Kyle Lai, President & CTO, KLC Consulting, April 2015

Cyber Hacking & Security - IEEE - Univ of Houston 2015-04


Career Highlights

• CISSP, CISA, CSSLP, CIPP/US/G
• 20 years in IT, 15 years specializing in security
• CISO, DISA Operations Manager for Security Portal
• ISO 27001/2, Regulatory Compliance, Third-Party Risk, Penetration/Vulnerability Tester, IT Auditor, Network Admin, Developer, DBA, Sys Admin
• Consultant for Boeing | HP | PWC | DoD | Fidelity | ExxonMobil | Fannie Mae | RBS | Federal Gov’t | Akamai | Brandeis Univ
• Author of the SMAC MAC Address Changer (SMAC) tool and the WebDAV Scanner tool
• Administers LinkedIn groups: CyberSecurity Community; Cloud Computing Security Community; Third Party Security Risk Management
• Married, 2 kids, 1 teenage dog!
• Graduated from UCONN with a BS in Electrical Engineering


Recent huge cyber attacks:

• (1/2015) Premera Blue Cross: 11 million customer records, breached in May 2014, went undiscovered until 1/29/2015
• (2/2015) Anthem (including Blue Cross Blue Shield members): 80 million insured’s health records stolen
• (11/2014) Sony Pictures: 11/2014
• (10/2014) Staples: 1.16 million customer credit cards
• (9/2014) Home Depot: 56 million customer credit cards
• (8/2014) JPMorgan Chase: 83 million household and business accounts
• (6/2014) Community Health Systems: 4.5 million patient records
• (4/2014) Michaels Stores: 3 million customer payment cards
• (12/2013) Target: 40 million customer credit and debit cards. CEO was fired!

CyberSecurity Definition:

The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. (http://niccs.us-cert.gov/glossary)

In Straight Talk: Your capability and readiness for attacks against your technology / systems / applications:

• Prevention / protection / monitoring / detection
• React / respond / attack* / counter attack* / handle breach notifications

*Authorization required

Source: https://buildsecurityin.us-cert.gov/sites/default/files/BobMartin-CybersecurityEcosystem.pdf


* “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com

Cloud /Outsource

“92% of the incidents we’ve seen over the last 10 years, and 94% of the breaches in 2013, can be described with just nine patterns.” Source: Verizon 2014 Data Breach Investigations Report

Advanced Persistent Threat (APT)

Distributed Denial of Service (DDoS)

Cross-Platform Malware

Metamorphic and Polymorphic Malware

Phishing

Source: Recorded Future - Cyber Threat Landscape: Basic Overview and Attack Methods

OWASP Top 10 (2013):

• A1: Injection
• A2: Broken Authentication and Session Management
• A3: Cross-Site Scripting (XSS)
• A4: Insecure Direct Object References
• A5: Security Misconfiguration
• A6: Sensitive Data Exposure
• A7: Missing Function Level Access Control
• A8: Cross-Site Request Forgery (CSRF)
• A9: Using Known Vulnerable Components
• A10: Unvalidated Redirects and Forwards

Critical Infrastructure

Power grid / Oil pipelines

Financial Services

Banking / Wall Street

Government Services

Fire / Police / Water / Traffic Light

Several nations are capable of launching large-scale attacks against the USA

Live Attacks - http://map.ipviking.com (no sensors in China so cannot see attacks made upon China)


Source: http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

• Cyber Weapon – Stuxnet attacked Iranian nuclear centrifuges in 2010
• It is claimed to be the first effective cyber weapon
• Infected the environment by USB
• Attacked industrial programmable logic controllers (PLCs)
• Only targeted Siemens systems running on Windows
• Reportedly compromised Iranian PLCs
• Collected information about industrial systems
• Caused the high speed centrifuges to tear themselves apart
• Who made Stuxnet??? No one claimed responsibility…

Denial Of Service

AMIDALA : We must continue to rely on negotiation.

BIBBLE : Negotiation? We've lost all communications!

(Also used in Russia-Georgia war)

Compromise Integrity, Escalation of Privilege...

OBI-WAN: This is where it ought to be... but it isn’t. Gravity is pulling all the stars in this area inward to this spot. There should be a star here... but there isn’t.

JEDI CHILD: Because someone erased it from the archive memory.

OBI-WAN: But Master Yoda, who could have erased information from the archives? That’s impossible, isn’t it?

YODA: (frowning) Much harder to answer, that question is.

You Possess Fundamental Skills for CyberSecurity

• Strong PROBLEM SOLVING SKILLS
• Programming skills
• Advanced computer skills
• Understand a mix of technologies
• Acquire new skills
• Think outside the box when it comes to creative problem solving
• Learn penetration testing skills
• Think like a BAD hacker, and see how you can protect your employer
• Learn Risk Assessment: identify vulnerabilities and potential areas of exposure; estimate the cost of damage should an attack come via this vulnerability, the cost to fix, the cost of not fixing, and the cost of carrying business insurance to cover the risk; then decide whether the risk is acceptable.

• Learn the basics (network, database, application, web)
• Learn programming languages (Python – most useful)
• Be passionate! You will learn more if you have the interest
• Try out all the hacking practice sites. Lots of free training: YouTube, Google – research!!!
• Follow websites, tweets, security news
• Follow the new security threats and vulnerabilities
• Learn the hacking tools, stay current with existing and newest Jedi tricks
• Pay attention to the trend...
• Set up a lab and try out Jedi tricks at home! A few computers, a few virtual machines

Sample CyberSecurity Opportunities

• Vulnerability Management
• Secure Software Development
• Encryption
• Security Operations Center
• Patch Management
• Malware Analysis
• Security Policy / Procedure
• Forensics
• ERP / SAP / Oracle
• Network / Firewall / VPN
• Threat Intelligence
• Incident Response
• Application Security
• Penetration Testing
• Project Manager
• Database Security
• Third-Party Security Risk
• Regulatory Compliance
• SCADA / PLC Security
• Certification & Accreditation
• Cyber Warfare (DoD, DHS, NSA, CIA)
• Cloud Security / VM Security
• Audit / Logging / Log coordination
• Researcher – Focus on security issues
• POS Security
• IoT Hardware Security

• Verizon Data Breach Investigation Report - http://www.verizonenterprise.com/DBIR/2014
• DHS CyberSecurity Portal - http://www.dhs.gov/topic/cybersecurity
• DoD Information Assurance Portal – http://iase.disa.mil

Hacking Practice (Web App Pentest)
• Hack This Site - https://www.hackthissite.org
• Mutillidae - http://sourceforge.net/projects/mutillidae
• Damn Vulnerable Web App - http://www.dvwa.co.uk

Security Knowledge
• OWASP – www.owasp.org
• DarkReading - www.darkreading.com
• SANS Reading Room - https://www.sans.org/reading-room/
• FireEye / Mandiant Threat Intelligence Reports - https://www.fireeye.com/current-threats/threat-intelligence-reports.html
• YouTube, Twitter

Security Intel
• Twitter – follow news and alerts, e.g. @Symantec, @TheHackersNews, @SCMagazine
• SANS Internet Storm Center
• US-CERT Alerts - Subscribe - https://www.us-cert.gov/ncas/alerts
• NIST Vulnerability Database - https://nvd.nist.gov

Tools
• Kali Linux - https://www.kali.org (Linux distro – comes with many tools – MUST HAVE)
• Metasploit – http://www.metasploit.com
• Sysinternals - https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx

Basic Certifications
• Security+
• CEH

Kyle Lai, CISSP, CSSLP, CISA, CIPP/US/G

President & CTO, KLC Consulting, Inc.

@[email protected]

www.KLCConsulting.net