This document provides tips and tricks for security assessments in a fictionalized cyberpunk fairytale format. It discusses various methodologies for assessments, the importance of scoping, and strategies for effective teamwork and communication. Visualization techniques and tools for data are presented, as well as tips for organizing documentation, prototyping ideas, automating reporting processes, and tailoring results for different audiences. The overall goal is to provide high-level concepts and philosophies for planning, managing and crafting effective security assessments and reports.
5. advancedmonitoring.ru
@kchln
Why Struggle? More Secure / Less Secure
[Figure: system diagram (causal loop) with nodes Insecurity, System Evolution, Incidents, System Complexity, Introduce Controls, Response; positive and negative links, one enforcing loop, and an unresolved "???" node]
Tool: System Diagrams
6. advancedmonitoring.ru
Wanna skip to Ninjas part?
1. Choose methodology
   Technology specific – OWASP
   Task specific – PTES
   Domain specific – OSSTMM
   Result-oriented – CSC
2. Scoping
…
n. Rock’n’Roll!
9. advancedmonitoring.ru
When are you? Understand Their protocols
Enterprise runs hundreds of projects and processes when you happen … not going to stop
Plan – Identify & Analyze
Do – Develop Solution
Check – …and Improve Solution
Act – Implement Solution
You better know Their context
Tool: Deming cycle and whatever follows: PMBOK, ITIL, ISO9000
10. advancedmonitoring.ru
Pareto-zation. The benefit of hindsight
20% effort → 80% $$$
Proves to be correct over and over
Rarely used in planning
Why? No Data
Tool: Pareto, Knapsack problem
Log, don’t memorize
Work out logs and use in planning
12. advancedmonitoring.ru
Broken communication – any project’s issue
Phone call – I’ll call you back
E-mail – ignored, maybe in spam?
Checklist – too big – please e-mail
Interview – please send checklist
Discussion – I will do my way
AaaRghh!!!
13. advancedmonitoring.ru
Communicating in and out tricks
Fight fears – Appreciative Inquiry (5Ds)
Too sweet? Criticize! – Constructive Controversy
Explore causes – 5 Whys
Overcome egos – Six Hats
Tool: Communications scenarios. It’s not always the same
15. advancedmonitoring.ru
Skimming documentation
Don’t read or rewrite or annotate
Review and analyze
Structure – what’s there, what’s not
Any logic in bundle?
Check consistency
How up-to-date are the documents?
Authors available for comments?
Tool: Structure schemes, Sequence Diagrams
16. advancedmonitoring.ru
Organize Chaos
Track and Log *
List *
List of received documents
List of created documents for the project
UID * – use IDs across artifacts
IDs used by customer are inconsistent… often
Translation tables
ID != UID: IP is not UID, MAC – ?
Don’t stop halfway through:
Brainstorm → Mindmap? → Actions!
Tool: Affinity Diagram & workflow
17. advancedmonitoring.ru
Almost there? Report.Create
Outline first – don’t generate texts
List items and give Definitions
Structure and facts
Width/Depth Switching prototyping
Get approval/corrections
Get clarification
Tool: Outline & Example first, WDS Prototype (am)
18. advancedmonitoring.ru
Avoid extremes
Data and trends Visualization
ex.#1
Obvious vs. Preconceived
Simple vs. Complicated
Boring vs. Fancy
Report Texts
Full description vs. Screenshots/logs only
Boasting vulns vs. Hug problems
Hack Slang vs. Baby talk
ex.#2
Demonstrate. Communicate. Avoid
25. advancedmonitoring.ru
Report.Automate – Build your System
Store Data (received/generated)
Human readable
Machine readable
Itemized (lists)
Well named
Actionable
Edit, snippet taking
Filters, Sorting
Manage and service
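The translation table from the "Organize Chaos" slide (one project UID across artifacts, customer IDs normalized, IP is not a UID) and the machine-readable, itemized, filterable store from this slide, as one added Python example that is not part of the deck. The customer records, the A-nnnn UID scheme and the linking rule (MAC first, then host short name, never IP alone) are my assumptions.

```python
import ipaddress
from contextlib import suppress

# Constructed sample: the same hosts named inconsistently across customer artifacts,
# plus an IP address that two different assets have used (an IP is not a unique ID).
CUSTOMER_RECORDS = [
    {"src": "cmdb.xlsx", "host": "WEB-01",      "ip": "10.0.1.5",   "mac": "00:1A:2B:3C:4D:5E"},
    {"src": "scan.xml",  "host": "web-01.corp", "ip": "10.000.1.5", "mac": "00-1a-2b-3c-4d-5e"},
    {"src": "ticket-42", "host": "db01",        "ip": "10.0.1.9",   "mac": None},
    {"src": "scan.xml",  "host": "DB01",        "ip": "10.0.1.9",   "mac": "aa:bb:cc:dd:ee:01"},
    {"src": "ticket-57", "host": "kiosk-7",     "ip": "10.0.1.5",   "mac": None},
]

def norm_host(h):  # short name, lower case: "web-01.corp" and "WEB-01" -> "web-01"
    return h.strip().lower().split(".")[0]
def norm_ip(ip):  # strip leading zeros per octet ("10.000.1.5"), then validate
    return str(ipaddress.ip_address(".".join(str(int(o)) for o in ip.split("."))))
def norm_mac(mac):  # any separator or case; ValueError unless exactly 12 hex digits
    digits = "".join(c for c in (mac or "").lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_translation_table(records):
    """One project UID (assumed A-nnnn scheme) per asset: records link by MAC, then by
    host short name. An IP alone never merges two records; it is only recorded."""
    assets, by_key = {}, {}
    for r in records:
        keys = [("host", norm_host(r["host"]))]
        if r["mac"]:
            keys.insert(0, ("mac", norm_mac(r["mac"])))
        uids = {by_key[k] for k in keys if k in by_key}
        if len(uids) > 1:  # MAC says one asset, host name another: a human must decide
            raise ValueError(f"{r['src']}: record links assets {sorted(uids)}")
        uid = uids.pop() if uids else f"A-{len(assets) + 1:04d}"
        a = assets.setdefault(uid, {"uid": uid, "hosts": set(), "ips": set(),
                                    "macs": set(), "sources": set()})
        a["hosts"].add(keys[-1][1]); a["ips"].add(norm_ip(r["ip"])); a["sources"].add(r["src"])
        a["macs"].update(v for k, v in keys if k == "mac")
        by_key.update(dict.fromkeys(keys, uid))
    # sorted lists instead of sets: JSON-serializable, diff-friendly, readable by humans
    return [{k: sorted(v) if isinstance(v, set) else v for k, v in a.items()} for a in assets.values()]

def lookup(table, token):
    """Resolve a raw customer identifier (host, IP or MAC) to UIDs; an IP may hit several."""
    probes = {"hosts": norm_host(token)}
    for field, fn in (("ips", norm_ip), ("macs", norm_mac)):
        with suppress(ValueError):  # the token is simply not of this kind
            probes[field] = fn(token)
    return sorted(a["uid"] for a in table if any(v in a[f] for f, v in probes.items()))
```

`json.dumps(build_translation_table(CUSTOMER_RECORDS), indent=1)` is the human-readable copy of the same machine-readable table.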
27. advancedmonitoring.ru
Hurling results to “Them”
Pitches that should’ve made it but could as well fail:
SQLi up to RCE for any registered user
Any scary words like XSS
Database vulnerability leads to full compromise
Critical vulnerability in AAA config
Doh! You’re gonna get hacked soon
29. That’s all, folks!
Summary
Philosophy and high-level concepts
Planning and management
Report crafting
Communication tweaks
Visualization demystified
Organize chaos and keep tracking
Craft tools and build Your own System
Interpret results for presentation