Here are my notes from the third day of the Hacker Halted conference.

An Ethical Hacker’s Perspective to Network Access Control

  • Antivirus software is just a checkbox to most companies
  • Layered security is a must
  • Ghosts in the Browser paper – Tons of drive by downloads
  • Gartner said by the end of 2007, 75% of enterprises will have malware in their network undetected
  • NAC doesn’t protect mobile devices
    • It might protect mobile devices from connecting into the corporate network, but what about the time between?
    • Interesting data could be on the laptop
  • Need for policies in a mobile NAC
    • Limit functionality if not compliant
    • Automatically fix the problem – restart AV, get patches, etc.
    • Formulate both a whitelist and blacklist of applications
    • If connecting to a public wifi network, enforce mandatory use of corporate VPN
  • Blackjacking
  • 46% of corporations still use WEP
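The mobile NAC policy bullets above, as an added example that is not from the talk or from any NAC product: a small Python evaluator that turns a device's state into the policy's two kinds of action, automatic remediation (restart AV, fetch patches, block blacklisted apps) and functionality limits while the device is non-compliant, including mandatory corporate VPN on public wifi. The device fields, application names and patch level are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy data (assumptions, not values from the talk).
WHITELIST = {"corp-vpn", "corp-av", "office-suite"}
BLACKLIST = {"p2p-client", "keylogger"}
REQUIRED_PATCH_LEVEL = 12


@dataclass
class DeviceState:
    av_running: bool
    patch_level: int          # constructed: installed patch bundle number
    installed_apps: set
    network: str              # "corporate", "home" or "public-wifi"
    vpn_active: bool = False


def evaluate(state: DeviceState):
    """Return (remediations, restrictions) for one device check-in.

    remediations: fixes the agent applies automatically.
    restrictions: functionality limits kept until the device is compliant.
    """
    remediations, restrictions = [], []

    # Automatically fix what can be fixed: AV and patch level.
    if not state.av_running:
        remediations.append("restart_av")
    if state.patch_level < REQUIRED_PATCH_LEVEL:
        remediations.append("install_patches")

    # Blacklisted apps are blocked; apps on neither list are quarantined
    # (limited) rather than blocked, so unknown software cannot run freely.
    for app in sorted(state.installed_apps & BLACKLIST):
        remediations.append(f"block_app:{app}")
    for app in sorted(state.installed_apps - WHITELIST - BLACKLIST):
        restrictions.append(f"quarantine_app:{app}")

    # On public wifi the corporate VPN is mandatory.
    if state.network == "public-wifi" and not state.vpn_active:
        restrictions.append("require_corporate_vpn")

    # Any outstanding action means non-compliant: limit functionality to
    # remediation services until the next check-in shows a clean result.
    if remediations or restrictions:
        restrictions.append("limit_to_remediation_services")
    return remediations, restrictions


def is_compliant(state: DeviceState) -> bool:
    remediations, restrictions = evaluate(state)
    return not remediations and not restrictions
```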

Stealth Web Attack

  • Corporate espionage is largely underreported in the USA
  • Oracle and SAP espionage case
  • Society of Competitive Intelligence Professionals
  • Information corporate spies seek
    • Marketing and new product plans
    • Source code
    • Corporate strategies
    • Target markets and prospect information
    • Usual business methods
    • Product designs, research, costs
    • Alliance and contract arrangements
    • Customer and supplier information
    • Staffing, operations, and salary information
    • Credit records
  • There are so many components to security, does anyone know what everything does?
  • Are people properly trained to do their job?
    • Most cannot be masters of their domain; they just need to get it working
  • If there is an issue, the responsibility falls on you, not the vendor
    • If there was a breach due to a vendor flaw, they will be upset at you, not the vendor
  • USB Dumper