slash-seminar-security awareness-v1-0-20121212
DESCRIPTION
Presented this on 12.12.12 at a Security Awareness Seminar at a university.
TRANSCRIPT
1 of 40
2 of 40
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. [email protected] http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint
18 December 2012 23:52:15
Introduction: From Cyberspace With Love
3 of 40
Introduction: From Cyber Space With Love
º Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.
º Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.
º Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
º Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.
Reference: ISO/IEC 27002 Information technology Code of practice for information security management
4 of 40
Introduction: From Cyber Space With Love
To ensure protection against unauthorized access to or use of confidential information.
To ensure that the accuracy and completeness of information are maintained.
To ensure that information and vital services are accessible for use when required.
5 of 40
Introduction: From Cyber Space With Love
Common Terminology
º Threat: Any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive or critical assets or services. A threat can be natural, deliberate or accidental.
º Vulnerability: A quantifiable, threat-independent characteristic or attribute of any asset within a system boundary or environment in which it operates, which increases the probability of a threat event occurring and causing harm in terms of confidentiality, availability and/or integrity, or increases the severity of the effects of a threat event if it occurs.
Reference: The Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM) Handbook
6 of 40
Security History: Hacker Never Dies
7 of 40
Security History: Hacker Never Dies
Dennis Ritchie and Ken Thompson created the UNIX (time-sharing) operating system at AT&T Bell Labs in 1969. A few months after the birth of UNIX, Dennis Ritchie created the C programming language.
Ritchie was found dead on October 12, 2011. Thompson is now working at Google as a Distinguished Engineer.
”In 1971 when I joined the staff of the MIT Artificial Intelligence lab, all of us who helped develop the operating system software we called ourselves hackers.” – Interview with Richard Stallman by David Bennahum, 1996
Richard M. Stallman, the GNU project’s lead architect and organizer, is also the main author of free software licenses such as the GNU General Public License (GPL).
8 of 40
Security History: Hacker Never Dies
Joe Engressia (AKA The Whistler / Joybubbles) has the unusual gift of perfect pitch: he can whistle any tone he wants. With it, the blind mathematics student at the University of South Florida stumbled onto the 2600 Hz tone and figured out how to make free phone calls during the late 60s… just by whistling into the receiver. Phreakers around the world supposedly called Joe to tune their Blue Boxes.
John Draper (AKA Captain Crunch) figured out how to make free phone calls using a plastic whistle found in a Cap’n Crunch cereal box together with a Blue Box. John was active during the 70s and taught Steve Wozniak (co-founder of Apple) how to use a Blue Box that Woz built. John is the owner of Crunch Creation, a group of geniuses and excellent talent engaged in large web development projects.
9 of 40
Security History: Hacker Never Dies
Mark Abene (AKA Phiber Optik) is a notorious self-taught hacker, someone who didn’t learn his skills at a university or similar. Abene is now CTO and founder of TraceVector. In 2007, Abene presented “The Rise and Fall of Information Security in Western World” at the Hack in the Box security conference, Kuala Lumpur, Malaysia.
Robert Morris was the son of the chief scientist at the National Computer Security Center, part of the National Security Agency (NSA). In 1988 he released the first computer worm on the Internet; it exploited a Sendmail vulnerability and a fingerd vulnerability.
Morris currently teaches computer science and artificial intelligence at MIT.
10 of 40
Security History: Hacker Never Dies
Kevin Poulsen is famous for taking over all telephone lines going into KIIS-FM, a radio station in Los Angeles. This ensured that he was the 102nd caller and made him win a Porsche 944 S2. Kevin admitted breaking into computer systems to get the names of undercover businesses operated by the FBI. After serving a 3 year prison sentence he wasn’t allowed to use a computer for another 3 years. Kevin Poulsen was a journalist and the editorial director of SecurityFocus.com. Today he is News Editor at Wired.com.
11 of 40
Security History: Hacker Never Dies
Kevin Mitnick was the most-wanted computer criminal in the United States and the first hacker who ended up on the FBI’s Most Wanted list. At age 12, Mitnick used social engineering to bypass the punch card system used in the Los Angeles bus system. Mitnick first gained unauthorized access to a computer network in 1979, when he broke into DEC's computer network and copied their software. Mitnick used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail.
Today he runs Mitnick Security Consulting, an information security and pen-test firm, mitnicksecurity.com
12 of 40
Security History: Hacker Never Dies
tiger team n. [U.S. military jargon] Originally, a team (of sneakers) whose purpose is to penetrate security, and thus test security measures.
sneaker n. An individual hired to break into places in order to test their security; analogous to tiger team.
Today, penetration testing is the formal title of tiger team activity. Because the US military were the first to use the Advanced Research Projects Agency Network (ARPANET), they were the first to conduct audits on computer security.
When the Internet was becoming useful to corporations, some businesses saw the same need as the military – security has to be tested in order to be confirmed secure. However, many corporations didn’t see any need for security at all.
13 of 40
Security History: Hacker Never Dies
Today, hackers and some organizations are actively developing and innovating new techniques for offensive and defensive security, including cyber warfare (CW), information warfare (IW) and electronic warfare (EW).
Hack-Fu
14 of 40
Offensive Security Awareness: License To Steal
15 of 40
Offensive Security Awareness: License To Steal
know your enemy
Hackers
Crackers
Cyber Warrior
Cyber Terrorist
Cyber Criminals
Script Kiddies
‘hackers’ are typically computer security experts, who specialize in penetration testing and other security testing methodologies.
‘crackers’ refers to a person who intentionally accesses a computer, or network of computers, for evil reasons. Today these bad-guy crackers are sometimes referred to as black hats, or mostly just hackers.
‘cyber warrior’ is an individual or group of people recruited and trained by governments to use the Internet for offensive and defensive security.
16 of 40
Offensive Security Awareness: License To Steal
‘cyber terrorist’ refers to an individual or group of people who use the Internet to destroy computers or disrupt Internet-connected services for political reasons.
‘cyber criminals’ typically refers to those who use the Internet to facilitate illegal or fraudulent activities, including scammers and those who illegally distribute software, music and movies against copyright laws.
‘script kiddies’ usually have very limited computer skills and can be quite immature, trying to carry out large numbers of attacks in order to obtain attention and reputation.
17 of 40
Offensive Security Awareness: License To Steal
Basic Pentest Methodology
1) Planning
º Define objective
º Define scope
º Define deliverable
º Type of attack
2) Discovery
º Information gathering
º Enumeration and vulnerability scanning
º Source code audits and fuzzing
º Exploit research
3) Attack
º Gaining Access
º Privilege Escalation
º System browsing
º Rootkit installation
º Monitoring
º Access Management
A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders. Today, there are numerous methodologies available to the public, among them:
An attacker actually spends 90% of their time in the discovery phase.
18 of 40
Offensive Security Awareness: License To Steal
Information Gathering
Hack-Fu: Discovery
Types: Passive information gathering involves acquiring information without directly interacting with the target. Active information gathering involves interacting with the target directly by any means.
19 of 40
Offensive Security Awareness: License To Steal
Information Gathering
Hack-Fu: Discovery
Example #1: Passive Information Gathering
Last login: Fri Dec 7 23:42:03 on ttys001
[slash@sneakyrat-research_box]$ whois targetCompany.MY
Registrant:
targetCompany (targetCompany-MY) # street address city, province, state, postcode, country
Domain Name: targetCompany.MY
Administrative and Technical Contact:
Fullname, [email protected] targetCompany (targetCompany-MY) # street address, city, province, state, postcode, country
Telephone: xxx-xxx-xx-xx Fax: xxx-xxx-xx-xx
Domain servers:
extdns1.targetCompany.MY 202.xxx.133.5
zaaba.targetCompany.MY 161.xxx.201.17
20 of 40
Offensive Security Awareness: License To Steal
Information Gathering
Hack-Fu: Discovery
Example #2: Passive Information Gathering
Collecting email addresses from the Google search engine:
Last login: Fri Dec 7 23:45:03 on ttys001
[slash@sneakyrat-research_box]$ ./googmail –d targetCompany.MY
Listing email address, patient….
[email protected] found!
[email protected] found!
[email protected] found!
Collecting sensitive documents from the Google search engine:
Last login: Fri Dec 7 23:58:15 on ttys001
[slash@sneakyrat-research_box]$ ./googdoc –d targetCompany.MY
Listing document, patient….
memo-lampiran.pdf found!
maccs-template.doc found!
examanation-draft.pdf found!
21 of 40
Offensive Security Awareness: License To Steal
Information Gathering
Hack-Fu: Discovery
Example #3: Active Information Gathering
There is no patch for humans, and therefore there is no protection from social engineering. Historically, social engineering has a magnificent success story.
22 of 40
Offensive Security Awareness: License To Steal
Enumeration and Vulnerability Mapping
Hack-Fu: Discovery
The attacker will try to identify specific weak points to test and how to test them. These activities include:
² Identify vulnerable applications or services
² Perform a vulnerability scan to search for known vulnerabilities, which can be obtained from the vendors’ security announcements or from public databases such as SecurityFocus, CVE or CERT advisories.
² Enumerate discovered vulnerabilities
² Estimate probable impact (classify vulnerabilities found)
² Identify attack paths and scenarios for exploitation
23 of 40
Offensive Security Awareness: License To Steal
Enumeration and Vulnerability Mapping
Hack-Fu: Discovery
Example #4: Googenum Samba Enumeration
Enumeration is defined as the process of collecting and extracting user names, machine names, network resources, shares and services from a target system.
Last login: Fri Dec 8 10:58:15 on ttys001
[slash@sneakyrat-research_box]$ ./googenum.pl –r targetCompany.MY
Starting Googenum….
--- Target information ---
Target: targetCompany.MY
RID Range: 500-550, 1000-1050
Username: ‘’
Password: ‘’
Known Username: root, admin, guest, azlan, neelofa
--- Enumerating Workgroup ---
[+] Got domain/workgroup name: WORKGROUP
--- Users on targetCompany.MY ---
[I] Assuming that user “root” and “admin”
[+] Got ISD: S-1-5-21-1801674531-1482476501-725345543
S-1-5-21-1801674531-1482476501-725345543-500 ARTIS\zizan (local user)
S-1-5-21-1801674531-1482476501-725345543-500 ARTIS\nurul (local user)
24 of 40
Offensive Security Awareness: License To Steal
Enumeration and Vulnerability Scanning
Hack-Fu: Discovery
Example #5: Nikto Web Application Scanner
Vulnerability scanning is the process of identifying security weaknesses.
Last login: Fri Dec 8 11:38:15 on ttys001
[slash@sneakyrat-research_box]$ ./nikto.pl –host targetCompany.MY
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 202.xxx.xxx.xxx
+ Target Hostname: targetCompany.MY
+ Target Port: 80
+ Start Time: 2012-12-08 22:38:08 (GMT8)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie ZM_TEST created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, TRACE, OPTIONS
+ OSVDB-3092: /administrator: This might be interesting...
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /tmp/: This might be interesting...
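Three of the findings in that Nikto run (the missing X-Frame-Options header, the ZM_TEST cookie without the httponly flag, and TRACE among the allowed methods) are visible in the server's own response headers, so the people running the site can check for them in a deployment test long before a scanner does. The script below is an added example written for this page; it is not the seminar's code and not part of Nikto. The two raw responses are constructed: one mirrors the slide's findings, the other shows the same response with the three fixes applied, and no real host is contacted.

```python
"""Audit a raw HTTP response for the header weaknesses a scanner like Nikto
reports. Added example for this page; both responses below are constructed
(the cookie name ZM_TEST is the one from the Nikto output on the slide)."""

# Constructed: the kind of response the scanned server might have returned.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 08 Dec 2012 14:38:08 GMT\r\n"
    "Set-Cookie: ZM_TEST=true; Path=/\r\n"
    "Allow: GET, HEAD, POST, TRACE, OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed: the same response after the fixes are applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 08 Dec 2012 14:38:08 GMT\r\n"
    "Set-Cookie: ZM_TEST=true; Path=/; HttpOnly; Secure\r\n"
    "X-Frame-Options: DENY\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...]).
    Header names are lower-cased for matching; values keep their case."""
    head, _, _body = raw.partition("\r\n\r\n")
    status, _, header_block = head.partition("\r\n")
    headers = []
    for line in header_block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(raw):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    _status, headers = parse_response(raw)
    findings = []
    present = {name for name, _ in headers}

    # Nikto: "The anti-clickjacking X-Frame-Options header is not present."
    if "x-frame-options" not in present:
        findings.append("missing X-Frame-Options header (clickjacking)")

    for name, value in headers:
        if name == "set-cookie":
            # Nikto: "Cookie ZM_TEST created without the httponly flag"
            cookie = value.split(";")[0].split("=", 1)[0].strip()
            attrs = [part.strip().lower() for part in value.split(";")[1:]]
            if "httponly" not in attrs:
                findings.append("cookie %s set without HttpOnly" % cookie)
            if "secure" not in attrs:
                findings.append("cookie %s set without Secure" % cookie)
        elif name == "allow":
            # Nikto: "Allowed HTTP Methods: GET, HEAD, POST, TRACE, OPTIONS"
            methods = {m.strip().upper() for m in value.split(",")}
            if "TRACE" in methods:
                findings.append("TRACE method enabled (cross-site tracing)")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```

The check deliberately reads the Allow header rather than sending a TRACE request itself, so it can run against a captured response from a staging deployment; the Secure cookie attribute is checked alongside HttpOnly because the two are usually fixed in the same configuration change.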
25 of 40
Offensive Security Awareness: License To Steal
Gaining Access and Privilege Escalation
Hack-Fu: Attack
In any given situation a system can be enumerated further. Activities in this stage allow the attacker to confirm and document probable intrusion and/or automated attack propagation.
If access is obtained, the next step is to escalate it to a higher level, such as administrative privileges.
26 of 40
Offensive Security Awareness: License To Steal
Gaining Access and Privilege Escalation
Hack-Fu: Attack
Password Stealing
A password is used by the attacker to exploit user credentials. It allows the attacker to access personal information, gain access to the system and escalate to a higher privilege such as root or administrator.
How
§ Observed during entry
§ Password cracking
§ Password stealing tools
Why
§ Password is written down somewhere
§ Password is stored somewhere in clear text
§ Password is encrypted with a weak encryption algorithm
Password stealing techniques
Social Engineering
Phishing
Spying
Guessing/Cracking
Shoulder Surfing
Trojans
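The last two "Why" items (a password stored in clear text, or protected with a weak algorithm) are the ones a system owner can fix directly. The script below is an added example for this page, not the seminar's code: it puts a weak store (unsalted MD5, which is what many older applications shipped with) next to a salted, deliberately slow one (PBKDF2-HMAC-SHA256 from Python's standard library). The user table is constructed; three of its accounts reuse the password "qwerty", as three accounts did in the Hydra output later on the slides, so the example can show what the weak store leaks about them before any cracking happens.

```python
"""Weak versus strong password storage. Added example for this page; the user
table is constructed (the shared password "qwerty" mirrors the Hydra slide)."""
import hashlib
import hmac
import os

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000

# Constructed user table: three users chose the same weak password.
USERS = {"audit": "qwerty", "aaron": "qwerty", "testuser": "qwerty", "intan": "zygote"}


def weak_store(password):
    """Unsalted MD5. Every user with the same password gets the same hash, and
    MD5 is fast enough that a precomputed table of common passwords maps such
    hashes straight back to the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_hashes_collide(users):
    """Group users by identical weak hash. Any group larger than one tells an
    attacker, before cracking anything, that those users share a password."""
    groups = {}
    for user, pw in users.items():
        groups.setdefault(weak_store(pw), []).append(user)
    return [names for names in groups.values() if len(names) > 1]


def strong_store(password, salt=None):
    """Per-user random salt plus a slow key derivation. The returned string
    carries the algorithm, iteration count and salt needed for verification."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def strong_verify(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time, so a wrong guess takes as long as a right one."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("users sharing a password (visible from weak hashes):", weak_hashes_collide(USERS))
    record = strong_store("qwerty")
    print("strong record:", record)
    print("verify right password:", strong_verify("qwerty", record))
    print("verify wrong password:", strong_verify("Qwerty", record))
```

With the strong store, two users with the same password get different records because their salts differ, and the slow derivation means a leaked table costs the attacker a fixed, tunable amount of work per guess per user; it does not make a password like "qwerty" safe, which is why the awareness part of the programme still matters.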
27 of 40
Offensive Security Awareness: License To Steal
Gaining Access and Privilege Escalation
Hack-Fu: Attack
Example #6: Password Cracking
Last login: Mon Dec 10 10:58:15 on ttys001
[slash@sneakyrat-research_box]$ ./hydra -L u -P pwd targetCompany.MY https-head /financials/
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2012-12-10 11:00:15
[DATA] 16 tasks, 1 servers, 217 login tries (l:31/p:7), ~13 tries per task
[DATA] attacking service http-head on port 443
[443][www] host: x.x.x.x login: bdouglas password: javajoe
[443][www] host: x.x.x.x login: intan password: zygote
[443][www] host: x.x.x.x login: audit password: qwerty
[443][www] host: x.x.x.x login: ashraf password: javajoe
[443][www] host: x.x.x.x login: aaron password: qwerty
[443][www] host: x.x.x.x login: testuser password: qwerty
[STATUS] attack finished for targetCompany.MY (waiting for childs to finish)
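A run like the one above is loud from the server's side: 217 login attempts from one address against one path in a few minutes, almost all of them answered with 401. The script below is an added example for this page (not the seminar's code and not part of Hydra) showing how that pattern is picked out of an ordinary web server access log. The log lines are constructed in Common Log Format with documentation addresses; the threshold and window are assumptions to tune for the site.

```python
"""Detect an online password-guessing run from web server access logs.
Added example for this page; the log is constructed, not captured."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag source IPs that produce `threshold` or more 401 responses inside a
    sliding window, and record whether a 2xx from the same IP followed (which
    means a guess succeeded and the account needs attention, not just the IP).
    Returns {ip: {"failures": n, "first": ts, "last": ts, "success_after": bool}}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of 401s inside the window
    alerts = {}
    records = [r for r in map(parse_line, lines) if r is not None]
    for rec in sorted(records, key=lambda r: r["ts"]):
        ip = rec["ip"]
        if rec["status"] == 401:
            q = recent[ip]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last"] = rec["ts"]
            elif len(q) >= threshold:
                alerts[ip] = {"failures": len(q), "first": q[0],
                              "last": rec["ts"], "success_after": False}
        elif 200 <= rec["status"] < 300 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


def sample_log():
    """Constructed log: one host fails 12 times against /financials/ in 22
    seconds and then gets a 200; another host fails twice (a typo) and logs in."""
    tz = timezone(timedelta(hours=8))
    base = datetime(2012, 12, 10, 11, 0, 15, tzinfo=tz)

    def line(ip, ts, status):
        return '%s - - [%s] "HEAD /financials/ HTTP/1.0" %d 0' % (ip, ts.strftime(TS_FORMAT), status)

    lines = [line("203.0.113.9", base + timedelta(seconds=2 * i), 401) for i in range(12)]
    lines.append(line("203.0.113.9", base + timedelta(seconds=25), 200))
    lines += [line("198.51.100.4", base + timedelta(seconds=120), 401),
              line("198.51.100.4", base + timedelta(seconds=125), 401),
              line("198.51.100.4", base + timedelta(seconds=130), 200)]
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(sample_log()).items():
        print(ip, info["failures"], "failures", "then success" if info["success_after"] else "")
```

The same counting, keyed on the target account rather than the source address, catches the slower variant where guesses are spread over many addresses; either way the control that makes the log boring again is a lockout or rate limit on the login path, plus an alert on a 2xx that follows a burst of 401s.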
28 of 40
Offensive Security Awareness: License To Steal
Gaining Access and Privilege Escalation
Hack-Fu: Attack
Example #7: Phishing
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Normally, this can be easily achieved in three (3) simple steps:
Ten (10) Types of Phishing Attack
1. Man-in-the-Middle
2. URL Obfuscation
3. Cross-Site Scripting
4. Hidden
5. Client-side Vulnerabilities
6. Deceptive
7. Malware-Based
8. DNS-Based
9. Content-Injection
10. Search Engine
29 of 40
Offensive Security Awareness: License To Steal
Gaining Access and Privilege Escalation
Hack-Fu: Attack
Example #7: Email Phishing
Phishing emails have two tactics to trick users:
a) They look like legitimate updates from Customer Service, informing you that, to enhance or provide better security/service or because of an error in the online banking system, you are ‘encouraged’ to submit personal information about your account details.
b) They threaten you that suspicious activities were made using your account, and that ‘legal action’ may be taken against you if you do not update your account.
Phishing emails share a distinct and common similarity: they direct you to a link. You will end up on a legitimate-looking website, with a similar website address so you can’t tell whether the website is fake. It will then ask you to key in very, very personal details like name, IC number, phone number, email, account number and PIN number.
30 of 40
Offensive Security Awareness: License To Steal
Gaining Access and Privilege Escalation
Hack-Fu: Attack
Example #7: Email Phishing (continued)
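The common thread the slides describe, a link whose destination is not what it appears to be, is something a mail gateway or an awareness exercise can check mechanically. The script below is an added example for this page, not the seminar's code: it pulls the links out of an HTML message and reports the signs named on these slides and in the "URL Obfuscation" entry of the ten types (displayed address differing from the real one, a raw IP address or user@host trick in the URL, plain http, and a look-alike of a trusted domain). The message, the trusted domain and the rules are constructed; the look-alike rule is a deliberately simple heuristic, not a complete classifier.

```python
"""Flag suspicious links in an e-mail body. Added example for this page; the
message and the trusted domain are constructed placeholders."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"mybank.example"}   # constructed: the real bank's domain

# Constructed message using the two tactics described on the slide.
SAMPLE_EMAIL = """
<p>Dear customer, suspicious activities were detected on your account.</p>
<p>To avoid legal action, <a href="http://mybank.example.login-verify.net/update">update your account</a> within 24 hours.</p>
<p>Or visit <a href="http://mybank.example@203.0.113.5/secure">https://mybank.example/secure</a> directly.</p>
<p><a href="https://mybank.example/help">Help centre</a></p>
"""

# Link text that itself looks like an address (so the reader trusts it).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons this link looks like phishing (empty list if none)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.username is not None:          # http://bank@evil-host/ style obfuscation
        findings.append("user@host before the real host (URL obfuscation)")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if parsed.scheme == "http":
        findings.append("plain http, not https")
    if URL_LIKE.match(text) and host_of(text) != host:
        findings.append("displayed address differs from the real destination")
    for good in trusted:
        # Heuristic: the trusted name appears inside a host that is not the trusted domain
        if host != good and not host.endswith("." + good) and good.split(".")[0] in host:
            findings.append("look-alike of trusted domain " + good)
    return findings


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, findings)] for every link with at least one finding."""
    extractor = LinkExtractor()
    extractor.feed(html)
    results = []
    for href, text in extractor.links:
        findings = check_link(href, text, trusted)
        if findings:
            results.append((href, findings))
    return results


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL):
        print(href)
        for f in findings:
            print("   -", f)
```

The genuine help-centre link comes back clean while both bait links are flagged for several reasons at once, which is the point worth making in training: the reader does not have to judge the message's tone, only where the link actually goes.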
31 of 40
Defensive Security Awareness: Technology Is Not Enough
32 of 40
Defensive Security Awareness: Technology Is Not Enough
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology” – Bruce Schneier, Security Technologist, Cryptographer and Author
“The Internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had” – Eric Schmidt, Chairman and CEO, Google.
33 of 40
Defensive Security Awareness: Technology Is Not Enough
34 of 40
Defensive Security Awareness: Technology Is Not Enough
REMOVED
35 of 40
Defensive Security Awareness: Technology Is Not Enough
People
º Management
º Human Resource
º Finance
º Information Technology
º Project Management
º Office
Process
º Governance
º Policy
º Standard
º Procedure
º Guideline
º Specification
Technology
º Physical Security
º Access Security
º Network Security
º Application Security
º Data Security
Major threats
36 of 40
Defensive Security Awareness: Technology Is Not Enough
Security Awareness Maturity Model
1. Non-Existent and 2. Compliance Focused
º No security awareness program
º Annual or ad-hoc basis
º No attempt to change behaviour
3. Promoting Awareness and Change
º Impact and change behaviours
º Proper plan beforehand
º Continual reinforcement
4. Long Term Sustainment and Metrics
º Add a proper process and resources in place for the long term
º Ensure budget is made available
º Ensure support from stakeholders
º Progress tracking
º Measure impact
º A formal metrics program to monitor behaviour
º Ultimately to reduce more risk
Appoint the right person(s) to lead the charge: Dedicate at least one person to focus 100 percent of their energy on security awareness across the organization. This person needs to be an individual who communicates well and knows how to sell, market, and build relationships with employees.
37 of 40
Defensive Security Awareness: Technology Is Not Enough
Create content where people come to you. 70-80% of your awareness program also applies to people’s personal lives.
Continue to publish and distribute the security awareness newsletter.
Provide security awareness videos so people can take training on their own schedule.
38 of 40
Conclusion: Live and Let’s Comply
39 of 40
Conclusion: Live and Let’s Comply
40 of 40