Application Security (original title: An ninh ứng dụng)

Upload: than-dung

Post on 05-Apr-2018

TRANSCRIPT

  • 7/31/2019 Ann in Hung Dung (Slide 1/31)

    MISOFT

    Nng 1 -0 -2007 Dr. Vu Quoc Thanh, CISA

    Dr. Vu Quoc Thanh, CISA (Certified Information System Auditor)

    General Director, MISOFT Company

    Some issues in application security

  • Slide 2/31

    What is application security?

    Layers shown on the slide: Policy; Application Security; Operating System Security; Infrastructure Security.

  • Slide 3/31

    What do the international standards say?

    ISO 17799, ISO 27001, PCI, Cobit 4.0, GLBA, SOX, HIPAA, FFIEC

  • Slide 4/31

    Information security (ATTT) is being standardized:

    Ct B 2006

  • Slide 5/31

    Information security (ATTT) is being standardized:

    Nng 2007

  • Slide 6/31

    Information security (ATTT) is being standardized:

    Development has started (new name for ISO/IEC 18028 on IT network security)

  • Slide 7/31

    Information security content according to ISO

    1. Security Policy
    2. Organizing Information Security
    3. Information Security Incident Management
    4. Identifying, classifying and managing resources (Asset Management)
    5. Human Resources Security
    6. Physical and Environmental Security
    7. Communications and Operations Management
    8. Access Control
    9. Equipping, developing and maintaining systems (Information Systems Acquisition, Development and Maintenance)
    10. Business Continuity Management
    11. Compliance with laws and regulations (Compliance)

  • Slide 9/31

    PCI: 12 requirements

    Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
    3. Protect stored data
    4. Encrypt transmission of cardholder data and sensitive information across public networks

    Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
    7. Restrict access to data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

    Maintain an Information Security Policy
    12. Maintain a policy that addresses information security

    Highlighted on the slide: 6. Develop and maintain secure systems and applications

  • Slide 10/31

    Do Vietnamese regulations address it?

    LAW: Electronic Transactions
    DECREE: On electronic transactions in banking activities
    DIRECTIVE 03: Strengthening information security on the Internet
    Regulation: Safety and security of IT systems in the Banking sector

  • Slide 11/31

    Why application security?

    Share of attacks versus share of security spending (Sources: Gartner, Watchfire):

    Network/Server: 25% of attacks, 90% of security dollars
    Web Applications: 75% of attacks, 10% of security dollars

    75% of all attacks on information security are directed to the web application layer.
    2/3 of all web applications are vulnerable.

    Attack types: Buffer Overflow, Cookie Poisoning, Hidden Fields, Cross Site Scripting, Stealth Commanding, Parameter Tampering, Forceful Browsing, SQL Injection, etc.

    75% of attacks are carried out from the inside (Source: CSI/FBI, USA).

    Organizations spend a great deal of money and effort building network protection systems, yet let users easily reach deep into application systems with nothing more than a simple username and password (Source: Gartner).

  • Slide 12/31

    Application attacks pass through every network defense layer

    Desktop: Antivirus Protection
    Transport: Encryption (SSL)
    Network: Firewalls/IPS
    Web Applications: Strong Authentication, Manual Patching and Code Review

  • Slide 13/31

    Difficulties

  • Slide 14/31

    What are the main technology issues of application security (ANUD)?

    I. Authentication ++
    II. Integrating application security into the development process
    III. Web application security
    IV. Data and database security

  • Slide 15/31

    I. Authentication

    The number of malware types aimed at stealing passwords rose more than 425% from 5/2005 to 5/2006 (Anti-Phishing Working Group 2006).

  • Slide 16/31

    Identity theft

    In 2005, in the US alone, as many as 8.9 million adults (4% of US adults) became victims of identity theft (Javelin Strategy 2006). The number of identity-theft web sites using phishing techniques rose more than 360% from 5/2005 to 5/2006 (Anti-Phishing Working Group 2006).

    The world market for anti-identity-theft authentication technologies reached $200M USD in 2006 (UBS 2006).

    Is identity theft a crime or not?

  • Slide 17/31

    2FA authentication technologies

    Product / authentication technology                      Portability  Ease of use  Security  Investment cost  Manageability  Integration
    One-Time-Password Tokens                                      5            3           4            2              2             5
    OTP service                                                   5            4           4            3              3             5
    Smart Card (EMV)                                              5            3           5            3              3             5
    PIN/TAN number authentication                                 5            5           3            3              3             5
    IdentityGuard number matrix                                   5            5           5            4              4             5
    Mobile authentication                                         4            3           5            3              5             5
    Entering the authentication value on a virtual keyboard       5            3           2            5              5             2
    Authentication with a list of number sequences                5            2           2            4              5             2

    Scale: 1 = poor, 5 = very good. Source: Forrester Research (a firm that researches and evaluates technology products).

  • Slide 19/31

    II. Integrating application security into the development process

    Phases shown: Analysis, Adoption, Design, Development/Testing, repeated over Iterations, with a Security Team involved.

  • Slide 20/31

    The application security team

    Security Architect: responsible for the overall design
    Security Analyst: responsible for requirements and for building the Misuse Cases
    Unit Hacker: hacks the units/modules and produces remediation guidance
    Application Security Configurator

  • Slide 21/31

    III. Web application security

    Hackers attack from the outside:

  • Slide 22/31

    Goals of hacking web applications

    Deface the home page
    Steal information
    Bring down the service (DoS/DDoS)
    Take money

  • Slide 23/31

    Web application hacking trends

    The 2 most common vulnerabilities in 2006: 21.5% Cross Site Scripting, 14% SQL injection.

    Web application vulnerabilities accounted for 69% of all vulnerabilities recorded in the first half of 2006.

  • Slide 24/31

    Cross Site Scripting (XSS) attacks

    How? In form fields; in the URL; from phishing.

    What can it do? Load pages from other sites; capture cookies; modify data contents; execute commands on the OS.

  • Slide 25/31

    The concept of Cross-Site Scripting

    It is an attack on internet users who are legitimately connected to a web server that has a weakness.

    The weakness is on the web server, but the target of the attack is the client.

    The client is tricked into running the hacker's script, with the flawed web server acting as the intermediary.

  • Slide 26/31

    Example of XSS (CSS) in Internet Banking

    Parties: User, Bank.com, Attacker.com

    1. The user logs in at http://bank.com/login/ and receives the web page plus cookies (InternetBankingCookie).
    2. The attacker plants a malicious link on a web page or in an email.
    3. The malicious link points at http://bank.com/account.jsp? with code attached that sends the cookie to attacker.com.
    4. Bank.com reflects that code back to the user (Reflected Code).
    5. The code is executed in the user's browser and sends the InternetBankingCookie to attacker.com.

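The two server-side controls that break the reflected-cookie flow above, as an added example that is not part of the original slides: output encoding of the reflected parameter, and an HttpOnly session cookie. Function names, the page template and the probe string are constructed for this illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample value: a reflected parameter carrying a script tag, the
# "Reflected Code" of the slide's bank.com/account.jsp flow. The tag body is an
# inert comment, not a working payload.
SCRIPT_INPUT = "<script>/* constructed probe */</script>"


def render_account_page(display_name: str, escape: bool = True) -> str:
    """Render the account page greeting.

    escape=False reproduces the flaw on the slide: the request parameter is
    copied into the HTML as-is, so any markup in it becomes part of the page.
    escape=True is the fix: html.escape() turns < > & " ' into entities, so
    the browser displays the text instead of executing it.
    """
    safe_name = html.escape(display_name) if escape else display_name
    return f"<h1>Welcome, {safe_name}</h1>"


def contains_active_script(page: str) -> bool:
    """Crude response check for a test harness: is a live <script> tag present?"""
    return "<script" in page.lower()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the slide's InternetBankingCookie with defensive flags.

    HttpOnly keeps document.cookie from reading it, so even a reflected script
    that does run cannot forward it to attacker.com; Secure and SameSite=Strict
    limit where the browser will send it.
    """
    jar = SimpleCookie()
    jar["InternetBankingCookie"] = session_id
    jar["InternetBankingCookie"]["httponly"] = True
    jar["InternetBankingCookie"]["secure"] = True
    jar["InternetBankingCookie"]["samesite"] = "Strict"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_account_page(SCRIPT_INPUT, escape=False))  # tag survives
    print(render_account_page(SCRIPT_INPUT))                # tag neutralised
    print(session_cookie_header("constructed-session-id"))
```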
  • Slide 27/31

    SQL Injection attacks

    Hacker -> Web Site. Form field: "John Doe" / "select * from accounts..."

    How? Insert SQL into form fields.

    What can it do? Read, write, or modify the database.

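The form-field flaw on the slide beside its fix, as an added example that is not from the original slides: a query built by string concatenation versus a bound parameter, plus a constructed log-side heuristic for spotting SQL-shaped form input. The in-memory table, the sample rows and all function names are constructed for this illustration.

```python
import re
import sqlite3

# Constructed in-memory data standing in for the slide's "accounts" table.
SAMPLE_ACCOUNTS = [("John Doe", 1200), ("Jane Roe", 870), ("O'Brien", 15)]


def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """The flaw on the slide: the form-field value is spliced into the SQL text.

    Whatever the user typed is parsed as SQL. Even a legitimate name with an
    apostrophe breaks the statement (a syntax error here); crafted input would
    change its meaning instead.
    """
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """The fix: a bound parameter. The driver passes the value separately from
    the statement, so it is only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


# Detection aid for request logs (constructed heuristic): flags form-field
# values that look like SQL rather than a name. It is not a substitute for
# lookup_safe(); it only helps a defender notice probing in logged input.
SQL_PATTERN = re.compile(r"\b(select|union|insert|update|delete|drop)\b|--|;", re.I)


def suspicious_form_input(value: str) -> bool:
    return SQL_PATTERN.search(value) is not None


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup_safe(db, "John Doe"))   # [('John Doe', 1200)]
    print(lookup_safe(db, "O'Brien"))    # [("O'Brien", 15)]: the quote is just data
    print(suspicious_form_input("select * from accounts"))  # True
```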
  • Slide 28/31

    The 10 most serious web application vulnerabilities according to OWASP

    1. Input data is not validated
    2. Flawed access control to resources
    3. Flaws in authentication and session management
    4. Cross Site Scripting (XSS)
    5. Buffer overflow
    6. (SQL) Injection
    7. Improper error handling
    8. Insecure storage of information
    9. Denial-of-service attacks
    10. Insecure configuration management

  • Slide 29/31

    Tools for scanning web application systems for vulnerabilities

    Layers: Database, Operating System, Web Server, Web Application, Web Services
    Scanner types: Database Scanners, Host Scanners, Network Scanners, Web Application Scanners

  • Slide 30/31

    Web application firewalls

    WAF - Web Application Firewalls (NetContinuum)

    Users -> Network Firewall -> Web Application -> Database (CSDL)

  • Slide 31/31

    IV. Data and database security

    Protecting data in transit. Problem: is it leaked, copied, sent outside? Measures: encryption, digital signatures, Data Leakage Prevention (DLP) software, software that controls information entering and leaving devices (Device Protector), ...

    Protecting stored data. Problem: is the database intruded into (including by legitimate users), copied, damaged? Measures: database encryption, database auditing, database vulnerability scanning, ...