
21/03/2016


Justin David G. Pineda CEH, GWAPT

Sr. Application Security Specialist

The Coca-Cola Company

PATTS College of Aeronautics

February 25, 2016

Topics for today:

What is information security?

Is there such a thing as ethical hacking?

Summary of security threats 2014

What are issues that need to be addressed?

Information security as a discipline

Do we need a cybercrime law?

In the news…

What is information security?

Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats. (U.S. National Information Systems Security (INFOSEC) Glossary)


The CIA triad

The CIA Triad explained

Confidentiality – Protection against unauthorized access (disclosure).

Integrity – Protection against unauthorized modification.

Availability – Protection against denial of service (DoS), so that authorized users can reach the system when they need it.


Examples: (Determine the type of issue)

A stranger is able to enter campus premises by using a fake ID and impersonating an employee.

The school servers are down because there's a blackout and there's no generator.

A student forges his course card to make it look like he got a passing score in a course.

The school employs a guard that strictly checks people going in and out of the school building.

A professor loses her Excel file containing the students' grades. She didn't back up her files.

Remember the 3-way handshake!

[Diagram: 3-way handshake (SYN, SYN-ACK, ACK) between Student and Facebook]

Issue:

What happens if a student sends SYN packets continuously and never answers the SYN-ACK?

What happens if the student sends 2 million SYN packets?

[Diagram: Student → Google: SYN; Google → Student: SYN-ACK; repeated, with no final ACK from the student]
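The slide's two questions are the SYN flood: every SYN the server answers with a SYN-ACK costs it a slot in its half-open queue until the final ACK arrives, and a sender that never sends the ACK fills that queue. The model below is an added example (not from the original slides) of the server side of the handshake, with a deliberately tiny backlog, a constructed flood and one legitimate client; the SYN-cookie variant derives the server's ISN from the connection tuple with an assumed secret, so it stores nothing per SYN and the flood has nothing to exhaust.

```python
"""Half-open queue (SYN backlog) model: why a SYN flood works and why SYN
cookies stop it.

Added example, not from the original slides. It models only the server
side of the 3-way handshake: a SYN normally reserves a backlog slot that
is freed when the client's final ACK arrives. The flood traffic, the
legitimate client and the backlog size are constructed for the demo.
"""
import hashlib
import hmac
import itertools

BACKLOG = 8  # assumed, deliberately tiny half-open queue so the effect is visible
SECRET = b"constructed-demo-secret"  # a per-boot secret in a real SYN-cookie implementation


class Listener:
    def __init__(self, syn_cookies: bool = False) -> None:
        self.syn_cookies = syn_cookies
        self.half_open: dict = {}        # (src_ip, src_port) -> server ISN awaiting ACK
        self.established: set = set()
        self.dropped = 0
        self._isn = itertools.count(1000)

    def _cookie(self, src: tuple, client_isn: int) -> int:
        """Stateless server ISN derived from the connection tuple (SYN-cookie style)."""
        msg = f"{src[0]}:{src[1]}:{client_isn}".encode()
        mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src: tuple, client_isn: int):
        """Handle a SYN. Returns the server ISN sent in the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(src, client_isn)        # nothing stored per SYN
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1                           # queue full: SYN silently dropped
            return None
        isn = next(self._isn)
        self.half_open[src] = isn                       # state held until ACK (or timeout)
        return isn

    def on_ack(self, src: tuple, client_isn: int, ack_number: int) -> bool:
        """Handle the client's final ACK. Returns True if the connection is established."""
        if self.syn_cookies:
            ok = ack_number == self._cookie(src, client_isn) + 1   # recompute, no lookup
        else:
            isn = self.half_open.pop(src, None)
            ok = isn is not None and ack_number == isn + 1
        if ok:
            self.established.add(src)
        return ok


def run(syn_cookies: bool, flood_size: int = 2000):
    """Flood the listener with half-open SYNs, then let one legitimate client connect.

    Returns (legit_connected, syns_dropped, half_open_entries_left)."""
    srv = Listener(syn_cookies)
    # Attacker: many spoofed sources send one SYN each and never answer the SYN-ACK.
    for i in range(flood_size):
        srv.on_syn((f"10.0.{i // 256}.{i % 256}", 40000 + i), client_isn=i)
    # Legitimate client completes the whole handshake.
    legit, legit_isn = ("203.0.113.5", 51515), 777
    server_isn = srv.on_syn(legit, legit_isn)
    connected = server_isn is not None and srv.on_ack(legit, legit_isn, server_isn + 1)
    return connected, srv.dropped, len(srv.half_open)


if __name__ == "__main__":
    print("backlog only :", run(syn_cookies=False))   # legitimate client locked out
    print("SYN cookies  :", run(syn_cookies=True))    # legitimate client connects, no state kept
```

Without cookies the first eight flood SYNs take every slot and all later SYNs, including the legitimate one, are dropped; with cookies nothing is stored, so the flood costs the server only CPU and bandwidth. Real kernels combine a much larger backlog with timeouts and cookies (Linux: `net.ipv4.tcp_syncookies`).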

Information Security vs. IT Security

Information Security has many domains: access control; telecommunications and network security; information security governance and risk management; software development security; cryptography; security architecture and design; operations security; business continuity and disaster recovery planning; legal, regulations, investigations and compliance; physical (environmental) security (the ten CISSP domains from (ISC)²).

IT Security only focuses on software and hardware technologies.


Defense in Depth

Definition of Protection Past & Present

PROTECTION = PREVENTION

Example: Gate, Network Firewall

Problem: What if the thief climbs over the gate?

Problem 2: What if there is a DoS attempt against a web server on port 80, a port the firewall has to leave open?


Definition of Protection Past & Present

PROTECTION = PREVENTION + (DETECTION + INCIDENT RESPONSE)

Example: Motion detectors, anti-virus for the host device, Intrusion Detection System (IDS) for the network.

Reality Check

You cannot eliminate all risks.

You do not have a lot of money to buy all controls to mitigate the risks.

You need to prioritize.


Least Privilege

A user/program must be able to access only the information and resources that are necessary for its legitimate purpose.

It is the essence of all domains in information security.

Separation of Duties (SOD)

The concept of having more than one person required to complete a task.

Keys to the kingdom

Example: How payroll is computed, approved, delivered etc.

Separation of Duties Example

What will happen if the manager, HR and finance are one and the same person?

[Diagram: Manager, HR and Finance as three separate roles]

Policies

HR Policies

Clean desk policy

Acceptable Use Policy

Internet policy

Data security policy

Password Policy


Physical Security

Natural barriers

Authentication (something you know, something you have, something you are)

Gates and dogs

Guards

Network Security

Firewalls

Intrusion Detection Systems (IDS)

Unified Threat Management (UTM)

Data Loss Prevention (DLP)


Host Security

Port Security

Anti-virus

User access (standard, admin, super admin)

Application Security

Encryption

Patches, hotfixes


Other Important Security Terms

Diversity of Defense

Do not rely on a single brand of security device; a flaw in one vendor's product should not defeat every layer.

Security through Obscurity

A false sense of security that comes from hiding the asset or the design and assuming nobody else will think to look there. Hiding adds little once the secret is out, so it must not replace real controls.

Cost Benefit Analysis (CBA)

The cost of a safeguard should not be greater than the value of the asset it protects.

Is there such a thing as ethical hacking?

A hacker exploits weaknesses in a computer system.

Hacking or cracking which refers to unauthorized access into or interference in a computer system… (RA 8792, E-Commerce Law)

Someone with an advanced understanding of computers and computer networks… (A Guide to the World of Computer Wizards)

Ex. Hacking with a Pringles tube (from BBC News)

What separates good from bad hackers?

They both exploit weaknesses in a computer system or network.

The difference is permission and scope.

White hat – good guys

Black hat – bad guys

Gray hat – good in the morning; bad in the evening

With this definition, what’s the classification of Anonymous?


Hacking trend…

Steps in Hacking

1. Reconnaissance

2. Scanning

3. Gaining Access

4. Maintaining Access

5. Covering Tracks


Reconnaissance

Observation

Research your target.

Start from online tools:

Netcraft (what a site runs on and who hosts it)

Archive (the Wayback Machine, for old copies of a site)

Web Data Extractor (harvests e-mail addresses, phone numbers and URLs from a site)

Job opportunities (postings often name the technologies in use)

What do you know about PATTS?

Can you retrieve PATTS’ website in the year 2003?


How about server info about PATTS?

Scanning

Look for open ports and exposed services (nmap, hping).
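What nmap does for the "Scanning" step, reduced to its simplest form: a TCP connect scan, shown here as an added example that is not from the original slides and not nmap's code. It completes the full 3-way handshake on every port (like `nmap -sT`), whereas nmap's default `-sS` SYN scan sends only the SYN and classifies the reply (SYN-ACK = open, RST = closed, silence = filtered) without finishing the handshake. The target is a throw-away listener bound on 127.0.0.1 for the demo; scan only hosts you are authorised to test.

```python
"""TCP connect scan, as an added example (not from the original slides).

Probes a host's ports by completing the 3-way handshake (`nmap -sT` style).
The demo target is a listener the script itself binds on 127.0.0.1.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Return 'open', 'closed' (connection refused, i.e. RST) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # timeout, unreachable network, etc.
        return "filtered"


def scan(host: str, ports, timeout: float = 0.5, workers: int = 50) -> dict:
    """Probe many ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p, timeout), ports)
    return dict(zip(ports, states))


def open_ports(host: str, ports, **kwargs) -> list:
    return sorted(p for p, state in scan(host, ports, **kwargs).items() if state == "open")


def demo_listener() -> socket.socket:
    """Bind a listening socket on an ephemeral loopback port so the scan has a known target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def closed_port() -> int:
    """Pick a loopback port nothing listens on: bind to an ephemeral port, read it back, close."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv = demo_listener()
    target = srv.getsockname()[1]
    print(scan("127.0.0.1", range(target - 3, target + 3)))
    srv.close()
```

A connect scan is noisy: every open port records a completed connection in the target's logs, which is one reason defenders can spot it and one reason nmap prefers the half-open SYN scan when it has raw-socket privileges.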


Gaining & Maintaining Access

Password Guessing

Privilege Escalation

Executing malicious code

Copying files

Covering Tracks

Delete or modify audit trails

Summary of security threats 2014

How does a vulnerability get discovered and fixed?

In the headlines…

What happens when you don’t patch?

Can a vulnerability not affect my system?

Heartbleed bug (April 2014)

Security bug in the OpenSSL cryptography library.

Results from improper input validation (a missing bounds check on a length field).

Registered under CVE-2014-0160.

Discovered independently by Neel Mehta of Google and by engineers at Codenomicon; the Canadian Cyber Incident Response Centre was among the national CERTs that issued advisories.

Approx. half a million web servers were affected.


Heartbeat: a TLS/DTLS extension (RFC 6520) that keeps a secure session alive without renegotiating it. A peer sends a heartbeat request carrying a payload and a payload-length field, and expects the payload echoed back.

Problem: No bounds checking. The responder trusted the length field in the request and copied that many bytes from its own memory into the reply, so a request that claimed up to 64 KB of payload while sending only a few bytes got back up to 64 KB of whatever sat next in memory (session cookies, keys, private-key material).

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

OpenSSL 1.0.1g is NOT vulnerable

OpenSSL 1.0.0 branch is NOT vulnerable

OpenSSL 0.9.8 branch is NOT vulnerable

(OpenSSL 1.0.2-beta1 was also vulnerable; the fix landed in 1.0.2-beta2.)
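The missing bounds check, worked through in a model. This is an added example and not OpenSSL's code; it follows the shape of `tls1_process_heartbeat` (a record is type(1) | payload_length(2) | payload | padding(16), and the responder echoes `payload_length` bytes), and the "heap" bytes sitting after the record are constructed for the demo. The one extra line in the patched path is the same comparison the 1.0.1g fix added: discard any request whose claimed length does not fit in the record actually received.

```python
"""Heartbeat handling with and without the bounds check (added example,
not OpenSSL's code). The bytes that follow the record in `memory` stand in
for adjacent heap contents and are constructed for the demo."""
import struct
from typing import Optional

PADDING = 16                 # RFC 6520 requires at least 16 bytes of padding
TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; `claimed_length` lets the sender lie about the size."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([TLS1_HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * PADDING


def handle_heartbeat(memory: bytes, record_length: int, bounds_check: bool) -> Optional[bytes]:
    """Process the heartbeat record at the start of `memory`.

    `memory` is the received record followed by whatever sat after it in the
    process heap; `record_length` is the true length of the record on the wire.
    Returns the response, or None when the request is discarded."""
    hbtype = memory[0]
    payload_length = struct.unpack("!H", memory[1:3])[0]   # attacker-controlled field
    if hbtype != TLS1_HB_REQUEST:
        return None
    if bounds_check and 1 + 2 + payload_length + PADDING > record_length:
        return None       # the 1.0.1g fix: drop requests that claim more than they carry
    # Vulnerable path: copy `payload_length` bytes starting at the payload, which
    # runs past the end of the record into adjacent heap memory when the field lies.
    echoed = memory[3:3 + payload_length]
    return bytes([TLS1_HB_RESPONSE]) + struct.pack("!H", payload_length) + echoed + b"\x00" * PADDING


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    length = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + length]


# Constructed heap neighbours: a session cookie and a fake private-key fragment.
HEAP_TAIL = b"session=abc123;" + b"-----BEGIN RSA PRIVATE KEY-----demo-key-bytes"


def attack(bounds_check: bool, claimed: int = 60) -> bytes:
    """Send a 2-byte payload that claims `claimed` bytes; return what the responder leaks."""
    record = build_heartbeat(b"hi", claimed_length=claimed)
    response = handle_heartbeat(record + HEAP_TAIL, len(record), bounds_check)
    return b"" if response is None else response_payload(response)


if __name__ == "__main__":
    print("vulnerable:", attack(bounds_check=False))
    print("patched   :", attack(bounds_check=True))
```

With the check off, the reply to a 21-byte record is 60 bytes long and carries the cookie and key fragment that were never part of the request; with the check on, the same request is silently dropped and a well-formed request still gets its payload back. In the real bug the claimed length could be up to 65535 and the read crossed into whatever the allocator had placed nearby, which is why the leak was both silent and repeatable.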

Testing…

Shellshock/Bashdoor (September 2014)


Shellshock

Security bug in the Unix Bash shell.

Allows an attacker to execute arbitrary commands remotely on vulnerable versions, wherever untrusted input reaches Bash through an environment variable (for example a CGI web server passing HTTP headers to a script).

Registered under CVE-2014-6271 (the first of a series: the initial patch was incomplete, and follow-ups such as CVE-2014-7169 cover the remaining bypasses).

Affected systems:

Linux, BSD and Mac OS X distributions

All unpatched Bash versions from 1.14 through 4.3 (i.e. every release up to that date) are at risk.

Test on your system:

```bash
env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
```

If the output includes "Bash is vulnerable!", the shell executed code that came from the value of an environment variable, which is exactly the bug. A patched Bash prints only "Bash Test".

Testing…

How to fix Shellshock?

Update Bash to a version that includes the fixes for CVE-2014-6271 and its follow-up CVEs (the first patch was incomplete), then re-run the test above.


What issues need to be addressed?

Focus on 2 critical issues

Social Engineering

Web Application Attacks


Social Engineering

Social engineering is the hacker/attacker's clever manipulation of the natural human tendency to trust, to obtain information that will allow him to gain unauthorized access to a valued system. (Social Engineering Fundamentals)

90% of successful hacking activities are done using social engineering.

Steps in Social Engineering

Information Gathering

Profile the target on social networking sites

Mail-outs

Forensic analysis

Facebook apps

Developing Relationships

Cognitive biases (returning a favor, shared interests)

Exploitation

People become less reasonable when in a state of shock or strong emotion.


Types of Social Engineering Attacks

Physical

Shoulder surfing

Dumpster diving (ex. Argo)

Tailgating

War driving, chalking, walking

etc.

Online

Phishing

Pharming

Spear phishing

Vishing

Countermeasures

Create, implement and harden security policies

People easily forget policies; they need enforcement.

Comply with physical security standards

Are doors locked? Do security guards check all students for ID?

Security Awareness Training for employees

This should be done periodically.

Resistance Training for specified employees

Social Engineering Land Mines (SANS, David Gragg)

Call-back policy, key questions, bogus questions

Incident Response


Web Application Attacks

A lot of people use the Internet and do transactions there.

Many websites are never checked for whether they are safe for users to use.

It is possible that an application follows proper coding standards but the versions or functions it relies on (frameworks, libraries, built-in functions) are vulnerable.

Usual attacks:

SQL Injection

Cross Site Scripting (XSS)

Session Hijacking

Directory Traversal

Cross Site Request Forgery (CSRF)

WebGoat demonstration

Download it here - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
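The first item on that list, SQL injection, comes down to one mistake: building the query text out of user input. The block below is an added example (not from the original slides and not a WebGoat lesson) that runs the same login against a constructed in-memory SQLite table twice, once with the input pasted into the SQL and once with placeholders; the user table and the two payloads are made up for the demo, and passwords are stored in clear only to keep the query short, where a real application would compare password hashes.

```python
"""SQL injection in a login query: vulnerable and parameterised side by side.
Added example, not from the original slides or WebGoat. The user table is a
constructed in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct horse battery", "admin"), ("alice", "s3cret", "student")],
    )
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """User input is spliced into the SQL text, so quotes in the input rewrite the query."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return db.execute(sql).fetchone()


def login_safe(db: sqlite3.Connection, username: str, password: str):
    """Placeholders send the values separately from the SQL, so they are only ever data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


# Two classic payloads: comment out the password check, or make the WHERE always true.
PAYLOADS = {
    "comment": ("admin' --", "anything"),
    "tautology": ("x' OR '1'='1", "x' OR '1'='1"),
}


def demo() -> dict:
    """Run every payload through both logins; returns {payload: {'vulnerable': row, 'safe': row}}."""
    db = make_db()
    return {
        name: {"vulnerable": login_vulnerable(db, u, p), "safe": login_safe(db, u, p)}
        for name, (u, p) in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Both payloads log the attacker in as `admin` through `login_vulnerable` and are rejected by `login_safe`, because with placeholders the quote and the `--` never reach the SQL parser as syntax. The same rule applies to every database driver and ORM: keep the query text constant and pass values as parameters.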


Web Application Security Advice

Include security in all SDLC steps.

Refer to the Open Web Application Security Project

(OWASP) when writing web applications.

https://www.owasp.org/

Use both a source code analyzer (static analysis) and a vulnerability scanner (dynamic testing) to check the status of your application; each finds issues the other misses.

Information Security as a Discipline

InfoSec is a relatively new field.

It is starting to grow because a lot of businesses are moving online.

Money held online is as real as physical money.

There are still few professionals in this field.

Supply is low, demand is high.

CS and IT major courses are good infosec foundations.

You can opt to choose infosec as a thesis topic.

Security Certifications

CompTIA – Security+

EC-Council – Certified Ethical Hacker, Certified Security Analyst, Computer Hacking Forensic Investigator etc.

SANS – GIAC Reverse Engineering Malware, Certified Incident Handler, Certified Intrusion Analyst etc.

ISACA – Certified Information Systems Auditor etc.

ISC2 – Certified Information Systems Security Professional (CISSP), etc.


Do we need a cybercrime law?

Security or Freedom?


Privacy Issues

Are we being watched?

Do we need a cybercrime law?

Of course, we need one.

R.A. 10175, the Cybercrime Prevention Act of 2012, is a mixture of several issues.

A cybercrime law should not only focus on limiting freedom of expression.

Cybercrime Law should protect the people.


What kind of cybercrime law do we need?

A law that compels for-profit organizations like banks to follow certain security standards to protect the client data held in bank accounts.

A law that compels telecom companies to ensure that data passing through their infrastructure is delivered only to its intended recipients.

A law that compels government offices to securely store the personal data held in their computer systems.

Thank you very much.

Q&A

Justin David Pineda

Coca-Cola Philippines

http://justinpineda.com