Introduction
                                    from cyberspace with love



Half seaman, half geek, sometimes musician, partial comedian, probably not a politician,
virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
                                                                                                      2     of 40
haris.slash@gmail.com
http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint                  23:52:15       18 December 2012
Introduction

• Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected.

• Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.

• Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

• Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.

Reference: ISO/IEC 27002 (Information technology: Code of practice for information security management)
Introduction

Confidentiality: to ensure protection against unauthorized access to or use of confidential information.

Integrity: to ensure the accuracy and completeness of information are maintained.

Availability: to ensure information and vital services are accessible for use when required.
Common Terminology

• Threat: any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive or critical assets or services. A threat can be natural, deliberate or accidental.

• Vulnerability: a quantifiable, threat-independent characteristic or attribute of any asset within a system boundary or environment in which it operates, and which increases the probability of a threat event occurring and causing harm in terms of confidentiality, availability and/or integrity, or increases the severity of the effects of a threat event if it occurs.

Reference: The Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM) Handbook
Security History
                                               hacker never dies
Hacker Never Dies

Dennis Ritchie and Ken Thompson created the UNIX (time-sharing) operating system at AT&T Bell Labs in 1969.

A few years later, between 1971 and 1973, Ritchie created the C programming language, and UNIX was rewritten in it.

Ritchie was found dead on October 12, 2011. Thompson now works at Google as a Distinguished Engineer.

"In 1971 when I joined the staff of the MIT Artificial Intelligence lab, all of us who helped develop the operating system software, we called ourselves hackers." – Interview with Richard Stallman by David Bennahum, 1996

Richard M. Stallman is the GNU project's lead architect and organizer, and the main author of free software licenses such as the GNU General Public License (GPL).
Hacker Never Dies

Joe Engressia (AKA The Whistler / Joybubbles) had the unusual gift of perfect pitch: he could whistle any tone he wanted. With it, the blind mathematics student at the University of South Florida stumbled onto the 2600 Hz tone and figured out how to make free phone calls during the late 60s, just by whistling into the receiver. Phreakers around the world supposedly called Joe to tune their Blue Boxes.

John Draper (AKA Captain Crunch) figured out how to make free phone calls using a plastic toy whistle found in a Cap'n Crunch cereal box together with a Blue Box.

John was active during the 70s and taught Steve Wozniak (co-founder of Apple) how to use a Blue Box that Woz built.

John is the owner of Crunch Creation, a group of engineers working on large web development projects.
Hacker Never Dies

Mark Abene (AKA Phiber Optik) is a notorious self-taught hacker, someone who did not learn his skills at a university or similar.

Abene is now CTO and founder of TraceVector. In 2007, Abene presented "The Rise and Fall of Information Security in the Western World" at the Hack in the Box security conference in Kuala Lumpur, Malaysia.

Robert Morris was the son of the chief scientist at the National Computer Security Center, part of the National Security Agency (NSA). In 1988 he released what is widely regarded as the first computer worm on the Internet; it spread by exploiting a debug feature in Sendmail and a buffer overflow in fingerd (along with rsh/rexec trust relationships between hosts and weak passwords).

Morris currently teaches computer science and artificial intelligence at MIT.
Hacker Never Dies

Kevin Poulsen is famous for taking over all telephone lines going into KIIS-FM, a radio station in Los Angeles. This ensured he was the 102nd caller, which won him a Porsche 944 S2.

Kevin admitted breaking into computer systems to get the names of undercover businesses operated by the FBI. After serving his prison sentence (he was sentenced to 51 months in 1994) he was not allowed to use a computer for another 3 years.

Kevin Poulsen was a journalist and the editorial director of SecurityFocus.com. Today he is a news editor at Wired.com.
Hacker Never Dies

Kevin Mitnick was the most-wanted computer criminal in the United States and the first hacker to end up on the FBI's Most Wanted list.

At age 12, Mitnick used social engineering to bypass the punch card system used in the Los Angeles bus system. Mitnick first gained unauthorized access to a computer network in 1979, when he broke into DEC's computer network and copied their software.

Mitnick used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail.

Today he runs Mitnick Security Consulting, an information security and pen-test firm (mitnicksecurity.com).
Hacker Never Dies

tiger team n. [U.S. military jargon] Originally, a team (of sneakers) whose purpose is to penetrate security, and thus test security measures.

sneaker n. An individual hired to break into places in order to test their security; analogous to tiger team.

Today, penetration testing is the formal title of tiger team activity. Because the US military was the first to use the Advanced Research Projects Agency Network (ARPANET), it was the first to conduct audits of computer security.

When the Internet was becoming useful to corporations, some businesses saw the same need as the military: security has to be tested in order to be confirmed secure. However, many corporations did not see any need for security at all.
Hacker Never Dies

Hack-Fu

Today, hackers and some organizations are actively developing and innovating new techniques for offensive and defensive security, including cyber warfare (CW), information warfare (IW) and electronic warfare (EW).
Offensive Security Awareness
                                                  license to steal
License To Steal: know your enemy

Hackers          Cyber Terrorist
Crackers         Cyber Criminals
Cyber Warrior    Script Kiddies

'hackers' are typically computer security experts, who specialize in penetration testing and other security testing methodologies.

'crackers' referred to a person who intentionally accesses a computer, or network of computers, for malicious reasons. Today these bad-guy crackers are sometimes referred to as black hats, or mostly just hackers.

'cyber warrior' is an individual or group of people recruited and trained by governments to use the Internet for offensive and defensive security.
'cyber terrorist' refers to an individual or group of people who use the Internet to destroy computers or disrupt Internet-connected services for political reasons.

'cyber criminals' typically refers to those who use the Internet to facilitate illegal or fraudulent activities, including scammers and those who distribute software, music and movies in violation of copyright laws.

'script kiddies' usually have very limited computer skills and can be quite immature, trying to carry out large numbers of attacks in order to gain attention and reputation.
License To Steal: Basic Pentest Methodology

1) Planning
   • Define objective
   • Define scope
   • Define deliverable
   • Type of attack

2) Discovery
   • Information gathering
   • Enumeration and vulnerability scanning
   • Source code audits and fuzzing
   • Exploit research

3) Attack
   • Gaining access
   • Privilege escalation
   • System browsing
   • Rootkit installation
   • Monitoring
   • Access management

A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders. Today, there are numerous publicly available methodologies, among them:

An attacker actually spends around 90% of their time in the discovery phase.
Hack-Fu: Discovery

Information Gathering. Types:

Passive information gathering involves acquiring information without directly interacting with the target.

Active information gathering involves interacting with the target directly by any means.
License To Steal: Example #1: Passive Information Gathering
(Offensive Security Awareness / Hack-Fu: Discovery / Information Gathering)

A WHOIS lookup of the target's domain, run from the research box. The registry answers, not the target, and the answer already hands over a contact name and e-mail address, a postal address and the authoritative name servers.

    Last login: Fri Dec 7 23:42:03 on ttys001
    [slash@sneakyrat-research_box]$ whois targetCompany.MY

    Registrant:
        targetCompany (targetCompany-MY)
        # street address
        city, province, state, postcode, country
        Domain Name: targetCompany.MY

    Administrative and Technical Contact:
        Fullname, email@targetCompany.MY
        targetCompany (targetCompany-MY)
        # street address, city, province, state, postcode, country
        Telephone: xxx-xxx-xx-xx Fax: xxx-xxx-xx-xx

    Domain servers:
        extdns1.targetCompany.MY 202.xxx.133.5
        zaaba.targetCompany.MY 161.xxx.201.17




License To Steal: Example #2: Passive Information Gathering
(Offensive Security Awareness / Hack-Fu: Discovery / Information Gathering)

Collecting e-mail addresses from the Google search engine (googmail and googdoc are local helper scripts; the queries go to the search engine, never to the target's own servers):

    Last login: Fri Dec 7 23:45:03 on ttys001
    [slash@sneakyrat-research_box]$ ./googmail -d targetCompany.MY
    Listing email address, patient….

    nazri.@targetCompany.MY          found!
    amin@targetCompany.MY            found!
    marzuki@targetCompany.MY         found!

Collecting sensitive documents from the Google search engine:

    Last login: Fri Dec 7 23:58:15 on ttys001
    [slash@sneakyrat-research_box]$ ./googdoc -d targetCompany.MY
    Listing document, patient….

    memo-lampiran.pdf                found!
    maccs-template.doc               found!
    examanation-draft.pdf            found!
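Examples #1 and #2 collect contacts, name servers and documents from sources other than the target itself. The Python below is an added example, not the deck's googmail/googdoc scripts: it parses a constructed copy of the redacted WHOIS answer from Example #1, builds the search-engine queries that scripts of that kind issue, and extracts one domain's addresses from constructed search-result snippets. The WHOIS text, the snippets and the `xxx` fields are all made up for the demonstration.

```python
import re

# Constructed sample modelled on the redacted WHOIS answer in Example #1,
# embedded so the script runs offline. The xxx fields are not real data.
SAMPLE_WHOIS = """\
Registrant:
    targetCompany (targetCompany-MY)
    # street address
    city, province, state, postcode, country
    Domain Name: targetCompany.MY

Administrative and Technical Contact:
    Fullname, email@targetCompany.MY
    targetCompany (targetCompany-MY)
    Telephone: xxx-xxx-xx-xx Fax: xxx-xxx-xx-xx

Domain servers:
    extdns1.targetCompany.MY 202.xxx.133.5
    zaaba.targetCompany.MY 161.xxx.201.17
"""

# Constructed search-result snippets standing in for what a search engine returns.
SAMPLE_SNIPPETS = [
    "Contact Amin at amin@targetCompany.MY for registration details",
    "marzuki@targetcompany.my circulated memo-lampiran.pdf last week",
    "Unrelated hit: webmaster@example.org",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_whois(text):
    """Extract what an attacker wants from raw WHOIS text: contact addresses
    (phishing targets and the e-mail naming convention) and the authoritative
    name servers (the next hosts to enumerate, e.g. for a zone-transfer attempt)."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    servers = []
    in_ns = False
    for line in text.splitlines():
        if line.strip().lower().startswith("domain servers"):
            in_ns = True
            continue
        if in_ns:
            parts = line.split()
            if len(parts) == 2:          # "<hostname> <address>"
                servers.append((parts[0].lower(), parts[1]))
            elif not parts:              # blank line ends the block
                in_ns = False
    return {"emails": emails, "name_servers": servers}


def build_dorks(domain):
    """Search-engine queries of the kind googmail/googdoc issue. Only the search
    engine's index is queried, never the target, which keeps the step passive."""
    return {
        "emails": f'"@{domain}"',
        "documents": f"site:{domain} filetype:pdf OR filetype:doc OR filetype:xls",
    }


def harvest_emails(domain, snippets):
    """Pull addresses belonging to `domain` out of result snippets."""
    suffix = "@" + domain.lower()
    found = {a.lower() for s in snippets for a in EMAIL_RE.findall(s)}
    return sorted(a for a in found if a.endswith(suffix))


if __name__ == "__main__":
    info = parse_whois(SAMPLE_WHOIS)
    print("contacts:", info["emails"])
    print("name servers:", info["name_servers"])
    print("queries:", build_dorks("targetCompany.MY"))
    print("harvested:", harvest_emails("targetCompany.MY", SAMPLE_SNIPPETS))
```

The harvested addresses give the attacker the naming convention (first name only) that later feeds the user list for Example #6; the name servers are the first hosts an active phase would query.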




License To Steal: Example #3: Active Information Gathering
(Offensive Security Awareness / Hack-Fu: Discovery / Information Gathering)

There is no patch for humans, so no purely technical control protects against social engineering: the attacker talks directly to the target's people and the information comes from them. Historically, social engineering has an outstanding record of success.
   Awareness




                        Information
                        Gathering




License To Steal: Enumeration and Vulnerability Mapping
(Offensive Security Awareness / Hack-Fu: Discovery)

The attacker tries to identify specific weak points to test and how to test them. These activities include:
  º  Identify vulnerable applications or services
  º  Perform a vulnerability scan to search for known vulnerabilities, which can be obtained from vendors' security announcements or from public sources such as SecurityFocus, CVE or CERT advisories
  º  Enumerate the discovered vulnerabilities
  º  Estimate the probable impact (classify the vulnerabilities found)
  º  Identify attack paths and scenarios for exploitation




License To Steal: Example #4: Googenum Samba Enumeration
(Offensive Security Awareness / Hack-Fu: Discovery / Enumeration and Vulnerability Mapping)

Enumeration is the process of collecting and extracting user names, machine names, network resources, shares and services from a target system. Here the target's SMB service is queried with a null session (empty username and password); once the domain SID is known, the RIDs in the configured ranges are resolved to account names (RID cycling).

    Last login: Fri Dec 8 10:58:15 on ttys001
    [slash@sneakyrat-research_box]$ ./googenum.pl -r targetCompany.MY
    Starting Googenum….

    --- Target information ---
    Target:          targetCompany.MY
    RID Range:       500-550, 1000-1050
    Username:        ''
    Password:        ''
    Known Username:  root, admin, guest, azlan, neelofa

    --- Enumerating Workgroup ---
    [+] Got domain/workgroup name: WORKGROUP

    --- Users on targetCompany.MY ---
    [I] Assuming that user "root" and "admin"
    [+] Got SID: S-1-5-21-1801674531-1482476501-725345543
    S-1-5-21-1801674531-1482476501-725345543-500 ARTIS\zizan (local user)
    S-1-5-21-1801674531-1482476501-725345543-500 ARTIS\nurul (local user)




License To Steal: Example #5: Nikto Web Application Scanner
(Offensive Security Awareness / Hack-Fu: Discovery / Enumeration and Vulnerability Scanning)

Vulnerability scanning is the process of identifying security weaknesses. Nikto checks a web server for known dangerous files, misconfigurations and missing hardening headers; each line it reports is a lead to verify by hand, not a confirmed vulnerability.

    Last login: Fri Dec 8 11:38:15 on ttys001
    [slash@sneakyrat-research_box]$ ./nikto.pl -host targetCompany.MY
    - Nikto v2.1.5
    ---------------------------------------------------------------------------
    + Target IP:          202.xxx.xxx.xxx
    + Target Hostname:    targetCompany.MY
    + Target Port:        80
    + Start Time:         2012-12-08 22:38:08 (GMT8)
    ---------------------------------------------------------------------------
    + Server: No banner retrieved
    + The anti-clickjacking X-Frame-Options header is not present.
    + Cookie ZM_TEST created without the httponly flag
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Allowed HTTP Methods: GET, HEAD, POST, TRACE, OPTIONS
    + OSVDB-3092: /administrator: This might be interesting...
    + OSVDB-637: Enumeration of users is possible by requesting ~username
      (responds with 'Forbidden' for users, 'not found' for non-existent users).
    + OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing
      MySQL databases, and should be protected or limited to authorized hosts.
    + OSVDB-3092: /tmp/: This might be interesting...
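Nikto's report is a list of leads. The Python below is an added example, not part of the deck and not Nikto's code: it re-checks three of the findings above (missing X-Frame-Options, cookie flags, TRACE enabled) against a constructed HTTP response, and demonstrates the OSVDB-637 user-enumeration oracle against a stub that answers like Apache mod_userdir. The response text, the account list and `stub_probe` are assumptions made for the demonstration; replacing `stub_probe` with a real HTTP request turns the last part into a live check.

```python
import re

# Constructed response modelled on Nikto's findings for the slide's target:
# no Server banner, no X-Frame-Options, a ZM_TEST cookie without HttpOnly,
# TRACE among the allowed methods. Not a capture from a real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 08 Dec 2012 14:38:08 GMT\r\n"
    "Set-Cookie: ZM_TEST=true; Path=/\r\n"
    "Allow: GET, HEAD, POST, TRACE, OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed account list used by the stubbed server below.
SAMPLE_ACCOUNTS = {"root", "admin", "nazri"}


def parse_headers(raw):
    """Split a raw response into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_response(raw):
    """Re-run three of Nikto's header checks over one response."""
    _, headers = parse_headers(raw)
    names = {n for n, _ in headers}
    csp = " ".join(v for n, v in headers if n == "content-security-policy")
    findings = []
    # Clickjacking: neither X-Frame-Options nor a CSP frame-ancestors directive.
    if "x-frame-options" not in names and "frame-ancestors" not in csp.lower():
        findings.append("anti-clickjacking X-Frame-Options header is not present")
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split(";", 1)[0].split("=", 1)[0]
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:   # readable by script, so XSS can steal it
                findings.append(f"cookie {cookie} created without the httponly flag")
            if "secure" not in attrs:     # also sent over plain HTTP
                findings.append(f"cookie {cookie} created without the secure flag")
        elif name == "allow":
            methods = {m.strip().upper() for m in value.split(",")}
            if "TRACE" in methods:        # cross-site tracing echoes request headers
                findings.append("TRACE method is allowed")
    return findings


def stub_probe(path):
    """Stand-in for an HTTP request: behaves like Apache mod_userdir, which
    answers 403 for /~<existing user> and 404 for an unknown user."""
    user = path[2:] if path.startswith("/~") else ""
    return 403 if user in SAMPLE_ACCOUNTS else 404


def enumerate_users(probe, candidates):
    """OSVDB-637 oracle: any name whose /~name status differs from the status
    returned for a surely non-existent name is a valid account on the host."""
    baseline = probe("/~zz-no-such-user-zz")
    return [u for u in candidates if probe(f"/~{u}") != baseline]


if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE):
        print("+", finding)
    print("valid users:", enumerate_users(stub_probe, ["root", "guest", "nazri", "www"]))
```

The fix for the header findings is the mirror image of the checks: send `X-Frame-Options: DENY` (or a CSP `frame-ancestors` directive), mark session cookies `Secure; HttpOnly`, and disable TRACE; for the enumeration oracle, make the server answer identically whether or not the user exists.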




License To Steal: Gaining Access and Privilege Escalation
(Offensive Security Awareness / Hack-Fu: Attack)

Whatever the situation, a system can always be enumerated further. The activities in this stage let the attacker confirm and document a probable intrusion path and/or how an automated attack would propagate.

If access is obtained, the next step is to escalate it to a higher level, such as administrative privileges.



License To Steal: Password Stealing
(Offensive Security Awareness / Hack-Fu: Attack / Gaining Access and Privilege Escalation)

A stolen password lets the attacker act as a legitimate user: read personal information, gain access to the system and escalate to a higher privilege such as root or administrator.

How passwords are obtained:
  º  Observed while being entered
  º  Password cracking
  º  Password stealing tools

Why it works:
  º  The password is written down somewhere
  º  The password is stored somewhere in clear text
  º  The password is protected with a weak or reversible algorithm (a fast unsalted hash, or encryption the server can undo) rather than a slow, salted password hash

Password stealing techniques: social engineering, phishing, spying, guessing/cracking, shoulder surfing, trojans.




License To Steal: Example #6: Password Cracking
(Offensive Security Awareness / Hack-Fu: Attack / Gaining Access and Privilege Escalation)

                        Hack-Fu:                                     A password is used by the attacker to exploit user credentials. It allows
                                                                     attacker to access personal information, gain access to the system and
                        Attack                                       escalate to higher privilege such as root and administrator.
   Awareness



An online dictionary attack with THC Hydra against the HTTP basic authentication protecting the target's /financials/ area over HTTPS: 31 user names times 7 passwords, 217 guesses, 16 in parallel. Six accounts fall to passwords such as qwerty and javajoe.

    Last login: Mon Dec 10 10:58:15 on ttys001
    [slash@sneakyrat-research_box]$ ./hydra -L u -P pwd targetCompany.MY https-head /financials/
    Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
    Hydra (http://www.thc.org) starting at 2012-12-10 11:00:15
    [DATA] 16 tasks, 1 servers, 217 login tries (l:31/p:7), ~13 tries per task
    [DATA] attacking service http-head on port 443
    [443][www] host: x.x.x.x login: bdouglas password: javajoe
    [443][www] host: x.x.x.x login: intan password: zygote
    [443][www] host: x.x.x.x login: audit password: qwerty
    [443][www] host: x.x.x.x login: ashraf password: javajoe
    [443][www] host: x.x.x.x login: aaron password: qwerty
    [443][www] host: x.x.x.x login: testuser password: qwerty
    [STATUS] attack finished for targetCompany.MY (waiting for childs to finish)
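Every one of Hydra's 217 guesses is an HTTPS request, so the attack is loud in the web server's access log: one source, many user names, a burst of 401 responses against one path, then a 200 for each account that fell. The script below is an added example, not from the deck: it parses constructed Apache-style log lines modelled on that run (addresses and timestamps are made up) and flags the pattern with a sliding time window. The thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common-log prefix: client, ident, authenticated user, time, request
# line and status. The user field is what basic-auth attempts leave behind.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed log lines modelled on the Hydra run: a burst of HEAD /financials/
# attempts from one source answered with 401, then a 200 once audit:qwerty works,
# followed by a legitimate user mistyping a password once from elsewhere.
SAMPLE_LOG = """\
203.0.113.7 - bdouglas [10/Dec/2012:11:00:15 +0800] "HEAD /financials/ HTTP/1.0" 401 -
203.0.113.7 - intan [10/Dec/2012:11:00:15 +0800] "HEAD /financials/ HTTP/1.0" 401 -
203.0.113.7 - audit [10/Dec/2012:11:00:16 +0800] "HEAD /financials/ HTTP/1.0" 401 -
203.0.113.7 - ashraf [10/Dec/2012:11:00:16 +0800] "HEAD /financials/ HTTP/1.0" 401 -
203.0.113.7 - aaron [10/Dec/2012:11:00:17 +0800] "HEAD /financials/ HTTP/1.0" 401 -
203.0.113.7 - testuser [10/Dec/2012:11:00:17 +0800] "HEAD /financials/ HTTP/1.0" 401 -
203.0.113.7 - audit [10/Dec/2012:11:00:18 +0800] "HEAD /financials/ HTTP/1.0" 200 -
198.51.100.4 - intan [10/Dec/2012:11:02:40 +0800] "GET /financials/ HTTP/1.1" 401 -
198.51.100.4 - intan [10/Dec/2012:11:02:55 +0800] "GET /financials/ HTTP/1.1" 200 -
"""


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ip": m["ip"], "user": m["user"], "path": m["path"],
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "status": int(m["status"]),
            })
    return events


def detect_bruteforce(events, window=60, max_failures=5, max_users=3):
    """Flag (source, path) pairs whose 401s inside any `window`-second span reach
    `max_failures` attempts or `max_users` distinct user names (a spray), and list
    the accounts that later authenticated from that source, i.e. probably cracked."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[(e["ip"], e["path"])].append(e)
    alerts = []
    for (ip, path), evs in by_src.items():
        fails = [e for e in evs if e["status"] == 401]
        start, flagged = 0, False
        for end in range(len(fails)):
            # advance the window start until the span fits in `window` seconds
            while fails[end]["ts"] - fails[start]["ts"] > timedelta(seconds=window):
                start += 1
            burst = fails[start:end + 1]
            if len(burst) >= max_failures or len({e["user"] for e in burst}) >= max_users:
                flagged = True
                break
        if flagged:
            alerts.append({
                "ip": ip, "path": path, "failures": len(fails),
                "users_tried": sorted({e["user"] for e in fails}),
                "compromised": sorted({e["user"] for e in evs if e["status"] == 200}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(f"{a['ip']} -> {a['path']}: {a['failures']} failures, "
              f"{len(a['users_tried'])} users tried, cracked: {a['compromised']}")
```

The single mistyped password from 198.51.100.4 stays below both thresholds, which is the point of counting distinct user names as well as raw failures. Hydra can be throttled (fewer tasks, delays) to creep under a short window, so the window and thresholds must be chosen against the site's normal failure rate, and the alert should feed an account lockout or rate limit rather than only a report.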




License To Steal: Example #7: Phishing
(Offensive Security Awareness / Hack-Fu: Attack / Gaining Access and Privilege Escalation)

Phishing is the act of attempting to acquire information such as user names, passwords and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

Normally, this can easily be achieved in three (3) simple steps:

Ten (10) Types of Phishing Attack
  1.  Man-in-the-Middle
  2.  URL Obfuscation
  3.  Cross-Site Scripting
  4.  Hidden
  5.  Client-side Vulnerabilities
  6.  Deceptive
  7.  Malware-Based
  8.  DNS-Based
  9.  Content-Injection
  10. Search Engine




License To Steal: Example #7: Email Phishing
(Offensive Security Awareness / Hack-Fu: Attack / Gaining Access and Privilege Escalation)

Phishing e-mails use two tactics to trick users:

  a)  They look like legitimate notices from Customer Service: to enhance security or service, or because of an error in the online banking system, you are 'encouraged' to submit personal information about your account.

  b)  They threaten you: suspicious activities were made using your account, and 'legal action' may be taken against you if you do not update your account.

Phishing e-mails share one distinct feature: they direct you to a link. You end up on a legitimate-looking website with a similar-looking address, so you cannot tell that the site is fake. It then asks you to key in very personal details: name, IC number, phone number, e-mail, account number and PIN.
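The give-away the slide describes is the link: the visible text or the domain looks like the bank's, the actual destination does not. The Python below is an added example, not from the deck: it pulls the links out of a constructed phishing e-mail (written for this example, with mybank.example standing in for the impersonated bank) and flags the URL-obfuscation tricks behind the "deceptive" and "URL obfuscation" entries in the list of ten: the legitimate domain embedded as a subdomain of another, a lookalike spelling, a raw IP address, user info before an @ sign, and link text naming one domain while the href goes to another. The legitimate-domain list and the two-label registrable-domain rule are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand being impersonated. A real deployment would use the
# organisation's own domain allow list.
LEGIT_DOMAINS = {"mybank.example"}

# Constructed phishing e-mail combining the two tactics on the slide: a threat
# of legal action and a request to "update" account details via a link.
SAMPLE_EMAIL = """\
<p>Dear customer, suspicious activities were made using your account.
Update your details within 24 hours or legal action will be taken.</p>
<p><a href="http://mybank.example.secure-login.net/update">https://mybank.example/secure</a></p>
<p><a href="https://mybank.examp1e/login">Log in to MyBank</a></p>
<p><a href="http://198.51.100.23/bank/">Verify now</a></p>
<p><a href="https://www.mybank.example/contact">Contact us</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain (last two labels). Assumption for the demo;
    production code should consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text):
    """Return the reasons a link looks like URL obfuscation (empty if none)."""
    u = urlparse(href)
    host, reg = u.hostname or "", registrable(u.hostname or "")
    reasons = []
    if u.username is not None:
        reasons.append("user info before @ hides the real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a host name")
    if u.scheme == "http":
        reasons.append("plain http link for a page asking for credentials")
    shown = re.search(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", text)  # domain in link text
    if shown and registrable(shown.group(0)) != reg:
        reasons.append(f"link text shows {shown.group(0)} but target is {host}")
    for legit in LEGIT_DOMAINS:
        if reg == legit:
            continue
        if legit in host:
            reasons.append(f"{legit} embedded as a subdomain of {reg}")
        elif edit_distance(reg, legit) <= 2:
            reasons.append(f"{reg} is a lookalike of {legit}")
    return reasons


def scan_email(html):
    """List (href, reasons) for every link in the message that raises a flag."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Only the "Contact us" link, which really points at www.mybank.example, passes. The same checks belong in a mail gateway or a browser extension, but the slide's point stands: the user who never clicks the link in the first place needs none of them.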




Defensive Security Awareness: Technology Is Not Enough



Defensive Security Awareness: Technology Is Not Enough

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." – Bruce Schneier, security technologist, cryptographer and author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." – Eric Schmidt, Chairman and CEO, Google




Defensive Security Awareness: Technology Is Not Enough

[Diagram: major threats, mapped across the three domains People, Process and Technology]

People: Management, Human Resource, Finance, Information Technology, Project Management, Office
Process: Governance, Policy, Standard, Procedure, Guideline, Specification
Technology: Physical Security, Access Security, Network Security, Application Security, Data Security




35 of 40
Defensive Security Awareness: Technology Is Not Enough

Security Awareness Maturity Model

1. Non-Existent & Compliance Focused
º  No security awareness program
º  Annual or ad-hoc basis
º  No attempt to change behaviour

2. Promoting Awareness and Change
º  Impact and change behaviours
º  Proper plan beforehand
º  Continual reinforcement

3. Long Term Sustainment
º  Add a proper process and put resources in place for the long term
º  Ensure budget is made available
º  Ensure support from stakeholders

4. Metrics
º  Progress tracking
º  Measure impact
º  A formal metrics program to monitor behaviour
º  Ultimately, to reduce more risk

Appoint the right person(s) to lead the charge:
Dedicate at least one person to focus 100 percent of their energy on security awareness across the
organization. This person needs to be an individual who communicates well and knows how to sell,
market, and build relationships with employees.




36 of 40
Defensive Security Awareness: Technology Is Not Enough

Create content where people come to you.

70-80% of your awareness program also applies to people’s personal lives.

Provide security awareness videos so people can take training on their own schedule.

Continue to publish and distribute a security awareness newsletter.




37 of 40
Conclusion
                                           live and let’s comply



38 of 40
Conclusion: Live and Let’s Comply




39 of 40
40 of 40

SLASH-Seminar-security awareness-v1-0-20121212

  • 1. 1 of 40
  • 2. Introduction from cyberspace with love Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. 2 of 40 haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:15 18 December 2012
  • 3. From Cyber Space With Love º  Informatio n is an asset th to an organiza at, like other tion’s busines important bu protected. s and consequ siness assets, is ently needs to essential Introduction be suitably º  Informatio n can exist in stored electro many forms. nically, transm It can be prin shown on film itted by post ted or written s, or spoken in or by using ele on paper, conversation. ctronic mean s, º  Informatio n security is th threats in ord e protection o er to ensure b f information maximize retu usiness contin from a wide r rn on investm uity, minimize ange of ents and busin business risk, ess opportunit and º  Informatio ies. n security is a including poli chieved by im cies, processe plementing a software and s, procedures suitable set of hardware fun , organization controls, ctions. al structures a nd ISO/IEC 2700 Reference: Code of pract 2 Information ice for inform technology ation security management Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. 3 of 40 haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:15 18 December 2012
  • 4. From Cyber Space With Love To ensure protection against unauthorized access to or use of confidential Introduction To ensure the accuracy and information. completeness of information are maintained To ensure information and vital services are assessable for use when required. Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. 4 of 40 haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:15 18 December 2012
  • 5. From Cyber Space With Love Common Ter m inology º  Any pote Introduction ntial event or occur: unauth act that could orized disclos cause one or interruption o ure, destructi more of the fo f sensitive or on, removal, llowing to deliberate or critical assets modification accidental – T or services. A or hreat threat can be natural, º  A quantifi able, threat-in within a syste dependent ch m boundary o aracteristic or increases the r environmen attribute of a probability of t in which it o ny asset terms of confi a threat even perates and w dentiality, ava t occurring an hich of the effects ilability and/o d causing har of a threat ev r integrity, or m in ent if it occur increases the s – Vulnerabil severity ity Reference: The Malaysian Information S Public Sector ecurity Risk A Methodology ssessm (MyRAM) Han ent dbook Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. 5 of 40 haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:16 18 December 2012
  • 6. Security History hacker never dies Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. 6 of 40 haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:16 18 December 2012
  • 7. Hacker Never Dies Dennis Ritchie and Ken Thompson created the UNIX (time- Security History sharing) operating system at AT&T Bell Labs in 1969. A few months after the birth of UNIX, Dennis Ritchie creates the C programming language. Ritchie was found dead on October 12, 2011. Thompson are now working at Google as a Distinguished Engineer. ”In 1971 when I joined the staff of the MIT Artificial Intelligence lab, all of us who helped develop the operating system software we called ourselves hackers.” – Interview with Richard Stallman by David Bennhaum, 1996 Richard M. Stallman, GNU project’s lead architect and organizer, also main author of free software licenses such as GNU General Public License (GPL). Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. 7 of 40 haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:16 18 December 2012
  • 8. Hacker Never Dies Joe Engressia (AKA The Whistler / Joybubbles) has the unusual Security History gift of perfect pitch. He can whistle any tone he wants. With it, the blind mathematics student of University of South Florida stumbles onto the 2600Hz cycle and figures out how to make free phone calls during the late 60s… just by whistling into the receiver. Phreakers around the world supposedly called Joe to tune their Blue Boxes. John Draper (AKA Captain Crunch) figured out how to make free phone calls using a plastic whistle pipe found in a Cap’n Crunch cereal box together with a Blue Box. John was active during the 70s and taught Steve Wozniak (co- founder of Apple) how to use a Blue Box that Woz built. John is the owner of Crunch Creation, a group of geniuses and excellent talent engaged in large web development project. Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. 8 of 40 haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:16 18 December 2012
  • 9. Hacker Never Dies Mark Abene (AKA Phiber Optik) is a notorious self-taught hacker, Security History someone who didn’t learn his skills at a university or similar. Abene are now CTO and founder of TraceVector. In 2007, Abene presented “The Rise and Fall of Information Security in Western World” at Hack in the Box security conference, Kuala Lumpur, Malaysia. Robert Morris was the son of the chief scientist at the National Computer Security Center – part of the National Security Agency (NSA). In 1988 he released the first computer worm on the Internet that exploited a Sendmail vulnerability and a fingerd vulnerability. Morris currently teaches computer science and artificial intelligence at MIT university. Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. 9 of 40 haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:16 18 December 2012
  • 10. Hacker Never Dies Security History Kevin Poulsen is famous for taking over all telephone lines going into KIIS-FM, a radio station in Los Angeles. This ensured him to be the 102nd caller and made him win a Porsche 944 S2. Kevin admitted breaking into computer systems to get names of undercover businesses operated by the FBI. After serving a 3 year prison sentence he wasn’t allowed to use a computer for another 3 years. Kevin Poulsen was a journalist and the editorial director of SecurityFocus.com. Today, he is currently News Editor at Wired.com Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. 10 of 40 haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:16 18 December 2012
  • 11. Hacker Never Dies Security History Kevin Mitnick was the most-wanted computer criminal in the United Stated and the first hacker who ended up on FBI’s Most Wanted list. At age 12, Mitnick used social engineering to bypass the punch card system used in the Los Angeles bus system. Mitnick first gained unauthorized access to a computer network in 1979 and broke into DEC's computer network and copied their software. Mitnick used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail. Today he runs Mitnick Security Consulting, an information security and pen-test firm, mitnicksecurity.com Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. 11 of 40 haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 23:52:16 18 December 2012
• 12. Hacker Never Dies: Security History
tiger team n. [U.S. military jargon] Originally, a team (of sneakers) whose purpose is to penetrate security, and thus test security measures.
sneaker n. An individual hired to break into places in order to test their security; analogous to tiger team.
Today, penetration testing is the formal title for tiger-team activity. Because the US military was the first to use the Advanced Research Projects Agency Network (ARPANET), it was also the first to conduct computer security audits. When the Internet became useful to corporations, some businesses saw the same need as the military: security has to be tested in order to be confirmed secure. Many corporations, however, saw no need for security at all.
• 13. Hacker Never Dies: Security History
Hack-Fu: Today, hackers and some organizations are actively developing and innovating new techniques for offensive and defensive security, including cyber warfare (CW), information warfare (IW) and electronic warfare (EW).
• 14. Offensive Security Awareness: License to Steal
• 15. Offensive Security Awareness, License To Steal: Know Your Enemy
Hackers, Crackers, Cyber Warriors, Cyber Terrorists, Cyber Criminals, Script Kiddies
'hackers' are typically computer security experts who specialize in penetration testing and other security testing methodologies.
'crackers' refers to a person who intentionally accesses a computer, or a network of computers, for malicious purposes. Today these bad-guy crackers are sometimes referred to as black hats, or mostly just as hackers.
'cyber warrior' is an individual or group of people recruited and trained by a government to use the Internet for offensive and defensive security.
• 16. Offensive Security Awareness, License To Steal: Know Your Enemy
Hackers, Crackers, Cyber Warriors, Cyber Terrorists, Cyber Criminals, Script Kiddies
'cyber terrorist' refers to an individual or group of people who use the Internet to destroy computers or disrupt Internet-connected services for political reasons.
'cyber criminals' typically refers to those who use the Internet to facilitate illegal or fraudulent activities, including scammers and those who distribute software, music and movies in violation of copyright law.
'script kiddies' usually have very limited computer skills and can be quite immature, attempting large numbers of attacks in order to gain attention and reputation.
• 17. Offensive Security Awareness, License To Steal: Basic Pentest Methodology
1) Planning: define objective; define scope; define deliverable; type of attack
2) Discovery: information gathering; enumeration and vulnerability scanning; source code audits and fuzzing; exploit research
3) Attack: gaining access; privilege escalation; system browsing; rootkit installation; monitoring; access management
A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders. Today, numerous methodologies are publicly available, among them:
An attacker actually spends 90% of their time in the discovery phase.
• 18. Offensive Security Awareness, License To Steal, Hack-Fu: Discovery, Information Gathering
Types:
Passive information gathering involves acquiring information without directly interacting with the target.
Active information gathering involves interacting with the target directly by any means.
• 19. Offensive Security Awareness, License To Steal, Hack-Fu: Discovery, Information Gathering. Example #1: Passive Information Gathering

    Last login: Fri Dec 7 23:42:03 on ttys001
    [slash@sneakyrat-research_box]$ whois targetCompany.MY
    Registrant:
       targetCompany (targetCompany-MY)
       # street address, city, province, state, postcode, country
    Domain Name: targetCompany.MY
    Administrative and Technical Contact:
       Fullname, email@targetCompany.MY
       targetCompany (targetCompany-MY)
       # street address, city, province, state, postcode, country
       Telephone: xxx-xxx-xx-xx
       Fax: xxx-xxx-xx-xx
    Domain servers:
       extdns1.targetCompany.MY   202.xxx.133.5
       zaaba.targetCompany.MY     161.xxx.201.17
• 20. Offensive Security Awareness, License To Steal, Hack-Fu: Discovery, Information Gathering. Example #2: Passive Information Gathering
Collecting email addresses from the Google search engine:

    Last login: Fri Dec 7 23:45:03 on ttys001
    [slash@sneakyrat-research_box]$ ./googmail -d targetCompany.MY
    Listing email address, patient....
    nazri.@targetCompany.MY found!
    amin@targetCompany.MY found!
    marzuki@targetCompany.MY found!

Collecting sensitive documents from the Google search engine:

    Last login: Fri Dec 7 23:58:15 on ttys001
    [slash@sneakyrat-research_box]$ ./googdoc -d targetCompany.MY
    Listing document, patient....
    memo-lampiran.pdf found!
    maccs-template.doc found!
    examanation-draft.pdf found!
• 21. Offensive Security Awareness, License To Steal, Hack-Fu: Discovery, Information Gathering. Example #3: Active Information Gathering
There is no patch for humans, and therefore there is no protection from social engineering. Historically, social engineering has a magnificent record of success.
• 22. Offensive Security Awareness, License To Steal, Hack-Fu: Discovery, Enumeration and Vulnerability Mapping
The attacker will try to identify specific weak points to test and how to test them. These activities include:
²  Identify vulnerable applications or services
²  Perform a vulnerability scan to search for known vulnerabilities, which can be obtained from the vendors' security announcements or from public databases such as SecurityFocus, CVE or CERT advisories
²  Enumerate discovered vulnerabilities
²  Estimate probable impact (classify the vulnerabilities found)
²  Identify attack paths and scenarios for exploitation
• 23. Offensive Security Awareness, License To Steal, Hack-Fu: Discovery, Enumeration and Vulnerability Mapping. Example #4: Googenum Samba Enumeration
Enumeration is defined as the process of collecting and extracting user names, machine names, network resources, shares and services from a target system.

    Last login: Fri Dec 8 10:58:15 on ttys001
    [slash@sneakyrat-research_box]$ ./googenum.pl -r targetCompany.MY
    Starting Googenum....
    --- Target information ---
    Target:         targetCompany.MY
    RID Range:      500-550, 1000-1050
    Username:       ''
    Password:       ''
    Known Username: root, admin, guest, azlan, neelofa
    --- Enumerating Workgroup ---
    [+] Got domain/workgroup name: WORKGROUP
    --- Users on targetCompany.MY ---
    [I] Assuming that user "root" and "admin"
    [+] Got SID: S-1-5-21-1801674531-1482476501-725345543
    S-1-5-21-1801674531-1482476501-725345543-500 ARTIS\zizan (local user)
    S-1-5-21-1801674531-1482476501-725345543-500 ARTIS\nurul (local user)
• 24. Offensive Security Awareness, License To Steal, Hack-Fu: Discovery, Enumeration and Vulnerability Scanning. Example #5: Nikto Web Application Scanner
Vulnerability scanning is the process of identifying security weaknesses.

    Last login: Fri Dec 8 11:38:15 on ttys001
    [slash@sneakyrat-research_box]$ ./nikto.pl -host targetCompany.MY
    - Nikto v2.1.5
    ---------------------------------------------------------------------------
    + Target IP:          202.xxx.xxx.xxx
    + Target Hostname:    targetCompany.MY
    + Target Port:        80
    + Start Time:         2012-12-08 22:38:08 (GMT8)
    ---------------------------------------------------------------------------
    + Server: No banner retrieved
    + The anti-clickjacking X-Frame-Options header is not present.
    + Cookie ZM_TEST created without the httponly flag
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Allowed HTTP Methods: GET, HEAD, POST, TRACE, OPTIONS
    + OSVDB-3092: /administrator: This might be interesting...
    + OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
    + OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
    + OSVDB-3092: /tmp/: This might be interesting...
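Three of the findings above (missing X-Frame-Options, a cookie without HttpOnly, TRACE among the allowed methods) are visible in a single captured response, so a defender can re-check them after the fix without re-running the scanner. The Python below is an added example, not part of the original deck and not Nikto's code: it parses a raw HTTP response and reports those header-level findings. Both responses are constructed; the weak one is built to match the slide's output, the hardened one shows what the same server should return.

```python
"""Re-check the header findings from a Nikto run against a raw HTTP response.

Added example (not from the deck, not Nikto's code). WEAK_RESPONSE and
HARDENED_RESPONSE are constructed; in practice feed audit_headers() the
bytes returned by `curl -i` or http.client.
"""
from email.parser import BytesHeaderParser
from http.cookies import SimpleCookie

# Constructed response that reproduces the slide's three header findings.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: ZM_TEST=true; Path=/\r\n"
    b"Allow: GET, HEAD, POST, TRACE, OPTIONS\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

# Constructed response with the three gaps closed.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: ZM_TEST=true; Path=/; HttpOnly; Secure\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)


def parse_response(raw: bytes):
    """Split a raw response into (status line, parsed header Message)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    status_line, _sep, header_block = head.partition(b"\r\n")
    headers = BytesHeaderParser().parsebytes(header_block + b"\r\n")
    return status_line.decode("ascii", "replace"), headers


def audit_headers(raw: bytes) -> list[str]:
    """Return the findings for one response; an empty list means every check passed."""
    _status, headers = parse_response(raw)
    findings = []

    # Clickjacking: the framing policy header must be present and restrictive.
    xfo = headers.get("X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options header not present")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo.strip()!r}")

    # Cookie flags: every Set-Cookie line is parsed on its own.
    for raw_cookie in headers.get_all("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(raw_cookie)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(f"Cookie {name} created without the HttpOnly flag")
            if not morsel["secure"]:
                findings.append(f"Cookie {name} created without the Secure flag")

    # Methods: TRACE reflects the request back (cross-site tracing), so it should be off.
    methods = {m.strip().upper() for m in headers.get("Allow", "").split(",") if m.strip()}
    if "TRACE" in methods:
        findings.append("TRACE method allowed")

    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["no findings"])
```

The Secure flag is checked alongside HttpOnly because Nikto's cookie finding only covers the latter; on an HTTPS site both should be set. The /administrator, /phpMyAdmin and ~username findings are path-level and need requests of their own, so they are out of scope for a header audit.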
• 25. Offensive Security Awareness, License To Steal, Hack-Fu: Attack, Gaining Access and Privilege Escalation
In any given situation a system can be enumerated further. Activities in this stage allow the attacker to confirm and document probable intrusion and/or automated attack propagation.
If access is obtained, the next step is to escalate it to a higher level, such as administrative privileges.
• 26. Offensive Security Awareness, License To Steal, Hack-Fu: Attack, Gaining Access and Privilege Escalation. Password Stealing
A password is the credential the attacker exploits. Obtaining one lets the attacker access personal information, gain access to the system and escalate to higher privileges such as root or administrator.
How:
§  Observed during entry
§  Password cracking
§  Password stealing tools
Why:
§  Password is written down somewhere
§  Password is stored somewhere in clear text
§  Password is encrypted with a weak encryption algorithm
Password stealing techniques: Social Engineering, Trojans, Phishing, Shoulder Surfing, Spying, Guessing/Cracking
• 27. Offensive Security Awareness, License To Steal, Hack-Fu: Attack, Gaining Access and Privilege Escalation. Example #6: Password Cracking

    Last login: Mon Dec 10 10:58:15 on ttys001
    [slash@sneakyrat-research_box]$ ./hydra -L u -P pwd targetCompany.MY https-head /financials/
    Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
    Hydra (http://www.thc.org) starting at 2012-12-10 11:00:15
    [DATA] 16 tasks, 1 servers, 217 login tries (l:31/p:7), ~13 tries per task
    [DATA] attacking service http-head on port 443
    [443][www] host: x.x.x.x   login: bdouglas   password: javajoe
    [443][www] host: x.x.x.x   login: intan      password: zygote
    [443][www] host: x.x.x.x   login: audit      password: qwerty
    [443][www] host: x.x.x.x   login: ashraf     password: javajoe
    [443][www] host: x.x.x.x   login: aaron      password: qwerty
    [443][www] host: x.x.x.x   login: testuser   password: qwerty
    [STATUS] attack finished for targetCompany.MY (waiting for childs to finish)
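Hydra above guesses passwords online, one request per try. The Python below is an added example (not from the deck and not hydra) of the offline variant an attacker runs against a stolen password store, and it shows why the "stored in clear text" and "weak encryption algorithm" points on the previous slide matter: with unsalted MD5 one hash per word covers every user at once, while a per-user salt plus PBKDF2 forces one full derivation per user and word. The user names echo the hydra output; the passwords, the wordlist and the round count are constructed (the rounds are lowered so the demo finishes quickly).

```python
"""Offline dictionary attack: unsalted MD5 store versus salted PBKDF2 store.

Added example, not part of the deck. USERS, WORDLIST and PBKDF2_ROUNDS are
constructed; PBKDF2_ROUNDS is far below a production setting so the demo
runs in well under a second.
"""
import hashlib
import hmac
import os

# Constructed wordlist; the hydra hits from the slide are in here.
WORDLIST = ["password", "123456", "qwerty", "javajoe", "zygote", "letmein", "welcome1"]

# Constructed plaintext credentials (names taken from the slide's hydra output).
USERS = {
    "bdouglas": "javajoe",
    "intan": "zygote",
    "audit": "qwerty",
    "ashraf": "javajoe",
    "aaron": "qwerty",
    "testuser": "qwerty",
}

PBKDF2_ROUNDS = 20_000  # demo value; use a much higher count in production


def store_md5(users: dict) -> dict:
    """Legacy store: unsalted MD5 of the password, the 'weak algorithm' case."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def store_pbkdf2(users: dict) -> dict:
    """Hardened store: random 16-byte salt per user, PBKDF2-HMAC-SHA256."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, PBKDF2_ROUNDS))
    return out


def crack_md5(store: dict, wordlist: list) -> tuple:
    """Hash each word once, then look every user up in the table.

    Returns (cracked {user: password}, number of hash computations).
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[h] for u, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_pbkdf2(store: dict, wordlist: list) -> tuple:
    """The salt defeats the shared table: one derivation per (user, word).

    Returns (cracked {user: password}, number of derivations performed).
    """
    cracked, work = {}, 0
    for u, (salt, digest) in store.items():
        for w in wordlist:
            work += 1
            cand = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(cand, digest):
                cracked[u] = w
                break
    return cracked, work


if __name__ == "__main__":
    got, work = crack_md5(store_md5(USERS), WORDLIST)
    print(f"md5:    {len(got)} of {len(USERS)} cracked with {work} hashes")
    got, work = crack_pbkdf2(store_pbkdf2(USERS), WORDLIST)
    print(f"pbkdf2: {len(got)} of {len(USERS)} cracked with {work} derivations x {PBKDF2_ROUNDS} rounds")
```

Both stores fall to this wordlist, which is the point: salting and stretching multiply the attacker's cost (here 7 cheap hashes versus 22 derivations of 20,000 rounds each) but do not rescue a password that is in the dictionary. In the MD5 store, users sharing a password also share a hash, so "audit" and "aaron" are linked before a single guess is made.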
• 28. Offensive Security Awareness, License To Steal, Hack-Fu: Attack, Gaining Access and Privilege Escalation. Example #7: Phishing
Phishing is the act of attempting to acquire information such as usernames, passwords and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Normally this can be achieved in three (3) simple steps:
Ten (10) types of phishing attack:
1.  Man-in-the-Middle
2.  URL Obfuscation
3.  Cross-Site Scripting
4.  Hidden
5.  Client-side Vulnerabilities
6.  Deceptive
7.  Malware-Based
8.  DNS-Based
9.  Content-Injection
10. Search Engine
• 29. Offensive Security Awareness, License To Steal, Hack-Fu: Attack, Gaining Access and Privilege Escalation. Example #7: Email Phishing
Phishing emails use two tactics to trick users:
a)  They look like legitimate updates from Customer Service, informing you that to enhance or provide better security or service, or because of an error in the online banking system, you are 'encouraged' to submit personal information about your account.
b)  They threaten you that suspicious activity was detected on your account and that 'legal action' may be taken against you if you do not update your account.
Phishing emails share one distinct, common trait: they direct you to a link. You end up on a legitimate-looking website with a similar web address, so you cannot tell that the site is fake. It then asks you to key in very, very personal details such as name, IC number, phone number, email, account number and PIN.
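The "similar web address" above is produced by a handful of mechanical tricks (the URL obfuscation type in the list on the previous slide), and the same mechanics can be checked before anyone clicks. The Python below is an added example, not from the deck: it classifies a link against the brand it claims to belong to, flagging a userinfo part before @, a raw IP address, a punycode label, the brand name used as a subdomain of someone else's domain, and near-miss lookalikes. The brand domain and all sample links are constructed.

```python
"""Flag the URL tricks behind a "legitimate-looking" phishing link.

Added example, not from the deck. BRAND and the sample links are
constructed; point classify() at the real domain you are protecting.
"""
import difflib
import ipaddress
from urllib.parse import urlsplit

BRAND = "examplebank.com.my"  # constructed legitimate domain


def host_of(url: str) -> str:
    """Hostname the browser will actually connect to (userinfo is ignored)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url: str, brand: str = BRAND) -> list[str]:
    """Return the reasons a link is suspicious; an empty list means it is on-brand."""
    parts = urlsplit(url)
    host = host_of(url)
    reasons = []

    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        # https://www.brand.example@evil.example/ : text before @ is userinfo, not the host
        reasons.append("userinfo before @ hides the real host")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph)")

    on_brand = host == brand or host.endswith("." + brand)
    if not on_brand:
        if brand in host:
            # brand.example.evil.example : the brand is only a subdomain of another domain
            reasons.append("brand name used as a subdomain of another domain")
        elif difflib.SequenceMatcher(None, host, brand).ratio() > 0.8:
            # examp1ebank-style typo-squats: one or two characters off
            reasons.append("lookalike of the brand domain")
        else:
            reasons.append("host unrelated to the brand")
    return reasons


if __name__ == "__main__":
    SAMPLE_LINKS = [  # constructed
        "https://www.examplebank.com.my/login",
        "https://www.examplebank.com.my@203.0.113.5/login",
        "http://examp1ebank.com.my/secure",
        "https://examplebank.com.my.secure-login.example/",
        "https://xn--exmplebank-1234.com.my/",
    ]
    for link in SAMPLE_LINKS:
        print(link, "->", classify(link) or ["on-brand"])
```

The similarity threshold is a heuristic and will miss some squats and flag some legitimate third-party hosts, so treat a non-empty result as "do not trust this link until checked", not as proof of phishing. The check on the real host (after any @, before the path) is the one that matters most, because that is the part the eye skips over.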
• 30. Offensive Security Awareness, License To Steal, Hack-Fu: Attack, Gaining Access and Privilege Escalation. Example #7: Email Phishing (continued)
• 31. Defensive Security Awareness: Technology Is Not Enough
• 32. Defensive Security Awareness, Technology Is Not Enough
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." – Bruce Schneier, security technologist, cryptographer and author
"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." – Eric Schmidt, Chairman and CEO, Google
• 35. Defensive Security Awareness, Technology Is Not Enough
Major threats: People, Process, Technology
Management: Human Resource, Finance, Information Technology, Project Management Office
Governance: Policy, Standard, Procedure, Guideline, Specification
Technology: Physical Security, Access Security, Network Security, Application Security, Data Security
• 36. Defensive Security Awareness, Technology Is Not Enough: Security Awareness Maturity Model
1. Non-Existent and Compliance Focused
º  No security awareness program
º  Annual or ad-hoc basis
º  No attempt to change behaviour
2. Promoting Awareness and Change
º  Impact and change behaviours
º  Proper plan beforehand
º  Continual reinforcement
3. Long-Term Sustainment
º  Put a proper process and resources in place for the long term
º  Ensure budget is made available
º  Ensure support from stakeholders
4. Metrics
º  Progress tracking
º  Measure impact
º  A formal metrics program to monitor behaviour
º  Ultimately, to reduce more risk
Appoint the right person(s) to lead the charge: dedicate at least one person to focus 100 percent of their energy on security awareness across the organization. This person needs to be an individual who communicates well and knows how to sell, market, and build relationships with employees.
• 37. Defensive Security Awareness, Technology Is Not Enough
Create content where people come to you.
Provide security awareness videos so people can take training on their own schedule.
Continue to publish and distribute a security awareness newsletter.
70-80% of your awareness program also applies to people's personal lives.
• 38. Conclusion: Live and Let's Comply