
That's right. So it will be the second [unclear]. We're in the heart of the summer, and I can't think of a better place than Athens. [unclear] to your sponsors, [unclear] on cyber security. We're going to discuss the vulnerability landscape of Greece. This is a collective report that we conducted internally, and we had three main reasons to do it. The primary reason was the fact that we couldn't find critical data about our country, so we would have to make educated guesses about what's going on, or we would have to do statistical analysis, or extrapolate data from global reports like the [unclear] and try to say: if this is happening on a global scale with seven billion people, this is what must be happening in Greece. The second reason: the first version of this report was published back in October, to contribute to the Cyber Security Awareness Month. And the third reason, and perhaps the most important one, and that's the key message for today, is to encourage information sharing: to contribute to this so that we have a wider picture and understand what's really the case.

Some demographics. We did approximately 215 pentests during the last three and a half years, for almost all the major verticals in Greece, and then we deducted findings from retests or purpose-built engagements, so that we have unique vulnerabilities identified. We also deducted the results from the subsidiaries of Greek companies abroad, so we're talking strictly Greece, not the Greek subsidiaries in other countries. We can see at first glance that the majority of the engagements were about web application testing, followed by infrastructure engagements, mobile tests and a small sum of social engineering; I'm going to discuss this in a while. Not a big fan of the numbers, but during these three and a half years we have identified 1200 unique vulnerabilities. What's really important is that 30, almost 40 percent of the findings in infrastructure engagements were ranked as either high or critical. The same stands for web apps: 35 percent are ranked as high or critical. And similar is the mobile space: about 30 percent of the findings are ranked as high or critical. These are the first indicators of the Greek market.

However, the Greek market has given us some very interesting indicators, which we will try to put into context to better understand what's really the case. Typically, in every engagement the average number of findings was 36 unique vulnerabilities, but what's an even bigger worry is that 24 percent of them, that means eight vulnerabilities, were ranked as high. What these numbers mean is that we have eight different ways to accomplish the mission: eight different methods to try to breach into the corporate network or the application. Surprisingly, vulnerabilities ranked as medium or low took 34 months before they were remediated. So usually, you know, when a high or critical finding is identified, we call the other end of the line and they say, okay, we're gonna remediate. But that's almost three years. So we leave our systems unpatched for three years, and I think we can all understand that a medium-ranked vulnerability today, after 34 months [unclear].

The root cause is configuration, and we're gonna see a bit more in a minute. The oldest vulnerability found was back from 1999, and this didn't happen once, not twice, but three times. So, you know, the first report I received on my desk, I said, okay, it may happen: it's SNMP default community strings. The second one, I said, okay, it's a coincidence. The third time I couldn't help myself [unclear]: you know, there's a vulnerability 20 years old. Why? [unclear] This is the default SNMP community strings, because we use the system to protect from the Millennium bug.

One of the most astonishing indicators is that it took us on average three business days to break in. That's about three times eight hours, that's a full day. So a skilled attacker, within one day, 24 hours, usually breaks into a Greek application or network. And we pride ourselves on being, you know, agile and, I don't know, trained or aware, but 20 percent of the targets in social engineering exercises fail. So maybe these three days can become faster with large social engineering. [unclear] Is there any question? It's mostly large-scale organizations, but not in terms of size or, you know, number of users; it's large-scale organizations considering the impact of the customer in the country, right? We don't have these hundred-thousand-employee organizations.

So if someone asks what's really the case with vulnerabilities in Greece, I think we can reply using five words: Houston, we have a problem. But because words are stronger in our mother tongue, in Greek it's [unclear]. That's an amazing picture, right? I want to be transported there. [unclear] but still, something bad has happened there. Let's dive a bit deeper to understand what's really happening.

Infrastructure engagements, [unclear] findings: crypto doesn't mean blockchain, it means SSL; [unclear] we're still using [unclear], and it's about 40 percent of the findings. How many of you guys are doing firewalls in your daily routine? Congratulations, you're the winners: it's simply one percent of exposed services, so we're doing really well in not exposing services that shouldn't be exposed. However, 21 percent for misconfiguration, 15 percent for unsupported platforms and 23 percent because of patching means almost 60 percent comes from improper system maintenance.

Web apps: this is of course a different categorization. Client side: there is a tendency, "no user left behind", so we see that web applications in Greece tend to support Internet Explorer 6. Why? Because there are customers, well, potential customers, still using Internet Explorer 6. Information leakage 20 percent, and insecure configuration again, 26 percent. In the mobile apps the majority is insecure configuration again, and then client-side [unclear].

So out of these 1200 unique vulnerabilities we had to choose the top three: the top from infrastructure engagements, from web apps and from mobile apps. So we have three winners. The most common, you know, was SSL medium-strength ciphers; that's a medium by definition. In the web application space it's injection; again it's a medium, you think. And in the mobile apps it's lack of certificate pinning; it goes to medium or high depending on what can be done. So we have three medium-ranked vulnerabilities here, and let's see how we can combine them in order to do something really, really bad.

So we had two occasions. We send an email; we have a 20 percent chance of someone giving their credentials, so we have more than one automatically. Second step, we took access to the ERP of the system using these SSL medium-strength ciphers [unclear]. There we do some lateral movement and we see [unclear] we can find what we need to steal from the customer, and second, the inventory that is already there. And then, by using the lack of certificate pinning, [unclear]. So by using three mediums we were able to accomplish a [unclear] legitimate transaction without anybody understanding. Not a lot surprising by definition, but what was surprising is the fact that someone else was already there. So someone else had already broken in [unclear]; something pretty worrying: we don't have methods or ways to understand that something that was not supposed to happen is happening.

So before wrapping up, what I think would contribute to better security hygiene for Greek organizations. First of all, patching: I think that if we are able to have well-defined system baselines, we would avoid this 60 percent of improper system maintenance. Secure protocols, guys, it's time to move on: no more SSL, no more old TLS versions; it's high time we moved on to something more secure. DLP and encryption: by definition we will be breached, so it's a matter of time for your breach, so something that controls the crown jewels, like DLP, could perhaps minimize the damage. Awareness, of course: this 20 percent of social engineering is really high, so we need to do something about it. EDR: it's surprising that we are breaching a corporate network and nobody pays attention; there's no alert on the other side. So we must have something to, you know, give us an indication that something is going bad. And certificates: we're still using expired or self-signed certificates in our web services. And last but not least, that's a big word, it says SDLC: I think that we need to code a bit better, and I know there are some trends and some initiatives from Greek universities towards secure coding, but I'm sure the community will have something more to contribute here. And last but not least, of course, more penetration testing, more adversary simulation.

That's about it. A special kudos to [unclear] for compiling [unclear], and thank you very much for watching.
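The indicators the talk keeps coming back to (share of high/critical findings per engagement type, average findings per engagement, how long medium and low findings stay open, and which findings have blown past a remediation deadline) are the kind of thing a vulnerability-management team should compute from its own tracker rather than estimate. The script below is an added example, not the speaker's report or data: the findings, engagement ids, dates and the per-severity SLA thresholds are all constructed for illustration.

```python
"""Pentest-program indicators over a constructed finding set (added example).

Computes the four figures the talk quotes: share of high/critical findings
per engagement kind, average findings per engagement, mean days to
remediate by severity, and findings that breached a per-severity SLA.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    engagement: str            # engagement id (constructed)
    kind: str                  # "infra", "web" or "mobile"
    title: str
    severity: str              # "critical", "high", "medium" or "low"
    found: date                # date the pentest reported it
    remediated: Optional[date] # None means still open


# Hypothetical remediation SLA in days per severity (assumption, not from the talk).
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed records; titles mirror finding classes mentioned in the talk.
FINDINGS: List[Finding] = [
    Finding("E1", "infra", "SNMP default community string", "high", date(2019, 1, 10), date(2019, 1, 20)),
    Finding("E1", "infra", "SSL medium strength cipher suites", "medium", date(2019, 1, 10), date(2021, 11, 10)),
    Finding("E1", "infra", "Expired TLS certificate", "low", date(2019, 1, 10), None),
    Finding("E2", "web", "SQL injection", "critical", date(2019, 6, 1), date(2019, 6, 5)),
    Finding("E2", "web", "Information leakage (verbose errors)", "low", date(2019, 6, 1), date(2019, 9, 1)),
    Finding("E3", "mobile", "Lack of certificate pinning", "medium", date(2020, 3, 1), None),
    Finding("E3", "mobile", "Debug mode enabled in release build", "high", date(2020, 3, 1), date(2020, 6, 1)),
]

TODAY = date(2022, 1, 1)  # constructed reporting date used for open findings


def high_critical_share(findings: List[Finding], kind: str) -> float:
    """Percentage of findings of one engagement kind rated high or critical."""
    subset = [f for f in findings if f.kind == kind]
    if not subset:
        return 0.0
    hits = sum(1 for f in subset if f.severity in ("high", "critical"))
    return round(100.0 * hits / len(subset), 1)


def avg_findings_per_engagement(findings: List[Finding]) -> float:
    """Mean number of findings per engagement id."""
    per_engagement: Dict[str, int] = defaultdict(int)
    for f in findings:
        per_engagement[f.engagement] += 1
    return round(mean(per_engagement.values()), 2)


def mean_days_to_remediate(findings: List[Finding]) -> Dict[str, float]:
    """Mean days from report to fix, per severity; open findings are excluded."""
    days: Dict[str, List[int]] = defaultdict(list)
    for f in findings:
        if f.remediated is not None:
            days[f.severity].append((f.remediated - f.found).days)
    return {sev: round(mean(v), 1) for sev, v in days.items()}


def sla_breaches(findings: List[Finding], today: date) -> List[Tuple[str, str, int, int, bool]]:
    """Findings fixed late or still open past their SLA.

    Returns (engagement, title, age_in_days, sla_days, still_open),
    oldest first, so the list doubles as a remediation priority queue.
    """
    out = []
    for f in findings:
        end = f.remediated or today           # open findings age until today
        age = (end - f.found).days
        limit = SLA_DAYS[f.severity]
        if age > limit:
            out.append((f.engagement, f.title, age, limit, f.remediated is None))
    return sorted(out, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for kind in ("infra", "web", "mobile"):
        print(f"{kind:7s} high/critical share: {high_critical_share(FINDINGS, kind)}%")
    print("avg findings per engagement:", avg_findings_per_engagement(FINDINGS))
    print("mean days to remediate:", mean_days_to_remediate(FINDINGS))
    for eng, title, age, limit, is_open in sla_breaches(FINDINGS, TODAY):
        state = "OPEN" if is_open else "fixed late"
        print(f"SLA breach [{state}] {eng}: {title} ({age} days, SLA {limit})")
```

With the constructed data the medium-rated cipher finding sits open for 1035 days, roughly the 34 months the talk describes, and the breach list surfaces it next to the still-open certificate findings; on a real tracker the same functions run unchanged over exported findings.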