Post on 29-Jan-2015
description
Unpatched Systems
Peter WoodChief Executive Officer
First•Base Technologies
An Ethical Hacker’s View
Slide 2 © First Base Technologies 2013
Who is Peter Wood?
Worked in computers & electronics since 1969
Founded First Base in 1989 (one of the first ethical hacking firms)
CEO First Base Technologies LLPSocial engineer & penetration testerConference speaker and security ‘expert’
Member of ISACA Security Advisory GroupVice Chair of BCS Information Risk Management and Audit GroupUK Chair, Corporate Executive Programme
FBCS, CITP, CISSP, MIEEE, M.Inst.ISPRegistered BCS Security ConsultantMember of ACM, ISACA, ISSA, Mensa
Slide 3 © First Base Technologies 2013
Hacker thinking
• How does this work?
• What research is there out there?
• What’s happening under the covers?
• What happens if I do this?
• What happens if I ignore the instructions?
• What if I’m a “legitimate” user?
• Where are the weak points?
• Is there another way in?
Slide 4 © First Base Technologies 2013
Missing Patches – Where?
• Internet facing systems- Operating systems, web servers, applications
• Internal servers- Operating systems, databases, applications
• Workstations & Laptops- Operating systems, browsers, applications
• Smartphones, iPads, etc.- Operating systems, browsers, apps
Slide 5 © First Base Technologies 2013
Slide 6 © First Base Technologies 2013
The Attackers
• Attacks may be external or internal• Attacks are not limited to ‘hackers’• Attacks can be manual or automated
Slide 7 © First Base Technologies 2013
Slide 8 © First Base Technologies 2013
Unpatched FTP
Slide 9 © First Base Technologies 2013
Unpatched Sendmail
Slide 10 © First Base Technologies 2013
Unpatched Router
SNMP Read-Write strings revealed.Now we have full control of this device
Slide 11 © First Base Technologies 2013
‘Root’ on a UNIX Host
Drag and drop an exploit on the target host
Now we have ‘root’ and control the file system
Slide 12 © First Base Technologies 2013
‘System’ on a Windows Host
Drag and drop an exploit on the target host
Now we have ‘system’ and control the file system
Slide 13 © First Base Technologies 2013
Consequences of Missing Patches
• Information theft- Reputational loss- Loss of competitive advantage- Legal action
• Malware infection- Remediation costs- Participation in botnet
• Unauthorised control of systems- Corporate espionage- Corruption of information
• Denial of service- Loss of revenue- Remediation costs
Slide 14 © First Base Technologies 2013
Peter WoodChief Executive Officer
First Base Technologies LLP
peterw@firstbase.co.uk
http://firstbase.co.ukhttp://white-hats.co.ukhttp://peterwood.com
Twitter: peterwoodx
Need more information?