1. Its OK to get H@CK3D

2. Introduction

• About me

• About SensePost

• References

• • http://www.sensepost.com

• • [email_address]

• • [email_address]

3.

• Who got h@ck3d?

• Hackers - the enemy or close friend?

• Evaluating the work of Ethical hackers

• Internal Audit tips and tricks

• Questions

Agenda

4.

• Problem vs Origin

• De-Face

• • Unauthorized change to web page

• • Not necessary damage or data loss

• • Loss in reputation

• • http://www.attrition.org/mirrors

Who got hacked?

5. What Hackers do:

• Steal

• • Information - to use and to sell

• • Money from accounts

• • Goods through e-buying

• • Resource - time and equipment

• Talk, Boast

• Leave backdoors open

• • Launch new attacks

6. How do they do it?

• Social engineering

• Networking

• Resources from the web...

7.

• Information gathering

• Foot printing

• ID servers/services by portscan

• ID OS, services types (MS, IIS)

• Check vulnerability databases

• Run vulnerability checker (whisker)

• Search for exploit tool / build exploit tool

• Use tool

• Gain control

• De- face, delete, cover tracks.

How do they do it 2?

8.

9.

• Understand the origin of the problem, before trying to address it

• Different types

• • Script kiddies

• • Professional hackers

• • Government agencies

• • Ethical hackers

• Motivation behind attempts

• • Hacker manifesto:

• Our only crime is curiosity

Hackers enemy or close friend?

10.

• Who would target you?

What me worry?!

11. Evaluating the work of Ethical Hackers

12.

• ID Vulnerabilities proactively

• Measure effectiveness of controls and Security investment

• Verify vendor and technology claims

• Create awareness

• Improve IT staff skills and knowledge

• Motivate Security expenditure

• Get objective, independent results

• Business pressure

• Setting benchmarks

• Continual measure and monitor

Why get Hacked?

13. External Assessment (Audit)

• Collect and evaluate evidence to determine whether a computer system :

• • safeguards assets

• • maintain data integrity

• • allow the goals of an organisation to be achieved efficiently and effectively

• Security policy as control document

• International standards: SAS 70, BS 7799.

14. Ethical Hackers- Evaluation

• Organization

• • Independence

• • References

• • Experience

• • Certification

• • Cost

• • Ethics

• • Services offered

• • Backing: subsidiary/insurance

15. Ethical Hackers - Evaluation

• Methodology

• • Certification/benchmark

• • Audit plan

• • Execution according to plan

• • Report

• • Recommendations & resolution

16. Ethical Hackers - Evaluation

• Resources

• • Business skills

• • Experience: qualification, Certifications, Bodies

• • Individual background

• The brief How, What, Where?

• • Type: logical, physical or social

• • Restrictions / conditions

• • Internal /external

17. Ethical Hackers - Evaluation

• Toolbox

• • Tool combinations: wider vulnerability exposure

• • Proprietary or off the shelf

• Confidentiality

• • NDA

18.

19.

20.

21.

• Value your information assets

• Evaluate your risk

• Be requirement driven, not technology driven

• Enable your business

The Internal Auditor

22. The Internal Auditor

• Separation of duties

• Security policy

• Use of a specialist

• Be cautious of strange software

23. questions?

24.