COMPUTER AND NETWORK SECURITY OVERVIEW
R Nunez - UP Diliman Network Janitor

BROKEN INTO A LOT OF CORPORATE AND GOVERNMENT INFRASTRUCTURE.
LEGALLY OF COURSE
WHAT IS A HACKER?
• "In academia, a hacker is a person who follows a spirit of playful cleverness and enjoys programming. The context of academic hackers forms a voluntary subculture termed the academic hacking culture."

This is why I got into security. I like to take things apart to see how they work, break things, and try to put them back together.
DEFINITIONS ...
• Hackers
  • Access a computer system or network without authorization
  • Break the law; can go to prison
• Crackers
  • Break into systems to steal or destroy data
  • The U.S. Department of Justice calls both groups hackers
• Security Engineers
  • Perform most of the same activities, but with the owner's permission
  • Employed by companies to perform penetration tests
SECURITY PROFESSIONALS VS SCRIPT KIDDIES
• Script kiddies
  • Young, inexperienced hackers
  • Copy code and techniques from knowledgeable hackers
• Experienced penetration testers write their own programs or scripts using these languages
  • Perl, C, C++, Python, JavaScript, PowerShell, BASH, SQL, and many others
MASTERY TAKES TIME
• This talk alone won't make you a hacker, or an expert
• It takes years of studying and experience to gain the knowledge and earn respect in the hacker community
• It's a hobby, a lifestyle, and an attitude
• A drive to figure out how things work

WHAT IT TAKES TO BE A SECURITY ENGINEER
• Knowledge of computer and network technology
• Ability to communicate with management and IT personnel
• Understanding of the laws
• Ability to understand, use and write the necessary tools
TECHNICAL FIELDS IN
IT SECURITY
FIELDS IN IT SECURITY
• Risk Audit / Management
• Security Operations Center (SOC)
• Secure Code Auditing
• Reverse Engineering
• Offensive Security:
  • Penetration Testing
  • Vulnerability Management
  • Vulnerability and Exploit R&D
  • Red Teaming
• Cyber Defense:
  • Network Security
  • Systems Security
  • Mobile / Application Security
• Digital Forensics & Incident Response (DFIR):
  • Incident Response and Handling
  • Disk, Memory, and System Forensics
  • Network Forensics
  • Smartphone / Mobile Forensics
PENETRATION-TESTING METHODOLOGIES
TYPES OF SECURITY TESTING
• Vulnerability Assessment
  • Enumerate a system's vulnerabilities and threat landscape
• Penetration Test
  • Legal attempt to find a company's weakest link and break into its network
• Security Assessment
  • More than an attempt to break in; also includes analyzing the company's security policy and procedures
  • Offers solutions to secure or protect the network
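A vulnerability assessment starts with enumeration: finding out which services a host exposes and what they announce about themselves. The script below is an added example, not code from the slides, showing the smallest useful version of that step in Python: a TCP connect scan plus a banner grab. So that it runs offline it starts its own throw-away listener on 127.0.0.1; the listener's port is chosen by the OS and the banner it serves (FAKE_BANNER) is constructed for the demo, not captured from a real host.

```python
"""Service enumeration sketch: TCP connect scan plus banner grab.

Added example, not part of the original slides. The target is a throw-away
listener started on 127.0.0.1 inside this process, so the script runs
offline. FAKE_BANNER is constructed; a real host would answer with its own.
"""
import socket
import threading

# Constructed banner for the fake service (assumption, not a real host).
FAKE_BANNER = b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu2\r\n"


def start_fake_service(host="127.0.0.1"):
    """Listen on an OS-chosen port, send FAKE_BANNER to each client, close.

    Returns (server_socket, port); closing the socket stops the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))                     # port 0: let the OS pick one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                 # listener closed by the caller
                return
            with conn:
                try:
                    conn.sendall(FAKE_BANNER)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def grab_banner(host, port, timeout=0.5, size=128):
    """Connect and return whatever the service volunteers first (b'' if silent).

    Raises ConnectionRefusedError / socket.timeout / OSError when the port
    is closed or filtered; scan() turns those into "not open".
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(size)
        except socket.timeout:
            return b""


def scan(host, ports, timeout=0.5):
    """TCP connect scan. Returns {port: banner} for ports that accepted.

    A connect scan completes the three-way handshake, so the target logs it
    and detecting it is trivial; the trade-off is that it needs no raw
    sockets or root. Only point it at hosts you are authorized to test.
    """
    found = {}
    for port in ports:
        try:
            found[port] = grab_banner(host, port, timeout)
        except (ConnectionRefusedError, socket.timeout, OSError):
            continue
    return found


def identify(banner):
    """Tiny banner-to-service guess; real tools carry thousands of signatures."""
    if banner.startswith(b"SSH-"):
        return "ssh " + banner.strip().decode("ascii", errors="replace")
    if banner.startswith(b"HTTP/"):
        return "http"
    if banner.startswith(b"220 "):
        return "smtp-or-ftp"
    return "open, no banner" if not banner else "unknown"


def demo():
    """Start the fake service, scan a small window around its port, classify.

    Neighbouring ports may or may not be in use on the local machine, so
    only the entry for the port we opened ourselves is guaranteed.
    """
    srv, port = start_fake_service()
    try:
        results = scan("127.0.0.1", range(port - 2, port + 3))
        return port, {p: identify(b) for p, b in results.items()}
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wake the accept() in serve()
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    target_port, report = demo()
    for p, svc in sorted(report.items()):
        print(f"{p}/tcp open  {svc}")
```

The point of the connect-scan comment is the one a black box test turns on: every connection here completes the handshake and lands in the target's logs, which is exactly what lets the defenders in the black box model detect the test.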


WHITE BOX MODEL
• Tester is told everything about the network topology and technology
• Network diagram provided
• Tester is authorized to interview IT personnel and company employees
• Makes the tester's job a little easier

NETWORK DIAGRAM
[image] http://www.hp.com/rnd/images/pdf_html/highavailabilityWLANtopolog.jpg
FLOOR PLAN
[image] http://www.bwtp.com/uploads/cablingdraft.gif
BLACK BOX MODEL
• Company staff does not know about the test
• Tester is not given details about the network
• Burden is on the tester to find these details
• Tests whether security personnel are able to detect an attack
• Think James Bond

GRAY BOX MODEL
• Hybrid of the white and black box models
• Company gives the tester partial information
• Walk-through
TOOLS AND GADGETS
TIGER BOX
• Collection of OSs and hacking tools
• Usually on a laptop/notebook
• Helps penetration testers and security testers conduct vulnerability assessments and attacks
• What OS should I use?
• What hardware specs?

JUMPSTARTING AN INFOSEC CAREER
STEP 1
• Focus on the Core Concepts
  • Windows
  • Linux
  • Networking
  • Python
• Check out Security Standards
  • CIS, NIST 800
STEP 1 - WINDOWS
STEP 1 - NETWORKING
• Get your stuff at home to work
  • Know what it is doing
• Get some simulators
  • http://www.brianlinkletter.com/open-source-network-simulators/
  • GNS3, Cisco Packet Tracer, etc.
• Finally, get some gear
  • MikroTik and Ubiquiti are cheap and very powerful
  • A fully featured router for ~$60
HAVE A PLAYGROUND ...
STEP 1 - LINUX
• Install Everything From Scratch
STEP 1 - SPECIFICS
• Learn BASH
• Learn Python Online
FIND A MENTOR …
ACCEPT APPRENTICES…
STEP 2
• Start Projects
• Start Security Groups
• Learn PowerShell
• Keep up with Security
CONTRIBUTE TO OPEN SOURCE
STEP 3
• Web Apps - PHP and ASP.NET
• Do networked iOS and Android
STEP 4
• Start Hacking
• Learn IDA and Immunity Debugger
• Pick and Understand a Protocol
• Hit Online Challenges
• ZAP from OWASP
STEP 5
SANS PENTEST POSTER
READ READ READ ...
CERTIFICATIONS
CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL - CISSP
• Issued by the International Information Systems Security Certification Consortium (ISC2)
• Usually more concerned with policies and procedures than technical details
• www.isc2.org
• $599 - Exam Cost
• 6-Hour Exam
• 5 Years' Experience Required for Certification

CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL - CISSP
• Access control
• Telecommunications and network security
• Information security governance and risk management
• Software development security
• Cryptography
• Security architecture and design
• Operations security
• Business continuity and disaster recovery planning
• Legal, regulations, investigations and compliance
• Physical (environmental) security
CERTIFIED INFORMATION SYSTEMS AUDITOR - CISA
• Issued by ISACA
• $710 - Exam Cost
• 4 Hours / Paper Based
• 5 Years' Experience Required for Certification
CERTIFIED INFORMATION SECURITY MANAGER - CISM
• Issued by ISACA
• $710 - Exam Cost
• 4 Hours / Paper Based
• 5 Years' Experience Required for Certification

SANS - GSEC
• SysAdmin, Audit, Network, Security (SANS)
• Offers certifications through Global Information Assurance Certification (GIAC)
• Security Essentials (SEC401)
• 60 Mostly Technical Topics
• $6210 - Boot Camp Training Cost
• $729 - Certification Exam Cost
OSCP
• Offensive Security Certified Professional
• 24-Hour Certification Exam
• From the makers of BackTrack/Kali Linux
• Web / Wireless / Exploitation etc.
• Approx. $1500
15 TOP PAYING CERTIFICATIONS FOR 2015 (top five shown)
• ISACA - CRISC - $119,227
• ISACA - CISM - $118,348
• ISC2 - CISSP - $110,603
• PMP - $109,405
• ISACA - CISA - $106,181
http://www.globalknowledge.com/training/generic.asp?pageid=3
10 BEST IT JOBS - 2010
1. Security Specialist
"If you know how to keep your company's data secure, you were in demand yesterday, are in demand today and will be in demand tomorrow," - Tom Silver, senior vice president with Dice.com, said in a recent interview with Network World.
http://www.networkworld.com/news/2010/020110-best-it-jobs.html
6 HIGH PAYING JOBS OF THE FUTURE - 2013
2. Security professional
It turns out that many companies hire these experts to purposefully hack systems in order to pinpoint problems in security measures before their less-ethical counterparts get the chance.
http://www.forbes.com/sites/learnvest/2013/09/16/6-high-paying-jobs-of-the-future/
NOT SO RECENT CASES
GOOGLE HACKED!!!
RECENT CASES
• Google Hacked – Aurora Exploit
• Lockheed Hacked
• HBGary Hacked – Social Engineering
• Citibank Hacked
• RSA Hacked
• Sony Hacked – TWICE! – for the nth Time!
• Hacking Team – Hacked! Oh the Irony …
• ASHLEY MADISON – Dumped!
SONY ENTERTAINMENT - 11/24/14
In one of Sony Pictures' many hacked emails, producer Scott Rudin sent an email to Sony Chairman Amy Pascal and called Jolie, an Oscar winner and recipient of the Jean Hersholt Humanitarian Award, "a minimally talented spoiled brat".
PASCAL MET JOLIE
114 DOMAINS FROM PH
.GOV.PH (count, domain)
1 doe.gov.ph
1 gsis.gov.ph
1 hgc.gov.ph
1 roxas.gov.ph
.EDU.PH (count, domain)
6 dlsu.edu.ph
2 apc.edu.ph
2 benilde.edu.ph
2 bicol-u.edu.ph
2 su.edu.ph
2 up.edu.ph
2 upd.edu.ph
2 xs.edu.ph
1 ama.edu.ph
1 amaes.edu.ph
1 antiquespride.edu.ph
1 bulsu.edu.ph
1 eac.edu.ph
1 evsu.edu.ph
1 faith.edu.ph
1 informatics.edu.ph
1 mcl.edu.ph
1 mymail.mapua.edu.ph
1 neu.edu.ph
1 rtu.edu.ph
1 shall.edu.ph
1 uplb.edu.ph
DON'TS
• Sink into video games
• Waste your time going after epic Pokémon
• Binge watch shows on Netflix
• Use Bing for anything
• Just barely learn Metasploit to impress women/men
• Spend more time on the hacker "look" than learning
• Get angry
• Blame others
"Being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer."
– Eric S. Raymond