pritha's Posts (627)

(Free PPTs) Top Talks @ SACON - 2019 !

Get free access to the presentations by Dr. Phil Polstra, Wayne Tufek, Madhu Akula, Anant Shrivastava, Shomiron Das Gupta, Wasim Halani, Sahir Hidayatullah, Sudarshan Pisupati & more. SACON is one of the largest Security Architecture Conferences in the APAC region. With over 500 participants, this was the 6th edition of SACON, and here are a few highlights we wanted to share with you. It was held on 15-16th Feb in Bangalore, India. All sessions were workshop style, with 3-4 hours or 6-8 hours of hands-on training.


We had with us Top Security Industry Leaders who helped SACON with great content. For more details visit: sacon.io

>> Pre-Register for SACON 2020

01. Cloud Pentesting (Anant Shrivastava)

This session includes understanding the attack surface of AWS, Azure, GCP and OpenStack, abusing cloud storage, forensic analysis, understanding & attacking IAM & much more

Meet the best security minds & learn @ SACON

02. Automated Defense Using Cloud Services For AWS, Azure, GCP (Madhu Akula)

This session includes environment setup using an automated playbook, cloud provider account configuration, a hardened Elastic Stack, configuring cloud infrastructure, a centralized monitoring system, attack pattern analysis & detection, attack monitoring dashboards, SSH brute force, AWS CloudWatch, AWS CloudTrail logs, AWS Lambda, container logs to defend against Kubernetes security attacks (GCP), content management system audit analysis (Azure) & more


03. Practical Threat Hunting Using Open Source Tools (Wasim Halani & Shomiron Das Gupta)

This session was co-presented by two speakers.

The first part by Wasim Halani included fundamentals, threat hunting approaches, an Elastic Stack primer (Elasticsearch, Logstash, Kibana, Beats), concepts (nodes & clusters, index & shards, documents, fields, Logstash), Logstash (configuration, plugins), Grok (basics, example), Kibana (examples), Filebeat, Winlogbeat, a demo (investigating logs, creating visualizations, analysing data) and a use case.

The second part by Shomiron Das Gupta included the open source aspect of threat hunting: triggers for a threat hunt, analytics (tools & techniques), phases in the threat management life cycle, attack navigator (MITRE), Deep Panda, Lazarus Group, inferencing (forward/reverse), building playbooks for a standard threat hunt & more

04. Linux & Windows Forensics (Phil Polstra)

This includes building a toolkit for digital forensics, live response analysis (analyzing data, detecting the incident), preparing for dead analysis (memory image, filesystem images), FAT filesystems, NTFS filesystems, file analysis (slack space, file signatures, recovery), the registry, Windows artifacts, memory analysis & more

05. Practical Security Architecture (Wayne Tufek)

It includes a method of designing a security architecture that brings together the following: Sherwood Applied Business Security Architecture (SABSA), Intel's Threat Agent Risk Assessment (TARA), Lockheed Martin's Cyber Kill Chain and threat-driven approach, Mandiant's M-Trends report, Verizon's Data Breach Investigations Report, ASD Essential 8 and Mitre's Adversarial Tactics, Techniques & Common

06. Active Deception For Red & Blue Team (Sahir Hidayatullah & Sudarshan Pisupati)

Includes deception techniques for red teams and counter-deception for blue teams. Techniques include those used in office files (MS Office), trusted executable files, scripts, Active Directory (groups, SPNs, ACLs), credentials (Windows, SSH, AD), databases (credentials & more), host and enterprise applications, designing deception, wireless deception, identification, and rapid deployment at scale using WMI & PowerShell

07. IoT Network & Ecosystem Security Attacks & Secure Design (Sumanth Naropanth)

Includes attacking IoT ecosystems, and learning how to securely design such platforms to prevent the demonstrated attacks. Students learn to analyze the architecture of IoT market products from a security perspective and, using specialized hardware & software tools, perform hands-on security assessments, including packet capture/manipulation/injection in wireless sensor networks (WSN) and Bluetooth/BLE communication channels.


Some other sessions conducted at SACON (no presentation):
  • Extreme Web Hacking Using Cyber Range (Aditya Kakrania)
  • Extreme Web Hacking Using Cyber Range (Satish S)
  • Practical Mobile Application Exploitation (Subho Halder)
  • Cyber Law Best Practices For Incident Response (Venkatesh Murthy)

Read more…

Recently, you might have heard in the news about COSMOS Bank, a 112-year-old cooperative bank in India and the second largest in the country, being hacked and crores being siphoned off. The bank lost 940 million (94 crore) due to this breach on 11th & 13th August.

As per reports, the fraudulent transactions were carried out on August 11 and August 13, and the malware attack by the hackers originated in Canada, Cosmos Bank chairman Milind Kale said. In the first attack on August 11, using stolen card details, approximately Rs 78 crore was withdrawn in transactions in 28 countries. This included around 12,000 Visa card transactions. On the same day, approximately Rs 2.5 crore was withdrawn through 2,800 debit card transactions in India at various locations. On August 13, the hackers transferred Rs 13.94 crore into an account in the Hang Seng Bank in Hong Kong by initiating a SWIFT transaction. "In two days, hackers withdrew a total Rs 78 crore from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another Rs 2.5 crore were taken out within India," he said. It was observed that unusual repeated transactions were taking place through Visa and RuPay cards used at various ATMs for nearly two hours.

This report gives you an understanding of the COSMOS hack, how it happened, a detailed technical analysis, learnings from it & more.

What Will You Find In The Report?

  • Learn the hack fundamentals & how the breach happened
  • A detailed technical analysis of the breach
  • Top 7 key learnings from it

>> Download The Complete Report

Read more…


Defining The Scope

  • Embedding human security as a part of organization culture
  • Empowering and enabling every individual


Understanding The Attack Surface & Risks

  • Expansion of attack surface due to merging of official and personal spaces
  • Non-obvious attack surface – IoT, BYOD
  • Agentless malware
  • Spear phishing
  • Management is more vulnerable
  • Identity theft
  • 3rd-party and vendor people risk
  • APT/Ransomware
  • Insider threats
  • Complacency as a major cause


Strategies / Principles

  • Getting management alignment …and budget
  • Utilize Training budget
  • Define responsibilities and set the KRAs/KPIs
  • Specialized training especially for the top management


Framework (In PPT)

Parameters include Identify, Protect, Detect, Respond, Recover

Identify

  • Process
    • Identify most vulnerable users and key person
    • Compromise assessment
    • Red teaming with social engineering
    • Take audit and incident inputs
    • Metrics Program
  • Technology
    • Phishing simulating technology
    • Vulnerability/Threat scanning for users, bad domains, spear phishing
    • Regular measurement and reporting

Protect

  • DMARC/DKIM/SPF
  • Awareness/Training
  • Anti-APT
  • Anti-Spear phishing solutions
  • MFA


Detect

  • Detect incidents
  • UEBA/UAM
  • Honeypots/Deception
  • SOC/SIEM
  • Actionable Threat intel (Internal+External)
  • Email security solutions
    • Sandboxing, AI, Threat intel sources, ease of management, Spam filters, Geo-tagging
    • Ease of reporting/Multi channel
  • Web filtering


Respond & Recover

  • Crisis management training+playbook+simulations
  • Breach reporting and compliance reporting
  • BCP/DR testing
  • IR playbooks specific to human-centric attacks
  • Continuous Backups+restoration
  • Email forensics
  • Compromise assessment
  • Cyber insurance


Detailed Presentation

Read more…

SACON is India's 1st & only Security Architecture Conference. With over 70 participants, this was the 5th edition of SACON, and here are a few highlights we wanted to share with you. It was held on 18-19th May at Hotel Hyatt, Pune, India.

We had with us Top Security Industry Leaders who helped SACON with great content. For more details visit: sacon.io

What We Covered (Key Highlights)

  • Applications of AI, Machine Learning, Deep Learning
  • Machine Learning - Classical Definition & Types Of Algorithms
  • Data Modeling
  • How The Algorithm Works
  • Linear Regression
  • Logistic Regression
  • Basics Of Protection - Confidentiality, Integrity, Authenticity, Availability, Reliability
  • Targeted & Non-Targeted Attacks
  • Attack Life Cycle - Kill Chain
  • Cyber Threat Intelligence
  • OSINT
  • OSINT Using Google
  • Deep Web Search Engine
  • Operation Security (OPSEC) - Basics & Best Practices
  • Cyber Threat - Data Breaches
  • Communication Channels

Presentations

Click on each presentation name to open slide in new tab

Contributors are Subrat Panda, Arnab Chattopadhayay, Rohit Srivastwa

Photo Albums

Some great photographs have been compiled into an album. Help us tag you (Tag yourself) and let us know if you want to add some pictures you took at the event. Email - pritha.aash@cisoplatform.com

Here's the Photo Album link - Click Here

Read more…

CISO Platform Decision Summit, 2018 Highlights

CISO Platform Decision Summit @Pune, last week, saw over 200 attendees over 2 days, making the spirit of knowledge sharing and learning a huge success among the Information Security Executives of India. Here are the highlights of the awesome keynotes, electrifying Turbo sessions and some great knowledge-boost training sessions.

It was held on 18th & 19th May, Hyatt, Pune, India.

Some Exciting Sessions & Task Force Meetups:

1. Open House : Enterprise OSINT - From Surface Web To Dark Web

2. (Panel Discussion) Top Emerging Innovations In Cyber Security

3. (Panel Discussion) Exploring Dark Web For Managing Cyber Security Posture

4. Task Force Session On Cyber Security Initiative For Kids

5. (Panel Discussion) How To Measure Your Breach Response Readiness

6. (Panel Discussion) Planning Your Board / Management Engagements For 2018

7. (Panel Discussion) Quantitative Approaches For Measuring 3rd and 4th Party Risks

Photo Album

Some great photographs have been compiled into an album. Help us tag you (Tag yourself) and let us know if you want to add some pictures you took at the event. Email - pritha.aash@cisoplatform.com

Here's the Photo Album link - Click Here

Here's the CISO Platform 100 Recognition Photo Album Link - Click Here

Read more…

Why Is OSINT So Important ?

OSINT (Open-Source Intelligence) is intelligence collected from publicly available sources.

It is becoming a key resource for collecting threat intelligence, even in the enterprise space. One factor is that we now live in a very connected world, so the amount of data, and its analysis, is becoming more key and relevant. A good example here would be the Stuxnet attack.

Open Source Movement was also a reason for the push for OSINT usage.

OSINT can find great use in fields and sectors like Government, Defence, Banking, Finance, Telecom, Critical Infrastructure, Cyber Security Advisory Firms, Cyber Threat Intelligence Teams, Law and Cyber Forensic Teams.

Typical OSINT Process

It will include (in order)

  • Source Identification
  • Data Harvesting
  • Data Processing & Integration
  • Data Analysis
  • Results Delivery

This process can be time-based, leading to offensive or defensive OSINT: studying before an attack makes it defensive, and studying after the attack makes it offensive.

OSINT Workshops at SACON

SACON (Security Architecture Conference) 2018 has OSINT workshops by industry experts. Pre-Registrations Open for best discounts.

>> Pre-Register for SACON 2018

OSINT Tool Examples

Palantir, I2 - Commercial products.

Maltego - free and commercial version. Free has some limitations

NodeXL - completely free. An extension to excel. Allows data mining, visualization, some machine learning & clustering capabilities

SpiderFoot - a combination of VA and OSINT that can be automated/scheduled to run from time to time. It automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names etc.

ShodanHQ - a Google-like search engine for all devices connected to the internet. Initially called the Google Hacking Database. It focuses on identifying and connecting to anything reachable via a public IP.

Some other tools could be namely - FOCA, Tapir, Creepy, theHarvester, Metagoofil


Reference :

Pointers were derived from a talk at Annual Summit 2015 here and Offensive OSINT Talk from Black hat here

Read more…

The Playbook Round Table was set in 3 cities - Mumbai, Bangalore & Delhi - where security heads got together to contribute to building a plan to measure an organisation's security program against 2018's application attacks

Key Highlights

  • Key Expectations Of An Appsec Program
  • Key Frameworks To Measure Appsec Maturity
  • Key Metrics To Measure Appsec Maturity
  • Critical Capabilities Of Some Technologies (eg. WAF,DDOS)
  • Creating Appsec Program Architecture

Detailed Presentation (PPT)

Contributors

Vikas Yadav, Max Life Insurance, CISO
Dhirendra Kumar, Barclays, Head Of Cyber Resilience
Yask, Indian Oil Corporation Ltd, CISO
Pravesh Sharma, Fidelity, Head IT & IS
H S Hora, NIC, Sr. Technical Director
R. Manikant Kumar, Orbis Financial Corporation, Head-IT & Security
Mohit Mendiratta, Havells India Limited, General Manager - IT
Deepak Tiwari, Aircel Limited, DGM IT
Gomeet Pant, Cairn India, Lead - IT Security And Compliance
Hema Gupta, NCR, Sr. Manager Security Governance
Sunil Gupta, Ministry of Steel, Chief Information Officer
Rekha Atri, Cairn India, IT Security & Compliance

Sridhar Govardhan, Wipro, General Manager - Cyber Security
Rejo Thomas, Exide Life Insurance, DGM
Roshan Williams, Cognizant, Director Global Information Security
Somanath NG, Alstom, Head Of Security
Sathish Sreenivasiah, TCS, Information Technology Service
Ajay Agrawal, Wipro, Senior Manager
Nitin Gaur, Omega Healthcare, Associate Director- CISO
Lopa Mudraa Basuu, Ocwen Financial Solutions, Director IT Risk Operations
Raghavendra Bhat, SAP, Head Of Security
Satish Kumar Dwibhashi, WIBMO, CISO
Shaik J Ahmed, Virtusa Polaris Director, Head Cyber Security
Shobha Jagathpal, Walmart Labs, Security Manager
Sushil Nahar, Happiest Minds, GM
Vinod Kumar Vasudevan, Honeywell, Head- Cyber Security
Chidanand, Eminent Minds, IT Head
Kalyana M, Kotra, Manager

Vikas Gupta, State Bank of India, Assistant General Manager(Systems)
Prasanna Lohar, DCB BANK LTD, Head Technology
Kotni Srihari Rao, Reliance Payment solutions ltd, Associate Vice President
Mohd Imran, L&T Finance Group, Head- IT Sec
Bhuvanesh Shukla, Axis Securities Limited, CTO
Rajendra Bhalerao, NPCI, CISO
Bharat Chitroda, Paypoint India Network Pvt. Ltd., IT-Head
Raj Naik, Indus Ind bank, Asst. Manager
Prashant Mhapomkar, Indus Ind bank, Deputy Manager
Manthan Babu K, NPCI, CISO
Dilip Panjwani, L&T Infotech, CISO
Rajesh Kathuria, rediff.com, Associate Director - IT

Read more…

(Free PPTs) Top Talks @ SACON - 2017 !

Get free access to the presentations by Moshe Ferber, Gregory Pickett, Murray Goldschmidt, Dr. Philip Polstra & more. SACON is one of the largest Security Architecture Conferences in the APAC region. With over 400 participants, this was the 4th edition of SACON, and here are a few highlights we wanted to share with you. It was held on 10th-11th Nov at Hotel Lalit Ashok, Bangalore, India.

We had with us Top Security Industry Leaders who helped SACON with great content. For more details visit: sacon.io

Check out the full list of speakers here

>> Pre-Register for SACON 2018

01. Cloud Security Architecture (Moshe Ferber)

This session includes understanding IaaS, threats & risks of cloud computing, securing IaaS platforms, securing IaaS instances

02. Windows Forensic (Dr. Philip Polstra) 

Have you ever wanted to investigate a Windows and/or Linux breach but could not justify the 8 lakh rupees in software? This workshop will introduce attendees to Windows and Linux forensics using 100% free and open source software. Python and shell scripting will be used to easily analyze both Windows and Linux systems at a deep level.

03. SecOps Workshop (Gregory Pickett)

Adaptive Network Protocol (ANP) allows systems to share events with each other. When one system sees a threat, they all see it and can respond in a coordinated fashion. Your network can, quite literally, respond to a threat all on its own. In this session, we’ll show you how ANP works, how to install it, and cover all the use cases from generating your own Threat Intelligence feed, to sharing fail2ban jails across clouds, to automatically NATing threats to honeypots, and many more. To show you how it works, there will be demos of some of these scenarios.

04. Automating SecOps (Murray Goldschmidt)

Dynamic, high-velocity DevOps production environments deliver impressive results to enterprises. Security teams now need to catch up and be effective immediately. This 4-hour lab on Security Automation for DevOps teaches ways to improve security at the source and manage a secure environment across the lifecycle. Understand the DevSecOps stack and how to protect it by gaining visibility using automation across development, applications, operating systems and the cloud, covering SAST, DAST, 3rd-party library scanning, continuous monitoring, vulnerability management and self-healing. Attendees will learn how to start with simple security automation to protect DevOps environments - without becoming a bottleneck in the process.

05. Beyond Corp (Arnab Chattopadhayay)

It includes Google Beyond Corp principles, Beyond Corp Architecture Components, Types Of Data, Data Processing Flow, Correlation, Exceptions, Deployment, 3rd party systems, Challenges & more

06. Enterprise Security Architecture (Bikash Barai)

Includes Architectural Methodologies, Major frameworks - Zachman & SABSA, challenges, CP - SSM, Key Elements, Threat Repository, NIST CSF & more

07. Immutable Architecture (Nilanjan De)

Includes Immutable Infrastructure, Advantages, Disadvantages, How to implement, demo & more

08. Cyber Risk Assessment Using Bayesian Network (R Venkat)

Includes Heat Map, Range Compression Problem, Uncertainty, Probability & Bayes Theorem, Bayesian Network & more

09. DevOps Container (Richard Bussiere) 

Includes understanding of security risk posed by containers, what to do, demo & more

10. Incident Response Automation & Orchestration (Amit Modi)

This session covers how to increase the efficiency of one's SOC

11. Security Architecture (Arnab Chattopadhayay)

Includes a brief history of Enterprise Architecture, Zachman framework, SABSA (in-depth), Security standards & more

12. API Security (Suhas Desai)

Includes API Security Trends, Risks & Security Governance

13. Threat Modeling Overview (Abhishek Datta)

Includes Threat Modeling Basics, Approach, Purpose, Threat Vs Vulnerability, STRIDE Framework, Threat Rating, Risk Analysis Model, DREAD, Countermeasures & more

14. Threat Hunting (Chandra Prakash)

Includes threat hunting platform drivers, hunting styles, hunting maturity model (HMM), hunting strategy, data domains, data diversity, toolset diversity, kill chain, hunting process, data type & location, analytic technique, beacon, LatMov, staging, exfil & more

15. Deception Technology (Sahir Hidayatullah)

This includes an understanding of deception and who should use it

16. Threat Hunting Workshop (Shomiron Das Gupta) 

Includes fundamental understanding of threat hunting, process, plan and execution, tools & techniques, resources to learn, DNS Tunnelling, Webshells & more

17. Automotive Security / Connected Cars (Aditya Kakrania)

Includes fundamentals of connected cars, ECU (Electronic Control Unit) & types, Controller Area Network (CAN) Protocol, On-Board Diagnostics, Components Of Connected Cars

18. Mobile App Security (Srinath Venkataramani)

This includes Mobile App Development - Attack Surface, Data authentication & App protection challenges, iOS & Android protection measures & more

19. IoT Forum Fresh Thinking (Arvind Tiwary & Bikash Barai)

This is a joint initiative by TiE & CISO Platform. It explains IoT Security Challenges, Complexity and Introduces some ways of solving it (a fresh approach)

20. Fresh Thinking IoT (Arnab Chattopadhayay)

Includes basic IoT security key components, hyper scale, key players, key security functions, functional aspects of IoT Security, Access control, network segments & more

21. IoT Hackfest (Sri Chakradhar K)

This session was heavily demo-driven, so the slides cover very little material. Includes latest IoT attacks

Read more…

Incident Response Process - Signs Of Compromise

Here are some indicators which will help you detect a compromise:

  • Identification of the same email from a public domain sent to a significant number of users, C-level employees or high-value targets, with encrypted attachments that are password protected and zipped to escape the email malware filter (put the user in the reference list)
  • Endpoint alert / HIPS / host-based malware alerts for local script execution for the same user; raise an incident
  • Identify unusual traffic volumes to multiple ports or IP addresses, or excessive packet loss (e.g. a connection over 4 hours to an external IP)
  • Examine abnormal services on known ports and abnormal ports for well-known services, and verify reputation scores of the IP (e.g. SSH to port 80)
  • EDR and WAF alerts for scripts, hash mismatch
  • Botnet filter alerts for traffic to blacklisted domains
  • Email / spam filter misbehavior or maintenance activity followed by suspicious activity on the network, especially related to unknown / suspicious remote destinations
  • Monitor packet flow inside and outside the network for likely patterns of Command and Control (C&C) traffic, outbound custom encrypted communications, covert communication channels with external entities etc.
  • Threat intelligence alerts for connections / data sent to suspicious destinations outside the organization, especially those belonging to less reputed geographic locations and at odd hours
  • Examine if any data breach has occurred, e.g. a large HTML packet
  • Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic
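Three of the indicators above (the same public-domain sender reaching several high-value users with protected attachments, a connection to an external IP open for more than 4 hours, and SSH showing up on port 80) written out as detection checks over sample records. This is an added example, not code from the original post; the mail domains, high-value users, internal ranges and log records are constructed placeholders.

```python
"""Detection checks for three compromise indicators: public-domain sender
fan-out with protected attachments, long-lived external connections, and a
well-known port carrying an unexpected service.

Added example; the log records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed organisation specifics (placeholders, not from the page).
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
HIGH_VALUE_USERS = {"ceo@corp.example", "cfo@corp.example", "ciso@corp.example"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EXPECTED_SERVICE = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}

# Constructed mail-gateway records: sender, recipient, attachment name and
# whether the gateway reported the attachment as encrypted/password-protected.
MAIL_LOG = [
    {"from": "payroll.update@gmail.com", "to": "ceo@corp.example",
     "attachment": "salary.zip", "encrypted": True},
    {"from": "payroll.update@gmail.com", "to": "cfo@corp.example",
     "attachment": "salary.zip", "encrypted": True},
    {"from": "payroll.update@gmail.com", "to": "ciso@corp.example",
     "attachment": "salary.zip", "encrypted": True},
    {"from": "alice@partner.example", "to": "ceo@corp.example",
     "attachment": "agenda.pdf", "encrypted": False},
    {"from": "bob@gmail.com", "to": "helpdesk@corp.example",
     "attachment": None, "encrypted": False},
]

# Constructed flow records; "proto" is the protocol identified by inspection.
FLOW_LOG = [
    {"src": "10.0.5.21", "dst": "203.0.113.9", "dport": 443, "proto": "tls",
     "start": "2017-06-01T09:00:00", "end": "2017-06-01T09:02:00"},
    {"src": "10.0.5.21", "dst": "198.51.100.7", "dport": 80, "proto": "ssh",
     "start": "2017-06-01T22:10:00", "end": "2017-06-02T03:40:00"},
    {"src": "10.0.5.30", "dst": "10.0.9.2", "dport": 22, "proto": "ssh",
     "start": "2017-06-01T10:00:00", "end": "2017-06-01T16:00:00"},
]


def is_external(ip):
    """True when the address lies outside the organisation's own ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_mail_campaigns(log, min_recipients=2):
    """Same public-domain sender hitting several high-value users with an
    encrypted or zipped attachment. Returns {sender: sorted recipients}."""
    recipients = defaultdict(set)
    for rec in log:
        domain = rec["from"].rsplit("@", 1)[-1].lower()
        name = (rec["attachment"] or "").lower()
        protected = rec["encrypted"] or name.endswith(".zip")
        if domain in PUBLIC_MAIL_DOMAINS and rec["to"] in HIGH_VALUE_USERS and protected:
            recipients[rec["from"]].add(rec["to"])
    return {s: sorted(r) for s, r in recipients.items() if len(r) >= min_recipients}


def long_external_connections(log, max_hours=4.0):
    """Connections to external IPs open longer than max_hours, returned as
    (src, dst, hours). Internal-to-internal sessions are ignored."""
    hits = []
    for f in log:
        if not is_external(f["dst"]):
            continue
        start = datetime.fromisoformat(f["start"])
        end = datetime.fromisoformat(f["end"])
        hours = (end - start).total_seconds() / 3600
        if hours > max_hours:
            hits.append((f["src"], f["dst"], hours))
    return hits


def port_service_mismatches(log):
    """Well-known ports carrying a service other than the expected one, e.g.
    SSH on port 80. Returns (src, dst, dport, observed_protocol) tuples."""
    return [
        (f["src"], f["dst"], f["dport"], f["proto"])
        for f in log
        if f["dport"] in EXPECTED_SERVICE and EXPECTED_SERVICE[f["dport"]] != f["proto"]
    ]


if __name__ == "__main__":
    print("mail campaigns:", suspicious_mail_campaigns(MAIL_LOG))
    print("long external connections:", long_external_connections(FLOW_LOG))
    print("port/service mismatches:", port_service_mismatches(FLOW_LOG))
```

In the sample data the same host both holds an SSH session on port 80 to an external address and keeps it open for 5.5 hours, so two independent indicators point at the same source, which is the kind of corroboration the list above is meant to produce.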

This was presented at SACON - The Security Architecture Conference - largest security architecture conference in the region. You can find the full presentation here. SACON International 2017 will be hosting a Cyber Security Workshop by Dr. Phil Polstra (Author Of 'Linux Forensic').

Dr. Phil Polstra (Author of 'Linux Forensic' & many more books) will be conducting Linux and Windows Forensic Workshop at SACON 2017. Check workshop agenda here

Read more…

Top Past Talks By Moshe Ferber

Frequent Speaker at DEFCON, Blackhat, RSAC APJ, Royal Society London

Renowned Cloud Security Expert

1. From Zero To Secure In 1 Minute (Securing IaaS)

Conference : DEFCON 23

For complete presentation/slide : Click Here

2. Cloud Security for Startups by Moshe Ferber

Conference : Technopreneurship SIG

For complete presentation/slide : Click Here

***********

Top Past Talks By Dr. Phil Polstra

Frequent speaker at DEFCON, Blackhat, BSides, GrrCON, ShakaCON..

Author of "Linux Forensic"

1. Cyber hi-jacking airplanes

Conference: DEFCON22

For complete presentation/slide : Click Here

2.One Device To Pwn Them All

Conference: DEFCON23

For complete presentation/slide : Click Here

***********

Top Past Talks By Gregory Pickett

Frequent Speaker at DEFCON, BRUCON, Hack In Paris, Blackhat

Renowned Security Expert

1. Staying Persistent In Software Defined Networks

Conference: Black Hat USA 2015

For complete presentation/slide : Click Here

2. Abusing Software Defined Networks

Conference: DEFCON 22

For complete presentation/slide : Click Here

***********

Top Past Talks By Murray Goldschmidt

Frequent speaker at RSAC, AusCERT 

Renowned DevSecOps Expert

1. DevOps – A How To for Agility with Security

Conference: RSAC APJ 2017

For complete presentation/slide : Click Here

************

Read more…

Technologies For Security Of BYOD

This article is a contribution by Chitranjan Kesari, AVP IT, Lodha Group for the information security community.

The need for flexibility, speed and information sharing means it is mandatory to maintain a robust security arrangement that can protect the data and still offer the ability to stay connected. A reliable BYOD policy is required to help safeguard our network. The core of BYOD is to develop a policy that defines exactly what sensitive company information needs to be protected and which employees should have access to this information, and then to educate all employees on this policy. In our experience, the safety of our network depends on our employees' knowledge of cyber security.

Below are a few fundamentals covered :

1. Virtual Desktop Infrastructure & Containerization 

It is a way to address virtual hybrid desktop issues by placing native applications inside a safe zone on a device. A virtual machine manager abstracts the container from the client hardware, boosting performance and reducing server strain by allowing client-side execution, while still improving security by isolating the container from certain functions, such as wireless network connections, USB ports or device cameras. Some virtual containers contain an entire operating system and productivity application suite, while others are purpose-built, single-function virtual devices that provide services like compliance monitoring or highly secure applications.

2. Chipset Level Security Technologies

These allow MDM to reach underneath a managed device's operating system, performing remote wipes and pre-boot virus scans regardless of the device status. By providing access below the operating system, this technology allows administrators to correct problems by loading software patches and virus definitions, removing the need for third-party software tokens or hardware-based authentication devices. Anti-theft technology from a reliable vendor extends security features such as remote, operating-system-independent device locking and unlocking to processors.

( Read More: Top 6 Reasons Why Data Loss Prevention (DLP) Implementation Fails )

3. Network Access Control Technology

This allows employees to use their personal devices on the network while providing the security and access control required by the enterprise. The approach combines granular access policies, automated enforcement, and complete visibility into every device and user on the network. Leverage software and hardware solutions to lock down and manage devices while simultaneously securing the data itself. Wireless networks have to be built for secure BYOD access and the way to do that is incorporating NAC for mobile devices.

4. Data loss prevention

Deploying these engines enables administrators to keep track of data traffic and immediately block suspicious users or activity. DLP tools can apply a use policy to information as it is created, whether it is a file, email or application. This means that data at rest, in use or in transit can be logged, reported, tagged and encrypted at any stage, ensuring the prevention of unauthorized activity. As more firms allow employees the freedom to access the corporate database from a personal device, DLP technologies will be imperative to maintain secure data management.

( Learn More : Top Security Researchers are coming together for workshops and sessions on Cloud Security, Cyber Forensics, IR, SOC, Appsec & more at SACON (Security Architecture Conference). Registrations open here )

Read more…

How to design an effective phishing simulation ?

This article was contributed by Sridhar Govardhan, CISA, CISM, CEH, General Manager-Cyber Security at Wipro

Phishing is a type of social engineering attack. Using a phishing email, the attacker cleverly manipulates the natural human tendency to trust others and tricks the victim into acting as instructed in the email. To be convincing, the fraudster will use a combination of the following elements in the email: use of authority, secrecy and pressure tactics.

Today's email security solutions are designed to detect and prevent predominantly known threats using signatures and/or heuristics. Signature-based detection fails to detect or protect against zero-day threats and is ineffective in handling polymorphic threats.

Security technology also lacks the context of human behavior. Today's security technology does not factor in human action and completely ignores social engineering attacks. The various forms of social engineering attack (phishing, whaling, CEO fraud) are the most highly exploited threats today, and they succeed by exploiting human trust. To cover the above threat scenarios, email security technology has to mature further.

With this background, the best security control an enterprise can design and implement is to make its users the first line of defence. An information-security-trained and educated user is the best preventive and detective control against phishing email threats.

Regular awareness and training sessions can provide basic concepts of phishing email and some additional knowledge of phishing. This knowledge alone will not suffice for a user to detect all variants of phishing, since targeted (spear) phishing emails can be made to look real with respect to content and context of the email.

To give users a real-time view of how phishing emails trick and manipulate them, a controlled phishing simulation exercise, along with immediate feedback and training, is the best tactic.

( Read More: Bad USB Defense Strategies )

To achieve better results and effective user training, the key components to consider when designing the phishing simulation exercise are:

  • Phishing Simulation Tool

  • Phishing email theme

  • Frequency of the simulation

  • Reporting and Awareness

1. Phishing simulation solution

One of the critical elements in building a phishing simulation is the solution that will be used to conduct it. The tool should have the following features:

  • Built-in repository of varied templates covering different phishing categories and continually updated phishing email templates (commercial solution)

  • Solution should be highly customizable w.r.t phishing email templates

  • Extensive reporting options on completion data, average score, most missed items, user activity

  • Trend graphing feature to understand the user behaviour over time

  • Easy integration with messaging solution

  • Granular reporting on user activity and overall participation by division / project / department

  • Integration with the existing Learning Management Solution (LMS)


2. Phishing email theme

In every phishing simulation activity, the theme of the phishing email plays an important part in meeting the end objective of educating users on real threats. To provide a real-world experience and awareness, the simulation theme selected should align with an event or context relevant to the target individual or group. The following points should be considered for an effective simulation activity:

  • Theme chosen for the phishing simulation should be aligned with business context and perceived risk to the user’s role / function / department

  • Phishing simulation theme selected should have relevance to the individual or group selected  

  • To achieve better results and a better learning experience, the complexity of the theme selected should be raised gradually to the next level

  • Starting with a highly complex phishing theme will make many fail and will not achieve the end objective

  • Each deceiving element of phishing email needs to be combined with other tricks typically used by attackers (example: look alike domain with camouflaged hyperlink, spoofed domain with double extension file)

3. Frequency of the simulation

Every phishing email sent by attackers is well planned and timed to an event that targets the victim (example: tax returns, holiday shopping, M&A, etc.). The following points should be considered for an effective simulation activity:

  • High risk functions / departments / individuals handling an important role in the organization should be covered more frequently in the simulation. A matrix of risk against function / department / individual helps here; the sample matrix has the columns:

    Function / Department / Individual | Risk Score | Frequency (Days)

  • Frequency of simulation should be changed based on the perceived threat

  • If the function or department being covered is actively targeted with phishing emails, raise its risk score and increase the frequency

  • Each simulation activity should be time bound; contextual themes lose their value if not run within the defined timeline

  • The coverage of user and frequency of simulation should be decided based on the perceived risk (Finance & Payments – 2 themes / month, senior leadership – 1 theme / month)

  • “Too Much of Anything Is Bad” doesn’t apply to phishing simulation, the more the better

  • When planning the campaign, the "day of the week" and "time of the day" at which phishing emails are sent to each function / department or individual is an important element


4. Analysis and Reporting

After every phishing simulation campaign, a detailed analysis of the campaign results should be a mandatory part of the process. The analysis can provide valuable insights into the failure and success points. It should factor in the following points:

  • complexity of the selected phishing theme

  • theme of the phishing email

  • targeted group

  • number of times previously covered 

  • A final report on the overall performance of the simulation phishing exercise should be shared with the head of function / department

  • The report should cover statistics of failure and success points; a few sample points:

    • % of targeted users who were successfully phished

    • % of targeted users who clicked the URL and submitted the details requested

    • % of users with access to critical data / information who failed

    • % of users who opened the mail but did not click the phishing URL

    • % of targeted users who opened the attachment

  • Good points should also be reported (if process allows reward few to encourage others)

  • At an advanced phase, analyse and provide a timeline graph of failures and user reporting

  • If possible, avoid revealing the names of users who failed the simulation in the management report

  • If users are repeatedly failing, discuss with a few of them to understand the reasons and constraints they have, and arrange awareness / training sessions for them accordingly

A few further considerations:

  • Communicate about the phishing simulation to the head of function / department before initiating the phishing simulation campaign

  • If you are using an in-house solution, never use your enterprise external IP address range and frequently change the IP address

  • Don’t use irreverent or loose themes, or the sanity of the whole exercise will be lost

  • If the campaign targets a large group of users belonging to the same function / department, avoid online feedback and declaration. Delay the feedback instead; this ensures users don’t inform others in the group.

What are your go-to solutions for designing an effective phishing simulation?

 


Top 9 Past Security Talks By Dr. Phil Polstra

Dr. Philip Polstra

Author of 'Linux Forensics', 'Windows Forensics' and 'Hacking and Penetration Testing with Low Power Devices' | Frequent speaker at DEFCON, Black Hat, BSides, GrrCON, ShakaCon | Renowned forensic expert

About : Digital forensics professor by day, hardware hacker and penetration tester by night. Associate Professor, Digital Forensics at Bloomsburg University of Pennsylvania. Attended Northcentral University.

Dr. Phil Polstra will be conducting a hands-on 'Windows & Linux Forensics' workshop at SACON - Bangalore on 10 & 11th November, 2017.

Top 9 Past Security Talks by Dr. Phil Polstra

1. Am I Being Spied On? Low Tech Ways Of Detecting High Tech Surveillance

Conference : DEFCON22

Brief : Is someone spying on you? This talk will present several low-tech ways that you can detect even high-tech surveillance. Topics covered will include: detecting surveillance cameras with your cell phone, signs that you are under physical surveillance, detecting active and passive bugs with low cost devices, and detecting devices implanted inside computers, tablets, and cell phones.


2. Cyber Hi-jacking Airplanes

Conference: DEFCON22

Brief : This talk will take a systematic look at the mechanisms others are claiming would permit such cyberhijacking. Each of the most popular techniques will be examined mythbuster style. Along the way several important aircraft technologies will be examined in detail.


3. Hacker In The Wires

Conference: DEFCON23

Brief : This talk will show attendees how to use a small ARM-based computer that is connected inline to a wired network for penetration testing. The computer is running a full-featured penetration testing Linux distro. Data may be exfiltrated using the network or via a ZigBee mesh network or GSM modem.

The device discussed in this talk is easily integrated into a powerful penetration test that is performed with an army of ARM-based small computer systems connected by XBee or ZigBee mesh networking.


4. Mouse Jiggler Offense & Defense

Conference: DEFCON24

Brief : This talk will present ways of detecting and defending against such assaults on your system by mouse jiggler wielding individuals. It will also show you how to build your own simple mouse jiggler. Nothing beyond basic Linux usage is required to understand this talk. Attendees will leave with several ways to defend against mouse jigglers and the knowledge of how to create their own mouse jigglers.


5. One Device To Pwn Them All

Conference: DEFCON23

Brief : This talk will present a device that can be used as a dropbox, remote hacking drone, hacking command console, USB writeblocker, USB Mass Storage device impersonator, or scripted USB HID device. The device is based on the BeagleBone Black, can be battery operated for several days, and is easily constructed for under $100.


6. We Are Legion: Pentesting With An Army Of Low-power Low-cost Devices

Conference: DEFCON21

Brief : This talk will show attendees how they can do penetration testing with a network of small, battery-powered, penetration testing systems. The small devices discussed will be running a version of The Deck, a full-featured penetration testing and forensics Linux distro. The Deck runs on the BeagleBoard and BeagleBone family of devices (including the next-gen BeagleBone released in April aka the Raspberry Pi killer). These devices are easily hidden and can run for days to weeks off of battery power thanks to their low power consumption. Various configurations will be presented including a device the size of a deck of cards that is easily attached to the back of a computer which is powered by USB and can be connected inline with the computer's Ethernet connection. 


7. Bypassing Endpoint Security For $20 Or Less

Conference: DEFCON20

Brief : In this talk cheap easily constructed devices which can be used to bypass endpoint security software by making any USB mass storage (flash or hard) drive appear as authorized devices will be presented.

The design and implementation will be discussed in detail. Devices can be constructed for approximately $18 and $30 for a small package which requires soldering of 4 wires, and a slightly larger package which requires no soldering, respectively. Some familiarity with microcontrollers and C programming would be helpful, but not required for attendees to get the most from this talk.


8. Mesh Stalkings: Penetration Testing With Small Networked Devices

Conference: BlackHat Europe 2013

Brief : This talk will show attendees how they can do penetration testing with a network of small, battery-powered, penetration testing systems. The small devices discussed will be running a version of The Deck, a full-featured penetration testing and forensics Linux distro. The Deck runs on the BeagleBoard-xM, BeagleBone, and similar ARM-based systems. These devices are easily hidden and can run for days to weeks off of battery power thanks to their low power consumption. While each device running The Deck is a full-featured penetration-testing platform, connecting systems together via a mesh network allows even more power and flexibility.


9. Low-power Hacking Bootcamp Training Course

Conference: BlackHat USA 2015

Reference:

The talk links, documents, talk descriptions and videos above have been taken from various sources such as DEFCON and Black Hat.


Basics Of Cyber Kill Chain Model

Cyber Kill Chain Model 

In military strategy, a 'Kill Chain' is a phase model that describes the stages of an attack; it also helps inform ways to prevent attacks.

  • Situational Awareness - Ability to identify what is happening in the networks and system landscape
  • Reconnaissance - Identification and selection of the target host(s) or network by active scanning
  • Weaponization & delivery - Transmission / injection of the malicious payload into the target(s)
  • Lateral Movement - Detect, exploit and compromise other vulnerable hosts
  • Data Exfiltration - Steal and exfiltrate data
  • Persistency - Establish a foothold in the corporate network

Situational Awareness

  • Outbound protocols
  • Outbound protocols by size
  • Top destination Countries
  • Top destination Countries by size

Reconnaissance

  • Port scan activity
  • ICMP query

Weaponization & delivery

  • Injection
  • Cross Site Scripting
  • Cross Site Request Forgery
  • Failure to Restrict URL
  • Downloaded binaries
  • Top email subjects
  • Domains mismatching
  • Malicious or anomalous Office/Java/Adobe files
  • Suspicious Web pages (iframe + [pdf|html|js])

Lateral Movement

  • Remove or add account
  • Remote WMI communications
  • Remote Group Policy Editor
  • Remote Session Communications (during outside working hours?)
  • Antivirus terminated

Data Exfiltration

  • Upload on cloud storage domains
  • Suspicious HTTP Methods (Delete, Put)
  • Uploaded images
  • FTP over non standard port
  • IRC communication
  • SSH | ICMP Tunneling

Persistency

  • Unusual User Agents
  • Outbound SSL VPN
  • Outbound unknown
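As an added example (not part of the original post), a small Python classifier that maps events to the kill chain stages using the indicators listed above; the sample events, watch-lists, thresholds and event field names are all constructed assumptions for this illustration.

```python
from collections import defaultdict

# Assumed watch-lists and thresholds (not from the original post); tune per environment.
CLOUD_STORAGE = {"drive.example-cloud.test", "files.example-share.test"}
KNOWN_AGENTS = ("Mozilla/", "Microsoft-CryptoAPI/")
PORT_SCAN_THRESHOLD = 5
WORK_HOURS = range(8, 19)

# Constructed sample events (not real telemetry), already normalised to flat dicts.
SAMPLE_EVENTS = [
    *({"type": "conn", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": p} for p in (21, 22, 23, 80, 443)),
    {"type": "conn", "src": "10.0.0.7", "dst": "203.0.113.10", "dport": 8021, "app": "ftp"},
    {"type": "http", "src": "10.0.0.7", "host": "drive.example-cloud.test", "method": "PUT",
     "bytes_out": 5_000_000, "user_agent": "Mozilla/5.0"},
    {"type": "http", "src": "10.0.0.8", "host": "www.example.test", "method": "GET",
     "user_agent": "zz-agent/0.1"},
    {"type": "wmi", "src": "10.0.0.6", "dst": "10.0.0.12"},
    {"type": "rdp", "src": "10.0.0.6", "dst": "10.0.0.13", "hour": 2},
    {"type": "av_stopped", "src": "10.0.0.6"},
]

def classify(events):
    """Return a list of (stage, indicator, src) findings for the given events."""
    findings = []
    ports_seen = defaultdict(set)          # (src, dst) -> distinct destination ports
    for e in events:
        t, src = e["type"], e["src"]
        if t == "conn":
            ports_seen[(src, e["dst"])].add(e["dport"])
            if e.get("app") == "ftp" and e["dport"] != 21:
                findings.append(("Data Exfiltration", "FTP over non-standard port", src))
            if e["dport"] in (6667, 6697):
                findings.append(("Data Exfiltration", "IRC communication", src))
        elif t == "http":
            if e.get("method") in ("PUT", "DELETE"):
                findings.append(("Data Exfiltration", "Suspicious HTTP method", src))
            if e.get("host") in CLOUD_STORAGE and e.get("bytes_out", 0) > 0:
                findings.append(("Data Exfiltration", "Upload on cloud storage domain", src))
            if not e.get("user_agent", "").startswith(KNOWN_AGENTS):
                findings.append(("Persistency", "Unusual user agent", src))
        elif t == "wmi":
            findings.append(("Lateral Movement", "Remote WMI communication", src))
        elif t == "rdp" and e.get("hour") not in WORK_HOURS:
            findings.append(("Lateral Movement", "Remote session outside working hours", src))
        elif t == "av_stopped":
            findings.append(("Lateral Movement", "Antivirus terminated", src))
    # Port scans are only visible across events: many distinct ports from one source to one host.
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            findings.append(("Reconnaissance", f"Port scan: {len(ports)} ports to {dst}", src))
    return findings

if __name__ == "__main__":
    for stage, indicator, src in classify(SAMPLE_EVENTS):
        print(f"{stage:25} {src:12} {indicator}")
```

Grouping the findings by source host shows which stage of the chain each host has reached, which is what an analyst triages first.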


NIST Aligned Process For Threat Management

This article highlights the Threat Management Process in Incident Response and brings in the understanding of the Kill chain model. Excerpts have been taken from a session presented at SACON - The Security Architecture Conference. You can view the full slide here.


3 Stages Of Incident LifeCycle

  • Detection & Analysis
  • Response & Recovery
  • Post incident


Threat Management - NIST Aligned Process

Detection & Analysis
  • Analyse logs and information security events; identify potential information security incidents; categorize the incident
  • Validate incident scale and consequence; assign consequence, severity and priority ratings; review & confirm ratings; endorse ratings
  • Based on priority, assemble the ISIRT, notify appropriate parties and escalate incidents (e.g. critical & high priority crisis and emergency incidents escalated to the Country Emergency Manager)

Response & Recovery
  • Direct the ISIRT, develop the incident response plan, activate the rapid response team if needed and communicate the incident to internal & external stakeholders; perform incident containment, investigation and root cause analysis, forensics and evidence management
  • Eradicate technical vulnerabilities and incident root causes
  • Recover affected information systems and business operations

Post Incident
  • Document lessons learnt; close the incident; create the incident review report; develop and implement IS-IM improvement recommendations
