
Security Testing in an Age of Austerity


How to conduct meaningful security testing with a reduced budget - an ethical hacker's view.

Published in: Technology

  1. Security Testing in an Age of Austerity
     An Ethical Hacker’s View
     Peter Wood, Chief Executive Officer, First•Base Technologies

  2. Who is Peter Wood?
     - Worked in computers & electronics since 1969
     - Founded First•Base in 1989 (one of the first ethical hacking firms)
     - CEO, First Base Technologies LLP
     - Social engineer & penetration tester
     - Conference speaker and security ‘expert’
     - Chair of Advisory Board at CSA UK & Ireland
     - Vice Chair of BCS Information Risk Management and Audit Group
     - Director UK/Europe, Global Institute for Cyber Security + Research
     - Member of ISACA London Security Advisory Group
     - Corporate Executive Programme Expert
     - IISP Interviewer
     - FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
     - Registered BCS Security Consultant
     - Member of ACM, ISACA, ISSA, Mensa
     Slide 2 © First Base Technologies 2011

  3. How do you decide what to test?
     1. External infrastructure penetration tests
     2. Remote access tests
     3. External web application tests
     4. Internal network discovery and penetration tests
     5. Internal Windows penetration tests
     6. Server security reviews
     7. Database and internal applications tests
     8. Wireless penetration tests
     9. Endpoint penetration tests
     10. Social engineering tests

  4. Consider the Risks
     Threat, Vulnerability, Impact

  5. Risk Example
     Threat: Hacktivist
     Vulnerability: Insecure web site
     Impact: Reputational damage

  6. Example threats

  7. Example vulnerabilities

  8. Example impacts

  9. Preventative controls?

  10. List threats and vulnerabilities
      Threat source         | Threat vector and analysis scope | Vulnerability
      ----------------------+----------------------------------+------------------------------------
      Disaffected employees | Windows privilege escalation     | 1. Poor quality passwords
                            |                                  | 2. Systems not patched up to date
                            |                                  | 3. Inadequate logging and analysis
      Disaffected employees | Remote access                    | 1. Inadequate logging and analysis
                            |                                  | 2. Inadequate firewalling

  11. Rate the impact of each event
      Threat source         | Threat vector and analysis scope | Vulnerability analysis              | Impact analysis
      ----------------------+----------------------------------+-------------------------------------+---------------------------------------------
      Disaffected employees | Windows privilege escalation     | 1. Poor quality passwords           | 1. Widespread destruction of information (A5)
                            |                                  | 2. Systems not patched up to date   | 2. Widespread corruption of information (I5)
                            |                                  | 3. Inadequate logging and analysis  | 3. Theft of sensitive information (C5)
                            |                                  |                                     | 4. Fraud (I5)
      Disaffected employees | Remote access                    | 1. Inadequate logging and analysis  | 1. Destruction of selected information (A3)
                            |                                  | 2. Inadequate firewalling           | 2. Corruption of selected information (I3)
                            |                                  |                                     | 3. Theft of selected information (C3)

  12. What to test?
      • Threat analysis - What are the real threats with high impact?
      • Legal, policy and audit requirements - What must we do to remain compliant?
      • Incidents - What has happened that worries us?
      • Budgets - How can we get the most from our budgets?

  13. What to fix?
      • Vulnerability analysis - What are the real vulnerabilities with high impact?
      • Legal, policy and audit requirements - What must we do to remain compliant?
      • Incidents - What must we fix to prevent a recurrence?
      • Budgets - What can we afford to fix?

  14. Need more information?
      Peter Wood, Chief Executive Officer, First•Base Technologies LLP
      peterw@firstbase.co.uk
      Twitter: peterwoodx
      Blog: fpws.blogspot.com
      http://firstbase.co.uk
      http://white-hats.co.uk
      http://peterwood.com
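The deck's procedure (list threat sources, vectors and vulnerabilities; rate each event's impact with codes such as A5 or C3; then decide what to test and what to fix within a budget) can be carried out as a small risk register. The script below is an added example and is not the presenter's or First Base's own tooling. It takes the register's two worked rows from the slides as its sample data, treats the impact codes as a letter for the security attribute (C, I, A) plus an assumed 1 to 5 severity level, and uses constructed remediation costs that do not come from the deck.

```python
import re
from dataclasses import dataclass

# Security attribute letters used in the deck's impact codes (A5, I5, C3 ...).
ATTRIBUTE = {"C": "confidentiality", "I": "integrity", "A": "availability"}
# The 1-5 level is an assumed scale; the deck shows only 3 and 5.
CODE_RE = re.compile(r"^(?P<attr>[CIA])(?P<level>[1-5])$")


@dataclass(frozen=True)
class Impact:
    description: str
    attribute: str   # one of C, I, A
    level: int       # 1 (lowest) .. 5 (highest)


def parse_impact(text: str) -> Impact:
    """Parse an impact entry written as in the deck, e.g. 'Fraud (I5)'."""
    m = re.fullmatch(r"(?P<desc>.+?)\s*\((?P<code>[^)]+)\)\s*", text)
    if not m:
        raise ValueError(f"no impact code in {text!r}")
    code = CODE_RE.fullmatch(m.group("code").strip())
    if not code:
        raise ValueError(f"bad impact code {m.group('code')!r} in {text!r}")
    return Impact(m.group("desc").strip(), code.group("attr"), int(code.group("level")))


@dataclass
class Event:
    """One register row: a threat source reaching a vector/scope via the listed vulnerabilities."""
    threat_source: str
    vector: str
    vulnerabilities: list[str]
    impacts: list[Impact]

    @property
    def severity(self) -> int:
        # Rate the event by its worst-case impact level.
        return max(i.level for i in self.impacts)


def rank_test_scope(events):
    """'What to test?': scopes ordered by the worst impact they could lead to."""
    return [(e.vector, e.severity)
            for e in sorted(events, key=lambda e: (-e.severity, e.vector))]


def rank_fixes(events):
    """'What to fix?': vulnerabilities ordered by the worst impact they enable,
    then by how many scopes share them (a shared weakness earns a higher place)."""
    worst, scopes = {}, {}
    for e in events:
        for v in e.vulnerabilities:
            worst[v] = max(worst.get(v, 0), e.severity)
            scopes[v] = scopes.get(v, 0) + 1
    return sorted(((v, worst[v], scopes[v]) for v in worst),
                  key=lambda t: (-t[1], -t[2], t[0]))


def affordable_fixes(ranked, cost, budget):
    """'What can we afford?': take fixes in ranked order while the budget allows,
    skipping any that do not fit and continuing down the list."""
    chosen, remaining = [], budget
    for name, _, _ in ranked:
        if cost[name] <= remaining:
            chosen.append(name)
            remaining -= cost[name]
    return chosen


# Register built from the deck's two worked rows (the 'Rate the impact' slide).
REGISTER = [
    Event("Disaffected employees", "Windows privilege escalation",
          ["Poor quality passwords", "Systems not patched up to date",
           "Inadequate logging and analysis"],
          [parse_impact(s) for s in ["Widespread destruction of information (A5)",
                                     "Widespread corruption of information (I5)",
                                     "Theft of sensitive information (C5)",
                                     "Fraud (I5)"]]),
    Event("Disaffected employees", "Remote access",
          ["Inadequate logging and analysis", "Inadequate firewalling"],
          [parse_impact(s) for s in ["Destruction of selected information (A3)",
                                     "Corruption of selected information (I3)",
                                     "Theft of selected information (C3)"]]),
]

# Constructed remediation costs in arbitrary budget units (not from the deck).
COST = {"Poor quality passwords": 2, "Systems not patched up to date": 4,
        "Inadequate logging and analysis": 3, "Inadequate firewalling": 1}

if __name__ == "__main__":
    for vector, sev in rank_test_scope(REGISTER):
        print(f"test  level {sev}       {vector}")
    ranked = rank_fixes(REGISTER)
    for name, sev, n in ranked:
        print(f"fix   level {sev}  x{n}   {name}")
    print("within budget 6:", affordable_fixes(ranked, COST, 6))
```

With the deck's rows, the Windows privilege escalation scope ranks first for testing (worst impact 5), and "Inadequate logging and analysis" ranks first for fixing because it appears in both scopes; a budget that cannot cover patching still lets the cheaper fixes further down the list through rather than stopping at the first unaffordable item.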
