I get paid to break into company and government networks for a living
PowerPoint presentation, Daniel Weis (Kiandra)
Slide 2
• I get paid to break into company and government networks for a living
• 23 years in various IT roles, both here and internationally
o 7 years in security consulting
o 5 years as a Pentester
• 1 of the first 10 people globally to become a Certified Ethical Hacker
• 23 certifications
• Trainer of upcoming CEHs.
Slide 3
• The content presented today contains tools, techniques and resources used for hacking and illegal activities
• The content is for education purposes only
• Hacking is illegal. You MUST have written permission from the associated target/party(s)
• The underground sites presented today should not be visited and are monitored by federal authorities
• Kiandra does not condone illegal hacking or malicious activities.
Slide 4
Threat types: phishing, malware, social engineering, identity theft, bot/botnet, exploit
Slide 5
• Identify threats to the business
• Eliminate risks
• Compliance
• Instil confidence for clients
• Availability and data security
• The rapid growth of Hacktivism and ‘Anonymous’ type hacking groups / local chapters.
Slide 8
• Internet environment complexity
• New technologies, new threats and new exploits
• Limited focus on security
• Limited security expertise
• Limited funding
• Unreported incidents.
Slide 9
Breached records in 2016: 1,738,099,866 (1 bln+)
1,512 reported breaches; 28 breaches per week reported
1,093 breach incidents in the US alone
40 major breaches in Australia in 2016
In 47% of breaches the number of records compromised was unknown
The Ponemon Institute Cost of Cybercrime 2016 study shows on average cybercrime costs an Australian organisation anywhere from $900,000 to $7,100,000 per breach. Average is $2.64 million.
Slide 10
Chart by industry sector: financial, industrial, services, technology, retail, public/gov, consumer, other (misc). Shares shown on the chart: 14%, 14%, 12%, 12%, 9%, 8%, 7%, 24% (the sector-to-share pairing is not recoverable from the transcript).
![Page 11: I get paid to break into company and government …€¢I get paid to break into company and government networks for a living ... •Pen-test, Have you had one ... PowerPoint Presentation](https://reader031.fdocuments.net/reader031/viewer/2022022516/5b036cba7f8b9ab9598f5779/html5/thumbnails/11.jpg)
46%Malicious outsider/
cyber crims
27%27%
Accidental loss/human
errorSystem glitch
Slide 12
Breach types (chart): identity theft 64%, nuisance 4%, account access 11%, financial access 16%, existential data 5%
Slide 16
• Loss of reputation / good will and revenue
• Data loss
• Privacy implications
• Theft of data
• Downtime or permanent closures
• Loss of revenue, cost of downtime and remediation $$$.
Slide 17
• Poor detection, response and escalation
• No formal policies for proactive auditing / event management or incident response
• Lack of security focus, expertise and expenditure. It costs too much money!
• Staff Awareness & Misconfiguration
• Not worth the bother! We have a firewall… Why would I be a target?
• Implementation of unauthorised devices into the network, e.g. mobile devices, BYOD.
• Insecure Network Design
• No Physical Security
Slide 18
• Recon/information gathering
• Social engineering and phishing attacks
• Client side attacks
• Wireless and mobile devices
• Execute, implant, harvest and exfil.
Slide 19
• The demo about to be presented contains common techniques, information leakage and vulnerabilities that EVERY organisation has
• It does not indicate that an organisation, person or entity is vulnerable or has weaknesses or vulnerabilities in their environment in any way.
• Although a specific organisation will be targeted, the same outcomes would be achieved against ANY organisation with an internet presence
• The demos are for education purposes only.
Slide 20
• We live in a digital age
• Information is everywhere
• Everything is online
• It’s easy to get (no tech hacking)
• You just need to know how to piece it all together!
Slide 25
PATH OF LEAST RESISTANCE
Slide 26
Legacy systems, IT provider, USB, mobile devices, phishing, website, physical access, wireless, employees/users, passwords
Slide 27
• Security policies
• User awareness
• Security controls, firewalls, IDS/IPS’s, patching, AV
• Scheduled security assessments, such as penetration testing.
Slide 28
• Social engineering
• Everybody loves receiving emails, especially with attachments
• Physical access – air-con/service, imitation of employees
• Weak wireless and user passwords
• Forgotten accounts left in place.
• Rogue Devices & Access Points
• Missing Patches
• USB Access
Slide 29
People love phishing emails
• Average 18% click rate
• People respond fast: 4% would click on the link and give out their passwords in under 5 minutes
• 25% would give us passwords; 25% would follow through with giving up credentials
• Repeat offenders: 1-2 repeat offenders every engagement giving their passwords out multiple times
Slide 30
• Pentest
• Incident response policy
• Cyber insurance coverage
• IT are doing the right thing: email and network protection, such as a firewall and an IPS (Intrusion Prevention System), endpoint protection, blocking USB, locking down the environment
• Monitoring, do you know when you are getting hacked?
• Staff awareness testing and regular training
Slide 31
• Pen-test: have you had one, and have the issues been remediated?
• Is an incident response policy in place and tested?
• Do you have cyber insurance coverage in place and is the amount suitable?
• Have you got the necessary technical measures in place to reduce the risk of a cyber event?
• Do you have sufficient budget allocations for training and security?
• Have all staff undertaken awareness training, and is cyber security training incorporated into on-boarding?
Slide 34
Cyber Underground and Cybercrime
Will you be hacked? Daniel Weis
Slide 35
SURFACE WEB
• Anything that can be indexed by a typical search engine like Google, Bing or Yahoo
• The “visible web”
• 4 billion indexed web pages
• This is the web you know
DEEP WEB
• The deep web is anything that a search engine can’t find
• Data behind firewalls, like corporate resources, business intranets, password protected websites, infrastructure etc
DARK WEB
• Is a small portion of the deep web that has been intentionally hidden and is inaccessible through standard web browsers
• Can only be accessed with special software designed to hide you
• Contains darknet markets
• Anonymous marketplace ecosystem does in excess of $500,000 a day.
Slide 38
• When they get shut down, they just come back again a short time later on a different provider
• Usually operate in countries with no jurisdictions, such as South America, Eastern Europe, South East Asia
• Use bulletproof hosting
• Mini ISPs (datacenters)
• Specialise in offering services that are largely immune from takedown requests and pressure from western law enforcement agencies.
Slide 39
• Located six miles off the coast of Suffolk, England
• Built during WW2 as an anti-aircraft gun platform
• Declared an independent nation in 1967
• Home to HavenCo, the world's first bulletproof hoster
• “Its own nation, its own rules.”
Slide 40
• Former home of Wikileaks
• Inside the White Mountains of Stockholm
• Located below 30 meters of granite and secured by a 40-centimeter-thick door
• The data-center can withstand a hydrogen bomb attack.
Slide 41
• Abandoned NATO bunker
• Netherlands
• Discarded by the Dutch military in 1994
• Built to survive a 20-megaton nuclear attack
• 5 subterranean levels.
Slide 43
DATA BREACHES
http://breachlevelindex.com
http://datalossdb.org/
www.Idtheftcenter.org
https://www.privacyrights.org
https://pages.riskbasedsecurity.com/2016-midyear-data-breach-year-in-review
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
COST CALCULATOR
http://www.trendmicro.com/vinfo/us/security/special-report/cybercriminal-underground-economy-series/global-black-market-for-stolen-data/
THREAT MAPS
http://cybermap.kaspersky.com/
http://map.ipviking.com/
https://www.fireeye.com/cyber-map/threat-map.html
http://www.digitalattackmap.com/
IOT / INTERNET FACING DEVICES
https://shodan.io
https://www.censys.io
https://ics-radar.shodan.io
Slide 45
• For more info, feel free to grab me after the presentation
• Drop an email to [email protected]
• Grab one of my business cards!
• Track me down on social networking
• Visit our website: kiandra.com.au