What hacking has thought me about security in depth, detective and preventive measures presented at BSidesAthens 2018

by Jos Peet,

Summary : This talk will evolve around my learnings and insights regarding defence in depth, preventive measures and detective measures in corporate networks, which I gained during my 4 years or red-teaming. This talk will revolve around how attackers work, how they defeat security controls on various levels, ranging from the systems your end-users work on, all the way through to 2FA and 4-eye principles on critical business assets. Defence in depth matters, but it can be quite trivial for attackers to sidestep certain controls to get to the data they want if not done right. Just securing your ‘crown-jewels’ is insufficient and 'trusting your users' may just be the biggest mistake you make. It will also go into differences in and dependencies between preventive measures and detective measures and whether or not it is possible to fix a lack of the former by doing more of the latter. Talk is based on and supported by real-life examples