
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution


Mohamed Bedewi, Offense Security Division Head and Sr. Penetration Testing Consultant at DTS, also presented during one of the security sessions, titled "Your Network in the Eyes of a Hacker – The 0ff3ns!v3 Version", which raised a few eyebrows to say the least. The presentation slides can be found here….


  1. 1. Your Network in the Eyes of a Hacker – Th3 0ff3n$!v3 V3r$!0n | www.dts-solution.com | Mohamed Bedewi – Sr. Penetration Testing Consultant | Network+ | CCNA | MCSE | Linux+ | RHCE | Security+ | CEH | ECSA | LPT | PWB | CWHH | OSCP | mohamed@dts-solution.com
  2. 2. DTS Solution
  3. 3. Hackers are NOT Criminals
  4. 4. Wrong Conceptions About Hackers • Hackers don't break into computer systems to steal information; that's Crackers. • There are NO ethical hackers; either you have a hacker or a cyber criminal (Cracker). • Blackhat, Whitehat and Grayhat hackers are all hackers and they only seek knowledge. Hackers: They will hack into your computer systems to learn new things and to enhance their technical skills. Your sensitive information can get into their hands, but luckily they're only interested in the back-end technology and how it really works; they won't cause any harm or damage to your business and you won't notice their presence. A blackhat hacker won't report the threat, while a whitehat hacker will. Damage: Minimal. Knowledge: Extensive. Crackers: They will hack into your computer systems to achieve financial gain or to cause damage to your business for different kinds of reasons. Your sensitive information will get into their hands and they're willing to abuse it to the maximum extent; you won't notice their presence and most probably they'll back-door your systems to visit again whenever they want, easily and without duplicating the effort. Damage: Extensive. Knowledge: Minimal.
  5. 5. The Truth About Hackers • Hackers are highly skilled individuals; they're capable of adapting to new technologies in a matter of hours and they have sharp attention to detail (the devil is in the details). • Hackers are web designers, web developers, system engineers, infrastructure engineers, programmers, database engineers and virtualization engineers combined (overqualified). • Hackers are not engineers, they're scientists; they achieve the impossible every minute and they know how your systems really work even better than your best senior engineer. Hacker: Fast, Adaptive, Knowledgeable, Creative, Persistent, Stealthy.
  6. 6. Security is an Illusion
  7. 7. Wrong Conceptions About Security • Investing in Firewalls, Antiviruses, WAFs, IPSs, NACs, etc. will not secure your systems. • Hiring security engineers to maintain your security solutions will not achieve security. • Complying with international standards and best practices will not grant you security. Security is NOT: Policy, Project, Standard, Training, Appliance, Magic.
  8. 8. Security Can Easily Let You Down Exploiting FortiGate Next Generation Firewall
  9. 9. Security Can Easily Let You Down Exploiting McAfee ePolicy Orchestrator (ePO)
  10. 10. Security Can Easily Let You Down Exploiting Infoblox Netcordia NetMRI
  11. 11. "Security is an Architecture, not an Appliance" - Art Wittmann
  12. 12. Why UAE is a Vulnerable Target • The economy of the United Arab Emirates is the second largest in the Arab world, with a gross domestic product (GDP) of $570 billion (AED2.1 trillion) in 2014. 71% of UAE's total GDP comes from non-oil sectors. (Public: Wikipedia) • The underlying IT infrastructure for almost every entity in the United Arab Emirates is very weak (for every 10 entities, there are 9 entities which are heavily vulnerable); the attack surface is massively increasing with no proper security controls. (Private Research) • The disaster recovery plan is absent in 83% of United Arab Emirates' entities; there's no proper logging and monitoring of security violations, and the response time for a security breach is critically long with no proper action plan. (Private Research)
  13. 13. What Security Experts are Saying • According to a survey carried out jointly by Kaspersky Lab and B2B International, 51% of users in the UAE faced financial cyber-attacks during the past year while only 10% of them admitted that they were victims - July, 2014. (Kaspersky Lab) • According to the Cisco Annual Security Report, businesses in the Middle East are facing a growing risk of cyber-attacks with a sharp rise in sophisticated malware attacks on the oil, gas, power and utilities sectors - Jan, 2014. (Cisco Systems) • According to a survey commissioned by global Application Delivery Networking vendor F5 Networks, 81% of surveyed UAE IT decision-makers believed their organization was more vulnerable than ever to cyber-attacks - Feb, 2014. (F5 Networks)
  14. 14. Serious Legal Warning • All information displayed will be totally obfuscated for privacy reasons. • We condone cracking and any computer misuse or unauthorized access. • All our PT activities are carried out based on a strict Rule of Engagement. • Any security vulnerabilities discovered are reported back to TRA aeCERT. • Our aim is to raise information security awareness through the work we do. Please don't get too excited and try this at home or work. - DTS Offensive Division
  15. 15. Gigantic Construction Entity. Security Controls in Place: • FortiGate Next Generation Firewalls with IPS enabled. • BIG-IP F5 Load Balancer with no direct IP access or ping. • McAfee ePolicy Orchestrator (ePO) with HIPS enabled. • IBM QRadar (SIEM) centralized monitoring and logging server. • Imperva Incapsula cloud security and content delivery network. Attack Exposure and Technique: External Black-Box Penetration Testing with zero knowledge of the underlying technologies. Activity Goal and Deliverables: Gaining full administrative access to the internal network through the DMZ without getting caught by the security controls in place or getting logged by the SIEM solution (QRadar). Challenge Accepted.
  16. 16. Gigantic Construction Entity. HTTP Enabled Methods: GET, PUT (highlighted on the slide), POST, DEBUG, TRACE
  17. 17. Gigantic Construction Entity
  18. 18. Gigantic Construction Entity
  19. 19. Major Transportation Authority. Security Controls in Place: • Juniper Next Generation Firewalls with IPS and UTM enabled. • Barracuda Web Application Firewall with no direct IP access or ping. • Kaspersky Endpoint Security for Business with application control enabled. • Basic monitoring and logging for the entire infrastructure activated. • ISO 27001 Certified with good security awareness and regular trainings. Attack Exposure and Technique: External Black-Box Penetration Testing with zero knowledge of the underlying technologies. Activity Goal and Deliverables: Gaining full administrative access to the fleet management system without getting caught by the security controls in place or getting logged. Challenge Accepted.
  20. 20. Major Transportation Authority
  21. 21. Major Transportation Authority
  22. 22. Sensitive Governmental Entity. Security Controls in Place: Censored. Attack Exposure and Technique: External Black-Box Penetration Testing with zero knowledge of the underlying technologies. Activity Goal and Deliverables: Gaining full administrative access to the back-end database without getting caught by the security controls in place or getting spotted by security agents. Challenge Accepted.
  23. 23. Sensitive Governmental Entity
  24. 24. Sensitive Governmental Entity
  25. 25. Sensitive Governmental Entity
  26. 26. Massive Financial Market. Security Controls in Place: Censored. Attack Exposure and Technique: External Black-Box Penetration Testing with zero knowledge of the underlying technologies. Activity Goal and Deliverables: Gaining full administrative access to the primary web application without getting caught by the security controls in place or getting spotted by the SOC team. Challenge Accepted.
  27. 27. Massive Financial Market
  28. 28. Massive Financial Market
  29. 29. Sensitive Governmental Entity. Security Controls in Place: Censored. Attack Exposure and Technique: External Black-Box Penetration Testing with zero knowledge of the underlying technologies. Activity Goal and Deliverables: Gaining full administrative access to the ERP application without getting caught by the security controls in place or getting spotted by the SIEM solution. Challenge Accepted.
  30. 30. Vulnerabilities in ERP (SAP and Oracle). By March 2015 – 3298 SAP Security Notes. [Charts: yearly counts for 2001–2014; Oracle vulnerabilities per year, 2007–2014] Only one vulnerability is enough to get access to ALL your business critical data.
  31. 31. Threat Modelling: – Attacks between systems – Attacks on systems – Overall security status: • Misconfiguration status • Vulnerability status • SAP Notes status. Understand which system can be attacked, how SAP is connected with other enterprise apps and how crackers can escalate privileges. Threat Modelling and Map.
  32. 32. Sensitive Governmental Entity
  33. 33. TOP 10 Mobile Applications in UAE: 1- Salik recharge, 2- RTA Dubai, 3- Dubai mParking, 4- DUBAI POLICE, 5- mPay, 6- DHA & Sehaty, 7- HbMPSG, 8- Carrefour UAE, 9- DEWA, 10- Cinema UAE
  34. 34. M1 - Weak Server Side Controls. [Diagram labels: Mobile App, Attacker, Backend Server, Internet, SQL Injection]
  35. 35. Very Popular Mobile Application in UAE :( Backend Database Vulnerable to SQL Injection
  36. 36. Vulnerable! Leads to full Data Leakage. Very Popular Mobile Application in UAE :(
  37. 37. Vulnerable! Leads to full Data Leakage. Very Popular Mobile Application in UAE :( Public Profile, Full Name, Password, User ID, Email, Emirates ID >>>> Used Everywhere and Needed by Everyone <<< Increase Security Risk
  38. 38. On that bombshell… How Secure do you Think you are?
  39. 39. DTS Solution is Exhibiting at GISEC
  40. 40. Thanks and Have a Good Day
