Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dealing with Offensive Security in Organization

Fardeen A.
December 27, 2021

Dealing with Offensive Security in Organization

A very short talk at DamnCon2021 over Introduction to Offensive Security

Fardeen A.

December 27, 2021
Tweet

More Decks by Fardeen A.

Other Decks in Education

Transcript

  1. DEALING WITH OFFENSIVE DEALING WITH OFFENSIVE DEALING WITH OFFENSIVE SECURITY

    IN ORGANIZATIONS SECURITY IN ORGANIZATIONS SECURITY IN ORGANIZATIONS
  2. MY NAME IS FARDEEN AHMED, A CYBERSECURITY ENGINEER AT HONEYWELL

    AND A FREELANCE SECURITY CONSULTANT APART FROM MY WORK AT THE ORGANIZATION, I PERFORM SECURITY RESEARCH AND IN MY FREE TIME I CODE. MY RECENT ACHIEVEMENTS INCLUDE FINDING CRITICAL FLAWS AT CENTRAL INDUSTRIAL SECURITY FORCES, SEEDLMS AND CISCO . APART FROM THAT, I HAVE SECURED CANVA, MASTERCARD, OLD-GAMES, ISC2, DELL, LENOVO AND OTHER COMPANIES
  3. 1) WHAT IS OFFENSIVE SECURITY AND ITS SIGNIFICANCE FOR ORGANIZATIONS

    IN CURRENT SITUATIONS 2) THE MAIN QUESTION WITH CONCERN : WHY OFFENSIVE SECURITY...????🤔 🤔 🤔 3) ARRANGEMENTS OF SECURITY WITH RESPECT TO ORGANIZATIONS. 4) OFFENSIVE SECURITY CONTRIBUTION : PUSHING FOR OPTIMUM SECURITY 5) THREAT INTELLIGENCE : OUTSIDERS, AS WELL AS INSIDER THREAT INTELLIGENCE 6) KEY LEARNINGS FOR GETTING STARTED IN OFFENSIVE SECURITY..?? 7) AREAS OF JOB OPPORTUNITY IN OFFENSIVE SECURITY IN DEVELOPED AND DEVELOPING COUNTRIES TOPIC OF DISCUSSIONS
  4. WHAT IS OFFENSIVE SECURITY AND ITS SIGNIFICANCE FOR ORGANIZATONS IF

    YOU BELIEVE THAT THIS ALONE IS OFFENSIVE SECURITY, THEN YOU MIGHT BE ABSOLUTELY WRONG.... OFFENSIVE SECURITY IS A MINDSET, WHERE EVERY STEP TAKEN BY THE ORGANIZATIONS AND ITS CORRESPONDENCE ARE TESTED FOR WEAKNESS, EXPLOITED ETHICALLY AND IS THEN REPORTED TO THE ORGANIZATION FOR MITIGATION. IT CONSISTS OF A COMPLETE SECURITY CHECK
  5. WHY OFFENSIVE SECURITY..??? BELOW ARE SOME KEY CYBER CRIMES FOR

    PERSONALLY IDENTIFIABLE INFORMATION LEAKAGE THAT TOOK PLACE IN ORGANIZATIONS (THAT WERE PROMINANT IN NATURE) HCL PII BREACH(2019) DOMINOZ BREACH (2021) ACCENTURE MASSIVE PII (2021)
  6. ARRANGEMENTS OF SECURITY WITH ORGANIZATIONS -> DIFFERENT ORGANIZATIONS HAVE DIFFERENT

    SECURITY INFRASTRUCTURES. SOME LAY STRESS ON DEFENSE WHILE SOME OVER STRENGTHENING THERE PRODUCTS MORE COMPARED TO DEFENSE MECHANISM -> THERE MIGHT BE SOME KEY DIFFERENCES (DEALING WITH SDLC) BUT MOST OF THEM HAVE SIMILAR MECHANISMS. -> CURRENT AND NEWLY FOUND ZERO-DAY VULNERABILITIES ARE TAKEN CARE BOTH WITH RESPECT TO AUTOMATED TOOLS AND MANUAL TESTING. -> DIFFERENT ORGANIZATIONS HAVE DIFFERENT TOOLS TO WORK ON FOR INFORMATION SECURITY. IBM Q-RADAR AND INFOSEC LIFE CYCLE PWC SECURITY LIFE CYCLE HONEYWELL INFOSEC LIFE-CYCLE +
  7. OFFENSIVE SECURITY CONTRIBUTION : OPTIMUM SECURITY 1) PII IS THE

    GOD-FATHER OF ALL THE ASSETS OF THE ORGANIZATION. IF THAT IS LOST, EVERYTHING IS BREACHED 2) CLIENTS RELY ON ORGANIZATIONS WITH LATEST UPDATES AND FEATURES WITH STRATEGIC TESTING. CLIENTS HAVE ALL THE RIGHT TO KNOW ABOUT FEATURES AND END GOALS. 3) USING FIREWALLS FROM DIFFERENT VENDORS IS GOOD, BUT THE ORGANIZATIONS SHOULD HAVE THE IDEA OF IMPLEMENTATION FROM CORE, SO THAT AFTER A BREACH (REAL LIFE OR WHILE TESTING), TEAMS SHOULD HAVE THE IDEA OF SECURING ITS ASSETS (AFTER THE EFFECTS) 4) DIFFERENT TEAMS WITH EQUAL SHARE OF RESPONSIBILITY AND RIGHT DISTRIBUTION IS THE KEY FEATURE OF OPTIMUM SECURITY. 5) DOCUMENTATIONS ABOUT PRODUCTS FEATURES SHOULD BE PRESENT, BUT NOT ABOUT ITS IMPLEMENTATIONS.
  8. THREAT INTELLIGENCE : OUTSIDERS VS INSIDERS -> OUTSIDER THREAT INTELLIGENCE

    ARE THE VERY BIG TROUBLE THAT WE DEAL IN OUR LIFE. IT IS LIKE, IF ONE HAS DEFAULT FIREWALLS, THEN IT CAN BE DDOS'D EASILY. IMPLEMENTATION OF MANUAL CONFIGURED FIREWALLS IS THE KEY STEP FOR OPTIMUM SECURITY. -> INSIDER THREAT INTELLIGENCE (ONCE IN A BLUE MOON, BUT CURRENTLY AT VERGE) IS OPTIMISED IN DIFFERENT WAYS, SUCH AS RESTRICTION POLICIES, AUTOMATED END-UP FEATURES OF USER ACCOUNTS AND MANY MORE. -> THREAT INTELLIGENCE IS NOT ONLY RESTRICTED TO TOOLS AND FIREWALLS, BUT IS ELABORATED TO DIFFERENT AREAS, STARTING FROM PROGRAMMING THE PRODUCT / INFRASTRUCTURE ARCHITECTURE BUILD-UP TO DEPLOYMENT. TEAMS NEED TO BE ATTENTIVE AND NEED NOT TO BE ALWAYS DEPENDED OVER AUTOMATED TOOLS AND TECHNIQUES.
  9. CERTIFICATIONS ARE COSTLY, WHAT AND HOW TO LEARN.....??? 1) HAVE

    THE BASIC KNOWLEDGE OF NETWORK ARCHITECTURES AND IMPLEMENTATIONS, OPERATING SYSTEMS AND DATABASE MANAGEMENT SYSTEMS. 2) START TO DEAL WITH MACHINES THAT ARE PRESENT AT VULNHUB, HACKTHEBOX AND TRYHACKME THAT ARE ABSOLUTELY FREE OF COST 3) ONE CAN ALSO TRY OWASP MACHINES FOR GETTING STARTED. 4) PORTSWIGGER, KONTRA ARE YOUR FRIEND FOR LEARNING OFFENSIVE SECURITY TESTING 5) ALWAYS REMEMBER : READ THE DOCUMENTATIONS OF TESTING PRODUCTS OF ORGANIZATIONS , AS MUCH AS POSSIBLE 6) REMEMBER TO WORK IN TEAMS MORE WITH RESPECT TO ORGANIZATIONS, TO ELIMINATE THE PROBLEM.