SUMMARY
• ETHICAL HACKING
• SECURITY AS A WAY TO LEARN
• IMAGE VS REALITY
• HACKER MINDSET
• THE REAL FULLSTACK
• WHERE TO BEGIN
• SECURITY AS A WAY TO MAKE BUSINESS
• CURRENT STATUS
• OFFENSIVE SECURITY SERVICES
• DEFENSIVE SECURITY SERVICES
• DEV SEC OPS
• JOIN THE IT SECURITY ECOSYSTEM
WHO THE HELL ARE YOU?
• BATARD FLORENT @SHENRIL
• HTTP://CODE-ARTISAN.IO
• FRENCH
• DEVELOPER & SECURITY ENGINEER FOR 10 YEARS (FRANCE, SWITZERLAND, USA, JAPAN)
• TRY TO MIX THE DEVOPS TRENDS WITH SECURITY
ETHICAL HACKING
• HACKING WITH A SENSE OF RESPONSIBILITY
• TRY TO IMPROVE THE OVERALL SECURITY AWARENESS SITUATION
• TRY TO HELP THE PEOPLE REALLY BUILDING THE STUFF (RED TEAM / BLUE TEAM)
• ALSO REFERRED TO AS WHITE HAT
• TRY TO MAKE BUILT-IN SECURITY THE EASIEST CHOICE YOU CAN MAKE
SECURITY AS A WAY TO LEARN
SECURITY CAN BE FUN
IMAGE
What is hacking to you?
REALITY
• STATE SPONSORED CYBER ATTACKS
• NSA DEVELOPED ATTACKS MADE PUBLIC
• VULNERABILITY BUSINESS (VUPEN, COSEINC)
• ORGANIZED CRIME
• DARKWEB
• ECONOMIC ESPIONAGE
• AND EVENTUALLY SOME LONELY GENIUSES DOING IT FOR THE FAME AND THE INTEL
• THERE IS A MIDDLE GROUND
• COMING TO MATURITY FOR SOME COMPANIES
• LITTLE AWARENESS FROM THE PUBLIC ON WHAT'S REALLY POSSIBLE
• TOOLS AND MEANS TO HACK GOT OPENED TO EVERYONE (METASPLOIT, LOIC, SCANNERS, SQLMAP)
HACKER MINDSET
• HACKER WAS THE TERM FOR CURIOUS PEOPLE WHO FOUND NEW WAYS TO USE TECHNOLOGIES
• NEW WAYS OFTEN MEANT NOT PAYING FOR SOMETHING AND BECAME SECURITY RELATED
• LOVE TO SOLVE PROBLEMS AND INVESTIGATE
• LET’S DO THIS TODAY AND TAKE SOMETHING USUALLY PAINFUL TO MAKE IT YOUR STRENGTH
THE REAL FULLSTACK
• SECURITY IS THE MOST TRANSVERSAL DISCIPLINE IN I.T.
• WEB / IOT / OS / MOBILE / CONTAINERS
• FROM MEMORY (BUFFER OVERFLOW) TO UI (WEB XSS)
• IT ALLOWS YOU TO DISCOVER A WIDE RANGE OF TECHNOLOGIES
• LANGUAGES
• FRAMEWORKS
• SYSTEMS
• NETWORKS
WHERE TO BEGIN
• TWO APPROACHES
• BEGIN WITH WHAT YOU KNOW
• TAKE YOUR BELOVED TECHNOLOGY
• FIND THE SECURITY ASPECT OF IT
• GO HACK YOURSELF
• BEGIN WITH WHAT YOU WANT TO KNOW
• BROWSE THE HACKING SCENE
• INVESTIGATE THE AREAS YOU'RE INTERESTED IN
• JOIN EVENTS OR CONTESTS (CTF) TO CHALLENGE YOURSELF
WHAT CAN YOU DO
• TONS OF RESOURCES FOR TOOLS ONLINE
• SYSTEM HACKING: METASPLOIT, OPENVAS, NESSUS, GITHUB
• NETWORK HACKING: CAIN & ABEL, WIRESHARK, SCAPY, NMAP, AIRCRACK
• WEB HACKING: SQLMAP, WPSCAN, WPSEKU, BURP SUITE, OWASP ZAP, NIKTO, BEEF
• REVERSE ENGINEERING: IDA PRO, HEX-RAYS, CFF
• PASSWORD CRACKING: HASHCAT, HYDRA, JOHN
• SOCIAL ENGINEERING: MALTEGO, SET, USB KEYS, YOUR BALLS AND A PHONE
• TRAIN TO HACK:
• ONLINE CTF, SECURITY EVENTS, ONLINE CONTESTS
• METASPLOITABLE 1/2/3, REGULAR WINDOWS XP
• DAMN VULNERABLE LINUX, DAMN VULNERABLE WEBAPP
• WEBGOAT, MUTILLIDAE
METASPLOIT DEMO
• SCAN A REMOTE MACHINE
• EXPLOIT A REMOTE MACHINE
• DISCOVER METERPRETER AND GO PARANOID
SQLMAP DEMO
• SCAN A REMOTE WEBSITE
• TRY TO EXPLOIT PARAMETERS
• DUMP THE DATABASE AND PASSWORDS
STEPS TO ENLIGHTENMENT
1. LEARN THE TOOLS – REALLY! ATTACK PRACTICES, OPTIONS
2. LEARN THE CONCEPTS BEHIND THE TOOLS – NETWORK, OVERFLOW, INJECTIONS
3. LEARN THE TOOLS – HOW THEY DO IT
4. GO CTF AND JOIN A TEAM!
5. WRITE YOUR OWN TOOL, EXPLOIT A CVE?
6. SELL YOUR HACK TO A BUG BOUNTY
SECURITY AS A WAY TO MAKE BUSINESS
SECURITY CAN BE GOOD BUSINESS
CURRENT STATUS
• AWARENESS IS STILL SHALLOW
• THEY SENSE THE DANGER BUT DON’T ALWAYS KNOW HOW TO PREVENT IT OR IF THEY ARE VULNERABLE
• MOST COMPANIES MISS THE BASIC HYGIENE ABOUT INFORMATION SECURITY
• EXAMPLE: WANNACRY / PETYA / NOTPETYA
• EXPLOIT DEVELOPED BY THE NSA
• ETERNALBLUE, MS17-010
• AVAILABLE IN METASPLOIT FOR FREE, BOTH TO SCAN AND TO EXPLOIT
• ONLY NEEDS AN UPDATE
• JAPAN IS NOT A GOOD STUDENT ON THIS TOPIC AND IS QUITE FAR BEHIND
• LITTLE ECOSYSTEM: ABOUT 5 EVENTS ON THE TOPIC
• FEW PROFESSIONALS: THINKING OUTSIDE THE BOX IS PRETTY RARE
• FEW BUSINESSES RELATED TO SECURITY: TRENDMICRO, LAC, KCCS, KDL
• GOOD AT OPERATIONS BUT NOT AT R&D FOR SECURITY
OFFENSIVE SECURITY SERVICES
• SCAN OF VULNERABILITIES
• APPLICATION SCANNING
• INFRASTRUCTURE SCANNING
• CHECK OF OPEN PORTS AND AUTHORIZATION ON RESOURCES (S3 BUCKETS, SSH, RIGHTS)
• SOCIAL ENGINEERING CAMPAIGN: SEND FAKE EMAILS AND WRITE REPORTS
• REAL SECURITY ASSESSMENT
• LICENSE TO PWN: NEEDS A TIGHT CONTRACT
• GO FURTHER INTO SCANNING AND EXPLOITING
• EXPLOIT UNTIL PROOF OF COMPROMISE: SCREENSHOTS, DATA
• TRY TO STEAL DATA IN PERSON: THE CONMAN
DEFENSIVE SECURITY SERVICES
• AWARENESS
• HTTPS://HAVEIBEENPWNED.COM/
• TEST THEIR DEFENSE: SEND A PLACEBO VIRUS, SCAN OPEN PORTS FROM OUTSIDE
• PACKAGE VULNERABILITY MAILING LIST: A CVE COMES OUT, GET A TAILORED EMAIL
• REVIEW OF CONFIGS ON TOOLS / ENV: WAF, SECRETS, UNIX RIGHTS
• DEVELOPERS
• SECURITY CODE REVIEWS
• DEPENDENCY SECURITY: BRAKEMAN, APPCANARY
• AUTOMATIC SCANNING OF VULNERABILITIES ON TEST ENV: VADDY
• CREATE A CHECKLIST FOR DEVELOPERS: ASVS
STEP UP YOUR GAME
• PROPOSE SECURITY OPTIONS TO YOUR CURRENT WORK
• SECURITY MAINTENANCE
• REGULAR SECURITY SCANS
• THREAT INTELLIGENCE
• PROPOSE SECURITY SOLUTIONS TO YOUR CLIENTS
• CODE REVIEWS
• PENETRATION TESTING
• REGULAR / REAL-TIME SCANS
• AWARENESS VERIFICATION
• INCIDENT HANDLING
• INTRODUCTION TO SECURITY SOLUTIONS
DEV SEC OPS
• MAKE SECURITY THE EASIEST CHOICE TO MAKE
• INTEGRATE INTO PIPELINES
• USE RECIPES TO BUILD SECURITY
• AUTOMATIC DEPENDENCY CHECKS
• AUTOMATIC KNOWN-VULNERABILITY CHECKS
• UPDATE POLICY ON SECURITY EVENTS
• WHAT OS VERSION DO YOU USE FOR PRODUCTION?
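The "a CVE comes out, get a tailored email" service from the defensive slide and the "automatic known-vulnerability check" from this DevSecOps slide are the same pipeline step: match an advisory feed against what production actually runs and alert only on packages whose installed version predates the fix. The script below is an added illustration written for this page, not the speaker's tooling; the feed shape, the `CVE-0000-000x` placeholder IDs and the inventory are all constructed sample data.

```python
"""Tailored CVE alerting: only advisories for packages we run, at a version
older than the fix. Feed format and all values below are constructed samples
(placeholder CVE ids), not a real advisory source."""

# Constructed advisory feed; "fixed_in" is the first release without the bug.
FEED = [
    {"id": "CVE-0000-0001", "package": "openssl", "fixed_in": "1.1.1k", "severity": "high"},
    {"id": "CVE-0000-0002", "package": "rails", "fixed_in": "5.2.4", "severity": "critical"},
    {"id": "CVE-0000-0003", "package": "nginx", "fixed_in": "1.20.0", "severity": "medium"},
]

# Constructed inventory: the honest answer to "what version runs in production?".
INVENTORY = {"openssl": "1.1.1j", "rails": "5.2.4", "python": "3.8.10"}


def parse_version(v):
    """'1.1.1k' -> ((1,''), (1,''), (1,'k')): numeric parts compare as ints,
    a letter suffix sorts after the bare number, so 1.1.1 < 1.1.1j < 1.1.1k."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)


def is_vulnerable(installed, fixed_in):
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(installed) < parse_version(fixed_in)


def tailored_alerts(feed, inventory):
    """Keep advisories for packages present in the inventory whose installed
    version predates the fix; most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    hits = [a for a in feed
            if a["package"] in inventory
            and is_vulnerable(inventory[a["package"]], a["fixed_in"])]
    return sorted(hits, key=lambda a: rank.get(a["severity"], 9))


def render_mail(alerts, inventory):
    """Plain-text e-mail body; empty string means there is nothing to send."""
    if not alerts:
        return ""
    lines = ["Packages in production with a known, unpatched CVE:"]
    for a in alerts:
        lines.append(f"- {a['id']} [{a['severity']}] {a['package']} "
                     f"{inventory[a['package']]} -> update to {a['fixed_in']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_mail(tailored_alerts(FEED, INVENTORY), INVENTORY) or "nothing to report")
```

Run from a CI job against the real package list and the real feed, the empty-body case is the signal to stay quiet, so the mail only arrives when an update is actually due.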
JOIN SECURITY ECOSYSTEM
• OWASP events worldwide, Kansai too
• Security topics at your favorite events
• DevSecOps practices
• Podcasting and Blogging
• Defensive Security Podcast
• Troy Hunt
• Exploit-db
• IPA / CERT
THANK YOU
• FEEL FREE TO ASK QUESTIONS!

Ethical hacking for fun and profit
