Bt tower v1.1


Published on

During Waking Shark II, some impromptu testing was conducted against a very well-known 'core' Bank with test Phishing Attacks. Having located a user e-mail address, which was extracted from an object which had suffered some Data Leakage, with association with UK Government GSX account, it was simply a matter of sending them an email with a text like ‘Hi, we recently met as a Government Forum in London, and just wanted to get back in touch’ The response was almost immediate with a ‘Yes, probably, what can I do for you’. . It was that easy. The same deployment had also suffered having a connection in place, out to a [Chinese set of Servers].
There is no doubt that when it comes to the Logical Environment being compromised, there is a lot of association with what the user does, or does not click upon.

This presentation looks at some of those issues:

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Bt tower v1.1

  1. 1. Risk appetite vs. resilience   Professor John Walker MFSoc CRISC CISM ITPC CITP FBCS FRSA Director of CSIRT & Cyber Forensics INTEGRAL SECURITY XSSURANCE Ltd 24 Lime Street | London | EC3M 7HS Mobile: +44 (0) 7881 625140 Office: +44 (0) 2032 894449 © INTEGRAL SECURITY XSSURANCE Ltd
  2. 2. Just thinking! Circa - 2008 Circa - 1984 © INTEGRAL SECURITY XSSURANCE Ltd
  3. 3. Über-Secret Handbook Basic Rule: Blend in with the crowd, disperse into the stream. Keep a low profile. Don't try to be special. Remember, when in Rome, do as Romans do. Don't try to be a smart ass. Feds are many, Anonymous is Legion, but you are only one. Heroes only exist in comic books keep that in mind! There are no old heroes; there are only young hero's, and dead hero's! Anonymous – The Über-Secret Handbook Version 2.0 - Date 20.02.11 © INTEGRAL SECURITY XSSURANCE Ltd
  4. 4. We are secure – echo, echo We here it all of the time – companies claiming they are secure – but if that is the case, how can we account for example, consider what is to come in this presentation - and: • The PCI-DSS Compliant deployment which was insecure, and hosting vulnerabilities and exposures [which were not in scope of the assessment – ‘As advised by the attending QSA’] – it was not thus important that the environment was insecure – the weighting was based on the fact that ‘it had ticked-the-box’. © INTEGRAL SECURITY XSSURANCE Ltd
  5. 5. examples Company 1: Compromised by Modem Installation! Company 2: Hosting a Paedophile Global Share on their Internal Network! Company 3: Leaking their entire Membership Database! Company 4: Hosting a complexly insecure SMABA Share! Company 5: Connected to .mz Domains, with Remote Access Enabled! Company 6: Compromised by Microsoft Office 2010 installation! © INTEGRAL SECURITY XSSURANCE Ltd
  6. 6. Misplaced appetite With a business financial deal, considering the Risk Appetite, the assessment may be something like: a+b=d <> R=x [x-Ra=y] y-e =m However, with Cyber Risks, they are not as quantifiable of Financial Risk, and thus the calculations can be flawed, and thus hold higher potential for uncontrolled escalations of exposure – and they continually occur! © INTEGRAL SECURITY XSSURANCE Ltd
  7. 7. the route to insecurity This point cannot be emphasized enough - the real hackers exploit the subliminal, & grey spaces all of the time (the areas of the unknown) using Advanced Google Command Line Strings) to discover rich targets. An example is the ‘filetype’ operator, which opens up an interesting playground for the true hacker. Consider the query: (filetype:pdf | filetype:xls)-inurl:pdf or © INTEGRAL SECURITY XSSURANCE Ltd
  8. 8. More Examples . . . Obama-Care – Web Site impact on Reputation! Cyber Monday – Lack of Investment . . What does the indicate?
  9. 9. The imposition of metadata One BIG misunderstood element of insecurity, is that of MetaData – many businesses still do not understand the implications of Data Leakage! An example of 22 leaks. And see: © INTEGRAL SECURITY XSSURANCE Ltd
  10. 10. Reporting – a mix of ethics The missing element can be that of Reporting [or NOT] as may be the case – where companies make their own internal judgment call as to the important, and exposure of the incident – take the company who had their own way of dealing with this – Discuss: The full account is published in: © INTEGRAL SECURITY XSSURANCE Ltd
  11. 11. The feeding of cyber crime What needs to be appreciated is, where there is variance with obligations, and standards, there will be exposure – and it is here where, by inference, business actually works hand-in-hand, to feed the world of Cyber Crime – Where there is Corporate Negligence, there will also be the poetical for insecurity, and exposure! © INTEGRAL SECURITY XSSURANCE Ltd
  12. 12. ultimatum Ultimately, security needs to change approaches to influence behaviour, and drive change in the organization. Why? When a group of accomplished German Hackers were asked, ‘how they got so smart to be able to compromise, and infiltrate corporate environment’ they responded: ‘We aren't that smart, it’s the business who are leaving silly exposures in place, and not ‘doing’ security properly!’ © INTEGRAL SECURITY XSSURANCE Ltd
  13. 13. To conclude • Possibly there is need to instil more ethics in those organisations who have failed to meet their obligations. • • Maybe it’s a case of Less ‘Tick Box’ Compliance, and More Operational Security. • Above all, has the time arrived which dictates that we need to rethink what security is, how it can be best accomplished, and how we can serve our public better, without the need for such government, or EU enforcement? • However, it really is about understanding, and appreciating what Cyber Risk really is 2014 >>, and the associated ramifications of what uninformed exposure could mean to the business Could it be that we have reached the time where the levels of Insecurity and Security Braches are implying we need to get Back-to-Basics. Donald Rumsfeld - There are known unknowns; that is to say, there are things that we now know we don't know. . . . . . © INTEGRAL SECURITY XSSURANCE Ltd
  14. 14. Thank you for Watching INTEGRAL SECURITY XSSURANCE Ltd 24 Lime Street | London | EC3M 7HS Mobile: +44 (0) 7881 625140 Office: +44 (0) 2032 894449 © INTEGRAL SECURITY XSSURANCE Ltd