John Butters Running Tiger Teams

Presentation transcript:

John Butters, Running Tiger Teams - What's the point? (19 September 2018)

Agenda
- Outline what we do
- Do's and don'ts

What is it?
Using the techniques of hackers or crackers, under legitimate authority and in a controlled environment, to find and/or exploit security vulnerabilities.
Includes:
- Internal
- External
- Social Engineering
- War Dialling
- Wireless
- Application
- Vulnerability Scans
Typical Findings:
- Technical - missing patches, misconfigurations, no IDS
- Non-technical - human practices, poor processes to monitor & respond, poor reaction times
- Trophies - access to a wide range of resources, sensitive and non-sensitive

Anatomy of a hack

Video Clips
- Trace route
- Password Cracking
- Bank hack


War Stories
- Global Oil Company - able to administer the process control unit for a gas pipeline
- Global Chemicals Company - access to HR information, strategic merger target information, personal credit card details, secret formulas/recipes
- Large Utilities Company - control of a large portion of the network, including business critical systems
- Global Hotel Chain - central reservation system, business plans, board report, executive compensation, guest and credit card details

Why do people buy it? Example one
Buyer - internal audit
Objective
- 1) To prove inadequacy of security
- 2) To score points, personal kudos
Scope
- known weak application
- limited by budget
- "safe" targets
- single site external attack

Scenario one - Results
- Technical report for IT to address (symptomatic response)
- Exec summary saying "you're vulnerable to hackers"
- Increased distrust and animosity between IT and IA
- High profile, resulting in total focus on solutions to the findings
- After actions to address the report, everyone relaxes because "we've had our security tested and we've fixed all the holes"
- Report to the business customers and the world that we're OK because we have regular testing and have addressed all the vulnerabilities
Conclusion: The exercise has done more harm than good.

Scenario two
Buyer - Global CISO
Objective - Determine vulnerability of corporate websites to defacement or DoS at the time of the global launch of a brand ($40 million spend)
Scope - Corporate websites, with specific emphasis on vulnerability to DoS or defacement by external attack
Result
- Some issues to address pre-launch
- Comfort that reasonable steps were taken to protect the corporate brand during the launch period
Conclusion - Right tool for the right purpose. Happy client.

Pros and Cons
Pros
- Attention & awareness
- Positive result implies weakness
- Relatively quick and inexpensive
- Keeps people on their toes
- Useful component of an overall assurance programme
Cons
- FUD (fear, uncertainty, doubt)
- Potential agendas, internal conflicts
- Unbalanced view of security
- Negative result doesn't ensure security
- May be unrelated to business context
- Highlights problems, not solutions
- Tells techies nothing new
- Results misused to give false assurance
- Legal and risk implications
- Professional ethical hackers don't know all that the underground hacking world does
- Focus on the perimeter - perimeters are breaking down
- Like a baseball bat - a useful tool for the right purpose, but with more improper than proper uses

Doing it for the right reason
- As part of an overall security programme/assurance function, or for a specific purpose
- Clear objectives & scope
- Report relating to: the objectives; the business; addressing causes as well as symptoms
- Consider presentation alterations
- Clear follow-up actions
- Manage politics, legal issues & risk

Scoping & Objectives (flow diagram, flattened)
- Business Input feeds both stages: Assess Threats, then Develop Penetration Tests Used By Threat Groups
- Threat groups simulated: Remote Dial Up Attack; Internet Attack; Web Browser Attack; Internal Attack; Social Engineering
- Perform Tests Simulating Threat Groups
- Exposure Feedback, leading to: Strategic Actions; Short Term Fixes; Medium Term Actions

Questions