21/03/2016
1
Justin David G. Pineda CEH, GWAPT
Sr. Application Security Specialist
The Coca-Cola Company
PATTS College of Aeronautics
February 25, 2016
Topics for today:
What is information security?
Is there such thing as ethical hacking?
Summary of security threats 2014
What are issues that need to be addressed?
Information security as a discipline
Do we need a cybercrime law?
In the news…
What is information security?
Protection of information systems against unauthorized
access to or modification of information, whether in
storage, processing or transit, and against the denial of
service to authorized users or the provision of service to
unauthorized users, including those measures necessary
to detect, document, and counter such threats. (U.S.
National Information Systems Security)
The CIA triad
The CIA Triad explained
Confidentiality – Protection against unauthorized access.
Integrity – Protection against unauthorized modification.
Availability – Protection against Denial of Service (DoS)
Examples: (Determine the type of issue)
A stranger is able to enter campus premises by using a fake ID and impersonating an employee.
The school servers are down because there’s a blackout
and there’s no generator.
A student forges his course card to make it look like he
got a passing score in a course.
The school employs a guard that strictly checks people
going in and out of the school building.
A professor loses her Excel file containing the students' grades. She didn't back up her files.
Remember the 3-way handshake! (diagram: handshake between Student and Facebook)
Issue:
What happens if a student issues continuous SYN packets?
What happens if the student sends 2 million SYN packets?
(diagram: Student sends SYN, Google replies SYN-ACK, Student sends SYN again, Google replies SYN-ACK again; no ACK is ever sent back)
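To make the SYN-flood question concrete, here is an added example in Python (not from the slides): a toy model of the server's half-open connection queue, with the backlog size, client names and SYN counts all constructed for illustration. It shows why SYNs that are never followed by an ACK starve a legitimate client, and why a stateless defence (SYN cookies, simplified here) does not run out of room.

```python
# Added example (not from the slides): a toy model of a server's half-open
# (SYN-received) queue. An attacker who sends SYNs but never the final ACK fills
# the queue, so a legitimate student's SYN is dropped. With SYN cookies the server
# keeps no per-SYN state, so the flood cannot exhaust it. Numbers are scaled down.
from dataclasses import dataclass, field

@dataclass
class Server:
    backlog: int                    # max half-open connections held in memory
    syn_cookies: bool = False       # True: keep no state until the ACK arrives
    half_open: set = field(default_factory=set)
    established: set = field(default_factory=set)
    dropped: int = 0

    def on_syn(self, client):
        """Steps 1-2: client sent SYN; reply SYN-ACK, reserving a slot if stateful."""
        if self.syn_cookies:
            return "SYN-ACK"        # state is encoded in the sequence number instead
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None             # queue full: the SYN is silently dropped
        self.half_open.add(client)
        return "SYN-ACK"

    def on_ack(self, client):
        """Step 3: the client's ACK completes the handshake."""
        if self.syn_cookies or client in self.half_open:
            self.half_open.discard(client)
            self.established.add(client)
            return True
        return False

def run_flood(syn_cookies, attack_syns=200_000, backlog=128):
    """Attacker sends attack_syns SYNs and never ACKs; then a student connects.
    Returns True if the student's handshake completes. The slide's 2 million
    SYNs behave the same as 200,000 here: anything above the backlog suffices."""
    srv = Server(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(attack_syns):
        srv.on_syn(("attacker", i))  # each SYN looks like a new (spoofed) client
    if srv.on_syn("student") != "SYN-ACK":
        return False                # student never even gets a SYN-ACK
    return srv.on_ack("student")
```

Real kernels also time out half-open entries and use SYN cookies only once the queue is under pressure; the model omits both to keep the effect visible.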
Information Security vs. IT Security
Information Security has many domains.
Access control, telecommunications and network security,
Information security governance and risk management,
Software development security, Cryptography, Security
architecture and design, Operations security, Business
continuity and disaster recovery planning, Legal, regulations,
investigations and compliance, Physical (environmental) security
– from CISSP’s domains on ISC2
IT Security only focuses on software and hardware
technologies.
Defense in Depth
Definition of Protection Past & Present
PROTECTION = PREVENTION
Example: Gate, Network Firewall
Problem: What if the thief climbs over the gate?
Problem 2: What if there is a DoS attempt against a web server on port 80?
Definition of Protection Past & Present
PROTECTION = PREVENTION + (DETECTION + INCIDENT RESPONSE)
Example: Motion detector tools, anti-virus for host device,
Intrusion Detection System (IDS) for network.
Reality Check
You cannot eliminate all risks.
You do not have a lot of money to buy all controls to
mitigate the risks.
You need to prioritize.
Least Privilege
A user/program must be able to access only the
information and resources that are necessary for its
legitimate purpose.
It is the essence of all domains in information security.
Separation of Duties (SOD)
The concept of having more than one person required to
complete a task.
Keys to the kingdom
Example: How payroll is computed, approved, delivered, etc.
Separation of Duties Example
What will happen if the manager, HR and finance are one and the same person?
(diagram: Manager, HR, Finance)
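An added example in Python (not from the slides) that turns the payroll case into an enforced control: each role may only perform its own step (least privilege), and no single actor may perform two steps of one payroll run (separation of duties). The roles, step names and actor names are constructed for illustration.

```python
# Added example (not from the slides): a small payroll workflow that enforces
# least privilege (each role may perform only its own step) and separation of
# duties (no actor may perform two steps of the same run). Roles, steps and
# actor names are constructed for illustration.

PERMISSIONS = {             # least privilege: one step per role
    "manager": {"compute"},
    "hr": {"approve"},
    "finance": {"deliver"},
}
STEP_ORDER = ["compute", "approve", "deliver"]

class PayrollRun:
    def __init__(self):
        self.done = []      # (step, actor) pairs in the order performed

    def perform(self, step, actor, role):
        position = len(self.done)
        expected = STEP_ORDER[position] if position < len(STEP_ORDER) else None
        if step != expected:
            raise PermissionError(f"step {step!r} out of order; expected {expected!r}")
        if step not in PERMISSIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not {step}")
        if any(actor == who for _, who in self.done):
            raise PermissionError(f"{actor} already acted on this run (SoD violation)")
        self.done.append((step, actor))
        return True

def run_payroll(assignments):
    """assignments: list of (step, actor, role). Returns True if the run completes,
    otherwise the error message of the first rejected step."""
    run = PayrollRun()
    for step, actor, role in assignments:
        try:
            run.perform(step, actor, role)
        except PermissionError as exc:
            return str(exc)
    return len(run.done) == len(STEP_ORDER)
```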
Policies
HR Policies
Clean desk policy
Acceptable Use Policy
Internet policy
Data security policy
Password Policy
Physical Security
Natural barriers
Authentication (something you know, something you have, something you are)
Gates and dogs
Guards
Network Security
Firewalls
Intrusion Detection Systems (IDS)
Unified Threat Management (UTM)
Data Loss Prevention (DLP)
Host Security
Port Security
Anti-virus
User access (standard, admin, super admin)
Application Security
Encryption
Patches, hotfixes
Other Important Security Terms
Diversity of Defense
Do not rely on a single brand of security device.
Security through Obscurity
A feeling of security that comes from hiding the asset and assuming that nobody else will think the same way.
Cost Benefit Analysis (CBA)
The cost of a safeguard or protection should not be greater than the value of the asset.
Is there such thing as ethical hacking?
A hacker exploits weaknesses in a computer system.
Hacking or cracking which refers to unauthorized access into or interference in a computer system… (RA 8792, E-Commerce Law)
Someone with an advanced understanding of computers and computer networks… (A Guide to the World of Computer Wizards)
Ex. Hacking with a Pringles tube (from BBC News)
What separates good from bad hackers?
They both exploit weaknesses in a computer system or network.
The difference is – permission and scope.
White hat – good guys
Black hat – bad guys
Gray hat – good in the morning; bad in the evening
With this definition, what’s the classification of Anonymous?
Hacking trend…
Steps in Hacking
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks
Reconnaissance
Observation
Research your target
Start from online tools
Netcraft
Archive
Web Data Extractor
Job opportunities
What do you know about PATTS?
Can you retrieve PATTS’ website in the year 2003?
How about server info about PATTS?
Scanning
Look for open opportunities
nmap, hping
Gaining & Maintaining Access
Password Guessing
Privilege Escalation
Executing Malicious Code
Copying files
Covering Tracks
Delete or modify audit trails
Summary of security threats 2014
How does a vulnerability get discovered and fixed?
In the headlines…
What happens when you don’t patch?
Can a vulnerability not affect my system?
Heartbleed bug (April 2014)
Security bug in OpenSSL cryptography library.
Results from improper input validation.
Registered under CVE-2014-0160.
Discovered by Canadian Cyber Incident Response
Centre.
Approx. half a million web servers are affected.
Heartbleed bug
Heartbeat – a keep-alive extension for secure communications
Problem: No bounds checking
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
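An added example in Python (not OpenSSL's own code) covering both Heartbleed slides: openssl_vulnerable() applies the affected-version list above to a version string, and parse_heartbeat() validates a TLS heartbeat message the way the fixed code does, rejecting any message whose declared payload length exceeds the bytes actually received. The two sample messages in heartbeat_demo() are constructed for the demonstration.

```python
# Added example (not OpenSSL's code): two defensive checks for the Heartbleed
# slides. openssl_vulnerable() applies the affected-version list from the slide;
# parse_heartbeat() validates a TLS heartbeat message the way the fixed code
# does, rejecting any message whose declared payload length exceeds what was
# actually received (the missing bounds check behind CVE-2014-0160).
import re
import struct

def openssl_vulnerable(version: str) -> bool:
    """True for 1.0.1 through 1.0.1f; 1.0.1g, 1.0.0.x and 0.9.8.x are not affected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    if (int(m[1]), int(m[2]), int(m[3])) != (1, 0, 1):
        return False            # 1.0.0 and 0.9.8 branches: not vulnerable
    return m[4] <= "f"          # "" (plain 1.0.1) through "f": vulnerable

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16                # RFC 6520: at least 16 bytes of padding

def parse_heartbeat(record: bytes) -> bytes:
    """Return the payload to echo, or raise ValueError if the message is malformed.
    Layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16)."""
    if len(record) < 1 + 2 + PADDING_LEN:
        raise ValueError("heartbeat record too short")
    msg_type, payload_len = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    # The check OpenSSL 1.0.1g added: the claimed length must fit inside the
    # bytes actually received. Without it, the server copied payload_len bytes
    # from memory past the end of the (much shorter) message it was given.
    if 1 + 2 + payload_len + PADDING_LEN > len(record):
        raise ValueError("payload_length exceeds record length; discarding")
    return record[3:3 + payload_len]

def heartbeat_demo():
    """Constructed messages: one well-formed, one claiming 65535 bytes of payload."""
    good = struct.pack("!BH", HEARTBEAT_REQUEST, 4) + b"ping" + b"\x00" * 16
    bad = struct.pack("!BH", HEARTBEAT_REQUEST, 0xFFFF) + b"ping" + b"\x00" * 16
    echoed = parse_heartbeat(good)
    try:
        parse_heartbeat(bad)
        rejected = False
    except ValueError:
        rejected = True
    return echoed, rejected
```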
Testing…
Shellshock/Bashdoor (September 2014)
Shellshock
Security bug in the UNIX Bash shell
Allows an attacker to execute arbitrary commands remotely on vulnerable versions.
Registered under CVE-2014-627.
Affected systems:
Linux, BSD, and Mac OS X distributions
All unpatched Bash versions from 1.14 through 4.3 (i.e. all releases until now) are at risk.
Test on your system:
env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Testing…
How to fix Shellshock?
Update Bash version.
What issues need to be addressed?
Focus on 2 critical issues
Social Engineering
Web Application Attacks
Social Engineering
Social engineering is the hacker/attacker's clever
manipulation of the natural human tendency to trust to
obtain information that will allow him to gain
unauthorized access to a valued system. (Social
Engineering Fundamentals)
90% of successful hacking activities are done using social
engineering.
Steps in Social Engineering
Information Gathering
Stalk in social networking sites
Mail-outs
Forensic analysis
Facebook apps
Developing Relationships
Cognitive biases (returning the favor, share interests)
Exploitation
People become less reasonable when in a state of shock or strong affect.
Types of Social Engineering Attacks
Physical
Shoulder surfing
Dumpster diving (ex. Argo)
Tailgating
War driving, chalking, walking, etc.
Online
Phishing
Pharming
Spear phishing
Vishing
Countermeasures
Create, implement and harden security policies
People easily forget policies. Policies need enforcement.
Comply with physical security standards
Are doors locked? Do security guards check all students for ID?
Security Awareness Training for employees
This should be done periodically.
Resistance Training for specified employees
Social Engineering Land Mines (SANS, David Gragg)
Call-back policy, key questions, bogus questions
Incident Response
Web Application Attacks
A lot of people are using the Internet and doing transactions there.
Many websites are never checked for whether they are safe for users to use.
It’s possible that an application follows proper coding standards but the versions/functions it uses are vulnerable.
Usual attacks:
SQL Injection
Cross Site Scripting (XSS)
Session Hijacking
Directory Traversal
Cross Site Request Forgery (CSRF)
Web Goat demonstration
Download it here - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Web Application Security Advice
Include security in all SDLC steps.
Refer to the Open Web Application Security Project
(OWASP) when writing web applications.
https://www.owasp.org/
Use both source code analyzer and vulnerability scanner
to check the status of your application.
Information Security as a Discipline
Information Security as a Discipline
InfoSec is a relatively new field.
It is starting to grow because a lot of businesses are transitioning online.
Virtual money is the same as physical money.
There are still few professionals in this field.
Supply is low, demand is high.
CS and IT major courses are good infosec foundations.
You can opt to choose infosec for your thesis.
Security Certifications
CompTIA – Security+
EC-Council – Certified Ethical Hacker, Certified Security Analyst, Certified Hacking & Forensics Investigator etc.
SANS – GIAC Certified Reverse Engineering Malware, Incident Handler, Intrusion Analyst etc.
ISACA – Certified Information Systems Auditor etc.
ISC2 – Certified Information Systems Security Professional (CISSP), etc.
Do we need a cybercrime law?
Security or Freedom?
Privacy Issues
Are we being watched?
Do we need a cybercrime law?
Of course, we need one.
R.A. 10175 or the Cybercrime Prevention Act is a mixture of several issues.
A cybercrime law should not only focus on limiting Freedom of Expression.
A cybercrime law should protect the people.
What kind of cybercrime law do we need?
A law that compels for-profit organizations like banks to follow certain best standards to protect client data found in bank accounts.
A law that compels telecom companies to ensure that data passing through their infrastructure are sent to and received by the intended recipients.
A law that compels government offices to securely store the personal data found in their computer systems.
Thank you very much.
Q&A
Justin David Pineda
Coca-Cola Philippines
http://justinpineda.com