TRANSCRIPT
• I get paid to break into company and government networks for a living
• 23 years in various IT roles, both here and internationally
  o 7 years in security consulting
  o 5 years as a Pentester
• 1 of first 10 people globally to become a Certified Ethical Hacker
• 23 certifications
• Trainer of upcoming CEHs.
• The content presented today contains tools, techniques and resources used for hacking and illegal activities
• The content is for education purposes only
• Hacking is illegal. You MUST have written permission from the associated target/party(s)
• The underground sites presented today should not be visited and are monitored by federal authorities
• Kiandra does not condone illegal hacking or malicious activities.
Threat types (slide graphic): phishing, malware, social engineering, identity theft, bot/botnet, exploit
• Identify threats to the business
• Eliminate risks
• Compliance
• Instil confidence for clients
• Availability and data security
• The rapid growth of Hacktivism and ‘Anonymous’ type hacking groups / local chapters.
• Internet environment complexity
• New technologies, new threats and new exploits
• Limited focus on security
• Limited security expertise
• Limited funding
• Unreported incidents.
Breached records in 2016: 1,738,099,866 (1bln+)
1,512 reported breaches; 28 breaches per week reported
1,093 breach incidents in the US alone; 40 major breaches in Australia in 2016
In 47% of breaches the number of records compromised was unknown
The Ponemon Institute Cost of Cybercrime 2016 study shows on average cybercrime costs an Australian organisation anywhere from $900,000 to $7,100,000 per breach. Average is $2.64 million!
Breaches by industry (chart; sector labels: financial, industrial, services, technology, retail, public/gov, consumer, other (misc); values as shown: 14%, 14%, 12%, 12%, 9%, 8%, 7%, 24%)
Breaches by source (chart): 46% malicious outsider / cyber crims, 27% accidental loss / human error, 27% system glitch
Breach type (chart): identity theft 64%, financial access 16%, account access 11%, existential data 5%, nuisance 4%
• Loss of reputation / good will and revenue
• Data loss
• Privacy implications
• Theft of data
• Downtime or permanent closures
• Loss of revenue, cost of downtime and remediation $$$.
• Poor detection, response and escalation
• No formal policies for proactive auditing / event management or incident response
• Lack of security focus, expertise and expenditure. It costs too much money!
• Staff Awareness & Misconfiguration
• Not worth the bother! We have a firewall… Why would I be a target?
• Implementation of unauthorised devices into the network, e.g. mobile devices, BYOD.
• Insecure Network Design
• No Physical Security
• Recon/information gathering
• Social engineering and phishing attacks
• Client side attacks
• Wireless and mobile devices
• Execute, implant, harvest and exfil.
• The demo about to be presented contains common techniques, information leakage and vulnerabilities that EVERY organisation has
• It does not indicate that an organisation, person or entity is vulnerable or has weakness or vulnerabilities in their environment in any way.
• Although a specific organisation will be targeted, the same outcomes would be achieved against ANY organisation with an internet presence
• The demos are for education purposes only.
• We live in a digital age
• Information is everywhere
• Everything is online
• It’s easy to get (no tech hacking)
• You just need to know how to piece it all together!
PATH OF LEAST RESISTANCE
• Legacy systems
• IT provider
• USB
• Mobile devices
• Phishing
• Website
• Physical access
• Wireless
• Employees/users
• Passwords
• Security policies
• User awareness
• Security controls, firewalls, IDS/IPSs, patching, AV
• Scheduled security assessments, such as penetration testing.
• Social engineering
• Everybody loves receiving emails, especially with attachments
• Physical access – air-con/service, imitation of employees
• Weak wireless and user passwords
• Forgotten accounts left in place.
• Rogue Devices & Access Points
• Missing Patches
• USB Access
• 1-2 repeat offenders every engagement giving their passwords out multiple times
• Average 18% click rate
• People respond fast
• 25% would give us passwords
• Repeat offenders
• 25% would follow through with giving up credentials
• 4% would click on the link and give out their passwords in under 5 minutes
• People love phishing emails
• Pentest
• Incident response policy
• Cyber insurance coverage
• IT are doing the right thing: email and network protection, such as a firewall and an IPS (Intrusion Prevention System), endpoint protection, blocking USB, locking down the environment
• Monitoring, do you know when you are getting hacked?
• Staff awareness testing and regular training
• Pen-test: have you had one, and have the issues been remediated?
• Is an incident response policy in place and tested?
• Do you have Cyber insurance coverage in place and is the amount suitable?
• Have you got the necessary technical measures in place to reduce the risk of a cyber event?
• Do you have sufficient budget allocations for training and security?
• Have all staff undertaken awareness training, and is cyber security training incorporated into on-boarding?
Will you be hacked? (Daniel Weis)
Cyber Underground and Cybercrime
SURFACE WEB
• Anything that can be indexed by a typical search engine like Google, Bing or Yahoo
• The “visible web”
• 4 billion indexed web pages
• This is the web you know
DARK WEB
• Is a small portion of the deep web that has been intentionally hidden and is inaccessible through standard web browsers
• Can only be accessed with special software designed to hide you
• Contains darknet markets
• Anonymous marketplace ecosystem does in excess of $500,000 a day.
DEEP WEB
• The deep web is anything that a search engine can’t find
• Data behind firewalls, like corporate resources, business intranets, password protected websites, infrastructure etc.
• When they get shut down, they just come back again a short time later on a different provider
• Usually operate in countries with no cooperating jurisdiction, such as South America, Eastern Europe, South East Asia
• Use bulletproof hosting
• Mini ISPs (datacenters)
• Specialise in offering services that are largely immune from takedown requests and pressure from western law enforcement agencies.
• Located six miles off the coast of Suffolk, England
• Built during WW2 as an anti-aircraft gun platform
• Declared an independent nation in 1967
• Home to HavenCo, the world's first bulletproof hoster
• “Its own nation, its own rules.”
• Former home of Wikileaks
• Inside White Mountains of Stockholm
• Located below 30 meters of granite and secured by a 40-centimeter-thick door
• The data-center can withstand a hydrogen bomb attack.
• Abandoned NATO bunker
• Netherlands
• Discarded by Dutch military in 1994
• Built to survive a 20-megaton nuclear attack
• 5 subterranean levels.
DATA BREACHES
http://breachlevelindex.com
http://datalossdb.org/
www.Idtheftcenter.org
https://www.privacyrights.org
https://pages.riskbasedsecurity.com/2016-midyear-data-breach-year-in-review
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
COST CALCULATOR
http://www.trendmicro.com/vinfo/us/security/special-report/cybercriminal-underground-economy-series/global-black-market-for-stolen-data/
THREAT MAPS
http://cybermap.kaspersky.com/
http://map.ipviking.com/
https://www.fireeye.com/cyber-map/threat-map.html
http://www.digitalattackmap.com/
IOT / INTERNET FACING DEVICES
https://shodan.io
https://www.censys.io
https://ics-radar.shodan.io
• For more info, feel free to grab me after the presentation
• Drop an email to [email protected]
• Grab one of my business cards!
• Track me down on social networking
• Visit our website: kiandra.com.au