Ch01 Security Overview.pdf
COMPUTER AND NETWORK SECURITY OVERVIEW
R Nunez - UP Diliman Network Janitor

… BROKEN INTO A LOT OF CORPORATE AND GOVERNMENT INFRASTRUCTURE.

LEGALLY OF COURSE

WHAT IS A HACKER?

"In academia, a hacker is a person who follows a spirit of playful cleverness and enjoys programming. The context of academic hackers forms a voluntary subculture termed the academic hacking culture."

This is why I got into security. I like to take things apart to see how they work, break things, and try to put them back together.

DEFINITIONS ...

Hackers
• Access a computer system or network without authorization
• Break the law; can go to prison

Crackers
• Break into systems to steal or destroy data
• The U.S. Department of Justice calls both groups "hackers"

Security Engineers
• Perform most of the same activities, but with the owner's permission
• Employed by companies to perform penetration tests

SECURITY PROFESSIONALS VS SCRIPT KIDDIES

Script kiddies
• Young, inexperienced hackers
• Copy code and techniques from knowledgeable hackers

Experienced penetration testers write their own programs or scripts in these languages:
• Perl, C, C++, Python, JavaScript, PowerShell, Bash, SQL, and many others

MASTERY TAKES TIME
• This talk alone won't make you a hacker, or an expert
• It takes years of study and experience to gain the knowledge and earn respect in the hacker community
• It's a hobby, a lifestyle, and an attitude
• A drive to figure out how things work

WHAT IT TAKES TO BE A SECURITY ENGINEER
• Knowledge of computer and network technology
• Ability to communicate with management and IT personnel
• Understanding of the laws
• Ability to understand, use and write the necessary tools

TECHNICAL FIELDS IN IT SECURITY

FIELDS IN IT SECURITY
• Risk Audit / Management
• Security Operations Center (SOC)
• Secure Code Auditing
• Reverse Engineering
• Offensive Security:
  • Penetration Testing
  • Vulnerability Management
  • Vulnerability and Exploit R&D
  • Red Teaming

FIELDS IN IT SECURITY (continued)
• Cyber Defense:
  • Network Security
  • Systems Security
  • Mobile / Application Security
• Digital Forensics & Incident Response (DFIR):
  • Incident Response and Handling
  • Disk, Memory, and System Forensics
  • Network Forensics
  • Smartphone / Mobile Forensics

PENETRATION-TESTING METHODOLOGIES

TYPES OF SECURITY TESTING

Vulnerability Assessment
• Enumerate a system's vulnerability and threat landscape: find and rate weaknesses, without exploiting them

Penetration Test
• Legal (written authorization, agreed scope and rules of engagement) attempt to find a company's weakest link and break into its network, exploiting weaknesses to show real impact

Security Assessment
• More than an attempt to break in; also includes analyzing the company's security policy and procedures
• Offers solutions to secure or protect the network
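The enumeration step of a vulnerability assessment, as an added example that is not part of the original deck: a small Python banner grabber of the kind the "experienced penetration testers write scripts" slide has in mind. It starts throwaway local listeners that greet with constructed banners (not captured from any real host), then walks a port list and records, per port, whether it is closed, open but silent, or identified by product and version. The regexes and the `start_fake_service` helper are this example's own, not a tool from the deck.

```python
import re
import socket
import socketserver
import threading

# Constructed sample banners for the demo (not captured from any real host).
SAMPLE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix\r\n",
    "silent": b"",   # stands in for a client-speaks-first service such as HTTP
}

# Product/version patterns for the banners this demo understands (assumed, not exhaustive).
BANNER_PATTERNS = [
    ("ssh",  re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_ ](?P<version>[\w.]+)")),
    ("smtp", re.compile(r"^220[ -](?P<host>\S+)\s+(?P<product>ESMTP(?:\s+\S+)?)")),
]


class _BannerHandler(socketserver.BaseRequestHandler):
    """Fake service: send the configured banner (if any), then close."""
    def handle(self):
        if self.server.banner:
            self.request.sendall(self.server.banner)


def start_fake_service(banner):
    """Start a throwaway TCP listener on 127.0.0.1 that greets with `banner`.
    Returns (server, port); call server.shutdown() when done."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _BannerHandler)
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def grab_banner(host, port, timeout=1.0, max_bytes=512):
    """Connect, wait up to `timeout` for the service to speak, and return what it said.
    None means closed/filtered; "" means it accepted the connection but sent nothing
    (either it waits for the client to speak first, or it hung up, as the fake does)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(max_bytes)
            except socket.timeout:
                return ""
    except OSError:          # ECONNREFUSED, connect timeout, unreachable, ...
        return None
    return data.decode("ascii", errors="replace").strip()


def parse_banner(banner):
    """Map a banner to (service, product, version). Unknown banners are kept
    verbatim as the product so nothing is silently dropped from the report."""
    if banner is None:
        return ("closed", None, None)
    if banner == "":
        return ("open-silent", None, None)
    for service, pat in BANNER_PATTERNS:
        m = pat.match(banner)
        if m:
            gd = m.groupdict()
            return (service, gd.get("product"), gd.get("version"))
    return ("unknown", banner, None)


def enumerate_services(host, ports, timeout=1.0):
    """The assessment's enumeration step: one row per port, nothing exploited."""
    return {p: parse_banner(grab_banner(host, p, timeout)) for p in ports}


def run_demo():
    """Spin up the fake services locally and enumerate them plus one closed port."""
    servers = [start_fake_service(SAMPLE_BANNERS[k]) for k in ("ssh", "smtp", "silent")]
    ports = [port for _, port in servers]
    # Bind-and-release a port so we have one that is (almost certainly) closed.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    ports.append(probe.getsockname()[1])
    probe.close()
    try:
        return enumerate_services("127.0.0.1", ports, timeout=0.5)
    finally:
        for srv, _ in servers:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for port, (service, product, version) in sorted(run_demo().items()):
        print(f"{port:5d}  {service:12s}  {product or '-':24s}  {version or '-'}")
```

The three outcomes of `grab_banner` are kept distinct on purpose: a refused connection, a silent open port and a greeting banner mean different things to the next step of an assessment, and collapsing them into "open/closed" is the most common mistake in home-grown scanners. The product and version strings are only what the service claims about itself; an assessment treats them as a starting point for checking against vendor advisories, not as proof of a vulnerability.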

WHITE BOX MODEL
• Tester is told everything about the network topology and technology
• Network diagram provided
• Tester is authorized to interview IT personnel and company employees
• Makes the tester's job a little easier

NETWORK DIAGRAM (figure: http://www.hp.com/rnd/images/pdf_html/highavailabilityWLANtopolog.jpg)

FLOOR PLAN (figure: http://www.bwtp.com/uploads/cablingdraft.gif)

BLACK BOX MODEL
• Company staff do not know about the test
• Tester is not given details about the network
• Burden is on the tester to find these details
• Tests whether security personnel are able to detect an attack
• Think James Bond

Whether staff are warned is a separate decision from how much the tester is told; an unannounced test is usually called blind or double-blind, and needs a named contact on the company side who does know, so that a real incident can be told apart from the test.

GRAY BOX MODEL
• Hybrid of the white and black box models
• Company gives the tester partial information
• Walk-through

TOOLS AND GADGETS

TIGER BOX
• Collection of OSs and hacking tools
• Usually on a laptop/notebook
• Helps penetration testers and security testers conduct vulnerability assessments and attacks
• What OS should I use?
• What hardware specs?

JUMPSTARTING INFOSEC CAREER

STEP 1 - Focus on the Core Concepts
• Windows
• Linux
• Networking
• Python
• Check out security standards: CIS benchmarks, NIST SP 800 series

STEP 1 - WINDOWS

STEP 1 - NETWORKING
• Get your stuff at home to work
• Know what it is doing
• Get some simulators
  • http://www.brianlinkletter.com/open-source-network-simulators/
  • GNS3, Cisco Packet Tracer, etc.
• Finally, get some gear
  • MikroTik and Ubiquiti are cheap and very powerful
  • Full-featured router for ~ $60

HAVE A PLAYGROUND ...

STEP 1 - LINUX
• Install everything from scratch

STEP 1 - SPECIFICS
• Learn Bash
• Learn Python online

FIND A MENTOR …

ACCEPT APPRENTICES…

STEP 2
• Start projects
• Start security groups
• Learn PowerShell
• Keep up with security

CONTRIBUTE TO OPEN SOURCE

STEP 3
• Web apps - PHP and ASP.NET
• Do networked iOS and Android

STEP 4
• Start hacking
• Learn IDA and Immunity Debugger
• Pick and understand a protocol
• Hit online challenges
• ZAP from OWASP

STEP 5

SANS PENTEST POSTER

READ READ READ ...

CERTIFICATIONS

Costs, exam formats and experience requirements below are as quoted in this deck (circa 2015); they have changed since, so check the issuing body before planning.

CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL - CISSP
• Issued by (ISC)², the International Information System Security Certification Consortium
• Usually more concerned with policies and procedures than technical details
• www.isc2.org
• $599 - Exam cost
• 6-hour exam
• 5 years' experience required for certification

CISSP (continued) - the ten CBK domains at the time of this deck
• Access control
• Telecommunications and network security
• Information security governance and risk management
• Software development security
• Cryptography
• Security architecture and design
• Operations security
• Business continuity and disaster recovery planning
• Legal, regulations, investigations and compliance
• Physical (environmental) security

CERTIFIED INFORMATION SYSTEMS AUDITOR - CISA
• Issued by ISACA
• $710 - Exam cost
• 4 hours / paper based
• 5 years' experience required for certification

CERTIFIED INFORMATION SECURITY MANAGER - CISM
• Issued by ISACA
• $710 - Exam cost
• 4 hours / paper based
• 5 years' experience required for certification

SANS - GSEC
• SysAdmin, Audit, Network, Security (SANS)
• Offers certifications through Global Information Assurance Certification (GIAC)
• Security Essentials (SEC401)
• 60 mostly technical topics
• $6210 - Boot camp training cost
• $729 - Certification exam cost

OSCP
• Offensive Security Certified Professional
• 24-hour, hands-on certification exam
• From the makers of BackTrack/Kali Linux
• Web / wireless / exploitation etc.
• Approx $1500

15 TOP PAYING CERTIFICATIONS FOR 2015 (first five shown)
• ISACA - CRISC - $119,227
• ISACA - CISM - $118,348
• ISC2 - CISSP - $110,603
• PMP - $109,405
• ISACA - CISA - $106,181

Source: http://www.globalknowledge.com/training/generic.asp?pageid=3

10 BEST IT JOBS - 2010
1. Security Specialist
"If you know how to keep your company's data secure, you were in demand yesterday, are in demand today and will be in demand tomorrow," - Tom Silver, senior vice president with Dice.com, said in a recent interview with Network World.
http://www.networkworld.com/news/2010/020110-best-it-jobs.html

6 HIGH PAYING JOBS OF THE FUTURE - 2013
2. Security professional
It turns out that many companies hire these experts to purposefully hack systems in order to pinpoint problems in security measures before their less-ethical counterparts get the chance.
http://www.forbes.com/sites/learnvest/2013/09/16/6-high-paying-jobs-of-the-future/

NOT SO RECENT CASES

GOOGLE HACKED!!!

RECENT CASES
• Google Hacked – Aurora Exploit
• Lockheed Hacked
• HBGary Hacked – Social Engineering
• Citibank Hacked
• RSA Hacked
• Sony Hacked – TWICE! – for the nth Time!
• Hacking Team – Hacked! Oh the Irony ...
• ASHLEY MADISON – Dumped!

SONY ENTERTAINMENT 11/24/14

In one of Sony Pictures’ many hacked emails, producer Scott Rudin sent an email to Sony Chairman Amy Pascal and called Jolie, an Oscar winner and recipient of the Jean Hersholt Humanitarian Award , “a minimally talented spoiled brat”.

PASCAL MET JOLIE

114 DOMAINS FROM PH (count per domain)

.GOV.PH
• doe.gov.ph: 1
• gsis.gov.ph: 1
• hgc.gov.ph: 1
• roxas.gov.ph: 1

.EDU.PH
• dlsu.edu.ph: 6
• apc.edu.ph: 2
• benilde.edu.ph: 2
• bicol-u.edu.ph: 2
• su.edu.ph: 2
• up.edu.ph: 2
• upd.edu.ph: 2
• xs.edu.ph: 2
• ama.edu.ph: 1
• amaes.edu.ph: 1
• antiquespride.edu.ph: 1
• bulsu.edu.ph: 1
• eac.edu.ph: 1
• evsu.edu.ph: 1
• faith.edu.ph: 1
• informatics.edu.ph: 1
• mcl.edu.ph: 1
• mymail.mapua.edu.ph: 1
• neu.edu.ph: 1
• rtu.edu.ph: 1
• shall.edu.ph: 1
• uplb.edu.ph: 1

DON'TS
• Sink into video games
• Waste your time going after epic Pokémon
• Binge-watch shows on Netflix
• Use Bing for anything
• Just barely learn Metasploit to impress women/men
• Spend more time on the hacker "look" than on learning
• Get angry
• Blame others

"Being able to break security doesn’t make you a hacker anymore than being able to hotwire cars makes you an automotive engineer. " – Eric S. Raymond
