Murray Goldschmidt
[Sense Of Security]
Murray Goldschmidt is the Co-Founder and Chief Operating Officer at Sense of Security, Australia's leading pure-play Cyber Security consulting practice for nearly 20 years.
Murray is an industry recognised information security expert providing advice across the spectrum, from the boardroom to the basement across the region's elite corporate entities to government agencies.
Murray is frequently invited to present at conferences, workgroups and seminars and asked to provide expert comment for editorials and publications. He has presented on security topics at every leading conference locally, regionally and internationally.
His credentials include CISSP, IRAP and PCI QSA certifications and he is an active member of AISA, the AICD and RMIA. Murray has been instrumental in developing an expert and authoritative voice to the Australian media.
A Cyber Security Thought Leader, Murray is frequently published as well as being a highprofile media commentator for both enterprise and consumer security trends, attacks and issues.
Zero to P0wn3d & no 0Days - a Critical Infrastructure Red Team Case Study
Technical Level (3 being the highest score): 2
We are delivering this presentation as a case study of a Red Team assessment that we undertook at a client of ours – a critical infrastructure operator in Australia. This session will have all the excitement and drama of a James Bond thriller.
We will describe how we gained physical entry to a corporate location, bypassed the Network Access Controls (NAC) and slowly integrated ourselves, as unauthenticated testers, into the environment. This attack was a true demonstration of what can be achieved by simply leveraging everything that is available to you – a true live-off-the-land attack.
Without any exploit code and no 0days, we pivoted from the corporate environment to the critical infrastructure operating environment. And it’s not as if the environment wasn’t protected! We evaded every control and technology that was implemented. And the attack went undetected. We ultimately achieved the goal of the project – we gained access to a backend system that held the crown-jewels of this organization – the Private Keys.
The client actually had a reasonably secure deployment. But we managed to pick it apart.
Most of the issues related to poor configuration and mismanagement. And once inside, things began to cascade. Controls fell like dominoes. We will describe what we did every step of the way. What we thought might work but didn’t.
How we pivoted and escalated our way to total critical system control compromise. This presentation is sure to be a show stopper!
Murray is an industry recognised information security expert providing advice across the spectrum, from the boardroom to the basement across the region's elite corporate entities to government agencies.
Murray is frequently invited to present at conferences, workgroups and seminars and asked to provide expert comment for editorials and publications. He has presented on security topics at every leading conference locally, regionally and internationally.
His credentials include CISSP, IRAP and PCI QSA certifications and he is an active member of AISA, the AICD and RMIA. Murray has been instrumental in developing an expert and authoritative voice to the Australian media.
A Cyber Security Thought Leader, Murray is frequently published as well as being a highprofile media commentator for both enterprise and consumer security trends, attacks and issues.
Zero to P0wn3d & no 0Days - a Critical Infrastructure Red Team Case Study
Technical Level (3 being the highest score): 2
We are delivering this presentation as a case study of a Red Team assessment that we undertook at a client of ours – a critical infrastructure operator in Australia. This session will have all the excitement and drama of a James Bond thriller.
We will describe how we gained physical entry to a corporate location, bypassed the Network Access Controls (NAC) and slowly integrated ourselves, as unauthenticated testers, into the environment. This attack was a true demonstration of what can be achieved by simply leveraging everything that is available to you – a true live-off-the-land attack.
Without any exploit code and no 0days, we pivoted from the corporate environment to the critical infrastructure operating environment. And it’s not as if the environment wasn’t protected! We evaded every control and technology that was implemented. And the attack went undetected. We ultimately achieved the goal of the project – we gained access to a backend system that held the crown-jewels of this organization – the Private Keys.
The client actually had a reasonably secure deployment. But we managed to pick it apart.
Most of the issues related to poor configuration and mismanagement. And once inside, things began to cascade. Controls fell like dominoes. We will describe what we did every step of the way. What we thought might work but didn’t.
How we pivoted and escalated our way to total critical system control compromise. This presentation is sure to be a show stopper!
