COMPUTER AND NETWORK

SECURITY OVERVIEW
R Nunez - UP Diliman Network Janitor
 …

BROKEN INTO A LOT OF CORPORATE AND

GOVERNMENT INFRASTRUCTURE.

LEGALLY OF COURSE
 WHAT IS A HACKER?
• "In academia, a hacker is a person who follows a
spirit of playful cleverness and enjoys programming.
The context of academic hackers forms a voluntary
subculture termed the academic hacking culture."



This is why I got into security. I like to take things
apart to see how they work, break things, and try
to put them back together.
 DEFINITIONS ...
• Hackers
• Access computer system or network without authorization
• Breaks the law; can go to prison
• Crackers
• Break into systems to steal or destroy data
• U.S. Department of Justice calls both hackers
• Security Engineers
• Performs most of the same activities but with owner’s permission
• Employed by companies to perform penetration tests
 SECURITY PROFESSIONALS
VS 

SCRIPT KIDDIES
• Script kiddies

• Young inexperienced hackers

• Copy codes and techniques from knowledgeable hackers

• Experienced penetration testers write programs or scripts

using these languages

• PERL, C, C++, Python, JavaScript, PowerShell, BASH, SQL,

and many others
 MASTERY TAKES TIME

• This talk alone won’t make you a hacker, or an expert

• It takes years of studying and experience to gain the

knowledge and earn respect in the hacker
community

• It’s a hobby, a lifestyle, and an attitude

• A drive to figure out how things work

 WHAT IT TAKES TO BE A
SECURITY ENGINEER
• Knowledge of computer and network technology

• Ability to communicate with management and IT

personnel

• Understanding of the laws

• Ability to understand, use and write necessary

tools
TECHNICAL FIELDS IN
IT SECURITY
 FIELDS IN IT SECURITY
• Risk Audit / Management
• Security Operations Center (SOC)
• Secure Code Auditing
• Reverse Engineering
• Offensive Security:
• Penetration Testing
• Vulnerability Management
• Vulnerability and Exploit R&D
• Red Teaming
 FIELDS IN IT SECURITY
• Cyber Defense:
• Network Security
• Systems Security
• Mobile / Application Security
• Digital Forensics & Incident Response (DFIR):
• Incident Response and Handling
• Disk, Memory, and System Forensics
• Network Forensics
• Smartphone / Mobile Forensics
PENETRATION-TESTING
METHODOLOGIES
 TYPES OF SECURITY TESTING
• Vulnerability Assessment

• Enumerate a system’s vulnerability and threat landscape

• Penetration Test

• Legal attempt to find a company’s weakest link and break into its
network
• Security Assessment

• More than an attempt to break in; also includes analyzing company’s

security policy and procedures

• Offers solutions to secure or protect the network

 WHITE BOX MODEL
• Tester is told everything about the network
topology and technology

• Network Diagram provided

• Tester is authorized to interview IT personnel and

company employees

• Makes tester’s job a little easier

 NETWORK DIAGRAM

http://www.hp.com/rnd/images/pdf_html/highavailabilityWLANtopolog.jpg
 FLOOR PLAN

http://www.bwtp.com/uploads/cablingdraft.gif
 BLACK BOX MODEL
• Company staff does not know about the test

• Tester is not given details about the network

• Burden is on the tester to find these details

• Tests if security personnel are able to detect an

attack

• Think James Bond

 GRAY BOX MODEL

• Hybrid of the white and black box models

• Company gives tester partial information

• Walk - through
TOOLS AND GADGETS
 TIGER BOX
• Collection of OSs and hacking tools

• Usually on a Laptop/Notebook

• Helps penetration testers and security testers

conduct vulnerabilities assessments and attacks

• What OS Should I Use?

• What hardware specs?

 JUMPSTARTING
INFOSEC CAREER
 STEP 1

• Focus on the Core Concepts

• Windows
• Linux
• Networking
• Python
• Checkout Security Standards
• CIS, NIST 800
STEP 1 - WINDOWS
 STEP 1 - NETWORKING

• Get your stuff at home to work

• Know what it is doing
• Get some simulators
• http://www.brianlinkletter.com/open-source-network-simulators/
• GNS3, Cisco Packet Tracer, etc.

• Finally, get some gear

• MikroTik and Ubiquiti is cheap and very powerful
• Full crazy router for ~ $60
HAVE A PLAY GROUND ...
 STEP 1 - LINUX
• Install Everything From Scratch
 STEP 1 - SPECIFICS

• Learn BASH

• Learn Python Online

FIND A MENTOR …
ACCEPT APPRENTICES…
 STEP 2

• Start Projects
• Start Security Groups
• Learn Power Shell
• Keep up with Security
CONTRIBUTE TO OPEN SOURCE
 STEP 3

• Web Apps - PHP and ASP.NET

• Do networked iOS and Android
 STEP 4

• Start Hackin
• Learn IDA and Immunity Debugger
• Pick and Understand a Protocol
• Hit Online Challenges
• ZAP from OWASP
STEP 5
SANS PENTEST POSTER
READ READ READ ...
CERTIFICATIONS
CERTIFIED INFORMATION SYSTEMS
SECURITY PROFESSIONAL - CISSP
• Issued by the International Information Systems Security
Certifications Consortium (ISC2)

• Usually more concerned with policies and procedures than

technical details

• www.isc2.org

• $599 - Exam Cost

• 6 Hours Exam

• 5 Year Experience Required for Certification

CERTIFIED INFORMATION SYSTEMS
SECURITY PROFESSIONAL - CISSP
• Access control
• Telecommunications and network security
• Information security governance and risk management
• Software development security
• Cryptography
• Security architecture and design
• Operations security
• Business continuity and disaster recovery planning
• Legal, regulations, investigations and compliance
• Physical (environmental) security
 CERTIFIED INFORMATION
SYSTEMS AUDITOR - CISA
• Issued by ISACA

• $710 - Exam Cost

• 4 Hours / Paper Based

• 5 Year Experience Required for Certification

 CERTIFIED INFORMATION
SECURITY MANAGER - CISM
• Issued by ISACA

• $710 - Exam Cost

• 4 Hours / Paper Based

• 5 Year Experience Required for Certification

 SANS - GSEC
• SysAdmin, Audit, Network, Security (SANS)

• Offers certifications through Global Information Assurance

Certification (GIAC)

• Security Essentials (401)

• 60 Mostly Technical Topics

• $6210 - Boot Camp Training Cost

• $729 - Certification Exam Cost

 OSCP
• Offensive Security Certified Professional

• 24 - Hour Certification Exam

• From the Makers of BackTrack/Kali Linux

• Web / Wireless / Exploitation etc.

• Approx $1500
 15 TOP PAYING
CERTIFICATIONS FOR 2015

• ISACA - CRISC - $119,227

• ISACA - CISM - $118,348
• ISC2 - CISSP - $110,603
• PMP - $109,405
• ISACA - CISA - $106,181

http://www.globalknowledge.com/training/generic.asp?pageid=3
 10 BEST IT JOBS - 2010
1. Security Specialist

"If you know how to keep your company's data

secure, you were in demand yesterday, are in
demand today and will be in demand tomorrow,"

- Tom Silver, senior vice president with Dice.com, said

in a recent interview with Network World.  
http://www.networkworld.com/news/2010/020110-best-it-jobs.html
 6 HIGH PAYING JOBS OF THE
FUTURE - 2013

2. Security professional

It turns out that many companies hire these experts

to purposefully hack systems in order to pinpoint
problems in security measures before their less-
ethical counterparts get the chance.

http://www.forbes.com/sites/learnvest/2013/09/16/6-high-paying-jobs-of-the-future/
NOT SO RECENT CASES
GOOGLE HACKED!!!
GOOGLE HACKED!!!
RECENT CASES
 RECENT CASES
• Google Hacked – Aurora Exploit
• Lockheed Hacked
• AB Gary Hacked – Social Engineering
• Citibank Hacked
• RSA Hacked
• Sony Hacked – TWICE! – for the nth Time!
• Hacking Team – Hacked! Oh the Irony …
• ASHLEY MADISON – Dumped!
SONY ENTERTAINMENT -
11/24/14
In one of Sony Pictures’ many hacked emails,
producer Scott Rudin sent an email to Sony
Chairman Amy Pascal and called Jolie, an Oscar
winner and recipient of the Jean Hersholt
Humanitarian Award , “a minimally talented
spoiled brat”.
PASCAL MET JOLIE
114 DOMAINS FROM PH
 .GOV.PH

1 doe.gov.ph

1 gsis.gov.ph

1 hgc.gov.ph

1 roxas.gov.ph
 .EDU.PH
6 dlsu.edu.ph 1 bulsu.edu.ph
2 apc.edu.ph 1 eac.edu.ph
2 benilde.edu.ph 1 evsu.edu.ph
2 bicol-u.edu.ph 1 faith.edu.ph
2 su.edu.ph 1 informatics.edu.ph
2 up.edu.ph 1 mcl.edu.ph
2 upd.edu.ph 1 mymail.mapua.edu.ph
2 xs.edu.ph 1 neu.edu.ph
1 ama.edu.ph 1 rtu.edu.ph
1 amaes.edu.ph 1 shall.edu.ph
1 antiquespride.edu.ph 1 uplb.edu.ph
 DONT'S
• Sink into video games
• Waste you time going after epic Pokémon
• Binge watch shows on Netflix
• Use Bing for anything
• Just barely learn Metasploit to impress women/men
• Spend more time on the hacker “look” than learning
• Get angry
• Blame others
"Being able to break security doesn’t make you a
hacker anymore than being able to hotwire cars
makes you an automotive engineer. "
– Eric S. Raymond