may not be allowed to do are maybe social engineering your employees.

03:31.240 --> 03:35.500
Maybe you, as an organization, don't want your employees dealing with that, and it could provide some

03:35.500 --> 03:37.840
legal parameters or legal problems for you.

03:37.870 --> 03:43.570
There was a pen test created in Texas years and years ago where a pen testing company went through,

03:43.570 --> 03:49.300
and they were hired by a city to perform a pen test on their organization's computer system.

03:49.300 --> 03:54.970
They took it a step too far and broke into the physical records room to show that they were vulnerable

03:54.970 --> 03:56.980
to physical penetration testing.

03:56.980 --> 03:58.420
The cops caught up to them.

03:58.420 --> 03:59.350
They laughed it off.

03:59.380 --> 04:05.470
They showed their contract. However, their scope of work did not detail physical access to their records

04:05.470 --> 04:05.890
room.

04:05.920 --> 04:11.680
This problem, within their contractual obligation, meant that they were actually charged and fined

04:11.680 --> 04:15.370
for breaking and entering into an area they were not allowed to be in.

04:15.400 --> 04:18.040
Penetration testing is very identified.

04:18.040 --> 04:24.130
It is a very thin scope of work and is clearly defined with what they can and cannot do.

04:24.160 --> 04:29.290
If you're interested in pen testing, one of the first things I tell everyone is: go get a lawyer.

04:29.290 --> 04:32.890
Make sure they're reviewing your contract and make sure you're being legal about it.

04:32.920 --> 04:37.240
It's very easy to cross that line and end up in jail if you're not careful.

04:38.080 --> 04:43.750
Bug bounty programs offer an efficient method for rapidly identifying vulnerabilities through a crowdsourced

04:43.750 --> 04:44.440
approach.

04:44.440 --> 04:47.140
There's many companies that have bug bounty programs.

04:47.140 --> 04:50.140
Within a bug bounty program, you often go to their website.

04:50.140 --> 04:52.330
You sign up to identify yourself.

04:52.360 --> 04:54.610
You fill out some paperwork and some emails.

04:54.610 --> 04:59.170
You correspond with them, and then you're certified as a bug bounty tester.

04:59.170 --> 05:03.080
Once you've been identified, you then go through and test their website.

05:03.110 --> 05:08.720
Now, a bug bounty is sort of a penetration tester perspective, but it's much more crowdsourced.

05:08.750 --> 05:10.190
It's much more open source.

05:10.190 --> 05:12.170
You can test their web applications.

05:12.170 --> 05:15.860
You can test their internal systems if you have permission.

05:15.860 --> 05:21.260
Again, make sure you're identifying what your scope of work includes with a bug bounty program.

05:21.260 --> 05:26.630
Once you've identified a flaw, you're contractually obligated to turn that flaw over to them, and

05:26.630 --> 05:29.600
in return, they pay you for identifying the flaw.

05:29.630 --> 05:34.850
This often occurs where the higher severity of the flaw is, or the more technical the flaw is, the

05:34.850 --> 05:36.050
more money they pay you.

05:36.050 --> 05:40.730
It's not uncommon to have bug bounty programs and companies like Tesla or even Microsoft.

05:40.760 --> 05:45.200
Now, I would look on those websites and make sure they're still active before I go out there and start

05:45.200 --> 05:51.170
randomly testing or performing web penetration testing on their mobile sites. You could get yourself

05:51.170 --> 05:53.960
in a lot of trouble with different legal problems.

05:55.730 --> 06:01.460
Reduction of the attack surface to a system or organization is paramount for any organization.

06:01.460 --> 06:04.880
We want to do surface reduction for the attacker's perspective.

06:04.880 --> 06:06.680
We want to do control testing.

06:06.710 --> 06:08.360
We're testing how it works.

06:08.360 --> 06:11.330
We're testing hey, what does the attacker have access to?

06:11.360 --> 06:17.540
What can they see? As much of that attack surface as we can eliminate is good for us as

06:17.540 --> 06:18.080
a whole.

06:18.080 --> 06:20.000
We want to do vulnerability assessments.

06:20.000 --> 06:21.830
How is the vulnerability interacting?

06:21.830 --> 06:24.920
What can the attacker see as far as vulnerabilities go?

06:24.950 --> 06:28.970
Can I eliminate all or as many of those vulnerabilities as possible?

06:29.000 --> 06:31.670
A vulnerability assessment can teach us those perspectives.

06:31.670 --> 06:33.410
We talked about penetration testing.

06:33.410 --> 06:35.210
We talked about bug bounty programs.

06:35.210 --> 06:40.400
We really want to understand what is our attack surface, and how can I eliminate that attack surface

06:40.430 --> 06:44.690
so that people can't see what my internal workings of my programs or my infrastructure is?

06:44.690 --> 06:47.630
But this goes beyond just our enterprise environment.

06:47.630 --> 06:48.980
What about our gates?

06:49.010 --> 06:50.390
What about our doors?

06:50.390 --> 06:56.090
If I have physical access into a system, then I've eliminated all the technical approaches that you

06:56.090 --> 06:56.960
can handle.

06:56.990 --> 07:03.180
I had a company that I worked for where their server room was at the bottom floor of this installation,

07:03.180 --> 07:08.040
and at the time we had employees that smoked. To get into our building, you had to go through a gate

07:08.040 --> 07:10.050
and that gate had a problem.

07:10.050 --> 07:11.220
It was often broken.

07:11.220 --> 07:12.630
People were always working on it.

07:12.660 --> 07:17.670
It wasn't uncommon in 2 or 3 days out of the week to have that gate wide open with nobody guarding it,

07:17.670 --> 07:22.950
no PIN code required, but it would usually be fixed by the middle of next week, only to have it break

07:22.980 --> 07:25.140
again another week and be standing wide open.

07:25.140 --> 07:26.160
This was a problem.

07:26.160 --> 07:27.990
It opened up our attack surface.

07:28.020 --> 07:31.500
Once you went in, you went into the parking lot and you had to go through a gate.

07:31.500 --> 07:34.590
You had to keycard yourself into the main entry point.

07:34.590 --> 07:39.600
There was a security guard standing there waiting to take anybody that didn't have the proper code or

07:39.600 --> 07:41.100
the proper identification.

07:41.100 --> 07:46.470
We would have vendors showing up all the time, and it wasn't uncommon to have a vendor come in, identify

07:46.470 --> 07:51.720
themselves, and then meet with somebody to have them taken to the appropriate building or the appropriate

07:51.720 --> 07:54.090
office to meet with the person they were going with.

07:54.120 --> 07:57.330
However, you could easily tailgate in those areas.

07:57.330 --> 08:02.040
I remember one time I was literally carrying 2 or 3 boxes and somebody just let me right in.

08:02.040 --> 08:07.080
I had no idea who they were, and the security guard didn't even check my verification of my ID to make

08:07.110 --> 08:08.220
sure that I worked there.

08:08.250 --> 08:12.360
Now, I had seen that security guard 2 or 3 times, so maybe he saw me.

08:12.360 --> 08:13.410
Maybe he didn't.

08:13.410 --> 08:17.700
But the fact is that he didn't check my security credentials. I could have been fired

08:17.700 --> 08:21.780
yesterday or even 2 or 3 weeks ago, and he probably wouldn't have been the wiser.

08:21.810 --> 08:25.860
The problem is that I didn't have to go through any of that if I wanted to break into the company

08:25.890 --> 08:31.710
server room, because on the back door, smokers would often prop that door open so they could easily

08:31.710 --> 08:36.960
access the building, smoke their cigarette, and then they would just leave it open willy nilly, especially

08:36.960 --> 08:38.640
during a nice spring day.

08:38.640 --> 08:44.220
So without having those controls in place, I've opened my entire server room to physical access.

08:44.250 --> 08:51.510
Physical access means that I can bypass firewalls, I can bypass IDS, I can bypass millions, if not

08:51.510 --> 08:55.410
billions of technical controls just by plugging a USB into the server.

08:55.440 --> 08:56.610
This is a problem.

08:56.610 --> 09:01.920
We need to identify all attack surfaces and make sure our policies are being followed to the T.
