Getting Started in Security - SIST

Transcript

1. GETTING STARTED IN CYBERSECURITY APPLICATIONS, ATTACKS, TOOLS 1 RAKESHELAMARAN ©Rakesh

   Elamaran

2. WHO AM I ✧ Security Engineer 2 @COMCAST ✧ Security

   Researcher | Licensed Penetration Tester Master | Bug Hunter ✧ SIH - 2019 Finalist | CSI - Student Icon ✧ FOUNDER - Rootecstak and SVCE CyberHub ✧ OWASP Cuddalore Chapter - Leader ✧ Mentor | Speaker | Blogger 2 ©Rakesh Elamaran

3. CYBERSECURITY Cybersecurity Consists of technologies, processes and controls designed to

   protect systems, networks, programs, devices and data from cyber attacks. 3 ©Rakesh Elamaran

4. MAIN PURPOSE ✧ To prevent data breaches, identity theft and

   cyber-attacks as well as risk management in some cases. ✧ It encompasses everything that pertains to protecting our PII Data. ✧ Software changes when its updated and modified that leads to welcome new bugs,issues, and vulnerabilities and allows for cyber attacks. 4 ©Rakesh Elamaran

5. CIA TRIAD ✧ Confidentiality - Data is Kept Secret ✧

   Integrity - Data is trustworthy and free from tampering ✧ Availability - Data should be available to authorized users 5 ©Rakesh Elamaran

6. DATA BREACH ✧ The business world is not new to

   data breaches and cyber threats.Digital transformation has accelerated the growth of online platforms, showing us just how crucial security in the digital age is. ✧ But it’s not just the big companies and organizations that get hit.Everyday consumers experience phishing schemes, ransomware attacks, identity theft, data breaches, and financial losses. ✧ It is very easy to hack a device connected to the internet the more we rely on, the more we are prone to attacks. 6 ©Rakesh Elamaran

7. PROTECTION  Cyber attacks occurring every 14 seconds, firewalls, antivirus

   softwares and tools must be in place.  Strong security infrastructure includes multiple layers of protection.  Organizations must remain up-to-date with the emerging technologies, threat and security intelligence trends in order to design the ideal cyber- security measures.  Encryption,secure passwords, constant software upgradation helps. 7 ©Rakesh Elamaran

8. ETHICAL HACKING  Ethical Hacking is an authorized practice of

   bypassing system security to identify potential data breaches and threats in a network.  The company that owns the system or network allows Cybersecurity Engineers to perform such activities in order to test the system’s defenses. 8 ©Rakesh Elamaran

9. TYPES OF HACKERS ✧ WHITE HAT - Ethical hackers or

   Security Researchers do not intend to harm the system or organization. ✧ BLACK HAT - Contrary to an ethical hacker,they perform hacking to fulfill their selfish intentions to collect monetary benefits. ✧ GREY HAT - They hack without any malicious intention for fun. They perform the hacking without any approval from the targeted organization. 9 ©Rakesh Elamaran

10. PENETRATION TESTING ✧ Penetration testing is a part of ethical

    hacking, where it focuses explicitly on penetrating only the information systems. ✧ The ultimate goal is to identify and prioritize Security Risks. 10 ©Rakesh Elamaran

11. VULNERABILITY ANALYSIS/ASSESSMENT ✧ The process of identifying risks and vulnerabilities

    in computer networks, systems, hardware, applications. ✧ Do Evaluation, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation. ✧ Vulnerability scanners tools are used to identify threats and flaws within an organization's. 11 ©Rakesh Elamaran

12. ETHICAL HACKING VS PEN TESTING ✧ Ethical hacking is a

    practice.The skills employed by an ethical hacker allow them to practice a continuous assessment cycle of an organization’s security posture by employing the same tools, methods, and techniques of a malicious hacker. ✧ Ethical Hacking is NOT Penetration Testing! ✧ Penetration Testing is Ethical Hacking! 12 ©Rakesh Elamaran

13. DEMO STEGANOGRAPHY: ✧ It is the technique of hiding secret

    data within an ordinary, non-secret, file or message in order to avoid detection; the secret data is then extracted at its destination. ✧ Data can be audio, video, image or text file. 13 ©Rakesh Elamaran

14. APPLICATIONS ✧ To use the Built in Applications Virtual Box

    and Kali Linux / Parrot OS is Mandatory. ✧ Applications are Easy to Use. ✧ For Everything there is a tool. ( A-Z) 14 ©Rakesh Elamaran

15. DEMO Information Gathering Social Engineering SYSTEM HACKING 15 ©Rakesh Elamaran

16. INFORMATION GATHERING ✧ Process of collecting information about something you

    are interested in. ✧ In the digital world, a lot of information can be gathered in different ways, not with your senses, but with several methods, tools and techniques. 16 ©Rakesh Elamaran

17. SOCIAL ENGINEERING  Social engineering is the art of manipulating

    people so they give up confidential information. Attacks can happen online, in-person, and via other interactions. 17 ©Rakesh Elamaran

18. FOR WHO?  Young Professionals Starting their careers  Experienced

    professionals moving from one career into Cybersecurity  Professionals at all levels wanting to learn more about it to better protect their personal and business lives 18 ©Rakesh Elamaran

19. GRC VS TECHNICAL ✧ Strategic includes Governance, Risk, and Compliance

    (GRC), Policy, IT Audit, security frameworks and management. ✧ Tactical includes everything technical security systems administration, networking, application security, security operations, incident response, vulnerability management, and penetration testing. ✧ Pick the one where you have most strength. ✧ Caution: Don't try to do both but Be aware of the other Side . 19 ©Rakesh Elamaran

20. WHAT SHOULD I CHOOSE?  DEGREE  MASTERS  CERTIFICATION

     JOB - HOP IN 20 ©Rakesh Elamaran

21. ROLES 21 ©Rakesh Elamaran

22. CERTIFICATIONS 22 ©Rakesh Elamaran

23. HOW TO START ↴ knowledge of computer and how Internet

    works ↴ Computer Networks - Protocols,ports,servers,etc | Basics to Advanced ↴ Linux Concepts - Learn Linux strongly and practice in Kali ↴ Cryptography and Network Security - Encryption,Decryption,Algorithms,etc ↴ CYBERSECURITY - Practice Strongly and learn new concepts ↴ Tryhackme, Hack the Box, Portswigger labs,Capture the flag challenges - To Sharpen your skills ↴ Bug Bounty - Lots of practice,patience and efforts. 23 ©Rakesh Elamaran

24. WHAT TO LEARN  Malware and Reverse Engineering: C,C++,C#,Embedded C,Assembly

     Scripting: Python, Ruby, Perl.  Security Testing : Html,css,java script,php,java,SQL  Shell Scripting: Bash,Shell Scripting 24 ©Rakesh Elamaran

25. DOMAINS ✧ Web Application Security ✧ Android Security ✧ Cloud

    Security ✧ Cyber Forensics ✧ Malware Analysis ✧ Red Teaming ✧ Vulnerability Assessment & Exploit Development ✧ IOT and RFID Pentesting ✧ API Pentesting ✧ Blockchain & Decentralised Systems ✧ Cryptography and Network Security ✧ Hardware Security 25 ©Rakesh Elamaran

26. GOOD CHOICE? ✧ Unlimited Growth ✧ Set your style ✧

    Easy to explore different paths ✧ Learn and EARN ✧ Engineers with cybersecurity chops and more than three years of experience can make up to Rs30 lakhs a year, HR experts said. ✧ On the other hand, a software developer with five years at a multinational firm would earn only around Rs15 lakhs a year. 26 ©Rakesh Elamaran

27. INTERVIEW PREPARATION ✧ Follow the Roadmap ✧ Be Strong in

    Basics ✧ Choose domain and prepare accordingly ✧ Stay updated in the cybersecurity industry ✧ Explain In terms of Real time and its impact ✧ Attain Value added Certifications ✧ Descent Resume - Projects,Research Works,Achievements ✧ Achievements - Hall of fame, CVES , Bounty , Recognition ✧ Be passionate and confident 27 ©Rakesh Elamaran

28. ATTACKS 28 ©Rakesh Elamaran

29. BUG ✧ Bug Bounties aka responsible disclosure programmes are setup

    by companies to encourage researchers to report potential issues on their sites ✧ Some companies chose to reward a researcher with money,swag, or hall of fame ✧ Values your Resume and Skills | Glory and Fame | Practical Knowledge | Money 29 ©Rakesh Elamaran

30. BOUNTY ✧ Platforms ✧ BugCrowd,Hackerone Synack , Intigriti ✧ Go

    for rvdp programs ✧ Duplicates are Painful ✧ Quality >> Quantity ✧ Patience >> Bounty - Money 30 ©Rakesh Elamaran

31. PARAMETER TAMPERING ✧ Parameter tampering attack relies on the manipulation

    of parameters changed by the user so as to change application information like user credentials and permissions and amount of product, etc. ✧ Usually, this data is passed in post request or in hidden kind fields. ✧ This vulnerability is almost present in every online shopping carts and payment gateways these days. ✧ Ex: bewakoof.com, donacakes.com 31 ©Rakesh Elamaran

32. SQL INJECTION ✧ SQL injection is a code injection technique

    that might destroy your database. ✧ It is one of the most common web hacking techniques. ✧ It usually occurs when you ask a user for input, like their username/userid 32 ©Rakesh Elamaran

33. ONLINE CYBER SAFETY ✧ Refrain publishing sensitive information on any

    social media ✧ Keep Complex Passwords and never share to anyone ✧ Printers, wifi, webcams and computers, should be shut down when not in use ✧ Don't Meet online acquaintances alone ✧ Don't Share more than necessary ✧ Check for Https lock symbol ✧ Update Device Regularly, Keep 2FA, Use antivirus ✧ Visit banks website by typing the URL in the address bar ✧ Unlink Card details from E-commerce sites ✧ Don't share Personal Emails and phone number, have backup ✧ There is no such thing as freebies. Ex: Amazon,flipkart URL's ✧ Block people you don’t want to interact with 33 ©Rakesh Elamaran

34. WHAT WE DO ✧ Act as a Security Professional ✧

    Tests the security and identifies loopholes ✧ Conduct Threat Modeling ✧ Create Reports and analysis ✧ Authorized with proper permissions ✧ Spread Awareness to students and professionals ✧ Earns money and respect too 34 ©Rakesh Elamaran

35. WHERE IT ENDS ✧ Start career as Security Researcher or

    Associate ✧ Cybersecurity Analyst / Consultant - Penetration Tester ✧ Cybersecurity Manager / Engineer / Architect ✧ Security Director ✧ Chief Information Security officer - CISO 35 ©Rakesh Elamaran

36. HOW CYBERSECURITY IS NOW? ↳ Organizations Understood the Importance of

    security ↳ Expanding Security Teams ↳ Conducting Threat Modeling ↳ IOT and Cloud Evolving ↳ Social Engineering attacks getting smarter ↳ Rise of Ransomware and security threats ↳ Data Privacy as a discipline ↳ Having Responsible Disclosure policy ↳ Appreciation | Recognition | Swags | Hall of Fame | BugBounty 36 ©Rakesh Elamaran

37. DISCLAIMER  Any time the word “Hacking/Hacker” that is used

    shall be regarded as Ethical Hacking/Hacker.  These materials are for educational and awareness purposes only.Do not attempt to violate the law with anything contained here.  If so,Speaker or College/Club is not responsible for the actions that individual violate. 37 ©Rakesh Elamaran

38. CONCLUSION ✧ "Choose a job you love" ✧ The number

    of cybersecurity jobs is increasing every single day.The key is identifying the skills and strengths. ✧ Hackers attack every 39 seconds, on an average of 2,244 times a day! When you give this a thought, you will realize how important Cybersecurity is? 38 ©Rakesh Elamaran

39. SOME TIPS ✧ Get Ready to deal with errors ✧

    Learn how to use google and find resources like pro ✧ Stay updated and Make progress ✧ Consistency is the key to success ✧ Be Active in Linkedin,Security Forums,and communities ✧ Connect with like minded students and Infosec professionals ✧ ROOTECSTAK 39 ©Rakesh Elamaran

40. ANY QUERIES? 40 ©Rakesh Elamaran

41. REACH OUT  www.rakeshelamaran.tech  Linked In: Rakesh Elamaran 

    Instagram: rakesh_elamaran 41 ©Rakesh Elamaran