I recently attended a seminar on security presented by Holly at Sec-1 – she started with external, covering off injection attacks, pivoting to internal systems, and then talked about compromising from the inside. She also went through some interesting stuff about physical access to buildings and in particular server rooms.
It was a good talk, and I thoroughly enjoyed hearing what she had to say and seeing some ‘live’ attacks. Holly gave some great tips about things that can be done to further secure existing networks (which I’ll probably go away and do now), but in addition to that she did effectively say that she’s managed to get access into any system she’s tried; a bit like a domestic burglary, if someone wants what you have badly enough, they’ll find a way to get it.
What’s particularly interesting about the new wave of information attacks is that, due to the number of automated tools now available, one doesn’t have to be an expert to be able to get some data out of a system and have a good root around – almost anyone can do it.
For me, though, the biggest takeaway was about password re-use. Holly mentioned watering hole attacks in particular: why bother breaking into a company directly when you can instead target a website its staff use, break into that, and find that the vast majority of the users have re-used the same password on the site you’ve accessed as on their company network.
Of course there’s a nice little xkcd comic all about it.
The only drawback was that they took us to the less-nice Marriott in Bristol…