Need a hug? I'm secure.

Black Hat USA 2010

Presented by: Charles Henderson, Steve Ocepek
Date: Thursday July 29, 2010
Time: 15:15 - 16:30
Location: Forum 24
Track: Big Picture

0-days are a lot of fun. Whether it’s an overlooked buffer overflow, a poorly implemented encryption algorithm, or something downright bizarre, the thrill of breaking things is the reason most of us get hooked. That’s why Trustwave’s Global Security report is a bit sobering. Why are so many of these systems still vulnerable to SQL injection, LANMAN hash recovery, and default password guessing? And is an NFS exploit considered a 7665-day?

But this isn’t about getting bent out of shape about the state of information security. Without being too preachy, this talk is about what we can do to help turn things around. Because if there’s one thing that is clear, the need for information security will only increase. And we’re all feeling the growing pains.

The end of 2009 brought with it a great deal of controversy over the effectiveness of information security. We’re all pretty frustrated about it. But that’s the thing about growing up – you start to realize your own limitations. Like dieticians and dentists, we watch people make bad choices and wonder where we went wrong. And like them, we need to focus on the fundamentals: eating healthy, brushing your teeth, and blocking port 139. But man, that sounds pretty boring.

So maybe it’s time for a new approach. Maybe it’s not so much about the message, but how it’s getting delivered. And maybe there’s something we can do about that. After all, we’re pretty secure folks – we can handle the touchy-feely stuff, right?

Steve Ocepek

Trustwave

Steve Ocepek is the Director of Security Research at SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. Steve has been messing around with network security since 2001, when he unintentionally connected his new wireless card to an Oracle database cluster. From there, he started one of the first NAC companies, authored four patents, and got bought out twice. Steve holds a CISSP, and can be talked into almost anything that involves robots and PBR.

Charles Henderson

Trustwave

Charles Henderson is the Director of Application Security Services at Trustwave's SpiderLabs. He has been in the information security industry for over fifteen years. His team specializes in application security, including application penetration testing, code review, and training in secure development techniques. The team's clients range from the largest of the Fortune lists to small and midsized companies interested in improving their application security posture. Charles routinely speaks at conferences around the world on subjects relating to application security. Charles's team of deviants can be found at most Black Hat events where alcohol is served.
