Hit by a Cyberattack: lesson learned
How are we hacked and what to do when it happens
IFE – 8 December 2015
Jan Guldentops
Hit by a Cyberattack: lesson learned. When you get hacked, how did it happen and what do you do? Rough side notes of a presentation for IFE, 8 December 2015.
Slide 1: Hit by a Cyberattack: lesson learned
How are we hacked and what to do when it happens
IFE – 8 December 2015
Jan Guldentops ( j@ba.be ), BA N.V. ( http://www.ba.be )
Slide 2: Who am I?
Jan Guldentops (°1973)
• This year I'll have been designing, building and securing server and network infrastructure for 20 years.
• Founder of ULYSSIS (°1994), Better Access (°1996) and BA (°2003)
• Open Source Fundamentalist (after hours)
• Strong practical background in ICT security.
➢ Security consultant by accident
➢ 1996 Beroepskrediet
• Pass a lot of my time in the lab (R&D)
Slide 3: In short: COMMON SENSE AS A SERVICE (CAAS)
Slide 4: The question is not if you're going to be hacked but when...
Slide 5: So what goes wrong? How do you get hacked?
Slide 6: The human factor
● Stupidity, laziness and ignorance
Slide 7: Amateurism (findings from the DigiNotar investigation)
● The successful hack implies that the current network setup and / or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.
● The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA servers, although physically very securely placed in a tempest-proof environment, were accessible over the network from the management LAN.
● The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.
● The software installed on the public web servers was outdated and not patched.
● No antivirus protection was present on the investigated servers.
● An intrusion prevention system is operational. It is not clear at the moment why it didn't block some of the outside web server attacks. No secure central network logging is in place.
Slide 8: Social engineering
● If you want to know something, just ask!
● People talk too much
● Your organization is leaking info:
– Google is your friend
– Stupid leaks: leaking confidential info in references, etc.
● Key employees who are passionate about their work often tell you everything
Slide 9: Phishing
● You are thinking about:
● Blond, Ukrainian ladies who can tell from your e-mail address that you are the man of their life.
● Badly written or translated
● So obvious
● But what if a phishing expedition was custom made to push your buttons?
Slide 10: Spear phishing
● Sinterklaas
● A custom-built phishing expedition:
– Surprise from Sinterklaas;
– Well-written e-mail
– Perfect house style
– Official URL with a registered certificate
● Sent to 200+ IT people
– 35% tried to fill in their userid/password
– before the security team blocked the URL
Slide 11: I am not who I am
● We still use userid/password for authentication
● Bad passwords
● Badly managed passwords
● Unrealistic password policies
● One password for everything
● Clear-text storage of passwords
● No single centralised user and role management
Slide 12: Tunnels
● Dozens of ways to set up a return tunnel from the inside of an organisation
● OpenVPN, ssh, iodine (IP-over-DNS), httptunnel, etc.
● TeamViewer, N-Able, LogMeIn, etc.
● Hard to detect
● Usually accidents waiting to happen
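Slide 12 calls return tunnels such as IP-over-DNS "hard to detect". As an added example (not from the slides, and not how any particular tool works), here is one detection heuristic a defender can run over resolver query logs in Python: an IP-over-DNS tunnel has to carry its payload in the query names, so one client sending many distinct, long, high-entropy subdomains to a single domain stands out. The log format, the sample log lines, the thresholds, and the simplification that the "base domain" is the last two labels are all assumptions of this example (a real deployment would use the public suffix list).

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <client_ip> <qname> <qtype>".
# 10.0.0.5 browses normally; 10.0.0.7 shows the tunnel-shaped pattern.
SAMPLE_DNS_LOG = """\
1449561600 10.0.0.5 www.example.com A
1449561601 10.0.0.5 mail.example.com MX
1449561602 10.0.0.5 static.cdn-example.net A
1449561603 10.0.0.7 0123456789abcdeffedcba9876543210.t.tun-example.net TXT
1449561604 10.0.0.7 02468ace13579bdf13579bdf02468ace.t.tun-example.net TXT
1449561605 10.0.0.7 a0b1c2d3e4f567896789a0b1c2d3e4f5.t.tun-example.net TXT
1449561606 10.0.0.5 www.example.com A
1449561607 10.0.0.7 fedcba98765432100f1e2d3c4b5a6978.t.tun-example.net TXT
1449561608 10.0.0.7 5a4b3c2d1e0f69788796f0e1d2c3b4a5.t.tun-example.net TXT
1449561609 10.0.0.7 9876543210fedcbaabcdef0123456789.t.tun-example.net TXT
1449561610 10.0.0.7 www.example.com A
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload scores high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (base domain, subdomain labels joined without dots).
    Assumption: base domain = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def find_dns_tunnel_candidates(log_text, min_queries=5, min_sub_len=20, min_entropy=3.0):
    """Group queries per (client, base domain) and flag groups whose distinct
    subdomains are numerous, long and high-entropy. Thresholds are assumptions."""
    per_pair = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of crashing the analysis
        _, client, qname, _qtype = parts[:4]
        base, sub = split_name(qname)
        per_pair[(client, base)].add(sub)

    suspicious = []
    for (client, base), subs in per_pair.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_sub_len and avg_ent >= min_entropy:
            suspicious.append({
                "client": client,
                "domain": base,
                "unique_names": len(subs),
                "avg_sub_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            })
    return sorted(suspicious, key=lambda r: -r["unique_names"])


if __name__ == "__main__":
    for hit in find_dns_tunnel_candidates(SAMPLE_DNS_LOG):
        print(hit)
```

On the sample, only the pair (10.0.0.7, tun-example.net) is reported; the same client's ordinary query to example.com is not. Thresholds need tuning per environment, because CDNs and some security products also generate long, machine-looking labels; in practice this heuristic is a triage signal that feeds the log analysis and SIEM steps of slide 16, not a verdict.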
Slide 13: Others
● Bad software;
● No structured updates;
● Security bolted on instead of by design;
● Stuck in perimeter security;
● Bad system management;
● Mobilization;
● Bring your own device;
Slide 14: The stakes have changed
● Globalization
● Cyberpunks versus mob
● Speed, damage
● Target:
● 70.000.000 personal data
● Exit security officer, CIO, CEO
● Ashley Madison
Slide 15: So how do you know you are hacked?
● Obvious hacker:
● Defaces your website;
● Sends all your contacts stupid spam;
● Uses all your CPU to mine bitcoins;
● Attacks the whole world directly from your systems;
● The discreet hacker:
● Compromises your system and collects information
● E.g. the Belgacom hack: compromised since at least 2007!
Slide 16: So how do you find these?
● Integrity checks
● Host-based IDS
● Honeypot
● Network-based IDS
● Analyze your logs
● SIEM
● Monitor your infrastructure
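As an added example of the "integrity checks" item on slide 16 (not code from the slides or from any named product), a minimal host integrity check in Python: hash every file under a root into a baseline, store the baseline away from the host, and later compare the live tree against it to report added, removed and modified files. The demo tree and the modifications it applies are constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map every regular file (relative POSIX path) under root to its hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root, baseline: dict) -> dict:
    """Report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in current.keys() & baseline.keys()
            if current[name] != baseline[name]
        ),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter the tree the way a
    compromise would show up (changed binary, dropped file, deleted config)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        # The baseline would normally be signed and kept off the host; here we
        # round-trip it through JSON to show it is plain, storable data.
        stored = json.dumps(build_baseline(root), indent=2, sort_keys=True)

        (root / "bin" / "login").write_bytes(b"original login binary\nunexpected change\n")
        (root / "tmp").mkdir()
        (root / "tmp" / "x.dat").write_bytes(b"unexpected new file\n")
        (root / "etc" / "passwd").unlink()

        return compare_to_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as where it lives: if it sits on the host being checked, an attacker who can change the files can change the baseline too. Keep it read-only off the box (or sign it), and treat "modified" hits on system binaries as an incident trigger, which is where the "what to do when you find something strange" part of this deck begins.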
Slide 17: What to do when you find something strange?
Slide 18: Don't panic!
● You're not the first to be hacked and certainly not the last.
● Focus on analyzing the problems and securing your environment.
● At least you know you are compromised...
● That's a good sign!
Slide 19: Handle the situation
● Collect a team to handle the security situation.
● These days there are cyber insurances
● AIG, Cyber contract, ADD, etc.
● This team can be made up of internal staff and/or external consultants
● Draft a plan
● Execute it
Slide 20: Isolate or offline
● Get the compromised applications, machines, accounts and data isolated and preferably offline.
● Take care that no other parts of your environment are infected.
● Literally or virtually pulling the ethernet cable or power plug.
● Preserve as much data as you can
● Secure backups!
Slide 21: Collect data
● Collect as much data as you can:
● Log files;
● Network traffic;
● Forensic copies of compromised systems;
– e.g. Kali Linux
● You'll need this to analyze what happened, what they took and who did it.
● Also legally important.
Slide 22: Find out what happened
● Analyze the attack, find out what happened
● Check what data and systems are compromised
● Presume everything is compromised until you know
● Try to understand what happened
● Find out what the consequences are...
Slide 23: Disclose and communicate
● Disclose what happened in a structured, complete way:
● To law enforcement;
● To partners;
● To employees;
● To customers;
Slide 24: Learn and adapt
● Learn from your mistakes:
● Change your security policy and procedures
● Learn from the hack and how your organization responded to it
● Adapt
● It will happen again, so get more ready for it
Slide 25: Thank you
Contact us
016/29.80.45
016/29.80.46
www.ba.be / Twitter: batweets
Remy Toren, Vaartdijk 3/501, B-3018 Wijgmaal
j@ba.be / Twitter: JanGuldentops
http://be.linkedin.com/in/janguldentops/