SLASH-Seminar-security awareness-v1-0-20121212

Presented this on 12.12.12 at a Security Awareness Seminar at a university.

Published in: Technology

Transcript

  • 1. Title slide.
  • 2. Introduction: from cyberspace with love. Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com | http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint (23:52:15 18 December 2012)
  • 3. Introduction: what information security is. Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Information can exist in many forms: it can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, and software and hardware functions. Reference: ISO/IEC 27002, Information technology: Code of practice for information security management.
  • 4. Introduction: the three security goals. Confidentiality: to ensure protection against unauthorized access to or use of confidential information. Integrity: to ensure that the accuracy and completeness of information are maintained. Availability: to ensure that information and vital services are accessible for use when required.
  • 5. Introduction: common terminology. Threat: any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive or critical assets or services. A threat can be natural, deliberate or accidental. Vulnerability: a quantifiable, threat-independent characteristic or attribute of any asset within a system boundary or the environment in which it operates, which increases the probability of a threat event occurring and causing harm in terms of confidentiality, availability and/or integrity, or increases the severity of the effects of a threat event if it occurs. Reference: The Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM) Handbook.
  • 6. Security History: hacker never dies.
  • 7. Hacker Never Dies. Dennis Ritchie and Ken Thompson created the UNIX (time-sharing) operating system at AT&T Bell Labs in 1969. A few years later, in the early 1970s, Dennis Ritchie created the C programming language. Ritchie was found dead on October 12, 2011. Thompson now works at Google as a Distinguished Engineer. "In 1971 when I joined the staff of the MIT Artificial Intelligence lab, all of us who helped develop the operating system software, we called ourselves hackers." (Interview with Richard Stallman by David Bennahum, 1996.) Richard M. Stallman is the GNU project's lead architect and organizer, and the main author of free software licenses such as the GNU General Public License (GPL).
  • 8. Hacker Never Dies. Joe Engressia (AKA The Whistler / Joybubbles) had the unusual gift of perfect pitch: he could whistle any tone he wanted. With it, the blind mathematics student at the University of South Florida stumbled onto the 2600 Hz tone and figured out how to make free phone calls during the late 60s, just by whistling into the receiver. Phreakers around the world supposedly called Joe to tune their Blue Boxes. John Draper (AKA Captain Crunch) figured out how to make free phone calls using a plastic whistle found in a Cap'n Crunch cereal box, together with a Blue Box. John was active during the 70s and taught Steve Wozniak (co-founder of Apple) how to use a Blue Box that Woz built. John is the owner of Crunch Creation, a group of geniuses and excellent talent engaged in large web development projects.
  • 9. Hacker Never Dies. Mark Abene (AKA Phiber Optik) is a notorious self-taught hacker, someone who didn't learn his skills at a university or similar. Abene is now CTO and founder of TraceVector. In 2007, Abene presented "The Rise and Fall of Information Security in the Western World" at the Hack in the Box security conference, Kuala Lumpur, Malaysia. Robert Morris was the son of the chief scientist at the National Computer Security Center, part of the National Security Agency (NSA). In 1988 he released the first computer worm on the Internet; it exploited a Sendmail vulnerability and a fingerd vulnerability. Morris currently teaches computer science and artificial intelligence at MIT.
  • 10. Hacker Never Dies. Kevin Poulsen is famous for taking over all telephone lines going into KIIS-FM, a radio station in Los Angeles. This guaranteed that he was the 102nd caller, and won him a Porsche 944 S2. Kevin admitted breaking into computer systems to get the names of undercover businesses operated by the FBI. After serving his prison sentence he wasn't allowed to use a computer for another 3 years. Kevin Poulsen was a journalist and the editorial director of SecurityFocus.com; today he is News Editor at Wired.com.
  • 11. Hacker Never Dies. Kevin Mitnick was the most-wanted computer criminal in the United States and the first hacker to end up on the FBI's Most Wanted list. At age 12, Mitnick used social engineering to bypass the punch card system used in the Los Angeles bus system. Mitnick first gained unauthorized access to a computer network in 1979, when he broke into DEC's computer network and copied their software. Mitnick used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail. Today he runs Mitnick Security Consulting, an information security and pen-test firm, mitnicksecurity.com.
  • 12. Hacker Never Dies. tiger team n. [U.S. military jargon] Originally, a team (of sneakers) whose purpose is to penetrate security, and thus test security measures. sneaker n. An individual hired to break into places in order to test their security; analogous to tiger team. Today, penetration testing is the formal title of tiger team activity. Because the US military were the first to use the Advanced Research Projects Agency Network (ARPANET), they were the first to conduct audits of computer security. When the Internet was becoming useful to corporations, some businesses saw the same need as the military: security has to be tested in order to be confirmed secure. However, many corporations didn't see any need for security at all.
  • 13. Hacker Never Dies: Hack-Fu. Today, hackers and some organizations are actively developing and innovating new techniques for offensive and defensive security, including cyber warfare (CW), information warfare (IW) and electronic warfare (EW).
  • 14. Offensive Security Awareness: license to steal.
  • 15. License To Steal: know your enemy. Hackers, crackers, cyber warriors, cyber terrorists, cyber criminals, script kiddies. 'Hackers' are typically computer security experts who specialize in penetration testing and other security testing methodologies. 'Crackers' referred to people who intentionally access a computer, or a network of computers, for malicious reasons; today these bad-guy crackers are sometimes referred to as black hats, or mostly just as hackers. A 'cyber warrior' is an individual or group recruited and trained by a government to use the Internet for offensive and defensive security.
  • 16. License To Steal: know your enemy (continued). 'Cyber terrorists' are individuals or groups who use the Internet to destroy computers or disrupt Internet-connected services for political reasons. 'Cyber criminals' are those who use the Internet to facilitate illegal or fraudulent activities, including scammers and those who distribute software, music and movies in violation of copyright law. 'Script kiddies' usually have very limited computer skills and can be quite immature, launching large numbers of attacks in order to gain attention and reputation.
  • 17. License To Steal: basic pentest methodology. A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders. Today numerous methodologies are publicly available; a basic one has three phases:
    1) Planning: define objective; define scope; define deliverable; type of attack.
    2) Discovery: information gathering; enumeration and vulnerability scanning; source code audits and fuzzing; exploit research.
    3) Attack: gaining access; privilege escalation; system browsing; rootkit installation; monitoring; access management.
    An attacker actually spends 90% of their time in the discovery phase.
  • 18. Hack-Fu: Discovery. Information gathering comes in two types. Passive information gathering involves acquiring information without directly interacting with the target. Active information gathering involves interacting with the target directly, by any means.
  • 19. License To Steal, Example #1: passive information gathering (whois). Registration data comes from the registry, not from the target's own systems:
      Last login: Fri Dec 7 23:42:03 on ttys001
      [slash@sneakyrat-research_box]$ whois targetCompany.MY
      Registrant: targetCompany (targetCompany-MY)
        # street address, city, province, state, postcode, country
      Domain Name: targetCompany.MY
      Administrative and Technical Contact: Fullname, email@targetCompany.MY
        targetCompany (targetCompany-MY)
        # street address, city, province, state, postcode, country
        Telephone: xxx-xxx-xx-xx
        Fax: xxx-xxx-xx-xx
      Domain servers:
        extdns1.targetCompany.MY 202.xxx.133.5
        zaaba.targetCompany.MY 161.xxx.201.17
  • 20. License To Steal, Example #2: passive information gathering (search engines). Collecting email addresses from the Google search engine:
      Last login: Fri Dec 7 23:45:03 on ttys001
      [slash@sneakyrat-research_box]$ ./googmail -d targetCompany.MY
      Listing email address, patient….
      nazri.@targetCompany.MY found!
      amin@targetCompany.MY found!
      marzuki@targetCompany.MY found!
    Collecting sensitive documents from the Google search engine:
      Last login: Fri Dec 7 23:58:15 on ttys001
      [slash@sneakyrat-research_box]$ ./googdoc -d targetCompany.MY
      Listing document, patient….
      memo-lampiran.pdf found!
      maccs-template.doc found!
      examanation-draft.pdf found!
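    The googmail/googdoc runs above are the author's own tools. What follows is an added example, not from the presentation, of the harvesting logic such tools apply once they have search results in hand: pull out addresses at the target domain (undoing the common "[at]"/"[dot]" obfuscation first) and document links hosted on that domain or its subdomains. The result page is constructed sample HTML for the hypothetical targetCompany.MY; fetching it from a search engine (for example with site: and filetype: queries) is left out so the code runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of search-result HTML for the hypothetical domain
# targetCompany.MY (not real data). It contains one obfuscated address,
# one address at another domain and one document hosted elsewhere; the
# last two must be ignored.
SAMPLE_RESULTS = """
<div class="r"><a href="http://www.targetCompany.MY/docs/memo-lampiran.pdf">Memo</a></div>
<div class="s">Contact nazri@targetCompany.MY or amin [at] targetCompany [dot] MY</div>
<div class="r"><a href="https://intranet.targetCompany.MY/forms/maccs-template.doc?v=2">Template</a></div>
<div class="s">Mirror: <a href="http://othersite.example/maccs-template.doc">copy</a></div>
<div class="s">marzuki@targetcompany.my, webmaster@notTarget.example</div>
"""

# Common ways people hide addresses from harvesters; undo them before matching.
_DEOBFUSCATE = [
    (re.compile(r"\s*[\[\(]\s*at\s*[\]\)]\s*", re.I), "@"),
    (re.compile(r"\s*[\[\(]\s*dot\s*[\]\)]\s*", re.I), "."),
]
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")


def harvest_emails(text: str, domain: str) -> list[str]:
    """Return lower-cased addresses at `domain` found in `text`."""
    for pattern, replacement in _DEOBFUSCATE:
        text = pattern.sub(replacement, text)
    suffix = "@" + domain.lower()
    return sorted({m.lower() for m in _EMAIL.findall(text) if m.lower().endswith(suffix)})


class _LinkCollector(HTMLParser):
    """Collect every href on the page; a real parser is safer than a regex here."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def harvest_documents(html: str, domain: str, exts=DOC_EXTENSIONS) -> list[str]:
    """Return document URLs whose host is `domain` or one of its subdomains."""
    collector = _LinkCollector()
    collector.feed(html)
    domain = domain.lower()
    hits = set()
    for href in collector.hrefs:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            continue  # hosted elsewhere: not the target's document
        if parts.path.lower().endswith(exts):  # query string is ignored
            hits.add(href)
    return sorted(hits)


if __name__ == "__main__":
    for address in harvest_emails(SAMPLE_RESULTS, "targetCompany.MY"):
        print(address, "found!")
    for url in harvest_documents(SAMPLE_RESULTS, "targetCompany.MY"):
        print(url, "found!")
```

    The domain filter is what keeps the harvest honest: a mirror of the same document on another site is not evidence about the target, and addresses at unrelated domains only add noise to a later phishing or password-spraying list.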
  • 21. License To Steal, Example #3: active information gathering (social engineering). There is no patch for humans, and therefore there is no protection from social engineering. Historically, social engineering has a magnificent record of success.
  • 22. Hack-Fu: Discovery, enumeration and vulnerability mapping. The attacker will try to identify specific weak points to test and how to test them. These activities include:
    - Identify vulnerable applications or services
    - Perform a vulnerability scan to search for known vulnerabilities, which can be obtained from vendors' security announcements or from public databases such as SecurityFocus, CVE or CERT advisories
    - Enumerate discovered vulnerabilities
    - Estimate probable impact (classify the vulnerabilities found)
    - Identify attack paths and scenarios for exploitation
  • 23. License To Steal, Example #4: Googenum Samba enumeration. Enumeration is the process of collecting and extracting user names, machine names, network resources, shares and services from a target system.
      Last login: Fri Dec 8 10:58:15 on ttys001
      [slash@sneakyrat-research_box]$ ./googenum.pl -r targetCompany.MY
      Starting Googenum….
      --- Target information ---
      Target: targetCompany.MY
      RID Range: 500-550, 1000-1050
      Username: ''
      Password: ''
      Known Username: root, admin, guest, azlan, neelofa
      --- Enumerating Workgroup ---
      [+] Got domain/workgroup name: WORKGROUP
      --- Users on targetCompany.MY ---
      [I] Assuming that user "root" and "admin"
      [+] Got SID: S-1-5-21-1801674531-1482476501-725345543
      S-1-5-21-1801674531-1482476501-725345543-500 ARTIS\zizan (local user)
      S-1-5-21-1801674531-1482476501-725345543-500 ARTIS\nurul (local user)
  • 24. License To Steal, Example #5: Nikto web application scanner. Vulnerability scanning is the process of identifying security weaknesses.
      Last login: Fri Dec 8 11:38:15 on ttys001
      [slash@sneakyrat-research_box]$ ./nikto.pl -host targetCompany.MY
      - Nikto v2.1.5
      ---------------------------------------------------------------------------
      + Target IP: 202.xxx.xxx.xxx
      + Target Hostname: targetCompany.MY
      + Target Port: 80
      + Start Time: 2012-12-08 22:38:08 (GMT8)
      ---------------------------------------------------------------------------
      + Server: No banner retrieved
      + The anti-clickjacking X-Frame-Options header is not present.
      + Cookie ZM_TEST created without the httponly flag
      + No CGI Directories found (use -C all to force check all possible dirs)
      + Allowed HTTP Methods: GET, HEAD, POST, TRACE, OPTIONS
      + OSVDB-3092: /administrator: This might be interesting...
      + OSVDB-637: Enumeration of users is possible by requesting ~username (responds with Forbidden for users, not found for non-existent users).
      + OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
      + OSVDB-3092: /tmp/: This might be interesting...
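    As an added example (not part of the presentation, and not Nikto's code), here is the check behind several of the header findings above, run over a constructed HTTP response instead of a live host: the missing X-Frame-Options header, a cookie set without HttpOnly (and Secure), TRACE listed among the allowed methods, and a Server banner that leaks a version. The weak response and its hardened counterpart are made up for the demo; the response is assumed to be the reply to an OPTIONS request, which is where the Allow header comes from.

```python
import re

# Constructed OPTIONS reply from a hypothetical server (not captured traffic).
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.3\r\n"
    b"Allow: GET, HEAD, POST, TRACE, OPTIONS\r\n"
    b"Set-Cookie: ZM_TEST=true; Path=/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

# The same reply after the fixes a reviewer would ask for.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS\r\n"
    b"Set-Cookie: ZM_TEST=true; Path=/; HttpOnly; Secure\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, [(name, value)], body).
    Header names are lower-cased; values keep their original case."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_response(raw: bytes) -> list[str]:
    """Return human-readable findings for the weaknesses Nikto reported above."""
    _, headers, _ = parse_http_response(raw)

    def values(name: str) -> list[str]:
        return [v for k, v in headers if k == name]

    findings = []

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive will do.
    csp = " ".join(values("content-security-policy")).lower()
    if not values("x-frame-options") and "frame-ancestors" not in csp:
        findings.append("anti-clickjacking X-Frame-Options header (or CSP frame-ancestors) is not present")

    # Cookie attributes: the flags live after the first ';' of each Set-Cookie.
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} created without the HttpOnly flag")
        if "secure" not in attrs:
            findings.append(f"cookie {name} created without the Secure flag")

    # TRACE echoes the request back, which is what cross-site tracing abuses.
    for allow in values("allow"):
        methods = {m.strip().upper() for m in allow.split(",")}
        if "TRACE" in methods:
            findings.append("TRACE method is allowed")

    # A banner with a version number tells the scanner which advisories to look up.
    for banner in values("server"):
        if re.search(r"\d", banner):
            findings.append(f"Server banner discloses a version: {banner}")

    return findings


if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("+", finding)
    print("hardened:", audit_response(HARDENED_RESPONSE) or "no findings")
```

    The same function can be pointed at the bytes of a real reply (for example from `openssl s_client` or a proxy capture); nothing in it depends on the sample data.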
  • 25. Hack-Fu: Attack, gaining access and privilege escalation. In any given situation a system can be enumerated further. Activities in this stage allow the attacker to confirm and document probable intrusion and/or automated attack propagation. If access is obtained, the next step is to escalate it to a higher level, such as administrative privileges.
  • 26. License To Steal: password stealing. A password is used by the attacker to exploit user credentials. It allows the attacker to access personal information, gain access to the system and escalate to a higher privilege such as root or administrator.
    How: observed during entry; password cracking; password stealing tools.
    Why: the password is written down somewhere; the password is stored somewhere in clear text; the password is encrypted with a weak encryption algorithm.
    Password stealing techniques: social engineering, trojans, phishing, shoulder surfing, spying, guessing/cracking.
  • 27. License To Steal, Example #6: password cracking (THC Hydra, dictionary attack against the HTTPS /financials/ directory):
      Last login: Mon Dec 10 10:58:15 on ttys001
      [slash@sneakyrat-research_box]$ ./hydra -L u -P pwd targetCompany.MY https-head /financials/
      Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
      Hydra (http://www.thc.org) starting at 2012-12-10 11:00:15
      [DATA] 16 tasks, 1 servers, 217 login tries (l:31/p:7), ~13 tries per task
      [DATA] attacking service http-head on port 443
      [443][www] host: x.x.x.x login: bdouglas password: javajoe
      [443][www] host: x.x.x.x login: intan password: zygote
      [443][www] host: x.x.x.x login: audit password: qwerty
      [443][www] host: x.x.x.x login: ashraf password: javajoe
      [443][www] host: x.x.x.x login: aaron password: qwerty
      [443][www] host: x.x.x.x login: testuser password: qwerty
      [STATUS] attack finished for targetCompany.MY (waiting for childs to finish)
  • 28. License To Steal, Example #7: phishing. Phishing is the act of attempting to acquire information such as usernames, passwords and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Normally this can be easily achieved in three (3) simple steps. Ten (10) types of phishing attack: 1. Man-in-the-Middle; 2. URL Obfuscation; 3. Cross-Site Scripting; 4. Hidden; 5. Client-side Vulnerabilities; 6. Deceptive; 7. Malware-Based; 8. DNS-Based; 9. Content-Injection; 10. Search Engine.
  • 29. License To Steal, Example #7: email phishing. Phishing emails use two tactics to trick users: a) They look like legitimate updates from Customer Service informing you that, to enhance or provide better security/service, or because of an error in the online banking system, you are 'encouraged' to submit personal information about your account details. b) They threaten you that suspicious activities were made using your account, and that 'legal action' may be taken against you if you do not update your account. Phishing emails share a distinct common trait: they direct you to a link. You end up on a legitimate-looking website with a similar web address, so you can't tell that the website is fake. It then asks you to key in very, very personal details such as name, IC number, phone number, email, account number and PIN.
  • 30. License To Steal, Example #7: email phishing (continued). Same text as slide 29.
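    Added example, not part of the presentation: the "similar web address" trick described above can be caught mechanically before a user ever clicks. The code pulls the links out of a constructed phishing email and flags the usual tells: a "user@" part before the real host, a raw IP or punycode host, plain http, the brand name appearing inside a host whose registrable domain belongs to someone else, and link text that shows a different site than the href. The brand domain mybank.com.my, the sample email and the small two-level suffix set are assumptions; a real filter would use the full Public Suffix List.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email (not a real message). Link 1 hides the real site
# behind a look-alike host, link 2 uses userinfo plus a raw IP, link 3 is genuine.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Verify now: <a href="https://mybank.com.my.secure-login.example/verify">https://mybank.com.my/verify</a></p>
<p>Or <a href="http://mybank.com.my@203.0.113.7/login">click here</a> within 24 hours.</p>
<p>Help: <a href="https://www.mybank.com.my/help">Help centre</a></p>
"""

# Assumed subset of two-label public suffixes relevant to the .MY examples.
TWO_LEVEL_SUFFIXES = {"com.my", "net.my", "org.my", "gov.my", "edu.my", "co.uk"}
_URL_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """'www.mybank.com.my' -> 'mybank.com.my'; 'a.b.secure-login.example' -> 'secure-login.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def text_host(text: str) -> str:
    """Host named by link text when the text itself looks like a URL, else ''."""
    t = text.strip()
    if not _URL_LIKE.fullmatch(t):
        return ""
    if "://" not in t:
        t = "http://" + t
    return (urlsplit(t).hostname or "").lower()


def check_link(text: str, href: str, brand_domains) -> list[str]:
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:  # 'mybank.com.my@203.0.113.7': everything before @ is ignored by the browser
        reasons.append(f"userinfo '{parts.username}@' hides the real host {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host, possible homograph")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is {parts.scheme or 'none'}, not https")
    actual = registrable_domain(host) if host else ""
    for brand in brand_domains:
        if brand in host and actual != brand:
            reasons.append(f"brand '{brand}' appears in host but the site is {actual}")
    shown = text_host(text)
    if shown and registrable_domain(shown) != actual:
        reasons.append(f"link text shows {shown} but href goes to {host}")
    return reasons


class _Links(HTMLParser):
    """Collect (visible text, href) for every anchor."""

    def __init__(self) -> None:
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_email(html: str, brand_domains) -> list[tuple[str, list[str]]]:
    """Return [(href, reasons)] for each link; an empty reasons list means no tell found."""
    parser = _Links()
    parser.feed(html)
    return [(href, check_link(text, href, brand_domains)) for text, href in parser.links]


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL, ["mybank.com.my"]):
        print(href, "->", "; ".join(reasons) or "ok")
```

    Note what the check does not do: it does not resolve anything, so it is safe to run on quarantined mail, and it says nothing about a phishing page hosted on a freshly registered domain that carries no brand string at all. That case still needs the user-side habit the slides are teaching: type the bank's address yourself rather than following the link.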
  • 31. Defensive Security Awareness: technology is not enough.
  • 32. Technology Is Not Enough. "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." (Bruce Schneier, security technologist, cryptographer and author.) "The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." (Eric Schmidt, Chairman and CEO, Google.)
  • 33. Technology Is Not Enough. (Image only.)
  • 34. Technology Is Not Enough. REMOVED.
  • 35. Technology Is Not Enough: major threats come from people, process and technology.
    People: Management, Human Resource, Governance, Finance, Information Technology, Project Management Office.
    Process: Policy, Standard, Procedure, Guideline, Specification.
    Technology: Physical Security, Access Security, Network Security, Application Security, Data Security.
  • 36. Technology Is Not Enough: security awareness maturity model.
    1. Non-Existent & Compliance Focused: no security awareness program; annual or ad-hoc basis; no attempt to change behaviour.
    2. Promoting Awareness and Change: impact and change behaviours; proper plan beforehand; continual reinforcement.
    3. Long Term Sustainment: a proper process and resources in place for the long term; ensure budget is made available; ensure support from stakeholders.
    4. Metrics: progress tracking; measure impact; a formal metrics program to monitor behaviour; ultimately to reduce more risk.
    Appoint the right person(s) to lead the charge: dedicate at least one person to focus 100 percent of their energy on security awareness across the organization. This person needs to be an individual who communicates well and knows how to sell, market, and build relationships with employees.
  • 37. Technology Is Not Enough: create content where people come to you. Provide security awareness video so people can take training on their own schedule. Continue to publish and distribute a security awareness newsletter. 70-80% of your awareness program also applies to people's personal lives.
  • 38. Conclusion: live and let's comply.
  • 39. Live and Let's Comply (conclusion slide).
  • 40. Closing slide.
