Cyber Hygiene for Physical Security

Size: px

Start display at page:

Download "Cyber Hygiene for Physical Security"

Christiana Anthony
8 years ago
Views:

1 Cyber Hygiene for Physical Security David Brent: Darnell Washington: 1 Objectives Fundamentals of Penetration Testing : Video Perspective Reality and Targets Best Practices From the Inside: Device Policies and Social Engineering Penetration Test Tools Passwords: Past, Present, and the Future? 2 2 Answering Questions with Questions How Secure is Your Video translates to: How secure is your network? How are you recording your video and in what format? How secure is your vendor s Video System? 3 3 1

Policies and Social Engineering Penetration Test Tools Passwords: Past, Present, and the Future?

2 Question #4 The supplemental question is: Is the attack from the outside? or the inside? Have you examined your internal weaknesses as well? 4 4 View From the Outside External attacks typically happen using three basic steps: Network Enumeration= Recon Work I have to find you Tools: Sam Spade, DNS Zone Transfers, Trace Route, Ping, Firewalk Vulnerability Analysis= Looking for a way in Identify the OS of your servers: Nmap List possible weaknesses Exploitation= Find the vulnerability and gain machine level access Metasploit, Nmap, Netcat, Root Kits 5 5 Finding Your Video How are you recording your video and in what format? Analog or IP Fixed or PTZ H.263/ 264 RTSP (State), TCP (Stateless), SSL, iscsi, Edge or Centralized OS and Final Video Format? DVR NVR iscsi/ SAN / NAS VRM 6 6 2

Firewalk Vulnerability Analysis= Looking for a way in Identify the OS of your servers: Nmap List possible weaknesses Exploitation= Find the vulnerability and gain machine level access Metasploit,

3 Now what Do I Do? How Much Data to sort? 50 cameras, 1500 Kbits/s, 15 Days Retention, 8 quiet hours a day 9.3 TB of recorded data IF you have the viewer for the video the device needs to be routed for remote viewing You are not routing 1000 cameras via 1 clip on a coax cable by wireless from a DVR in a basement 7 7 Reality If you were writing malicious code who would you target? 8 8 Best Practices Wide Area CCTV Network Corporate Network Segregation: You don t want Video Traffic on your Production Network Passwords: Minimum 8 Characters / All devices SSL encryption on video transmission minimum IDS and DMZs: Monitor your network for Nefarious Activity Restrict Access to your video system: Reasons? 9 9 3

wireless from a DVR in a basement 7 7 Reality If you were writing malicious code who would you target?

4 Why Separate? Cyber Bank Heist: 100 Banks World Wide, $1 Billion Dollars Malware= Carbanak allowed hackers to watch, record and take control of internal bank computers Spear Phising s: Weaponized MS Word Word docs and Control Panel Applet / *.CPL Files Exploited Microsoft Office (CVE and CVE ) and Microsoft Word (CVE ) to execute shellcode Shellcode then decrypts and executes the Carbanak backdoor Waited up to 6 Months before executing attacks The Enemy Within Exercise? The Cloud Ask Jennifer Lawrence and Kate Upton Top Risks are: Communications to and from Who is managing your data Availability Ownership and stale accounts Virtualization Encryption and Keys?

Weaponized MS Word 97 2003 Word docs and Control Panel Applet / *.

5 Defense Against the Dark Arts Is your BIOS Locked? Are Your Drives Encrypted? Duck.. Duck Goose What are your USB and remote device policies? Duck.. Duck Goose

6 Defense Against the Dark Arts Penetration Testing Options: Canvas, Silica, Swarm: Immunity Inc. PWNIE Express Core Impact: 30K ouch Kali Linux 14 Main Categories of tools 85 Sub Categories FREE EDUCATION Everyone in your organization should have basic knowledge and training in: Password Basics Social Engineering Best Practices with Data Encryption Physical Security EVERYONE HAS to BUY IN

16 16 Kali Linux 14 Main Categories of tools 85 Sub Categories FREE 17 17 EDUCATION Everyone in your

7 The Future of Passwords? BEST PRACTICES TODAY Use Alpha Numeric combinations with special characters Passwords should be at least 8 characters in length DO NOT use the same log in credentials on multiple accounts Change it up every few months The Future of Passwords? One Day, like all technology: Passwords WILL be a thing of the past Where is Technology headed? Migration of Existing Technology and Standards Personal Entities /People HSPD 12/Personal Identity Verification Credential Network Authentication Digital Signature Data Encryption Removal of username/password combinations Multi factor Authentication (including biometrics) Strong cryptography and encryption between users and devices

accounts Change it up every few months 19 19 One Day, like all technology: Passwords WILL be a thing of the past Where is Technology headed?

8 Migration of Existing Technology and Standards Non Person Entities Devices (HSM) Secure Digital Card Network Authentication Digital Signature Data Encryption Binding people and devices to trusted physical and logical information technology frameworks using trusted identities Federally Certified Trust Model FPKI Using validated and verified technology meets Federal Requirements, and assures the security, resiliency, and reliability of the nation s cyber and communications infrastructure Questions

using trusted identities 22 22 Federally Certified Trust Model FPKI Using validated and verified technology meets Federal

9 Contact with Questions David Brent Bosch Security Systems Bosch Booth #14051 Darnell Washington SecureXperts, Incorporated

com 434 481 3082 Bosch Booth #14051 Darnell

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM Course Description This is the Information Security Training program. The Training provides you Penetration Testing in the various field of cyber world.