hacking the little guy
play

Hacking the Little Guy slides: redsiege.com/ntxissa Tim Medin - PowerPoint PPT Presentation

May 25, 2023 •155 likes •398 views

Hacking the Little Guy slides: redsiege.com/ntxissa Tim Medin Principal Consultant, Founder Red Siege Oct 5, 2018 NTXISSA.org Contact Tim Medin Red Siege Principal Consultant, Founder > 10 years offense Background in ICS, networking,

  1. Hacking the Little Guy slides: redsiege.com/ntxissa Tim Medin Principal Consultant, Founder Red Siege Oct 5, 2018 NTXISSA.org

  2. Contact Tim Medin Red Siege Principal Consultant, Founder > 10 years offense Background in ICS, networking, and software dev SANS Author and Principal Instructor Program Director SANS MSISE Masters Program IANS Faculty 2 NTXISSA.org

  3. I’m Not a Target 3 NTXISSA.org

  4. I’m Not a Target Do you have money? 4 NTXISSA.org

  5. I’m Not a Target But we’re too small to be a target Are you willing to bet your business on that assumption? 5 NTXISSA.org

  6. I’m Not a Target But we’re too small to be a target Are you willing to bet your business on that assumption? 6 NTXISSA.org

  7. False Sense of Security Breaches happen, but only to someone else 7 NTXISSA.org

  8. History • Nearly 61% of breaches are small to medium sized businesses (Up by from 53%) • Larger business can handle an incident, small-medium simply cannot • Small businesses: The worst ones can cost between $84,000-$148,000 • Doesn’t include cost of contacting clients • Doesn’t count loss of reputation • 60% of smaller business are out of business within 6 months of a breach https://upscapital.com/product-services/cyber-liability-insurance/ http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/ 8 NTXISSA.org

  9. Why So Damaging? • Lack of preparedness • Lack of policies • Lack of procedures • Excessive sharing 9 NTXISSA.org

  10. Limitations • No security personnel • Maybe no IT either • Sharing and openness is easy • Policies are seen as bureaucracy 10 NTXISSA.org

  11. AV has Limited Value • 37% of Malware has a unique has (VBIR) • Defensive tools can provide a false sense of security 11 NTXISSA.org

  12. Excel Macro 12 NTXISSA.org

  13. Simple Bypass 13 NTXISSA.org

  14. Endpoint Protection Bypass 14 NTXISSA.org

  15. Advantages • Attacker • Only needs to win once • Defender • Home field advantage • Know where data is • Know “normal” • Sadly, most organizations squander this advantage 15 NTXISSA.org

  16. Complexity is the Enemy of Security • Small organizations have the advantage of being simple • Lack personnel and processes • Big organizations have personnel and processes • Extremely complex • Medium size – Optimal position 16 NTXISSA.org

  17. Simple Steps – Asset Management • Know your hardware • Know your software • Apply patches, regularly 17 NTXISSA.org

  18. Passwords • Stop rotating • Stop requiring complexity requirements • Rotation and complexity works against you • Increase the length • Use password managers – Unique is key!! • Use two factor when/where you can https://pages.nist.gov/800-63-3/sp800-63b.html 18 NTXISSA.org

  19. Rotation • Ever work the helpdesk on January 2 nd ? 19 NTXISSA.org

  20. Credential Reuse • Credential stuffing • Credentials compromised on site 1 • Credentials then reused at location 2 • Many “hacks” are due to bad password selection and reuse 20 NTXISSA.org

  21. Oversharing • Does everyone need access to the data • Really? • Common misconception that the attacker needs to escalate locally or on the domain 21 NTXISSA.org

  22. Contact Tim Medin tim@redsiege.com @TimMedin 22 NTXISSA.org

  23. Thank you 23 NTXISSA.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

485 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING TOOLKIT FREE, OPEN-SOURCE WHAT IS ZIGDIGGITY??? + = RaspBee radio + Raspberry Pi ZigDiggity - GitHub Code http://zigdiggity.com BISHOPFOX

617 views • 23 slides
Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET

481 views • 37 slides
Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi From Myself Associate Professor at UiO Teaching Ethical Hacking since 2012 Lecturer of the IN5290 Ethical Hacking at UiO Leader

878 views • 66 slides
Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

CLIMATE CHANGE IN HELTHCARE : Driving Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking engelen GIB DE MEDEIROS, PH.D. Digital Hospital Transformation Forum at HIC 2017 Brisbane, Australia HACKING

644 views • 27 slides
Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS Laurent Ghigonis P1 Security 2014, Hackito Ergo Sum - Security Conference What are we talking about ? A mobile

724 views • 59 slides
Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review

Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review

Mr. Robot, an Emmy Award-winning TV drama starring a vigilante hacker CS 88S Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review last weeks material Hack Hollywood Hacking: The Good, The

718 views • 45 slides
Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized

Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized

Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized cybercrime Joseph Menn Agenda Agenda Why Russia matters (and differs from China) Why Russia matters (and differs from China) How three hackers got

557 views • 12 slides
Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de

Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de

Outline Google Hacking Privacy Searches Countermeasures Future Work Conclusion Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de Department of Computer Science, University of Mannheim (on leave to the

389 views • 21 slides
Introduction to Information Retrieval: IR Basics and Evaluation Prof. Srijan Kumar 1 Srijan

Introduction to Information Retrieval: IR Basics and Evaluation Prof. Srijan Kumar 1 Srijan

CSE 6240: Web Search and Text Mining. Spring 2020 Introduction to Information Retrieval: IR Basics and Evaluation Prof. Srijan Kumar 1 Srijan Kumar, Georgia Tech, CSE6240 Spring 2020: Web Search and Text Mining Logistics Class size: Due

947 views • 63 slides
Encoding algorithms NRZ Bits 0 0 1 0 1 1 1 1 0 1 0 0 0 0 1 0 High = 1 Low

Encoding algorithms NRZ Bits 0 0 1 0 1 1 1 1 0 1 0 0 0 0 1 0 High = 1 Low

CSE 123 Computer Networks Lecture 3: Data Link I Framing and Error Control July 10, 2006 Chris Kanich Portions courtesy Jeannie Albrecht, Lecture 3 Framing and Error Control CSE 123 Robin Kravets and Steve Lumetta Last time:

365 views • 10 slides
Lancaster County Transportation Strategy Jeff McKerrow, PE, PTOE Nick Weander, PTP, MPA April

Lancaster County Transportation Strategy Jeff McKerrow, PE, PTOE Nick Weander, PTP, MPA April

Lancaster County Transportation Strategy Jeff McKerrow, PE, PTOE Nick Weander, PTP, MPA April 5, 2018 1 Agenda Team Introductions Study Goals Community Profile Existing Conditions Preservation and Optimization Baseline

588 views • 58 slides
NOTES ON TECHNICAL PRESENTATIONS Informal Presentations Purpose - idea interchange,

NOTES ON TECHNICAL PRESENTATIONS Informal Presentations Purpose - idea interchange,

NOTES ON TECHNICAL PRESENTATIONS Informal Presentations Purpose - idea interchange, brainstorming, status, report, training, education. Audience - friendly, peers, small to medium size, technical Visual Aids - blackboard,

174 views • 13 slides
Point-to-Point Links modulate electromagnetic waves e.g., vary voltage Encode binary

Point-to-Point Links modulate electromagnetic waves e.g., vary voltage Encode binary

Encoding Signals propagate over a physical medium Point-to-Point Links modulate electromagnetic waves e.g., vary voltage Encode binary data onto signals Outline e.g., 0 as low signal and 1 as high signal Encoding Framing

463 views • 6 slides
$ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I

$ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I

Presentation Slides $ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I really need this item? Is it worth the time I spend making the money to pay for it? Is there a better use for my money

489 views • 18 slides
Back to Basics 15-441/641: Physical and 1. Physical layer. 2. Datalink layer Application

Back to Basics 15-441/641: Physical and 1. Physical layer. 2. Datalink layer Application

11/9/2019 Back to Basics 15-441/641: Physical and 1. Physical layer. 2. Datalink layer Application Datalink Layers introduction, framing, Presentation error coding, switched Session networks. 15-441 Fall 2019 Transport Profs Peter

435 views • 12 slides
LoWS Lo cation-based W i-Fi S ervices A Complete Open Source Solution for Wi-Fi Beacon Stuffing

LoWS Lo cation-based W i-Fi S ervices A Complete Open Source Solution for Wi-Fi Beacon Stuffing

LoWS Lo cation-based W i-Fi S ervices A Complete Open Source Solution for Wi-Fi Beacon Stuffing Based Location-based Services WMNC 2016 Sven Zehl , Niels Karowski, Anatolij Zubow and Adam Wolisz Telecommunication Networks Group Technische

1.13k views • 69 slides

More recommend