I get paid to break into company and government networks for a living (PowerPoint Presentation)


Post on 22-May-2018


Page 1: I get paid to break into company and government networks for a living ... •Pen-test, Have you had one ... PowerPoint Presentation

Page 2

• I get paid to break into company and government networks for a living

• 23 years in various IT roles, both here and internationally

o 7 years in security consulting

o 5 years as a Pentester

• 1 of first 10 people globally to become a Certified Ethical Hacker

• 23 certifications

• Trainer of upcoming CEHs.

Page 3

• The content presented today contains tools, techniques and resources used for hacking and illegal activities

• The content is for education purposes only

• Hacking is illegal. You MUST have written permission from the associated target/party(s)

• The underground sites presented today should not be visited and are monitored by federal authorities

• Kiandra does not condone illegal hacking or malicious activities.

Page 4

[Slide graphic: PHISHING, MALWARE, SOCIAL ENGINEERING, IDENTITY THEFT, BOT/BOTNET, EXPLOIT]

Page 5

• Identify threats to the business

• Eliminate risks

• Compliance

• Instil confidence for clients

• Availability and data security

• The rapid growth of Hacktivism and ‘Anonymous’ type hacking groups / local chapters.

Page 6

Page 7

Page 8

• Internet environment complexity

• New technologies, new threats and new exploits

• Limited focus on security

• Limited security expertise

• Limited funding

• Unreported incidents.

Page 9

Breached records in 2016: 1,738,099,866 (1 bln+)

1,512 reported breaches; 28 breaches per week reported

1,093 breach incidents in the US alone

40 major breaches in Australia in 2016

In 47% of breaches the number of records compromised was UNKNOWN

The Ponemon Institute Cost of Cybercrime 2016 study shows that on average cybercrime costs an Australian organisation anywhere from $900,000 to $7,100,000 per breach. The average is $2.64 million.

Page 10

[Chart: share by industry sector. Sectors shown: FINANCIAL, INDUSTRIAL, SERVICES, TECHNOLOGY, RETAIL, PUBLIC/GOV, CONSUMER, OTHER (MISC). Percentages shown, in slide order: 14%, 14%, 12%, 12%, 9%, 8%, 7%, 24%]

Page 11

• 46% Malicious outsider / cyber crims

• 27% Accidental loss / human error

• 27% System glitch

Page 12

• IDENTITY THEFT 64%

• NUISANCE 4%

• ACCOUNT ACCESS 11%

• FINANCIAL ACCESS 16%

• EXISTENTIAL DATA 5%

Page 13

Page 14

Page 15

Page 16

• Loss of reputation / good will and revenue

• Data loss

• Privacy implications

• Theft of data

• Downtime or permanent closures

• Loss of revenue, cost of downtime and remediation $$$.

Page 17

• Poor detection, response and escalation

• No formal policies for proactive auditing / event management or incident response

• Lack of security focus, expertise and expenditure. It costs too much money!

• Staff Awareness & Misconfiguration

• Not worth the bother! We have a firewall… Why would I be a target?

• Implementation of unauthorised devices into the network, e.g. mobile devices, BYOD.

• Insecure Network Design

• No Physical Security

Page 18

• Recon/information gathering

• Social engineering and phishing attacks

• Client side attacks

• Wireless and mobile devices

• Execute, implant, harvest and exfil.

Page 19

• The demo about to be presented contains common techniques, information leakage and vulnerabilities that EVERY organisation has

• It does not indicate that an organisation, person or entity is vulnerable or has weaknesses or vulnerabilities in their environment in any way.

• Although a specific organisation will be targeted, the same outcomes would be achieved against ANY organisation with an internet presence

• The demos are for education purposes only.

Page 20

• We live in a digital age

• Information is everywhere

• Everything is online

• It’s easy to get (no tech hacking)

• You just need to know how to piece it all together!

Page 21

Page 22

Page 23

Page 24

Page 25

PATH OF LEAST RESISTANCE

Page 26

[Slide graphic: Legacy systems, IT provider, USB, Mobile devices, Phishing, Website, Physical access, Wireless, Employees/users, Passwords]

Page 27

• Security policies

• User awareness

• Security controls, firewalls, IDS/IPS’s, patching, AV

• Scheduled security assessments, such as penetration testing.

Page 28

• Social engineering

• Everybody loves receiving emails, especially with attachments

• Physical access – air-con/service, imitation of employees

• Weak wireless and user passwords

• Forgotten accounts left in place.

• Rogue Devices & Access Points

• Missing Patches

• USB Access

Page 29

People love phishing emails: average 18% click rate

People respond fast: 4% would click on the link and give out their passwords in under 5 minutes

25% would give us passwords (would follow through with giving up credentials)

Repeat offenders: 1-2 repeat offenders every engagement giving their passwords out multiple times

Page 30

• Pentest

• Incident response policy

• Cyber insurance coverage

• IT are doing the right thing: email and network protection, such as a firewall and an IPS (Intrusion Prevention System), endpoint protection, blocking USB, locking down the environment

• Monitoring, do you know when you are getting hacked?

• Staff awareness testing and regular training

Page 31

• Pen-test, Have you had one, have the issues been remediated?

• Is an incident response policy in place and tested?

• Do you have Cyber insurance coverage in place and is the amount suitable?

• Have you got the necessary technical measures in place to reduce the risk of a cyber event?

• Do you have sufficient budget allocations for training and security?

• Have all staff undertaken awareness training, and is cyber security training incorporated into on-boarding?

Page 32

Page 33

Page 34

Will you be hacked? | Daniel Weis

Cyber Underground and Cybercrime

Page 35

SURFACE WEB

• Anything that can be indexed by a typical search engine like Google, Bing or Yahoo

• The “visible web”

• 4 billion indexed web pages

• This is the web you know

DEEP WEB

• The deep web is anything that a search engine can’t find

• Data behind firewalls, like corporate resources, business intranets, password protected websites, infrastructure etc.

DARK WEB

• Is a small portion of the deep web that has been intentionally hidden and is inaccessible through standard web browsers

• Can only be accessed with special software designed to hide you

• Contains darknet markets

• Anonymous marketplace ecosystem does in excess of $500,000 a day.

Page 36

Page 37

Page 38

• When they get shut down, they just come back again a short time later on a different provider

• Usually operate in countries with no jurisdictions, such as South America, Eastern Europe, South East Asia

• Use bulletproof hosting

• Mini ISPs (datacenters)

• Specialise in offering services that are largely immune from takedown requests and pressure from western law enforcement agencies.

Page 39

• Located six miles off the coast of Suffolk, England

• Built during WW2 as an anti-aircraft gun platform

• Declared an independent nation in 1967

• Home to HavenCo, the world's first bulletproof hoster

• “Its own nation, its own rules.”

Page 40

• Former home of Wikileaks

• Inside White Mountains of Stockholm

• Located below 30 meters of granite and secured by a 40-centimeter-thick door

• The data-center can withstand a hydrogen bomb attack.

Page 41

• Abandoned NATO bunker

• Netherlands

• Discarded by Dutch military in 1994

• Built to survive a 20-megaton nuclear attack

• 5 subterranean levels.

Page 42

Page 43

DATA BREACHES

http://breachlevelindex.com

http://datalossdb.org/

www.Idtheftcenter.org

https://www.privacyrights.org

https://pages.riskbasedsecurity.com/2016-midyear-data-breach-year-in-review

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

COST CALCULATOR

http://www.trendmicro.com/vinfo/us/security/special-report/cybercriminal-underground-economy-series/global-black-market-for-stolen-data/

THREAT MAPS

http://cybermap.kaspersky.com/

http://map.ipviking.com/

https://www.fireeye.com/cyber-map/threat-map.html

http://www.digitalattackmap.com/

IOT / INTERNET FACING DEVICES

https://shodan.io

https://www.censys.io

https://ics-radar.shodan.io

Page 44

Page 45

• For more info, feel free to grab me after the presentation

• Drop an email to [email protected]

• Grab one of my business cards!

• Track me down on social networking

• Visit our website: kiandra.com.au