My presentation at IT Weekend Lviv 2017. Overview of modern cyber threat agents and their modus operandi. Practical recommendations on how to be a less likely cyber threat.

1. Fantastic Beasts
and where to hide from them
Vlad Styran CISSP CISA OSCP
Berezha Security

2. Imminence and Inevitability of an Incident

3. 2007
“You are going to be hacked.”

4. 2017
“You have been hacked.”

5. What’s up?

7. http://b0n1.blogspot.nl/2017/05/wannacry-ransomware-picture-collection_17.html

13. Who does it?

18. How do they do it?

19. –Sid Victim
“I have nothing to hide.”

20. You could lose your stuff
Crypto-ransom
DDoS attacks
Vandalism
Physical destruction
# rm -rf /
«…Now I’m ready to play with `regedit`.»

21. –Johny Sysadmin
“Backups are for losers.”

22. Someone could steal your stuff
Hacking
Social engineering
Doxing
Insider threat
Sensitive data loss ✈
Physical theft/robbery
Unattended access to equipment

23. –Amy Hacker
“If I can touch your computer,
it’s no longer your computer.”

24. Someone could change your stuff
Transfer money
Reset passwords
Register services
Corrupt data
Seed illegal content
Spread propaganda

25. –Donald Trump
“Despite the constant negative press covfefe.”

26. How they do it?

27. –Eugene Kaspersky
“Internet-weapons.”

28. Phishing

29. Phishing

30. Phishing

31. Phishing

32. Targets
You
Your family
Your friends
Your clients
Your suppliers
Your doctor
Your lawyer
Everyone you trust

33. Targets

34. Targets

35. Targets

36. –Alex Stamos
“Appsec is eating security.”

37. Hall of Fail
Web security
Mobile security
Binary s/w security
Data transport security
S in IoT stands for security

39. What could you do?

40. Bad news
Remember III? You cannot avoid being hacked.

41. Not so bad news
You can try to make it harder.

45. –Boris Sverdlik
“Don’t click shit.”

46. Don’t click… it
Don't click shit.
Formally train your staff not to click shit.
Demand all your business peers formally train their
staff not to click shit.
Teach your spouse, your kids, your parents, your
friends not to click shit.
https://github.com/sapran/dontclickshit

47. Password size matters
Use passphrase instead of password.
MiX ChAr ReGister & 4dd 50m3 d1g1t5
Make it long. Long means 20+ chars.
Remember not more than 2 passphrases:
use a good password manager.
Turn on 2FA: twofactorauth.org

48. Update software
Update your stuff.
Update it right after the patch is available.
Turn on autoupdate wherever it’s possible.
Zero-days are rare, >99% of people get hacked
using known vulnerabilities.

49. Build less insecure software
No, you can’t do it yourself. Hire a security pro.
Security is not an option you can offer your clients.
It should be thought through from the very
beginning, not added up in the end.
Build it in, not bolt it on!

50. Build more secure software
Go to OWASP.org: there is literally no better info
source on Application Security. And it’s free!
Train your staff to build less vulnerable software.
Use frameworks with good security record
whenever possible.
And never, NEVER implement your own crypto!

51. Hack yourself first
Let your staff do it and hire an ethical hacker.
Start a Bug Bounty Program when ready.
Phish your own staff to see if they're ready to
withstand modern attacks.
Don’t blame them if they fail. Let them tell everyone
how it happened.

52. Remember
Once it becomes harder to hack the crap out of
you, they will skip to the next target.
Once it becomes harder to hack the crap out of all
of us, they will change their tactics.
Keep up with the game and know how not to
become a cyber victim.
The game will change. Be the one who changes it.

53. Thank you slide
Thank you

54. Q&A