COMPUTER AND NETWORK SECURITY OVERVIEW
R Nunez - UP Diliman Network Janitor
… BROKEN INTO A LOT OF CORPORATE AND GOVERNMENT INFRASTRUCTURE.
LEGALLY OF COURSE
WHAT IS A HACKER?
"In academia, a hacker is a person who follows a spirit of playful cleverness and enjoys programming. The context of academic hackers forms a voluntary subculture termed the academic hacking culture."
• This is why I got into security. I like to take things apart to see how they work, break things, and try to put them back together.
DEFINITIONS ...
Hackers
• Access computer system or network without authorization
• Breaks the law; can go to prison
Crackers
• Break into systems to steal or destroy data
• U.S. Department of Justice calls both hackers
Security Engineers
• Performs most of the same activities but with owner’s permission
• Employed by companies to perform penetration tests
SECURITY PROFESSIONALS VS SCRIPT KIDDIES
Script kiddies
• Young inexperienced hackers
• Copy codes and techniques from knowledgeable hackers
Experienced penetration testers write programs or scripts using these languages
• PERL, C, C++, Python, JavaScript, PowerShell, BASH, SQL, and many others
MASTERY TAKES TIME
• This talk alone won’t make you a hacker, or an expert
• It takes years of studying and experience to gain the knowledge and earn respect in the hacker community
• It’s a hobby, a lifestyle, and an attitude
• A drive to figure out how things work
WHAT IT TAKES TO BE A SECURITY ENGINEER
• Knowledge of computer and network technology
• Ability to communicate with management and IT personnel
• Understanding of the laws
• Ability to understand, use and write necessary tools
TECHNICAL FIELDS IN IT SECURITY
FIELDS IN IT SECURITY
• Risk Audit / Management
• Security Operations Center (SOC)
• Secure Code Auditing
• Reverse Engineering
• Offensive Security:
  • Penetration Testing
  • Vulnerability Management
  • Vulnerability and Exploit R&D
  • Red Teaming
FIELDS IN IT SECURITY
Cyber Defense:
• Network Security
• Systems Security
• Mobile / Application Security
• Digital Forensics & Incident Response (DFIR):
  • Incident Response and Handling
  • Disk, Memory, and System Forensics
  • Network Forensics
  • Smartphone / Mobile Forensics
PENETRATION-TESTING METHODOLOGIES
TYPES OF SECURITY TESTING
Vulnerability Assessment
• Enumerate a system’s vulnerability and threat landscape
Penetration Test
• Legal attempt to find a company’s weakest link and break into its network
Security Assessment
• More than an attempt to break in; also includes analyzing company’s security policy and procedures
• Offers solutions to secure or protect the network
WHITE BOX MODEL
• Tester is told everything about the network topology and technology
• Network Diagram provided
• Tester is authorized to interview IT personnel and company employees
• Makes tester’s job a little easier
NETWORK DIAGRAM
http://www.hp.com/rnd/images/pdf_html/highavailabilityWLANtopolog.jpg
FLOOR PLAN
http://www.bwtp.com/uploads/cablingdraft.gif
BLACK BOX MODEL
• Company staff does not know about the test
• Tester is not given details about the network
• Burden is on the tester to find these details
• Tests if security personnel are able to detect an attack
• Think James Bond
GRAY BOX MODEL
• Hybrid of the white and black box models
• Company gives tester partial information
• Walk-through
TOOLS AND GADGETS
TIGER BOX
• Collection of OSs and hacking tools
• Usually on a Laptop/Notebook
• Helps penetration testers and security testers conduct vulnerability assessments and attacks
• What OS Should I Use?
• What hardware specs?
JUMPSTARTING INFOSEC CAREER
STEP 1
Focus on the Core Concepts
• Windows
• Linux
• Networking
• Python
• Checkout Security Standards
  • CIS, NIST 800
STEP 1 - WINDOWS
STEP 1 - NETWORKING
• Get your stuff at home to work
• Know what it is doing
• Get some simulators
  • http://www.brianlinkletter.com/open-source-network-simulators/
  • GNS3, Cisco Packet Tracer, etc.
• Finally, get some gear
  • MikroTik and Ubiquiti are cheap and very powerful
  • Full crazy router for ~ $60
HAVE A PLAY GROUND ...
STEP 1 - LINUX
• Install Everything From Scratch
STEP 1 - SPECIFICS
• Learn BASH
• Learn Python Online
FIND A MENTOR …
ACCEPT APPRENTICES…
STEP 2
• Start Projects
• Start Security Groups
• Learn PowerShell
• Keep up with Security
CONTRIBUTE TO OPEN SOURCE
STEP 3
• Web Apps - PHP and ASP.NET
• Do networked iOS and Android
STEP 4
• Start Hacking
• Learn IDA and Immunity Debugger
• Pick and Understand a Protocol
• Hit Online Challenges
• ZAP from OWASP
STEP 5
SANS PENTEST POSTER
READ READ READ ...
CERTIFICATIONS
CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL - CISSP
• Issued by the International Information Systems Security Certifications Consortium (ISC2)
• Usually more concerned with policies and procedures than technical details
• www.isc2.org
• $599 - Exam Cost
• 6 Hours Exam
• 5 Year Experience Required for Certification
CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL - CISSP
• Access control
• Telecommunications and network security
• Information security governance and risk management
• Software development security
• Cryptography
• Security architecture and design
• Operations security
• Business continuity and disaster recovery planning
• Legal, regulations, investigations and compliance
• Physical (environmental) security
CERTIFIED INFORMATION SYSTEMS AUDITOR - CISA
• Issued by ISACA
• $710 - Exam Cost
• 4 Hours / Paper Based
• 5 Year Experience Required for Certification
CERTIFIED INFORMATION SECURITY MANAGER - CISM
• Issued by ISACA
• $710 - Exam Cost
• 4 Hours / Paper Based
• 5 Year Experience Required for Certification
SANS - GSEC
• SysAdmin, Audit, Network, Security (SANS)
• Offers certifications through Global Information Assurance Certification (GIAC)
• Security Essentials (401)
• 60 Mostly Technical Topics
• $6210 - Boot Camp Training Cost
• $729 - Certification Exam Cost
OSCP
• Offensive Security Certified Professional
• 24-Hour Certification Exam
• From the Makers of BackTrack/Kali Linux
• Web / Wireless / Exploitation etc.
• Approx $1500
15 TOP PAYING CERTIFICATIONS FOR 2015
• ISACA - CRISC - $119,227
• ISACA - CISM - $118,348
• ISC2 - CISSP - $110,603
• PMP - $109,405
• ISACA - CISA - $106,181
http://www.globalknowledge.com/training/generic.asp?pageid=3
10 BEST IT JOBS - 2010
1. Security Specialist
"If you know how to keep your company's data secure, you were in demand yesterday, are in demand today and will be in demand tomorrow," - Tom Silver, senior vice president with Dice.com, said in a recent interview with Network World.
http://www.networkworld.com/news/2010/020110-best-it-jobs.html
6 HIGH PAYING JOBS OF THE FUTURE - 2013
2. Security professional
It turns out that many companies hire these experts to purposefully hack systems in order to pinpoint problems in security measures before their less-ethical counterparts get the chance.
http://www.forbes.com/sites/learnvest/2013/09/16/6-high-paying-jobs-of-the-future/
NOT SO RECENT CASES
GOOGLE HACKED!!!
RECENT CASES
• Google Hacked – Aurora Exploit
• Lockheed Hacked
• HBGary Hacked – Social Engineering
• Citibank Hacked
• RSA Hacked
• Sony Hacked – TWICE! – for the nth Time!
• Hacking Team – Hacked! Oh the Irony …
• ASHLEY MADISON – Dumped!
SONY ENTERTAINMENT 11/24/14
In one of Sony Pictures’ many hacked emails, producer Scott Rudin sent an email to Sony Chairman Amy Pascal and called Jolie, an Oscar winner and recipient of the Jean Hersholt Humanitarian Award, “a minimally talented spoiled brat”.
PASCAL MET JOLIE
114 DOMAINS FROM PH
.GOV.PH
• 1 doe.gov.ph
• 1 gsis.gov.ph
• 1 hgc.gov.ph
• 1 roxas.gov.ph
.EDU.PH
• 6 dlsu.edu.ph
• 2 apc.edu.ph
• 2 benilde.edu.ph
• 2 bicol-u.edu.ph
• 2 su.edu.ph
• 2 up.edu.ph
• 2 upd.edu.ph
• 2 xs.edu.ph
• 1 ama.edu.ph
• 1 amaes.edu.ph
• 1 antiquespride.edu.ph
• 1 bulsu.edu.ph
• 1 eac.edu.ph
• 1 evsu.edu.ph
• 1 faith.edu.ph
• 1 informatics.edu.ph
• 1 mcl.edu.ph
• 1 mymail.mapua.edu.ph
• 1 neu.edu.ph
• 1 rtu.edu.ph
• 1 shall.edu.ph
• 1 uplb.edu.ph
DON’TS
• Sink into video games
• Waste your time going after epic Pokémon
• Binge watch shows on Netflix
• Use Bing for anything
• Just barely learn Metasploit to impress women/men
• Spend more time on the hacker “look” than learning
• Get angry
• Blame others
"Being able to break security doesn’t make you a hacker anymore than being able to hotwire cars makes you an automotive engineer." – Eric S. Raymond