Unpatched Systems

Peter WoodChief Executive Officer

First•Base Technologies

An Ethical Hacker’s View

Slide 2 © First Base Technologies 2013

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First Base in 1989 (one of the first ethical hacking firms)

CEO First Base Technologies LLPSocial engineer & penetration testerConference speaker and security ‘expert’

Member of ISACA Security Advisory GroupVice Chair of BCS Information Risk Management and Audit GroupUK Chair, Corporate Executive Programme

FBCS, CITP, CISSP, MIEEE, M.Inst.ISPRegistered BCS Security ConsultantMember of ACM, ISACA, ISSA, Mensa

Slide 3 © First Base Technologies 2013

Hacker thinking

• How does this work?

• What research is there out there?

• What’s happening under the covers?

• What happens if I do this?

• What happens if I ignore the instructions?

• What if I’m a “legitimate” user?

• Where are the weak points?

• Is there another way in?

Slide 4 © First Base Technologies 2013

Missing Patches – Where?

• Internet facing systems- Operating systems, web servers, applications

• Internal servers- Operating systems, databases, applications

• Workstations & Laptops- Operating systems, browsers, applications

• Smartphones, iPads, etc.- Operating systems, browsers, apps

Slide 5 © First Base Technologies 2013

Slide 6 © First Base Technologies 2013

The Attackers

• Attacks may be external or internal• Attacks are not limited to ‘hackers’• Attacks can be manual or automated

Slide 7 © First Base Technologies 2013

Slide 8 © First Base Technologies 2013

Unpatched FTP

Slide 9 © First Base Technologies 2013

Unpatched Sendmail

Slide 10 © First Base Technologies 2013

Unpatched Router

SNMP Read-Write strings revealed.Now we have full control of this device

Slide 11 © First Base Technologies 2013

‘Root’ on a UNIX Host

Drag and drop an exploit on the target host

Now we have ‘root’ and control the file system

Slide 12 © First Base Technologies 2013

‘System’ on a Windows Host

Drag and drop an exploit on the target host

Now we have ‘system’ and control the file system

Slide 13 © First Base Technologies 2013

Consequences of Missing Patches

• Information theft- Reputational loss- Loss of competitive advantage- Legal action

• Malware infection- Remediation costs- Participation in botnet

• Unauthorised control of systems- Corporate espionage- Corruption of information

• Denial of service- Loss of revenue- Remediation costs

Slide 14 © First Base Technologies 2013

Peter WoodChief Executive Officer

First Base Technologies LLP

peterw@firstbase.co.uk

http://firstbase.co.ukhttp://white-hats.co.ukhttp://peterwood.com

Twitter: peterwoodx

Need more information?