
So, my name is [unintelligible], I'm from the Netherlands, and I've been working in overall IT for about twelve years. The last five years has been full-time pentesting: application testing, but we've also seen some stuff, red teaming, [unintelligible]. Pentesting is basically all those kinds of things: you focus on a specific component, your appliances, network, systems, whatever it is you want to test; you have a look at it, can you do anything with it, yes or no, and then you can
[unintelligible] fix it. Fantastic. Now red teaming is basically the next step up: instead of taking one small component of the client, let's take the entire environment. So we start looking at your organization: what can we do, how can we get in, [unintelligible], how can we actually try and compromise your organization? So we get to have a look inside the organization and find stuff, things they don't even know they have: [unintelligible], a whole bunch of [unintelligible] that was already decommissioned, things that [unintelligible]. To make a comparison: with pentesting you're testing stuff you know; it's basically finding the known unknowns. You know
something about an application, and [unintelligible] turns out to be finding stuff, but the unknown unknowns, the stuff you didn't even know you had. I'm really messing up the language. So I want to talk about a couple of things. First off, very shortly, the end user: what can you do about that? I want to talk to you about the four-eyes principle, and [unintelligible]. So the stuff that [unintelligible]: the end user. We all know the end user, right? If you didn't have any end users, you wouldn't be [unintelligible], but it may also be [unintelligible], which is good. We cannot expect them to be the end-all security guards; we're not the end-all [unintelligible] guys, and
administrative people, everybody. So if we do train them, trying to make them as good as possible at security, looking at this email, [unintelligible], in the end something's gonna go wrong, [unintelligible]. And so, from a technical perspective, at some point it is really hard to make a distinction between the legitimate user doing his work, the malicious user who's trying to [unintelligible], or an attacker who's actually been able to get a phishing mail through, [unintelligible], and who can then go and [unintelligible], pretending to be the legitimate user. Now if you look at attacking an organization,
[unintelligible] the first thing, you know, the initial access. [unintelligible] Basically there are two ways. The first one is always the technical exploitation: finding a weakness, finding a [unintelligible], finding a weak box; all right, those are technical attacks, [unintelligible], picking up on Responder trying to get some hashes and stuff like that. But the other way is actually trying to find information in the context of the compromised user: information that the user has access to, which you can use to escalate privileges. They find [unintelligible], they find stuff on the intranet; this is the most
basic [unintelligible], because that's really useful information for an attacker, and it's really hard to detect that, because from a monitoring perspective it's hard to make a distinction: is this the legitimate user browsing the intranet, reading articles on [unintelligible], or is this actually an attacker trying to find some sensitive information which you don't want him to have? So we can roll out all kinds of stuff to our users, train them, make them better, [unintelligible] the chance of someone clicking and becoming infected, but you cannot beat it: there's always a little chance, and the more users the organization has, basically in the end there's a 100% chance that it will happen at some point. With a
phishing attack, you will try it, it will be successful. But one of the [unintelligible] that are typically [unintelligible], so let's start using network monitoring: they're gonna try and find those attacks and figure out: is this traffic that I'm seeing on the network, coming from the user segment, something legitimate, or is it someone trying to escalate access, trying to get access to some sensitive systems? But in order to do that, you have to know something about the normal network traffic. If you have a very open network, if you don't have any segmentation, no firewall, no separation between your user segment and your server segment,
[unintelligible], it's really hard for monitoring teams to actually start detecting which traffic is malicious. If your users are on the same segment as your administrators, who are going to [unintelligible] the server, [unintelligible], it's really hard to figure out if the traffic [unintelligible]. I've talked with multiple monitoring people telling me that rules for [unintelligible] just generate too many false positives, [unintelligible]: there's no baseline, there's no [unintelligible], because the administrators use the same access [unintelligible] as normal users: users are going to websites on the internet, administrators may be going to [unintelligible], so
[unintelligible], but that's where the connection starts escalating, [unintelligible]. What we would like to do is actually segment it. So you have the user segment: that's basically a low security level; they can access the applications, internet, file shares, basically any applications all your users use, only on the normal ports. But then you have to have a separate channel, for example a jump box, [unintelligible], so you know they're coming from [unintelligible]; all those things you want to segment off, so you know when [unintelligible]. So a monitoring team can [unintelligible], and an attacker who doesn't know about your jump box
doesn't [unintelligible] the jump box; he's just gonna [unintelligible] the network, [unintelligible], and try to find [unintelligible].
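The segmentation argument above (a low-trust user segment, a server segment, and a jump box as the only sanctioned path for admin sessions) is easier to see with a small flow classifier. This is an added example, not part of the talk: the address ranges, the jump-box address, the port list and the flow records are all constructed for illustration, and the FLAT policy is my model of the "no baseline" situation the speaker describes, where administrators open RDP from the same segment as everyone else.

```python
import ipaddress
from dataclasses import dataclass

# Management protocols an ordinary workstation has no business speaking to a server.
ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM (http / https)


@dataclass(frozen=True)
class Policy:
    """Which range holds the servers, and which hosts may open admin sessions to them."""
    server_net: ipaddress.IPv4Network
    jump_hosts: frozenset


# Segmented design from the talk (constructed addresses): servers live in their own
# range and the jump box is the only host expected to reach them on admin ports.
SEGMENTED = Policy(
    server_net=ipaddress.ip_network("10.20.0.0/16"),
    jump_hosts=frozenset({ipaddress.ip_address("10.30.0.5")}),
)

# Flat design: users, admins and servers share one range and admins RDP straight
# from their desks, so there is no "sanctioned source" the rule could key on.
FLAT = Policy(
    server_net=ipaddress.ip_network("10.0.0.0/8"),
    jump_hosts=frozenset(),
)


def classify(flow, policy):
    """Return 'allow' or 'alert' for one (src_ip, dst_ip, dst_port) flow record."""
    src_ip = ipaddress.ip_address(flow[0])
    dst_ip = ipaddress.ip_address(flow[1])
    port = flow[2]
    if dst_ip not in policy.server_net or port not in ADMIN_PORTS:
        return "allow"          # not an admin session to a server: out of scope here
    if src_ip in policy.jump_hosts:
        return "allow"          # admin session from the jump box: the expected path
    return "alert"              # admin session from anywhere else


def evaluate(flows, policy):
    """Return (alert_count, alerting_flows) so the false-positive load is visible."""
    alerting = [f for f in flows if classify(f, policy) == "alert"]
    return len(alerting), alerting


# Constructed sample flows on the segmented network.
SEGMENTED_FLOWS = [
    ("10.10.4.21", "10.20.1.10", 443),    # user -> intranet web app: normal
    ("10.10.4.21", "10.20.1.10", 3389),   # user workstation -> server RDP: suspicious
    ("10.30.0.5",  "10.20.1.10", 3389),   # jump box -> server RDP: expected admin path
    ("10.10.4.21", "10.20.2.7",  445),    # user -> file share on a normal port: normal
]

# The same activity on the flat network, where admins RDP from their own workstations.
FLAT_FLOWS = [
    ("10.0.4.21", "10.0.1.10", 443),      # user -> web app
    ("10.0.4.21", "10.0.1.10", 3389),     # compromised user workstation -> RDP
    ("10.0.7.3",  "10.0.1.10", 3389),     # administrator's workstation -> RDP
]

if __name__ == "__main__":
    for name, flows, policy in (("segmented", SEGMENTED_FLOWS, SEGMENTED),
                                ("flat", FLAT_FLOWS, FLAT)):
        count, alerting = evaluate(flows, policy)
        print(f"{name}: {count} alert(s)")
        for f in alerting:
            print("  ", f)
```

On the segmented network the single rule fires exactly once, on the user workstation opening RDP to a server, and stays quiet for the jump box. On the flat network the same rule fires on the administrator as well, because nothing distinguishes the admin's desk from a compromised user desk; that is the "too many false positives, no baseline" complaint the speaker relays from monitoring teams, and the reason the segment and the jump box have to exist before the detection rule can.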
So [unintelligible], it's really, really hard. But you know you have some crown jewel applications, and you decide: before I'm gonna actually make a transfer, before I wire out those ten million, I'm gonna use the four-eyes principle, right? A second guy logs in and authorizes the transaction. Well, let's think about what the four-eyes principle basically is. It's basically to prevent one malicious user from performing a certain [unintelligible]. You do know where that comes from: the missile silos, for example, with a physical measure to prevent one user
[unintelligible]. So there's several guys, they have different keys, which they keep on their person, and actually the system is set up in a way that you cannot actually turn both keys [unintelligible], [unintelligible] to launch the missile. So you see there are a couple of things in place: you need to have both key switches, [unintelligible] two people, [unintelligible], but also [unintelligible] each of those two people can do that. Now obviously the problem with four-eyes systems is that [unintelligible] the system very well, but they're still just logging in with the normal username and password, and
[unintelligible] to make sure that [unintelligible]. Now if you're an attacker, when you compromise the environment, it's not that hard anymore to get those. Let's say 99% of the clients run a Windows domain; as soon as you compromise basically any user you want, you will be able to get [unintelligible], even if you have all the security updates, even if you make sure [unintelligible] cannot be run. If I have full control over your domain, I can change the settings on the systems, right, [unintelligible], because I can use non-Windows tools, [unintelligible], so all the users actually send their passwords to get into the
system. So yes, it's great for making sure that one user cannot wire out 10 million, but by itself it's not going to protect you from the attacker who is in the network [unintelligible] 10 million. [unintelligible] unless you have the physical piece to make [unintelligible]. I really think it's really good; it really helps you as an authorization system to make sure the user is [unintelligible]. But if you are in the network, if you're able to get those credentials, you can escalate [unintelligible]. You want something extra to make sure that it's actually the user who is
logging in. But how do you deploy two-factor authentication? There are a couple of ways to do it, and they're all the same. So one of the things we've seen at an organization: [unintelligible] they were working with [unintelligible]. That sounds great, right? [unintelligible]
[unintelligible]. However, as an organization you [unintelligible] the security of [unintelligible], because if they [unintelligible] on networks we've done that, [unintelligible]. If you send a one-time password to [unintelligible] which is protected by the same username and password as your application, there's no second factor; you just [unintelligible] get the password. Another example actually implemented it with SMS, so [unintelligible] passwords, [unintelligible]; the only second factor [unintelligible], you should just [unintelligible], but you know
[unintelligible], the users get a one-time password on their phone without doing anything. You think it's good, because we've never had anyone [unintelligible], right? No one [unintelligible]. So we had some time, so we looked around the system, we looked around the network, and we actually found the server which was sending out these SMS messages. So you have this one system, which is a really critical system, you think it's important enough to add extra security, two-factor authentication, [unintelligible] sending out text messages, and [unintelligible] the server sending those text messages is sitting in
the normal domain; basically any administrator can get to it, and you even keep the phone numbers [unintelligible].
[unintelligible]. The next application we encountered: [unintelligible] you can only request it from the outside. It's definitely something you can do with these [unintelligible]: you want to make sure that there's some extra authentication for people logging in remotely. However, [unintelligible] they're using, they're not set up; they're just available for two-factor authentication, and you're actually prompted to enroll yourself if you log in remotely. So the first time you [unintelligible] the login screen, [unintelligible] remotely: "Could you please provide your phone number, so we can send the text message?" [unintelligible]. So we provide the phone number, we get in. [unintelligible] doesn't
mean the user is [unintelligible], but having your users enroll themselves over the channel you're trying to secure is maybe not the best idea, because you hope it's the first time [unintelligible], but you don't know that for a fact.
Yes, so my main message here basically is: you don't want to be storing the secrets to your next security level on your current security level. [unintelligible], that's the way you get [unintelligible]; that's fine, it's how it works, you can do some stuff to prevent that. But if you are storing your passwords for the most secure system, [unintelligible] the secrets of your two-factor authentication, in the network on the normal level people are coming from, it's far too easy for an attacker to [unintelligible] start looking around the system and finding those pieces, figuring out where it's
[unintelligible], where this user was able to approve this transaction, [unintelligible], and it's awaiting [unintelligible]. That's one of the things we always struggle with: you'll be [unintelligible] planning, what's the number of days? Yeah, but a lot of times it's just [unintelligible] waiting for that one user to click on the file, [unintelligible]. If you don't make sure that the user is [unintelligible], if you don't make sure that those sensitive [unintelligible] you want to protect [unintelligible], and that the extra [unintelligible] on the right points, it's far too easy for an
attacker to gain access, [unintelligible], steal your data, basically blow you out of the water. Yeah.
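The "secrets of the next security level stored on the current level" point above, with the SMS server reachable by any domain administrator as the concrete case, as an added example that is not from the talk. It implements RFC 4226 HOTP (the standard counter-based one-time password) behind two hypothetical deployments: DomainHostedOtp, whose seed table is readable through an export_seeds() method that stands in for "any administrator can get to it", and IsolatedOtp, which only ever answers verify() and locks an account after a handful of failures. The attacker model is my assumption: someone who already holds the ordinary domain level and can call whatever that level exposes, but does not hold the user's phone. The seed is the RFC 4226 Appendix D test secret; the user names are constructed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class DomainHostedOtp:
    """OTP service living on the ordinary domain level (the talk's SMS server).

    The hypothetical export_seeds() models 'any administrator can get to it':
    whoever owns this level can read seeds and counters directly.
    """

    def __init__(self, seeds):
        self._seeds = dict(seeds)
        self._counter = {user: 0 for user in seeds}

    def export_seeds(self):
        return {u: (self._seeds[u], self._counter[u]) for u in self._seeds}

    def verify(self, user, code):
        ok = hmac.compare_digest(hotp(self._seeds[user], self._counter[user]), code)
        if ok:
            self._counter[user] += 1      # never accept the same code twice
        return ok


class IsolatedOtp:
    """OTP verifier kept on the higher security level: exposes verify() only."""

    MAX_FAILURES = 5

    def __init__(self, seeds):
        self._seeds = dict(seeds)
        self._counter = {user: 0 for user in seeds}
        self._failures = {user: 0 for user in seeds}

    def verify(self, user, code):
        if self._failures[user] >= self.MAX_FAILURES:
            return False                  # locked: guessing through verify() is bounded
        ok = hmac.compare_digest(hotp(self._seeds[user], self._counter[user]), code)
        if ok:
            self._counter[user] += 1
            self._failures[user] = 0
        else:
            self._failures[user] += 1
        return ok


def attacker_with_domain_access(service, user, guesses=20):
    """Assumed attacker model: owns the ordinary domain level, has no phone.

    Returns True if a valid code for `user` can be produced anyway.
    """
    if hasattr(service, "export_seeds"):
        seed, counter = service.export_seeds()[user]   # seed stored one level too low
        return service.verify(user, hotp(seed, counter))
    # Nothing to read: all that is left is guessing through verify(), which locks out.
    return any(service.verify(user, str(g).zfill(6)) for g in range(guesses))


# RFC 4226 Appendix D test secret; counters 0 and 1 yield 755224 and 287082.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    for cls in (DomainHostedOtp, IsolatedOtp):
        forged = attacker_with_domain_access(cls({"alice": SEED}), "alice")
        print(f"{cls.__name__}: attacker forged a valid OTP = {forged}")
```

The HOTP arithmetic is identical in both classes; the only difference is what the lower level can reach. With the seed table on the domain level the attacker simply reads it and computes the next code, which is the speaker's "far too easy" case; with the verifier isolated the attacker is reduced to guessing against a lockout. The lockout is a deliberate trade-off (a locked account also rejects the legitimate user's correct code until it is reset), which is the kind of detail the "right points" remark at the end of the talk is about.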
Yeah, so make sure you [unintelligible]: it's fine to trust users, that's okay; educate your users, but know they're gonna fail at some point, like everything. Your users are gonna miss something, your network protection is gonna miss something, your monitoring team is gonna miss something; all those things happen, [unintelligible]. Make sure you put enough controls in place [unintelligible] they don't all fail at the same time. If your users miss something, you would like the network protection to catch it, but [unintelligible] the attacker, they're not going to [unintelligible]. But make sure
[unintelligible]. Make sure that if you go to increase the security level, either through a jump box or some two-factor authentication, [unintelligible] to make sure it's actually the user who claims [unintelligible]. Don't make it too easy.