Presentation by Jaco van Gaan at IIA in 2001. This presentation is about the use of ethical hackers in business. It begins with a series of discussions about hackers: what they do, how they do it, and the different types of hackers.
1. It's OK to get H@CK3D
2. Introduction
About me
About SensePost
References
http://www.sensepost.com
3. Agenda
Who got h@ck3d?
Hackers - the enemy or close friend?
Evaluating the work of Ethical hackers
Internal Audit tips and tricks
Questions
4. Who got hacked?
Problem vs Origin
De-face
Unauthorized change to a web page
Not necessarily damage or data loss
Loss in reputation
http://www.attrition.org/mirrors
5. What Hackers do:
Steal
Information - to use and to sell
Money from accounts
Goods through e-buying
Resources - time and equipment
Talk, Boast
Leave backdoors open
Launch new attacks
6. How do they do it?
Social engineering
Networking
Resources from the web...
7. How do they do it 2?
Information gathering
Footprinting
ID servers/services by portscan
ID OS, service types (MS, IIS)
Check vulnerability databases
Run vulnerability checker (whisker)
Search for exploit tool / build exploit tool
Use tool
Gain control
De-face, delete, cover tracks.
9. Hackers - enemy or close friend?
Understand the origin of the problem before trying to address it
Different types
Script kiddies
Professional hackers
Government agencies
Ethical hackers
Motivation behind attempts
Hacker manifesto:
Our only crime is curiosity
10. What, me worry?!
Who would target you?
11. Evaluating the work of Ethical Hackers
12. Why get hacked?
ID vulnerabilities proactively
Measure effectiveness of controls and security investment
Verify vendor and technology claims
Create awareness
Improve IT staff skills and knowledge
Motivate security expenditure
Get objective, independent results
Business pressure
Setting benchmarks
Continually measure and monitor
13. External Assessment (Audit)
Collect and evaluate evidence to determine whether a computer system:
safeguards assets
maintains data integrity
allows the goals of an organisation to be achieved efficiently and effectively