Cyber Security, Companies like yours!
Last week Vincent Olsthoorn (http://www.linkedin.com/pub/vincent-olsthoorn/15/a42/952) gave a presentation about cyber security during a NCIM TechTalk.
Here are the presentation slides (in Dutch)
Vincent started by explaining some common definitions such as malware, phishing, baiting, vulnerability, exploit, zero-day and social engineering. Most of these definitions are explained at http://en.wikipedia.org/wiki/Computer_security
Vincent gave an example of how a determined hacker might attack a specific organisation with an online IT service in order to retrieve secret information. The first step is passive information gathering from every source he can find. This includes, for example, searching for job vacancies that contain technical details which may already point to vulnerabilities to attack. Step 2 is scanning all public services on the front-end layer to get a better understanding of the network infrastructure and the software versions in use (OS, web server, database, etc.). This is necessary for the third step: finding vulnerabilities to exploit.
A good hacker knows which tool to use for the job. Products like Nessus can help point out vulnerabilities in popular software. Testing the website for Cross-Site Scripting (XSS) and SQL injection is also part of vulnerability testing, and finally comes exploitation. Exploiting a vulnerability can range from packet sniffing and making the service unavailable to users, to taking over the admin user or even gaining shell access to the server. For self-preservation, the hacker will clear all traces left behind during exploitation, including log files.
The OWASP (Open Web Application Security Project, http://www.owasp.org) is a worldwide not-for-profit charitable organization focused on improving the security of software. It gives organisations and individuals guidelines on how to deal with web application security risks.
There are a lot of stolen username/password combinations that can be downloaded from various websites, so it is important to change your password often. Vincent started a discussion on the question of which of these two passwords is less susceptible to brute force:
[email protected] or olifantbradwurst?
Opinions among the attendees were divided.
Vincent finished his presentation with a short film about cyber security created by Deloitte (http://www.deloitte.com). The movie gives you an insight into the world of cyber security.
Cyber Security Movie: Companies like yours!