Penetrating the Perimeter: Tales from the Battlefield

Phil Grimes

@grap3_ap3

Security Consultant

[email protected]

I am an adventurer

I have a computer

and a motorcycle

I do a lot of riding

And exploring

And breaking things you hold dear


Your Mission: Should You Choose to Accept It.

Highly regulated industry
- Expected to be protected

High value target - lots to steal!
- Money, hardware, data

One of the “Best Places to Work”
- Fun, open, helpful culture

Supposedly Secure
- > $100k in new security controls

“We want you to come break in. Give it your best shot. Do your worst.”

Making Entry

Made entry in ~7 minutes

Gained unauthorized access just before lunch

Wandered the facility at will for the day, unobstructed

Joined in an employee pot-luck

Accessed the executive offices

Found an empty office, camped out and watched until most of the people were gone for the day.

Tank, I need an exit… FAST!

Tuesday

Stopped for coffee

Persistent access

Office was still empty ---- so I moved in

Came back after lunch, settled in to work

Hands all over machines, malware installed

Wednesday

Returned again, blended in with employees

In and out at will

Getting to know the people

Hands all over more machines

Gained access to data center

Approached by “security” after lunch
- whose team are you on?

Thursday

Returned for debrief

Still didn’t “check in”

Security manager himself greeted me and LET ME IN

This Message Will Self Destruct

We are all warriors in an army

Change the culture

Fancy controls != security

Know what “normal” is

Question things that aren’t!

“…the average consolidated total cost of a data breach is $3.8 million representing a 23% increase since 2013.”

- IBM 2015 Cost of Data Breach Study

Thanks and Q & A

• securicon.com

• phillipgrimes.com

• Security is NOT a part time job!

He wins his battles by making no mistakes. Making no mistakes is what establishes the certainty of victory, for it means conquering an enemy that is already defeated. -Sun Tzu