Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

Assessing your public security exposure without sending a single packet

Peleus Uhley (Adobe)
4:45pm–5:25pm Wednesday, November 1, 2017
Security analytics
Location: Beekman

Who is this presentation for?

  • Security researchers

Prerequisite knowledge

  • A basic understanding of DNS terminology (TXT, CNAME, etc.), certificate transparency, SSL certificates, HTTP headers, JSON, and common vulnerabilities

What you'll learn

  • Understand what information is freely available on the internet regarding your organization's network and applications
  • Learn techniques for harnessing that data to gain more insight into your services and using it to identify security risks

Description

It can be difficult for security teams in large organizations to accurately measure their public infrastructure and services, due to issues such as shadow IT, frequent acquisitions, legacy services, organizational silos, and rapid development. However, efforts such as deploying large-scale security automation depend on having some way to measure the entire organization.

Peleus Uhley shares techniques for leveraging freely available data to create complete network graphs, track best practices, and identify security issues. Using free and publicly available data, it is possible to create an inventory of everything that is remotely measurable about your infrastructure and applications. This data can help with identifying forgotten hosts, measuring best practice adoption, and identifying security vulnerabilities. It can also be useful to red teams who want to measure a target without generating traffic against the hosts. Groups on the internet have already scanned your services, so why not copy their homework?


Peleus Uhley

Adobe

Peleus Uhley is the lead security strategist at Adobe, where he assists the company with proactive and reactive security. Peleus has been a part of the security industry for more than 15 years. Previously, he was a senior developer at Anonymizer and a security consultant for @stake and Symantec.