Cyber Security - An Overview

•Als PPTX, PDF herunterladen•

1 gefällt mir•513 views

robustbrad

Presentation given to a general computer elective at Metropolitan State University of Denver

The OWASP Foundation
http://www.owasp.org
Cyber Security: An Overview
Brad Carvalho
me@bradcarvalho.com
Twitter: @bradcarvalho

Brad Carvalho
• Cyber Security Engineer at Aerstone
• Senior at MSU Denver
• OWASP Boulder chapter member
• SnowFROC Conference Committee
• Blah … Blah … Blah.
Did I establish enough credibility?

Stuxnet
• Targeted Iran’s Uranium
enrichment plants
• Increased centrifuges
operating speeds while
reporting back normal
values to the C&C center
• Self replicated via USB
• Believed to be created by a
join venture between the
U.S and Israel.
8

Flame
• Cyber Espionage Tool
• Screenshots, keyboard
activity and network traffic
• Records Skype
conversations
• Operated by command and
control servers
• Could update itself with new
malware or attack vectors
• Believed to be created by
U.S and Israel
9

LinkedIn
• Over 6.5 million password
hashes recovered
• Over 4 million of those have
already been cracked. (as 6
months ago)
• Used an outdated hashing
algorithm to store
passwords (MD5)
• Did not salt their password
hashes (makes them
susceptible to rainbow
attacks)
• SQL injection!
10

Improve Security Architecture
• Web Application Firewalls
• Intrusion Detection Systems
• Log Monitoring
• Embrace the cloud
• Automate everything!
12

14
Personal Security
KeePass
• Encrypted
Password store
• Andriod and IOS
versions
1Password
• 1-click open
• Online shopping
credentials
• Not free
• Android and IOS
versions
PasswordSafe
• Autotype
• Clear Layout
• Free!

15
Education and Outreach
MSU Denver – Cyber Security Team

16
Opportunities
• Internships
• Pentesters
• Application Security Analysts
• SOC (Security Operations Center) Analysts
• DevOps Engineers (security focused)
• Network Security Engineers
• Security Architects
• Sales Engineers (security focuses)
• Developers!

Empfohlen

Threat Intelligence Field of DreamsGreg Foss

Open Source SecuritySander Temme

Web & Cloud Security in the real worldMadhu Akula

Humla workshop on Android Security Testing - null Singaporen|u - The Open Security Community

Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Jason Trost

BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesJason Trost

Solnet dev secops meetuppbink

R-CISC Summit 2016 Borderless Threat IntelligenceJason Trost

Empfohlen

Threat Intelligence Field of DreamsGreg Foss

Open Source SecuritySander Temme

Web & Cloud Security in the real worldMadhu Akula

Humla workshop on Android Security Testing - null Singaporen|u - The Open Security Community

Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Jason Trost

BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesJason Trost

Solnet dev secops meetuppbink

R-CISC Summit 2016 Borderless Threat IntelligenceJason Trost

(In)security in Open SourceShane Coughlan

Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...North Texas Chapter of the ISSA

Realities of Security in the Cloud - CSS ATX 2017Alert Logic

Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green North Texas Chapter of the ISSA

BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz

Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...PaloAltoNetworks

Realities of Security in the CloudAlert Logic

The path of secure software by Katy AntonDevSecCon

Study of Directory Traversal Attack and Tools Used for Attackijtsrd

Activated Charcoal - Making Sense of Endpoint DataGreg Foss

7 Reasons Your Applications are Attractive to AdversariesDerek E. Weeks

External to DA, the OS X WayStephan Borosh

Security Implications of the Cloud - CSS Dallas AzureAlert Logic

Stories from the Security Operations Center (S.O.C.)Alert Logic

Please, Please, PLEASE Defend Your Mobile Apps!Jerod Brennen

Billions & Billions of LogsJack Crook

Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...Invincea, Inc.

Cybereason - behind the HackingTeam infection serverAmit Serper

Anomaly Detection at Multiple Scales (Waltzman)Michael Scovetta

Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal

Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKelly Robertson

Web hackingtools 2015ColdFusionConference

Weitere ähnliche Inhalte

Was ist angesagt?

(In)security in Open SourceShane Coughlan

Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...North Texas Chapter of the ISSA

Realities of Security in the Cloud - CSS ATX 2017Alert Logic

Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green North Texas Chapter of the ISSA

BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz

Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...PaloAltoNetworks

Realities of Security in the CloudAlert Logic

The path of secure software by Katy AntonDevSecCon

Study of Directory Traversal Attack and Tools Used for Attackijtsrd

Activated Charcoal - Making Sense of Endpoint DataGreg Foss

7 Reasons Your Applications are Attractive to AdversariesDerek E. Weeks

External to DA, the OS X WayStephan Borosh

Security Implications of the Cloud - CSS Dallas AzureAlert Logic

Stories from the Security Operations Center (S.O.C.)Alert Logic

Please, Please, PLEASE Defend Your Mobile Apps!Jerod Brennen

Billions & Billions of LogsJack Crook

Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...Invincea, Inc.

Cybereason - behind the HackingTeam infection serverAmit Serper

Anomaly Detection at Multiple Scales (Waltzman)Michael Scovetta

Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal

Was ist angesagt? (20)

(In)security in Open Source

Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...

Realities of Security in the Cloud - CSS ATX 2017

Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green

BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz

Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...

Realities of Security in the Cloud

The path of secure software by Katy Anton

Study of Directory Traversal Attack and Tools Used for Attack

Activated Charcoal - Making Sense of Endpoint Data

7 Reasons Your Applications are Attractive to Adversaries

External to DA, the OS X Way

Security Implications of the Cloud - CSS Dallas Azure

Stories from the Security Operations Center (S.O.C.)

Please, Please, PLEASE Defend Your Mobile Apps!

Billions & Billions of Logs

Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...

Cybereason - behind the HackingTeam infection server

Anomaly Detection at Multiple Scales (Waltzman)

Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd

Ähnlich wie Cyber Security - An Overview

Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKelly Robertson

Web hackingtools 2015ColdFusionConference

Web hackingtools 2015devObjective

security misconfigurationsMegha Sahu

AMP_Security_ Malware Protection PresentatiionSohanGole1

Divine and felonios cyber security devopsdays austin 2018John Willis

NPTsBrandon Levene

Genetic MalwareLauren Sheppard

Genetic MalwareOkta

Malware is Called Malicious for a Reason: The Risks of Weaponizing CodeStephen Cobb

Beyond the Scan: The Value Proposition of Vulnerability AssessmentDamon Small

Web SecurityGerald Villorente

An Introduction To IT Security And Privacy - Servers And MoreBlake Carver

Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil

Afcea 4 internet networksPaul Strassmann

Malware and the risks of weaponizing codeStephen Cobb

Keith J. Jones, Ph.D. - Crash Course malware analysisKeith Jones, PhD

Chasing web-based malwareFACE

Penetration Testing Resource Guide Bishop Fox

Labeling the virus share malware dataset lessons learnedJohn Seymour

Ähnlich wie Cyber Security - An Overview (20)

Keeping Secrets on the Internet of Things - Mobile Web Application Security

Web hackingtools 2015

security misconfigurations

AMP_Security_ Malware Protection Presentatiion

Divine and felonios cyber security devopsdays austin 2018

NPTs

Genetic Malware

Malware is Called Malicious for a Reason: The Risks of Weaponizing Code

Beyond the Scan: The Value Proposition of Vulnerability Assessment

Web Security

An Introduction To IT Security And Privacy - Servers And More

Heartbleed Bug Vulnerability: Discovery, Impact and Solution

Afcea 4 internet networks

Malware and the risks of weaponizing code

Keith J. Jones, Ph.D. - Crash Course malware analysis

Chasing web-based malware

Penetration Testing Resource Guide

Labeling the virus share malware dataset lessons learned

Cyber Security - An Overview

1. The OWASP Foundation http://www.owasp.org Cyber Security: An Overview Brad Carvalho me@bradcarvalho.com Twitter: @bradcarvalho

2. Brad Carvalho • Cyber Security Engineer at Aerstone • Senior at MSU Denver • OWASP Boulder chapter member • SnowFROC Conference Committee • Blah … Blah … Blah. Did I establish enough credibility?

3. Cyber Attacks – Private Sector 3

4. 4 Nation States at Cyber War

5. 5 It’s overwhelming!

6. 6 Impacts are very serious …

7. 7 Even more serious …

8. Stuxnet • Targeted Iran’s Uranium enrichment plants • Increased centrifuges operating speeds while reporting back normal values to the C&C center • Self replicated via USB • Believed to be created by a join venture between the U.S and Israel. 8

9. Flame • Cyber Espionage Tool • Screenshots, keyboard activity and network traffic • Records Skype conversations • Operated by command and control servers • Could update itself with new malware or attack vectors • Believed to be created by U.S and Israel 9

10. LinkedIn • Over 6.5 million password hashes recovered • Over 4 million of those have already been cracked. (as 6 months ago) • Used an outdated hashing algorithm to store passwords (MD5) • Did not salt their password hashes (makes them susceptible to rainbow attacks) • SQL injection! 10

11. 11 What can be done?

12. Improve Security Architecture • Web Application Firewalls • Intrusion Detection Systems • Log Monitoring • Embrace the cloud • Automate everything! 12

13. 13 Application Security

14. 14 Personal Security KeePass • Encrypted Password store • Andriod and IOS versions 1Password • 1-click open • Online shopping credentials • Not free • Android and IOS versions PasswordSafe • Autotype • Clear Layout • Free!

15. 15 Education and Outreach MSU Denver – Cyber Security Team

16. 16 Opportunities • Internships • Pentesters • Application Security Analysts • SOC (Security Operations Center) Analysts • DevOps Engineers (security focused) • Network Security Engineers • Security Architects • Sales Engineers (security focuses) • Developers!

17. Questions? 17