It's OK to get hacked

DESCRIPTION

Presentation by Jaco van Gaan at IIA in 2001. This presentation is about the use of ethical hackers in business. It begins with a series of discussions about hackers: what they do, how they do it and the different types of hackers.

TRANSCRIPT
- 1. It's OK to get H@CK3D
- 2. Introduction
  - About me
  - About SensePost
  - References
    - http://www.sensepost.com
    - [email_address]
    - [email_address]
- 3.
  - Who got h@ck3d?
  - Hackers - the enemy or close friend?
  - Evaluating the work of ethical hackers
  - Internal audit tips and tricks
  - Questions
- 4.
  - Problem vs origin
  - De-face
    - Unauthorized change to a web page
    - Not necessarily damage or data loss
    - Loss in reputation
    - http://www.attrition.org/mirrors
- 5. What hackers do:
  - Steal
    - Information - to use and to sell
    - Money from accounts
    - Goods through e-buying
    - Resources - time and equipment
  - Talk, boast
  - Leave backdoors open
    - Launch new attacks
- 6. How do they do it?
  - Social engineering
  - Networking
  - Resources from the web...
- 7.
  - Information gathering
  - Footprinting
  - ID servers/services by port scan
  - ID OS, service types (MS, IIS)
  - Check vulnerability databases
  - Run vulnerability checker (whisker)
  - Search for exploit tool / build exploit tool
  - Use tool
  - Gain control
  - De-face, delete, cover tracks.
- 8.
- 9.
  - Understand the origin of the problem before trying to address it
  - Different types
    - Script kiddies
    - Professional hackers
    - Government agencies
    - Ethical hackers
  - Motivation behind attempts
    - Hacker manifesto: "Our only crime is curiosity"
- 10.
  - Who would target you?
- 11. Evaluating the work of ethical hackers
- 12.
  - ID vulnerabilities proactively
  - Measure effectiveness of controls and security investment
  - Verify vendor and technology claims
  - Create awareness
  - Improve IT staff skills and knowledge
  - Motivate security expenditure
  - Get objective, independent results
  - Business pressure
  - Setting benchmarks
  - Continual measurement and monitoring
- 13. External assessment (audit)
  - Collect and evaluate evidence to determine whether a computer system:
    - safeguards assets
    - maintains data integrity
    - allows the goals of an organisation to be achieved efficiently and effectively
  - Security policy as control document
  - International standards: SAS 70, BS 7799.
- 14. Ethical hackers - evaluation
  - Organization
    - Independence
    - References
    - Experience
    - Certification
    - Cost
    - Ethics
    - Services offered
    - Backing: subsidiary/insurance
- 15. Ethical hackers - evaluation
  - Methodology
    - Certification/benchmark
    - Audit plan
    - Execution according to plan
    - Report
    - Recommendations & resolution
- 16. Ethical hackers - evaluation
  - Resources
    - Business skills
    - Experience: qualifications, certifications, bodies
    - Individual background
  - The brief: how, what, where?
    - Type: logical, physical or social
    - Restrictions / conditions
    - Internal / external
- 17. Ethical hackers - evaluation
  - Toolbox
    - Tool combinations: wider vulnerability exposure
    - Proprietary or off the shelf
  - Confidentiality
    - NDA
- 18.
- 19.
- 20.
- 21.
  - Value your information assets
  - Evaluate your risk
  - Be requirement driven, not technology driven
  - Enable your business
- 22. The internal auditor
  - Separation of duties
  - Security policy
  - Use of a specialist
  - Be cautious of strange software
- 23. Questions?
- 24.
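Slide 4 defines a de-face as an unauthorized change to a web page, and slide 7 ends the attack sequence with exactly that step. The control an internal auditor would look for is a content-integrity baseline: record a hash of every published file, keep that record somewhere the web server cannot write, and compare on a schedule so a changed page or a file that was never published is flagged. The following is an added example, not code from the presentation or from SensePost; the directory layout, file names and file contents are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a file's content."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(webroot: Path) -> dict[str, str]:
    """Record the hash of every file under the web root, keyed by its relative path."""
    return {
        p.relative_to(webroot).as_posix(): hash_bytes(p.read_bytes())
        for p in sorted(webroot.rglob("*"))
        if p.is_file()
    }


def check_integrity(webroot: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current web root with the stored baseline.

    Returns three sorted lists: files whose content changed (a classic de-face),
    files present now but absent from the baseline (never published by the site
    owner), and baseline files that have disappeared (the 'delete' step).
    """
    current = build_baseline(webroot)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then alter the index page and drop an extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome to the constructed site</h1>")
        (root / "img").mkdir()
        (root / "img" / "logo.png").write_bytes(b"\x89PNG constructed placeholder bytes")

        baseline = build_baseline(root)  # in practice: store off-host or read-only

        # Unauthorized changes made after the baseline was taken (constructed).
        (root / "index.html").write_text("<h1>page replaced</h1>")
        (root / "extra.html").write_text("<p>file not in the published set</p>")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline must be trusted more than the web root it describes: if it lives in the same directory with the same permissions, whoever replaced the page can update the manifest too. Keeping it on the auditor's own system, or in a signed or read-only location, is what turns a hash list into evidence of the kind slide 13 asks for.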