Women in ICT and Newbie Night (August 15) – PowerPoint PPT Presentation



SLIDE 1

August 15

Women in ICT and Newbie Night

SLIDE 2

Introduction…

  • Statistics
  • Who here is from some form of social media?
  • Who here is a developer?

August 15 Cyber Security FM (Women in ICT and Newbie Night)

SLIDE 3

Cyber – Governance, Risk and Compliance


SLIDE 4

Cyber Security can be difficult to define…


  • Integrity
  • Auditability
  • Confidentiality

SLIDE 5


Cyber risk - Think business risk, not IT

People
  • Employees
  • Contractors
  • Vendors

Process
  • Incident Management
  • Change Management
  • Patch Management

Technology
  • Firewalls
  • Anti-virus
  • DLP (Data Loss Prevention)

SLIDE 6

Security Breach

Are we secure yet?

Firewall


Cyber Attack on US Military: The attackers used a spear-phishing e-mail to penetrate the system and gain access to sensitive information. This attack was made possible by poor human performance.

NSA Data Breach: An American computer professional, former CIA employee, and former government contractor leaked classified information from the U.S. National Security Agency (NSA) in 2013 to reveal secrets about NSA surveillance programs.

SLIDE 7


Threat elements of a Cyber attack

Property – Description – Examples

Actor – Person at the source of an attack with specific goal and motivation.
  • Hackers
  • Employees
  • Third Parties

Motive – Deliberate or accidental.
  • To steal personal information
  • Damage reputation

Asset – Assets which the threat actor intends to steal or affect in some way to achieve their goals.
  • Sensitive data
  • Mail server
  • Staff member

Outcome – The effect of an attack.
  • Disclosure of Information
  • Service Disruption

SLIDE 8


Threat Scenario – Company X
  • Company X (Healthcare Service Provider)
  • PII (Personally Identifiable Data), PHI (Personal Health Information)
  • Personal information stored in backup tapes transferred to a bank safe
  • Backup tapes stolen during transportation

Risk – What is the business risk?
  • Data Breach – Company X is breached and sensitive information is stolen.

Actor – Who performs the attack?
  • Employee

Asset – What is the attacker targeting?
  • Sensitive data: PII (Personally Identifiable Data), PHI (Personal Health Information)

Risk Impact – What is the potential impact?
  • Loss of confidential or sensitive data resulting in financial, reputation or compliance impact.

Mitigating Controls – What can we do to mitigate the risk?
  • People: Security training and awareness for third party service provider
  • Process: Safe transportation of backup tapes
  • Technology: Encryption of backup tapes

SLIDE 9

Security Assessment / Pentest


SLIDE 10

Pentest

Try to break into things

  • Single, “point-in-time” check
  • As much coverage as we can

Provide invalid input

  • Is an application expecting a number? Give it ' OR '1'='1
  • Is an application expecting a filename? Give it ../../../etc/passwd
  • Is an application expecting a URL? Give it file:// or supply a hostname and a port number


SLIDE 11

Demo - SQLi


SLIDE 12

Demo - SQLi

Try using a single quote for a password:


SLIDE 13

Demo - SQLi

Error shown for a single quote as the password:

  query expression 'username = 'admin' AND password = ''''.

Error shown for the OR payload as the password:

  query expression 'username = 'admin' AND password = '1' OR '1'='1''.

Huzzah!


SLIDE 14

“The Magic”

Carefully passed down through generations of pentesters

  • Single quote: breaks SQL statements
  • Percent sign: breaks SQL LIKE
  • Double quote: breaks DOM attributes, string concatenation
  • Angle bracket: breaks DOM when inserted directly into DOM
  • ../: breaks when string is part of the filename
  • Semicolon: breaks shell/interpreters, breaks when string is a filename (and filtering for ../)
  • Asdf: Invalid syntax, designed to trigger an error
  • Double forward slash, double hyphen, # sign: Comment. Invalidates rest of original command

I will give you $10 if you enter this into every field for a week and nothing breaks.
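The SQLi demo (slides 12–13) and the "single quote breaks SQL statements" point above, reproduced as an added example that is not part of the slides: a login query built by string concatenation, beside the same query using placeholders, run against a constructed in-memory SQLite table with one user.

```python
# Added example (not from the slides): concatenated vs. parameterised login query.
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a single user; the password is stored in clear
    # only to keep the demo short (a real system would store a password hash).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Vulnerable form: user input is pasted into the SQL text, as in the demo."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # A lone single quote leaves the statement unterminated: the parser
        # error is the "query expression" message the slides show.
        return f"error: {exc}"
    return "ok" if row else "denied"


def login_param(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Hardened form: placeholders keep the input as data, so no character is 'magic'."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return "ok" if row else "denied"


def run_demo() -> dict:
    """Feed the slides' inputs to both forms; returns {password: (concat, param)}."""
    conn = make_db()
    results = {}
    for pw in ["s3cret", "'", "1' OR '1'='1"]:
        results[pw] = (login_concat(conn, "admin", pw), login_param(conn, "admin", pw))
    return results


if __name__ == "__main__":
    for pw, (concat, param) in run_demo().items():
        print(f"password={pw!r:18} concat={concat!r:40} param={param!r}")
```

The concatenated form errors on the lone quote and accepts the OR payload; the parameterised form simply denies both, which is the fix the demo motivates.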


SLIDE 15

Using “The Magic”

Proxy

  • Intercept traffic, manually replace parameters
  • Burst (https://github.com/tweksteen/burst)
  • Burpsuite

In-browser

  • Put things in the URL
  • Write a browser plugin
  • Developer tools (to reveal hidden fields)


SLIDE 16

If you’re interested…

Wargames

  • Google Gruyere
  • Exploit-exercises.com
  • Vulnhub
  • Bugcrowd

Tools and techniques

  • Learn systems very thoroughly
  • Learn a low-level programming language
  • Learn something like Perl – flexibility is awesome


SLIDE 17

Thank you!
