
Social Engineering

Wednesday, September 21, 2016 1:06 PM

"WE WERE HERE TO BE FRIGHTENED BY THEM" LOL

Speaker 1: Drexx Lagui


The Art and Science of Advanced Social Engineering

- Human Hacking
- Deception
- Manipulation
Online Presence leads to Cybercrime

1. Cybercrime
a. Cost Benefit Analysis
i. Bank Robber
1) Profit : 5m
2) Members : 10
3) CAPEX: 50k x 10
4) Detection Time : ~mins
5) Risks: Serious Injuries and Death
6) Share: 450k
7) Job opportunity: once a year
ii. Cyber criminals
1) Profit: 50m
2) Members: 5
3) Capex: 50k x 5
4) Detection time: ~ up to 9 months
5) Risks: none, a slap on the wrist lol (they get away with it)
6) Share: 9.75 m
7) Job: once per hr
b. PNP Anti Cybercrime
i. Online paluwagan (rotating savings schemes), scams
c. Anonymity
i. Criminals are never anonymous given time and resources
2. Social Engineering
a. Something to manipulate people
b. Physically manipulating people
3. Evil thought processes ( SE attack)
a. Step 0 : preparation
i. Laws 29 and 47 (The 48 Laws of Power)
b. Step 1: choose the right victim (the fraud triangle)
i. Fraud triangle
1) Pressure/incentive
2) Opportunity: the factor developers control (logs, password authentication)
3) Rationalization
ii. 7 deadly sins to profile people
c. Step 2: establish Friendship
i. Insinuation
ii. Temptation
d. Step 3: Attack
i. Ransomware
1) Bitcoin
ii. Phishing
1) RA 10175 (Cybercrime Prevention Act of 2012)
iii. Payload malware

PSIA 22nd ES - Deep Security Page 1


iv. Credit Card Fraud



Application Security
Wednesday, September 21, 2016 3:43 PM

Speaker 2: Rene Jaspe


Application Security

- Biggest threat in business


- Dev guys, not Network Guys
1. 2015 security attacks
a. SQL injection
b. DDoS
c. Misconfiguration
2. Gone are the days of "Once it works, it's OK"
a. Vulnerability assessment (VA) every week
i. From outside the firewall
b. Penetration test every week
i. Internal and external
3. Market Drivers
a. DPA (Data Privacy Act), BSP (Bangko Sentral ng Pilipinas)
4. App Security Challenges
a. Devs lack Security Insights
i. On time and on budget vs. secure apps
ii. Rare education
b. Security Team = SDLC Bottleneck
5. Software Security using MOB (Microsoft SDL, OpenSAMM, BSIMM)
a. Should be at the strategic (top) level; risk of legal responsibility
b. M: Microsoft Security Development Lifecycle (SDL)
i. Training
ii. Requirements
iii. Design (threat modeling): e.g. what a login page needs depends on the industry (PCI)
iv. Implementation
v. Verification
vi. Release
vii. Response
c. SDL for Agile
d. O: OpenSAMM (OWASP project)
i. 12 key practices
e. B: BSIMM 6
i. The measuring stick in the industry



Insecurities and Securities
Wednesday, September 21, 2016 3:43 PM

Speaker 3: Markku Kero


Insecurities and Securities

Security Loop hole case studies:

Case Study: BPI


- Server versions in HTTP headers
- Old versions
- EOL Support
- 24 of the top 30 FTSE-listed companies use IIS 6.0
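The BPI case study above is about what a server reveals in its response headers: product and version strings, and versions that are already end-of-life. The following is an added example, not code from the talk or from any of the organisations named; it parses constructed HTTP response headers (no real captures) and flags version disclosure and known end-of-life products. The end-of-life table is an assumption for the example and only lists IIS 6.0, which the notes mention; it shipped with Windows Server 2003, whose vendor support ended on 2015-07-14. Header names, severities and the `Finding` type are choices made here.

```python
import re
from dataclasses import dataclass

# Constructed sample responses for the example; these are not real captures.
SAMPLE_RESPONSES = {
    "legacy": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Microsoft-IIS/6.0\r\n"
        "X-Powered-By: ASP.NET\r\n"
        "X-AspNet-Version: 2.0.50727\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "hardened": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
}

# Assumed end-of-life table for the example (keyed by lower-cased Server value).
EOL_PRODUCTS = {
    "microsoft-iis/6.0": "Windows Server 2003 platform; vendor support ended 2015-07-14",
}

# Headers that commonly leak product or version information.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "via")


@dataclass
class Finding:
    header: str
    value: str
    severity: str
    note: str


def parse_headers(raw):
    """Split a raw HTTP response into a dict of lower-cased header names -> values."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw):
    """Return findings for version/technology disclosure and end-of-life products."""
    headers = parse_headers(raw)
    findings = []
    for name in VERSION_HEADERS:
        if name not in headers:
            continue
        value = headers[name]
        if value.lower() in EOL_PRODUCTS:
            findings.append(Finding(name, value, "high", EOL_PRODUCTS[value.lower()]))
        elif re.search(r"\d+\.\d+", value):
            findings.append(Finding(name, value, "medium", "version number disclosed"))
        elif name != "server":
            # A bare product name in Server is expected; in the X-* headers it still leaks stack details.
            findings.append(Finding(name, value, "low", "technology disclosed"))
    return findings


def worst_severity(raw):
    """Collapse the findings to a single rating so a scan of many hosts can be ranked."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in audit_headers(raw)), key=order.get, default="none")


if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(label, worst_severity(raw))
        for finding in audit_headers(raw):
            print("  ", finding)
```

The fix for the "hardened" shape is server-side configuration (suppressing or genericising the `Server` and `X-*` headers), but the real point of the case study is that a generic header does not make an old version new: the check is a tripwire for a patching and decommissioning process, not a substitute for one.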

Case Study: Starbucks


- Unaware breaches
1. ADSL Routers vulnerable to hacking
2. NMAP
3. GDAP
4. Defacing websites
5. WORDPRESS! - source of hacking and defacement
6. Tutorials on hacking WordPress in 5 minutes
7. SSH, Ethernet and PC: IoT risk
8. Startup Recommendations
a. Authentication
b. Indexing
c. Load Balancing
9. Vulnerabilities: the common denominator is bad code!
a. Bad software and systems can be hacked
i. Do not deploy bad systems
ii. Fix and replace bad systems
iii. Teach yourself skills of a hacker.
iv. Use skills and practice.



Prevention of Fraud with Cyber Security
Wednesday, September 21, 2016 3:47 PM

Speaker 4: Angelo Radoble


Preventing Fraud through CS

1. Fraud Tree
a. Bribery and Corruption
b. Asset Misappropriation
2. Fraud Triangle
a. Opportunity: external and internal threats, driven by technology
3. Common Areas of Fraud
a. Purchase To Pay
b. Corporate CC
c. Payroll
d. Sales & Receivables
e. Financial Reporting
f. Information systems and critical data
4. Prevent Fraud
a. Confidentiality
b. Integrity
c. Availability
d. Accountability
e. Traceability
f. Non-Repudiation
5. Risk Assessment
a. IT Security - internal
b. Cyber security - internal and external enterprise
c. Risks
i. Operational
ii. Financial
iii. Compliance
iv. Reputational
v. Strategic
d. Controls (CyberSecurity)
i. Technical: at the OSI layers
ii. Physical: the perpetrator gains access to assets
iii. Administrative: use technology to enforce policy
e. Security
i. Outside in
ii. Inside out: core controls
1) Encryption
2) Secure Programming
3) Server Hardening

- BackTrack: SQL injection
- SQLMap: SQL injection tool
- Kali
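The notes close with SQL injection tooling and, under "inside out" security, secure programming. As an added example (not from the talk), here is the defect those tools look for next to its fix: a lookup that concatenates user input into SQL, beside the same lookup with a bound parameter. It uses Python's built-in `sqlite3` on an in-memory database with constructed rows; the `accounts` table, the usernames and the tautology test string are all made up for the example.

```python
import sqlite3


def make_db():
    """In-memory database with constructed rows (example data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)",
        [("alice", 500), ("bob", 1200), ("carol", 75)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Deliberately vulnerable: the caller's string becomes part of the SQL text,
    # so quote characters in it change the statement's structure.
    query = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Hardened: a placeholder is used and the value is bound by the driver;
    # whatever the string contains, it is compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


# Constructed test input: a classic tautology that turns the WHERE clause into
# "username = 'x' OR '1'='1'" when concatenated, matching every row.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Run both lookups with a normal and a hostile input and return the row sets."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The vulnerable version returns every account for the tautology input; the parameterised version returns nothing, because no account is literally named `x' OR '1'='1`. This is the single change that a weekly vulnerability assessment or an SQLMap run should stop finding, and it is a code-review item rather than a network one, which is the "dev guys, not network guys" point from the application security talk.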



Files
Wednesday, September 21, 2016 4:03 PM

Attached recordings: Speaker 2; Speaker 1 and 3 (Voice 001_sd); Speaker 4

