AFPSummit-IBM-information security and ethical hacking-Pantola

8/7/2019 AFPSummit-IBM-information security and ethical hacking-Pantola

1/53

2008 IBM Corporation

ISV and Developer Relations



Introduction to Information Securityand Ethical Hacking

Alexis V. Pantola, CISSP, CEH

Technical Consultant

IDR Team

IBM Philippines

March 2010


2/53





Information

is an asset which, like other important businessassets, has value to an organization andconsequently needs to be suitably protected

can exist in many forms can be printed or written on paper

stored electronically

transmitted by post or using electronic means

shown on films

spoken in conversation


3/53





Information Security

What?

Why?

How?


4/53






is the preservation of Confidentiality

ensuring that information is accessible only to those authorized tohave access

Integrity

safeguarding the accuracy and completeness of information andprocessing methods

Availability

ensuring that authorized users have access to information andassociated assets when required


5/53






protects information from a wide range of threats inorder to

ensure business continuity

minimize business damagemaximize return on investments and business

opportunities


6/53






Security = 1______________Convenience


7/53






threats

vulnerabilities

exposure

risk

safeguards

assets

which are

endangered by exploits

which

results in

which iswhich is

mitigated by

which

protects


8/53





Information Security Audit

is a process of evaluating the assets, its threats andvulnerabilities, and its possible safeguards


9/53





The Threat is Real

In 1995, Kevin Mitnick was in

possession of 20,000 credit

card numbers.

In 2005, First PhilippineHacking Case (NEDA vs JJ

Maria Giner) that ended in aconviction is the first Filipino


10/53


11/53





Threats are Increasing

Attack Tools are

widely available.

Many are for

free!!!


12/53





Threats are Increasing


13/53





Vulnerabilities Exist

Buggy application software due to time to marketpressure

Buggy Operating Systems and poor default settings most OS are insecure out of the box


14/53






- CERT 2008

Vulnerabilities Reported

0

1000

2000

3000

4000

5000

6000

7000

8000

9000

1994 1996 1998 2000 2002 2004 2006 2008

Year

No.ofVulnera

bilities


15/53







16/53





Incidents on the Rise

- CERT 2002

Incidents

0

10000

20000

30000

40000

50000

60000

70000

80000

90000

1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999*

2000 20012002+

Incidents


17/53





The Result

Financial Loss

Regulatory Actions

Blemished Reputation

Hacker may have stolen personalidentifiable information for 26,000

employees..ComputerWorld, June 22, 2006


18/53





Security Trends2003 CSI/FBI Computer Crime and Security Survey

530 respondentsUnauthorized use of computer systems

Yes 56%

No 29%

Dont know 15%

Point of attack Internet 78%

Internal 30%

Remote dial-in 18%

S

S


19/53





Why is the Situation Getting Worse?

the Internetmultiple connections into corporate network

mobile users, partners, suppliers, customers, public

need to be open for e-business 24x7risk impact of new applications not understood

underestimates impact of security breach (e.g. web

defacement)conflicting roles of system admin and security

admin - often the same person


20/53

ISV d D l R l ti

ISV d D l R l ti


21/53





Best Practices in Information Security

Management supportSound corporate security policy

Defense in depth: Internal and external

Effective awareness and training program

Information security audit

Constant monitoring of intrusions/attempts

Incidence Response

Business Continuity Management

ISV d D l R l ti

ISV d D l R l ti


22/53





Information Security AuditData Gathering

ThreatIdentification

VulnerabiltyIdentification

Control Analysis

LikelihoodDetermination

Impact Analysis

RiskDetermination

ControlRecommendation

RemediationRisk Assessment

ReportSecurity Policy

Validation

ResultDocumentation

Security PolicyUpdate

ISV d D l R l ti

ISV d D l R l ti


23/53





Vulnerability Identification and Control Remediation

Ethical Hackingand Countermeasures




24/53





Hacker and Hacking

Hacker refers to a person who enjoys learning the details of computer

systems and stretch their capabilities

Hacking describes the rapid development of new programs or reverse

engineering of already existing software to make the code better, andefficient




25/53





Ethical Hacker vs Cracker

Cracker Ethical Hackerrefers to a person who uses his hacking skills

for offensive purposesrefers to security professionals who applytheir hacking skills for defensive purposes

individuals with extraordinary computingskills, resorting to malicious or destructive

activities

individuals professing hacker skills and usingthem for defensive purposes

Black Hats White Hats




26/53





DOs and DONTs of Ethical Hacking

DO DONTDO ask permission when hacking someone

elses systemDONT do anything irreversible




27/53





Ethical Hacking

Casing theEnvironment

NetworkHacking

SoftwareHacking

SystemHacking

Social EngineeringFootprintingScanningEnumeration

Hacking

Windows/Linux OSVirusTrojans andBackdoors

Session Hijacking

SniffingDenial of ServiceWireless NetworkHacking

Web Application

HackingPassword CrackingBuffer OverflowCryptography




28/53





Sniffing

PassiveActive




29/53





Sniffing - Passive




30/53





Sniffing - Passive




31/53





Sniffing - Passive




32/53





Sniffing - Passive




33/53





Sniffing - Passive




34/53





Sniffing - Passive




35/53

p


p


Sniffing - Active

Our network is NOT susceptible to sniffingsince we are using a switch

WRONG!!!

ARP Poisoning




36/53

p


p


1

2

3

H VIP: 192.168.1.2MAC: BB

IP: 192.168.1.3MAC: CC

IP: 192.168.1.1MAC: AA

Port MAC

1 BB

2 AA

3 CC

IP MAC

192.168.1.1 AA192.168.1.3 CC

IP MAC

192.168.1.1 AA192.168.1.2 BB

IP MAC

192.168.1.2 BB

192.168.1.3 CC

ARP PoisoningS


37/53




38/53

p


p


me

ARP Poisoning

Student B

Student A




39/53

2008 IBM Corporation 2010 IBM Corporation

1

2

3

H VIP: 192.168.1.2MAC: BB

IP: 192.168.1.3MAC: CC

IP: 192.168.1.1MAC: AA

Port MAC

1 BB

2 AA

3 CC

IP MAC

192.168.1.1 AA192.168.1.3 CC

IP MAC

192.168.1.1 AA192.168.1.2 BB

IP MAC

192.168.1.2 BB

192.168.1.3 CC

ARP PoisoningS




40/53


1

2

3

H VIP: 192.168.1.2MAC: BB

IP: 192.168.1.3MAC: CC

IP: 192.168.1.1MAC: AA

Port MAC

1 BB

2 AA

3 CC

IP MAC

192.168.1.1 AA192.168.1.3 CC

IP MAC

192.168.1.1 BB192.168.1.2 BB

IP MAC

192.168.1.2 BB

192.168.1.3 BB

ARP PoisoningS




41/53


1

2

3

H VIP: 192.168.1.2MAC: BB

IP: 192.168.1.3MAC: CC

IP: 192.168.1.1MAC: AA

Port MAC

1 BB

2 AA

3 CC

IP MAC

192.168.1.1 AA192.168.1.3 CC

IP MAC

192.168.1.1 BB192.168.1.2 BB

IP MAC

192.168.1.2 BB

192.168.1.3 BB

ARP PoisoningS




42/53


Session Hijacking

Cross-site Scripting




43/53


Session Hijacking Cross Site Scripting




44/53






45/53






46/53






47/53






48/53


Rational AppScan

is an automated tool used to perform vulnerabilityassessments on Web Applications

scans web applications, finds security issues andreports on them in an actionable fashion

Used by: Security Auditors main users today

QA engineers when the auditors become the bottle neck

Developers to find issues as early as possible (most efficient)

ibm.com/developerworks




49/53


Rational AppScan




50/53


Rational AppScan




51/53


Rational AppScan




52/53


Ethical Hacker

tries to answer: What can the intruder see on a target system?

What can an intruder do with that information?

Does anyone at the target notice the intruders attempts or success?

If you know the enemy and know yourself,

you need not fear the results of a hundred battles.-Sun Tzu, Art of War


53/53





Introduction to Information Securityand Ethical Hacking

Contact Us:

[email protected]@ph.ibm.com

Documents

AFPSummit-IBM-information security and ethical hacking-Pantola