John Butters Running Tiger Teams

1 John Butters Running Tiger Teams - What’s the point?
19 September 2018

2 Agenda
- Outline what we do
- Do’s and don’ts

3 What is it?
Using the techniques of hackers or crackers, legitimately and in a controlled environment, to find and/or exploit security vulnerabilities.
Includes:
- Internal
- External
- Social Engineering
- War Dialling
- Wireless
- Application
- Vulnerability Scans
Typical Findings:
- Technical: missing patches, misconfigurations, no IDS
- Non-technical: human practices, poor processes to monitor & respond, poor reaction times
- Trophies: access to a wide range of resources, sensitive and non-sensitive

4 Anatomy of a hack

5 Video Clips
- Trace route
- Password Cracking
- Bank hack

6 (no transcript text)

7 (no transcript text)

8 (no transcript text)

9 War Stories
- Global Oil Company: able to administer the process control unit for a gas pipeline
- Global Chemicals Company: access to HR information, strategic merger target information, personal credit card details, secret formulas/recipes
- Large Utilities Company: control of a large portion of the network, including business critical systems
- Global Hotel Chain: central reservation system, business plans, board report, executive compensation, guest and credit card details

10 Why do people buy it? Example one
Buyer: internal audit
Objective: 1) to prove inadequacy of security; 2) to score points, personal kudos
Scope: known weak application, limited by budget, “safe” targets, single-site external attack

11 Scenario one - Results
- Technical report for IT to address (symptomatic response)
- Exec summary saying “you’re vulnerable to hackers”
- Increased distrust and animosity between IT and IA
- High profile, resulting in total focus on solutions to the findings
- After actions to address the report, everyone relaxes because “we’ve had our security tested and we’ve fixed all the holes”
- Report to the business customers and the world that we’re OK because we have regular testing and have addressed all the vulnerabilities
Conclusion: The exercise has done more harm than good.

12 Scenario two
Buyer: Global CISO
Objective: determine vulnerability of corporate websites to defacement or DoS at the time of the global launch of a brand ($40 million spend)
Scope: corporate websites, with specific emphasis on vulnerability to DoS or defacement by external attack
Result: some issues to address pre-launch; comfort that reasonable steps were taken to protect the corporate brand during the launch period
Conclusion: Right tool for the right purpose. Happy client.

13 Pro’s and Con’s
Pro’s:
- Attention & awareness
- Positive result implies weakness
- Relatively quick and inexpensive
- Keeps people on their toes
- Useful component of overall assurance programme
Cons:
- FUD (fear, uncertainty, doubt)
- Potential agendas, internal conflicts
- Unbalanced view of security
- Negative result doesn’t ensure security
- May be unrelated to business context
- Highlights problems, not solutions
- Tells techies nothing new
- Results misused to give false assurance
- Legal and risk implications
- Professional ethical hackers don’t know all that the underground hacking world does
- Focus on perimeter; perimeters are breaking down
- Like a baseball bat: a useful tool for the right purpose, but more improper than proper uses

14 Doing it for the right reason
- As part of an overall security programme/assurance function, or for a specific purpose
- Clear objectives & scope
- Report relating to the objectives, the business, and addressing causes as well as symptoms
- Consider presentation alterations
- Clear follow-up actions
- Manage politics, legal issues & risk

15 Scoping & Objectives
(Process diagram; elements recovered from the slide:)
- Business Input
- Assess Threats
- Develop Penetration Tests Used By Threat Groups: Remote Dial Up Attack, Internet Attack, Web Browser Attack, Internal Attack, Social Engineering
- Perform Tests Simulating Threat Groups
- Exposure Feedback
- Strategic Actions, Short Term Fixes, Medium Term Actions

16 Questions
