SECFORCE          
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
   
HOME SECFORCE - penetration testing COMPANY SECFORCE - penetration testing SERVICES SECFORCE - penetration testing RESEARCH SECFORCE - penetration testing BLOG SECFORCE - penetration testing NEWS & EVENTS SECFORCE - penetration testing INITIATIVES SECFORCE - penetration testing CONTACT
 
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
    SECFORCE - penetration testing

Blog ■

 
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
    Home : Blog  
SECFORCE - penetration testing SECFORCE - penetration testing
   
Archive for October, 2012
 

Should you protect your identify from cybercriminals and would be penetration testers?

Monday, October 29th, 2012

Andy Smith, an internet security chief at the Cabinet Office, has said people should only give accurate details to trusted sites such as government ones. (http://www.bbc.co.uk/news/uk-politics-20082493)

Giving fake details to social networking sites is “a very sensible thing to do”

Andy Smith

The reason for this is the high volume of websites that ask for highly privileged information such as date birth on their users where this information is not strictly necessary. Because of the vast number of websites involved, the overall challenge of keeping an individual’s information confidential is becoming virtually impossible.

As an individual working for a well respected penetration testing company I see the effects of this on a daily basis when SECFORCE are asked to perform social engineering attacks and client side browser exploitation against unsuspecting company employees. For us, without the rich source of information leakage on organisation’s employees in social media and other websites, our job of either tricking the user, or using their identity to trick others would be much harder.

The trick with a client side attack is to encourage an individual to perform an action of some kind, the chances of this being successful are increased a thousand fold if you use specific information pertaining to that user that puts them at ease, and elevates their misplaced trust in you –  ‘the attacker’. This is why social media is so powerful – a message from a friend on Facebook, an email from a colleague on LinkedIn, each containing a specific piece of information (for example a happy birthday message on your birthday), and prompting an action to click or download such as – here is a picture of your daughter from the party last weekend, or good luck with the presentation today.

Messages that are backed by some truth and privileged information are likely to result in the desired result (compromise of the user).

Cyber criminals have exactly the same access to this information as legitimate penetration testers and they are putting it to good use. Client side browser attacks are exponentially increasing. The attacker’s goal is often being to form a bridgehead into an organisation for further significant impact. This form of attack can be sustained against an organisation and its employees for a period of months, so the odds of success are on the side of the attacker, and the only real countermeasures are the awareness and vigilance of your employees.

So, is Andy Smith from the Cabinet Office correct to give this advice? It is clear that there are a number of challenges to protect an individual’s identity online, however at the same time, websites such as Facebook, Twitter and LinkedIn as well as the hundreds of others that store information on you are here to stay. We are at a point of transition, not fully equipped or aware of the risks our online behaviour expose us to, but at the same time reliant on the benefits this new technology brings to our lives.

Holistic penetration testing – when 1 + 1 does not always equal 2

Sunday, October 21st, 2012

Motivated attackers don’t know about “rules of engagement”, narrow scopes of work, “not bruteforing allowed”, etc. Attackers would follow any available path to accomplish their goal, whatever that is. It is not unrealistic to think that a highly motivated attacker would go to great lengths to perform an attack, such as for example compromising a slightly weaker “Application A” to gain access to the DMZ and in turn compromise the real objective “Application B”. Or to test the corporate wireless network in order to gain network access to the internal network…

Although this may seem an obvious statement, many cutting edge companies forget who they are protecting against and what their real outcome for their testing programmes should be.

Nowadays the most common penetration testing requirement is application or system focussed with a defined scope to which penetration testing consultancies need to adhere. This is a natural approach, as dynamic companies very often develop new applications and systems which require security testing before being deployed in production. However, we see a trend among our customers where they complement their normal testing strategy with an annual holistic penetration testing.

A holistic approach would include penetration testing of the infrastructure, physical penetration testing of premises, wireless testing, social engineering attacks and any other angle which is deemed relevant for the specific customer.

Results, of course, differ, but they are always very interesting. The most recurrent discovery is the realisation of the lack of security awareness of the staff, who would handle confidential information such as their username and password when presented with a credible and well delivered phising attack.

The fact that people are the weakest link is very often proven right and inevitably prompts the question whether the investment in defensive security should be somehow split and more resources should be invested in security awareness programmes.

SECFORCE achieves ISO27001:2005

Thursday, October 11th, 2012

SECFORCE has been accredited to ISO27001:2005 by the British Assessment Bureau.

SECFORCE’s Operations and Commercial Director Sam Temple said:

“This marks an important milestone for us in security management. It is one thing to strive to operate in a secure manner, but fantastic to have it confirmed by a respected external auditing body. Having achieved ISO27001 will not mean that we can relax about our security though, although we can be confident that the systems and procedures put in place are effective now, we will continue to invest effort in to this area to ensure that they remain so. ”

SECFORCE iso27001

SECFORCE handles confidential information in a daily basis. This achievement contributes to ensure that our client’s information is kept secure.

SECFORCE Presents to European Banking Industry in Riederau

Wednesday, October 3rd, 2012

SECFORCE Technical Director, Rodrigo Marcos, impressed bankers at an IT Cyber-Security workshop in Germany on Tuesday treating them to a live hacking demonstration. The presentation comes as financial institutions focus more and more on how to foil the dangerous and cutting-edge cyber criminals hiding behind their computer screens around the globe.
During the two day conference Marcos demonstrated how an unsuspecting online banking customer could be targeted and their life-savings stolen without them even noticing that their browser had been compromised.

“It is not common to see competitors in the same industry sharing information security knowledge and organising events like this one. To my mind, it clearly shows the increasing security awareness in the market today.” said Rodrigo Marcos.

The experienced ethical hacker also advised the banks to provide more security tips to their customers such as opening a new browser session when conducting online banking.

 
   
 
BLOG

Archives

April 2014
March 2014
February 2014
August 2013
June 2013
February 2013
January 2013
December 2012
November 2012
October 2012
January 2012
October 2011
September 2011
July 2011
June 2011
April 2011
February 2011
January 2011
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008

Categories

Aircraft security (1)
Business Continuity (2)
CREST (1)
cyber security (2)
Embedded devices security (1)
exploit (8)
Fuzzing (1)
Penetration Testing (40)
Phishing (3)
Risk Management (5)
SECFORCE (17)
Security architecture (2)
Security Books (1)
Security Compliance (1)
Security research (8)
social engineering (1)
social media (1)
sql injection (3)
SQL Server (3)
Tools (13)
Uncategorized (2)
Vulnerabilities (10)
 
SECFORCE - penetration testing
  SECFORCE - penetration testing Aegon House, 13 Lanark Square
Canary Wharf - E14 9QD, London
SECFORCE - penetration testing Direct Line +44 (0) 845 056 8694
E-mail SECFORCE - penetration testing
  Follow us in Twitter Check us out in LinkedIn SECFORCE is CREST certified. Click on the logo for more information ISO9001 ISO27001
SECFORCE - penetration testing
    Copyright (c) 2014 SECFORCE Ltd · All Rights Reserved