
Page 1: CyberSecurity - UH IEEE Presentation 2015-04

KLC Consulting 1

Kyle Lai

President & CTO

KLC Consulting

April 2015

Page 2

Career Highlights

CISSP, CISA, CSSLP, CIPP/US/G

20 years in IT, 15 years specializing in security

CISO, DISA Operations Manager for Security Portal

ISO 27001/2, Regulatory Compliance, Third-Party Risk, Penetration/Vulnerability Tester, IT Auditor, Network Admin, Developer, DBA, Sys Admin

Consultant for Boeing | HP | PWC | DoD | Fidelity | ExxonMobil | Fannie Mae | RBS | Federal Gov't | Akamai | Brandeis Univ

Author of SMAC MAC Address Changer tool

WebDAV Scanner tool

Administer LinkedIn Groups: CyberSecurity Community

Cloud Computing Security Community

Third Party Security Risk Management

Married, 2 kids, 1 teenage dog!

Graduated from UCONN with BS in Electrical Engineering

Page 3

Page 4

Recent huge cyber attacks:

(1/2015) Premera Blue Cross: 11 million customer records, breached in May 2014 and undiscovered until 1/29/2015

(2/2015) Anthem (including Blue Cross Blue Shield members): 80 million insureds' health records stolen

(11/2014) Sony Pictures

(10/2014) Staples: 1.16 million customer credit cards

(9/2014) Home Depot: 56 million customer credit cards

(8/2014) JPMorgan Chase: 83 million household and business accounts

(6/2014) Community Health Systems: 4.5 million patient records

(4/2014) Michaels Stores: 3 million customer payment cards

(12/2013) Target: 40 million customer credit and debit cards. CEO was fired!

Page 5

Page 6

CyberSecurity Definition:

The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. (http://niccs.us-cert.gov/glossary)

In Straight Talk: your capability and readiness for attacks against your technology / systems / applications:

Prevention / protection / monitoring / detection

React / respond / attack* / counter attack* / handle breach notifications

*Authorization required

Page 7

Source: https://buildsecurityin.us-cert.gov/sites/default/files/BobMartin-CybersecurityEcosystem.pdf

Page 8

* “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com

Cloud / Outsource

Page 9

"92% of the incidents we've seen over the last 10 years, and 94% of the breaches in 2013, can be described with just nine patterns."

Source: Verizon 2014 Data Breach Investigations Report

Page 10

Advanced Persistent Threat (APT)

Distributed Denial of Service (DDoS)

Cross-Platform Malware

Metamorphic and Polymorphic Malware

Phishing

Source: Recorded Future - Cyber Threat Landscape: Basic Overview and Attack Methods

Page 11

OWASP Top 10 (2013)

A1: Injection

A2: Broken Authentication and Session Management

A3: Cross-Site Scripting (XSS)

A4: Insecure Direct Object References

A5: Security Misconfiguration

A6: Sensitive Data Exposure

A7: Missing Function Level Access Control

A8: Cross-Site Request Forgery (CSRF)

A9: Using Components with Known Vulnerabilities

A10: Unvalidated Redirects and Forwards

Page 12

Page 13

Critical Infrastructure

Power grid / Oil pipelines

Financial Services

Banking / Wall Street

Government Services

Fire / Police / Water / Traffic Light

Several nations are capable of launching large-scale attacks against the USA

Page 14

Live Attacks - http://map.ipviking.com (no sensors in China so cannot see attacks made upon China)

Page 15

Source: http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

• Cyber weapon: Stuxnet attacked Iranian nuclear centrifuges in 2010

• It is claimed to be the first effective cyber weapon

• Infects the environment by USB

• Attacks industrial programmable logic controllers (PLCs)

• Only targets Siemens PLC programming software (Step 7 / WinCC) running on Windows

• Reportedly compromised Iranian PLCs

• Collects information about industrial systems

• Causes the high-speed centrifuges to tear themselves apart

• Who made Stuxnet??? No one claimed responsibility…

Page 16

Denial Of Service

AMIDALA: We must continue to rely on negotiation.

BIBBLE: Negotiation? We've lost all communications!

(Also used in the Russia-Georgia war)

Compromise Integrity, Escalation of Privilege...

OBI-WAN: This is where it ought to be... but it isn't. Gravity is pulling all the stars in this area inward to this spot. There should be a star here... but there isn't.

JEDI CHILD: Because someone erased it from the archive memory.

OBI-WAN: But Master Yoda, who could have erased information from the archives? That's impossible, isn't it?

YODA: (frowning) Much harder to answer, that question is.

Page 17

You Possess Fundamental Skills for CyberSecurity

Strong PROBLEM SOLVING SKILLS

Programming Skills

Advanced Computer skills

Understand a mix of technologies

Acquire new skills

Think outside the box when it comes to creative problem solving

Learn penetration testing skills

Think like a BAD hacker, and see how you can protect your employer

Learn Risk Assessment:

• Identify vulnerabilities and potential areas of exposure

• Estimate the cost of damage should an attack come via this vulnerability

• Estimate the cost to fix, the cost to not fix, and the cost of carrying business insurance to cover the risk

• Is the risk acceptable?

Page 18

Learn the basics (network, database, application, web)

Learn programming languages (Python – most useful)

Be passionate! You will learn more if you have the interest

Try out all the hacking practice sites. Lots of free training: YouTube, Google - research!!!

Follow websites, tweets, security news

Follow the new security threats, vulnerabilities

Learn the hacking tools, stay current with existing and newest Jedi tricks

Pay attention to the trend...

Set up a lab and try out Jedi tricks at home!

A few computers

A few Virtual Machines

Page 19

Sample CyberSecurity Opportunities

Vulnerability Management

Secure Software Development

Encryption

Security Operations Center

Patch Management

Malware Analysis

Security Policy / Procedure

Forensics

ERP / SAP / Oracle

Network / Firewall / VPN

Threat Intelligence

Incident Response

Application Security

Penetration Testing

Project Manager

Database Security

Third-Party Security Risk

Regulatory Compliance

SCADA / PLC Security

Certification & Accreditation

Cyber Warfare (DoD, DHS, NSA, CIA)

Cloud Security / VM Security

Audit / Logging / Log coordination

Researcher - focus on security issues

POS Security

IoT Hardware Security

Page 20

Verizon Data Breach Investigation Report - http://www.verizonenterprise.com/DBIR/2014

DHS CyberSecurity Portal - http://www.dhs.gov/topic/cybersecurity

DoD Information Assurance Portal - http://iase.disa.mil

Hacking Practice (Web App Pentest)

Hack This Site - https://www.hackthissite.org

Mutillidae - http://sourceforge.net/projects/mutillidae

Damn Vulnerable Web App - http://www.dvwa.co.uk

Security Knowledge

OWASP - www.owasp.org

DarkReading - www.darkreading.com

SANS Reading Room - https://www.sans.org/reading-room/

FireEye / Mandiant Threat Intelligence Reports - https://www.fireeye.com/current-threats/threat-intelligence-reports.html

YouTube, Twitter

Security Intel

Twitter - follow news and alerts, e.g. @Symantec, @TheHackersNews, @SCMagazine

SANS Internet Storm Center

US-CERT Alerts - Subscribe - https://www.us-cert.gov/ncas/alerts

NIST Vulnerability Database - https://nvd.nist.gov

Tools

Kali Linux - https://www.kali.org (Linux distro - comes with many tools - MUST HAVE)

Metasploit - http://www.metasploit.com

Sysinternals - https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx

Basic Certifications

Security+

CEH

Page 21

Kyle Lai, CISSP, CSSLP, CISA, CIPP/US/G

President & CTO, KLC Consulting, Inc.

@[email protected]

www.KLCConsulting.net