KLC Consulting 1
Kyle Lai
President & CTO
KLC Consulting
April 2015
Career Highlights
CISSP, CISA, CSSLP, CIPP/US/G
20 years in IT, 15 years specializing in security
CISO, DISA Operations Manager for Security Portal
ISO 27001/2, Regulatory Compliance, Third-Party Risk,
Penetration/Vulnerability Tester, IT Auditor, Network Admin,
Developer, DBA, Sys Admin
Consultant for
Boeing | HP | PWC | DoD | Fidelity | ExxonMobil
Fannie Mae | RBS | Federal Gov’t | Akamai | Brandeis Univ
Author of
SMAC MAC Address Changer (SMAC) tool
WebDAV Scanner tool
Administers LinkedIn Groups
CyberSecurity Community
Cloud Computing Security Community
Third Party Security Risk Management
Married, 2 kids, 1 teenage dog!
Graduated from UCONN with BS in Electrical Engineering
Recent huge cyber attacks:
(1/2015) Premera Blue Cross: 11 million customer records, breached in May 2014; went undiscovered until 1/29/2015
(2/2015) Anthem (including Blue Cross Blue Shield members): 80 million insured’s health records stolen
(11/2014) Sony Pictures: 11/2014
(10/2014) Staples: 1.16 million customer credit cards
(9/2014) Home Depot: 56 million customer credit cards
(8/2014) JPMorgan Chase: 83 million household and business accounts
(6/2014) Community Health Systems: 4.5 million patient records
(4/2014) Michaels Stores: 3 million customer payment cards
(12/2013) Target: 40 million customer credit and debit cards. CEO was fired!
CyberSecurity Definition:
The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. (http://niccs.us-cert.gov/glossary)
In Straight Talk:
Your capability and readiness for attacks against your technology / systems / applications:
Prevention / protection / monitoring / detection
React / respond / attack* / counter attack* / handle breach notifications
*Authorization required
[Figure omitted] Source: https://buildsecurityin.us-cert.gov/sites/default/files/BobMartin-CybersecurityEcosystem.pdf
[Figure omitted] * “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS, www.softwaretechnews.com (labels include: Cloud / Outsource)
92% OF THE INCIDENTS WE’VE SEEN OVER THE LAST 10 YEARS — AND 94% OF THE BREACHES IN 2013 — CAN BE DESCRIBED WITH JUST NINE PATTERNS.
Source: VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT
Advanced Persistent Threat (APT)
Distributed Denial of Service (DDoS)
Cross-Platform Malware
Metamorphic and Polymorphic Malware
Phishing
Source: Recorded Future - Cyber Threat Landscape: Basic Overview and Attack Methods
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Known Vulnerable Components
A10: Unvalidated Redirects and Forwards
Critical Infrastructure
Power grid / Oil pipelines
Financial Services
Banking / Wall Street
Government Services
Fire / Police / Water / Traffic Light
Several nations are capable of launching large-scale attacks against the USA
Live Attacks - http://map.ipviking.com (no sensors in China, so attacks made upon China cannot be seen)
Source: http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
• Cyber Weapon – Stuxnet attacked Iranian nuclear centrifuges in 2010
• It is claimed to be the first effective cyber weapon
• Infected the environment via USB
• Attacked industrial programmable logic controllers (PLCs)
• Only targeted Siemens systems running on Windows
• Reportedly compromised Iranian PLCs
• Collected information about industrial systems
• Caused the high-speed centrifuges to tear themselves apart
• Who made Stuxnet??? No one has claimed responsibility…
Denial Of Service
AMIDALA: We must continue to rely on negotiation.
BIBBLE: Negotiation? We've lost all communications!
(Also used in Russia-Georgia war)
Compromise Integrity, Escalation of Privilege...
OBI-WAN: This is where it ought to be... but it isn’t. Gravity is pulling all the stars in this area inward to this spot. There should be a star here... but there isn’t.
JEDI CHILD: Because someone erased it from the archive memory.
OBI-WAN: But Master Yoda, who could have erased information from the archives? That’s impossible, isn’t it?
YODA: (frowning) Much harder to answer, that question is.
You Possess Fundamental Skills for CyberSecurity
Strong PROBLEM SOLVING SKILLS
Programming Skills
Advanced Computer skills
Understand a mix of technologies
Acquire new skills
Think outside the box when it comes to creative problem solving
Learn penetration testing skills
Think like a BAD hacker, and see how you can protect your employer
Learn Risk Assessment.
Identify vulnerabilities and potential areas of exposure; for each one, estimate the cost of damage should an attack come via this vulnerability, the cost to fix it, the cost of not fixing it, and the cost of carrying business insurance to cover the risk; then decide: is the risk acceptable?
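As an added example (not part of the presentation), a small Python worksheet that walks the cost questions the slide lists for each vulnerability: expected loss if an attack comes through it, cost to fix, cost of not fixing, cost of insuring, and whether the residual risk is acceptable. The exposures, probabilities and dollar figures are constructed sample values, and the simplifications that a fix removes the risk entirely and is amortised over three years are assumptions.

```python
"""Risk-assessment worksheet (added example): walks the cost questions the slide
raises for each identified vulnerability and returns a treatment decision.
All exposures, probabilities and dollar figures below are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    annual_likelihood: float    # estimated chance of a successful attack per year (0..1)
    damage_cost: float          # estimated loss if an attack comes via this vulnerability
    fix_cost: float             # one-off cost to remediate
    insurance_premium: float    # yearly premium to transfer the risk
    insurance_deductible: float = 0.0   # loss the insurer will not cover per incident

    def __post_init__(self) -> None:
        # A likelihood outside [0, 1] is an estimation error, not a risk; fail loudly.
        if not 0.0 <= self.annual_likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be a probability in [0, 1]")


def expected_annual_loss(e: Exposure) -> float:
    """Cost of NOT fixing: likelihood x damage (annualised loss expectancy)."""
    return e.annual_likelihood * e.damage_cost


def insured_annual_cost(e: Exposure) -> float:
    """Cost of carrying insurance: the premium plus the deductible we still
    expect to pay ourselves when the insured event happens."""
    return e.insurance_premium + e.annual_likelihood * min(e.insurance_deductible, e.damage_cost)


def assess(e: Exposure, risk_appetite: float, horizon_years: int = 3) -> tuple:
    """Answer the slide's final question, "is the risk acceptable?".

    Returns (decision, annual cost of that decision). Assumptions (not from the
    slide): a fix removes the risk entirely and its one-off cost is amortised
    over `horizon_years`; for a risk above appetite the cheaper treatment wins.
    """
    eal = expected_annual_loss(e)
    if eal <= risk_appetite:
        return "accept", eal                     # within appetite: knowingly carry it
    fix_per_year = e.fix_cost / horizon_years
    insure_per_year = insured_annual_cost(e)
    if fix_per_year <= insure_per_year:
        return "fix", fix_per_year
    return "insure", insure_per_year


def prioritize(exposures: list, risk_appetite: float) -> list:
    """Rank exposures by expected annual loss (worst first), with a decision each."""
    rows = []
    for e in exposures:
        decision, cost = assess(e, risk_appetite)
        rows.append({"name": e.name, "expected_loss": expected_annual_loss(e),
                     "decision": decision, "annual_cost": round(cost, 2)})
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


# Constructed sample exposures; the numbers are illustrative, not from any real assessment.
SAMPLE_EXPOSURES = [
    Exposure("Brochure web site defacement", 0.30, 20_000, 15_000, 5_000),
    Exposure("Unpatched public web server", 0.40, 500_000, 20_000, 60_000, 50_000),
    Exposure("Legacy SCADA HMI on a flat network", 0.05, 2_000_000, 400_000, 30_000, 100_000),
]
RISK_APPETITE = 25_000   # constructed: max expected annual loss we are willing to carry

if __name__ == "__main__":
    for row in prioritize(SAMPLE_EXPOSURES, RISK_APPETITE):
        print(f"{row['name']:<36} EAL ${row['expected_loss']:>12,.0f}  "
              f"-> {row['decision']:<6} (${row['annual_cost']:,.2f}/yr)")
```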
Learn the basics (network, database, application, web)
Learn programming languages (Python – most useful)
Be passionate! You will learn more if you have the interest
Try out all the hacking practice sites. Lots of free training: YouTube, Google - research!!!
Follow websites, tweets, security news
Follow the new security threats, vulnerabilities
Learn the hacking tools, stay current with existing and newest Jedi tricks
Pay attention to the trend...
Set up a lab and try out Jedi tricks at home!
A few computers
A few Virtual Machines
Sample CyberSecurity Opportunities
Vulnerability Management
Secure Software Development
Encryption
Security Operations Center
Patch Management
Malware Analysis
Security Policy / Procedure
Forensics
ERP / SAP / Oracle
Network / Firewall / VPN
Threat Intelligence
Incident Response
Application Security
Penetration Testing
Project Manager
Database Security
Third-Party Security Risk
Regulatory Compliance
SCADA / PLC Security
Certification & Accreditation
Cyber Warfare (DoD, DHS, NSA, CIA)
Cloud Security / VM Security
Audit / Logging / Log coordination
Researcher – Focus on security issues
POS Security
IoT
Hardware Security
Verizon Data Breach Investigation Report - http://www.verizonenterprise.com/DBIR/2014
DHS CyberSecurity Portal - http://www.dhs.gov/topic/cybersecurity
DoD Information Assurance Portal – http://iase.disa.mil
Hacking Practice (Web App Pentest)
Hack This Site - https://www.hackthissite.org
Mutillidae - http://sourceforge.net/projects/mutillidae
Damn Vulnerable Web App - http://www.dvwa.co.uk
Security Knowledge
OWASP - www.owasp.org
DarkReading - www.darkreading.com
SANS Reading Room - https://www.sans.org/reading-room/
FireEye / Mandiant Threat Intelligence Reports - https://www.fireeye.com/current-threats/threat-intelligence-reports.html
YouTube, Twitter
Security Intel
Twitter - follow news, alerts - e.g. @Symantec, @TheHackersNews, @SCMagazine
SANS Internet Storm Center
US-CERT Alerts - Subscribe - https://www.us-cert.gov/ncas/alerts
NIST Vulnerability Database - https://nvd.nist.gov
Tools
Kali Linux - https://www.kali.org (Linux distro - comes with many tools - MUST HAVE)
Metasploit - http://www.metasploit.com
Sysinternals - https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
Basic Certifications
Security+
CEH
Kyle Lai
CISSP, CSSLP, CISA, CIPP/US/G
President & CTO
KLC Consulting, Inc.
@KLCConsulting
klai@klcconsulting.net
www.KLCConsulting.net
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Cyber Hacking & Security - IEEE - Univ of Houston 2015-04

  • 6. KLC Consulting 6
    CyberSecurity Definition:
    The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. (http://niccs.us-cert.gov/glossary)
    In Straight Talk:
    Your capability and readiness for attacks against your technology / systems / applications:
    Prevention / protection / monitoring / detection
    React / respond / attack* / counter attack* / handle breach notifications
    *Authorization required
  • 7. KLC Consulting 7
    Source: https://buildsecurityin.us-cert.gov/sites/default/files/BobMartin-CybersecurityEcosystem.pdf
  • 8. KLC Consulting 8
    Cloud / Outsource
    * "Scope of Supplier Expansion and Foreign Involvement" graphic in DACS, www.softwaretechnews.com
  • 9. KLC Consulting 9
    "92% of the incidents we've seen over the last 10 years — and 94% of the breaches in 2013 — can be described with just nine patterns."
    Source: Verizon 2014 Data Breach Investigations Report
  • 10. KLC Consulting 10
    Advanced Persistent Threat (APT)
    Distributed Denial of Service (DDoS)
    Cross-Platform Malware
    Metamorphic and Polymorphic Malware
    Phishing
    Source: Recorded Future - Cyber Threat Landscape: Basic Overview and Attack Methods
  • 11. KLC Consulting 11
    A1: Injection
    A2: Broken Authentication and Session Management
    A3: Cross-Site Scripting (XSS)
    A4: Insecure Direct Object References
    A5: Security Misconfiguration
    A6: Sensitive Data Exposure
    A7: Missing Function Level Access Control
    A8: Cross-Site Request Forgery (CSRF)
    A9: Using Known Vulnerable Components
    A10: Unvalidated Redirects and Forwards
  • 13. KLC Consulting 13
    Critical Infrastructure: Power grid / Oil pipelines
    Financial Services: Banking / Wall Street
    Government Services: Fire / Police / Water / Traffic Light
    Several nations are capable of launching large-scale attacks against the USA
  • 14. KLC Consulting 14
    Live Attacks - http://map.ipviking.com (no sensors in China, so attacks made upon China cannot be seen)
  • 15. KLC Consulting 15
    Source: http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
    • Cyber Weapon – Stuxnet attacked Iranian nuclear centrifuges in 2010
    • It is claimed to be the first effective cyber weapon
    • Infects the environment by USB
    • Attacks industrial programmable logic controllers (PLCs)
    • Only targets Siemens systems running on Windows
    • Reportedly compromised Iranian PLCs
    • Collects information about industrial systems
    • Causes the high-speed centrifuges to tear themselves apart
    • Who made Stuxnet??? No one claimed responsibility…
  • 16. KLC Consulting 16
    Denial Of Service
    AMIDALA: We must continue to rely on negotiation.
    BIBBLE: Negotiation? We've lost all communications!
    (Also used in the Russia-Georgia war)
    Compromise Integrity, Escalation of Privilege...
    OBI-WAN: This is where it ought to be... but it isn't. Gravity is pulling all the stars in this area inward to this spot. There should be a star here... but there isn't.
    JEDI CHILD: Because someone erased it from the archive memory.
    OBI-WAN: But Master Yoda, who could have erased information from the archives? That's impossible, isn't it?
    YODA: (frowning) Much harder to answer, that question is.
  • 17. KLC Consulting 17
    You Possess Fundamental Skills for CyberSecurity
    Strong PROBLEM SOLVING SKILLS
    Programming skills
    Advanced computer skills
    Understand a mix of technologies
    Acquire new skills
    Think outside the box when it comes to creative problem solving
    Learn penetration testing skills
    Think like a BAD hacker, and see how you can protect your employer
    Learn Risk Assessment: identify vulnerabilities and potential areas of exposure; estimate the cost of damage should an attack come via this vulnerability, the cost to fix, the cost to not fix, and the cost of carrying business insurance to cover the risk; then decide: is the risk acceptable?
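The risk-assessment steps on slide 17 worked into code: each exposure carries the estimates the slide asks for (damage if attacked, cost to fix, cost to not fix, insurance cost), and the helper answers the closing question of whether the risk is acceptable. This is an added example, not the presenter's material; the `RiskItem` fields, the one-year cost comparison, the "fix wins a tie" rule and the sample dollar figures are all assumptions made here.

```python
from dataclasses import dataclass


@dataclass
class RiskItem:
    """One vulnerability or exposure with the estimates slide 17 asks for.
    Money in dollars; likelihoods as expected successful attacks per year.
    (Field set is an assumption of this example, not the presenter's.)"""
    name: str
    damage_cost: float          # estimated loss if an attack comes via this vulnerability
    annual_likelihood: float    # expected successful attacks per year if nothing is done
    cost_to_fix: float          # one-off remediation cost
    residual_likelihood: float  # expected attacks per year after the fix
    insurance_premium: float    # annual premium to transfer the risk (hypothetical)
    insurance_coverage: float   # fraction of the damage the policy would pay, 0..1


def annual_expected_loss(damage_cost: float, likelihood: float) -> float:
    """The 'cost to not fix', expressed per year: damage x expected frequency."""
    return round(damage_cost * likelihood, 2)


def option_costs(item: RiskItem) -> dict:
    """Expected one-year cost of each way of handling the risk.
    Assumption: the fix is paid for entirely in year one."""
    accept = annual_expected_loss(item.damage_cost, item.annual_likelihood)
    fix = round(item.cost_to_fix
                + annual_expected_loss(item.damage_cost, item.residual_likelihood), 2)
    uninsured_share = item.damage_cost * (1.0 - item.insurance_coverage)
    insure = round(item.insurance_premium
                   + annual_expected_loss(uninsured_share, item.annual_likelihood), 2)
    return {"accept": accept, "fix": fix, "insure": insure}


def assess(item: RiskItem, risk_appetite: float) -> tuple:
    """Answer 'is the risk acceptable?'.

    risk_appetite is the expected annual loss the business is willing to carry.
    If doing nothing stays within it, accept the risk; otherwise pick the cheaper
    of fixing or insuring (fix wins a tie, since it also lowers the residual risk).
    """
    costs = option_costs(item)
    if costs["accept"] <= risk_appetite:
        return "accept", costs
    choice = "fix" if costs["fix"] <= costs["insure"] else "insure"
    return choice, costs


def prioritize(items: list) -> list:
    """Rank exposures by expected annual loss, highest first, so the team
    works on the most costly risk before the most visible one."""
    return [i.name for i in sorted(
        items,
        key=lambda i: annual_expected_loss(i.damage_cost, i.annual_likelihood),
        reverse=True)]


# Constructed sample figures for illustration (not from the slides).
PORTAL_SQLI = RiskItem("SQL injection in customer portal", 2_000_000, 0.10,
                       50_000, 0.005, 80_000, 0.75)
LOBBY_KIOSK = RiskItem("Outdated kiosk browser in lobby", 5_000, 0.20,
                       2_000, 0.02, 1_000, 0.90)

if __name__ == "__main__":
    for item in (PORTAL_SQLI, LOBBY_KIOSK):
        choice, costs = assess(item, risk_appetite=25_000)
        print(f"{item.name}: {choice}  {costs}")
    print("work order:", prioritize([LOBBY_KIOSK, PORTAL_SQLI]))
```

With the sample figures the portal injection costs about $200,000 a year if left alone, $60,000 if fixed and $130,000 if insured, so it is fixed; the kiosk stays under the $25,000 appetite and is accepted. The point of the exercise is the comparison, not the exact numbers: the estimates are the hard part, and the code only makes the trade-off explicit.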
  • 18. KLC Consulting 18
    Learn the basics (network, database, application, web)
    Learn programming languages (Python – most useful)
    Be passionate! You will learn more if you have the interest
    Try out all the hacking practice sites. Lots of free training. YouTube. Google - research!!!
    Follow websites, tweets, security news
    Follow the new security threats, vulnerabilities
    Learn the hacking tools, stay current with existing and newest Jedi tricks
    Pay attention to the trend...
    Set up a lab and try out Jedi tricks at home! A few computers, a few virtual machines
  • 19. KLC Consulting 19
    Sample CyberSecurity Opportunities
    Vulnerability Management, Secure Software Development, Encryption, Security Operations Center, Patch Management, Malware Analysis, Security Policy / Procedure, Forensics, ERP / SAP / Oracle, Network / Firewall / VPN, Threat Intelligence, Incident Response, Application Security, Penetration Testing, Project Manager, Database Security, Third-Party Security Risk, Regulatory Compliance, SCADA / PLC Security, Certification & Accreditation, Cyber Warfare (DoD, DHS, NSA, CIA), Cloud Security / VM Security, Audit / Logging / Log coordination, Researcher – focus on security issues, POS Security, IoT Hardware Security
  • 20. KLC Consulting 20
    Verizon Data Breach Investigation Report - http://www.verizonenterprise.com/DBIR/2014
    DHS CyberSecurity Portal - http://www.dhs.gov/topic/cybersecurity
    DoD Information Assurance Portal – http://iase.disa.mil
    Hacking Practice (Web App Pentest)
      Hack This Site - https://www.hackthissite.org
      Mutillidae - http://sourceforge.net/projects/mutillidae
      Damn Vulnerable Web App - http://www.dvwa.co.uk
    Security Knowledge
      OWASP – www.owasp.org
      DarkReading - www.darkreading.com
      SANS Reading Room - https://www.sans.org/reading-room/
      FireEye / Mandiant Threat Intelligence Reports - https://www.fireeye.com/current-threats/threat-intelligence-reports.html
      YouTube, Twitter
    Security Intel
      Twitter – follow news, alerts – e.g. @Symantec, @TheHackersNews, @SCMagazine
      SANS Internet Storm Center
      US-CERT Alerts - Subscribe - https://www.us-cert.gov/ncas/alerts
      NIST Vulnerability Database - https://nvd.nist.gov
    Tools
      Kali Linux - https://www.kali.org (Linux distro – comes with many tools – MUST HAVE)
      Metasploit – http://www.metasploit.com
      Sysinternals - https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
    Basic Certifications
      Security+
      CEH
  • 21. KLC Consulting 21
    Kyle Lai
    CISSP, CSSLP, CISA, CIPP/US/G
    President & CTO, KLC Consulting, Inc.
    @KLCConsulting
    klai@klcconsulting.net
    www.KLCConsulting.net