Peter Wood IRMA SG


Page 1: Peter Wood - British Computer Society · Who is Peter Wood? Worked in computers & electronics for 45 years Founded First Base in 1989 (the first ethical hackers in UK) Ethical hacker,



Tips to Protect Your Organisation

Peter Wood Chief Executive Officer

First Base Technologies LLP

An Ethical Hacker’s Casebook


Slide 3 © First Base Technologies 2014

Who is Peter Wood?

Worked in computers & electronics for 45 years

Founded First Base in 1989 (the first ethical hackers in UK)

Ethical hacker, security evangelist and public speaker

•Fellow of the BCS, the Chartered Institute for IT

•Chartered IT Professional

•Deputy Chair of the BCS Information Risk Management and Audit Group

•Member of the BCS Register of Security Specialists

•CISSP

•Senior Member of the Information Systems Security Association (ISSA)

•15 Year+ Member of ISACA, Member of the ISACA Security Advisory Group

•Member of the Institute of Information Security Professionals

•UK Programme Chair for the Corporate Executive Programme

•Member of ACM, IEEE, First Forensic Forum (F3), Institute of Directors

•Member of Mensa


Slide 4 © First Base Technologies 2014

Who are First Base Technologies?

• Web Application Testing

• Infrastructure Testing

• Network Security Testing

• Server Security Audits

• SCADA Security Testing

• PCI Penetration Testing

• Endpoint Testing

• Social Engineering

• Red Teaming

• Risk Assurance

• Transformation Consultancy

• Cloud Security

• Architectural Reviews

• Awareness Consultancy

• Keynote Seminars

• Security Evangelism

• Multimedia Training

• White-hats.co.uk User Group

Penetration Testing & Ethical Hacking

Security Consultancy & Awareness


Slide 5 © First Base Technologies 2014

Yada yada yada

• People have always talked about work to their friends

• What has changed is the nature of how we interact

• We talk about our lives on our blogs, on social networking sites such as Facebook and Twitter, and on message boards pertaining to the work we're doing

• What was once intimate and ephemeral is now available to the whole world, indexed by Google, and archived for posterity

• A good open-source intelligence gatherer can learn a lot about what a company is doing by monitoring its employees’ online activities

Bruce Schneier


Slide 6 © First Base Technologies 2014

Tips to Minimise Your Exposure

• Don’t reveal personal or sensitive information in social networking sites or blogs

• Set the privacy options in social networking sites

• Don’t discuss confidential information online

• Don’t ‘friend’ people you don’t know

Remember – what goes on the Internet, stays on the Internet!


Slide 7 © First Base Technologies 2014

Email spear phishing

• Emails that look as if they are from your employer or from a colleague

• The email sender information has been faked

• Malicious attachment or link to drive-by web site

• The payload can steal credentials or install a Trojan

• Or even simple form filling to capture user details


Slide 8 © First Base Technologies 2014

Tips to Avoid Email Attacks

• Never reveal personal or sensitive information in response to an email, no matter who appears to have sent it

• If you receive a suspicious email, call the person or organisation in the ‘From’ field before you respond or open any attached files

• Never click links in an email that requests personal or sensitive information. Enter the web address into your browser instead

• Report any email that you suspect might be a spear phishing campaign within your company
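The tips above tell a recipient what to do when the sender looks wrong; the same checks a mail gateway performs on headers can be scripted. The following is an added example, not from the slides or from First Base Technologies: it parses a constructed spoofed "from the boss" message with Python's standard email library and reports the signs that the sender information has been faked (envelope sender and Reply-To pointing elsewhere, failed SPF, no DKIM, a lookalike domain). The trusted domain example.com, both sample messages and the lookalike edit-distance threshold are assumptions.

```python
"""Spear-phishing triage: check the visible From header against the
envelope sender, Reply-To and Authentication-Results headers.

Added example; the messages and the trusted domain are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Assumption: the organisation's own mail domain.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample mimicking a "from the boss" spear-phishing message.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Alice Boss" <alice.boss@examp1e.com>
Reply-To: alice.boss@fastmail-lookalike.example.net
To: bob@example.com
Subject: Urgent: wire transfer before 5pm

Bob, please process the attached invoice and send me the VPN password.
"""

# Constructed sample of a legitimate internal message for comparison.
LEGIT_MESSAGE = """\
Return-Path: <alice.boss@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Alice Boss" <alice.boss@example.com>
To: bob@example.com
Subject: Tuesday meeting

Moved to 3pm, room 4.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one resembles (distance 1..2), else None."""
    for t in trusted:
        if 0 < edit_distance(domain.lower(), t) <= 2:  # threshold is an assumption
            return t
    return None


def analyse_headers(raw_message):
    """Return a list of findings; an empty list means no spoofing sign was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return_domain = domain_of(msg["Return-Path"])
    auth = str(msg.get("Authentication-Results") or "").lower()

    if return_domain and return_domain != from_domain:
        findings.append("envelope sender (Return-Path) domain differs from From domain")
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF failed for the envelope sender")
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM signature")
    if from_domain not in TRUSTED_DOMAINS:
        near = lookalike_of(from_domain)
        if near:
            findings.append(f"From domain '{from_domain}' resembles trusted domain '{near}'")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, analyse_headers(raw) or "no findings")
```

The checks are deliberately independent of the message body: the slide's point is that the sender fields are faked, and Return-Path, Reply-To and Authentication-Results are where that shows, whatever the text says.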


Slide 9 © First Base Technologies 2014

Telephone social engineering

Not every hacker is sitting alone with their computer, hacking into a corporate VPN.

Sometimes all they have to do is call up and ask!


Slide 10 © First Base Technologies 2014

Telephone social engineering

Previous calls gave access to:

• CEO’s email and calendar

• IT manager’s desktop

• Remote access to a network

• … and cloud services!


Slide 11 © First Base Technologies 2014

Tips to Avoid Telephone Attacks

• If you receive a suspicious phone call, hang up and call back on a number you know is legitimate

• Never reveal personal or sensitive information in response to a phone call unless you have verified the caller

• Don’t answer questions about your organisation or colleagues unless it’s your job to do so

• Report any phone calls that you suspect might be social engineering attacks


Slide 12 © First Base Technologies 2014

On Premises Attacks

• People security is weak in most organisations

• If an attacker has confidence, they will succeed

• If an attacker is in the building, they’re trusted

• If an attacker is in a meeting room, they’re trusted

• People are helpful

• People are polite

• People are trusting

• Security guards may not be secure!


Slide 13 © First Base Technologies 2014

Tips to Avoid On Premises Attacks

• Always confirm an appointment before letting anyone in

• Don’t allow “tailgating” unless you know them personally

• Don’t leave any visitor unattended at any time

• If you see someone you don’t recognise, ask to see their visitor’s pass or report them

• If you find a USB stick, always report it (and don’t plug it in!)

• Don't leave confidential papers on your desk

• Don’t leave your computer logged on overnight

• Lock your screen when you leave your desk


Slide 14 © First Base Technologies 2014

Public wireless networks

• Interception of your web browsing

• Logon name and password theft

• Hijacking your personal email

• Stealing your social network accounts

• Infection of your computer with malware


Slide 15 © First Base Technologies 2014

Tips to Avoid Wireless Attacks

• Remember: open and WEP-encrypted WiFi networks are visible to almost anyone

• Never use public WiFi for sensitive information

• Don’t use the same password for web sites and for corporate systems

• Make sure your email connections are encrypted (like the company VPN and settings on company iPhones)


Slide 16 © First Base Technologies 2014

Password ‘Quality’


Slide 17 © First Base Technologies 2014

Case study: Password Crack

• 26,310 passwords from a Windows domain

• 11,279 (42.9%) cracked in 2½ minutes

• It’s not a challenge!


Slide 18 © First Base Technologies 2014

Tips to Avoid Password Theft

• Don’t use passwords based on dictionary words and names

• Use complex passphrases for service accounts

• Tailor password policies to specific environments (e.g. Windows vs. web sites)

• Remember: old fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)

• Never re-use passwords: “one password to rule them all …”

• Use a ‘password safe’ such as Password Agent to make it easy
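To make the dictionary-word rule concrete, here is an added example that is not from the slides or from First Base Technologies: a policy check that undoes the same letter substitutions a cracker's mangling rules undo, rejects passwords built from one or a few common words, and accepts a long passphrase of uncommon words. It also computes the character-class "entropy" an old-fashioned complexity rule would credit, to show why that figure is misleading. The tiny wordlist, the length and word-count thresholds, and the sample passwords are constructed assumptions; a real check would draw on the wordlists crackers actually use.

```python
"""Password policy check that catches dictionary-based choices.

Added example; the wordlist and thresholds are constructed assumptions."""
import math
import re

# Constructed stand-in for a real cracking wordlist (common words and names).
WORDLIST = {
    "password", "welcome", "summer", "london", "peter", "alice",
    "company", "admin", "letmein", "monkey", "dragon", "qwerty",
}

# "Leet" substitutions that cracking rules undo as a matter of course.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def segments(letters):
    """Split a lower-case letter string into wordlist entries (longest first,
    with backtracking). Returns the list of words, or None if no split exists."""
    if not letters:
        return []
    for i in range(len(letters), 0, -1):
        if letters[:i] in WORDLIST:
            rest = segments(letters[i:])
            if rest is not None:
                return [letters[:i]] + rest
    return None


def dictionary_words(pw):
    """Words the password is built from, or None if it is not dictionary-based.

    Strips digits and symbols from both ends (Summer2014!), then tries the
    remainder both as typed and with leet substitutions undone (P@ssw0rd)."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    for candidate in (stripped, stripped.translate(LEET)):
        found = segments(re.sub(r"[^a-z]", "", candidate))
        if found:
            return found
    return None


def naive_entropy_bits(pw):
    """Bits a character-class policy would credit: length * log2(charset size).
    Crackers do not search this way, which is why dictionary_words matters more."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33  # printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


def evaluate_password(pw, min_length=12, min_words=4):
    """Return a list of policy problems; an empty list means accepted.
    A phrase of at least min_words wordlist words is treated as a passphrase."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    words = dictionary_words(pw)
    if words and len(words) < min_words:
        problems.append("built from common words: " + "+".join(words))
    return problems


if __name__ == "__main__":
    for sample in ("P@ssw0rd1", "SummerLondon2014!", "Purple kettle orbits Mars 42"):
        print(f"{sample!r}: {naive_entropy_bits(sample):.0f} bits by class rule;",
              evaluate_password(sample) or "accepted")
```

Run as a script it shows the contrast the slide is making: the class rule credits 'P@ssw0rd1' with about 59 bits, yet the check finds it is the single word 'password' with four substitutions and a digit, which is exactly what a rule-based cracker tries first.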


Slide 19 © First Base Technologies 2014

The Human firewall

• Train staff to recognise attacks from every angle

• Invest in continual awareness campaigns


Slide 20 © First Base Technologies 2014

Think like an attacker!

Hacking is a way of thinking:

- A hacker is someone who thinks outside the box

- It's someone who discards conventional wisdom, and does something else instead

- It's someone who looks at the edge and wonders what's beyond

- It's someone who sees a set of rules and wonders what happens if you don't follow them

[Bruce Schneier]

Hacking applies to all of life - not just computers


Slide 21 © First Base Technologies 2014

Summary Advice

Awareness … Training … Awareness …

• Limit information leakage and don’t over-share

• Don’t be a victim of social engineering

• Protect your computer and your workplace

• Minimise your network vulnerabilities

• Choose strong passphrases

• Secure and patch your servers

• Encrypt confidential information

• Understand the need for a layered approach


Peter Wood Chief Executive Officer

First Base Technologies LLP

[email protected]

http://firstbase.co.uk

http://white-hats.co.uk

http://peterwood.com

Twitter: @peterwoodx

Need more information?