Hacker HiJinx: Human Ways to Steal Data (presentation, 11/3/2017). Who We Are? Ethical Hackers & Security Consultants


Transcription:

November 3, 2017
Hacker HiJinx: Human Ways to Steal Data

Who We Are?
- Ethical Hackers & Security Consultants
- Respond To Incidents & Breaches
- Perform Digital Forensic Investigations
- Data Mine Internet Intelligence

About The Presentation
- Common Vulnerabilities We Often See
- Security Practices Your Users Should Know
- Best Practices to Harden Security

Businesses & People Get Hacked Everyday (Too Many To Count)
- 1 Billion Accounts
- 56 Million Credit Card Owners
- 45.7 Million Credit Card Owners
- 32 Million Personal Identities / Divorces?
- 80 Million Personal Identities & Healthcare Data

Incident/Breach Statistics for 2016
- Financial Motive
- On Average only 3% of the Victims of Spear Phishing Attacks Alerted Information Technology
- Confirmed Data Breaches Involved Weak, Default or Stolen Passwords
- Increase In Ransomware Incidents
Sources: 2016 Verizon Data Breach; Symantec IR Response Team, SNT 2016 Annual Report

Typical Attack Vectors
- Hack In From The Internet
- Hack In From Wireless
- Hack Over the Phone Lines
- Hack Web Applications
- Hack Via Social Engineering
Vulnerabilities Are Often Unaddressed

Attack Vector: Hack In From The Internet
Internet Facing Systems

Internet Facing Vulnerabilities: UNNECESSARY OPEN FIREWALL PORTS
- Port 80
- Port 443
- FTP (Port 21)
- RDP (Port 3389): We See This Too Often!

Internet Facing Vulnerabilities: UNPATCHED SYSTEMS
- Operating System Updates
- Third Party Updates

Internet Facing Vulnerabilities: RUNNING SERVICES
- Two Factor!
- PATCH!
- LEAKEDSOURCE? Accounts in the Database

Internet Facing Vulnerabilities: DEFAULT & WEAK AUTHENTICATION
- PASSWORD??? Hmmm... admin?

Internet Facing Vulnerabilities: If Successful With Any of the Previous Methods...
- Gain Shell!
- SAM File! (Security Account Manager)
- PW Dump
- Now We Crack Your Password! (Password Cracker)
- I'm Admin!

Typical Attack Vectors: Hacking In From Wireless

Wireless Vulnerabilities: ROGUE DEVICES
- Employees Often Install Them! With Little To NO Security

Wireless Vulnerabilities: POOR WIRELESS SECURITY
- WPA2: BETTER
- WPA: OK
- WEP: POOR!
- Capture Packet When They Try To Reconnect (TARGET USERS), Crack Packet, Use Credentials

Wireless Vulnerabilities: Wireless EVIL Twin
- SSID: ACMEFCU Wireless
- SSID: ACME-FCU Wireless
- "For Internet Connect to AcmeFCU Wireless"
- Thanks For The Creds! WOW! We have a 9G Wireless Network?

Attack Vector: Hack Over the Phone Lines (Still A Great Way to Hack!)

Telephony Vulnerabilities: War Dialing
- Acme FCU Phone Numbers
- What Answered! Alarm Systems, HVAC Systems, Integrated Lights Out Enabled Systems, Building Systems
- Toll Fraud!!!

Telephony Vulnerabilities: Eavesdropping
- Wireshark, Cain, VOMIT

Web App Vulnerabilities: Cross Site Scripting & SQL Injection
- WOW! Two Admin Accounts!

Attack Vector: Hack Via Social Engineering
- Dumpster Diving
- Pretexting: "Of Course! Can I Have Your Password?"
- Tail-Gating
- Shoulder Surfing
- Baiting
- We Forge Badges Then Tailgate Into Building
- We Put Them Everywhere! In Breakrooms. We Also Handed Them Out In The Cafeteria

What Happens When They Get Plugged In... People Were Instructed to Give Us Credentials
The Results?
- 1000 USB Devices
- 288 Inserted Them
- 180 People Gave Us Their User Name & PW

Human Error: Phishing is King

Human Error: Spear Phishing (Fear Was The Hook)
- Fooled To Go Here! Thanks! User Name / Password
The Results?
- 694 Phishing Emails Sent
- 220 People Clicked On The Link
- 197 People Gave Us Their User Name & PW

Human Error: NOT FAIR! (Industry Term)

Human Error: Spear Phishing (Free Stuff Was The Hook)
- Fooled Them To Go Here! User Name / Password
- That's Me! We Gave Them A Hint
The Results?
- 694 Phishing Emails Sent
- 160 People Clicked On The Link
- 128 People Gave Us Their User Name & PW

With Just One (1) User Name & Password...
- Read Your Email
- Control The Network
- Steal Your Identity
- Delete or Ransom Your Data
- Control Business Systems
- Control Office Equipment
- Control Physical Systems
- Steal Company Money
- Shutdown Your Business

Don't Get Hooked
- Who Is Sending This? If Not Sure, DO NOT Open Attachment
- They Didn't Know Your Name?
- They Threaten You To Do Something?
- They Instruct You To Do Something?
- Hover Over The Link... http://mal+hak-vctm-$.br

Don't Get Hooked
- Royal Inheritance: http:\\hacksite_malware_ vs. http:\\www.acmefcu.org
- Hover Over the Link: Is It Different? Notice the URL
- If It's Too Good To Be True? When in Doubt, Throw it Out

Don't Get Hooked: Suspect Email? When in Doubt?
- Verify The Email is Legit
- Question Any Instructions in the Email
- If Suspicious, Report it to I.T.
- When in Doubt, Throw it Out

Physical Access
- Sheeva or Pwn Plug
- Power Pwn Plug
Trusted Vendors?

Imposter Copier Technicians
- Open every panel on copier, dismantle it
- Disconnect copier from network
- Spoof IP of Copier
- Plug In your laptop and collect data
- Scan Network
- Exploit Vulnerable Systems
- Escalate Privileges
- Become Domain Admin

Tested at Other Locations
- Behind Teller Line
- In Drive Thru Teller Area
- Inside Data Centers
- Heating & Ventilation System

Imposter HVAC Technician
- Posed As HVAC Guys To Gain Access To Internal Network
- Explain You Need To Work Above Ceiling
- Plant Wireless Access Point
- Work In Data Center

The Vampire Rule: Invited Into Location
Complete Datacenter Access

QUESTIONS?

Thank you