Last Thursday 27 May we, Outpost24/Lab106, held an event with the theme:
Quality: Back to Basics. Below is a summary of the highlights, written up by a student of the
Vrije Universiteit in Amsterdam, who shares with us his fresh perspective on IT security and his take on the event.
QUALITY: Back to Basics by Outpost24/Lab106.
Background: I am not (yet) a top security consultant or analyst, or anything like that. I am a student who kindly
got permission to attend this event, it was a very interesting day for me, and I promised to write something about
my experiences. I arrived a bit early and got introduced to the people from Outpost24/lab106 who organized
this event, who helped me figure out the details for the rest of the day.
The day officially started with a short introduction by Hero de Haan, Managing Director of Outpost24/Lab106,
and Host of the day: Pete Herzog, Managing Director of ISECOM. The theme of the day "Back to Basics" was explained.
We humans have a habit of copying old 'bad' behavior, and maybe it's time to stop for a moment and critically
look at the methods we started taking for granted. People are bad at judging trust and security, and this includes
us and our friends. Maybe we need to stop guessing about things, which is what risk analysis seems to come down to.
The first workshop I attended focused on cloud computing. Andre Beerten from SZWN and Lex Beijk from TNO held a
fun interactive session about a variety of issues involved, a few highlights for me were: Data security revolves
around perimeters, we draw a line between us and the hostile outside world, and try to keep the bad stuff out.
With cloud computing this concept changes, as has been extensively documented by the Jericho group.
We have no idea where our data is located, we have no way to check if data we removed is actually gone, etc.
To summarize a number of interesting observations by the participants of this workshop: Though the technical
hurdles will disappear in the future, people will remain and will keep being the soft factor. It is our job as
IT specialists to educate people on the consequences of cloud computing, ideally without belittling or insulting
their behavior. Ninety percent of data leaks are not caused by malice, but by people being lazy or just not
realizing they are doing something wrong.
The second workshop I attended was conducted by Ron Perris from Outpost24 Sweden, who used a dummy/made-up
company as an example. This presentation was held at a rather high speed, probably because the basic concepts
were already familiar to most people in the room. The story itself was very recognizable for everybody in the
room, and it illustrated very well that introducing security into a company is easy to do wrong. The key points
I took home from this workshop were that we should start small. Be smart about scheduling scans so they don't
interfere with business, etc. Work on gaining acceptance for your project from the start, define clear ownership,
and then slowly extend your scope.
Again, get the basics right first.
Next it was our turn to be surprised by Hendrik Svaneklaer, who effortlessly fooled our senses and assumptions.
It clearly showed that we are not immune from social engineering tactics either; this guy can make you do and
say pretty much anything he wants. This was not just a fun intermezzo, but also a valuable lesson: how much use
is 4096-bit encryption if this guy walked up to an overworked secretary in your company and used his charms
to get your password?
The day ended with yet another insightful speech, Pete Herzog elaborated on the concept of trust and related issues.
Feelings are a bad tool for judging a situation, we should rely on facts and numbers. I imagine the list of trust
factors created by ISECOM can be a very useful tool to not only judge a situation, but also to provide a clear
estimate of safety, and what the problem points are.
I am still a nerd, I like technology, but it is good to realize the other side of the picture, for me in short:
Don't be afraid to rethink your assumptions,
and always keep people in mind when designing security.
This ended the official part of the event. During the drinks and dinner that followed, everybody had the chance to have
more interactive conversations with the mixed crowd. Thank you again Outpost24/Lab106 for letting me join in!