How to conduct meaningful security testing with a reduced budget - an ethical hacker's view.

Slide 1

Security Testing in an Age of Austerity

Peter Wood, Chief Executive Officer

First•Base Technologies

An Ethical Hacker’s View

Slide 2 © First Base Technologies 2011

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First•Base in 1989 (one of the first ethical hacking firms)

CEO, First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security ‘expert’
Chair of Advisory Board at CSA UK & Ireland
Vice Chair of BCS Information Risk Management and Audit Group
Director UK/Europe, Global Institute for Cyber Security + Research
Member of ISACA London Security Advisory Group
Corporate Executive Programme Expert
IISP Interviewer

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa

Slide 3

How do you decide what to test?

1. External infrastructure penetration tests
2. Remote access tests
3. External web application tests
4. Internal network discovery and penetration tests
5. Internal Windows penetration tests
6. Server security reviews
7. Database and internal applications tests
8. Wireless penetration tests
9. Endpoint penetration tests
10. Social engineering tests

Slide 4

Consider the Risks

Threat

Vulnerability

Impact

Slide 5

Risk Example

Threat: Hacktivist

Vulnerability: Insecure web site

Impact: Reputational damage

Slide 8

Example threats

Slide 9

Example vulnerabilities

Slide 10

Example impacts

Slide 11

Preventative controls?

Slide 12

List threats and vulnerabilities

Threat source: Disaffected employees
Threat vector and scope: 1. Windows privilege escalation
Vulnerability analysis:
  1. Poor quality passwords
  2. Systems not patched up to date
  3. Inadequate logging and analysis

Threat source: Disaffected employees
Threat vector and scope: 2. Remote access
Vulnerability analysis:
  1. Inadequate logging and analysis
  2. Inadequate firewalling

Slide 13

Rate the impact of each event

(Ratings give the security property hit, C = confidentiality, I = integrity, A = availability, and a severity level from 1, low, to 5, high.)

Threat source: Disaffected employees
Threat vector and scope: 1. Windows privilege escalation
Vulnerability analysis:
  1. Poor quality passwords
  2. Systems not patched up to date
  3. Inadequate logging and analysis
Impact analysis:
  1. Widespread destruction of information (A5)
  2. Widespread corruption of information (I5)
  3. Theft of sensitive information (C5)
  4. Fraud (I5)

Threat source: Disaffected employees
Threat vector and scope: 2. Remote access
Vulnerability analysis:
  1. Inadequate logging and analysis
  2. Inadequate firewalling
Impact analysis:
  1. Destruction of selected information (A3)
  2. Corruption of selected information (I3)
  3. Theft of selected information (C3)

Slide 14

What to test?

• Threat analysis

- What are the real threats with high impact?

• Legal, policy and audit requirements

- What must we do to remain compliant?

• Incidents

- What has happened that worries us?

• Budgets

- How can we get the most from our budgets?
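The register built on slides 12 and 13 and the four questions on slide 14 can be turned into a small, repeatable procedure: score each threat scenario by its worst rated impact, book the tests that compliance demands first, then spend what budget remains on the highest-scored scenarios and record what had to be deferred. The Python below is an added example and is not part of Peter Wood's deck. The two "disaffected employees" rows reproduce the deck's register; the hacktivist row's I4 rating, the mapping from threat vectors to the ten test types on slide 3, the relative test costs, the choice of a mandatory test and the scoring rule are all assumptions made for illustration.

```python
"""Rank a security test programme from a threat / vulnerability / impact register.

Added example; not part of the original deck. The two "disaffected employees"
rows reproduce slides 12 and 13. The hacktivist row's rating, the mapping of
threat vectors to the deck's ten test types, the relative test costs and the
scoring rule are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    source: str                 # threat source
    vector: str                 # threat vector and scope
    vulnerabilities: list       # vulnerability analysis
    impacts: dict               # impact analysis: description -> rating such as "A5"
    tests: list                 # test types from slide 3 that would exercise this vector
    incident: bool = False      # has it already happened here? (slide 14: incidents)


def parse_rating(code):
    """Parse the deck's notation: a CIA letter followed by a level 1..5, e.g. 'A5'.

    Malformed codes raise rather than silently scoring zero, so a typo in the
    register cannot quietly push a scenario to the bottom of the list.
    """
    if len(code) != 2 or code[0] not in "CIA" or not code[1].isdigit():
        raise ValueError(f"bad impact rating {code!r}")
    level = int(code[1])
    if not 1 <= level <= 5:
        raise ValueError(f"impact level out of range in {code!r}")
    return code[0], level


def scenario_score(s):
    """Sort key (assumed rule): worst impact level, then whether it has already
    happened, then how many known weaknesses make it easier to realise."""
    worst = max(parse_rating(c)[1] for c in s.impacts.values())
    return (worst, int(s.incident), len(s.vulnerabilities))


def rank(scenarios):
    """Highest-risk scenario first."""
    return sorted(scenarios, key=scenario_score, reverse=True)


def plan_tests(scenarios, budget, cost, mandatory=()):
    """Turn the ranked register into an ordered test list that fits the budget.

    Mandatory tests (legal, policy and audit requirements) are booked first
    whatever their score. Each scenario's tests are then added in risk order,
    all-or-nothing per scenario, while they fit; a scenario that no longer
    fits is recorded as deferred rather than silently dropped.
    Returns (ordered tests, units spent, deferred threat vectors).
    """
    ordered, spent, deferred = [], 0, []
    for t in mandatory:
        if t not in ordered:
            ordered.append(t)
            spent += cost[t]
    for s in rank(scenarios):
        new = [t for t in s.tests if t not in ordered]
        extra = sum(cost[t] for t in new)
        if spent + extra <= budget:
            ordered.extend(new)
            spent += extra
        else:
            deferred.append(s.vector)
    return ordered, spent, deferred


# Constructed relative costs in budget units (not from the deck).
TEST_COST = {
    "External infrastructure penetration tests": 2,
    "Remote access tests": 2,
    "External web application tests": 3,
    "Internal Windows penetration tests": 3,
    "Server security reviews": 2,
    "Wireless penetration tests": 1,
}

REGISTER = [
    Scenario("Disaffected employees", "Windows privilege escalation",
             ["Poor quality passwords", "Systems not patched up to date",
              "Inadequate logging and analysis"],
             {"Widespread destruction of information": "A5",
              "Widespread corruption of information": "I5",
              "Theft of sensitive information": "C5", "Fraud": "I5"},
             ["Internal Windows penetration tests", "Server security reviews"]),
    Scenario("Disaffected employees", "Remote access",
             ["Inadequate logging and analysis", "Inadequate firewalling"],
             {"Destruction of selected information": "A3",
              "Corruption of selected information": "I3",
              "Theft of selected information": "C3"},
             ["Remote access tests", "External infrastructure penetration tests"]),
    # Slide 5's example. The deck gives no rating; I4 (defacement) is assumed,
    # as is treating it as an incident that has already happened.
    Scenario("Hacktivist", "Insecure web site", ["Insecure web site"],
             {"Reputational damage": "I4"},
             ["External web application tests"], incident=True),
]

if __name__ == "__main__":
    # Assumed: policy makes the wireless test mandatory; nine budget units available.
    tests, spent, deferred = plan_tests(REGISTER, budget=9, cost=TEST_COST,
                                        mandatory=("Wireless penetration tests",))
    for t in tests:
        print(f"{TEST_COST[t]:>2}  {t}")
    print(f"spent {spent} of 9; deferred: {deferred}")
```

With nine units the plan books the mandatory wireless test, then the two tests for the A5/I5/C5 privilege-escalation scenario, then the web application test for the hacktivist scenario that has already produced an incident; the remote-access scenario, rated only level 3, is the one deferred and named in the output so the decision is visible to whoever signs off the budget rather than lost.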

Slide 15

What to fix?

• Vulnerability analysis

- What are the real vulnerabilities with high impact?

• Legal, policy and audit requirements

- What must we do to remain compliant?

• Incidents

- What must we fix to prevent a recurrence?

• Budgets

- What can we afford to fix?

Slide 16

Need more information?

Peter Wood, Chief Executive Officer

First•Base Technologies LLP

[email protected]

Twitter: peterwoodx

Blog: fpws.blogspot.com

http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com