ISSA chapter meeting looks at regulation and penetration testing


The recent ISSA UK event was once again held aboard HMS President in London, and Fujitsu's James Gosnold reported on the day for SC Magazine.

Opening the event on 11th July was Lord Erroll, who spent some time discussing small-to-medium enterprises (SMEs) and their need for cost-effective and trustworthy security advice. He said that over half of the UK workforce is employed by SMEs and that many of these firms sit in the supply chains of larger companies, so their security posture matters well beyond their own walls.

Lord Erroll also pointed out that officious regulatory authorities in the UK need to understand that an SME sometimes has to break the rules to get the job done, something that is understood on the continent. He said he is a strong advocate of 100 per cent UK-wide broadband coverage and feels public money would be far better spent on that than on expanding rail and road infrastructure.

He also made a bold prediction that the government's ‘Digital by Default’ policy will be tested in the next few years when someone in the UK who has no broadband access dies because they cannot reach public services.

Following this was the first ‘Dragons' Den’ session, in which four vendors each get 12 minutes to pitch their wares to the audience; at the end of the day the audience votes for the best presenter and the best product.

Up next was SC columnist and penetration tester Ken Munro, who is always an entertaining presenter and strikes the right blend of geek and practical advice. Munro asked how we decide what to buy. F1 hospitality? The biggest ad in SC Magazine? Nice coloured lights on the appliance? (I imagine it would be quite depressing to learn how often those are the criteria actually used.)

Munro ran a live session demonstrating how easy it is to pack and encrypt malware so that it evades traditional signature-based anti-virus scanners, using a £150 tool commonly used by games developers. He also gave some practical advice: organisations should remove the anti-virus banner from email signatures, because it advertises to the outside world which product you are defending yourself with, and an attacker who knows that can test their code against that exact engine until it passes before sending it to you.

Next was Tom Davison from Check Point, who talked about how easy it is to evade traditional signature-based tools and about the Q3 2013 launch of a new component of the Check Point ThreatCloud called ‘Threat Emulation’. It inspects files entering and leaving the network; Davison gave examples of the file types that cause the most concern, such as .pdf and .exe.

At this point I was thinking that I could name several products that already do this, but what the tool apparently brings to the party is that, rather than matching the file against signatures, it opens a suspicious file in a virtualised sandbox (currently Windows XP and Windows 7 guests) and then monitors the behaviour of the guest for characteristics such as registry changes or new network connections being initiated.
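To make the behavioural approach concrete, here is a small triage script of the kind that sits on top of such a sandbox. It is an added example, not Check Point's code, and it assumes a constructed, simplified event log of one `<kind> <details>` line per event (real sandboxes use their own schemas). It weights the two behaviours mentioned above, writes to autorun registry keys and new outbound connections, alongside the related signs of a dropped executable being launched and a document viewer spawning a shell, and it treats only the RFC 1918, loopback and link-local ranges as "our own network" so that any other destination counts as a new external connection.

```python
"""Behavioural triage of a sandbox execution trace (added example, not
Check Point's code). Assumes a constructed event format of one
`<kind> <details>` line per event; real sandboxes emit their own schemas."""
import ipaddress
from dataclasses import dataclass, field

# Registry locations that give a dropped binary a foothold across logon/reboot.
PERSISTENCE_KEYS = (
    "\\currentversion\\run",            # ...\CurrentVersion\Run and RunOnce
    "\\winlogon\\shell",
    "\\winlogon\\userinit",
    "\\currentcontrolset\\services\\",
)
# User-writable directories where payloads are typically dropped.
DROP_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".vbs", ".js", ".ps1", ".bat")
# Script/shell hosts that a document viewer has no business spawning.
LOLBINS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "regsvr32.exe")
# Address space treated as "our own network"; anything else is external.
# Deliberately narrower than ipaddress.is_private, which also covers TEST-NET.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
MALICIOUS_THRESHOLD = 50


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)

    @property
    def malicious(self) -> bool:
        return self.score >= MALICIOUS_THRESHOLD


def _is_external(endpoint: str) -> bool:
    """True for an IPv4 endpoint outside INTERNAL_NETS, or for any hostname."""
    host = endpoint.rpartition(":")[0] or endpoint
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname rather than an address: assume external
    return not any(ip in net for net in INTERNAL_NETS)


def analyse(trace):
    """Score one sandbox run; each matched rule adds its weight and an indicator."""
    v = Verdict()
    dropped = set()  # lower-cased paths of executables written during the run

    def hit(weight, text):
        v.score += weight
        v.indicators.append(text)

    for line in trace:
        kind, _, detail = line.strip().partition(" ")
        d = detail.lower()
        if kind == "regset":
            key = d.split("=", 1)[0].strip()
            if any(k in key for k in PERSISTENCE_KEYS):
                hit(40, f"persistence via registry: {detail}")
        elif kind == "filewrite":
            if d.endswith(EXEC_EXT) and any(p in d for p in DROP_DIRS):
                dropped.add(d)
                hit(20, f"executable dropped in user-writable path: {detail}")
        elif kind == "connect":
            if _is_external(detail):
                hit(30, f"new outbound connection to {detail}")
        elif kind == "exec":
            image = d.split()[0]
            if image in dropped:
                hit(25, f"dropped file executed: {detail}")
            elif image.endswith(LOLBINS):
                hit(15, f"script/shell host spawned: {detail}")
    return v


# Constructed traces: what a booby-trapped PDF and a clean PDF might do in the guest.
MALICIOUS_TRACE = [
    r"exec C:\Reader\AcroRd32.exe invoice.pdf",
    r"filewrite C:\Users\alice\AppData\Roaming\svc.exe",
    r"regset HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\alice\AppData\Roaming\svc.exe",
    r"exec C:\Users\alice\AppData\Roaming\svc.exe",
    r"connect 198.51.100.23:4444",
]
BENIGN_TRACE = [
    r"exec C:\Reader\AcroRd32.exe invoice.pdf",
    r"regset HKCU\Software\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles\c1 = invoice.pdf",
    r"filewrite C:\Users\alice\AppData\Local\Temp\AcroRd32.log",
    r"exec C:\Windows\System32\cmd.exe /c echo hi",
    r"connect 10.0.0.5:445",
]

if __name__ == "__main__":
    for name, trace in (("malicious", MALICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        verdict = analyse(trace)
        print(name, verdict.score, verdict.malicious, *verdict.indicators, sep="\n  ")
```

The weights are illustrative; the point is that a dropped binary that registers itself under a Run key and then calls out to an external host scores well over the threshold even if its bytes have never been seen before, while a clean reader that merely writes a recent-files entry and talks to a file server on the LAN does not, and a lone cmd.exe spawn is noted but not by itself condemned.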

Speaking next was Michael Whitlock from MPWA, who announced the forthcoming Nice (Network & Internet Content Exception) solution, which has been in development since 2006. The solution uses a USB key and a gateway, and its primary aim is to protect the end user.

In summary, the user plugs the USB key into their system, uses a fingerprint to establish encryption between the key and the gateway (at corporate HQ), and then browses over the resulting secure link with “H-Browser” (which is apparently un-hackable). The presentation did give an interesting insight into the launch of such a product: Whitlock was seeking investment.

The next speaker was Peter Wood of First Base Technologies, whose credentials include chairing White Hat and doing pen testing for longer than I've been in long trousers. The presentation was quite basic given the audience, covering how vulnerable SNMPv1 is (its only credential, the community string, travels in cleartext, and the ‘public’ and ‘private’ defaults are still widely left in place) and how big a threat systems with default credentials remain.
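The SNMPv1 weakness is easiest to see at the wire level. The following is an added example, not First Base Technologies' code: it hand-encodes an SNMPv1 GetRequest for sysDescr.0 in BER, then parses the community string straight back out of the datagram exactly as a passive sniffer would, and flags the well-known defaults. Everything it needs is built inline, so it runs offline; the `probe` helper, which actually sends the request over UDP/161, is included for completeness and is never called unless you do so against a device you are authorised to test.

```python
"""SNMPv1 GetRequest encoder and community-string extractor (added example,
not First Base Technologies' code). Shows why SNMPv1 is weak: the only
credential, the community string, is a cleartext OCTET STRING in the
BER-encoded datagram, so anyone on the path can read it, and anyone who can
guess a default such as "public" can query the device without it."""
import socket

DEFAULT_COMMUNITIES = {"public", "private"}  # extend with vendor defaults as needed
SYS_DESCR = "1.3.6.1.2.1.1.1.0"              # MIB-2 sysDescr.0


def encode_length(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_int(value: int) -> bytes:
    """Non-negative INTEGER, minimal two's-complement (leading 0x00 if high bit set)."""
    if value < 0:
        raise ValueError("negative INTEGERs are not needed for this example")
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))  # most-significant group first
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }"""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))           # { name, NULL }
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0)          # request-id, error-status
              + encode_int(0) + tlv(0x30, varbind))                 # error-index, VarBindList
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_community(datagram: bytes):
    """Return (version, community) from any SNMPv1/v2c datagram: no key is needed."""
    tag, msg, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(msg)
    tag2, comm, _ = read_tlv(msg, pos)
    if tag != 0x02 or tag2 != 0x04:
        raise ValueError("unexpected message layout")
    return int.from_bytes(ver, "big"), comm.decode("latin-1")


def uses_default_community(datagram: bytes) -> bool:
    return extract_community(datagram)[1] in DEFAULT_COMMUNITIES


def probe(host: str, community: str, oid: str = SYS_DESCR, timeout: float = 2.0):
    """Send one GetRequest to UDP/161 and return the raw reply, or None on timeout.
    Only use against devices you are authorised to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    captured = build_get_request("public", SYS_DESCR)  # stands in for a sniffed datagram
    print(captured.hex())
    print(extract_community(captured), uses_default_community(captured))
```

Reading the hex output, the community string is visible as the OCTET STRING (`04 06 70 75 62 6c 69 63`, i.e. "public") immediately after the version byte; nothing about the protocol hides or authenticates it. SNMPv3 with authPriv is the fix, and until then read-write community strings on SNMPv1/v2c devices should be treated as cleartext passwords that are also routinely left at the vendor default.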

The most interesting sound bite I took away came when Wood discussed the gap between security people and developers/designers: he felt that “it is impossible to both design something and think of how to break it”.

After a second Dragons' Den session, the final talk of the day was given by Chris Phillips from IPPSO on terrorism trends. He explained that the insider threat is the biggest one facing organisations, accounting for a significant portion of the estimated £27 billion cost of cyber crime to the UK economy in 2012.

He gave three crucial steps for improving personnel security defences against the insider threat: recruitment processes (pre-employment checks, etc.), an ongoing security regime during employment, and leavers' processes (termination of all access when someone departs).

With respect to staff travelling abroad, Phillips stressed that precautions should be taken, as 600 British citizens were kidnapped in 2012; to this end the CPNI site is an excellent resource for physical and personal security guidance.

At the end of the day, the Dragons' Den award for best presenter went to Ken Munro, and the best product award to Adrian Wright from Secoda for his Rule Safe GRC tool.
