Chapter Croatia Virtual Meetup: DORA & Phishing infrastructure


Details
Hello everyone, it’s time for our OWASP Croatia meetup. The topics will be delivered virtually, over Google Meet.
We have two topics:
- Slaven Smojver: Digital Operational Resilience Act (DORA)
- Petar ‘Hetti’ Kosic: Phishing infrastructure - building your own
Talk abstracts and bios follow:
---
Slaven Smojver: Digital Operational Resilience Act (DORA)
Short description:
The talk will briefly introduce the Digital Operational Resilience Act (DORA) – a new EU regulation that provides a set of rules for financial entities concerning the use of ICT, with a particular focus on:
- ICT risk management,
- security and business continuity,
- digital operational resilience testing,
- contracts with ICT service providers and
- oversight framework for critical ICT service providers.
Bio:
Slaven Smojver heads the Information Systems Supervision Department at the Croatian National Bank (HNB). The department's primary responsibility is the supervision and assessment of ICT risk in credit institutions, e-money institutions, payment institutions, payment systems and FinTech companies. Slaven obtained his Ph.D., M.Sc. and M.Eng.EE degrees from the University of Zagreb, Croatia. He has authored several scientific papers and has presented extensively on topics related to financial services supervision, and the control and management of information systems and information security in financial institutions. He holds CRISC, CISA and CISM certifications in good standing.
Petar ‘Hetti’ Kosic: Phishing infrastructure - building your own
Short description:
Phishing is an attack vector used by criminals to obtain credentials or gain access to confidential material. Security professionals use this technique, with legal permission, to test companies’ resilience against such attacks or to improve employees’ awareness of such threats (in the meantime - do not use phishing for awareness training; there are better ways!).
Infrastructure is needed to plan phishing campaigns and to serve the phishing websites.
Additionally, a mail server setup is essential for sending out phishing emails.
I will show you a solution based on Ansible for the automated deployment of phishing infrastructure. The focus of this solution lies in data sovereignty and self-hosted infrastructure. It offers the possibility to conduct simple (page clone) and complex (2FA bypass) phishing assessments. Additionally, a secure mail server setup is deployed and pre-configured. The solution also automatically deploys the DNS records for the mail setup, for one example DNS provider.
Bio:
Petar ‘Hetti’ Kosic is an IT security expert based in Vienna. He obtained his individual Bachelor’s degree in Computer Security & Engineering from TU Vienna and his Master’s degree in IT Security. In his free time he loves visiting community conferences, capturing flags with the academic CTF team WE 0WN Y0U, and hanging out in the finest Viennese hackspace, Metalab. He is also involved in various community projects such as the Viennese Privacyweek, the scavenger hunt HunTU and Cryptoparty Vienna.