INFORMATION SECURITY
About
■ Shritam Bhowmick
 Application Security/ Red Team Lead @Defencely – 2016
 Information Security Sciences Trainer @CTG Security Solutions – 2014
 Penetration Tester & Associate Consultant R&D @Lucideus Tech - 2012
■ Primary Focus
 Application Security
 R&D @Information Security Sciences – refer: http://pwntoken.github.io/
 Security Operations Center & Active Threat Intelligence (SOC)
 Assessing & Auditing Security Threats for Organizations & “others”
AGENDA
■ Information Security - Explanation
■ Domains of Information Security - Explanation
■ Demonstration of Hacks
■ Information Security Advisory
■ Conclusion & Questionnaire
Why Information Security!?
What Information Security!?
■ Science of post-exploitation & maintaining access privileges
■ Science of reporting advisories to governments & corporate clients into contract security engagements
■ Science of public disclosures
■ Science of enumeration of active services, hosts, networks & applications
■ Science of information gathering regarding the active hosts, services, networks & applications
■ Science of research to manually figure vulnerabilities & proceed to exploitation phase
How!?
Domains of Information Security
Application Security
■ Web Application Security
■ Web Business Logic Security
■ Web Database Security
■ JavaScript Security
Network Security
■ Internal Network Security
■ External Network Security
■ VOIP Network Security
■ Wireless Network Security
Infrastructure Security
■ Network Security Architectural Review
■ Application Security Architectural Review
■ Network Configuration Security Audits
■ Infrastructure Security Compliances & Audits, e.g. PCI-DSS, ISO 27001, NIST, OWASP, WASC
Alert! Boring part!
Domains of Information Security
Application Security
■ Perform application security assessments
■ Perform validation, authentication, authorization security checks
■ Perform Application Security checks against RFI, LFI, SQL Injections & other complicated security test cases
■ Perform Business Logic flow security checks such as parameter tampering, session handling & management security checks
Network Security
■ Perform network security assessments
■ Perform network security services assessment checks
■ Perform network security internal + external perimeter checks & assessments which are exploitable
■ Perform Wireless Security protocols security checks such as weak protocols supported, etc.
Infrastructure Security
■ Perform security audits & reviews – these are not assessments but reviews
■ Perform network architectural security checks
■ Perform application architectural security checks
■ Perform compliance security checks for top e-commerce & govt. sectors & banking industries
THREAT REPORTING BENCHMARK
THREAT REPORTING BENCHMARK SAMPLE
CLIENTS HATE THIS PART!!
Demonstration of Hacks
Getting Hacks Ethically Resolved!?
- contracts, engagements, corporate agreements, patches
Demonstration of Hacks
Refer:
https://www.facebook.com/whitehat/thanks/
Information Security Advisory
■ Public Disclosure
■ Non-Disclosure Agreement
CURRENTLY SERVING
Blogs .. Connect. Leverage.
■ Blog @ http://pwntoken.github.io/
■ LinkedIn: /in/shritambhowmick
Thank You!
Questions!?

Information Security Awareness