So said Jayson Street, infosec ranger at Pwnie Express, during his keynote, "Strategies on securing your banks and enterprises, from someone who robs banks and enterprises", at ITWeb Security Summit 2017 this morning at Vodacom World in Midrand.
He said humans are terrible at risk management. Everyone is worried about zero days, but let's face it, you'll be phished long before you get hit by a zero day, he commented.
Then there's the question of who's coming after you, he added. "We'd all like to think it's a nation state. But not really. Unless you're the Pope or own a centrifuge, it's not them. It's not hacktivists either. Who else could it be, hacktivists? Not so much. They're not that organised."
So who is your attack vector? "Criminals. Criminals who want to rob you for money. They are not hackers. They are criminals. Start protecting yourself from them. Unfortunately, these criminals may well have nation state technology, but they are still just criminals."
If someone wants to breach an organisation badly enough, they will, Street said. "The longest I've taken to compromise a company was 1 hour 45 minutes. You can't control being attacked; it's how you respond to it that defines you."
Upon coming to SA, Street decided to see if he could breach one of the country's biggest banks. The first step was Googling ‘SA's big five banks'. It's easy, he said. On their landing page, there is already a smorgasbord of information that makes them an attractive target. "Starting with the line: ‘One of SA's wealthiest banks.' Moreover, there is plenty of other information, and links to social media accounts that can be used to socially engineer the organisation."
"Look at their Twitter account, and look at who they follow. Send that guy a DM message that compromises his account, then use that to compromise the bank."
In terms of defence, never put a real person's name and contact details in the ‘contacts' section. "It's a good start for a social engineer to gain a foothold. Always use a generic contact address."
In addition, he advised that security teams should be taught to look at the site in an offensive manner. "Look at your site like an attacker would. You're not trying to keep honest people out, but think about any vulnerabilities that would let an attacker in. Also, stop trusting your network."
Finally, Street said: "Stop living in a world where you think no one is trying to attack you. You may live in a nice neighbourhood, and if you pop down to the shops for a few minutes, your neighbours will keep an eye out. When you're online, your neighbours are China, Russia... They're looking for a way in. Don't give it to them."