Ethical Hackers Are Your Best Friends
Xavier Mertens - Principal Security Consultant, Telenet for Business
“If the enemy leaves a door open, you must rush in” (Sun Tzu)
# whoami
Xavier Mertens
Not $VENDORS’ best friend
Interested in your $DATA!
Agenda
• Introduction
• We all fail
• Auditing VS. Pentesting
• How?
• Limitations!
• Conclusion
Recent Events (December 2013 - January 2014)
• 200K Algerian routers vulnerable
• Starbucks’ iOS app stores plain text passwords
• Neiman Marcus data breach
• Target stores hacked: 40M CC accounts breached
• Microsoft TIFF 0-day vulnerability (CVE-2013-5065)
Who’s Next?
But I’ve An Antivirus...
But I Also Have A Firewall...
And Many Other Things...
Like Airplane Crashes
The Weakest Link
Security $VENDORS
• Bound to fail against targeted attacks
• Might increase the attack surface (1)
• Prone to broadcast a false sense of security
(1) Turning your AV into a botnet - bit.ly/1aL7GcL
“Our 2.0-NG-software deployed in the cloud will protect you against all APT…”
“Ethic”
“A set of moral principles of right and wrong that are accepted by an individual or a social group”
“Hacking”
“Practice of modifying computer hardware, software or any other electronic device to accomplish a goal outside of the creator’s original purpose. People who engage in computer hacking activities are often called ‘hackers’.”
Hackers are good guys!
Ethical Hackers help you to find security holes in your infrastructure or processes using the same tools and techniques as the bad guys
Agenda: We all fail
People...
The problem has been located between the keyboard and the chair
To err is human
Programs are written by humans, so they have bugs
Misconfigurations
Complexity
Patching
We are lazy!
The Business
Agenda: Auditing VS. Pentesting
Auditing
“Auditing is defined as a systematic and independent examination of data, statements, records and performances (in this case IT) of an enterprise for a stated purpose” (Source: Wikipedia)
Pentesting
“Pentesting is an act performed with a specific goal which determines the success status of the test. It can be any combination of attack methods depending on the goals and rules of engagement set” (Source: Wikipedia)
“It’s A Question of View”
Do you have a Web Application Firewall?
Think As A Bad Guy
Will you trust this guy?
But Look Like A Good Guy
And this one?
Wait, Why Attack Me?
Information is valuable!
• Customer details
• Financial information
• Patents
You’re not the end target. Are you providing services to big customers? (pivot)
Multiple Targets
Anything that runs “code”
• Computers, printers, webcams, phones, routers
Hardware
• Locks, cars, SCADA, scales
Impacts
• Brand reputation
• Financial
  • Loss of revenue
  • EU Data Breach notification law soon?
Agenda: How?
Different Approaches
Step 0 – Engagement
Step 1 – Public Info
“You have just been indexed!” Google is your best friend!
• site:mytarget.com "Microsoft OLE DB Provider for SQL Server"
• site:mytarget.com "You have an error in your SQL syntax"
OSINT
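As an added example (not code from the talk), the two search queries above turned into a self-check a defender can run before the attacker does: it builds the site: "dorks" for a domain and scans a set of page bodies for the same database error strings. Only the two signatures quoted on the slide come from the talk; the other signatures, the mytarget.com URLs and the sample page bodies are constructed for illustration.

```python
"""Self-check for the 'Step 1 - Public Info' technique: database error
strings in indexed pages are what an attacker finds with
site:<domain> "<error string>" queries. Added example, not the talk's code;
everything beyond the two signatures quoted on the slide is assumed."""
from __future__ import annotations

import re

# Search-engine "dork" signatures. The first two are the ones on the slide;
# the others are assumed, commonly seen error strings from other stacks.
SQL_ERROR_SIGNATURES = [
    "Microsoft OLE DB Provider for SQL Server",
    "You have an error in your SQL syntax",
    "ORA-01756",  # Oracle: quoted string not properly terminated
    "PostgreSQL query failed",
    "mysql_fetch_array() expects parameter 1 to be resource",
    "Unclosed quotation mark after the character string",
]

# Literal, case-insensitive matches; re.escape keeps the parentheses in the
# PHP warning from being read as regex syntax.
_PATTERNS = [(sig, re.compile(re.escape(sig), re.IGNORECASE))
             for sig in SQL_ERROR_SIGNATURES]


def build_dorks(domain: str) -> list[str]:
    """Return the search queries an attacker would run against `domain`."""
    return [f'site:{domain} "{sig}"' for sig in SQL_ERROR_SIGNATURES]


def find_error_leaks(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each URL whose body contains at least one signature to the
    signatures found, in SQL_ERROR_SIGNATURES order.

    `pages` is {url: html_body}; feed it a crawl of your own site so you see
    the leak before a search engine shows it to someone else."""
    leaks: dict[str, list[str]] = {}
    for url, body in pages.items():
        hits = [sig for sig, pat in _PATTERNS if pat.search(body)]
        if hits:
            leaks[url] = hits
    return leaks


# Constructed sample crawl: one clean page, one page that leaks an MSSQL
# error after a single quote in the id parameter, one PHP/MySQL warning.
SAMPLE_PAGES = {
    "https://mytarget.com/products?id=1":
        "<html><body><h1>Widgets</h1><p>3 items</p></body></html>",
    "https://mytarget.com/products?id=1'":
        "<html><body>Microsoft OLE DB Provider for SQL Server error '80040e14'"
        "<br>Unclosed quotation mark after the character string ''.</body></html>",
    "https://mytarget.com/search?q=x":
        "<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be "
        "resource, boolean given in /var/www/search.php on line 42",
}

if __name__ == "__main__":
    for query in build_dorks("mytarget.com"):
        print(query)
    for url, hits in find_error_leaks(SAMPLE_PAGES).items():
        print(f"{url}: {', '.join(hits)}")
```

The point of the check is not the matcher but the timing: a hit here means the application is already returning raw database errors to anonymous users, so the fix is a generic error page (and the injection behind it), not a request to the search engine to de-index the result.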
Step 2 – Reconnaissance
• Scan your target
• Onsite visit & plug in a computer
• Grab stuff on eBay
• Look for garbage
Step 3 – Exploit
Computers
• Obsolete or internal software
Humans
• Drop USB keys
• Send emails
• Buy flowers (secretary) or goodies (techies) ;-)
Step 4 – Attack
• Remain stealthy
• Stay in
• Exfiltrate
• Cover your tracks
Step 5 – Reporting
After the fun, some homework!
• Address the management (a screenshot is worth a thousand words)
• Put risk levels on findings (be realistic)
• Use the report to define your security roadmap
Agenda: Limitations!
Bad Guy VS. Good Guy
The bad guy has (and the good guy does not):
• No scope constraint
• No time constraint
• No budget constraint
• No NDA
• Can be destructive
• Engaged resources are directly related to the target value
Agenda: Conclusion
Conclusion
• Security == ability to resist attacks
• Don’t ask “How?” but “When?”
• We live in a digital world run by analog managers
• Classic audit results might give a false sense of security
• Ask some help from ethical hackers!
Conclusion
• Keep in mind the “security triangle”: Features, Ease of Use, Security
Thank You!
Interested? Contact your Account Manager for more information!