November 1st, 2011 by peter.bassill
Caution – Rant within
Cyber
Well, the press have gone mad for “Cyber” now. Everywhere is awash with news of massive Cyber attacks being conducted against the UK’s infrastructure and enterprise, but it leaves a burning question in my head: why are all these systems susceptible to attack? If these systems are that important, air gap that shit. Don’t have them connected to the public Internet in the first place.
October 28th, 2011 by peter.bassill
I have been asked on a few occasions if I would put together an outline of how to build a secure server from scratch. Having thought the topic through on a number of occasions, and having tried to write this blog article what is probably nearer 20 times, I finally bit the bullet and got on with it.
In this post, I will explore how to take a default Ubuntu install, in this case 11.04 Server, and build it into a secure web server.
April 12th, 2011 by peter.bassill
Penetration testing has been a part of information security since the early 1990s, yet to this day security staff make the same mistakes over and over again. In this short piece I explore my personal views on selecting a penetration testing firm and how I go about engaging them in some real world attack scopes.
April 11th, 2011 by peter.bassill
I want a penetration testing firm that:
understands that my employer’s business is to make money
but my business is to protect my employer
understands that I find no value in a 300 page report
but a high quality 3 page report in the Queen’s English is better than gold
understands that I take a risk based approach to security
and knows that risk is a common business language, not CVSS criteria
understands that when I say holistic, it means you find your own damn way in
and not “well, we can get in easier from your server LAN”
understands that I don’t give a damn about a particular standard
but knows the contents of NIST 800-53, PCI and ISO 2700x
understands that PCI-DSS is a base line level of security
and not something I think we aspire to
understands that I use all the tools available to
and knows how to test manually, thinking outside the box
I want a penetration testing firm that listens!
April 3rd, 2011 by peter.bassill
OK, so here are some of the results. I will try to get some visualisation of the results through Splunk later in the week, but here is the raw output from the box after 48 hours: