The document is a presentation by Heba Hamdy Farahat on various aspects of cybersecurity, including data breaches, capture the flag (CTF) competitions, and how to get started in the field. It highlights famous incidents, necessary skills, and resources for learning and practicing cybersecurity techniques through various CTF platforms. Additionally, it provides insights into penetration testing, incident response, and the importance of hands-on experience in the cybersecurity industry.

1. PLAY,LEARN AND HACK
Presented by
Heba Hamdy Farahat
Information Security Consultant, SecureMisr
IFSEC Global Influencer in Security & Fire 2019- #3 in Young Professionals category-

2. WHOAMI
• Information Security Consultant, SecureMisr
• One of three finalists Women in Cybersecurity Awards “New Comers” , ISW
Conference’19, Vienna
• Top Influencers in Security & Fire” for 2019. Ranked #3 in the Young Professionals /
Ones-to-Watch category
• Recent certifications: OSCP and eWPT
• https://www.linkedin.com/in/heba-hamdy-farahat-5501595b/

3. AGENDA
• Introduction to cybersecurity
• Famous data breaches
• How to start in cybersecurity
• What is a CTF
• CTF types
• CTF resources
• CTF demo “Let’s play CTF together ;)”

4. HOW MANY WAYS CAN A THIEF
STEAL THIS CAR?

5. EVERYTHING & EVERYONE CAN BE HACKED

6. DATA BREACHES

7. FACEBOOK ADMITS CYBER ATTACK MAY
HAVE EXPOSED INFO FROM 50 MILLION
ACCOUNTS
A vulnerability in Facebook’s code that impacted “View As”.
This allowed attackers to steal Facebook access tokens which they could then use to take over
people’s accounts![*]
[*] Reference:
https://newsroom.fb.com/news/2018/09/security-update/

8. TWITTER CEO AND CO-FOUNDER JACK DORSEY
HAS ACCOUNT HACKED[*]
[*]Reference: https://www.wired.com/story/jack-dorsey-twitter-hacked/

9. IOT ATTACKS

10. THE MIRAI BOTNET (AKA DYN ATTACK)
The largest DDoS attack ever was launched on service provider Dyn
Reference: https://www.youtube.com/watch?v=UMTTaMPJ8fc

12. HUMAN HEART CAN BE HACKED
What hackers can do?
Gain access
Disable some functions
Or even Stop device!
Reference: https://www.newsmax.com/Health/health-news/heart-pacemaker-device-hack/2018/03/15/id/848918/

13. Have you been hacked also?
WHAT ABOUT YOU?
https://haveibeenpwned.com/

14. HOW TO START IN CYBERSECURITY ?

15. CYBERSECURITY FUNDAMENTALS
 Programming:
• JavaScript, HTML, PHP, C,Python,..etc
 Network Fundamentals:
• CCNA routing & switching
 Database Fundamentals
 Operating Systems Fundamentals
 Linux and Windows Administration

16. CORE COURSES
 Security Fundamentals
CEH course ( No need to get certificated),Security+
 Network Security Fundamentals
• CCNA Security/CCNP Security
VPN- Firewall –Network security concepts –IPS –IDS ..etc
Information Security
Offensive security which covers all penetration testing aspects (network, web, IOT,
etc...)
Malware Analysis and Reverse Engineering
Incident handling and Digital forensics

17. WEB APPLICATION PENETRATION
TESTING
• How does web work? Protocols used?
• Learn about web attacks
• Practice on web attacks and make sure you understand them well
• Useful Resources:
• OWASP TOP 10
• https://www.cybrary.it/course/web-application-pen-testing/
• https://www.hacker101.com/videos

18. WEB APPLICATION PENETRATION
TESTING
• Resources to practice from:
• Vulnerable machines deduced for web attacks such as:
web for pentester machine
https://www.vulnhub.com/entry/pentester-lab-web-for-pentester,71/
• DVWA (DAMN Vulnerable Web Application)
• CTFs websites: will be mentioned in details later

19. NETWORK PENETRATION TESTING
• Hackthebox
• Vulnhub
• Certification: OSCP ( has market value)

20. DIGITAL FORENSICS AND INCIDENT
RESPONSE
• Reference : SANS 500 & 504 & 508
• Note: digital forensics in real world is quite different than CTFs

21. REVERSE ENGINEERING
• Prerequisites before starting to study reverse:
Basic programming knowledge ( Preferably C++ ) - Basic understanding of Data
structures ( Stack )
• Malware unicorn – Reverse Engineer at Facebook:
https://malwareunicorn.org/workshops/re101.html#1
https://malwareunicorn.org/workshops/re102.html#0
• References: Practical Malware Analysis (Great start)
• CTF:
• http://reversing.kr/
• http://flare-on.com/

22. WHAT IS A CTF?
• CTF (Capture The Flag)
• A kind of information security competition that challenges contestants to solve a
variety of tasks with different difficulty level( easy  hard)

23. CTFS(CAPTURE THE FLAG)
• “Knowing is not enough; we must apply. Willing is not enough; we must do.” -
Johann Wolfgang von Goethe

24. CTF TYPES
1. Jeopardy style CTFs
2. Attack/Defense style CTFs

25. JEOPARDY STYLE CTFS
Jeopardy style CTFs challenges are typically divided into categories:
• Cryptography - Typically involves decrypting or encrypting a piece of data
• Forensic: This consists of investigating and analyzing some type of data, such as network
captures (.pcap), core dumps or hard drives.
• Steganography - Tasked with finding information hidden in files or images
References:
https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04
https://www.sothis.tech/en/ctf-learn-hacking-by-playing/

26. JEOPARDY STYLE CTFS
• Web - This type of challenge is focused on finding and exploiting vulnerabilities in the web
application such as: SQL Injection, Cross-Site Scripting (XSS), brute force, CRLF, CSRF….
• Pwn - Exploiting a server to find the flag
• Reverse Engineering- An executable binary file (BIN, EXE, ELF, APK…) is usually analyzed.
Participants must find the flag or key by decompiling the file.Web - Exploiting web pages to
find the flag
References:
https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04
https://www.sothis.tech/en/ctf-learn-hacking-by-playing/

27. ATTACK/DEFENSE STYLE CTFS
• It focus on either attacking an opponent's servers or defending one's own.
References:
https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04
https://www.sothis.tech/en/ctf-learn-hacking-by-playing/

28. LEARN HACKING BY PLAYING=CTF

29. CTF RESOURCES& LINKS

30. • https://ctftime.org/ - Announces upcoming CTFs worldwide
• https://ctftime.org/writeups - CTFs’ writeup
• There are many CTFs however that are online 24/7 that can be used as practice and
learning tools. Here are some of them:
• https://overthewire.org/wargames/bandit/ - To get familiar with linux commands
• https://2019game.picoctf.com/problems- Yearly time-limited CTF now available to use
as practice – My favorite one-
References:
https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04
https://www.sothis.tech/en/ctf-learn-hacking-by-playing/
CTF RESOURCES& LINKS

31. CTF RESOURCES& LINKS
• Root me https://www.root-me.org/?lang=en -Site with many different types of
challenges, classified by levels.
• NACTF https://www.nactf.com/
• https://ctflearn.com - A collection of various user-submitted challenges aimed
towards newcomers
• https://github.com/apsdehal/awesome-ctf - Comprehensive list of tools and more
References:
https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04
https://www.sothis.tech/en/ctf-learn-hacking-by-playing/

32. CTF RESOURCES& LINKS
- These aren’t really in a CTF style like the other ones. They are vulnerable machines
with multiple vulnerabilities some of these vulnerabilities are related to web or any
other vulnerable running service. This will combine knowledge gained in web along
with skills required to do network penetration testing.
• Hack The Box: One of the most famous and fashionable hacking laboratories in the
world, they have machines with all kinds of operating systems and challenges with
different themes.
• VulnHub: Vulnerable virtual machines (.OVA) to download and mount on your own
computer.
References:
https://dev.to/atan/what-is-ctf-and-how-to-get-started-3f04
https://www.sothis.tech/en/ctf-learn-hacking-by-playing/

33. THE MOST IMPORTANT RESOURCE
Hacking is about learning something on the fly and CTFs give you this skill

34. LET’S START GAINING MONEY

35. BUG BOUNTY
• Hackerone
• Hacker101 CTF to start receiving invitations to private programs
• Intigriti
• Cesppa
• Bugcrowd
• Yogosha
• Synack

36. HACKING CONFERENCES
• Defcon, La Vegas, USA
• Bsides Delhi, India
• NULLCON, India
• HITB Security Conference, Amsterdam
• OWASP Seasides,India

37. CTF DEMO
• Let’s play CTF together ;)
• I will choose my favorite one – PICOCTF
https://2019game.picoctf.com/

38. CRYPTO-WARMUP
• The numbers
flag format of PICOCTF is picoCTF{}

39. THE NUMBERS SOLUTION
• We see that there are exactly 7 letters before {, so each number represents one
letter ( ‘P’ -> 16, ‘I’ -> 9, ‘C’ -> 3, etc.).
Aha, rule is easy!
the letter ‘P’ is on the 16th position in the alphabet, the letter ‘I’ on the 9th, and so on.

40. THE NUMBERS SOLUTION
16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14}

41. THE NUMBERS SOLUTION
16 9 3 15 3 20 6 { 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14}
P I C O C T F {T H E N U M B E R S M A S O N}
PICOCTF{THENUMBERSMASON}

42. WEB CHALLENGES
• First of all, what is burp suite?
https://2019shell1.picoctf.com/problem/9509/

43. WEB CHALLENGES
How to configure burp proxy?
https://2019shell1.picoctf.com/problem/9509/

44. INSP3CT0R-WEB CHALLENGE
https://2019shell1.picoctf.com/problem/9509/

45. INSP3CT0R-WEB CHALLENGE
• Solution:
• Wget –r https://2019shell1.picoctf.com/problem/9509/

46. OPEN TO ADMINS-WEB CHALLENGE

47. OPEN TO ADMINS-WEB CHALLENGE

48. GOOD LUCK IN YOUR CTF 
• Feel free to contact me through LinkedIn
https://www.linkedin.com/in/heba-hamdy-farahat-5501595b