From Your Pocket, to Your Heart, and Back
Cyber Security in the Financial and Healthcare Industries, and How They Affect Homeland Security
Ian Amit, Director of Services
Hi!
Always remember that you are absolutely unique.
Just like everyone else.
Margaret Mead
Part I
Where we look at some examples
The RAP Console is unauthenticated and displays information about the access point. Figure 1
shows a screenshot of the RAP Console home page.
Figure 1: Unauthenticated RAP Console
On the Diagnostics tab it is possible to view the conn_log, sapd_debug, dmseg, and rapper
debug logs. The rapper debug log will log the PAP Username:
Wireless Network Penetration Testing Services
setup_tunnel
Initialized Timers
IKE_init: completed after (0.0) (pid:16341) time:1999-12-31 16:37:53 seconds.
Before getting PSK
PSK:****** User:xiaobo1 Pass:******
A more serious information disclosure is the “Generate & save support file” option available on
the home page of the RAP Console. The support.tgz file contained 73 files, including the ikepsk,
pappasswd, and papuser files, as shown in Figure 2.
What’s the problem there?
Medical or Financial?
Who cares?
Fairly unique to healthcare, right?!
Need to provide people access to medical facilities…
Kind’a like a financial institution needs to provide
customers access to facilities, and their money…
ASSETS
Traditionally protected?
Mapping all access paths?
Mapping all storage locations?
Secondary? Tertiary?…
Human Resources
What can it tell on your organization?
Business plans?
Access to resources?
Motivation (i.e. opportunity…)
Part II
Where we try to connect MORE dots
The single biggest problem in communication is
the illusion that it has taken place.
George Bernard Shaw
Homeland security?
Critical Infrastructure!
Part III
Where we “disprove” what we just learned :-P
Remember this?:
Always remember that you are absolutely unique.
Just like everyone else.
Margaret Mead
We can't solve problems by using the same kind
of thinking we used when we created them!
Albert Einstein
Yes, you do need your
own special way of dealing
with your security posture.
What makes me “tick”?
• What can take the business down?!
• Who is involved???
Product Centric vs. Threat/Asset Centric
Let that last one sit there for a second…
Product Centric | Threat/Asset Centric
Produc | Risk
Zero lateral knowledge transfer | Peer knowledge transfer
Zero self learning (experience) | Improves with practice
Based on lab threats | Based on real (relevant) threats
“Industry Best Practice” | Tailored for YOUR practice
Product / Event
Risk / Asset
Vertical
Lateral
We all know the “how”
Start asking “why”!
Thank YOU!
@iiamit

