slash-seminar-security awareness-v1-0-20121212

Upload: slash-underground

Post on 03-Nov-2014

Category: Technology

DESCRIPTION

Presented this on 12.12.12 at a Security Awareness Seminar at a university.

TRANSCRIPT

Page 1: SLASH-Seminar-security awareness-v1-0-20121212


Page 2: SLASH-Seminar-security awareness-v1-0-20121212


Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. [email protected] http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint

18 December 2012 23:52:15

Introduction: From Cyber Space With Love

Page 3: SLASH-Seminar-security awareness-v1-0-20121212

Introduction: From Cyber Space With Love

- Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected.
- Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.
- Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
- Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.

Reference: ISO/IEC 27002, Information technology: Code of practice for information security management

Page 4: SLASH-Seminar-security awareness-v1-0-20121212

Introduction: From Cyber Space With Love

Confidentiality: to ensure protection against unauthorized access to or use of confidential information.

Integrity: to ensure that the accuracy and completeness of information are maintained.

Availability: to ensure that information and vital services are accessible for use when required.

Page 5: SLASH-Seminar-security awareness-v1-0-20121212

Introduction: From Cyber Space With Love

Common Terminology

- Threat: any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive or critical assets or services. A threat can be natural, deliberate or accidental.
- Vulnerability: a quantifiable, threat-independent characteristic or attribute of any asset within a system boundary or environment in which it operates, which increases the probability of a threat event occurring and causing harm in terms of confidentiality, availability and/or integrity, or increases the severity of the effects of a threat event if it occurs.

Reference: The Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM) Handbook

Page 6: SLASH-Seminar-security awareness-v1-0-20121212

Security History: Hacker Never Dies

Page 7: SLASH-Seminar-security awareness-v1-0-20121212

Security History: Hacker Never Dies

Dennis Ritchie and Ken Thompson created the UNIX (time-sharing) operating system at AT&T Bell Labs in 1969. A few years later, in 1972, Dennis Ritchie created the C programming language.

Ritchie was found dead on October 12, 2011. Thompson now works at Google as a Distinguished Engineer.

"In 1971 when I joined the staff of the MIT Artificial Intelligence lab, all of us who helped develop the operating system software, we called ourselves hackers." – Interview with Richard Stallman by David Bennahum, 1996

Richard M. Stallman is the GNU project's lead architect and organizer, and the main author of free software licenses such as the GNU General Public License (GPL).

Page 8: SLASH-Seminar-security awareness-v1-0-20121212

Security History: Hacker Never Dies

Joe Engressia (AKA The Whistler / Joybubbles) had the unusual gift of perfect pitch: he could whistle any tone he wanted. With it, the blind mathematics student at the University of South Florida stumbled onto the 2600 Hz tone and figured out how to make free phone calls during the late 60s, just by whistling into the receiver. Phreakers around the world supposedly called Joe to tune their Blue Boxes.

John Draper (AKA Captain Crunch) figured out how to make free phone calls using a plastic toy whistle found in a Cap'n Crunch cereal box, which produced the same 2600 Hz tone, together with a Blue Box. John was active during the 70s and taught Steve Wozniak (co-founder of Apple) how to use a Blue Box that Woz built. John is the owner of Crunch Creation, a group of engineers and talent engaged in large web development projects.

Page 9: SLASH-Seminar-security awareness-v1-0-20121212

Security History: Hacker Never Dies

Mark Abene (AKA Phiber Optik) is a notorious self-taught hacker, someone who did not learn his skills at a university or similar. Abene is now CTO and founder of TraceVector. In 2007, Abene presented "The Rise and Fall of Information Security in the Western World" at the Hack in the Box security conference in Kuala Lumpur, Malaysia.

Robert Morris was the son of the chief scientist at the National Computer Security Center, part of the National Security Agency (NSA). In 1988 he released the first computer worm on the Internet; it spread by exploiting a Sendmail vulnerability (its debug command), a buffer overflow in fingerd, and password guessing against trusted hosts.

Morris currently teaches computer science and artificial intelligence at MIT.

Page 10: SLASH-Seminar-security awareness-v1-0-20121212

Security History: Hacker Never Dies

Kevin Poulsen is famous for taking over all telephone lines going into KIIS-FM, a radio station in Los Angeles, ensuring that he was the 102nd caller and winning a Porsche 944 S2. Kevin admitted breaking into computer systems to get the names of undercover businesses operated by the FBI. After serving about five years in prison he was not allowed to use a computer for another three years. Kevin Poulsen was a journalist and the editorial director of SecurityFocus.com. Today he is News Editor at Wired.com.

Page 11: SLASH-Seminar-security awareness-v1-0-20121212

Security History: Hacker Never Dies

Kevin Mitnick was, at the time of his arrest in 1995, the most wanted computer criminal in the United States. At age 12, Mitnick used social engineering to bypass the punch card system used in the Los Angeles bus system. Mitnick first gained unauthorized access to a computer network in 1979, when he broke into DEC's network and copied its software. Mitnick used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail.

Today he runs Mitnick Security Consulting, an information security and pen-test firm, mitnicksecurity.com

Page 12: SLASH-Seminar-security awareness-v1-0-20121212

Security History: Hacker Never Dies

tiger team n. [U.S. military jargon] Originally, a team (of sneakers) whose purpose is to penetrate security, and thus test security measures. sneaker n. An individual hired to break into places in order to test their security; analogous to tiger team. (Both definitions are from the Jargon File.) Today, penetration testing is the formal name for tiger team activity. Because the US military was the first to use the Advanced Research Projects Agency Network (ARPANET), it was the first to conduct audits of computer security.

When the Internet was becoming useful to corporations, some businesses saw the same need as the military: security has to be tested in order to be confirmed secure. However, many corporations did not see any need for security at all.

Page 13: SLASH-Seminar-security awareness-v1-0-20121212

Security History: Hacker Never Dies

Today, hackers and some organizations are actively developing and innovating new techniques in offensive and defensive security, including cyber warfare (CW), information warfare (IW) and electronic warfare (EW).

Hack-Fu

Page 14: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Page 15: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Know your enemy: Hackers, Crackers, Cyber Warriors, Cyber Terrorists, Cyber Criminals, Script Kiddies

'hackers', in the security-industry sense used here, are computer security experts who specialize in penetration testing and other security testing methodologies (the older sense, as in the Stallman quote above, is simply a skilled programmer).
'crackers' referred to a person who intentionally accesses a computer, or network of computers, for malicious reasons. Today these bad-guy crackers are usually referred to as black hats, or mostly just hackers.
'cyber warrior' is an individual or group of people recruited and trained by governments to use the Internet for offensive and defensive operations.

Page 16: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

'cyber terrorist' refers to an individual or group of people who use the Internet to destroy computers or disrupt Internet-connected services for political reasons.
'cyber criminals' are typically those who use the Internet to facilitate illegal or fraudulent activities, including scammers and those who illegally distribute software, music and movies in violation of copyright laws.
'script kiddies' usually have very limited computer skills and can be quite immature; they run other people's tools against large numbers of targets in order to obtain attention and reputation.

Page 17: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Basic Pentest Methodology

1) Planning
- Define objective
- Define scope
- Define deliverable
- Type of attack

2) Discovery
- Information gathering
- Enumeration and vulnerability scanning
- Source code audits and fuzzing
- Exploit research

3) Attack
- Gaining access
- Privilege escalation
- System browsing
- Rootkit installation
- Monitoring
- Access management

A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders. Today, numerous methodologies are publicly available, among them:

An attacker actually spends about 90% of their time in the discovery phase.

Page 18: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Information Gathering

Hack-Fu: Discovery

Types: Passive information gathering involves acquiring information without directly interacting with the target (WHOIS records, search engines, published documents). Active information gathering involves interacting with the target directly by any means (the enumeration and scanning shown in the later examples, or social engineering).

Page 19: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Information Gathering

Hack-Fu: Discovery

Example #1: Passive information gathering

Last login: Fri Dec 7 23:42:03 on ttys001
[slash@sneakyrat-research_box]$ whois targetCompany.MY
Registrant:
    targetCompany (targetCompany-MY)
    # street address, city, province, state, postcode, country
Domain Name: targetCompany.MY
Administrative and Technical Contact:
    Fullname, [email protected]
    targetCompany (targetCompany-MY)
    # street address, city, province, state, postcode, country
    Telephone: xxx-xxx-xx-xx
    Fax: xxx-xxx-xx-xx
Domain servers:
    extdns1.targetCompany.MY   202.xxx.133.5
    zaaba.targetCompany.MY     161.xxx.201.17

Page 20: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Information Gathering

Hack-Fu: Discovery

Example #2: Passive information gathering

Collecting email addresses from the Google search engine:

Last login: Fri Dec 7 23:45:03 on ttys001
[slash@sneakyrat-research_box]$ ./googmail -d targetCompany.MY
Listing email address, patient….
[email protected] found!
[email protected] found!
[email protected] found!

Collecting sensitive documents from the Google search engine:

Last login: Fri Dec 7 23:58:15 on ttys001
[slash@sneakyrat-research_box]$ ./googdoc -d targetCompany.MY
Listing document, patient….
memo-lampiran.pdf found!
maccs-template.doc found!
examanation-draft.pdf found!
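The googmail and googdoc scripts in the two runs above are the author's own tools and are not on the page. The Python below is an added example, not code from the slides, showing the same passive work offline: it parses a WHOIS reply like the one in Example #1 for contact addresses and name servers, builds the search-engine queries ("dorks") that address and document harvesting rely on, filters a page of results down to addresses and office documents on the target domain, and infers the address naming convention, which is what turns a list of employee names into a username list for a later password-guessing step. The WHOIS text, the result page, the personal names and the 192.0.2.x/198.51.100.x addresses are all constructed for the example; nothing here is the target's real data.

```python
import re
from collections import Counter

# Constructed sample data (documentation IP ranges, invented names); it is
# not the target's real WHOIS record or real search results.
SAMPLE_WHOIS = """\
Domain Name: targetCompany.MY
Registrant:
    targetCompany (targetCompany-MY)
Administrative and Technical Contact:
    Fullname, hostmaster@targetCompany.MY
    Telephone: xxx-xxx-xx-xx
Domain servers:
    extdns1.targetCompany.MY 192.0.2.5
    zaaba.targetCompany.MY   198.51.100.17
"""

SAMPLE_RESULTS = """\
<a href="https://www.targetcompany.my/hr/memo-lampiran.pdf">memo-lampiran.pdf</a>
<p>Contact: azlan.hassan@targetCompany.MY, Nurul.Ain@targetcompany.my</p>
<a href="https://mail.targetcompany.my/">webmail</a>
<a href="https://www.targetcompany.my/exam/examanation-draft.pdf?dl=1">draft</a>
<p>helpdesk@othercompany.example</p>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
DOC_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx")


def parse_whois(text):
    """Pull the fields an attacker cares about out of a WHOIS reply:
    the registered domain, every contact address, and the name servers."""
    record = {"domain": None, "emails": set(), "nameservers": []}
    in_ns = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        low = line.lower()
        if low.startswith("domain name:"):
            record["domain"] = line.split(":", 1)[1].strip().lower()
        record["emails"].update(m.lower() for m in EMAIL_RE.findall(line))
        if low.startswith("domain servers"):
            in_ns = True            # the following lines are "<host> <ip>" pairs
            continue
        if in_ns:
            parts = line.split()
            if len(parts) >= 2:
                record["nameservers"].append((parts[0].lower(), parts[1]))
            else:
                in_ns = False
    return record


def build_dorks(domain):
    """The search-engine queries behind googmail/googdoc style harvesting."""
    dorks = [f'"@{domain}"']                                         # addresses
    dorks += [f"site:{domain} filetype:{ext}" for ext in DOC_EXTS]   # documents
    return dorks


def harvest(html, domain):
    """From a page of search results keep only addresses on the target
    domain and links to office documents hosted under it."""
    domain = domain.lower()
    emails = {m.lower() for m in EMAIL_RE.findall(html)}
    emails = {e for e in emails if e.endswith("@" + domain)}
    docs = set()
    for url in re.findall(r'href="([^"]+)"', html):
        low = url.lower()
        ext = low.rsplit(".", 1)[-1].split("?")[0]   # extension, query string dropped
        if domain in low and ext in DOC_EXTS:
            docs.add(url)
    return sorted(emails), sorted(docs)


def naming_convention(emails):
    """Guess the local-part convention (first.last, first_last, single token)
    so that employee names gathered elsewhere can be turned into login guesses."""
    shapes = Counter()
    for addr in emails:
        local = addr.split("@")[0]
        shapes["first.last" if "." in local else "first_last" if "_" in local else "single"] += 1
    return shapes.most_common(1)[0][0] if shapes else None


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("domain:", rec["domain"], "contacts:", sorted(rec["emails"]), "ns:", rec["nameservers"])
    print("dorks:", build_dorks(rec["domain"]))
    found, docs = harvest(SAMPLE_RESULTS, rec["domain"])
    print("emails:", found, "docs:", docs, "convention:", naming_convention(found))
```

None of this touches the target: WHOIS and search-engine traffic go to third parties, which is exactly why the slide classes it as passive and why the only defence is to publish less (role addresses in WHOIS, documents behind authentication, no directory listings indexed).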

Page 21: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Information Gathering

Hack-Fu: Discovery

Example #3: Active information gathering (social engineering). There is no patch for humans, and therefore there is no purely technical protection from social engineering. Historically, social engineering has a magnificent record of success.

Page 22: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Enumeration and Vulnerability Mapping

Hack-Fu: Discovery

The attacker will try to identify specific weak points to test and how to test them. These activities include:

- Identify vulnerable applications or services
- Perform a vulnerability scan to search for known vulnerabilities, which can be obtained from the vendors' security announcements or from public databases such as SecurityFocus, CVE or CERT advisories
- Enumerate discovered vulnerabilities
- Estimate probable impact (classify vulnerabilities found)
- Identify attack paths and scenarios for exploitation

Page 23: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Enumeration and Vulnerability Mapping

Hack-Fu: Discovery

Example #4: Googenum Samba Enumeration

Enumeration is the process of collecting and extracting user names, machine names, network resources, shares and services from a target system. The run below uses the author's googenum.pl script against an SMB server over a null session (empty username and password): the domain SID is obtained first, then every RID in the configured ranges is looked up one by one (RID cycling) to recover the accounts behind them.

Last login: Fri Dec 8 10:58:15 on ttys001
[slash@sneakyrat-research_box]$ ./googenum.pl -r targetCompany.MY
Starting Googenum….
--- Target information ---
Target: targetCompany.MY
RID Range: 500-550, 1000-1050
Username: ''
Password: ''
Known Username: root, admin, guest, azlan, neelofa
--- Enumerating Workgroup ---
[+] Got domain/workgroup name: WORKGROUP
--- Users on targetCompany.MY ---
[I] Assuming that user "root" and "admin"
[+] Got SID: S-1-5-21-1801674531-1482476501-725345543
S-1-5-21-1801674531-1482476501-725345543-500 ARTIS\zizan (local user)
S-1-5-21-1801674531-1482476501-725345543-500 ARTIS\nurul (local user)
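The run above shows the result of RID cycling but not the mechanics. The Python below is an added example, not the author's googenum.pl and not Samba's code: it implements the cycling loop over the slide's RID ranges against a pluggable lookup function, and parses the "SID DOMAIN\name (type)" lines in the format the run prints. The lookup is fed a constructed SID table standing in for the target's LSA; on a live host it would wrap an rpcclient lookupsids call (assumed, not shown). The domain SID is the one on the slide; the accounts behind it are invented for the example. The practitioner's point is the well-known RID table: RID 500 is the built-in administrator whatever it has been renamed to, so enumerating it gives the attacker the account to aim at, and an anonymous session should not be allowed to resolve SIDs at all.

```python
import re

# RIDs that mean the same thing on every Windows/Samba domain, whatever the
# account has been renamed to.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
LOOKUP_LINE_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+-\d+)\s+(\S+)\s+\((.+)\)$")


def split_sid(sid):
    """'S-1-5-21-a-b-c-500' -> ('S-1-5-21-a-b-c', 500)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def parse_ranges(spec):
    """'500-550, 1000-1050' -> [(500, 550), (1000, 1050)]."""
    out = []
    for part in spec.split(","):
        lo, hi = part.strip().split("-")
        out.append((int(lo), int(hi)))
    return out


def parse_lookup_line(line):
    """Parse one 'SID DOMAIN\\name (type)' line as printed in the run above."""
    m = LOOKUP_LINE_RE.match(line.strip())
    if not m:
        return None
    sid, name, typ = m.groups()
    _, rid = split_sid(sid)
    return {"sid": sid, "rid": rid, "name": name, "type": typ,
            "well_known": WELL_KNOWN_RIDS.get(rid)}


def rid_cycle(domain_sid, ranges, lookup):
    """RID cycling: append each candidate RID to the domain SID and ask the
    target to resolve it. `lookup(sid)` returns (name, type) or None; on a
    live target it would wrap rpcclient's lookupsids over a null session
    (assumed interface; this example feeds it a constructed table instead)."""
    found = []
    for lo, hi in ranges:
        for rid in range(lo, hi + 1):
            sid = f"{domain_sid}-{rid}"
            res = lookup(sid)
            if res:
                name, typ = res
                found.append({"sid": sid, "rid": rid, "name": name, "type": typ,
                              "well_known": WELL_KNOWN_RIDS.get(rid)})
    return found


DOMAIN_SID = "S-1-5-21-1801674531-1482476501-725345543"   # the SID shown on the slide

# Constructed stand-in for the target's LSA: the only SIDs it will resolve.
FAKE_LSA = {
    f"{DOMAIN_SID}-500": ("ARTIS\\Administrator", "local user"),
    f"{DOMAIN_SID}-501": ("ARTIS\\Guest", "local user"),
    f"{DOMAIN_SID}-513": ("ARTIS\\None", "local group"),
    f"{DOMAIN_SID}-1001": ("ARTIS\\zizan", "local user"),
    f"{DOMAIN_SID}-1002": ("ARTIS\\nurul", "local user"),
}


if __name__ == "__main__":
    for hit in rid_cycle(DOMAIN_SID, parse_ranges("500-550, 1000-1050"), FAKE_LSA.get):
        tag = f"  <- built-in {hit['well_known']}" if hit["well_known"] else ""
        print(hit["rid"], hit["name"], f"({hit['type']})" + tag)
```

Two things to check on a Samba host after seeing output like this: that `restrict anonymous` is set so a null session cannot call the LSA at all, and that the RID 500 account has a strong, unique password, since it is the one every RID-cycling tool reports first.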

Page 24: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Enumeration and Vulnerability Scanning

Hack-Fu: Discovery

Example #5: Nikto Web Application Scanner

Vulnerability scanning is the process of identifying security weaknesses.

Last login: Fri Dec 8 11:38:15 on ttys001
[slash@sneakyrat-research_box]$ ./nikto.pl -host targetCompany.MY
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          202.xxx.xxx.xxx
+ Target Hostname:    targetCompany.MY
+ Target Port:        80
+ Start Time:         2012-12-08 22:38:08 (GMT8)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie ZM_TEST created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, TRACE, OPTIONS
+ OSVDB-3092: /administrator: This might be interesting...
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /tmp/: This might be interesting...
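Three of the findings above (missing X-Frame-Options, a cookie without HttpOnly, TRACE allowed) come purely from the response headers, and they are the kind of thing you can re-check yourself after a fix without re-running the whole scanner. The Python below is an added example, not Nikto's code: it parses a raw HTTP response and reports those header weaknesses, plus the missing Secure flag and a version-revealing Server header, over two constructed responses, one reproducing the weak state and one showing the hardened reply.

```python
import re

# Constructed responses: the first reproduces the header weaknesses Nikto
# reported above, the second is how the same server should answer afterwards.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Allow: GET, HEAD, POST, TRACE, OPTIONS\r\n"
    "Set-Cookie: ZM_TEST=true; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: ZM_TEST=true; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...]);
    names are lower-cased and repeated headers such as Set-Cookie are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(raw):
    """Return the list of findings a scanner would raise on this response."""
    _, headers = parse_headers(raw)
    names = {n for n, _ in headers}
    findings = []
    csp_frames = any(n == "content-security-policy" and "frame-ancestors" in v.lower()
                     for n, v in headers)
    if "x-frame-options" not in names and not csp_frames:
        findings.append("anti-clickjacking X-Frame-Options (or CSP frame-ancestors) header is not present")
    for name, value in headers:
        if name == "server" and re.search(r"\d", value):
            findings.append(f"Server header leaks software version: {value}")
        elif name == "allow":
            methods = {m.strip().upper() for m in value.split(",")}
            if "TRACE" in methods:
                findings.append("TRACE method allowed (cross-site tracing)")
        elif name == "set-cookie":
            cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} created without the HttpOnly flag")
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} created without the Secure flag")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```

On Apache the hardened reply corresponds to `TraceEnable Off`, `ServerTokens Prod`, and `Header always set X-Frame-Options DENY` from mod_headers; the cookie flags have to be set by the application (or rewritten with `Header edit Set-Cookie`). The /phpMyAdmin and /administrator findings are not header problems: those paths need to be removed or restricted to authorized hosts, as the scanner says.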

Page 25: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Gaining Access and Privilege Escalation

Hack-Fu: Attack

In any given situation a system can be enumerated further. Activities in this stage allow the attacker to confirm and document probable intrusion paths and/or automated attack propagation.

If access is obtained, the next step is to escalate it to a higher level, such as administrative privileges.

Page 26: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Gaining Access and Privilege Escalation

Hack-Fu: Attack

Password Stealing

A password is the attacker's way of exploiting user credentials: it allows the attacker to access personal information, gain access to the system and escalate to higher privileges such as root or administrator.

How
- Observed during entry
- Password cracking
- Password stealing tools

Why
- Password is written down somewhere
- Password is stored somewhere in clear text
- Password is encrypted with a weak encryption algorithm (or hashed with a weak, unsalted hash)

Password stealing techniques: Social Engineering, Phishing, Spying, Guessing/Cracking, Shoulder Surfing, Trojans

Page 27: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Gaining Access and Privilege Escalation

Hack-Fu: Attack

Example #6: Password guessing (online brute force with THC Hydra)

The run below is not offline cracking of password hashes but online guessing: Hydra sends HTTP HEAD requests with Basic authentication to the protected /financials/ directory, trying every username in the file u against every password in pwd (31 x 7 = 217 attempts), and reports the combinations the server accepts.

Last login: Mon Dec 10 10:58:15 on ttys001
[slash@sneakyrat-research_box]$ ./hydra -L u -P pwd targetCompany.MY https-head /financials/
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2012-12-10 11:00:15
[DATA] 16 tasks, 1 servers, 217 login tries (l:31/p:7), ~13 tries per task
[DATA] attacking service http-head on port 443
[443][www] host: x.x.x.x login: bdouglas password: javajoe
[443][www] host: x.x.x.x login: intan password: zygote
[443][www] host: x.x.x.x login: audit password: qwerty
[443][www] host: x.x.x.x login: ashraf password: javajoe
[443][www] host: x.x.x.x login: aaron password: qwerty
[443][www] host: x.x.x.x login: testuser password: qwerty
[STATUS] attack finished for targetCompany.MY (waiting for childs to finish)

Six of 31 accounts fell to a seven-word list: weak, shared passwords (qwerty, javajoe) and a login that tolerates hundreds of attempts in a few seconds.
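The defender's side of the Hydra run above is the web server's access log: 217 requests, each answered 401, from one address within seconds, and, because Apache records the username the client offered in Basic auth even when it was wrong, a different username on almost every line. The Python below is an added example, not part of the slides, of a sliding-window detector over Apache combined-log lines; the log is constructed to mirror the run (the usernames are the ones from the Hydra output, the addresses are documentation ranges, the Hydra user-agent string is assumed).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-log line; the third field (%u) holds the username the
# client offered in Basic auth, which Apache records even when it was wrong.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed log: twelve Basic-auth failures in four seconds from one address
# (usernames taken from the Hydra run), then ordinary traffic.
_TRIED = ["bdouglas", "intan", "audit", "ashraf", "aaron", "testuser",
          "root", "admin", "guest", "azlan", "neelofa", "nurul"]
SAMPLE_LOG = [
    f'203.0.113.7 - {u} [10/Dec/2012:11:00:{15 + i // 4:02d} +0800] '
    f'"HEAD /financials/ HTTP/1.0" 401 - "-" "Mozilla/4.0 (Hydra)"'
    for i, u in enumerate(_TRIED)
] + [
    '198.51.100.20 - intan [10/Dec/2012:11:02:03 +0800] "GET /financials/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Dec/2012:11:02:40 +0800] "GET /financials/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=10, window=60):
    """Alert on any source address that produces `threshold` or more 401
    responses within any `window`-second span. Returns {ip: details}."""
    recent = defaultdict(deque)       # ip -> timestamps of 401s inside the window
    total = defaultdict(int)
    usernames = defaultdict(set)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        ip, ts = rec["ip"], rec["ts"]
        total[ip] += 1
        if rec["user"] != "-":
            usernames[ip].add(rec["user"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop entries outside the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(ip, {"first_seen": q[0], "usernames": usernames[ip]})
            alert["last_seen"] = ts
            alert["failures"] = total[ip]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {a['failures']} failed logins, {len(a['usernames'])} usernames tried "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

The distinct-username count is the useful discriminator: a user who mistypes a password produces many 401s for one name, while a Hydra run produces many names per address. Tools such as fail2ban implement the same window logic on the live log; the detector here is for understanding what the rule should look at.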

Page 28: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Gaining Access and Privilege Escalation

Hack-Fu: Attack

Example #7: Phishing

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Normally this can be achieved in three (3) simple steps:

Ten (10) Types of Phishing Attack
1.  Man-in-the-Middle
2.  URL Obfuscation
3.  Cross-Site Scripting
4.  Hidden
5.  Client-side Vulnerabilities
6.  Deceptive
7.  Malware-Based
8.  DNS-Based
9.  Content-Injection
10. Search Engine

Page 29: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Gaining Access and Privilege Escalation

Hack-Fu: Attack

Example #7: Email Phishing

Phishing emails use two tactics to trick users:

a)  They look like legitimate updates from Customer Service, informing you that, to enhance security or service, or because of an error in the online banking system, you are 'encouraged' to submit personal information about your account details.

b)  They threaten you: suspicious activities were made using your account, and 'legal action' may be taken against you if you do not update your account.

Phishing emails share one distinct, common feature: they direct you to a link. You end up on a legitimate-looking website with a similar-looking address, so you cannot easily tell that the site is fake. It then asks you to key in very, very personal details such as name, IC number, phone number, email, account number and PIN.

Page 30: SLASH-Seminar-security awareness-v1-0-20121212

Offensive Security Awareness: License To Steal

Gaining Access and Privilege Escalation

Hack-Fu: Attack

Example #7: Email Phishing (continued)
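The "similar website address" the slide warns about is the URL Obfuscation entry of the ten-type list: a host that contains the bank's name as a subdomain of somewhere else, a username-before-@ trick, a raw IP address, a punycode host, or link text that shows one address while the href goes to another. The Python below is an added example, not from the slides, that pulls every link out of a message body and reports those tricks; the message, the placeholder domain bank.example and the 203.0.113.9 address are constructed for the example, and the KNOWN_GOOD set stands in for whatever domains the organisation actually owns.

```python
import re
from urllib.parse import urlsplit

# Domains the organisation actually owns; anything that merely resembles
# them is suspect. "bank.example" is a placeholder, not a real bank.
KNOWN_GOOD = {"bank.example"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed phishing mail exercising the URL obfuscation tricks; only the
# last link is genuine.
SAMPLE_EMAIL = """\
<p>Dear customer, suspicious activities were made using your account.
Update your details within 24 hours or legal action will be taken.</p>
<a href="http://bank.example.verify-login.net/update">https://www.bank.example/secure</a><br>
<a href="http://www.bank.example@203.0.113.9/login">Verify now</a><br>
<a href="http://xn--bnk-5qa.example/">Secure login</a><br>
<a href="http://bank-example.com/account">Online banking</a><br>
<a href="https://www.bank.example/help">Help centre</a>
"""


def is_owned(host):
    """True only for the known-good domains themselves or their subdomains."""
    return any(host == g or host.endswith("." + g) for g in KNOWN_GOOD)


def analyse_link(href, text):
    """Findings for one <a href=...>text</a> pair (empty list means clean)."""
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    findings = []
    if u.username is not None:
        findings.append(f"userinfo trick: '{u.username}' before @ hides the real host {host}")
    if IPV4_RE.fullmatch(host):
        findings.append("raw IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host, possible homograph")
    if u.scheme == "http":
        findings.append("plain http link")
    if not is_owned(host):
        for good in KNOWN_GOOD:
            # bank.example.evil.net, bank-example.com and the like
            if good in host or good.replace(".", "-") in host:
                findings.append(f"look-alike of {good}: {host}")
    shown = re.search(r'https?://[^\s<"]+', text)
    if shown:
        shown_host = (urlsplit(shown.group()).hostname or "").lower()
        if shown_host != host:
            findings.append(f"link text shows {shown_host} but href goes to {host}")
    return findings


def analyse_email(html):
    """Return [(href, findings), ...] for every link in the message body."""
    return [(href, analyse_link(href, text)) for href, text in LINK_RE.findall(html)]


if __name__ == "__main__":
    for href, findings in analyse_email(SAMPLE_EMAIL):
        print(href)
        for f in findings:
            print("   !", f)
```

The same checks are what a user is being asked to do by eye when told to "look at the address": read the host from right to left, ignore everything before an @, and distrust any bank link that is not https on the bank's own domain. A mail gateway can apply them to every inbound message; the user only has to apply them when the gateway misses one.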

Page 31: SLASH-Seminar-security awareness-v1-0-20121212

Defensive Security Awareness: Technology Is Not Enough

Page 32: SLASH-Seminar-security awareness-v1-0-20121212

Defensive Security Awareness: Technology Is Not Enough

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology" – Bruce Schneier, security technologist, cryptographer and author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had" – Eric Schmidt, Executive Chairman, Google

Page 33: SLASH-Seminar-security awareness-v1-0-20121212

Defensive Security Awareness: Technology Is Not Enough

Page 34: SLASH-Seminar-security awareness-v1-0-20121212

Defensive Security Awareness: Technology Is Not Enough

REMOVED

Page 35: SLASH-Seminar-security awareness-v1-0-20121212

Defensive Security Awareness: Technology Is Not Enough

People: Management; Human Resource; Finance; Information Technology; Project Management Office

Process: Governance; Policy; Standard; Procedure; Guideline; Specification

Technology: Physical Security; Access Security; Network Security; Application Security; Data Security

Major threats

Page 36: SLASH-Seminar-security awareness-v1-0-20121212

Defensive Security Awareness: Technology Is Not Enough

Security Awareness Maturity Model

1) Non-existent & compliance focused
- No security awareness program
- Annual or ad-hoc basis
- No attempt to change behaviour

2) Promoting awareness and change
- Impact and change behaviours
- Proper plan beforehand
- Continual reinforcement

3) Long-term sustainment
- Put a proper process and resources in place for the long term
- Ensure budget is made available
- Ensure support from stakeholders

4) Metrics
- Progress tracking
- Measure impact
- A formal metrics program to monitor behaviour
- Ultimately to reduce more risk

Appoint the right person(s) to lead the charge: dedicate at least one person to focus 100 percent of their energy on security awareness across the organization. This person needs to be an individual who communicates well and knows how to sell, market, and build relationships with employees.

Page 37: SLASH-Seminar-security awareness-v1-0-20121212

Defensive Security Awareness: Technology Is Not Enough

Create content where people come to you: 70-80% of your awareness program also applies to people's personal lives.

Continue to publish and distribute a security awareness newsletter.

Provide security awareness videos so people can take training on their own schedule.

Page 38: SLASH-Seminar-security awareness-v1-0-20121212

Conclusion: Live and Let's Comply

Page 39: SLASH-Seminar-security awareness-v1-0-20121212

Conclusion: Live and Let's Comply

Page 40: SLASH-Seminar-security awareness-v1-0-20121212
