Top 5 Ways to Destroy a Company [BruCON]


DESCRIPTION

Copied directly from Chris John Riley's blog: http://blog.c22.cc/2010/09/25/brucon-top-5-ways-to-destroy-a-company/

Top 5 ways to destroy a company (Chris Nickerson)

No one cares about your findings. We work all day and they ignore your reports! Well, why does that happen?

• What we give them isn’t important. Managers don’t care about shells!
• They don’t care about what we care about!

What do they care about?

• The product line
• The brand
• The employees
• The bottom line

What do you know about the company’s product line? If you didn’t research it, then why not! Don’t you think you should care about what the company cares about?

How do you figure out what’s important?

• Step 1: Your opinion doesn’t matter (unless you’re one of the execs that really are in the know)
• Step 2: Think like them. You need to translate your speech to something they understand.
• Step 3: Do work… not on shells, on process, models, information

If you get paid to just go in and hack fuck somebody, then you’re a prostitute.

What kind of stuff are you looking for?

• Secret
• Confidential
• Internal Use Only
• Public

Going for the secret stuff is great, but what if the Confidential stuff gives you access to the secret stuff? What if the public stuff should be secret?

The business understands CIA (Confidentiality, Integrity, Availability)… all of these factors link into criticality. If you don’t do this, you’re a bad tester!

The customer needs to give you information on what assets exist, the risks, and therefore how critical it is to the company.

Sometimes you’re wrong… email isn’t the most important thing in your company!

You only have a limited time to test; you don’t have unlimited time to test like blackhats do!

Top 5 ways to destroy a company

• Tarnish the brand
• Alter the product
• Attack the employees
• Effect financials directly
• Your turn!

Tarnish the brand (How to do it)

• Understand the brand
• Identify key words to market
• Knowledge of the competitor advantage/disadvantage
• Intelligence profiles on the “keepers of the brand”
  ◦ Face of the brand
  ◦ Executives
  ◦ Key personnel
  ◦ Entire marketing/design team
• Reverse engineering the “go to market”
• Take over the “indicators of quality”
  ◦ False issues (product misdirection)
  ◦ Negative reviews
  ◦ Use by non-standard customers
  ◦ False company response

Alter the product (How to do it)

• Compare listing of products/services depending on the organization
• Chain of command for product development or service integrity
• Historical review of the product's timeline
• …

Attack the product (How to do it)

Company specific!

• Software companies
  ◦ Create bugs
  ◦ Make backdoor (then tell the media)
  ◦ Cause errors in function
  ◦ Add hidden features!
  ◦ Divert their code to your servers…
• Hospitals
  ◦ Change patient diagnosis
  ◦ Attack HVAC and crank the heat
  ◦ Disable critical alerts
  ◦ Attack crash carts to disable on-the-fly care
  ◦ Attack narcotic dispensing stations
  ◦ Alter patient doses
• Manufacturing plants
  ◦ Alter the product line (make something different)
  ◦ Change design specs
  ◦ Speed up the line… overflow
  ◦ Slow down the line… underflow (deadlines)
  ◦ Add or remove the product features
  ◦ Decrease quality
  ◦ Break shit… a lot

Attack the employees (How to do it)

• Profile who they are (Nessus doesn’t tell you that!)
• Find out where they live
• Figure out what “dangers” they might have at the office
• Figure out their daily routine, then make a kidnapping profile
• Use the company against them
  ◦ Food?
  ◦ Manufacturing equipment?
  ◦ General Terrorism

SLIDES

TOP 5 WAYS TO DESTROY A COMPANY

I’M CHRIS

MY CREDENTIALS

Shell doesn’t matter

What do companies care about and how do we know?

Top 5

Born from the Fire

No one cares about your findings!

HOW WE FEEL ABOUT IT

HOW THEY FEEL ABOUT IT

You don’t know… Admit it!

WHAT DO THEY CARE ABOUT?

THE PRODUCT LINE

THE BRAND

THE EMPLOYEES

THE BOTTOM LINE

You don’t know… Admit it!

HOW TO FIGURE OUT WHAT IS IMPORTANT

STEP #1 YOUR OPINION DOESN’T MATTER

STEP #2 THINK LIKE THEM

STEP #3: DO WORK

Yea… this is the boring stuff… but u gotta do it….

• Secret: Information that would be severely damaging to the company and brand.

• Confidential: Information that would impede or cause significant financial damage to the organization if made public or shared internally.

• Internal Use Only: Information generally available to all or most employees but not approved for general circulation outside the organization.

• Public: Information approved for general circulation outside the organization.

Confidentiality, Integrity, Availability → Criticality

Risk Factors            Confidentiality   Integrity   Availability
Patient Data
Credit card Numbers
Marketing Information
Cash
Customer Assets

Risk Factors            Confidentiality   Integrity   Availability
Patient Data            H                 H           H
Credit card Numbers     H                 M           M
Marketing Information   L                 M           L
Cash                    L                 M           L
Customer Assets

Legal/ Compliance/ Financial risk

Inconvenience

Possible Image/Brand Effect

Possible profitability loss

Risk Factors            Confidentiality   Integrity   Availability   SCORE
Patient Data            H                 H           H              5
Credit card Numbers     H                 M           M              4.3
Marketing Information   M                 M           L              1.6
Cash                    L                 M           L              1.6
Customer Assets

Scale: HIGH 5, MEDIUM 3, LOW 1

Two cells marked X on the slide:

• Changed to H after conversation of how it impacts profitability
• Changed to L after conversation of how it was already public information

But we had to do it to make sure we have a PROCESS to let them tell us what they care about… even when they don’t know what it is…
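The scoring exercise above is the part of the talk a tester can turn into a repeatable tool: rate each asset the business names on Confidentiality, Integrity and Availability, convert the ratings with the slide's HIGH 5 / MEDIUM 3 / LOW 1 scale, record every change the business owner asks for together with the reason, and then let the resulting criticality drive where the limited testing time goes. The following is an added example written for this page; it is not code from the talk or the slide deck. The slides do not state the formula behind the SCORE column, so the score here is assumed to be the plain mean of the three ratings (which is why the numbers differ from the slide's 4.3 and 1.6), the proportional hour allocation is an assumption of this example, and the asset names, ratings and the revision in `main` are sample input constructed from the slide.

```python
"""Asset criticality worksheet modelled on the CIA scoring slides.

Added example, not from the talk. Assumptions: score = mean of the three
CIA ratings (the slide does not give its formula); testing hours are split
in proportion to score; sample assets are constructed from the slide.
"""
from dataclasses import dataclass, field

# HIGH 5 / MEDIUM 3 / LOW 1, as on the slide
SCALE = {"H": 5, "M": 3, "L": 1}
FACTORS = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    # audit trail of (factor, old, new, reason) for changes made after
    # talking to the business owner, mirroring the "Changed to ..." notes
    revisions: list = field(default_factory=list)

    def ratings(self) -> tuple:
        return (self.confidentiality, self.integrity, self.availability)

    def score(self) -> float:
        """Criticality score: mean of the three ratings (assumed formula)."""
        values = [SCALE[r] for r in self.ratings()]
        return round(sum(values) / len(values), 1)

    def revise(self, factor: str, new_rating: str, reason: str) -> None:
        """Change one rating and record why the business asked for it."""
        if factor not in FACTORS:
            raise ValueError(f"unknown factor {factor!r}")
        if new_rating not in SCALE:
            raise ValueError(f"rating must be one of {sorted(SCALE)}")
        old = getattr(self, factor)
        setattr(self, factor, new_rating)
        self.revisions.append((factor, old, new_rating, reason))


def rank_assets(assets: list) -> list:
    """Highest criticality first; ties keep the order the business listed them."""
    return sorted(assets, key=lambda a: a.score(), reverse=True)


def allocate_hours(assets: list, total_hours: float) -> dict:
    """Split a fixed testing budget in proportion to criticality score.

    Reflects the point in the talk that the tester's time is limited, so it
    should go to what the business says matters rather than to whatever
    happens to yield a shell. (Allocation rule is an assumption.)
    """
    ranked = rank_assets(assets)
    weight_sum = sum(a.score() for a in ranked)
    return {a.name: round(total_hours * a.score() / weight_sum, 1) for a in ranked}


def worksheet_from_slide() -> list:
    """Sample input constructed from the ratings shown on the slide."""
    return [
        Asset("Patient Data", "H", "H", "H"),
        Asset("Credit card Numbers", "H", "M", "M"),
        Asset("Marketing Information", "L", "M", "L"),
        Asset("Cash", "L", "M", "L"),
    ]


if __name__ == "__main__":
    assets = worksheet_from_slide()
    # Constructed revision: the slide moved marketing confidentiality
    # from L to M after a conversation about its effect on profitability.
    assets[2].revise("confidentiality", "M",
                     "business owner: leakage affects profitability")
    for a in rank_assets(assets):
        print(f"{a.name:<24}{''.join(a.ratings())}  score={a.score()}")
    print(allocate_hours(assets, total_hours=40))
```

Run it as a script to see the ranked worksheet and a 40-hour split; the `revisions` list on each asset is the record that lets the tester show the customer the process behind the final numbers.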

HOLY CRAP!!! THAT WAS BORING

THE TOP 5 WAYS TO DESTROY A COMPANY

• Tarnish the brand

• Alter the Product

• Attack the Employees

• Effect financials directly

• **It’s your turn…**

TARNISH THE BRAND

What’s in a name?

TARNISH THE BRAND (WHAT YOU WILL NEED)

• Understanding of the overall brand values

• Identification of key words used in marketing message

• Knowledge of competitor advantages/disadvantages

• Intelligence profiles on the “Keepers of the Brand”

  ◦ Executives

  ◦ Key personnel

  ◦ Entire Marketing/Design Team

• Reverse engineering of the “go to market” strategy

• Identification of the “Customer Feedback” loop

• Identification of the Market’s “Indicators of Quality” and what drives customers to the “product”

TARNISH THE BRAND (HOW TO DO IT)

• Attack the marketing team

• Compromise the marketing process

• Alter marketing communication

• Alter brand messaging (logo/slogans/tone)

• Extend Marketing deliverable times through deletion, alteration, confusion

• Increase Time to market

• Pollute the customer feedback loop

• Take over the “Indicators of quality” and create

  ◦ False issues (product misdirection)

  ◦ Negative reviews

  ◦ Use by non-standard customers

  ◦ False company response

ALTER THE PRODUCT

Oops… did I do that?

ALTER THE PRODUCT (WHAT YOU WILL NEED)

• Complete listing of products (or services) depending on the organization

• Chain of command for product development or service integrity

• Historical review of the product's timeline

• Understanding of where alteration can cause

  ◦ Degradation of the product quality

  ◦ Effect to the consumer

  ◦ Direct financial loss

  ◦ Physical loss

  ◦ General Harm

  ◦ Loss of competitive advantage

ATTACK THE PRODUCT (HOW TO DO IT)

VERY Company Specific (examples?!)

#1 The Software Company

• Create bugs

• Make backdoors

• Cause errors in function (What if the calculations of a CRM product are off?)

• Add hidden features into their SVN/Software release cycle

• Remove feature tests or other parts of QA process

ATTACK THE PRODUCT (HOW TO DO IT)

VERY Company Specific (examples?!)

#2 The Hospital/Healthcare business

• Change patient diagnosis or history (like allergies)

• Attack HVAC systems to cause heat into Operating rooms

• Disable critical alert functions for disease control

• Attack crashcarts to disable on the fly patient care and records

• Attack Pyxis and automated narcotic dispensing stations

• Alter patient doses through in line network monitored administration devices.

ATTACK THE PRODUCT (HOW TO DO IT)

VERY Company Specific (examples?!)

#3 Manufacturing Company

• Alter the production line/process

• Cause the robots to over spray, weld, install wrong parts, go rogue

• Change formulas

• Speed or slow the line

• Create issues causing the company to fall out of compliance (9001/2 etc..)

• Add or remove features of the product

• Decrease quality

• Break shit..... Like a lot…. I mean… like all of it…. Beyond repair…

ATTACK THE EMPLOYEES

Tonight… you!

ATTACK THE EMPLOYEES (WHAT YOU WILL NEED)

• Profile who they are

• Find out where they live

• Figure out what “dangers” they may have at the office ;)

• Can you get them sick (attack scada/water/etc)

• Can you attack them with company property (robots!)

• Do they operate anything that could … fail?

• Do they make things that could be dangerous?

• Can you put them in dangerous situations?

ATTACK THE EMPLOYEES (HOW TO DO IT)

• Figure out their daily routine then MAKE A KIDNAPPING PROFILE

• Use the company against them

  ◦ Food?

  ◦ Manufacturing equipment?

  ◦ General Terrorism

• Releasing the horde?

• Kill their benefits

• Reduce their pay

• Charge their accounts (amex DOS)

DIRECTLY EFFECT BOTTOM LINE

All your $$$ are belong to me

DIRECTLY EFFECT THE BOTTOM LINE (WHAT YOU WILL NEED)

• Understanding of the overall picture of how they make $

• Identify what systems generate income

  ◦ Do they take credit cards?

  ◦ Do they have cash?

  ◦ Do they have other assets that have $$?

  ◦ Is there a market for their internal information (CI)?

  ◦ Is there a secret formula?

  ◦ Products that they create

PROCESS

Figure Out What the Company Thinks is Important

Steal It!

DIRECTLY EFFECT THE BOTTOM LINE (HOW TO DO IT)

YOUR TURN

What is #5?

TRY AND MAKE THE WORLD BURN

WHAT ELSE?

KEEP BEATING THEM DOWN

WHAT DO WE TAKE AWAY FROM THIS

• Shell doesn’t do anything

• Speak in their language

• Remove white/black hat and DO WORK

• Stop trying to rationalize why you are right…and change the game