2. Introduction
from cyberspace with love
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician,
virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
2 of 40
haris.slash@gmail.com
http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:15 18 December 2012
3. From Cyber Space With Love
Introduction
º Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.
º Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.
º Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
º Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.
Reference: ISO/IEC 27002 Information technology: Code of practice for information security management
4. From Cyber Space With Love
Introduction
Confidentiality: to ensure protection against unauthorized access to or use of confidential information.
Integrity: to ensure the accuracy and completeness of information are maintained.
Availability: to ensure information and vital services are accessible for use when required.
5. From Cyber Space With Love
Introduction
Common Terminology
º Threat: Any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive or critical assets or services. A threat can be natural, deliberate or accidental.
º Vulnerability: A quantifiable, threat-independent characteristic or attribute of any asset within a system boundary or environment in which it operates and which increases the probability of a threat event occurring and causing harm in terms of confidentiality, availability and/or integrity, or increases the severity of the effects of a threat event if it occurs.
Reference: The Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM) Handbook
6. Security History
hacker never dies
7. Hacker Never Dies
Security History
Dennis Ritchie and Ken Thompson created the UNIX (time-sharing) operating system at AT&T Bell Labs in 1969.
A few months after the birth of UNIX, Dennis Ritchie created the C programming language.
Ritchie was found dead on October 12, 2011. Thompson is now working at Google as a Distinguished Engineer.
”In 1971 when I joined the staff of the MIT Artificial Intelligence lab, all of us who helped develop the operating system software we called ourselves hackers.” – Interview with Richard Stallman by David Bennahum, 1996
Richard M. Stallman, GNU project’s lead architect and organizer, is also the main author of free software licenses such as the GNU General Public License (GPL).
8. Hacker Never Dies
Security History
Joe Engressia (AKA The Whistler / Joybubbles) had the unusual gift of perfect pitch: he could whistle any tone he wanted. With it, the blind mathematics student at the University of South Florida stumbled onto the 2600 Hz tone and figured out how to make free phone calls during the late 60s… just by whistling into the receiver. Phreakers around the world supposedly called Joe to tune their Blue Boxes.
John Draper (AKA Captain Crunch) figured out how to make free phone calls using a plastic whistle found in a Cap’n Crunch cereal box together with a Blue Box.
John was active during the 70s and taught Steve Wozniak (co-founder of Apple) how to use a Blue Box that Woz built.
John is the owner of Crunch Creation, a group of geniuses and excellent talent engaged in large web development projects.
9. Hacker Never Dies
Security History
Mark Abene (AKA Phiber Optik) is a notorious self-taught hacker, someone who didn’t learn his skills at a university or similar. Abene is now CTO and founder of TraceVector. In 2007, Abene presented “The Rise and Fall of Information Security in the Western World” at the Hack in the Box security conference, Kuala Lumpur, Malaysia.
Robert Morris was the son of the chief scientist at the National Computer Security Center, part of the National Security Agency (NSA). In 1988 he released the first computer worm on the Internet; it exploited a Sendmail vulnerability and a fingerd vulnerability.
Morris currently teaches computer science and artificial intelligence at MIT.
10. Hacker Never Dies
Security History
Kevin Poulsen is famous for taking over all telephone lines going into KIIS-FM, a radio station in Los Angeles. This ensured that he was the 102nd caller and made him win a Porsche 944 S2.
Kevin admitted breaking into computer systems to get the names of undercover businesses operated by the FBI. After serving a 3-year prison sentence he wasn’t allowed to use a computer for another 3 years.
Kevin Poulsen was a journalist and the editorial director of SecurityFocus.com. Today he is News Editor at Wired.com.
11. Hacker Never Dies
Security History
Kevin Mitnick was the most-wanted computer criminal in the United States and the first hacker who ended up on the FBI’s Most Wanted list.
At age 12, Mitnick used social engineering to bypass the punch card system used in the Los Angeles bus system. Mitnick first gained unauthorized access to a computer network in 1979, when he broke into DEC’s computer network and copied their software.
Mitnick used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country’s largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail.
Today he runs Mitnick Security Consulting, an information security and pen-test firm, mitnicksecurity.com
12. Hacker Never Dies
Security History
tiger team n. [U.S. military jargon] Originally, a team (of
sneakers) whose purpose is to penetrate security, and thus
test security measures.
sneaker n. An individual hired to break into places in order
to test their security; analogous to tiger team.
Today, penetration testing is the formal title of tiger team
activity. Because the US military were the first to use
Advanced Research Projects Agency Network (ARPANET),
they were the first to conduct audits on computer security.
When the Internet was becoming useful to corporations,
some businesses saw the same need as the military – security
has to be tested in order to be confirmed secure. However,
many corporations didn’t see any need for security at all.
13. Hacker Never Dies
Security History
Hack-Fu
Today, hackers and some organizations are actively developing and innovating new techniques for offensive and defensive security, including cyber warfare (CW), information warfare (IW) and electronic warfare (EW).
14. Offensive Security Awareness
license to steal
15. License To Steal
Offensive Security Awareness
Know your enemy: Hackers, Crackers, Cyber Warriors, Cyber Terrorists, Cyber Criminals, Script Kiddies
‘hackers’ are typically computer security experts, who specialize in penetration testing and other security testing methodologies.
‘crackers’ refers to a person who intentionally accesses a computer, or network of computers, for evil reasons. Today these bad-guy crackers are sometimes referred to as black hats, or mostly just hackers.
‘cyber warrior’ is an individual or group of people recruited and trained by governments to use the Internet for offensive and defensive security.
16. License To Steal
Offensive Security Awareness
Know your enemy (continued)
‘cyber terrorist’ refers to an individual or group of people who use the Internet to destroy computers or disrupt Internet-connected services for political reasons.
‘cyber criminals’ typically refers to those who use the Internet to facilitate illegal or fraudulent activities, including scammers and those who illegally distribute software, music and movies against copyright laws.
‘script kiddies’ usually have very limited computer skills and can be quite immature, trying to carry out large numbers of attacks in order to obtain attention and reputation.
17. License To Steal
Offensive Security Awareness
Basic Pentest Methodology
1) Planning: Define objective; Define scope; Define deliverable; Type of attack
2) Discovery: Information gathering; Enumeration and vulnerability scanning; Source code audits and fuzzing; Exploit research
3) Attack: Gaining Access; Privilege Escalation; System browsing; Rootkit installation; Monitoring; Access Management
A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders. Today, there are numerous methodologies available to the public, among them:
An attacker actually spends 90% of their time in the discovery phase.
18. License To Steal
Offensive Security Awareness
Hack-Fu: Discovery / Information Gathering
Types:
Passive information gathering involves acquiring information without directly interacting with the target.
Active information gathering involves interacting with the target directly by any means.
19. License To Steal
Example #1: Passive Information Gathering
Offensive Security Awareness
Hack-Fu: Discovery / Information Gathering
Last login: Fri Dec 7 23:42:03 on ttys001
[slash@sneakyrat-research_box]$ whois targetCompany.MY
Registrant:
targetCompany (targetCompany-MY)
# street address
city, province, state, postcode, country
Domain Name: targetCompany.MY
Administrative and Technical Contact:
Fullname, email@targetCompany.MY
targetCompany (targetCompany-MY)
# street address, city, province, state, postcode, country
Telephone: xxx-xxx-xx-xx Fax: xxx-xxx-xx-xx
Domain servers:
extdns1.targetCompany.MY 202.xxx.133.5
zaaba.targetCompany.MY 161.xxx.201.17
20. License To Steal
Example #2: Passive Information Gathering
Offensive Security Awareness
Hack-Fu: Discovery / Information Gathering
Collecting email addresses from the Google search engine:
Last login: Fri Dec 7 23:45:03 on ttys001
[slash@sneakyrat-research_box]$ ./googmail –d targetCompany.MY
Listing email address, patient….
nazri.@targetCompany.MY found!
amin@targetCompany.MY found!
marzuki@targetCompany.MY found!
Collecting sensitive documents from the Google search engine:
Last login: Fri Dec 7 23:58:15 on ttys001
[slash@sneakyrat-research_box]$ ./googdoc –d targetCompany.MY
Listing document, patient….
memo-lampiran.pdf found!
maccs-template.doc found!
examanation-draft.pdf found!
21. License To Steal
Example #3: Active Information Gathering
Offensive Security Awareness
Hack-Fu: Discovery / Information Gathering
There is no patch for humans, and therefore there is no protection from social engineering. Based on history, social engineering has a magnificent success story.
22. License To Steal
Offensive Security Awareness
Hack-Fu: Discovery / Enumeration and Vulnerability Mapping
The attacker will try to identify specific weak points to test and how to test them. These activities include:
² Identify vulnerable applications or services
² Perform a vulnerability scan to search for known vulnerabilities, which can be obtained from the vendors’ security announcements, or from public databases such as SecurityFocus, CVE or CERT advisories.
² Enumerate discovered vulnerabilities
² Estimate probable impact (classify vulnerabilities found)
² Identify attack paths and scenarios for exploitation
23. License To Steal
Example #4: Googenum Samba Enumeration
Offensive Security Awareness
Hack-Fu: Discovery / Enumeration and Vulnerability Mapping
Enumeration is defined as a process of collecting and extracting user names, machine names, network resources, shares and services from a target system.
Last login: Fri Dec 8 10:58:15 on ttys001
[slash@sneakyrat-research_box]$ ./googenum.pl –r targetCompany.MY
Starting Googenum….
--- Target information ---
Target: targetCompany.MY
RID Range: 500-550, 1000-1050
Username: ‘’
Password: ‘’
Known Username: root, admin, guest, azlan, neelofa
--- Enumerating Workgroup ---
[+] Got domain/workgroup name: WORKGROUP
--- Users on targetCompany.MY ---
[I] Assuming that user “root” and “admin”
[+] Got ISD: S-1-5-21-1801674531-1482476501-725345543
S-1-5-21-1801674531-1482476501-725345543-500 ARTISzizan (local user)
S-1-5-21-1801674531-1482476501-725345543-500 ARTISnurul (local user)
24. License To Steal
Example #5: Nikto Web Application Scanner
Offensive Security Awareness
Hack-Fu: Discovery / Enumeration and Vulnerability Scanning
Vulnerability scanning is a process of identifying security weaknesses.
Last login: Fri Dec 8 11:38:15 on ttys001
[slash@sneakyrat-research_box]$ ./nikto.pl –host targetCompany.MY
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 202.xxx.xxx.xxx
+ Target Hostname: targetCompany.MY
+ Target Port: 80
+ Start Time: 2012-12-08 22:38:08 (GMT8)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie ZM_TEST created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, TRACE, OPTIONS
+ OSVDB-3092: /administrator: This might be interesting...
+ OSVDB-637: Enumeration of users is possible by requesting ~username
(responds with 'Forbidden' for users, 'not found' for non-existent users).
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing
MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /tmp/: This might be interesting...
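Three of the findings in the Nikto output above (missing X-Frame-Options, a cookie set without HttpOnly, TRACE among the allowed methods) are visible in a single HTTP response, so an administrator can verify them on their own server after a fix without re-running the scanner. The check below is an added example, not code from the slides or from Nikto; it runs over constructed sample responses (the cookie name ZM_TEST is taken from the slide) and also treats a Content-Security-Policy frame-ancestors directive as an accepted alternative to X-Frame-Options.

```python
"""Added example (not from the original slides): verify three of the
Nikto findings above from a raw HTTP response, offline.

Checks covered:
  - X-Frame-Options header missing (and no CSP frame-ancestors)
  - Set-Cookie without the HttpOnly flag
  - TRACE listed in the Allow header of an OPTIONS response
"""
from typing import Dict, List

# Constructed sample: an OPTIONS response that reproduces the Nikto
# findings on the slide (no X-Frame-Options, cookie without HttpOnly,
# TRACE allowed).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: ZM_TEST=true; Path=/\r\n"
    "Allow: GET, HEAD, POST, TRACE, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same response after hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: ZM_TEST=true; Path=/; HttpOnly; Secure\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Return the response headers keyed by lower-cased name.

    Each value is a list because a header (Set-Cookie in particular)
    may legitimately appear more than once in one response.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_response(raw: str) -> List[str]:
    """Return the list of findings; empty when none of the checks fire."""
    findings: List[str] = []
    headers = parse_headers(raw)

    # Clickjacking protection: X-Frame-Options, or the newer CSP
    # frame-ancestors directive, which browsers prefer when both exist.
    csp = " ".join(headers.get("content-security-policy", [])).lower()
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options header is not present")

    # Every Set-Cookie line must carry HttpOnly so script cannot read it.
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        if "httponly" not in flags:
            findings.append(f"Cookie {name} created without the httponly flag")

    # TRACE echoes the request back and should be disabled on the server.
    methods = {
        m.strip().upper()
        for value in headers.get("allow", [])
        for m in value.split(",")
    }
    if "TRACE" in methods:
        findings.append("TRACE method is allowed")

    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = check_response(sample)
        print(f"{label}: {result if result else 'no findings'}")
```

To use it against a real server, capture the raw response of an OPTIONS request (for example with curl -i -X OPTIONS) and pass the text to check_response.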
25. License To Steal
Offensive Security Awareness
Hack-Fu: Attack / Gaining Access and Privilege Escalation
In any given situation a system can be enumerated further. Activities in this stage will allow the attacker to confirm and document probable intrusion and/or automated attack propagation.
If access is obtained, the next step is to escalate access to a higher level such as administrative privileges.
26. License To Steal
Password Stealing
Offensive Security Awareness
Hack-Fu: Attack / Gaining Access and Privilege Escalation
A password is used by the attacker to exploit user credentials. It allows the attacker to access personal information, gain access to the system and escalate to higher privileges such as root and administrator.
How
§ Observed during entry
§ Password cracking
§ Password stealing tools
Why
§ Password is written down somewhere
§ Password is stored somewhere in clear text
§ Password is encrypted with a weak encryption algorithm
Password stealing techniques: Social Engineering, Trojans, Phishing, Shoulder Surfing, Spying, Guessing/Cracking
27. License To Steal
Example #6: Password Cracking
Offensive Security Awareness
Hack-Fu: Attack / Gaining Access and Privilege Escalation
A password is used by the attacker to exploit user credentials. It allows the attacker to access personal information, gain access to the system and escalate to higher privileges such as root and administrator.
Last login: Mon Dec 10 10:58:15 on ttys001
[slash@sneakyrat-research_box]$ ./hydra -L u -P pwd targetCompany.MY https-head /financials/
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2012-12-10 11:00:15
[DATA] 16 tasks, 1 servers, 217 login tries (l:31/p:7), ~13 tries per task
[DATA] attacking service http-head on port 443
[443][www] host: x.x.x.x login: bdouglas password: javajoe
[443][www] host: x.x.x.x login: intan password: zygote
[443][www] host: x.x.x.x login: audit password: qwerty
[443][www] host: x.x.x.x login: ashraf password: javajoe
[443][www] host: x.x.x.x login: aaron password: qwerty
[443][www] host: x.x.x.x login: testuser password: qwerty
[STATUS] attack finished for targetCompany.MY (waiting for childs to finish)
28. License To Steal
Example #7: Phishing
Offensive Security Awareness
Hack-Fu: Attack / Gaining Access and Privilege Escalation
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
Normally, this can be easily achieved in three (3) simple steps:
Ten (10) Types of Phishing Attack
1. Man-in-the-Middle
2. URL Obfuscation
3. Cross-Site Scripting
4. Hidden
5. Client-side Vulnerabilities
6. Deceptive
7. Malware-Based
8. DNS-Based
9. Content-Injection
10. Search Engine
29. License To Steal
Example #7: Email Phishing
Offensive Security Awareness
Hack-Fu: Attack / Gaining Access and Privilege Escalation
Phishing emails have two tactics to trick users:
a) They look like legitimate updates from Customer Service, informing you that to enhance or provide better security/service, or because of an error in the online banking system, you are ‘encouraged’ to submit personal information about your account details.
b) They threaten you that suspicious activities were made using your account, and may take ‘legal action’ against you if you do not update your account.
Phishing emails share a distinct and common similarity: they direct you to a link. You will end up on a legitimate-looking website, with a similar website address, so you can’t tell whether the website is fake. It will then ask you to key in very, very personal details like name, IC number, phone number, email, account number and PIN number.
30. License To Steal
Example #7: Email Phishing (continued)
31. Defensive Security Awareness
technology is not enough
32. Technology Is Not Enough
Defensive Security Awareness
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology” – Bruce Schneier, Security Technologist, Cryptographer and Author
“The Internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had” – Eric Schmidt, Chairman and CEO, Google.
33. Technology Is Not Enough
Defensive Security Awareness
34. Technology Is Not Enough
Defensive Security Awareness
REMOVED
35. Technology Is Not Enough
Defensive Security Awareness
Major threats: People, Process, Technology
People: Management; Human Resource; Finance; Information Technology; Project Management Office
Process: Governance; Policy; Standard; Procedure; Guideline; Specification
Technology: Physical Security; Access Security; Network Security; Application Security; Data Security
36. Technology Is Not Enough
Defensive Security Awareness
Security Awareness Maturity Model
1. Non-Existent & Compliance Focused
º No security awareness program
º Annual or ad-hoc basis
º No attempt to change behaviour
2. Promoting Awareness and Change
º Impact and change behaviours
º Proper plan beforehand
º Continual reinforcement
3. Long Term Sustainment
º Add a proper process and resources in place for the long term
º Ensure budget is made available
º Ensure support from stakeholders
4. Metrics
º Progress tracking
º Measure impact
º A formal metrics program to monitor behaviour
º Ultimately to reduce more risk
Appoint the right person(s) to lead the charge:
Dedicate at least one person to focus 100 percent of their energy on security awareness across the organization. This person needs to be an individual who communicates well and knows how to sell, market, and build relationships with employees.
37. Technology Is Not Enough
Defensive Security Awareness
º Create content where people come to you.
º Provide security awareness video so people can take training on their own schedule.
º Continue to publish and distribute a security awareness newsletter.
º 70-80% of your awareness program also applies to people’s personal life.
38. Conclusion
live and let’s comply
39. Live and Let‘s Comply
Conclusion