PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017



  • Date posted: 22-Jan-2018


Transcript of PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017

  1. Jean-Paul Garcia-Moran, Security Architect, March 2017. Protect and survive: safeguarding your information assets. #MFSummit2017
  2. What is the feeling out there on security? (PwC Global Economic Crime Survey 2016) 44%: UK respondents who experienced cybercrime, up from 24% in 2014. 71%: respondents who felt the risk of cybercrime had increased over the last 2 years. 51%: sinking expectations from people; this is the number of respondents who felt they would probably get hacked in the next two years.
  3. Cyber Kill Chain: 1 Reconnaissance, 2 Weaponisation, 3 Delivery, 4 Exploitation, 5 Installation, 6 Command & Control (C2), 7 Actions on Objectives.
  4. Information gathering on places: public infrastructure, corporations, people's homes.
  5. Information gathering on services: connectivity, data repositories, file sharing, internet-facing devices.
  6. Active reconnaissance: tools for network scanning; query public DNS databases for info on IPs; enumerate services and vulnerabilities.
  7. Passive reconnaissance: specialised search engines provide an advantage of relative anonymity when researching targets. Public repositories such as GitHub can be searched for users mistakenly publishing passwords and application code. (If there is one guarantee, it is that users make mistakes!)
  8. Many public databases to share Google dorks. They are used to look for: login UIs; shared documents in public clouds; web server information; application errors (SQLi attack vector).
  9. intitle:"Login - OpenStack Dashboard" inurl:"dashboard
  10. site:onedrive.live.com shared by
  11. inurl:/dbg-wizard.php filetype:php
  12. site:cloudshark.org/captures# password
  13. site:pastebin.com intext:@gmail.com | @yahoo.com | @hotmail.com daterange:2457780-2457811
  15. intext:"expects parameter 1 to be resource, boolean given" filetype:php
  16. Most of the time, it's an attack of opportunity. Automation is possible with advanced payload techniques. Common targets are PHP and MySQL applications.
  17. How to perform SQLi. Login field: ' OR 1=1;/*   Password field: */--   Resulting query: SELECT * FROM users WHERE username = '' OR 1=1; /*' AND password = '*/--   Unauthorized access is granted to the application.
  18. Advanced SQLi payloads. SELECT * FROM some_table WHERE double_quotes = "[Injection point]   Payload: "IF(SUBSTR(@@version,1,1)
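Slide 17 shows the injected login query only as text. The following Python/sqlite3 snippet is an added example, not code from the talk: it builds the same concatenated query, confirms that the slide's two field values log in without a valid password, and shows that the parameterised form of the same query rejects them. The table, the user row and the function names are constructed for the demo.

```python
import sqlite3

# Constructed demo data (assumption, not from the talk): one user row.
# A plaintext password column is used only to keep the example short.
USERS = [("alice", "correct-horse")]

# The two field values exactly as shown on slide 17.
SLIDE_LOGIN = "' OR 1=1;/*"
SLIDE_PASSWORD = "*/--"


def make_db():
    """Create an in-memory database with a users table and the demo row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_concatenated_sql(username, password):
    """The vulnerable construction: user input is pasted into the SQL text."""
    return ("SELECT * FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Concatenated query. With the slide's values the WHERE clause becomes
    username = '' OR 1=1 and the password check is inside a comment."""
    row = conn.execute(build_concatenated_sql(username, password)).fetchone()
    return row is not None


def login_parameterised(conn, username, password):
    """Hardened form: bound parameters keep the input as data, so the same
    values are just a username and a password that match no row."""
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_concatenated_sql(SLIDE_LOGIN, SLIDE_PASSWORD))
    print("concatenated query grants login:",
          login_vulnerable(db, SLIDE_LOGIN, SLIDE_PASSWORD))
    print("parameterised query grants login:",
          login_parameterised(db, SLIDE_LOGIN, SLIDE_PASSWORD))
```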