Page 1

Ethical Hacking – TECHGIG EXPERT SPEAK SESSION – AUG 21ST 2015

SPEAKER – RASOOL KAREEM IRFAN

Page 2

Agenda

• State of information security and its importance in the digital era

• Hacking concepts and various phases

• Types of attacks and organization’s security controls

• Necessity of ethical hacking and skills for an ethical hacker

• Industry specific – India’s telecom Infrastructure and regulatory compliance

Page 3

State of Information Security

• Government: The personal details of 31 world leaders at the last G20 summit were accidentally disclosed by the Australian immigration department. The cause of the breach was human error.

• Healthcare: Attackers exfiltrated more than 80 million customer records from Anthem Inc. The cause of the breach was spear-phishing, a browser exploit and gaining admin access.

• Retail: Credit and debit card data belonging to 40 million customers was reported stolen. The cause of the breach was card-stealing malicious software introduced via a contractor.

• Financial: Personal information was stolen from more than 100 million South Korean credit cards and accounts. The cause of the breach was an insider job.

• Government: Hackers stole the sensitive data of 21.5 million applicants for security clearance who were undergoing background checks. The cause of the breach was unknown (but China was claimed to be responsible).

Page 4

Hacking concepts and various phases – Background

Security Incident: Any event that compromises the confidentiality, integrity, or availability of an information asset.

Data breach: An incident that resulted in confirmed data compromise (not just exposure) to an unauthorized party.

Who is doing it? Why are they doing it?

Source : Verizon 2014 Data Breach Report

Page 5

Hacking concepts and various phases

7 million vulnerabilities exploited in 2014

99% compromised more than a year after CVE

10 CVEs account for 97% of 2014 exploits

• Customers are most immediately concerned with direct personal damage from loss of data

• Employees can be overwhelmed by negative publicity and increased chaos in both their work and personal lives

• Business partners are concerned about the immediate threat of cross contamination and the longer-term integrity of business transactions

• Regulators are concerned about consumer protection, existential threats to the business, and the broader soundness of the industry

• Capital markets and shareholders are highly attuned to potential impacts to revenue and earnings in the near term and the viability of the brand over a longer time horizon.

How do they do it?

Page 6

Hacking concepts and various phases

RECONNAISSANCE: The attacker gathers as much information as possible about the target prior to launching the attack

SCANNING: The attacker scans the network for specific information on the basis of the information gathered during reconnaissance

GAINING ACCESS: The attacker obtains access to the operating system or application on the system or network

MAINTAINING ACCESS: The attacker retains ownership of the access to launch further attacks

CLEARING TRACKS: The attacker destroys evidence for various reasons, such as maintaining access and evading punitive actions

Page 7

Hacking tools

RECONNAISSANCE: DNS Interrogation, Email Tracking, Monitoring Web Updates, Website Footprinting

SCANNING: Network Scanning, Banner Grabbing, Vulnerability Scanning, Database Scanning

GAINING ACCESS: LDAP Enumeration, Sniffing, DDoS Attack, Session Hijacking

MAINTAINING ACCESS: Wi-Fi Hacking, iOS Jailbreaking, Evading Firewalls, Code Analysis

CLEARING TRACKS: Covering Tracks Tools

Depending on the device under target, the tool may vary

Page 8

Types of attacks and organization’s security controls

Organization's security controls: Firewall; Email Security; Web Security; IDS & IPS; Network Behavior Analysis

Types of attacks: Footprint reduction, scripts, etc.; APT, Zero-Day, Exploit Kits & Polymorphic malware; Virus, Trojans, Spam, etc.; Filtering, XSS, SQL Injection, etc.; Attack Patterns, malware, etc.

• 50% attacks take days to months of reconnaissance for a successful breach

• 70% of victims allow a breach to persist for weeks to months before detecting a compromise

Page 9

Necessity and skills for an ethical hacker

Ethical hacking is necessary because it allows the countering of attacks from malicious hackers by anticipating the methods they can use to break into a system.

Skills

• What can the intruder see on the target system? (Reconnaissance and Scanning phases)

• What can an intruder do with that information? (Gaining Access and Maintaining Access phases)

• Does anyone at the target notice the intruders' attempts or successes? (Reconnaissance and Covering Tracks phases)

• Are all the components of the information system adequately protected, updated, and patched?

• How much effort, time, and money is required to obtain adequate protection?

• Are the information security measures in compliance with industry and legal standards?
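The question "does anyone at the target notice the intruder's attempts?" and the Scanning phase on page 6 can be made concrete from the defender's side. The following is an added example, not part of the original slides and not the speaker's code: a minimal port-scan detector that reads constructed firewall log lines (the log format, the IP addresses and the threshold values are all assumptions made for this example) and flags any source that touches many distinct destination ports on one host within a short window.

```python
# Added example (not from the original slides): detect the "scanning" phase
# from firewall logs. Log format, addresses and thresholds are constructed for
# this example and are assumptions, not a real product's format.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; invented for this example).
# 203.0.113.7 probes ten ports of 192.0.2.10 within five seconds;
# 198.51.100.4 only touches three ports spread over several minutes.
SAMPLE_LOG = """\
2015-08-21T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2015-08-21T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2015-08-21T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2015-08-21T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2015-08-21T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2015-08-21T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=110 proto=tcp
2015-08-21T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 dport=143 proto=tcp
2015-08-21T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2015-08-21T10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp
2015-08-21T10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2015-08-21T10:00:07 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2015-08-21T10:00:09 DENY src=198.51.100.4 dst=192.0.2.10 dport=22 proto=tcp
2015-08-21T10:05:00 DENY src=198.51.100.4 dst=192.0.2.10 dport=23 proto=tcp
"""


def parse_line(line):
    """Parse one '<timestamp> <action> key=value ...' line into a dict."""
    ts, action, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "ts": datetime.fromisoformat(ts),
        "action": action,
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
    }


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=8):
    """Return {(src, dst): sorted distinct ports} for every source/host pair
    where the source hit at least `threshold` distinct ports inside `window`.

    Both ALLOW and DENY events are counted: a scan of open ports shows up as
    allowed connections, so looking at denies alone would miss it.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    # Group (timestamp, port) per source/destination pair, in time order.
    hits = defaultdict(list)
    for e in events:
        hits[(e["src"], e["dst"])].append((e["ts"], e["dport"]))

    alerts = {}
    for key, seq in hits.items():
        # Sliding window: starting at each event, collect distinct ports until
        # the window expires; alert on the first window that meets the threshold.
        for i, (start_ts, _) in enumerate(seq):
            ports = set()
            for ts, port in seq[i:]:
                if ts - start_ts > window:
                    break
                ports.add(port)
            if len(ports) >= threshold:
                alerts[key] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

The window and threshold are the tuning knobs: a slow scan spread over hours slips under a 60-second window, which is why real deployments also keep longer-horizon counters per source, and why the slide's later statistic (50% of attacks take days to months of reconnaissance) matters for detection design.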

Page 10

Industry | Telecom infrastructure

4G (3G LTE/SAE)

Core Network

3G/ 3.5G

IMS

Femto cell

OSI Model of network stack

SS7/ Sigtran core network protocol stack

Page 11

Industry | Telecom infrastructure

Sample tour

Sniffmap

SS7map

Page 12

Industry | India’s telecom infrastructure

According to the DoT Security Amendment dated 31-May-2011:

• Once a year the operator is to carry out a security audit (internal/external) of the network

• The telecom operator shall create facilities for monitoring all intrusions, attacks and frauds and report the same to the Licensor and to CERT-IN

• Network forensics, network hardening, network penetration testing, risk assessment, actions to fix problems and to prevent such problems from reoccurring

• A penalty of up to Rs 50 crores will be levied for any security breach which has been caused due to inadvertent inadequacy/inadequacies

• In case of inadequate measures prescribed under this amendment, acts of intentional omission, a deliberate vulnerability left in the equipment, or a deliberate attempt at a security breach, the penalty amount will be Rs. 50 crores per breach

• Besides the penalty, liability and criminal proceedings under the relevant provisions of various Acts such as the Indian Telegraph Act, Information Technology Act, Indian Penal Code (IPC), Criminal Procedure Code (CrPC) etc. can be initiated

Page 13

Telecom threats & recommendations

Legal and Regulatory: Are legal and regulatory driven security requirements adequately addressed and effectively enforced?

Security Governance: Is governance through security policies, processes, procedures and standards adequate and working as desired?

Vendor Security: Are the vendor operations secure? Are they increasing security risk?

Technical Security: Is the technical infrastructure securely designed and configured? Does it have exploitable security weaknesses?

Process Security Concern: Are business critical services secure?

• 50% of mobile operators world-wide could be suffering hour-long outages at a rate of once a year as a result of cyber attacks

• Growing security threats due to changing business models, emerging trends and technologies like Internet of Things (IoT), IPv6, IP based 4G networks (LTE)

DoT Security Compliance Assessment

Ethical Hacking (Vulnerability & Penetration Testing)

ISO27001 Governance Assessment

Vendor contract audit

Managed & Monitored Security

Page 14

Questions?

Page 15

Thank you

@rasoolirfan https://in.linkedin.com/in/rasoolirfan