JMU GenCyber Boot Camp Summer, 2015. Introduction to Reconnaissance Information gathering – Social engineering – Physical break-in – Dumpster diving Scanning.

Slides:



Advertisements
Similar presentations
Lesson 3-Hacker Techniques
Advertisements

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
1 MIS 2000 Class 22 System Security Update: Winter 2015.
Protection from Internet Theft By James Seegars. What Is Hacking? Definition – A)To change or alter(Computer Program) – B) To gain access to (a computer.
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
SECURITY AND SOCIAL ENGINEERING US Department of Commerce Office of Security Updated 09/26/11 Security is Everyone's Responsibility – See Something, Say.
Safe Computing Dave Carter, CISSP Michigan State University College of Agriculture and Natural Resources.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Social Engineering Networks Reid Chapman Ciaran Hannigan.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Network Security Testing Techniques Presented By:- Sachin Vador.
Information Networking Security and Assurance Lab National Chung Cheng University COUNTER HACK Chapter 5 Reconnaissance Information Networking Security.
Hacking and Network Defense. Introduction  With the media attention covering security breaches at even the most tightly controlled organization, it is.
Reconnaissance Steps. EC-Council Gathering information from Open Sources  Owner of IP-address range  Address Range  Domain Names  Computing Platforms.
Computer Security and Penetration Testing
Social Engineering PA Turnpike Commission. “Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users”
Factors to be taken into account when designing ICT Security Policies
Authorization and Policy. Is principal P permitted to perform action A on object O? – Authorization system will provide yes/no answer Authorization.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Course ILT Security Unit objectives Configure operating system and file system security Install a fingerprint scanner and card reader Manage the human.
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.
Network Security Kevin Diep. Outline The five phrases of network penetration How to prevent exploitations and network vulnerability Ethical issues behind.
JMU GenCyber Boot Camp Summer, Cyberspace Risks and Defenses Facebook Snapchat P2P filesharing Apps Craigslist Scams JMU GenCyber Boot Camp© 2015.
Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
Chapter 4.  Can technology alone provide the best security for your organization?
1.1 System Performance Security Module 1 Version 5.
Chapter 16 Designing Effective Output. E – 2 Before H000 Produce Hardware Investment Report HI000 Produce Hardware Investment Lines H100 Read Hardware.
©Holm Publications Security Awareness Presentation.
Common Cyber Defenses Tom Chothia Computer Security, Lecture 18.
Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.
CIS 450 – Network Security Chapter 3 – Information Gathering.
Attacks On systems And Networks To understand how we can protect our system and network we need to know about what kind of attacks a hacker/cracker would.
DIYTP Assessing a System - Basics  Why?  Vulnerabilities  What to look at:  The six ‘P’s  Patch  Ports  Protect  Policies  Probe  Physical.
Information Systems Security Operations Security Domain #9.
FLOOR CANDY.
G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.
Dimeji Ogunshola 10b  There are many threats to your computer system. The computer threats can be mainly transferred through unknown s or accidental.
About Phishing Phishing is a criminal activity using social engineering techniques.criminalsocial engineering Phishers attempt to fraudulently acquire.
3.05 Protect Your Computer and Information Unit 3 Internet Basics.
What is risk online operation:  massive movement of operation to the internet has attracted hackers who try to interrupt such operation daily.  To unauthorized.
Topic 5: Basic Security.
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
What is Spam? d min.
Cyber Safety Mohammad Abbas Alamdar Teacher of ICT STS Ajman – Boys School.
Computer Security By Duncan Hall.
Lesson 4-General Security Concepts. The Role of People in Security  This presentation discusses: – The human element and the role that people play in.
LESSON 5-2 Protecting Your Computer Lesson Contents Protecting Your Computer Best Practices for Securing Online and Network Transactions Measures for Securing.
Creating and Managing Networks CSC February, 1999.
Web Security Introduction to Ethical Hacking, Ethics, and Legality.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Computer Security Sample security policy Dr Alexei Vernitski.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit.
ARE YOU A CYBER SECURITY RISK?. Pass the Hat Al QaedaFARCHezbollahIRAHAMAS.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Social Engineering: The Human Element of Computer Security
Social Engineering Dr. X.
Common Methods Used to Commit Computer Crimes
Lesson 3 Safe Computing.
Answer the questions to reveal the blocks and guess the picture.
Cybersecurity Awareness
Robert Leonard Information Security Manager Hamilton
Social Engineering No class today! Dr. X.
Information Security Session October 23, 2006
Lesson 2: Epic Security Considerations
6. Application Software Security
Presentation transcript:

JMU GenCyber Boot Camp Summer, 2015

Introduction to Reconnaissance Information gathering – Social engineering – Physical break-in – Dumpster diving Scanning – Modems/Wireless Access Points – Hosts – Network hardware – Services – Vulnerabilities JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 2

Reconnaissance – Step 1 Information gathering – investigate the target using publicly-available information Analogy: a bank robber “casing the joint” – Visit the bank – Note times employees (especially security guard) arrive and leave – Note location of security cameras, guards, safe, etc. – Determine make and model of alarm system and safe; Research them – Plan the robbery – Plan getaway route JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 3

Information Gathering Prior to launching an attack, skilled computer attackers often try to learn as much as possible about: – The systems and networks they plan to attack Hardware and software Topology Typical operation – Owners, users, and administrators JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 4

Tools for Information Gathering JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 5 The Web – Target organization’s web site may contain: Employee contact information and phone numbers Business partners Technologies in use – Other information about the target: Search engines Customers and business partners Whois databases ARIN DNS servers

Goals of Information Gathering Determine: – What is available to steal/deface/shutdown? – What avenue of attack is most likely to succeed? – What are the chances of getting caught? – Etc. JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 6

Social Engineering Deceiving people into revealing sensitive/useful information May be attempted: – In person or remotely (e.g. phone, , etc.) – Once or over a period of time Can result in: – Sensitive information – Unauthorized access – Passwords – Etc. JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 7

Social Engineering from The Master  The Art of Deception by Kevin Mitnick JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 8

Social Engineering - Examples A “new employee” calls the help desk to get help with a particular task An “angry manager” calls a lower-level employee because the manager’s password has suddenly stopped working An “administrator” calls an employee because there is something wrong with the employee’s account An “employee” in the field calls to get a remote access phone number JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 9

Defenses Against Social Engineering Policies – Information that should never be divulged over the phone – Procedures for maintenance, password resets, etc. User education JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 10

Social Engineering Examples Lottery Tickets Inheritance from Africa I Love You Virus Disk Space Over Quota Bank Account Suspicious Activity Bank Account updating system JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 11

Physical Break-ins An attacker might show up at an organization and attempt to: – Physically access computer systems – Install malicious hardware or software – Steal sensitive documents, storage media, or a computer system – Etc. JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 12

Defenses Against Physical Break-ins Policy – Locks – Alarms – Badges – Guards User education JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 13

Dumpster Diving What might an attacker be able to find by going through the trash? – Old versions of sensitive documents or – Discarded disks, tapes, and other media – Post-it note with a username and password – Etc. JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 14

Defenses Against Dumpster Diving Policy – Paper shredders – Media cleansers – Special trash cans for sensitive material User education JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 15

Reconnaissance – Step 2 Scanning – many tools are available to automate the search for: – Modems – Hosts – Network hardware – Services – Vulnerabilities JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 16

War Dialers Obtain a range of phone numbers used by the target organization – Phone book – Web – Social engineering A war dialer is a program that will dial each number and record whether or not a modem answers (ever seen War Games?) JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 17

War Dialers (cont) Once modems are found: – Nudging – send characters to modem and note the reply (hopefully a banner) – Look for modems which do not require passwords – For those that do require passwords, try some guesses Finding modems can be very valuable: – Can give remote (sometimes privileged) access to networks and systems PCanywhere, LapLink, ControlIT – Completely bypass Internet gateways and firewalls JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 18

Defenses Against War Dialers Policies – Who can have a modem? – How will it be secured? – How can employees remotely access their systems? Periodic checks for compliance User education JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 19

WarDriving/WarBiking/WarWalkin g Search for accessible wireless networks Examples: – Kismet ( ) – NetStumbler ( ) Defenses – Policy – Periodic compliance checks – User education JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 20

Reconnaissance - Summary Information gathering – Social engineering – Physical break-in – Dumpster diving Scanning – Modems – Wireless Access Points User Education! JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 21

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.