Cyber Hygiene for Physical Security




Slide 1: Cyber Hygiene for Physical Security
David Brent: david.brent@us.bosch.com
Darnell Washington: dwashington@securexperts.com

Slide 2: Objectives
- Fundamentals of Penetration Testing: Video Perspective
- Reality and Targets
- Best Practices
- From the Inside: Device Policies and Social Engineering
- Penetration Test Tools
- Passwords: Past, Present, and the Future?

Slide 3: Answering Questions with Questions
"How secure is your video?" translates to:
- How secure is your network?
- How are you recording your video and in what format?
- How secure is your vendor's video system?

Slide 4: Question #4
The supplemental question is: Is the attack from the outside or the inside? Have you examined your internal weaknesses as well?

Slide 5: View From the Outside
External attacks typically happen using three basic steps:
- Network Enumeration = Recon work: I have to find you. Tools: Sam Spade, DNS zone transfers, traceroute, ping, Firewalk
- Vulnerability Analysis = Looking for a way in: identify the OS of your servers (Nmap); list possible weaknesses
- Exploitation = Find the vulnerability and gain machine-level access: Metasploit, Nmap, Netcat, root kits

Slide 6: Finding Your Video
How are you recording your video and in what format?
- Analog or IP
- Fixed or PTZ
- H.263 / H.264
- RTSP (State), TCP (Stateless), SSL, iSCSI
- Edge or centralized
- OS and final video format? DVR, NVR, iSCSI / SAN / NAS, VRM
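The enumeration step on slide 5 (ping sweeps, port probes, zone-transfer attempts) is what a defender's logs see first. The following is an added example, not part of the original presentation: a small detector that parses a constructed, simplified firewall log format (the `src=/dst=/proto=/dport=` line layout is assumed here, not any vendor's real format) and flags the three reconnaissance patterns the slide names. The `dns_secondaries` parameter is an assumed allow-list of hosts legitimately permitted to pull zone transfers over TCP/53.

```python
"""Detect reconnaissance patterns (port sweeps, ICMP host sweeps and DNS
zone-transfer attempts) in a simplified firewall log.  Added example; the
log format below is constructed for illustration, not a vendor's format."""
import re
from collections import defaultdict

# Constructed sample lines: "<timestamp> <action> src=<ip> dst=<ip> proto=<p> [dport=<n>]"
SAMPLE_LOG = """\
2015-03-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2015-03-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
2015-03-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=23
2015-03-01T10:00:02 ALLOW src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=80
2015-03-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=443
2015-03-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=554
2015-03-01T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=3260
2015-03-01T10:00:05 ALLOW src=203.0.113.7 dst=192.0.2.53 proto=tcp dport=53
2015-03-01T10:00:06 ALLOW src=203.0.113.7 dst=192.0.2.10 proto=icmp
2015-03-01T10:00:06 ALLOW src=203.0.113.7 dst=192.0.2.11 proto=icmp
2015-03-01T10:00:07 ALLOW src=203.0.113.7 dst=192.0.2.12 proto=icmp
2015-03-01T10:00:09 ALLOW src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443
2015-03-01T10:00:10 ALLOW src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?$"
)


def parse(log_text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["dport"] = int(event["dport"]) if event["dport"] else None
        events.append(event)
    return events


def find_recon(events, port_threshold=5, host_threshold=3, dns_secondaries=()):
    """Return a list of alert tuples for the recon patterns on slide 5."""
    ports_by_pair = defaultdict(set)     # (src, dst) -> distinct destination ports
    hosts_by_icmp_src = defaultdict(set)  # src -> distinct hosts it pinged
    alerts = []
    for e in events:
        if e["proto"] == "icmp":
            hosts_by_icmp_src[e["src"]].add(e["dst"])
        elif e["dport"] is not None:
            ports_by_pair[(e["src"], e["dst"])].add(e["dport"])
            # Zone transfers (AXFR) run over TCP/53; only configured
            # secondary name servers should ever open that connection.
            if e["proto"] == "tcp" and e["dport"] == 53 and e["src"] not in dns_secondaries:
                alerts.append(("zone_transfer_attempt", e["src"], e["dst"]))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            alerts.append(("port_sweep", src, dst, len(ports)))
    for src, hosts in hosts_by_icmp_src.items():
        if len(hosts) >= host_threshold:
            alerts.append(("host_sweep", src, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in find_recon(parse(SAMPLE_LOG)):
        print(alert)
```

Both DENY and ALLOW lines feed the port counter on purpose: a scanner that finds one open port among many closed ones still produces the sweep signature, and dropping the ALLOW lines would hide it.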

Slide 7: Now What Do I Do?
How much data to sort? 50 cameras, 1500 Kbit/s, 15 days retention, 8 quiet hours a day = 9.3 TB of recorded data.
If you have the viewer for the video, the device needs to be routed for remote viewing. You are not routing 1000 cameras via 1 clip on a coax cable by wireless from a DVR in a basement.

Slide 8: Reality
If you were writing malicious code, who would you target?

Slide 9: Best Practices
- Wide-area CCTV network / corporate network segregation: you don't want video traffic on your production network
- Passwords: minimum 8 characters, all devices
- SSL encryption on video transmission, minimum
- IDS and DMZs: monitor your network for nefarious activity
- Restrict access to your video system: Reasons?
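The storage figure on slide 7 is the kind of number a practitioner has to re-derive for their own site, so here is an added example (not from the presentation) of the calculation as a reusable function. The slide does not say how it treated the 8 quiet hours; the code exposes that as a `quiet_rate_fraction` parameter, and the slide's 9.3 TB comes out only under the assumption that quiet hours record at roughly 30% of the full bitrate (recording nothing in quiet hours gives 8.1 TB, recording 24 hours gives 12.15 TB). Decimal units (1 TB = 10^12 bytes) are assumed.

```python
"""Video storage estimate for the scenario on slide 7.  Added example;
the quiet-hour bitrate fraction is an assumption, the slide does not state it."""

BITS_PER_BYTE = 8
SECONDS_PER_HOUR = 3600


def storage_bytes(cameras, kbit_per_s, retention_days,
                  quiet_hours_per_day=0, quiet_rate_fraction=0.0):
    """Bytes recorded over the retention window.

    Busy hours record at the full per-camera bitrate; each quiet hour records
    at quiet_rate_fraction of it (0.0 = nothing recorded while quiet,
    1.0 = no reduction at all)."""
    if not 0 <= quiet_hours_per_day <= 24:
        raise ValueError("quiet_hours_per_day must be within 0..24")
    busy_hours = 24 - quiet_hours_per_day
    effective_hours = busy_hours + quiet_hours_per_day * quiet_rate_fraction
    seconds = effective_hours * SECONDS_PER_HOUR * retention_days
    bytes_per_second = cameras * kbit_per_s * 1000 / BITS_PER_BYTE
    return bytes_per_second * seconds


def terabytes(num_bytes):
    """Decimal terabytes, the unit most storage vendors quote."""
    return num_bytes / 1e12


def retention_days_that_fit(capacity_bytes, cameras, kbit_per_s,
                            quiet_hours_per_day=0, quiet_rate_fraction=0.0):
    """Whole days of retention a given capacity can hold (the inverse question)."""
    per_day = storage_bytes(cameras, kbit_per_s, 1, quiet_hours_per_day, quiet_rate_fraction)
    return int(capacity_bytes // per_day)


if __name__ == "__main__":
    # Constructed scenario from the slide: 50 cameras, 1500 Kbit/s, 15 days, 8 quiet hours.
    for fraction in (0.0, 0.3, 1.0):
        tb = terabytes(storage_bytes(50, 1500, 15, 8, fraction))
        print(f"quiet hours at {fraction:.0%} bitrate: {tb:.2f} TB")
    print("days that fit on an 8 TB NAS (quiet hours not recorded):",
          retention_days_that_fit(8e12, 50, 1500, 8, 0.0))
```

The spread between 8.1 and 12.15 TB for the same camera count shows why a storage sizing should always state its quiet-hour assumption; the difference is an entire extra array.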

Slide 10: Why Separate?
Cyber Bank Heist: 100 banks worldwide, $1 billion.
- Malware = Carbanak allowed hackers to watch, record and take control of internal bank computers
- Spear phishing emails: weaponized MS Word 97-2003 Word docs and Control Panel Applet (*.CPL) files
- Exploited Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761) to execute shellcode
- Shellcode then decrypts and executes the Carbanak backdoor
- Waited up to 6 months before executing attacks

Slide 11: The Enemy Within
Exercise?

Slide 12: The Cloud
Ask Jennifer Lawrence and Kate Upton. Top risks are:
- Communications to and from
- Who is managing your data
- Availability
- Ownership and stale accounts
- Virtualization
- Encryption and keys?

Slide 13: Defense Against the Dark Arts
Is your BIOS locked? Are your drives encrypted?

Slide 14: Duck.. Duck Goose
What are your USB and remote device policies?

Slide 15: Duck.. Duck Goose

Slide 16: Defense Against the Dark Arts
Penetration testing options:
- Canvas, Silica, Swarm: Immunity Inc.
- PWNIE Express
- Core Impact: 30K, ouch.

Slide 17: Kali Linux
14 main categories of tools, 85 sub-categories, FREE

Slide 18: Education
Everyone in your organization should have basic knowledge and training in:
- Password basics
- Social engineering
- Best practices with data encryption
- Physical security
EVERYONE HAS to BUY IN

Slide 19: The Future of Passwords?
Best practices today:
- Use alphanumeric combinations with special characters
- Passwords should be at least 8 characters in length
- DO NOT use the same login credentials on multiple accounts
- Change it up every few months

Slide 20: The Future of Passwords?
One day, like all technology, passwords WILL be a thing of the past. Where is technology headed?

Slide 21: Migration of Existing Technology and Standards: Personal Entities / People
- HSPD-12 / Personal Identity Verification credential
- Network authentication
- Digital signature
- Data encryption
- Removal of username/password combinations
- Multi-factor authentication (including biometrics)
- Strong cryptography and encryption between users and devices
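Slides 9 and 19 together amount to a checklist for every camera and recorder: off the production VLAN, encrypted stream, restricted management access, an 8-plus character password with letters, digits and special characters, no credential reused across devices, and rotation every few months. The following is an added example, not from the presentation or from Bosch or SecureXperts, of auditing a device inventory against that checklist. The inventory, the VLAN numbering (VLAN 10 assumed to be the production network), the 90-day reading of "every few months" and the fixed audit date are all constructed assumptions for the example.

```python
"""Audit a video-system inventory against the best practices on slides 9 and 19.
Added example with a constructed inventory; VLAN numbers, the 90-day rotation
threshold and the audit date are assumptions, not values from the slides."""
import re
from collections import defaultdict
from datetime import date

PRODUCTION_VLANS = {10}        # assumed: VLAN 10 carries the corporate production network
TLS_STREAM_PROTOCOLS = {"rtsps", "https"}
MIN_PASSWORD_LENGTH = 8        # slide 9 / slide 19
MAX_PASSWORD_AGE_DAYS = 90     # assumed reading of "change it up every few months"
AS_OF = date(2015, 3, 15)      # fixed audit date so results are reproducible

# Constructed inventory: one well-configured camera, one badly configured camera,
# and a recorder that shares the bad camera's credentials.
INVENTORY = [
    {"name": "cam-lobby-01", "vlan": 20, "stream": "rtsps", "username": "operator",
     "password": "Lobby#2015cam", "password_set": "2015-01-10",
     "mgmt_allowed_from": ["10.20.0.0/16"]},
    {"name": "cam-dock-02", "vlan": 10, "stream": "rtsp", "username": "admin",
     "password": "admin12", "password_set": "2013-06-01",
     "mgmt_allowed_from": ["0.0.0.0/0"]},
    {"name": "nvr-main", "vlan": 20, "stream": "https", "username": "admin",
     "password": "admin12", "password_set": "2014-11-20",
     "mgmt_allowed_from": ["10.20.0.0/16"]},
]


def password_findings(password):
    """Length and character-class checks from slide 19."""
    findings = []
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append("password_too_short")
    has_letter = re.search(r"[A-Za-z]", password)
    has_digit = re.search(r"\d", password)
    has_special = re.search(r"[^A-Za-z0-9]", password)
    if not (has_letter and has_digit and has_special):
        findings.append("password_not_complex")
    return findings


def audit(inventory, as_of=AS_OF):
    """Map each device name to its list of finding codes (empty list = clean)."""
    findings = defaultdict(list)
    devices_by_credential = defaultdict(list)
    for device in inventory:
        name = device["name"]
        if device["vlan"] in PRODUCTION_VLANS:
            findings[name].append("on_production_vlan")       # segregation, slide 9
        if device["stream"] not in TLS_STREAM_PROTOCOLS:
            findings[name].append("stream_not_encrypted")     # SSL on video, slide 9
        if "0.0.0.0/0" in device["mgmt_allowed_from"]:
            findings[name].append("management_open_to_all")   # restrict access, slide 9
        findings[name].extend(password_findings(device["password"]))
        age_days = (as_of - date.fromisoformat(device["password_set"])).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings[name].append("password_stale")           # rotation, slide 19
        devices_by_credential[(device["username"], device["password"])].append(name)
    # Same username/password pair on more than one device: slide 19's reuse rule.
    for names in devices_by_credential.values():
        if len(names) > 1:
            for name in names:
                findings[name].append("credentials_reused")
    return {device["name"]: findings[device["name"]] for device in inventory}


if __name__ == "__main__":
    for name, device_findings in audit(INVENTORY).items():
        print(f"{name}: {', '.join(device_findings) or 'OK'}")
```

The reuse check is the one that cannot be done per device: it needs the whole inventory, which is why a spreadsheet of cameras reviewed one row at a time tends to miss it.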

Slide 22: Migration of Existing Technology and Standards: Non-Person Entities
- Devices (HSM)
- Secure Digital card
- Network authentication
- Digital signature
- Data encryption
- Binding people and devices to trusted physical and logical information technology frameworks using trusted identities

Slide 23: Federally Certified Trust Model (FPKI)
Using validated and verified technology meets Federal requirements, and assures the security, resiliency, and reliability of the nation's cyber and communications infrastructure.

Slide 24: Questions

Slide 25: Contact with Questions
David Brent, Bosch Security Systems, David.brent@us.bosch.com, 434 481 3082, Bosch Booth #14051
Darnell Washington, SecureXperts, Incorporated, Dwashington@securexperts.com, 404 693 5100