The Seven Secrets of Offensive Security

Gary S. Miliefsky, CEO of SnoopWall, Inc. – www.snoopwall.com


About the Speaker – SnoopWall’s CEO

I’m Gary S. Miliefsky, CEO, SnoopWall, Inc. Inventor. Entrepreneur. Founding Member, DHS.gov. CyberSecurity Expert. Breach Prevention Pioneer.

My bio is online at: http://www.snoopwall.com/media/

Miliefsky’s Cyber Dictionary – Making Sure I’m at the Right Conference…

Malware – Not very nice software. Malicious in nature.

DDoS – Distributed Denial of Service Attack – many computers or internet devices (including IoT) that are secretly infected and accessed remotely by the cyber hackers to send tons of packets (usually 500mb/sec to 1GB/sec) at a target (such as an online retailer or website or gaming network) to temporarily take it down.

IoT – Internet of Things

Ransomware – Encryption Malware Charging Ransom

Virus – old fashioned name for malware.

Spyware – malware that spies on your keyboard and/or other hardware ports like webcam and microphone

Remote Access Trojan (RAT) – malware that remotely spies on you. Allows hackers to take control of your computer remotely over the internet without you even noticing

Spear Phishing Attack – an Email (or SMS message) that looks like it came from someone you trust with a malicious (malware) attachment that usually is a RAT or Ransomware.

PII – Personally Identifiable Information; stolen by cyber criminals using malware.

Gary S. Miliefsky | www.snoopwall.com | June 7, 2017

45% of breaches in the private sector are of companies with less than 1,000 employees

Source: Verizon Breach Investigations Report

Are You A Target? YES!


Your Network is a Sitting Duck!


Breaches are on an Exponential Rise…

1. Last year, according to World Bank, Cybercrime reached $600B, that’s $100B more than Drug Crime.

2. Cybercrime is now the #1 form of criminal activity globally.

3. I predict 2017 will be a One Trillion Dollar Year for Cyber Criminals.


The Average Cost of a Breach? It’s over $3M…this could put you out of business.

– Loss of current and future customers
– Tarnished brand and reputation
– Lawsuit/legal fees
– Fines and penalties
– Significant administrative & remediation costs

If it’s a ransomware breach, add “Paying Ransom” to the list…


Why are Breaches So Frequent? It’s easy when there is NO SECURITY BY DESIGN:

– Backdoors…
– Late patches…
– Poor configuration management…
– Exploitable vulnerabilities…
– Innovative threats…
– Easily exploited people…
– Infrequent backups…
– Little to no strong encryption (and proper key management)…


Everything running the TCP/IP Stack (internet protocols) is INSECURE by DESIGN…

– Autonomous Delivery Drones (Amazon) – crash into property or a person and harm them
– Autonomous Cars (Google, Uber, etc.) – crash into another vehicle and harm people
– Internet of Things (Apple, Google, Samsung, Microsoft, LG, etc.)
  • Smart Phones – receive ransomware over SMS – pay or your phone becomes a brick
  • Smart TVs – used to eavesdrop on the consumer by companies, governments and hackers
  • Smart Watches – remotely accessed to steal personal information, wireless car & hotel keys, etc.
  • Smart Doorbells – let burglars know when you are not home; a backdoor to your home wifi
  • Smart Refrigerators – receive ransomware over the internet – pay or your food spoils
  • Smart Climate Controls (Nest) – receive ransomware – pay or your house freezes in the winter
– Internet Entertainment Centers
  • In our cars – remotely exploited to take control of the car – speed it up, slow it down, crash it
  • On our trains – remotely exploited to take control of the train – speed it up, slow it down, crash it
  • In the passenger cabin of airlines – exploited to hijack a plane – cause panic and fear


YOUR SMART REFRIGERATOR RECEIVES RANSOMWARE

You purchased the LG unit that has a safety lock to keep your young children out…when suddenly it receives ransomware over the internet (wifi).


So How About Security By Design?

– Threats exploit Vulnerabilities
– Vulnerabilities are Holes or Weaknesses
– The latest threats take advantage of the inherent weaknesses in the Internet protocols
– The Internet protocols are used to create home, business and government networks
– These protocols enable devices to communicate with each other
– These protocols allow Threat actors anywhere in the world to attempt to exploit any Internet connected device (Car, Phone, TV, Computer, etc.)
– Threats leveraging the Internet include…
  • Denial of service attacks
  • Remote Access Trojans
  • Spear Phishing Attacks
  • Ransomware


So How About Security By Design?

– Hardware and software are developed with backdoors for ‘remote access’ – many claim this is for support teams to help customers remotely:
  • Look at the new Samsung Smartphone: it’s running an SSH server (remote access server), and if you have the keys at Samsung, you can remotely access any of these new phones. If a hacker gets these keys, so can they.
– Software is developed with inherent coding flaws (buffer overflows, hard-coded passwords and other exploitable bugs)
– Some vulnerabilities can be closed:
  • Patches that work.
  • Reconfigurations that work around the hole.
  • Turning off vulnerable services or features until a fix is available.


So How About Security By Design? Demand the following of market leaders…

– NO BACKDOORS
– STRONG ENCRYPTION
– HARDWARE DESIGN SECURITY AUDITS
– SOFTWARE SOURCE CODE SECURITY AUDITS
– PRE-RELEASE PENETRATION & VULNERABILITY TESTING OF END PRODUCTS
– SECURITY PATCH UPDATES BAKED INTO THE DESIGN
– WRITTEN POLICIES AND PROCEDURES FOR SECURITY PATCH UPDATES
– RAPIDLY DEPLOYED, WELL TESTED SECURITY PATCH UPDATES
– WELL DOCUMENTED PRIVACY POLICIES
– PUBLICLY NOTICED, PAID AND OPEN BUG BOUNTY PROGRAM


Short Intermission… Let’s all play…

Lifeline: http://tinyurl.com/snoopwall-breaches


How Vulnerable is Sensitive Data?

Source: Vormetric 2017 Global Data Threat Report

(Chart – the percentage was not preserved in the transcript) … of Sensitive Data is Very Vulnerable, Overall


Are Insider Threats Really That Serious?

Source: Insider Threat Report of 2017, by Crowd Research Partners

Drumroll Please…. THE SECRET FORMULA OF OFFENSIVE SECURITY

Make sure you are taking notes…



7 SECRETS OF OFFENSIVE SECURITY

SECRET #1: YOU HAVE REASONABLE PHYSICAL SECURITY AGAINST UNWANTED VISITORS… YET YOU HAVE INCREDIBLY POOR NETWORK SECURITY BEHIND THOSE CLOSED DOORS…


SECRET #2: YOU BELIEVE FIREWALLS AND ANTIVIRUS WILL PROTECT YOU

THEY WON’T. IN FACT: 95% of BREACHES, including Sony Pictures Entertainment and YAHOO!, happen behind firewalls on systems protected by Anti-virus software.


SECRET #3: YOU NEED TO FOCUS ON WHERE MOST ATTACKS HAPPEN…ON TRUSTED “PROTECTED” ASSETS

SPEAR PHISHING ATTACKS & REMOTE ACCESS TROJANS (RATS) ARE THE TOP FORM OF SUCCESSFUL ATTACKS AGAINST ANY NETWORK.


SECRET #4: RANSOMWARE IS COSTING US MILLIONS BUT THERE’S A SIMPLE WAY TO AVOID IT…

FREQUENT, TESTED, DAILY BACKUPS. IF YOU COULD ISOLATE THE RANSOMWARE AND REBUILD THE INFECTED SYSTEM QUICKLY, THE DAMAGE IS NEAR ZERO.
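The word that matters in that slide is TESTED: a backup nobody has ever restored from is a hope, not a control. The script below is an added example, not code from the presentation or from SnoopWall; it shows the drill a practitioner would automate, using only the Python standard library. It inventories a directory (a list of what must survive, with SHA-256 of each file), writes a daily archive, restores it into a clean directory and compares every restored file against the inventory. The sample files, directory names and the deliberately misconfigured exclude list are all constructed for the demonstration.

```python
"""Backup-and-restore drill for "frequent, tested, daily backups".

Added example (not from the original presentation). Runs offline in a
temporary directory with constructed sample files.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(src_dir: Path) -> dict:
    """{relative path: sha256} of everything that must be protected.

    Built independently of the backup job, so a misconfigured job cannot
    hide what it silently skipped.
    """
    return {p.relative_to(src_dir).as_posix(): sha256_of(p)
            for p in sorted(src_dir.rglob("*")) if p.is_file()}


def make_backup(src_dir: Path, archive: Path, exclude: frozenset = frozenset()) -> int:
    """Write a .tar.gz of src_dir, skipping top-level names in `exclude`; returns files archived."""
    count = 0
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir)
            if rel.parts[0] in exclude:   # simulates an over-broad exclude rule
                continue
            tar.add(path, arcname=rel.as_posix())
            count += 1
    return count


def verify_restore(archive: Path, expected: dict, restore_dir: Path) -> list:
    """Restore into a clean directory; return the files that are missing or differ.

    An empty list means the backup is actually usable. A non-empty one means
    you found out today, not on the day the ransomware hits.
    """
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # 'data' filter refuses absolute paths and ".." members (Python 3.12+,
            # backported to 3.8.17 / 3.9.17 / 3.10.12 / 3.11.4)
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)  # older interpreters have no filter kwarg
    problems = []
    for rel, digest in expected.items():
        restored = restore_dir / rel
        if not restored.is_file() or sha256_of(restored) != digest:
            problems.append(rel)
    return problems


def run_drill(exclude: frozenset = frozenset()) -> list:
    """Full cycle on constructed data: inventory, back up, restore elsewhere, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, restore, archive = tmp / "src", tmp / "restore", tmp / "daily.tar.gz"
        (src / "finance").mkdir(parents=True)
        # constructed sample files standing in for real business data
        (src / "finance" / "payroll.csv").write_text("emp,amount\nalice,100\n")
        (src / "notes.txt").write_text("constructed sample file\n")
        expected = inventory(src)
        make_backup(src, archive, exclude)
        return verify_restore(archive, expected, restore)


if __name__ == "__main__":
    print("clean drill, problems:", run_drill())
    print("drill with 'finance' excluded, problems:", run_drill(frozenset({"finance"})))
```

The second drill is the failure mode worth rehearsing: the backup job runs, reports success and produces an archive, yet the payroll file is not in it. Only the restore-and-compare step exposes that, which is why the inventory is computed from the source tree rather than from what the archiver happened to write.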


SECRET #5: DATA THEFT (ex. 4TB of SONY PICTURES ENTERTAINMENT MOVIES AND EMAILS) IS USELESS IF….

YOU ALWAYS ENCRYPT THE DATA. IF YOU COULD ALWAYS ENCRYPT THE DATA (AT REST AND IN TRANSIT) AND MANAGE THE KEYS, WELL, THEN THE CYBER CRIMINALS GET NOTHING OF VALUE!!!


SECRET #6: DON’T RISK BEING A VICTIM AS TIME IS AGAINST YOU…

NOW IS THE TIME TO GET PROACTIVE AND GO ON THE OFFENSE

FIND A RISK MANAGEMENT OR INTRUSION PREVENTION SYSTEM OR BREACH PREVENTION SOLUTION THAT HELPS YOU BEHIND YOUR CORPORATE FIREWALL AND FOCUSES ON THE WORST THREATS, HELPS YOU FIND AND FIX YOUR VULNERABILITIES AND PROTECT YOUR NETWORK ASSETS. IT MAY TAKE A COMBINATION OF POLICIES, PROCESSES, PRODUCTS AND SERVICES.


SECRET #7: YOU NEED TO MANAGE AND REDUCE RISKS, DAILY, BEHIND YOUR CORPORATE FIREWALL. LEARN AND UTILIZE THE RISK FORMULA (BIG SECRET)

R = T x V x A

Risk = Threats (strength of each) x Vulnerabilities (exploitability) x Assets (value of each)
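The formula only earns its keep when it is applied across a whole inventory and used to decide what to fix first, so here is a worked example that goes a little beyond the slide: it scores each asset with R = T x V x A, ranks them, and then compares candidate fixes by how much R each one removes. This is an added example, not part of the presentation or any SnoopWall product; the 1-5 scoring scale, the four assets and the post-fix vulnerability numbers are all constructed assumptions.

```python
"""Worked example of the talk's risk formula R = T x V x A.

Added example, not from the original presentation. The 1-5 scale, the asset
inventory and the mitigation figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    name: str
    threat: int         # T: strength of the threats facing this asset (assumed 1-5 scale)
    vulnerability: int  # V: how exploitable the asset is today (1-5)
    value: int          # A: business value of the asset (1-5)

    def risk(self) -> int:
        """R = T x V x A, exactly as the slide states it."""
        return self.threat * self.vulnerability * self.value


def rank_assets(inventory):
    """Assets ordered from highest to lowest risk (ties broken by name)."""
    return sorted(inventory, key=lambda a: (-a.risk(), a.name))


def risk_reduction(asset: AssetRisk, new_vulnerability: int) -> int:
    """How much R drops if a fix (patch, reconfiguration, disabled service) lowers V."""
    if not 1 <= new_vulnerability <= asset.vulnerability:
        raise ValueError("a fix can only lower V, and only within the 1-5 scale")
    return asset.risk() - asset.threat * new_vulnerability * asset.value


def best_fix_first(inventory, fixes: dict):
    """Given {asset name: V after the fix}, return (name, reduction) pairs, biggest win first."""
    by_name = {a.name: a for a in inventory}
    wins = [(name, risk_reduction(by_name[name], v)) for name, v in fixes.items()]
    return sorted(wins, key=lambda w: (-w[1], w[0]))


# Constructed inventory: scores are assumptions for the example, not measurements.
INVENTORY = [
    AssetRisk("file-server", threat=5, vulnerability=4, value=5),  # holds PII, behind the firewall
    AssetRisk("hr-laptop",   threat=4, vulnerability=3, value=4),  # typical spear-phishing target
    AssetRisk("lobby-kiosk", threat=3, vulnerability=5, value=1),  # wide open, but nothing valuable on it
    AssetRisk("smart-tv",    threat=2, vulnerability=4, value=1),
]

# Constructed candidate fixes: what V would become after each one.
FIXES = {"file-server": 1, "lobby-kiosk": 1, "hr-laptop": 2}

if __name__ == "__main__":
    for a in rank_assets(INVENTORY):
        print(f"{a.name:12s} R = {a.threat} x {a.vulnerability} x {a.value} = {a.risk()}")
    for name, drop in best_fix_first(INVENTORY, FIXES):
        print(f"fix {name:12s} removes {drop} units of risk")
```

Two things the numbers show that the formula alone does not: the lobby kiosk has the worst vulnerability score in the inventory yet the lowest risk after the TV, because A is tiny, and patching the file server removes more risk than every other fix combined. That is the prioritization the slide is pointing at: spend the day's effort where T, V and A multiply out largest, not where the scanner output is longest.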


IN SUMMARY…

1. FIX YOUR INTERNAL NETWORK SECURITY – IT’S VERY WEAK!
2. MOST BREACHES ARE INTERNAL, BEHIND FIREWALL & AV
3. FOCUS ON STOPPING SPEAR PHISHING & RATS
4. PERFORM FREQUENT, DAILY BACKUPS – AND TEST THEM!
5. ENCRYPT THE DATA, ALWAYS. W/ STRONG KEY MANAGEMENT
6. GO ON THE OFFENSE, GET PROACTIVE. RISK MANAGEMENT.
7. LEARN AND UTILIZE THE RISK FORMULA

Do this and you’ll be an INFOSEC ROCK STAR…


Q & A FOLLOWED BY LOUD MANDATORY APPLAUSE (OK, OK, ACTUALLY THE QUESTIONS ARE OPTIONAL)

Gary S. Miliefsky | [email protected] | 731-1800

If you ever need help, we stop breaches… so call me anytime…


BEFORE MY PRESENTATION YOU WERE AN INFOSEC TALENT…

NOW THAT YOU KNOW THE SEVEN SECRETS OF OFFENSIVE SECURITY, YOU ARE AN INFOSEC ROCK STAR…
