Getting Started in Security - SIST

GETTING STARTED IN
CYBERSECURITY
APPLICATIONS, ATTACKS,
TOOLS
1
RAKESHELAMARAN
©Rakesh Elamaran

View Slide

WHO AM I
✧ Security Engineer 2 @COMCAST
✧ Security Researcher | Licensed Penetration Tester Master | Bug Hunter
✧ SIH - 2019 Finalist | CSI - Student Icon
✧ FOUNDER - Rootecstak and SVCE CyberHub
✧ OWASP Cuddalore Chapter - Leader
✧ Mentor | Speaker | Blogger
2
©Rakesh Elamaran

View Slide

CYBERSECURITY
Cybersecurity Consists of technologies,
processes and controls designed to protect
systems, networks, programs, devices and data
from cyber attacks.
3
©Rakesh Elamaran

View Slide

MAIN PURPOSE
✧ To prevent data breaches, identity theft and cyber-attacks as well as risk
management in some cases.
✧ It encompasses everything that pertains to protecting our PII Data.
✧ Software changes when its updated and modified that leads to welcome
new bugs,issues, and vulnerabilities and allows for cyber attacks.
4
©Rakesh Elamaran

View Slide

CIA TRIAD
✧ Confidentiality - Data is Kept Secret
✧ Integrity - Data is trustworthy and free from tampering
✧ Availability - Data should be available to authorized users
5
©Rakesh Elamaran

View Slide

DATA BREACH
✧ The business world is not new to data breaches and cyber threats.Digital
transformation has accelerated the growth of online platforms, showing
us just how crucial security in the digital age is.
✧ But it’s not just the big companies and organizations that get
hit.Everyday consumers experience phishing schemes, ransomware
attacks, identity theft, data breaches, and financial losses.
✧ It is very easy to hack a device connected to the internet
the more we rely on, the more we are prone to attacks.
6
©Rakesh Elamaran

View Slide

PROTECTION
 Cyber attacks occurring every 14 seconds, firewalls, antivirus softwares
and tools must be in place.
 Strong security infrastructure includes multiple layers of protection.
 Organizations must remain up-to-date with the emerging technologies,
threat and security intelligence trends in order to design the ideal cyber-
security measures.
 Encryption,secure passwords, constant software upgradation helps.
7
©Rakesh Elamaran

View Slide

ETHICAL HACKING
 Ethical Hacking is an authorized practice of
bypassing system security to identify potential
data breaches and threats in a network.
 The company that owns the system or network
allows Cybersecurity Engineers to perform
such activities in order to test the system’s
defenses.
8
©Rakesh Elamaran

View Slide

TYPES OF HACKERS
✧ WHITE HAT - Ethical hackers or Security Researchers do not intend to harm the system or organization.
✧ BLACK HAT - Contrary to an ethical hacker,they perform hacking to fulfill their selfish intentions to collect
monetary benefits.
✧ GREY HAT - They hack without any malicious intention for fun. They perform the hacking without any
approval from the targeted organization.
9
©Rakesh Elamaran

View Slide

PENETRATION TESTING
✧ Penetration testing is a part of ethical
hacking, where it focuses explicitly on
penetrating only the information systems.
✧ The ultimate goal is to identify and
prioritize Security Risks.
10
©Rakesh Elamaran

View Slide

VULNERABILITY
ANALYSIS/ASSESSMENT
✧ The process of identifying risks and vulnerabilities in
computer networks, systems, hardware, applications.
✧ Do Evaluation, assigns severity levels to those
vulnerabilities, and recommends remediation or
mitigation.
✧ Vulnerability scanners tools are used to identify
threats and flaws within an organization's.
11
©Rakesh Elamaran

View Slide

ETHICAL HACKING VS PEN TESTING
✧ Ethical hacking is a practice.The skills employed by an ethical hacker
allow them to practice a continuous assessment cycle of an
organization’s security posture by employing the same tools, methods,
and techniques of a malicious hacker.
✧ Ethical Hacking is NOT Penetration Testing!
✧ Penetration Testing is Ethical Hacking!
12
©Rakesh Elamaran

View Slide

DEMO
STEGANOGRAPHY:
✧ It is the technique of hiding secret data within an ordinary, non-secret,
file or message in order to avoid detection; the secret data is then
extracted at its destination.
✧ Data can be audio, video, image or text file.
13
©Rakesh Elamaran

View Slide

APPLICATIONS
✧ To use the Built in Applications Virtual Box and Kali Linux / Parrot OS is
Mandatory.
✧ Applications are Easy to Use.
✧ For Everything there is a tool. ( A-Z)
14
©Rakesh Elamaran

View Slide

DEMO
Information Gathering
Social Engineering
SYSTEM HACKING
15
©Rakesh Elamaran

View Slide

INFORMATION GATHERING
✧ Process of collecting information about something you are interested
in.
✧ In the digital world, a lot of information can be gathered in different
ways, not with your senses, but with several methods,
tools and techniques.
16
©Rakesh Elamaran

View Slide

SOCIAL ENGINEERING
 Social engineering is the art of manipulating people so they give up
confidential information. Attacks can happen online, in-person, and via
other interactions.
17
©Rakesh Elamaran

View Slide

FOR WHO?
 Young Professionals Starting their careers
 Experienced professionals moving from one career into Cybersecurity
 Professionals at all levels wanting to learn more about it to better
protect their personal and business lives
18
©Rakesh Elamaran

View Slide

GRC VS TECHNICAL
✧ Strategic includes Governance, Risk, and Compliance (GRC), Policy, IT Audit, security
frameworks and management.
✧ Tactical includes everything technical security systems administration, networking,
application security, security operations, incident response, vulnerability management, and
penetration testing.
✧ Pick the one where you have most strength.
✧ Caution: Don't try to do both but Be aware of the other Side .
19
©Rakesh Elamaran

View Slide

WHAT SHOULD I CHOOSE?
 DEGREE
 MASTERS
 CERTIFICATION
 JOB - HOP IN
20
©Rakesh Elamaran

View Slide

ROLES
21
©Rakesh Elamaran

View Slide

CERTIFICATIONS
22
©Rakesh Elamaran

View Slide

HOW TO START
↴ knowledge of computer and how Internet works
↴ Computer Networks - Protocols,ports,servers,etc | Basics to Advanced
↴ Linux Concepts - Learn Linux strongly and practice in Kali
↴ Cryptography and Network Security -
Encryption,Decryption,Algorithms,etc
↴ CYBERSECURITY - Practice Strongly and learn new concepts
↴ Tryhackme, Hack the Box, Portswigger labs,Capture the flag challenges - To
Sharpen your skills
↴ Bug Bounty - Lots of practice,patience and efforts.
23
©Rakesh Elamaran

View Slide

WHAT TO LEARN
 Malware and Reverse Engineering: C,C++,C#,Embedded C,Assembly
 Scripting: Python, Ruby, Perl.
 Security Testing : Html,css,java script,php,java,SQL
 Shell Scripting: Bash,Shell Scripting
24
©Rakesh Elamaran

View Slide

DOMAINS
✧ Web Application Security
✧ Android Security
✧ Cloud Security
✧ Cyber Forensics
✧ Malware Analysis
✧ Red Teaming
✧ Vulnerability Assessment & Exploit Development
✧ IOT and RFID Pentesting
✧ API Pentesting
✧ Blockchain & Decentralised Systems
✧ Cryptography and Network Security
✧ Hardware Security
25
©Rakesh Elamaran

View Slide

GOOD CHOICE?
✧ Unlimited Growth
✧ Set your style
✧ Easy to explore different paths
✧ Learn and EARN
✧ Engineers with cybersecurity chops and more than three years of
experience can make up to Rs30 lakhs a year, HR experts said.
✧ On the other hand, a software developer with five years at a
multinational firm would earn only around Rs15 lakhs a year.
26
©Rakesh Elamaran

View Slide

INTERVIEW PREPARATION
✧ Follow the Roadmap
✧ Be Strong in Basics
✧ Choose domain and prepare accordingly
✧ Stay updated in the cybersecurity industry
✧ Explain In terms of Real time and its impact
✧ Attain Value added Certifications
✧ Descent Resume - Projects,Research Works,Achievements
✧ Achievements - Hall of fame, CVES , Bounty , Recognition
✧ Be passionate and confident
27
©Rakesh Elamaran

View Slide

ATTACKS
28
©Rakesh Elamaran

View Slide

BUG
✧ Bug Bounties aka responsible disclosure programmes are setup by
companies to encourage researchers to report potential issues on their
sites
✧ Some companies chose to reward a researcher with money,swag, or hall
of fame
✧ Values your Resume and Skills | Glory and Fame | Practical Knowledge |
Money
29
©Rakesh Elamaran

View Slide

BOUNTY
✧ Platforms
✧ BugCrowd,Hackerone
Synack , Intigriti
✧ Go for rvdp programs
✧ Duplicates are Painful
✧ Quality >> Quantity
✧ Patience >> Bounty - Money
30
©Rakesh Elamaran

View Slide

PARAMETER TAMPERING
✧ Parameter tampering attack relies on the manipulation of parameters
changed by the user so as to change application information like user
credentials and permissions and amount of product, etc.
✧ Usually, this data is passed in post request or in hidden kind fields.
✧ This vulnerability is almost present in every online shopping carts and
payment gateways these days.
✧ Ex: bewakoof.com, donacakes.com
31
©Rakesh Elamaran

View Slide

SQL INJECTION
✧ SQL injection is a code injection technique that might destroy your database.
✧ It is one of the most common web hacking techniques.
✧ It usually occurs when you ask a user for input, like their username/userid
32
©Rakesh Elamaran

View Slide

ONLINE CYBER SAFETY
✧ Refrain publishing sensitive information on any social media
✧ Keep Complex Passwords and never share to anyone
✧ Printers, wifi, webcams and computers, should be shut down when not in use
✧ Don't Meet online acquaintances alone
✧ Don't Share more than necessary
✧ Check for Https lock symbol
✧ Update Device Regularly, Keep 2FA, Use antivirus
✧ Visit banks website by typing the URL in the address bar
✧ Unlink Card details from E-commerce sites
✧ Don't share Personal Emails and phone number, have backup
✧ There is no such thing as freebies. Ex: Amazon,flipkart URL's
✧ Block people you don’t want to interact with
33
©Rakesh Elamaran

View Slide

WHAT WE DO
✧ Act as a Security Professional
✧ Tests the security and identifies loopholes
✧ Conduct Threat Modeling
✧ Create Reports and analysis
✧ Authorized with proper permissions
✧ Spread Awareness to students and professionals
✧ Earns money and respect too
34
©Rakesh Elamaran

View Slide

WHERE IT ENDS
✧ Start career as Security Researcher or Associate
✧ Cybersecurity Analyst / Consultant - Penetration Tester
✧ Cybersecurity Manager / Engineer / Architect
✧ Security Director
✧ Chief Information Security officer - CISO
35
©Rakesh Elamaran

View Slide

HOW CYBERSECURITY IS NOW?
↳ Organizations Understood the Importance of security
↳ Expanding Security Teams
↳ Conducting Threat Modeling
↳ IOT and Cloud Evolving
↳ Social Engineering attacks getting smarter
↳ Rise of Ransomware and security threats
↳ Data Privacy as a discipline
↳ Having Responsible Disclosure policy
↳ Appreciation | Recognition | Swags | Hall of Fame | BugBounty
36
©Rakesh Elamaran

View Slide

DISCLAIMER
 Any time the word “Hacking/Hacker” that is used shall be regarded as
Ethical Hacking/Hacker.
 These materials are for educational and awareness purposes only.Do
not attempt to violate the law with anything contained here.
 If so,Speaker or College/Club is not responsible for the actions that
individual violate.
37
©Rakesh Elamaran

View Slide

CONCLUSION
✧ "Choose a job you love"
✧ The number of cybersecurity jobs is increasing every single day.The key
is identifying the skills and strengths.
✧ Hackers attack every 39 seconds, on an average of 2,244 times a day!
When you give this a thought, you will realize how important
Cybersecurity is?
38
©Rakesh Elamaran

View Slide

SOME TIPS
✧ Get Ready to deal with errors
✧ Learn how to use google and find resources like pro
✧ Stay updated and Make progress
✧ Consistency is the key to success
✧ Be Active in Linkedin,Security Forums,and communities
✧ Connect with like minded students and Infosec professionals
✧ ROOTECSTAK
39
©Rakesh Elamaran

View Slide

REACH OUT
 www.rakeshelamaran.tech
 Linked In: Rakesh Elamaran
 Instagram: rakesh_elamaran
41
©Rakesh Elamaran

View Slide

Getting Started in Security - SIST

Getting Started in Security - SIST

Rakesh Elamaran

More Decks by Rakesh Elamaran

Other Decks in Technology

Featured

Transcript