ethical hacking & information security - wordpress.com · 04-12-2014 · protection =...
TRANSCRIPT
Ethical Hacking & Information Security
Justin David G. Pineda, Asia Pacific College
Topics for today:
Is there such thing as ethical hacking?
What is information security?
What are issues that need to be addressed?
Information security as a discipline
Do we need a cybercrime law?
About: Justin David Pineda
Lecturer at Asia Pacific College
Currently, Sr. Application Security Specialist at The Coca-Cola Company
In the past: Security Analyst, SilverSky
BS Computer Science, DLSU
Certifications earned: Certified Ethical Hacker (CEH), CompTIA Security+, ISO 27002 Foundation, Cisco Certified Network Associate, IBM DB2 Academic Associate, Microsoft Technology Associate (MTA) Security
Is there such thing as ethical hacking?
A hacker exploits weaknesses in a computer system.
Hacking or cracking which refers to unauthorized access into or interference in a computer system… (RA 8792, E-Commerce Law)
Someone with an advanced understanding of computers and computer networks… (A Guide to the World of Computer Wizards)
Ex. Hacking with a Pringles tube (from BBC News)
What separates good from bad hackers?
They both exploit weaknesses in a computer system or network.
The difference is: permission and scope.
White hat – good guys
Black hat – bad guys
Gray hat – good in the morning; bad in the evening
With this definition, what’s the classification of Anonymous?
Hacking trend…
Steps in Hacking
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks
Reconnaissance
Observation
Research about your target
Start from online tools: Netcraft, Archive, Web Data Extractor
Job opportunities
Scanning
Look for open opportunities: nmap, hping
Firewalking
Gaining & Maintaining Access
Password Guessing
Privilege Escalation
Executing Malicious Codes
Copying files
Covering Tracks
Delete or modify audit trails
What is information security?
Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats. (U.S. National Information Systems Security)
The CIA triad
The CIA Triad explained
Confidentiality – Protection against unauthorized access.
Integrity – Protection against unauthorized modification.
Availability – Protection against Denial of Service (DoS).
Examples:
Remember the 3-way handshake!
Information Security vs. IT Security
Information Security has many domains: access control; telecommunications and network security; information security governance and risk management; software development security; cryptography; security architecture and design; operations security; business continuity and disaster recovery planning; legal, regulations, investigations and compliance; physical (environmental) security (from CISSP’s domains on ISC2).
IT Security only focuses on software and hardware technologies.
Defense in Depth
Definition of Protection: Past & Present
PROTECTION = PREVENTION
Example: Gate, Network Firewall
Problem: What if the thief climbs over the gate?
Problem 2: What if there is a DoS attempt on a web server on port 80?
Definition of Protection: Past & Present
PROTECTION = PREVENTION + (DETECTION + INCIDENT RESPONSE)
Example: Motion detector tools, anti-virus for host device, Intrusion Detection System (IDS) for network.
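The two slides above name the detection half of protection (an IDS for the network) and the earlier CIA slide points at the 3-way handshake as the thing a DoS abuses. The following is an added example, not part of the talk, of the kind of logic a network IDS runs: it reads a constructed, simplified connection log (only client-to-server packets, in a made-up "time src dst dport flags" format) and raises two alerts: a source that keeps sending SYNs to one port without ever completing the handshake (half-open connections, the SYN-flood pattern the handshake slide hints at), and a source that probes many distinct ports (the scanning step from the "Steps in Hacking" slide, seen from the defender's side). Thresholds and addresses are constructed.

```python
from collections import defaultdict

SYN_FLOOD_THRESHOLD = 5   # half-open connections from one source to one port (constructed)
PORT_SCAN_THRESHOLD = 6   # distinct destination ports probed by one source (constructed)

# Constructed sample log. Each line is "<seconds> <src> <dst> <dport> <flags>" where
# S = client SYN and A = client ACK that completes the 3-way handshake. The server's
# SYN-ACK is left out because the detector only keys on what the client does.
SAMPLE_LOG = """\
# normal client: SYN followed by the completing ACK
0 10.0.0.5 192.0.2.10 80 S
0 10.0.0.5 192.0.2.10 80 A
# 203.0.113.7 sends six SYNs to port 80 and never completes any handshake
1 203.0.113.7 192.0.2.10 80 S
1 203.0.113.7 192.0.2.10 80 S
2 203.0.113.7 192.0.2.10 80 S
2 203.0.113.7 192.0.2.10 80 S
3 203.0.113.7 192.0.2.10 80 S
3 203.0.113.7 192.0.2.10 80 S
# 198.51.100.9 touches eight different ports once each
4 198.51.100.9 192.0.2.10 21 S
4 198.51.100.9 192.0.2.10 22 S
4 198.51.100.9 192.0.2.10 23 S
5 198.51.100.9 192.0.2.10 25 S
5 198.51.100.9 192.0.2.10 80 S
5 198.51.100.9 192.0.2.10 443 S
6 198.51.100.9 192.0.2.10 3389 S
6 198.51.100.9 192.0.2.10 8080 S
"""


def parse_log(text):
    """Turn the constructed log text into (t, src, dst, dport, flags) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, dst, dport, flags = line.split()
        events.append((int(t), src, dst, int(dport), flags))
    return events


def half_open_by_source(events):
    """SYNs minus completing ACKs, per source address (a real IDS would also age these out)."""
    counts = defaultdict(int)
    for _t, src, _dst, _dport, flags in events:
        if flags == "S":
            counts[src] += 1
        elif flags == "A" and counts[src] > 0:
            counts[src] -= 1
    return dict(counts)


def detect(events):
    """Return a sorted list of (alert_kind, src) pairs found in the events."""
    half_open = defaultdict(int)   # (src, dport) -> SYNs not yet completed by an ACK
    ports_seen = defaultdict(set)  # src -> distinct destination ports it sent SYNs to
    alerts = set()
    for _t, src, _dst, dport, flags in events:
        if flags == "S":
            half_open[(src, dport)] += 1
            ports_seen[src].add(dport)
        elif flags == "A" and half_open[(src, dport)] > 0:
            half_open[(src, dport)] -= 1   # handshake completed: no longer half-open
        # Keyed per (src, port) so a port sweep (one SYN per port) does not count as a flood.
        if half_open[(src, dport)] >= SYN_FLOOD_THRESHOLD:
            alerts.add(("syn_flood", src))
        if len(ports_seen[src]) >= PORT_SCAN_THRESHOLD:
            alerts.add(("port_scan", src))
    return sorted(alerts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("half-open per source:", half_open_by_source(evs))
    for kind, src in detect(evs):
        print(f"ALERT {kind}: {src}")
```

The point of keeping the half-open counter per (source, port) rather than per source is visible in the output: the port sweep never trips the flood rule, and the flood never trips the scan rule, so each alert tells the responder something different. Detection is only half of the slide's formula; the alert still has to land in an incident-response process.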
Reality Check
You cannot eliminate all risks.
You do not have a lot of money to buy all controls to mitigate the risks.
You need to prioritize.
Least Privilege
A user/program must be able to access only the information and resources that are necessary for its legitimate purpose.
It is the essence of all domains in information security.
Separation of Duties (SOD)
The concept of having more than one person required to complete a task.
Keys to the kingdom
Example: How payroll is computed, approved, delivered etc.
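The two slides above, least privilege and separation of duties, are easy to state and easy to get wrong in code, so here is an added example (not from the talk) that applies both to the payroll case the slide mentions. Roles, users and step names are constructed. Least privilege is the role table: a clerk can only prepare, a manager can only approve, treasury can only disburse. Separation of duties is the extra rule in the workflow itself: whoever prepared a run can never approve it, and nobody who touched a run can disburse it, even if a badly assigned role (the constructed user "dave" holds both clerk and manager) gives them the permission.

```python
from dataclasses import dataclass, field

# Least privilege: each role carries only the permissions its job needs (constructed roles).
ROLE_PERMISSIONS = {
    "payroll_clerk":   {"payroll:prepare"},
    "payroll_manager": {"payroll:approve"},
    "treasury":        {"payroll:disburse"},
    "auditor":         {"payroll:read"},
}

# Constructed users. "dave" is deliberately over-privileged to show that SoD still holds.
USER_ROLES = {
    "alice": {"payroll_clerk"},
    "bob":   {"payroll_manager"},
    "carol": {"treasury"},
    "dave":  {"payroll_clerk", "payroll_manager"},
}


class AuthorizationError(Exception):
    pass


def permissions_of(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def require(user, perm):
    if perm not in permissions_of(user):
        raise AuthorizationError(f"{user} lacks {perm}")


@dataclass
class PayrollRun:
    run_id: str
    history: list = field(default_factory=list)  # (step, user): the audit trail

    def actor_of(self, step):
        return next((u for s, u in self.history if s == step), None)

    def prepare(self, user):
        require(user, "payroll:prepare")
        self.history.append(("prepare", user))

    def approve(self, user):
        require(user, "payroll:approve")
        preparer = self.actor_of("prepare")
        if preparer is None:
            raise AuthorizationError("nothing to approve yet")
        # Separation of duties: the preparer may never approve their own run,
        # regardless of which roles they hold.
        if preparer == user:
            raise AuthorizationError(f"{user} prepared run {self.run_id} and cannot approve it")
        self.history.append(("approve", user))

    def disburse(self, user):
        require(user, "payroll:disburse")
        if self.actor_of("approve") is None:
            raise AuthorizationError("run not approved")
        # A third, independent person moves the money.
        if user in {self.actor_of("prepare"), self.actor_of("approve")}:
            raise AuthorizationError(f"{user} already took part in run {self.run_id}")
        self.history.append(("disburse", user))


def run_payroll(run_id, preparer, approver, payer):
    """Drive one run through all three steps; returns the audit trail or raises."""
    run = PayrollRun(run_id)
    run.prepare(preparer)
    run.approve(approver)
    run.disburse(payer)
    return run.history


def try_run_payroll(run_id, preparer, approver, payer):
    """Like run_payroll but reports the outcome: ("ok", history) or ("denied", reason)."""
    try:
        return "ok", run_payroll(run_id, preparer, approver, payer)
    except AuthorizationError as e:
        return "denied", str(e)


if __name__ == "__main__":
    print(try_run_payroll("2014-12", "alice", "bob", "carol"))   # ok
    print(try_run_payroll("2014-12", "dave", "dave", "carol"))   # denied by SoD
    print(try_run_payroll("2014-12", "alice", "alice", "carol")) # denied by least privilege
```

Note which rule fires in each denied case: "alice" approving her own run fails on the permission check (least privilege), while "dave" fails on the workflow rule even though his roles would permit it (separation of duties). Keeping the audit trail in the run object is what makes the second rule enforceable at all.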
Policies
HR Policies
Clean desk policy
Acceptable Use Policy
Internet policy
Data security policy
Password Policy
Physical Security
Natural barriers
Authentication (something that you know, something that you have, something that you are)
Gates and dogs
Guards
Network Security
Firewalls
Intrusion Detection Systems (IDS)
Unified Threat Management (UTM)
Data Loss Prevention (DLP)
Host Security
Port Security
Anti-virus
User access (standard, admin, super admin)
Application Security
Encryption
Patches, hotfixes
What issues need to be addressed?
Focus on 2 critical issues:
Social Engineering
Web Application Attacks
Social Engineering
Social engineering is the hacker/attacker's clever manipulation of the natural human tendency to trust to obtain information that will allow him to gain unauthorized access to a valued system. (Social Engineering Fundamentals)
90% of successful hacking activities are done using social engineering.
Steps in Social Engineering
Information Gathering: stalking on social networking sites, mail-outs, forensic analysis, Facebook apps
Developing Relationships: cognitive biases (returning the favor, shared interests)
Exploitation: people become less reasonable when in a state of shock or strong affect.
Types of Social Engineering Attacks
Physical: shoulder surfing, dumpster diving (ex. Argo), tailgating, war driving, chalking, walking etc.
Online: phishing, pharming, spear phishing, vishing
Countermeasures
Create, implement and harden security policies. People easily forget policies; they need enforcement.
Comply with physical security standards. Are doors locked? Do security guards check all students for ID?
Security Awareness Training for employees. This should be done periodically.
Resistance Training for specified employees: Social Engineering Land Mines (SANS, David Gragg), call-back policy, key questions, bogus questions.
Incident Response
Web Application Attacks
A lot of people are using the Internet and doing transactions there.
A lot of websites are not checked for whether they are safe for users to use.
It’s possible that applications follow proper coding standards but the versions/functions they use are vulnerable.
Usual attacks:
SQL Injection
Cross Site Scripting (XSS)
Session Hijacking
Directory Traversal
Cross Site Request Forgery (CSRF)
Web Goat demonstration. Download it here: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
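The WebGoat demonstration is not captured in this transcript, so here is an added example (not from the talk and not WebGoat's code) of two of the attacks listed above, each as a vulnerable handler beside its fixed form: a login query built by string concatenation next to the same query parameterised, and a file download that joins a user-supplied path next to one that checks the normalised path stays under the base directory. The in-memory users table, the credentials and the base directory are constructed; the login check stores plain-text passwords only to keep the example short, which a real application must not do.

```python
import os
import sqlite3

BASE_DIR = "/srv/app/files"   # constructed download root; it need not exist for the path check


def make_db():
    """Constructed users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "user"),
        ("admin", "s3cret", "admin"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """SQL injection: the input is spliced into the SQL text, so it can change the grammar."""
    query = ("SELECT username, role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Fixed form: placeholders; the driver sends the values separately from the SQL text."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def download_path_vulnerable(base_dir, requested):
    """Directory traversal: '..' segments in `requested` walk out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def download_path_safe(base_dir, requested):
    """Fixed form: resolve the path, then refuse anything not under the base directory."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo():
    """Run both handlers on a benign input and on a hostile one; returns the outcomes."""
    conn = make_db()
    injected_user, injected_pass = "admin' --", "wrong"   # '--' comments out the password check
    traversal = "../../../etc/passwd"
    return {
        "benign_safe": login_safe(conn, "alice", "correct horse"),
        "injected_vulnerable": login_vulnerable(conn, injected_user, injected_pass),
        "injected_safe": login_safe(conn, injected_user, injected_pass),
        "traversal_escapes": not download_path_vulnerable(BASE_DIR, traversal).startswith(BASE_DIR),
        "traversal_blocked": download_path_safe(BASE_DIR, traversal) is None,
        "normal_path_ok": download_path_safe(BASE_DIR, "reports/q4.pdf") is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable login returns the admin row without the password ever being compared, while the parameterised one returns nothing for the same input: the fix is not input filtering but keeping data out of the SQL grammar. The path check likewise does not try to strip ".." from the request; it resolves the path and compares the result against the base, which also handles encodings and symlinks that a string filter would miss. The same two patterns (parameterise, then validate the resolved result) are what OWASP's guidance on the next slide points to.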
Web Application Security Advice
Include security in all SDLC steps.
Refer to the Open Web Application Security Project (OWASP) when writing web applications. https://www.owasp.org/
Use both a source code analyzer and a vulnerability scanner to check the status of your application.
Information Security as a Discipline
InfoSec is a relatively new field.
It is starting to grow because a lot of businesses are transitioning to online.
Virtual money is the same as physical money.
There are still few professionals in this field. Supply is low, demand is high.
CS and IT major courses are good infosec foundations.
You can opt to choose infosec in thesis.
Security Certifications
CompTIA – Security+
EC-Council – Certified Ethical Hacker, Certified Security Analyst, Certified Hacking & Forensics Investigator etc.
SANS – GIAC Certified Reverse Engineering Malware, Incident Handler, Intrusion Analyst etc.
ISACA – Certified Information Systems Auditor etc.
ISC2 – Certified Information Systems Security Professional (CISSP), etc.
Do we need a cybercrime law?
Of course, we need one.
R.A. 10175 or the Cybercrime Prevention Act is a mixture of several issues.
Cybercrime Law should not only focus on the limitation of Freedom of Expression.
Cybercrime Law should protect the people.
What kind of cybercrime law do we need?
A law that compels for-profit organizations like banks to follow certain best standards to protect client data found in bank accounts.
A law that compels telecom companies to ensure that data that pass through their infrastructure are sent to and received by the intended recipients.
A law that compels government offices to securely store personal data that are found in their computer systems.