2 Jayesh Mowjee Security Consultant Microsoft Services Session Code: SIA330

3 The Disclaimer! In attending this session you agree that any software demonstrated comes absolutely with NO WARRANTY. Use entirely at your own risk. Microsoft Corporation and the other 3rd-party vendors whose software is demonstrated as part of this session are not responsible for any subsequent loss or damage whatsoever.

4 This Session Covers
- The Top 10 security nightmares
- Covert information gathering techniques
- How it's done! - identity theft
- Tools the bad guys use
- Hiding your tracks
- Possible solutions
- The need to know principle
- Conclusions and Q&A

5 The Top 10 Security Nightmares
1. Physical
2. Human Error
3. Malfunction
4. Malware
5. Spoofing
6. Scanning
7. Eavesdropping
8. Scavenging
9. Spamming
10. Out of Band!

6 How Severe is the Threat? (in decreasing order of capability)
- Professional Cyber Criminals & Terrorists
- Disgruntled Employees
- Competitors
- Hacktivists
- Script Kiddies (advertise their actions)

7 Problem: Identifying the Threat
- Uneducated Employees
- Disgruntled Employees
- Competitors
- Hackers
- Foreign Governments

8 Problem: It’s the way we’ve always done it!

9 Problem: Unorganized Response
- What should I do?
- Who should I call?
- Should I shut the system down?
- Should I run the virus cleaner?
- Should I trust my anti-virus quarantine?
- Should I re-image the system?

10 People can be Your Greatest Asset

11 Or your Weakest!!

12 If You Look Hard Enough Bad Security is Everywhere!


15 Places!


18 No Seriously! The Hotel Intrusion

19 Employees on the Road: The Soft Target!

20 The Office Intrusion

21 Organized Security…Er!

22 Badges: Instant Credibility

23 Free Floor Plans!


25 Get on the Inside with a Job!

26 Too much Information

27 Office Security Tips
- Ensure employees are security aware
- Adopt an "Acceptable Use" policy for IT, email, Internet etc.
- Ensure employees are security vetted
- Wear ID badges
- Question visitors: "Can I help you?"
- Secure all entrances and exits
- Know emergency procedures
- Secure your valuables: laptops, phones, keys, IDs etc.

28 Security Headlines

29 Consequences of Poor Security: Brett Kingstone, Nexus Lighting! "What took us $10 million and 10 years to develop, they were able to do for $1.4 million in six months" - Brett Kingstone
http://people.forbes.com/profile/brett-m-kingstone/57603
http://www.gss.co.uk/news/article/5613/Cyberthieves_mine_online_for_corporate_data_nuggets/?highlight=Finjan

30 Hacker 101 Target Selection & Information Gathering

31 Hacker 101: Target Selection
- Person: Identity Theft, Revenge, Invasion of Privacy
- Company: Trade Secrets, Hostile Takeover, Industrial Espionage
- Government: Military Coup, Political Corruption, Bribery, Country Destabilisation

32 So Who are You?
Information required: ID number, full name, birth date, address, possibly driver's license number
Sources: doctor, accountant, lawyer, school, place of work, hotels, health insurance carrier, many others

33 5 Pages of Heaven! Aka a CV
- Once you get someone's CV, you know all about the person
- You can search for it... or you can get people to send it to you
- Recruitment is easy: post a job ad and wait for people to send their life story
- You can even specify which types of people... :)
"Looking for nuclear scientist/engineer with experience in Uranium enrichment and military background. Earn top dollar, 401K plan, dental coverage, 25 days leave. Flexi time. Apply within..."

34 A Growing Problem
- Revealed: 8 Million Victims in the World's Biggest Cyber Heist! - Best Western Hotels (Aug 08) - Russian gangs involved. Details offered for sale on underground website (www.cuxxxx0.ru)
- 10,000 Criminal Records Go Missing on Memory Stick! (July 08)
- Fasthosts UK ISP - 50,000 Websites Hacked (Nov 07)
- ID Theft costs the UK economy £1.6bn per year*
- UK Child Support Agency: 25 Million Records Missing. MI5 ordered to recover data.
- Bank of India etc...
*Sunday Times

35 How it's Done - Identity Theft

36 You are Unique... Keep it that Way!
- Check your credit rating regularly
- Don't reveal too much personal information, especially on online forums and social networking groups
- Watch out for shoulder surfers
- Learn to ask questions: "Why do you need this information? How will it be used?"
- Be aware of your privacy rights
- Make use of new encryption technologies

37 Corporate ID Theft
- Employee error (Xxx Dept Work & Pensions: 25 million records LOST because of a mistake...)
- Fraudulent use of business identity: "account takeover" fraud that hijacks a clean identity for illicit trading
- In certain countries the company register (e.g. Companies House) does not validate any data provided
- Spoof emails, "phishing" and "spear phishing"
- Corporate governance implications

38 Tools the Bad Guys Use! Google hacking!

39 Google Hacking - what the search engine has already indexed for you:
- Various usernames and passwords (both encrypted and in plain text)
- Internal documents
- Internal site statistics
- Intranet access
- Database access
- Open webcams
- VNC connections
- Mail server access
- And much more

40 Google Hacking Examples!
site:com filetype:xls "Accounts"
site:gov.uk filetype:xls users
site:gov.uk filetype:doc staff
site:gov.uk filetype:ini WS_FTP PWD
site:gyhs.co.uk "index of /" password.txt
site:co.uk "index of /" +passwd
site:dk +hotel filetype:xls
site:com +password filetype:xls
inurl:admin users passwords
inurl:admin intitle:index.of
intitle:index.of "Microsoft-IIS/5.0 Server at"

41 Don't Get Google Hacked!
- Keep sensitive information off the Internet
- Be careful how you write your scripts and access your databases: credentials and connection strings must never sit in files reachable from the web root
- Use robots.txt to tell Google which parts of your website it is OK to index and which parts are "off bounds". Caveat: robots.txt is advisory and public; it stops well-behaved crawlers, not attackers, who read it as a map of interesting paths. Anything listed there still needs authentication or removal.
- Ensure directory rights on your web server are in order and directory listing is disabled
- Monitor your site for common errors
- "Google hack" your own website, using the same dorks, before someone else does
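The last tip, "Google hack your own website", can be done offline against your own crawl output rather than waiting for a search engine to index the mistake. The script below is an added example and is not part of the original presentation; it applies rough equivalents of the dorks on the previous slide (indexable spreadsheets and .ini files, "Index of /" directory listings, PWD= lines as left by WS_FTP) to a constructed sample of crawl results, and it also reports every path that robots.txt advertises. The hostname example.test, the URLs and every response body are made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a crawl of our own site: URL -> (HTTP status, response body).
# The hostname example.test and every body below are invented for this example.
SAMPLE_SITE = {
    "https://example.test/": (200, "<html><title>Home</title><p>Welcome</p></html>"),
    "https://example.test/robots.txt": (200, "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\n"),
    "https://example.test/reports/": (200, "<html><title>Index of /reports</title>"
                                           "<a href=\"accounts.xls\">accounts.xls</a></html>"),
    "https://example.test/reports/accounts.xls": (200, "\xd0\xcf\x11\xe0 (binary spreadsheet)"),
    "https://example.test/ftp/WS_FTP.ini": (200, "[Site]\nHOST=ftp.example.test\nUID=deploy\nPWD=V5C2A1B3\n"),
    "https://example.test/admin/": (401, "<html><title>401 Unauthorized</title></html>"),
    "https://example.test/docs/staff.doc": (403, "Forbidden"),
}

# Offline counterparts of "filetype:xls", "filetype:ini", "index of /" and "WS_FTP PWD" dorks.
SENSITIVE_EXT = {".xls", ".xlsx", ".ini", ".sql", ".bak", ".log", ".pst", ".doc"}
DIRECTORY_LISTING = re.compile(r"<title>\s*Index of /", re.I)
CREDENTIAL_LINE = re.compile(r"^\s*(?:PWD|PASS|PASSWORD|PASSWD)\s*=", re.I | re.M)


def robots_disallows(body: str) -> list[str]:
    """Paths a robots.txt asks crawlers to avoid. Attackers read these as a map, so each is a finding."""
    paths = []
    for line in body.splitlines():
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                paths.append(value)
    return paths


def audit(site: dict[str, tuple[int, str]]) -> list[tuple[str, str]]:
    """Return (url, finding) pairs for everything a search engine could index and an attacker would want."""
    findings: list[tuple[str, str]] = []
    for url, (status, body) in site.items():
        path = urlparse(url).path
        if path == "/robots.txt":
            for hidden_path in robots_disallows(body):
                findings.append((url, f"robots.txt advertises {hidden_path}"))
            continue
        if status != 200:
            # 401/403/404 responses are not indexable content; they only confirm the path exists.
            continue
        last_segment = path.rsplit("/", 1)[-1]
        ext = "." + last_segment.rsplit(".", 1)[1].lower() if "." in last_segment else ""
        if ext in SENSITIVE_EXT:
            findings.append((url, f"indexable {ext} file"))
        if DIRECTORY_LISTING.search(body):
            findings.append((url, "directory listing enabled"))
        if CREDENTIAL_LINE.search(body):
            findings.append((url, "credential-like line in body"))
    return findings


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_SITE):
        print(f"{finding:40s} {url}")
```

Feed it the output of your own crawler or the URL list from the site's sitemap and fix findings at the source (authentication, removal, disabling autoindex), not by adding more Disallow lines.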

42 Hacking #102 Hide your Tracks!

43 Hiding Data - Steganography!
- Steganography: the art of storing information in such a way that the existence of the information is hidden
- To human eyes, data usually takes known forms, like images, e-mail, sounds and text. Most Internet data naturally includes gratuitous headers, too. These are the media exploited by two related and controversial encodings: steganography (hiding a message) and marking (embedding a watermark).
- "The duck flies at midnight." "Tame uncle Sam."
- Simple but effective when done well

44 How it’s Done - Steganography

45 What the Bad Guys Use!

46 Pro-Active Cybercrime Prevention Tips
- Learn to identify threats
- Monitor staff and ensure corporate awareness
- Reward corporate loyalty
- Internal and external legislation
- Anonymiser services
- Rights management software
- Make use of cryptography
- Use good old-fashioned cash

47 The Need to Know Principle!

48 Keeping up Appearances! Although I don't know the overall network security posture of the airport, this didn't look good. Part of good security is appearing to be secure: the military teach that the appearance of a hard target can deter attacks. The appearance has to be backed by real controls, or it deters only the casual attacker.

49 Developments
- Biometric passports, DNA identity solutions
- Cloud data centre solutions
- Credit cards with biometrics
- Project Goldeneye / Goldfinger!
- Identity cards: cut the myriad of means to prove identity
- Proposed new criminal offence of "identity fraud"
- Civil liberties arguments: criminalise legitimate anonymity?
- National Criminal Intelligence Service

50 Conclusions!
- The Top 10 security nightmares
- Covert information gathering techniques
- How it's done! - identity theft
- Tools the bad guys use
- Hiding your tracks
- Possible solutions
- The need to know principle
- Conclusions & Q&A


52 Resources
- www.microsoft.com/teched - Sessions On-Demand & Community
- http://microsoft.com/technet - Resources for IT Professionals
- http://microsoft.com/msdn - Resources for Developers
- www.microsoft.com/learning - Microsoft Certification & Training Resources

53 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
