Security Testing in an Age of Austerity

How to conduct meaningful security testing with a reduced budget - an ethical hacker's view.



Transcript

  • 1. Security Testing in an Age of Austerity
    An Ethical Hacker's View
    Peter Wood, Chief Executive Officer, First•Base Technologies
  • 2. Who is Peter Wood?
    Worked in computers & electronics since 1969
    Founded First•Base in 1989 (one of the first ethical hacking firms)
    CEO, First Base Technologies LLP
    Social engineer & penetration tester
    Conference speaker and security 'expert'
    Chair of Advisory Board at CSA UK & Ireland
    Vice Chair of BCS Information Risk Management and Audit Group
    Director UK/Europe, Global Institute for Cyber Security + Research
    Member of ISACA London Security Advisory Group
    Corporate Executive Programme Expert
    IISP Interviewer
    FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
    Registered BCS Security Consultant
    Member of ACM, ISACA, ISSA, Mensa
    Slide 2 © First Base Technologies 2011
  • 3. How do you decide what to test?
    1. External infrastructure penetration tests
    2. Remote access tests
    3. External web application tests
    4. Internal network discovery and penetration tests
    5. Internal Windows penetration tests
    6. Server security reviews
    7. Database and internal applications tests
    8. Wireless penetration tests
    9. Endpoint penetration tests
    10. Social engineering tests
  • 4. Consider the Risks
    Threat, Vulnerability, Impact
  • 5. Risk Example
    Threat: Hacktivist. Vulnerability: Insecure web site. Impact: Reputational damage.
  • 6. Example threats
  • 7. Example vulnerabilities
  • 8. Example impacts
  • 9. Preventative controls?
  • 10. List threats and vulnerabilities
    Threat source: Disaffected employees
    Threat vector and analysis scope: 1. Windows privilege escalation
    Vulnerability analysis: 1. Poor quality passwords; 2. Systems not patched up to date; 3. Inadequate logging and analysis

    Threat source: Disaffected employees
    Threat vector and analysis scope: 2. Remote access
    Vulnerability analysis: 1. Inadequate logging and analysis; 2. Inadequate firewalling
  • 11. Rate the impact of each event
    Threat source: Disaffected employees
    Threat vector and analysis scope: 1. Windows privilege escalation
    Vulnerability analysis: 1. Poor quality passwords; 2. Systems not patched up to date; 3. Inadequate logging and analysis
    Impact analysis: 1. Widespread destruction of information (A5); 2. Widespread corruption of information (I5); 3. Theft of sensitive information (C5); 4. Fraud (I5)

    Threat source: Disaffected employees
    Threat vector and analysis scope: 2. Remote access
    Vulnerability analysis: 1. Inadequate logging and analysis; 2. Inadequate firewalling
    Impact analysis: 1. Destruction of selected information (A3); 2. Corruption of selected information (I3); 3. Theft of selected information (C3)
  • 12. What to test?
    • Threat analysis - What are the real threats with high impact?
    • Legal, policy and audit requirements - What must we do to remain compliant?
    • Incidents - What has happened that worries us?
    • Budgets - How can we get the most from our budgets?
  • 13. What to fix?
    • Vulnerability analysis - What are the real vulnerabilities with high impact?
    • Legal, policy and audit requirements - What must we do to remain compliant?
    • Incidents - What must we fix to prevent a recurrence?
    • Budgets - What can we afford to fix?
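The list, rate and decide procedure of slides 10 to 13, as an added worked example that is not part of the deck: the two scenarios from the tables are encoded as data, each impact code such as (A5) is read as a CIA attribute plus a 1-5 severity (that reading of the rating scheme is an assumption), and test scopes and vulnerabilities are then ranked so that a weakness shared by several scenarios, such as inadequate logging, rises to the top of the fix list.

```python
import re
from collections import defaultdict
# Constructed from slides 10-11: threat source "Disaffected employees" for both
# rows; each row is (test scope, vulnerabilities, impacts). Reading "(A5)" as
# availability at severity 5 is an assumption about the deck's rating scheme.
SCENARIOS = [
    ("Windows privilege escalation",
     ["Poor quality passwords", "Systems not patched up to date",
      "Inadequate logging and analysis"],
     ["Widespread destruction of information (A5)",
      "Widespread corruption of information (I5)",
      "Theft of sensitive information (C5)", "Fraud (I5)"]),
    ("Remote access",
     ["Inadequate logging and analysis", "Inadequate firewalling"],
     ["Destruction of selected information (A3)",
      "Corruption of selected information (I3)",
      "Theft of selected information (C3)"]),
]
ATTRIBUTE = {"C": "confidentiality", "I": "integrity", "A": "availability"}
IMPACT_CODE = re.compile(r"\(([CIA])([1-5])\)\s*$")

def parse_impact(text):
    """'Fraud (I5)' -> ('integrity', 5); reject lines with no rating."""
    m = IMPACT_CODE.search(text)
    if not m:
        raise ValueError(f"no CIA rating in {text!r}")
    return ATTRIBUTE[m.group(1)], int(m.group(2))

def worst_case(scenario):
    """Highest severity among a scenario's impacts (slide 11, worst event)."""
    return max(parse_impact(i)[1] for i in scenario[2])

def rank_scopes(scenarios):
    """'What to test?': scopes ordered by the worst impact they expose."""
    return sorted(((s[0], worst_case(s)) for s in scenarios),
                  key=lambda pair: -pair[1])

def rank_vulnerabilities(scenarios):
    """'What to fix?': a vulnerability earns the worst-case severity of every
    scenario it enables, so a weakness shared across scenarios ranks first."""
    score = defaultdict(int)
    for s in scenarios:
        for vuln in s[1]:
            score[vuln] += worst_case(s)
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    print("Test first:", rank_scopes(SCENARIOS))
    print("Fix first: ", rank_vulnerabilities(SCENARIOS))
```

Budget and compliance drivers from slides 12 and 13 are not scored here; they are applied as a second filter over the ranked lists.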
  • 14. Need more information?
    Peter Wood, Chief Executive Officer, First•Base Technologies LLP
    peterw@firstbase.co.uk
    Twitter: peterwoodx
    Blog: fpws.blogspot.com
    http://firstbase.co.uk
    http://white-hats.co.uk
    http://peterwood.com