Hackers
Why? Who? What do they want?
Where are you most vulnerable?
SKEEVE STEVENS
[Former(?) Hacker]
I.T Security Consultant
Specialising in Security Theory, Trends, Policy,
Disaster Prevention
Email: skeeve@skeeve.org
www.skeeve.org
Copyright © 2002 by Skeeve Stevens
All Rights Reserved

Networks Under Assault
• Australian Computer Crime and Security Survey (May 02)
  - ACCS Survey (the only survey of its kind in .au) reports more than 67% of respondents have been attacked/hacked during the 2001 period – 7% higher than the U.S in the same period.
• InternetWeek
  - 50% of U.S Corporations have had 30 or more penetrations
  - 60% lost up to $200K/intrusion
• Federal Computing World
  - Over 50% of (U.S) Federal government agencies report unauthorised access (some are massive numbers)
• FBI/Computer Security Institute
  - 48% of all attacks originated from within the organization
• WarRoom Research Survey
  - 90% of Fortune 500 companies in the U.S surveyed admitted to inside security breaches
• Very few companies will talk. Too much fear of losing investor confidence and perhaps panicking the customer base (i.e. banks)

Why? - Hacker Motivations
• There are many different motivations to hack
  - Experimentation and desire to learn
  - “Gang” mentality
  - Psychological needs (i.e. to be noticed?)
  - Misguided trust in other individuals
  - Altruistic reasons
  - Self-gratification
  - Revenge and malicious reasons
  - Emotional issues
  - Desire to embarrass the target (many reasons)
  - “Joyriding”
  - “Scorekeeping”
  - Espionage (corporate, governmental)
  - Criminal – Stalking, Intimidation, Hostage, Blackmail

Types of Hackers
Shades of Grey - Are all Hackers Bad?
• Black Hats (The Bad Ones)
  - Professional Crackers (Crime Gangs)
  - Corporate Espionage (Criminal in a suit – more common than companies realise – everyone has a competitor.)
  - e-Terrorists (with or without a motivation [eco-hackers])
  - ?
• White Hats (The Good Ones)
  - Corporate Security
  - Tiger Teams (with reputations – ISS)
  - Big 5 Audit/Testing Teams (PWC, etc)
  - Law Enforcement Hackers / Military eSecurity
• Grey Hats (The Not-so-Bad / Not-so-Good Ones)
  - Depends who’s paying
  - Freelancers – to the highest bidder, which can include LEAs

Who are the Hackers?
• 49% are inside employees or contractors on the internal network
• 17% come from dial-up (still inside people)
• 34% are from Internet or an external connection to another company of some sort
• The major area of financial loss in hacking is internal: more money is lost via internal hacking and exploitation (by a factor of 30 or more)
• Most of the hacking that is done is from technical personnel in technical positions within the company

Perimeter Security Is Not Enough
• Even the best perimeter firewall can be breached
• What happens to your corporate assets if the perimeter is breached?
• What protects your internal network if the perimeter security fails? Most Businesses = Nothing
• How do you know you have been breached? Most Businesses = Never Know
[Diagram labels: INTERNET; Firewall; External Router; Internal Servers; Production Network; Desktops; Workstations]

Perimeter Security Is Not Enough
• Many companies with “insider access” - dissolve the perimeter protection (firewalls):
  - customers, consultants, contractors, temps, supply chain partners, employees – unhappy / rogue (espionage) / snoopy (the curious/ambitious) / terminated (fired)
• Many widely disseminated vulnerabilities, backdoors, firewall holes, firewall pole vaults - such as dial-up modems, shareware password crackers
• Majority of breaches and financial losses - from those with “insider access”

Typical Inside Network Attacks
• Insider attack
• Social engineering
• Virus infiltration
• Denial of Service
• OS or application bug
• Infiltration via passwords
• Infiltration via “no security”
• Spoofing
• Trojan horse
• Brute force
• Stealth infiltration
• Protocol flaw or exploit

Biggest Mistakes in Internal Security
• Everybody trusts everybody
• “Any” theory: “We don’t have anything anyone would want anyway” – never true
• No internal monitoring of any kind
• No internal intrusion detection
• No internal network isolation methods
• No separation of critical networks or subnetworks via VLAN or VPNs
• Infrastructure ignorance

Network Security IS a Serious Issue
• $202 Billion lost every year by companies to “e-Crime” in the US; Australian/rest of the world statistics are hard to estimate.
• 90% of e-Crime financial losses are INTERNAL
• U.S. Government alone will experience over 300,000 Internet attacks this year; Australian Government has not publicised any numbers
• Hundreds of thousands of websites contain some form of Hacker Tools / Information
• e-Crimes are estimated to take place every 20 seconds...

eSecurity / Hacking Insurance Policies
• Yes, you can actually buy hacking insurance policies for some situations
• One level allows for liability reduction due to protective measures taken (What sort of firewalls / policies / operating systems / training / etc…)
• Another provides a vendor security warranty level of assurance
• Others on their way…

Future Server Threats
• Digital Nervous System components
• Infrastructure Dependencies
  - Index Server/LDAP Servers
  - Terminal Server with thin clients
  - Exchange servers being used for office and workgroup flow applications
  - DNS and other naming services servers
  - Voice over IP (VoIP)
  - Telephony servers for desktop telephony
  - Netmeeting / Video collaboration servers
  - NT servers being implemented in factories and industrial networks for process control. These require real-time network security features
• Home implementations for broadband/DSL access
• Small business via broadband/DSL access
• Seasonal threats (holiday hacker gangs)

Information Store
A company’s most valuable assets are on its Information Store
An attack on your Information Store can result in:
• Loss of access
• Loss of data integrity
• Theft of data
• Loss of privacy
• Legal liability
• Loss of Confidence (Owners/Stock market/Customers)
• Financial Loss (Fraud)
[Diagram labels: Financials; HR Records; Patient Medical Records; R&D Information; Legal Records]

Summary (I)
• It is a matter of “when” not a matter of “if” you will be attacked or hacked - the statistics are against you
• Internal network security is still the most pervasive corporate threat
• Many different levels of security are necessary to deal with the threats
• Apply internal security in proper measure to meet the actual or perceived threat environment

Summary (II)
• A Hacker can be anyone – an employee with a grudge, a contractor, a family member. They just want something they are not supposed to have.
• Hacking is gaining access to anything you shouldn’t have access to, using means you shouldn’t be using (illegal?)
• eSecurity is as important as real security. If you have a security guard to protect you, you should have an eSecurity guard.
• Many different levels of security are necessary to deal with the threats

Computerworld Conference (2002)
