It’s OK to get H@CK3D
Presentation by Jaco van Gaan at IIA in 2001.

This presentation is about the use of ethical hackers in business. The presentation begins with a series of discussions about hackers, what they do, how they do it and the different types of hackers.

  • Comment on our background and the kind of work we do - technology focused
  • Comment on actual statistics Give URL as source ** Refer to John Tullet’s talk earlier...
Slide 1. It’s OK to get H@CK3D

Slide 2. Introduction
  • About me
  • About SensePost
  • References
    • http://www.sensepost.com
    • [email_address]
    • [email_address]

Slide 3. Agenda
  • Who got h@ck3d?
  • Hackers - the enemy or close friend?
  • Evaluating the work of Ethical hackers
  • Internal Audit tips and tricks
  • Questions

Slide 4. Who got hacked?
  • Problem vs Origin
  • De-Face
    • Unauthorized change to a web page
    • Not necessarily damage or data loss
    • Loss in reputation
    • http://www.attrition.org/mirrors

Slide 5. What Hackers do:
  • Steal
    • Information - to use and to sell
    • Money from accounts
    • Goods through e-buying
    • Resources - time and equipment
  • Talk, Boast
  • Leave backdoors open
    • Launch new attacks

Slide 6. How do they do it?
  • Social engineering
  • Networking
  • Resources from the web...

Slide 7. How do they do it 2?
  • Information gathering
  • Footprinting
  • ID servers/services by portscan
  • ID OS, service types (MS, IIS)
  • Check vulnerability databases
  • Run vulnerability checker (whisker)
  • Search for exploit tool / build exploit tool
  • Use tool
  • Gain control
  • Deface, delete, cover tracks.
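The "ID servers/services by portscan" step on the slide above is also one of the easiest steps in that chain for a defender to notice: a single source touching many distinct ports on one host within a short window leaves a distinctive footprint in perimeter firewall logs. The following is an added example, not part of the presentation and not SensePost's code, showing a sliding-window detector run over a small set of constructed firewall log lines. The log format (`src=`, `dst=`, `dport=`, `action=` fields after an ISO timestamp), the addresses and the thresholds are all assumptions made for the example.

```python
"""Port-scan detection over constructed firewall log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; not captured from any real system.
# Assumed format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<ACCEPT|DROP>"
SAMPLE_LOG = """\
2001-06-12T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=21 action=DROP
2001-06-12T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=22 action=ACCEPT
2001-06-12T10:00:02 src=192.0.2.10 dst=198.51.100.5 dport=23 action=DROP
2001-06-12T10:00:02 src=192.0.2.10 dst=198.51.100.5 dport=25 action=DROP
2001-06-12T10:00:03 src=192.0.2.10 dst=198.51.100.5 dport=80 action=ACCEPT
2001-06-12T10:00:03 src=192.0.2.10 dst=198.51.100.5 dport=110 action=DROP
2001-06-12T10:00:04 src=192.0.2.10 dst=198.51.100.5 dport=139 action=DROP
2001-06-12T10:00:04 src=192.0.2.10 dst=198.51.100.5 dport=443 action=ACCEPT
2001-06-12T10:00:05 src=192.0.2.10 dst=198.51.100.5 dport=445 action=DROP
2001-06-12T10:00:05 src=192.0.2.10 dst=198.51.100.5 dport=3389 action=DROP
2001-06-12T10:00:07 src=203.0.113.7 dst=198.51.100.5 dport=80 action=ACCEPT
2001-06-12T10:00:09 src=203.0.113.7 dst=198.51.100.5 dport=80 action=ACCEPT
2001-06-12T10:00:11 src=203.0.113.7 dst=198.51.100.5 dport=443 action=ACCEPT
2001-06-12T10:30:00 src=198.51.100.77 dst=198.51.100.5 dport=22 action=ACCEPT
2001-06-12T10:30:01 src=198.51.100.77 dst=198.51.100.5 dport=25 action=ACCEPT
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real pipeline would count these for log-quality monitoring
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect_port_scans(events, min_ports=8, window_seconds=60):
    """Return {(src, dst): n} for every source/destination pair that touched at least
    min_ports distinct destination ports inside some window of window_seconds.

    Both accepted and dropped connections count: a scanner learns from either.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits within window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({port for _, port in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            alerts[pair] = best
    return alerts


def scan_report(text=SAMPLE_LOG, **thresholds):
    """Convenience wrapper: parse the text and run the detector with the given thresholds."""
    return detect_port_scans(parse_log(text), **thresholds)


if __name__ == "__main__":
    for (src, dst), n in scan_report().items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports within window)")
```

With the defaults, only the first source trips the detector (ten distinct ports in five seconds); the two legitimate-looking sources touch only one or two ports each. The thresholds are the tuning knobs: a slow scan spread over hours needs a longer window, which in turn raises the false-positive rate from busy legitimate clients, so the numbers should be set from your own baseline traffic rather than copied from here.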
Slide 9. Hackers – enemy or close friend?
  • Understand the origin of the problem before trying to address it
  • Different types
    • Script kiddies
    • Professional hackers
    • Government agencies
    • Ethical hackers
  • Motivation behind attempts
    • Hacker manifesto:
  • “Our only crime is curiosity”

Slide 10. What me worry?!
  • Who would target you?

Slide 11. Evaluating the work of Ethical Hackers

Slide 12. Why get Hacked?
  • ID vulnerabilities proactively
  • Measure effectiveness of controls and security investment
  • Verify vendor and technology claims
  • Create awareness
  • Improve IT staff skills and knowledge
  • Motivate security expenditure
  • Get objective, independent results
  • Business pressure
  • Setting benchmarks
  • Continually measure and monitor

Slide 13. External Assessment (Audit)
  • Collect and evaluate evidence to determine whether a computer system:
    • safeguards assets
    • maintains data integrity
    • allows the goals of an organisation to be achieved efficiently and effectively
  • Security policy as control document
  • International standards: SAS 70, BS 7799.

Slide 14. Ethical Hackers - Evaluation
  • Organization
    • Independence
    • References
    • Experience
    • Certification
    • Cost
    • Ethics
    • Services offered
    • Backing: subsidiary/insurance

Slide 15. Ethical Hackers - Evaluation
  • Methodology
    • Certification/benchmark
    • Audit plan
    • Execution according to plan
    • Report
    • Recommendations & resolution

Slide 16. Ethical Hackers - Evaluation
  • Resources
    • Business skills
    • Experience: qualifications, certifications, bodies
    • Individual background
  • The brief… How, What, Where?
    • Type: logical, physical or social
    • Restrictions / conditions
    • Internal / external

Slide 17. Ethical Hackers - Evaluation
  • Toolbox
    • Tool combinations: wider vulnerability exposure
    • Proprietary or off the shelf
  • Confidentiality
    • NDA

Slide 21. The Internal Auditor
  • Value your information assets
  • Evaluate your risk
  • Be requirement driven, not technology driven
  • Enable your business

Slide 22. The Internal Auditor
  • Separation of duties
  • Security policy
  • Use of a specialist
  • Be cautious of ‘strange’ software

Slide 23. Questions?