-
8/7/2019 AFPSummit-IBM-information security and ethical hacking-Pantola
1/53
2008 IBM Corporation
ISV and Developer Relations
2010 IBM Corporation
ISV and Developer Relations
Introduction to Information Security and Ethical Hacking
Alexis V. Pantola, CISSP, CEH
Technical Consultant
IDR Team
IBM Philippines
March 2010
-
Information
is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected
can exist in many forms:
printed or written on paper
stored electronically
transmitted by post or using electronic means
shown on films
spoken in conversation
-
Information Security
What?
Why?
How?
-
Information Security
is the preservation of:
Confidentiality: ensuring that information is accessible only to those authorized to have access
Integrity: safeguarding the accuracy and completeness of information and processing methods
Availability: ensuring that authorized users have access to information and associated assets when required
-
Information Security
protects information from a wide range of threats in order to:
ensure business continuity
minimize business damage
maximize return on investments and business opportunities
-
Information Security
Security = 1 / Convenience
(the more convenient a system is made for its users, the less secure it tends to be, and vice versa; every control is a trade-off against usability)
-
Information Security
How threats, vulnerabilities, exposure, risk, safeguards and assets relate:
assets are endangered by threats
threats exploit vulnerabilities
an exploited vulnerability results in exposure
exposure is risk
risk is mitigated by safeguards
safeguards protect assets
-
Information Security Audit
is a process of evaluating an organization's assets, the threats and vulnerabilities that apply to them, and the possible safeguards
-
The Threat is Real
In 1995, Kevin Mitnick was in possession of 20,000 credit card numbers.
In 2005, the first Philippine hacking case (NEDA vs JJ Maria Giner) that ended in a conviction is the first Filipino
-
Threats are Increasing
Attack tools are widely available. Many are free!
-
Vulnerabilities Exist
Buggy application software due to time-to-market pressure
Buggy operating systems and poor default settings: most operating systems are insecure out of the box
-
Vulnerabilities Exist
[Chart: number of vulnerabilities reported per year, 1994 to 2008; y-axis 0 to 9,000 (source: CERT, 2008)]
-
Incidents on the Rise
[Chart: number of incidents reported per year, 1988 to 2002; y-axis 0 to 90,000 (source: CERT, 2002)]
-
The Result
Financial Loss
Regulatory Actions
Blemished Reputation
"Hacker may have stolen personally identifiable information for 26,000 employees." (ComputerWorld, June 22, 2006)
-
Security Trends: 2003 CSI/FBI Computer Crime and Security Survey (530 respondents)
Unauthorized use of computer systems:
Yes 56%
No 29%
Don't know 15%
Point of attack:
Internet 78%
Internal 30%
Remote dial-in 18%
-
Why is the Situation Getting Worse?
the Internet: multiple connections into the corporate network
mobile users, partners, suppliers, customers, the public
need to be open for e-business 24x7
risk impact of new applications not understood
impact of a security breach underestimated (e.g. web defacement)
conflicting roles of system admin and security admin, often the same person
-
Best Practices in Information Security
Management support
Sound corporate security policy
Defense in depth: internal and external
Effective awareness and training program
Information security audit
Constant monitoring of intrusions/attempts
Incident Response
Business Continuity Management
-
Information Security Audit
Risk Assessment:
Data Gathering
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood Determination
Impact Analysis
Risk Determination
Control Recommendation
Result Documentation
Remediation
Security Policy Validation
Security Policy Update
Report
-
Vulnerability Identification and Control Remediation
Ethical Hacking and Countermeasures
-
Hacker and Hacking
Hacker: refers to a person who enjoys learning the details of computer systems and stretching their capabilities
Hacking: describes the rapid development of new programs or the reverse engineering of existing software to make the code better and more efficient
-
Ethical Hacker vs Cracker
Cracker: refers to a person who uses his hacking skills for offensive purposes; individuals with extraordinary computing skills, resorting to malicious or destructive activities (Black Hats)
Ethical Hacker: refers to security professionals who apply their hacking skills for defensive purposes; individuals professing hacker skills and using them for defensive purposes (White Hats)
-
DOs and DONTs of Ethical Hacking
DO ask permission when hacking someone else's system
DON'T do anything irreversible
-
Ethical Hacking
Casing the Environment: Social Engineering, Footprinting, Scanning, Enumeration
Network Hacking: Session Hijacking, Sniffing, Denial of Service, Wireless Network Hacking
System Hacking: Hacking Windows/Linux OS, Viruses, Trojans and Backdoors
Software Hacking: Web Application Hacking, Password Cracking, Buffer Overflow, Cryptography
-
Sniffing
Passive
Active
-
Sniffing - Passive
-
Sniffing - Active
"Our network is NOT susceptible to sniffing since we are using a switch."
WRONG!!!
A switch forwards each frame only to the port of its destination MAC, so a passive sniffer on another port sees no traffic addressed to other hosts. ARP poisoning defeats this: the attacker sends forged ARP replies so that the victims' ARP caches map other hosts' IP addresses to the attacker's MAC, and the switch then delivers their traffic to the attacker's port.
ARP Poisoning
-
ARP Poisoning: before
Switch port table:
Port  MAC
1     BB
2     AA
3     CC
Hosts: 192.168.1.1 (MAC AA) on port 2; 192.168.1.2 (MAC BB, the hacker, H) on port 1; 192.168.1.3 (MAC CC) on port 3
ARP cache of 192.168.1.1 (AA):
192.168.1.2  BB
192.168.1.3  CC
ARP cache of 192.168.1.2 (BB):
192.168.1.1  AA
192.168.1.3  CC
ARP cache of 192.168.1.3 (CC):
192.168.1.1  AA
192.168.1.2  BB
-
ARP Poisoning (classroom demo): me, Student A, Student B
-
ARP Poisoning: after
Switch port table unchanged:
Port  MAC
1     BB
2     AA
3     CC
ARP cache of 192.168.1.1 (AA):
192.168.1.2  BB
192.168.1.3  BB   (poisoned; the real MAC is CC)
ARP cache of 192.168.1.2 (BB, the hacker), unchanged:
192.168.1.1  AA
192.168.1.3  CC
ARP cache of 192.168.1.3 (CC):
192.168.1.1  BB   (poisoned; the real MAC is AA)
192.168.1.2  BB
Frames that 192.168.1.1 and 192.168.1.3 now send to each other carry destination MAC BB, so the switch delivers them to port 1. The hacker reads them and relays them to the real destination, so neither victim notices anything.
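The attack in the two ARP-table diagrams above, as an added example that is not part of the original slides: a Python simulation with the three hosts, the switch port table and the hacker (BB) sending forged ARP replies so that AA and CC map each other's IP address to BB. It also shows a passive detector of the kind arpwatch implements (alert when an IP address changes MAC) and a static-ARP variant of the hosts as the countermeasure. The full 48-bit MAC addresses, the Host, Switch and ArpWatch classes and the order of frames are assumptions made for this example; real stacks differ in exactly when they overwrite a cache entry.

```python
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

# The three hosts from the slide. The slide abbreviates the MACs to AA/BB/CC; the
# full addresses below are assumptions made for this example.
MAC_AA, MAC_BB, MAC_CC = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
IP_AA, IP_BB, IP_CC = "192.168.1.1", "192.168.1.2", "192.168.1.3"


def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _mac_s(b): return ":".join(f"{x:02x}" for x in b)
def _ip(s): return bytes(int(o) for o in s.split("."))
def _ip_s(b): return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by a 28-byte ARP reply in RFC 826 field order.
    A forged reply is byte-for-byte the same shape as a genuine one; only sender_mac lies."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # htype, ptype, hlen, plen, op
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": _mac_s(frame[22:28]), "sender_ip": _ip_s(frame[28:32]),
            "target_mac": _mac_s(frame[32:38]), "target_ip": _ip_s(frame[38:42])}


class Host:
    """A host whose ARP cache accepts any reply addressed to it, as most stacks do.
    With static=True the cache is pinned (static ARP entries), the classic countermeasure."""

    def __init__(self, ip, mac, static=False):
        self.ip, self.mac, self.static = ip, mac, static
        self.arp_cache = {}

    def receive(self, frame):
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY and arp["target_ip"] == self.ip and not self.static:
            # No check that this answers a request we sent: that is the weakness.
            self.arp_cache[arp["sender_ip"]] = arp["sender_mac"]


class Switch:
    """Forwards by destination MAC using its port table; it never looks inside ARP."""

    def __init__(self, port_table):
        self.port_table = port_table      # MAC -> Host attached to that port

    def forward(self, frame):
        host = self.port_table.get(_mac_s(frame[0:6]))
        if host:
            host.receive(frame)


class ArpWatch:
    """Passive detector: alert when an IP seen with one MAC shows up with another."""

    def __init__(self):
        self.seen, self.alerts = {}, []

    def observe(self, frame):
        arp = parse_arp(frame)
        if not arp or arp["op"] != ARP_REPLY:
            return
        old = self.seen.get(arp["sender_ip"])
        if old and old != arp["sender_mac"]:
            self.alerts.append(f"{arp['sender_ip']} changed {old} -> {arp['sender_mac']}")
        self.seen[arp["sender_ip"]] = arp["sender_mac"]


def run_poisoning(static_entries=False):
    """Replay the slide: BB tells AA that 192.168.1.3 is at BB and tells CC that
    192.168.1.1 is at BB. Returns (AA's cache, CC's cache, detector alerts)."""
    aa = Host(IP_AA, MAC_AA, static_entries)
    bb = Host(IP_BB, MAC_BB)
    cc = Host(IP_CC, MAC_CC, static_entries)
    aa.arp_cache = {IP_BB: MAC_BB, IP_CC: MAC_CC}   # "before" tables from the slide
    cc.arp_cache = {IP_AA: MAC_AA, IP_BB: MAC_BB}
    switch = Switch({MAC_AA: aa, MAC_BB: bb, MAC_CC: cc})
    watch = ArpWatch()
    genuine = [build_arp_reply(MAC_AA, IP_AA, MAC_CC, IP_CC),
               build_arp_reply(MAC_CC, IP_CC, MAC_AA, IP_AA)]
    forged = [build_arp_reply(MAC_BB, IP_CC, MAC_AA, IP_AA),   # to AA: ".3 is at BB"
              build_arp_reply(MAC_BB, IP_AA, MAC_CC, IP_CC)]   # to CC: ".1 is at BB"
    for frame in genuine + forged:
        watch.observe(frame)      # a monitor port sees every ARP reply on the segment
        switch.forward(frame)
    return aa.arp_cache, cc.arp_cache, watch.alerts


if __name__ == "__main__":
    print(run_poisoning())
```

On a real segment the same 42-byte frames would be written to a raw socket (or sent by a tool such as arpspoof or ettercap) and the hacker would also enable IP forwarding so the relayed traffic keeps flowing. The detector only works if it has seen the genuine mapping first, which is why arpwatch-style tools keep a persistent database; pinning entries with static ARP, or enabling Dynamic ARP Inspection on a switch that validates replies against DHCP snooping data, stops the cache from being overwritten in the first place.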
-
Session Hijacking
Cross-site Scripting
-
Rational AppScan
is an automated tool used to perform vulnerability assessments on Web applications
scans web applications, finds security issues and reports on them in an actionable fashion
Used by:
Security auditors: main users today
QA engineers: when the auditors become the bottleneck
Developers: to find issues as early as possible (most efficient)
ibm.com/developerworks
-
Ethical Hacker
tries to answer:
What can the intruder see on a target system?
What can an intruder do with that information?
Does anyone at the target notice the intruder's attempts or success?
"If you know the enemy and know yourself, you need not fear the results of a hundred battles." (Sun Tzu, The Art of War)
-
Introduction to Information Security and Ethical Hacking
Contact Us:
[email protected]@ph.ibm.com