Getting Started in Security - SIST

This talk covers the fundamentals of cybersecurity, data breaches, social engineering, career opportunities and a roadmap, interview preparation, applications, attacks, and a short note on bug bounty!

Presented at Sathyabama University!

Feel free to reach out:
https://www.linkedin.com/in/rakeshelamaran98/
https://www.instagram.com/rakesh_elamaran/

Rakesh Elamaran

February 16, 2023

Transcript

  1. GETTING STARTED IN
    CYBERSECURITY
    APPLICATIONS, ATTACKS,
    TOOLS
    1
    RAKESH ELAMARAN
    ©Rakesh Elamaran

  2. WHO AM I
    ✧ Security Engineer 2 @COMCAST
    ✧ Security Researcher | Licensed Penetration Tester Master | Bug Hunter
    ✧ SIH - 2019 Finalist | CSI - Student Icon
    ✧ FOUNDER - Rootecstak and SVCE CyberHub
    ✧ OWASP Cuddalore Chapter - Leader
    ✧ Mentor | Speaker | Blogger

  3. CYBERSECURITY
    Cybersecurity consists of technologies, processes and controls designed
    to protect systems, networks, programs, devices and data from cyber
    attacks.

  4. MAIN PURPOSE
    ✧ To prevent data breaches, identity theft and cyber-attacks, as well as risk
    management in some cases.
    ✧ It encompasses everything that pertains to protecting our PII data.
    ✧ Software changes when it is updated and modified, which introduces new
    bugs, issues and vulnerabilities and opens the way for cyber attacks.

  5. CIA TRIAD
    ✧ Confidentiality - Data is Kept Secret
    ✧ Integrity - Data is trustworthy and free from tampering
    ✧ Availability - Data should be available to authorized users

  6. DATA BREACH
    ✧ The business world is not new to data breaches and cyber threats. Digital
    transformation has accelerated the growth of online platforms, showing
    us just how crucial security in the digital age is.
    ✧ But it’s not just the big companies and organizations that get
    hit. Everyday consumers experience phishing schemes, ransomware
    attacks, identity theft, data breaches, and financial losses.
    ✧ It is very easy to hack a device connected to the internet; the more we
    rely on such devices, the more prone we are to attacks.

  7. PROTECTION
    ✧ With cyber attacks occurring every 14 seconds, firewalls, antivirus software
    and tools must be in place.
    ✧ A strong security infrastructure includes multiple layers of protection.
    ✧ Organizations must remain up-to-date with emerging technologies, threat
    and security intelligence trends in order to design the ideal
    cybersecurity measures.
    ✧ Encryption, secure passwords and constant software upgrades help.

  8. ETHICAL HACKING
    ✧ Ethical hacking is an authorized practice of bypassing system security
    to identify potential data breaches and threats in a network.
    ✧ The company that owns the system or network allows cybersecurity
    engineers to perform such activities in order to test the system’s
    defenses.

  9. TYPES OF HACKERS
    ✧ WHITE HAT - Ethical hackers or security researchers who do not intend to harm the system or organization.
    ✧ BLACK HAT - Contrary to an ethical hacker, they hack to fulfil their selfish intentions and collect
    monetary benefits.
    ✧ GREY HAT - They hack without any malicious intention, for fun, but without any
    approval from the targeted organization.

  10. PENETRATION TESTING
    ✧ Penetration testing is a part of ethical
    hacking, where it focuses explicitly on
    penetrating only the information systems.
    ✧ The ultimate goal is to identify and
    prioritize Security Risks.

  11. VULNERABILITY
    ANALYSIS/ASSESSMENT
    ✧ The process of identifying risks and vulnerabilities in
    computer networks, systems, hardware and applications.
    ✧ It evaluates them, assigns severity levels to those
    vulnerabilities, and recommends remediation or
    mitigation.
    ✧ Vulnerability scanning tools are used to identify
    threats and flaws within an organization's.

  12. ETHICAL HACKING VS PEN TESTING
    ✧ Ethical hacking is a practice. The skills employed by an ethical hacker
    allow them to run a continuous assessment cycle of an
    organization’s security posture by employing the same tools, methods
    and techniques as a malicious hacker.
    ✧ Ethical Hacking is NOT Penetration Testing!
    ✧ Penetration Testing is Ethical Hacking!

  13. DEMO
    STEGANOGRAPHY:
    ✧ It is the technique of hiding secret data within an ordinary, non-secret
    file or message in order to avoid detection; the secret data is then
    extracted at its destination.
    ✧ The hidden data can be an audio, video, image or text file.
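    An added example of the technique described above, written for this page and not part of the talk's demo: least-significant-bit (LSB) embedding, where each bit of the secret replaces the lowest bit of one carrier sample, so the carrier changes by at most 1 per sample and looks unchanged to a casual viewer. The "image" here is a constructed list of 8-bit pixel values so the script runs offline; a real carrier (PNG pixels, WAV samples) would be loaded with an image or audio library instead. The 4-byte length prefix is this example's own framing choice.

```python
"""LSB steganography over a constructed carrier (added example, not the talk's code)."""
import random

HEADER_BITS = 32  # 4-byte big-endian length prefix so the extractor knows where to stop


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels: list[int], secret: bytes) -> list[int]:
    """Return a copy of `pixels` whose LSBs carry len(secret) followed by `secret`."""
    payload = len(secret).to_bytes(4, "big") + secret
    needed = len(payload) * 8
    if needed > len(pixels):
        raise ValueError(f"carrier too small: need {needed} samples, have {len(pixels)}")
    out = list(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return out


def extract(pixels: list[int]) -> bytes:
    """Read the length prefix, then that many bytes, from the carrier's LSBs."""

    def read_bytes(start_bit: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (pixels[start_bit + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if HEADER_BITS + length * 8 > len(pixels):
        raise ValueError("length prefix claims more data than the carrier holds")
    return read_bytes(HEADER_BITS, length)


def max_pixel_delta(original: list[int], stego: list[int]) -> int:
    """Largest per-sample change caused by embedding; LSB embedding gives at most 1."""
    return max(abs(a - b) for a, b in zip(original, stego))


def demo() -> tuple[bytes, int]:
    """Round-trip a constructed message through a constructed 2048-sample carrier."""
    rng = random.Random(7)  # fixed seed so the constructed carrier is reproducible
    carrier = [rng.randrange(256) for _ in range(2048)]  # constructed "image"
    secret = b"meet at the usual place"  # constructed sample message
    stego = embed(carrier, secret)
    return extract(stego), max_pixel_delta(carrier, stego)


if __name__ == "__main__":
    recovered, delta = demo()
    print("recovered:", recovered)
    print("max change to any sample:", delta)
```

    The `max_pixel_delta` check is the point for a defender: because the carrier differs from the original by at most one unit per sample, visual inspection will not reveal the payload, which is why detection of LSB steganography relies on statistical analysis of the LSB plane or on comparison against a known-clean original rather than on looking at the file.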

  14. APPLICATIONS
    ✧ To use the built-in applications, VirtualBox and Kali Linux / Parrot OS are
    mandatory.
    ✧ The applications are easy to use.
    ✧ For everything there is a tool (A-Z).

  15. DEMO
    Information Gathering
    Social Engineering
    SYSTEM HACKING

  16. INFORMATION GATHERING
    ✧ The process of collecting information about something you are interested
    in.
    ✧ In the digital world, a lot of information can be gathered in different
    ways: not with your senses, but with several methods, tools and techniques.

  17. SOCIAL ENGINEERING
    ✧ Social engineering is the art of manipulating people so they give up
    confidential information. Attacks can happen online, in person, and via
    other interactions.

  18. FOR WHO?
    ✧ Young professionals starting their careers
    ✧ Experienced professionals moving from another career into cybersecurity
    ✧ Professionals at all levels wanting to learn more about it to better
    protect their personal and business lives

  19. GRC VS TECHNICAL
    ✧ Strategic includes Governance, Risk and Compliance (GRC), policy, IT audit, security
    frameworks and management.
    ✧ Tactical includes everything technical: security systems administration, networking,
    application security, security operations, incident response, vulnerability management and
    penetration testing.
    ✧ Pick the one where you have the most strength.
    ✧ Caution: Don't try to do both, but be aware of the other side.

  20. WHAT SHOULD I CHOOSE?
    ✧ DEGREE
    ✧ MASTERS
    ✧ CERTIFICATION
    ✧ JOB - HOP IN

  21. ROLES

  22. CERTIFICATIONS

  23. HOW TO START
    ↴ Knowledge of computers and how the Internet works
    ↴ Computer Networks - Protocols, ports, servers, etc. | Basics to advanced
    ↴ Linux Concepts - Learn Linux thoroughly and practice in Kali
    ↴ Cryptography and Network Security - Encryption, decryption, algorithms, etc.
    ↴ CYBERSECURITY - Practice hard and learn new concepts
    ↴ TryHackMe, Hack The Box, PortSwigger labs, Capture the Flag challenges - To
    sharpen your skills
    ↴ Bug Bounty - Lots of practice, patience and effort.

  24. WHAT TO LEARN
    ✧ Malware and Reverse Engineering: C, C++, C#, Embedded C, Assembly
    ✧ Scripting: Python, Ruby, Perl
    ✧ Security Testing: HTML, CSS, JavaScript, PHP, Java, SQL
    ✧ Shell Scripting: Bash, shell scripting

  25. DOMAINS
    ✧ Web Application Security
    ✧ Android Security
    ✧ Cloud Security
    ✧ Cyber Forensics
    ✧ Malware Analysis
    ✧ Red Teaming
    ✧ Vulnerability Assessment & Exploit Development
    ✧ IOT and RFID Pentesting
    ✧ API Pentesting
    ✧ Blockchain & Decentralised Systems
    ✧ Cryptography and Network Security
    ✧ Hardware Security

  26. GOOD CHOICE?
    ✧ Unlimited Growth
    ✧ Set your style
    ✧ Easy to explore different paths
    ✧ Learn and EARN
    ✧ Engineers with cybersecurity chops and more than three years of
    experience can make up to Rs 30 lakhs a year, HR experts said.
    ✧ On the other hand, a software developer with five years at a
    multinational firm would earn only around Rs 15 lakhs a year.

  27. INTERVIEW PREPARATION
    ✧ Follow the Roadmap
    ✧ Be Strong in Basics
    ✧ Choose domain and prepare accordingly
    ✧ Stay updated in the cybersecurity industry
    ✧ Explain in terms of real-time scenarios and their impact
    ✧ Attain value-added certifications
    ✧ Decent resume - Projects, research work, achievements
    ✧ Achievements - Hall of Fame, CVEs, bounties, recognition
    ✧ Be passionate and confident

  28. ATTACKS

  29. BUG
    ✧ Bug bounties, aka responsible disclosure programmes, are set up by
    companies to encourage researchers to report potential issues on their
    sites.
    ✧ Some companies choose to reward a researcher with money, swag, or a hall
    of fame entry.
    ✧ Adds value to your resume and skills | Glory and fame | Practical knowledge |
    Money

  30. BOUNTY
    ✧ Platforms: BugCrowd, HackerOne, Synack, Intigriti
    ✧ Go for RVDP programs
    ✧ Duplicates are painful
    ✧ Quality >> Quantity
    ✧ Patience >> Bounty money

  31. PARAMETER TAMPERING
    ✧ A parameter tampering attack relies on manipulating parameters that the
    user can change, so as to alter application information such as user
    credentials and permissions, the amount of a product, etc.
    ✧ Usually this data is passed in a POST request or in hidden form fields.
    ✧ This vulnerability is present in almost every online shopping cart and
    payment gateway these days.
    ✧ Ex: bewakoof.com, donacakes.com
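    To make the slide's point concrete, here is an added example (written for this page; not code from the talk or from any site it names) of a checkout handler that trusts a hidden `price` field next to one that does not. The request is a constructed dict standing in for the parsed body of an HTTP POST, and `CATALOG` is a constructed in-memory price table; the field names `sku`, `qty` and `price` are this example's own.

```python
"""Parameter tampering on a checkout form: trusting handler beside the hardened one.

Added example, not the talk's code. `form` is a constructed dict standing in for
a parsed HTTP POST body; CATALOG is a constructed server-side price table.
"""
from decimal import Decimal

# Constructed server-side catalog: the only place a price may come from.
CATALOG = {
    "SKU-1001": {"name": "Hoodie", "price": Decimal("1499.00")},
    "SKU-2002": {"name": "Cap", "price": Decimal("499.00")},
}
MAX_QTY = 10
# Fields a browser form might carry but that the server must never act on.
CLIENT_ONLY_FIELDS = ("price", "discount", "role")


class TamperingError(ValueError):
    """Raised when the request carries values the server refuses to act on."""


def checkout_vulnerable(form: dict) -> Decimal:
    """Total computed from a client-supplied 'price' (a hidden form field) and 'qty'.

    Hidden fields are ordinary request parameters: the browser sends whatever
    value the page (or the user, with an intercepting proxy) puts there, so the
    client ends up controlling the amount charged.
    """
    return Decimal(form["price"]) * int(form["qty"])


def suspicious_fields(form: dict) -> list[str]:
    """Client-only fields present in the request; a cheap signal worth logging."""
    return [f for f in CLIENT_ONLY_FIELDS if f in form]


def checkout_hardened(form: dict) -> Decimal:
    """Total computed only from the server-side catalog and a validated quantity."""
    item = CATALOG.get(form.get("sku"))
    if item is None:
        raise TamperingError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise TamperingError("qty is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise TamperingError("qty out of range")
    # Any 'price' the client sent is never read; the catalog is authoritative.
    return item["price"] * qty


if __name__ == "__main__":
    honest = {"sku": "SKU-1001", "qty": "2", "price": "1499.00"}  # constructed
    tampered = {"sku": "SKU-1001", "qty": "2", "price": "1.00"}  # constructed
    print("vulnerable:", checkout_vulnerable(honest), checkout_vulnerable(tampered))
    print("hardened:  ", checkout_hardened(honest), checkout_hardened(tampered))
    print("suspicious fields:", suspicious_fields(tampered))
```

    The hardened handler never reads the client's `price` at all, which is the whole fix; `suspicious_fields` exists only so a request that does carry such a field can be logged and counted, since a spike in those is a useful detection signal even when the server is already ignoring them.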

  32. SQL INJECTION
    ✧ SQL injection is a code injection technique that might destroy your database.
    ✧ It is one of the most common web hacking techniques.
    ✧ It usually occurs when you ask a user for input, like their username/user ID,
    and that input is placed directly into an SQL statement.
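    As an added example for this slide (written for this page, not code from the talk), the following login lookup is shown twice: once building the SQL text from user input, and once passing the values as bound parameters. It uses an in-memory SQLite database with a constructed `users` table so it runs offline; the plaintext passwords are part of the constructed fixture only and a real system would store hashes.

```python
"""SQL injection in a login lookup: string-built query beside the parameterized fix.

Added example, not the talk's code. The users table and its rows are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table (plaintext passwords only to keep the example short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenates user input into the SQL text, so a quote in the input ends the
    string literal and whatever follows is parsed as SQL."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Sends the query shape and the values separately; the driver binds the values,
    so the input is compared as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def looks_like_injection(value: str) -> bool:
    """Crude logging/alerting heuristic for quote and comment characters in input.
    Useful as a detection signal, not a substitute for parameterized queries."""
    return any(marker in value for marker in ("'", '"', "--", ";", "/*"))


if __name__ == "__main__":
    db = make_db()
    # The classic textbook input: a closing quote followed by an always-true clause.
    crafted = "x' OR '1'='1"
    print("vulnerable, real password:   ", login_vulnerable(db, "alice", "correct-horse"))
    print("vulnerable, crafted input:   ", login_vulnerable(db, "alice", crafted))
    print("parameterized, real password:", login_parameterized(db, "alice", "correct-horse"))
    print("parameterized, crafted input:", login_parameterized(db, "alice", crafted))
    print("flag for review:", looks_like_injection(crafted))
```

    With the same crafted input, the string-built version returns a row because the `OR '1'='1'` clause became part of the WHERE condition, while the parameterized version compares the whole string against the stored password and finds nothing. Parameterization is the fix; `looks_like_injection` only helps a defender notice that someone tried.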

  33. ONLINE CYBER SAFETY
    ✧ Refrain from publishing sensitive information on any social media
    ✧ Keep complex passwords and never share them with anyone
    ✧ Printers, Wi-Fi, webcams and computers should be shut down when not in use
    ✧ Don't meet online acquaintances alone
    ✧ Don't share more than necessary
    ✧ Check for the HTTPS lock symbol
    ✧ Update devices regularly, keep 2FA on, use antivirus
    ✧ Visit your bank's website by typing the URL in the address bar
    ✧ Unlink card details from e-commerce sites
    ✧ Don't share personal emails and phone numbers; have a backup
    ✧ There is no such thing as freebies. Ex: Amazon, Flipkart URLs
    ✧ Block people you don’t want to interact with

  34. WHAT WE DO
    ✧ Act as a security professional
    ✧ Test the security and identify loopholes
    ✧ Conduct threat modeling
    ✧ Create reports and analysis
    ✧ Authorized with proper permissions
    ✧ Spread awareness to students and professionals
    ✧ Earn money and respect too

  35. WHERE IT ENDS
    ✧ Start career as Security Researcher or Associate
    ✧ Cybersecurity Analyst / Consultant - Penetration Tester
    ✧ Cybersecurity Manager / Engineer / Architect
    ✧ Security Director
    ✧ Chief Information Security officer - CISO

  36. HOW CYBERSECURITY IS NOW?
    ↳ Organizations have understood the importance of security
    ↳ Expanding security teams
    ↳ Conducting threat modeling
    ↳ IoT and cloud evolving
    ↳ Social engineering attacks getting smarter
    ↳ Rise of ransomware and security threats
    ↳ Data privacy as a discipline
    ↳ Having a responsible disclosure policy
    ↳ Appreciation | Recognition | Swag | Hall of Fame | Bug Bounty

  37. DISCLAIMER
    ✧ Any time the word “Hacking/Hacker” is used, it shall be regarded as
    Ethical Hacking/Hacker.
    ✧ These materials are for educational and awareness purposes only. Do
    not attempt to violate the law with anything contained here.
    ✧ If so, the speaker or college/club is not responsible for the actions of
    individuals who violate it.

  38. CONCLUSION
    ✧ "Choose a job you love"
    ✧ The number of cybersecurity jobs is increasing every single day. The key
    is identifying your skills and strengths.
    ✧ Hackers attack every 39 seconds, on average 2,244 times a day!
    When you give this a thought, you will realize how important
    cybersecurity is.

  39. SOME TIPS
    ✧ Get ready to deal with errors
    ✧ Learn how to use Google and find resources like a pro
    ✧ Stay updated and make progress
    ✧ Consistency is the key to success
    ✧ Be active on LinkedIn, security forums and communities
    ✧ Connect with like-minded students and infosec professionals
    ✧ ROOTECSTAK

  40. ANY QUERIES?

  41. REACH OUT
    ✧ www.rakeshelamaran.tech
    ✧ LinkedIn: Rakesh Elamaran
    ✧ Instagram: rakesh_elamaran