Cloud, social networking and BYOD collide!

Peter Wood
Chief Executive Officer
First•Base Technologies
Who is Peter Wood?


  Worked in computers & electronics since 1969
  Founded First Base in 1989 (one of the first ethical hacking firms)
  CEO First Base Technologies LLP
  Social engineer & penetration tester
  Conference speaker and security ‘expert’

  Member of ISACA Security Advisory Group
  Vice Chair of BCS Information Risk Management and Audit Group
  UK Chair, Corporate Executive Programme

  FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
  Registered BCS Security Consultant
  Member of ACM, ISACA, ISSA, Mensa



Slide 2                                                                 © First Base Technologies 2012
Cloud




Slide 3           © First Base Technologies 2012
What's Different in Cloud

[Diagram: the three service models, IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service), with "Security ~ YOU" placed beside IaaS and "Security ~ THEM" beside SaaS: responsibility for security shifts from you to the provider as you move up the stack]

Slide 4                                                              © First Base Technologies 2012
What's Different in Cloud




Slide 5                           © First Base Technologies 2012
What's Different in Cloud




Slide 6                           © First Base Technologies 2012
Just a little brainstorm




Slide 7                              © First Base Technologies 2012
Social Networking




Slide 8                       © First Base Technologies 2012
Yada yada yada

 • People have always talked about work to their friends
 • What has changed is the nature of how we interact
 • We talk about our lives on our blogs, on social networking sites such
   as Facebook and Twitter, and on message boards pertaining to the
   work we're doing
 • What was once intimate and ephemeral is now available to the whole
   world, indexed by Google, and archived for posterity
 • A good open-source intelligence gatherer can learn a lot about what a
   company is doing by monitoring its employees’ online activities
                                                               Bruce Schneier




Slide 9                                                    © First Base Technologies 2012
Social networks vulnerabilities




Slide 10                              © First Base Technologies 2012
Social networks vulnerabilities




Slide 11                              © First Base Technologies 2012
Why APT works




Slide 12                   © First Base Technologies 2012
BYOD




Slide 13          © First Base Technologies 2012
Data loss


           • Unencrypted storage and backup

           • Poor or missing passwords and PINs

           • No automatic screen lock

           • Mobile apps often store sensitive data such
             as banking and payment system PIN
             numbers, credit card numbers, or online
             service passwords



Slide 14                                                   © First Base Technologies 2012
Network spoofing

     • Mobile devices use wireless communications exclusively, and often public WiFi

     • SSL can fall victim to a downgrade attack if the app allows HTTPS to be degraded to HTTP

     • SSL could also be compromised if the app does not fail on invalid certificates, enabling MITM attacks

Slide 15                                         © First Base Technologies 2012
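Added example (not from the deck or from First Base): in Python, the client TLS configuration that produces the "does not fail on invalid certificates" condition above, beside the hardened form, a check a test suite can run on whichever context an app builds, and a redirect policy that refuses to follow an HTTPS-to-HTTP downgrade. The URLs and the redirect chain are constructed for illustration.

```python
"""Weak vs. hardened TLS client settings, and a no-downgrade redirect policy."""
import ssl
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def insecure_context() -> ssl.SSLContext:
    """The 'before': what an app that does not fail on invalid certificates ends up with.
    Any certificate, for any hostname, is accepted, so a rogue access point can sit in the middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be turned off before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The 'after': chain validation and hostname checking on, old protocol versions off.
    cafile is optional; pass the app's own CA bundle to trust only that CA."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Unit-test style check: certificate validation and hostname verification both enabled."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def redirect_allowed(current_url: str, target_url: str) -> bool:
    """Refuse to follow a redirect that drops from https to anything else."""
    if urlsplit(current_url).scheme.lower() == "https":
        return urlsplit(target_url).scheme.lower() == "https"
    return True


def follow_redirects(start_url: str, hops: List[str]) -> Tuple[List[str], Optional[str]]:
    """Walk a constructed chain of Location targets, stopping at the first downgrade.
    Returns (urls actually visited, the refused target or None)."""
    visited = [start_url]
    for nxt in hops:
        if not redirect_allowed(visited[-1], nxt):
            return visited, nxt
        visited.append(nxt)
    return visited, None


if __name__ == "__main__":
    # Constructed chain: a legitimate HTTPS hop, then an attempted downgrade to HTTP.
    chain = ["https://bank.example/auth", "http://bank.example/auth"]
    print("hardened safe:", context_is_safe(hardened_context()))
    print("insecure safe:", context_is_safe(insecure_context()))
    print(follow_redirects("https://bank.example/login", chain))
```

The order of the two assignments in insecure_context is deliberate: Python refuses to set CERT_NONE while hostname checking is still on, which is a useful tell when reviewing an app's networking code for this anti-pattern.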
Spyware




           http://www.f-secure.com/en/web/labs_global/whitepapers/reports

Slide 16                                                              © First Base Technologies 2012
UI impersonation

       • Malicious app creates UI that impersonates that of the
         phone’s native UI or the UI of a legitimate application
       • Victim is asked to authenticate and ends up sending
         their credentials to an attacker




 http://blogs.mcafee.com/mcafee-labs/android-malware-pairs-man-in-the-middle-with-remote-controlled-banking-trojan

Slide 17                                                                                 © First Base Technologies 2012
BYOD risks

           •   Data loss: a stolen or lost phone with unprotected memory allows an attacker to access the data on it
           •   Unintentional data disclosure: most apps have privacy settings, but many users are unaware that data is being transmitted, let alone of the existence of the settings to prevent this
           •   Network spoofing attacks: an attacker deploys a rogue network access point and intercepts the user's data or conducts MITM attacks
           •   Phishing: an attacker collects user credentials using fake apps or messages that seem genuine
           •   Spyware: the smartphone has spyware installed, allowing an attacker to access or infer personal data
           •   Surveillance: spying using an open microphone and/or camera
           •   Diallerware: an attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers
           •   Financial malware: malware specifically designed to steal credit card numbers or online banking credentials, or to subvert online banking or ecommerce transactions

Slide 18                                                                   © First Base Technologies 2012
The Collision




Slide 19                   © First Base Technologies 2012
How Security sees Management?




Slide 20                           © First Base Technologies 2012
How Management sees Security?




Slide 21                           © First Base Technologies 2012
The Solution?




Slide 22                   © First Base Technologies 2012
Make it real!



           • Identify real threats
           • Identify real impact
           • Demonstrate the risk



Slide 23                                        © First Base Technologies 2012
Now for the science bit …




Slide 24                           © First Base Technologies 2012
Business Impact Level

           A successful exploit will result in compromise of
           Confidentiality, Integrity or Availability of an asset
           • Level 1: negligible impact
           • Level 2: limited consequences
           • Level 3: significant impact
           • Level 4: very high impact, requiring external
             assistance and possible financial support
           • Level 5: major risk which seriously endangers
             business processes and prevents continuity


Slide 25                                                  © First Base Technologies 2012
Threat Actors


           • System and Service Users
             - Regular users, admins, end users, shared service users
           • Direct Connections
             - Service providers, other business units
           • Indirect Connections
             - Network users, internet users
           • Supply Chain
             - Developers, hardware support
           • Physically Present
             - Regular users, admins, visitors, war drivers, intruders


Slide 26                                                  © First Base Technologies 2012
Threat Actor Capability

           1. Very little: almost no capabilities or
              resources

           2. Little: an average untrained computer user

           3. Limited: a trained computer user

           4. Significant: a full-time well-educated
              computer expert using publicly available
              tools

           5. Formidable: a full-time well-educated
              computer expert using bespoke attacks


Slide 27                                               © First Base Technologies 2012
Threat Actor Motivation


           1. Very low: Indifferent

           2. Low: Curious

           3. Medium: Interested

           4. High: Committed

           5. Very high: Focused




Slide 28                              © First Base Technologies 2012
Threat = Capability x Motivation




Slide 29                              © First Base Technologies 2012
Example Threat Actor Analysis




Slide 30                            © First Base Technologies 2012
Risk = Impact x Threat




Slide 31                            © First Base Technologies 2012
Example Risk for Impact Level of 3




Slide 32                               © First Base Technologies 2012
Example Prioritised Risk List




Slide 33                             © First Base Technologies 2012
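The scoring model of the preceding slides (Business Impact Level, Threat Actors, Capability, Motivation, Threat = Capability x Motivation, Risk = Impact x Threat, prioritised risk list) worked through in Python. This is an added example, not code from the deck or from First Base; the three 1-to-5 scales and the actor groups are the deck's, while the actor names and the capability and motivation scores in SAMPLE_ACTORS are constructed illustrations. It generalises the "impact level 3" slide: the same function produces the prioritised list for any impact level.

```python
"""Threat and risk scoring: Threat = Capability x Motivation, Risk = Impact x Threat."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The three scales as given on the slides (each 1..5).
IMPACT_LEVELS = {1: "negligible impact", 2: "limited consequences", 3: "significant impact",
                 4: "very high impact", 5: "major risk"}
CAPABILITY = {1: "Very little", 2: "Little", 3: "Limited", 4: "Significant", 5: "Formidable"}
MOTIVATION = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}


def _check_scale(value: int, scale: dict, what: str) -> int:
    # Scores outside the 1..5 scale would silently distort the product, so reject them.
    if value not in scale:
        raise ValueError(f"{what} must be one of {sorted(scale)}, got {value!r}")
    return value


@dataclass(frozen=True)
class ThreatActor:
    name: str
    group: str        # one of the deck's actor groups, e.g. "Supply Chain"
    capability: int   # 1..5 on the Threat Actor Capability scale
    motivation: int   # 1..5 on the Threat Actor Motivation scale

    def __post_init__(self):
        _check_scale(self.capability, CAPABILITY, "capability")
        _check_scale(self.motivation, MOTIVATION, "motivation")

    def threat(self) -> int:
        # Threat = Capability x Motivation (range 1..25)
        return self.capability * self.motivation


def risk(impact_level: int, actor: ThreatActor) -> int:
    # Risk = Impact x Threat (range 1..125)
    return _check_scale(impact_level, IMPACT_LEVELS, "impact level") * actor.threat()


def prioritised_risks(impact_level: int, actors: Iterable[ThreatActor]) -> List[Tuple[str, str, int, int]]:
    """Return [(name, group, threat, risk)] with the highest risk first; ties broken by name."""
    rows = [(a.name, a.group, a.threat(), risk(impact_level, a)) for a in actors]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


# Constructed sample scoring: the groups are the deck's, the numbers are illustrative only.
SAMPLE_ACTORS = [
    ThreatActor("Regular user", "System and Service Users", capability=2, motivation=2),
    ThreatActor("Admin", "System and Service Users", capability=4, motivation=1),
    ThreatActor("Service provider", "Direct Connections", capability=4, motivation=2),
    ThreatActor("Internet user", "Indirect Connections", capability=4, motivation=4),
    ThreatActor("Developer", "Supply Chain", capability=5, motivation=2),
    ThreatActor("Intruder", "Physically Present", capability=3, motivation=5),
]


def report(impact_level: int, actors: Iterable[ThreatActor] = SAMPLE_ACTORS) -> str:
    """Plain-text prioritised risk list for one asset at the given impact level."""
    lines = [f"Impact level {impact_level} ({IMPACT_LEVELS[impact_level]})"]
    for name, group, t, r in prioritised_risks(impact_level, actors):
        lines.append(f"  risk {r:3d}  threat {t:2d}  {name} ({group})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(3))
```

Running it for impact level 3 puts the well-resourced, committed internet user at the top (risk 48) and the indifferent admin and curious regular user at the bottom (risk 12 each), which is the kind of ordering the workshop on the next slides is meant to argue over.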
Run a Workshop




Slide 34                    © First Base Technologies 2012
Now you’ve added value!




Slide 35                         © First Base Technologies 2012
Or …



           Management          Security




Slide 36                            © First Base Technologies 2012
Which results in …




Slide 37                        © First Base Technologies 2012
Need more information?


                Peter Wood
               Chief Executive Officer
           First Base Technologies LLP

            peterw@firstbase.co.uk

                http://firstbase.co.uk
               http://white-hats.co.uk
               http://peterwood.com

                Twitter: peterwoodx




Slide 38                                 © First Base Technologies 2012

Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Kürzlich hochgeladen (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Cloud, social networking and BYOD collide!

  • 1. Cloud, social networking and BYOD collide! Peter Wood, Chief Executive Officer, First•Base Technologies
  • 2. Who is Peter Wood?
    • Worked in computers & electronics since 1969
    • Founded First Base in 1989 (one of the first ethical hacking firms)
    • CEO First Base Technologies LLP
    • Social engineer & penetration tester
    • Conference speaker and security ‘expert’
    • Member of ISACA Security Advisory Group
    • Vice Chair of BCS Information Risk Management and Audit Group
    • UK Chair, Corporate Executive Programme
    • FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
    • Registered BCS Security Consultant
    • Member of ACM, ISACA, ISSA, Mensa
    Slide 2 © First Base Technologies 2012
  • 3. Cloud
  • 4. What's Different in Cloud (diagram: Security ~ THEM versus Security ~ YOU, shown across SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service))
  • 5. What's Different in Cloud
  • 6. What's Different in Cloud
  • 7. Just a little brainstorm
  • 8. Social Networking
  • 9. Yada yada yada
    • People have always talked about work to their friends
    • What has changed is the nature of how we interact
    • We talk about our lives on our blogs, on social networking sites such as Facebook and Twitter, and on message boards pertaining to the work we're doing
    • What was once intimate and ephemeral is now available to the whole world, indexed by Google, and archived for posterity
    • A good open-source intelligence gatherer can learn a lot about what a company is doing by monitoring its employees’ online activities
    (Bruce Schneier)
  • 10. Social networks vulnerabilities
  • 11. Social networks vulnerabilities
  • 12. Why APT works
  • 13. BYOD
  • 14. Data loss
    • Unencrypted storage and backup
    • Poor or missing passwords and PINs
    • No automatic screen lock
    • Mobile apps often store sensitive data such as banking and payment system PIN numbers, credit card numbers, or online service passwords
  • 15. Network spoofing
    • Mobile devices use wireless communications exclusively and often public WiFi
    • SSL can fall victim to a downgrade attack if app allows degrading HTTPS to HTTP
    • SSL could also be compromised if app does not fail on invalid certificates, enabling MITM attacks
  • 16. Spyware
    http://www.f-secure.com/en/web/labs_global/whitepapers/reports
  • 17. UI impersonation
    • Malicious app creates UI that impersonates that of the phone’s native UI or the UI of a legitimate application
    • Victim is asked to authenticate and ends up sending their credentials to an attacker
    http://blogs.mcafee.com/mcafee-labs/android-malware-pairs-man-in-the-middle-with-remote-controlled-banking-trojan
  • 18. BYOD risks
    • Data loss: a stolen or lost phone with unprotected memory allows an attacker to access the data on it
    • Unintentional data disclosure: most apps have privacy settings but many users are unaware that data is being transmitted, let alone know of the existence of the settings to prevent this
    • Network spoofing attacks: an attacker deploys a rogue network access point and intercepts user’s data or conducts MITM attacks
    • Phishing: an attacker collects user credentials using fake apps or messages that seem genuine
    • Spyware: the smartphone has spyware installed allowing an attacker to access or infer personal data
    • Surveillance: spying using open microphone and/or camera
    • Diallerware: an attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers
    • Financial malware: malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions
  • 19. The Collision
  • 20. How Security sees Management?
  • 21. How Management sees Security?
  • 22. The Solution?
  • 23. Make it real!
    • Identify real threats
    • Identify real impact
    • Demonstrate the risk
  • 24. Now for the science bit …
  • 25. Business Impact Level
    A successful exploit will result in compromise of Confidentiality, Integrity or Availability of an asset
    • Level 1: negligible impact
    • Level 2: limited consequences
    • Level 3: significant impact
    • Level 4: very high impact, requiring external assistance and possible financial support
    • Level 5: major risk which seriously endangers business processes and prevents continuity
  • 26. Threat Actors
    • System and Service Users: regular users, admins, end users, shared service users
    • Direct Connections: service providers, other business units
    • Indirect Connections: network users, internet users
    • Supply Chain: developers, hardware support
    • Physically Present: regular users, admins, visitors, war drivers, intruders
  • 27. Threat Actor Capability
    1. Very little: almost no capabilities or resources
    2. Little: an average untrained computer user
    3. Limited: a trained computer user
    4. Significant: a full-time well-educated computer expert using publicly available tools
    5. Formidable: a full-time well-educated computer expert using bespoke attacks
  • 28. Threat Actor Motivation
    1. Very low: indifferent
    2. Low: curious
    3. Medium: interested
    4. High: committed
    5. Very high: focused
  • 29. Threat = Capability x Motivation
  • 30. Example Threat Actor Analysis
  • 31. Risk = Impact x Threat
  • 32. Example Risk for Impact Level of 3
  • 33. Example Prioritised Risk List
  • 34. Run a Workshop
  • 35. Now you’ve added value!
  • 36. Or … Management / Security
  • 37. Which results in …
  • 38. Need more information?
    Peter Wood, Chief Executive Officer, First Base Technologies LLP
    peterw@firstbase.co.uk
    http://firstbase.co.uk
    http://white-hats.co.uk
    http://peterwood.com
    Twitter: peterwoodx
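Slide 15 names two ways a mobile app undermines TLS: letting HTTPS degrade to HTTP, and not failing on an invalid certificate. The following is an added example, not code from the deck or from First Base, showing the two client-side checks that close those gaps in Python: an `ssl.SSLContext` that verifies the server certificate and host name, and a redirect policy that refuses any hop away from `https`. The redirect chains and the `bank.example` host are constructed sample data.

```python
"""Client-side mitigations for the slide 15 failure modes (added example).

1. Certificate handling: build a context that verifies the chain AND the
   host name, and a check that spots a context which does neither.
2. Downgrade handling: walk a redirect chain and refuse any Location that
   would move the connection from https to http.
"""
import ssl
from urllib.parse import urljoin, urlparse


class DowngradeRefused(Exception):
    """Raised when a redirect would leave TLS (or the chain is too long)."""


def hardened_context() -> ssl.SSLContext:
    """Context that fails on an invalid certificate or a wrong host name."""
    ctx = ssl.create_default_context()          # loads the system CA store
    ctx.check_hostname = True                   # name on cert must match the URL
    ctx.verify_mode = ssl.CERT_REQUIRED         # unverifiable chain -> handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if the context enforces both chain and host-name verification.

    A context built with ssl._create_unverified_context() (the shortcut that
    makes "it works" on a test rig and silently enables MITM in production)
    fails this check because it sets CERT_NONE and check_hostname=False.
    """
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def allow_redirect(current_url: str, location: str) -> bool:
    """Allow a redirect only if the next hop is still https.

    A relative Location (e.g. "/home" or "//host/path") inherits the current
    scheme, so it stays https; an absolute "http://..." Location is refused.
    """
    cur = urlparse(current_url)
    if cur.scheme != "https":
        return False                            # never start from plaintext
    nxt = urlparse(location)
    return (nxt.scheme or cur.scheme) == "https"


def follow_chain(start_url: str, redirects: dict, max_hops: int = 5) -> str:
    """Resolve a constructed redirect chain {url: Location} and return the final URL.

    Raises DowngradeRefused if any hop would drop to http or the chain loops.
    """
    url = start_url
    for _ in range(max_hops):
        location = redirects.get(url)
        if location is None:
            return url                          # 200 OK: no further redirect
        if not allow_redirect(url, location):
            raise DowngradeRefused(f"refused {url} -> {location}")
        url = urljoin(url, location)
    raise DowngradeRefused("too many redirects")


# Constructed sample chains (no network access is made).
SAFE_CHAIN = {
    "https://bank.example/login": "/home",
    "https://bank.example/home": "https://bank.example/account",
}
DOWNGRADE_CHAIN = {
    "https://bank.example/login": "http://bank.example/home",  # the slide 15 downgrade
}


if __name__ == "__main__":
    print("hardened context safe:", context_is_safe(hardened_context()))
    print("unverified context safe:", context_is_safe(ssl._create_unverified_context()))
    print("safe chain ends at:", follow_chain("https://bank.example/login", SAFE_CHAIN))
    try:
        follow_chain("https://bank.example/login", DOWNGRADE_CHAIN)
    except DowngradeRefused as e:
        print("downgrade blocked:", e)
```

The `context_is_safe` check is the kind of assertion worth putting in an app's test suite: it catches the case where a developer shipped the "unverified" context used during debugging, which is exactly the invalid-certificate failure the slide describes.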
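Slides 25 to 33 describe one scoring procedure: rate impact (1 to 5), rate each threat actor's capability and motivation (1 to 5 each), take Threat = Capability x Motivation, Risk = Impact x Threat, and sort into a prioritised list. The block below is an added worked example of that procedure in Python; it is not the author's tool. The scale labels are taken from the slides; the threat actors and their scores are constructed sample values, and the impact level 3 matches the example on slide 32.

```python
"""Worked example of the slide 25-33 risk model (added illustration).

Threat = Capability x Motivation   (slide 29, range 1..25)
Risk   = Impact x Threat           (slide 31, range 1..125)
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Scale labels as printed on slides 25, 27 and 28.
IMPACT = {1: "negligible", 2: "limited", 3: "significant", 4: "very high", 5: "major"}
CAPABILITY = {1: "Very little", 2: "Little", 3: "Limited", 4: "Significant", 5: "Formidable"}
MOTIVATION = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}


@dataclass(frozen=True)
class ThreatActor:
    name: str          # drawn from the slide 26 categories
    capability: int    # slide 27 score, 1..5
    motivation: int    # slide 28 score, 1..5

    def threat(self) -> int:
        """Slide 29: Threat = Capability x Motivation. Rejects out-of-scale scores."""
        for label, value in (("capability", self.capability), ("motivation", self.motivation)):
            if value not in CAPABILITY:          # both scales are 1..5
                raise ValueError(f"{self.name}: {label} {value} is outside 1..5")
        return self.capability * self.motivation


def risk(actor: ThreatActor, impact_level: int) -> int:
    """Slide 31: Risk = Impact x Threat for one actor against one asset."""
    if impact_level not in IMPACT:
        raise ValueError(f"impact level {impact_level} is outside 1..5")
    return impact_level * actor.threat()


def prioritised_risk_list(actors: Iterable[ThreatActor],
                          impact_level: int) -> List[Tuple[str, int, int]]:
    """Slide 33: (name, threat, risk) rows, highest risk first.

    Ties are broken alphabetically so the workshop hand-out is stable
    from run to run.
    """
    rows = [(a.name, a.threat(), risk(a, impact_level)) for a in actors]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


def report(actors: Iterable[ThreatActor], impact_level: int) -> str:
    """Plain-text table for the slide 34 workshop."""
    lines = [f"Impact level {impact_level} ({IMPACT[impact_level]})",
             f"{'Threat actor':32} {'Thr':>3} {'Risk':>4}"]
    for name, threat, r in prioritised_risk_list(actors, impact_level):
        lines.append(f"{name:32} {threat:>3} {r:>4}")
    return "\n".join(lines)


# Constructed sample actors: scores are illustrative, not from the deck.
SAMPLE_ACTORS = [
    ThreatActor("Regular user (system user)", capability=2, motivation=2),
    ThreatActor("Admin (system user)", capability=4, motivation=1),
    ThreatActor("Internet user (indirect)", capability=4, motivation=3),
    ThreatActor("Developer (supply chain)", capability=5, motivation=2),
    ThreatActor("War driver (physically present)", capability=3, motivation=3),
    ThreatActor("Intruder (physically present)", capability=4, motivation=4),
]


if __name__ == "__main__":
    print(report(SAMPLE_ACTORS, 3))   # slide 32: example risk for impact level 3
```

Because both factors are bounded at 5, an actor with "Very little" capability can never exceed a threat of 5 however motivated, which is the point of scoring the two independently rather than asking the room for a single gut-feel number.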

Editor's Notes

  1. The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.