Teach a Man to Phish

Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life."

- @thegrugq

Information Security
Is Hard

 

 

What is InfoSec?

"Information Security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information."

The focus of InfoSec is balancing protection of the Confidentiality, Integrity and Availability of data. Data security should focus on effective policies that don't impede operational efficiency.

Threat Modeling

  • Assets
  • Threats
  • Vulnerabilities

more info: https://www.owasp.org/index.php/Application_Threat_Modeling

Data!

Notes About PHI

PHI: health status, provision of health care, or payment for health care created or collected by a Covered Entity

  • Difficult/impossible to change if compromised
  • Can be used to commit health care fraud or other identity theft
  • Can be held for ransom

What are the threats we

might be facing?

The Government?

Hackers?

Organized Crime?

Where are we vulnerable?

Some Areas of Vulnerability

  • Servers
  • Email
  • People
  • Login systems
  • Connections to 3rd parties

Meltdown and Spectre

Meltdown

This exploit breaks application isolation and allows one program running on an OS to access memory used by other applications. We were vulnerable to this until Aptible rolled out a fix early this week!

Spectre

Spectre exploits a CPU's speculative execution of code and can be used to read data from the CPU's cache. This can allow attackers to access things like passwords typed into different browser tabs.

https://meltdownattack.com/

Phishing

Common Phishing Attacks

  • Deceptive Phishing - pretending to be a legitimate site
  • Spear Phishing - highly personalized
  • CEO fraud - spear phishing directed at CEOs
  • Pharming - redirecting http traffic
  • Dropbox Phishing - harvesting credentials with dropbox links
  • Google Docs Phishing

Login and 3rd Parties

  • Http can leak credentials
  • Sending unnecessary info risks leaks
  • Giving access to 3rd parties exposes our system to 3rd party risk

Sometimes you just fail.

What can we do?

  • mitigate – build layers of defence to address our assessed threats and vulnerabilities
  • transfer – outsource some risk where we don't have a core competency. (like Aptible)
  • accept – weigh costs and benefits, no security is perfect and near perfect might be prohibitively expensive

Mitigation

  • Defense in Depth
  • Good Policies
  • Training
  • Cryptography

Cyber Security!

Further Reading

  • https://krebsonsecurity.com/
  • https://meltdownattack.com/
  • https://medium.com/@thegrugq/
  • https://www.owasp.org/index.php/Category:Vulnerability

Thanks for listening,

please use a password manager.

phishing and phrends

By Chase Gilliam

phishing and phrends

  • 207