Selling your Information Security Team Part 6

If you have followed this series so you can present a similar demonstration, this VM will be used by the audience member who volunteers to be the victim. We are not going to patch it, so we can take advantage of some vulnerabilities that exist in the SP1 build.

We are on to building the Victim VM. This VM will be built with Windows 7 SP1 32-bit. Be aware that when SP1 was released, these vulnerabilities were either not known or were later zero-day discoveries. More on the vulnerabilities in SP1 later during the post on the attacker VM.


Selling your Information Security Team Part 3

Building on the framework that was designed in the previous posts, we are now ready to start creating our first Virtual Machine: the Firewall. This VM will join the two networks together and form the keystone of the demonstration before the Board of Directors.

As I continue this series on Selling Your Information Security Team, it’s now time to start building the Virtual Machines that will be used in the demonstration.  This post will cover building the keystone of the demonstration … the Firewall Virtual Machine.  In Part 2 of this series, we built the host environment and defined the two networks joined by the firewall.


Selling your Information Security Team Part 2

In this installment of “Selling your Information Security Team”, we discuss recommendations for your host computer and installation of Virtualization Software. We define the network types we will use and reveal what the virtual network layout will look like. Prepare to WOW your Board of Directors!

In the previous installment of this series, we discussed how Information Security can be similar to insurance … it’s only discussed when bad things happen, and it’s rarely a revenue-generating center. We also talked about how one might show return on investment in the Information Security Team. Finally, we walked through a four-phase Cyber Kill Chain that could be used to simplify a complex demonstration of Information Security that could be presented to non-InfoSec managers and the Board of Directors. In this part of the series, we will install Virtualization Software for the Virtual Penetration Lab that will be the foundation of our demonstration to the Board of Directors.
