Faast_SecurityDay
Eleven Paths
Faast: Attacks & Defences: Hacking, Pentesting & Hardening

Case 1: RSA Conference
w1.livestatserver.com/w.js
rsaconference.com

Case 2: Apple Software Updates
The digital certificate expired
For a while Apple was vulnerable to Evil Grade attacks
Malware posing as an update
MITM attacks
Nobody warned Apple about this. And it is not as if Apple doesn't go through several audits a year…

Case 3: The theft of Oracle's domain
Oracle let its ".es" domain expire
Someone else registered it
What if it were used to carry out actions that could damage your organisation's image?
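As an added illustration of the two failure modes above (an update server whose certificate has expired, a domain registration that lapses), not code from the original deck: a small Python check, standard library only, that flags inventory entries that are already expired or will expire within a warning window. The asset names, dates and the 30-day window are constructed for the example.

```python
"""Recurring expiry check over an asset inventory (added example)."""
from datetime import datetime, timezone
import ssl

WARN_DAYS = 30  # assumed warning window

# Constructed inventory. Certificate dates use the 'notAfter' string format that
# ssl.getpeercert() returns; domain expiry is ISO-8601, as a WHOIS parser might emit.
INVENTORY = [
    {"asset": "updates.example.com", "kind": "tls_cert",
     "expires": "Mar  2 12:00:00 2014 GMT"},
    {"asset": "example.es", "kind": "domain",
     "expires": "2015-01-15T00:00:00+00:00"},
    {"asset": "www.example.com", "kind": "tls_cert",
     "expires": "Jan 10 00:00:00 2030 GMT"},
]

def parse_expiry(kind, value):
    """Return the expiry as a timezone-aware UTC datetime."""
    if kind == "tls_cert":
        # ssl.cert_time_to_seconds parses the OpenSSL 'notAfter' format
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)
    return datetime.fromisoformat(value)

def check_inventory(inventory, now, warn_days=WARN_DAYS):
    """Return one finding per asset that is expired or expiring within warn_days."""
    findings = []
    for item in inventory:
        days_left = (parse_expiry(item["kind"], item["expires"]) - now).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            continue  # healthy: nothing to report
        findings.append({"asset": item["asset"], "kind": item["kind"],
                         "status": status, "days_left": days_left})
    return findings

def run_check(now_iso):
    """Run the check against the constructed inventory at a given ISO-8601 instant."""
    return check_inventory(INVENTORY, datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    for f in run_check(datetime.now(timezone.utc).isoformat()):
        print(f"{f['status']:9} {f['kind']:9} {f['asset']} ({f['days_left']} days)")
```

Scheduled minute by minute or daily, the same function over a real inventory turns both cases into an alert before anyone outside the organisation notices.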

Case 4: The iCloud celebGate

Case 5: Java.com and Jquery.com

Case 6: HeartBleed & ShellShock

Show me your robots.txt
Pwn1nage!
Case 6: Unexpected leakage

What do we take away from this?

The security audit…

Strategic pentester

Why has it died?
1. Report delivery
2. Systems in constant change
3. New vulnerabilities appearing daily
4. Damaged image and losses

Classic pentest vs persistent pentest
Best case: 3 months
Average case: 1 year
Worst case: Sometimes
The bad guys don't rest
Persistent pentesting
Minute by minute (m2m)
Vulnerabilities vs. Vulnerabilities + Weaknesses

• A CVE scanner?
• A web scanner?
• Do you run it every day?
• Against 100 % of your assets?
• Do you know every asset you have?
• Can you influence the plugins?
• Can you get real-time information on the bugs and weaknesses you have?

Faast:
· Exploit well-known vulnerabilities
· Use OSINT tricks
• Shodan
• Whois
• Archive.org
• Paste
• DNS
· Check for human mistakes
· Check for leaks
· Test the whole infrastructure
· Social networks
· Day by day the knowledge base increases.
Faast: Persistent Pentesting

Faast

Phases:
10 Discovery
20 Analysis
30 Exploitation
40 GOTO 10

Invitation to run a pilot