Page 1

Justin David G. Pineda, CEH, Sr. Application Security Specialist

The Coca-Cola Company | July 31, 2015 | PATTS, Paranaque City

1. Need for information security
2. Core information security concepts
3. Ethical hacking and its steps
4. Moving forward in infosec

Page 2

1 of 4



Page 4

No sense of security on the web.

Logical infrastructure does not equate to physical infrastructure.

There is a need to implement a standardized information security program in industry, government and academe.

Page 5

2 of 4


Page 6

Confidentiality – Protection against unauthorized access.

Integrity – Protection against unauthorized modification.

Availability – Protection against loss of access, e.g. Denial of Service (DoS).

Which of the three is violated in each case?

1. A visitor is able to enter an "Unauthorized Personnel Only" room.

2. A bank teller accidentally changes the account balance of a client.

3. A student trips over the PC power cable, resulting in power and data loss.

4. A hacker gains access to a legitimate account using password guessing.

5. The Anonymous group initiates a Distributed Denial of Service (DDoS) to bring down the PayPal website.

Page 7

Natural barriers
Gates and dogs
Guards
Authentication (something you know, something you have, something you are)

Page 8

HR policies
Clean desk policy
Acceptable Use Policy
Internet policy
Data security policy
Password policy

Firewalls
Intrusion Detection Systems (IDS)
Unified Threat Management (UTM)
Data Loss Prevention (DLP)

Page 9

Port security
Anti-virus
User access levels (standard, admin, super admin)

Encryption
Patches, hotfixes

Page 10

3 of 4


A hacker exploits weaknesses in a computer system.

"Hacking or cracking, which refers to unauthorized access into or interference in a computer system…" (RA 8792, E-Commerce Law)

"Someone with an advanced understanding of computers and computer networks…" (A Guide to the World of Computer Wizards)

Ex. Hacking with a Pringles tube (from BBC News)

Page 11

They both exploit weaknesses in a computer system or network.

The difference is permission and scope.

White hat – good guys
Black hat – bad guys
Gray hat – good in the morning, bad in the evening

With this definition, what is the classification of Anonymous?

Page 12

1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

Observation
Research about your target
Start from online tools:
◦ Netcraft
◦ Archive
◦ Web Data Extractor
Job opportunities

Page 13

Can you retrieve PATTS' website as it was in 2003?
Can I filter my search to get only the PDF files related to graduate studies?
What are the server details of the target website?
Why include job opportunities as a method for reconnaissance?

Use Web Data Extractor (WDE), URL: http://www.webextractor.com/
Extracting contact details in Ateneo:

Page 14

Look for open opportunities
nmap, hping

Page 15

What are the open ports on a particular IP address? (corresponds to an organization)
What operating system and version is being used?

Issue a traceroute to the IP. Based on the number of hops, can you determine its web server?
Tools:
◦ traceroute (on Windows, tracert)
◦ hping: http://www.hping.org/
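The scanning step above names nmap and hping; what those tools do for the "which ports are open" question is a TCP connect probe per port, plus a banner grab for the version question. The following is an added example, not code from the talk or from nmap: a minimal connect scanner with a constructed local target (one listening socket that sends a made-up SSH banner, one bound-but-not-listening socket that refuses), so it runs offline. The host, ports and banner are assumptions for the demo. Scanning a host you do not have written permission to test is exactly the "permission and scope" line the talk draws between white and black hats.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=0.5):
    """TCP connect() probe, the same idea as `nmap -sT`.

    Returns (port, is_open, banner). A completed handshake means something is
    listening; the banner is whatever the service volunteers before the client
    speaks (SSH, FTP and SMTP all announce their version this way).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except (socket.timeout, OSError):   # refused, filtered (timeout) or unreachable
        sock.close()
        return port, False, b""
    banner = b""
    try:
        banner = sock.recv(128)
    except (socket.timeout, OSError):   # many services wait for the client first
        pass
    finally:
        sock.close()
    return port, True, banner


def scan_ports(host, ports, timeout=0.5, workers=64):
    """Probe `ports` in parallel; return {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return {port: banner for port, is_open, banner in results if is_open}


def demo_local_scan():
    """Constructed target (assumption for the demo): one listening socket on
    127.0.0.1 that greets with a fake SSH banner, and one socket that is bound
    but not listening, so connects to it are refused.
    Returns (open_port, closed_port, scan_result)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    bound_only = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bound_only.bind(("127.0.0.1", 0))
    closed_port = bound_only.getsockname()[1]

    def serve():
        listener.settimeout(3)
        try:
            while True:
                conn, _ = listener.accept()
                conn.sendall(b"SSH-2.0-OpenSSH_7.9 constructed-banner\r\n")
                conn.close()
        except (socket.timeout, OSError):
            pass

    threading.Thread(target=serve, daemon=True).start()
    result = scan_ports("127.0.0.1", [open_port, closed_port], timeout=2.0)
    listener.close()
    bound_only.close()
    return open_port, closed_port, result


if __name__ == "__main__":
    open_port, closed_port, found = demo_local_scan()
    for port, banner in sorted(found.items()):
        print(f"{port}/tcp open   {banner.decode(errors='replace').strip()}")
    print(f"{closed_port}/tcp closed")
```

A connect scan completes the three-way handshake, so it shows up in the target's connection logs; nmap's default SYN scan (`-sS`, needs raw sockets) stops after the SYN/ACK and is quieter, and hping lets you craft the probes by hand, including the TTL games behind the traceroute question.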


Page 17

Password guessing
Privilege escalation
Executing malicious code
Copying files

Can you sniff data on the network?
On which device can you sniff useful data: a hub or a switch?
Is data sent over free Wi-Fi access zones safe from sniffing?
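The sniffing questions above turn on two things: whether the medium hands you other people's frames (a hub or an open Wi-Fi zone does; a switch only forwards frames to the port that owns the destination MAC, so an attacker there needs a trick such as ARP spoofing first), and whether the application sends its secrets in the clear. This added example, not code from the talk, is the second half: the header walk a passive sniffer performs on a raw frame and the credential extraction that follows when the request is plain HTTP. The frame is constructed inline (addresses, ports, username and password are all made up for the demo, and the checksums are left at zero); a real tool would read the same bytes from a pcap or a raw socket.

```python
import base64
import socket
import struct
from urllib.parse import parse_qs


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed sample frame: Ethernet II + IPv4 + TCP around `payload`.
    Checksums are left zero; a real capture would carry valid ones."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Walk the headers the way a passive sniffer does; return addresses, ports
    and the TCP payload, or None if the frame is not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ip[9] != 6:                     # protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4   # TCP header length in bytes
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": tcp[data_offset:],
    }


def extract_credentials(payload):
    """Pull secrets out of a plaintext HTTP request: Basic auth, session cookie
    and the usual login form fields. Over TLS this payload is ciphertext and
    the function finds nothing."""
    text = payload.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    found = {}
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "authorization" and value.lower().startswith("basic "):
            user, _, password = base64.b64decode(value[6:]).decode("latin-1").partition(":")
            found["basic_auth"] = (user, password)
        elif name == "cookie":
            found["cookie"] = value
    if body:
        form = parse_qs(body)
        for field in ("username", "user", "password", "pass", "passwd"):
            if field in form:
                found[field] = form[field][0]
    return found


def sniff_demo():
    """Constructed login over plain HTTP, as seen by anyone sharing the medium."""
    body = b"username=jpineda&password=Summer2015%21"
    request = (
        b"POST /login HTTP/1.1\r\n"
        b"Host: intranet.example.test\r\n"
        b"Authorization: Basic " + base64.b64encode(b"jpineda:Summer2015!") + b"\r\n"
        b"Cookie: JSESSIONID=constructed-session-id\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )
    frame = build_frame("192.168.1.23", "10.0.0.5", 51234, 80, request)
    packet = parse_frame(frame)
    return packet, extract_credentials(packet["payload"])


if __name__ == "__main__":
    packet, creds = sniff_demo()
    print(f"{packet['src']}:{packet['sport']} -> {packet['dst']}:{packet['dport']}")
    print(creds)
```

The answer to the Wi-Fi question follows from the code: on an open access point every station receives every frame, so the only thing standing between this parser and your password is whether the site uses HTTPS.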

Page 18

WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. (OWASP, 2015)

Download WebGoat here: https://www.owasp.org/index.php/WebGoat_Installation

Access Control Flaws
◦ Bypass Business Layer Access Control
◦ Bypass Data Layer Access Control

Authentication Flaws
◦ Forgot Password
◦ Multi-Level Login

Concurrency
◦ Thread Safety Problems
◦ Shopping Cart Concurrency

Page 19

Cross-Site Scripting (XSS)
◦ Phishing with XSS
◦ Cross Site Request Forgery (CSRF)

Improper Error Handling
◦ Fail Open Authentication Scheme

Injection Flaws
◦ Command Injection
◦ Numeric SQL Injection
◦ Modify Data with SQL Injection
◦ Add Data with SQL Injection
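The "Numeric SQL Injection" lesson in the list above is the simplest of the injection flaws: a numeric id from the request is pasted into the WHERE clause, so `101 OR 1=1` turns a one-row lookup into a dump of the table. This added example is not WebGoat's code; it rebuilds that lesson on an in-memory SQLite table (the table name, columns and rows are constructed to resemble WebGoat's, not copied from it) and puts the vulnerable lookup beside its hardened form, which validates the type and binds the value as a parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory table modelled on the WebGoat lesson's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT, cc_number TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?, ?)",
        [
            (101, "Joe", "Snow", "987654321"),
            (102, "John", "Smith", "2234200065411"),
            (103, "Jane", "Plane", "333498703333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, userid_from_request):
    """Numeric SQL injection: the request value is concatenated into the statement.
    '101' returns one row; '101 OR 1=1' returns every row in the table."""
    sql = (
        "SELECT userid, first_name, last_name, cc_number FROM user_data WHERE userid = "
        + userid_from_request
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, userid_from_request):
    """Hardened form: reject anything that is not an integer, then bind the value
    as a parameter so the database never interprets it as SQL."""
    try:
        userid = int(userid_from_request)
    except ValueError:
        raise ValueError("userid must be an integer")
    return conn.execute(
        "SELECT userid, first_name, last_name, cc_number FROM user_data WHERE userid = ?",
        (userid,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("101", "101 OR 1=1"):
        print(f"vulnerable({payload!r}) -> {len(lookup_vulnerable(db, payload))} row(s)")
        try:
            print(f"safe({payload!r}) -> {len(lookup_safe(db, payload))} row(s)")
        except ValueError as err:
            print(f"safe({payload!r}) -> rejected: {err}")
```

The validation step matters even with parameters bound: it turns a malformed id into a clean 400-style error instead of a database-specific type error, which is the "Improper Error Handling" lesson's territory.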


Delete or modify audit trails (covering tracks)
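The covering-tracks step above is an attacker deleting or rewriting the audit trail after gaining access. The defender's answer is a log the attacker cannot silently alter. This added example, not from the talk, shows one standard construction: each entry carries an HMAC over its sequence number, the previous entry's MAC and the event, so editing, deleting or reordering an entry breaks the chain. The key, the events and the "attacker" edits are constructed for the demo. Note the caveat in `verify_chain`: a chain by itself cannot detect truncation of the tail, which is why the expected length or the latest MAC has to live on a collector the compromised host cannot write to.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous MAC" of the first entry


def _record_bytes(seq, prev_mac, event):
    # Canonical encoding, so the MAC is computed over exactly what verify_chain recomputes.
    return json.dumps({"seq": seq, "prev": prev_mac, "event": event}, sort_keys=True).encode()


def append_entry(log, key, event):
    """Append `event` (a dict) to `log`, chaining it to the previous entry's MAC."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    mac = hmac.new(key, _record_bytes(seq, prev_mac, event), hashlib.sha256).hexdigest()
    record = {"seq": seq, "prev": prev_mac, "event": event, "mac": mac}
    log.append(record)
    return record


def verify_chain(log, key, expected_length=None):
    """Return (True, None) if every entry is intact and in order, otherwise
    (False, seq_of_first_bad_entry). Edits, deletions and reordering break the
    chain; silent truncation of the tail does not, which is why the expected
    length (or the latest MAC) must be kept where the attacker cannot reach it."""
    prev_mac = GENESIS
    for i, record in enumerate(log):
        if record.get("seq") != i or record.get("prev") != prev_mac:
            return False, i
        expected = hmac.new(key, _record_bytes(i, prev_mac, record["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record.get("mac", "")):
            return False, i
        prev_mac = record["mac"]
    if expected_length is not None and len(log) < expected_length:
        return False, len(log)
    return True, None


def demo():
    """Constructed audit trail: an attacker edits one entry, deletes one, and
    truncates the log. Returns the five verification results in that order."""
    key = b"constructed-demo-key"   # assumption for the demo; in practice held by the log collector, not the logged host
    events = [
        {"user": "admin", "action": "login", "src": "10.0.0.7"},
        {"user": "admin", "action": "sudo", "cmd": "useradd backdoor"},
        {"user": "admin", "action": "logout"},
        {"user": "jpineda", "action": "login", "src": "192.168.1.23"},
    ]
    log = []
    for event in events:
        append_entry(log, key, event)
    intact = verify_chain(log, key)

    edited = copy.deepcopy(log)
    edited[1]["event"]["cmd"] = "ls"          # covering tracks by rewriting an entry
    deleted = copy.deepcopy(log)
    del deleted[1]                            # covering tracks by deleting an entry
    truncated = copy.deepcopy(log)[:2]        # the chain alone cannot see this...
    return (
        intact,
        verify_chain(edited, key),
        verify_chain(deleted, key),
        verify_chain(truncated, key),
        verify_chain(truncated, key, expected_length=len(log)),   # ...but an off-host count can
    )


if __name__ == "__main__":
    for label, result in zip(("intact", "edited", "deleted", "truncated", "truncated+count"), demo()):
        print(f"{label:16s} -> {result}")
```

Shipping entries to a separate collector as they are written (syslog over TLS, a write-once bucket) is what makes the last check possible; the local file is then only a convenience copy, and an attacker with root on the host gains nothing by editing it.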

Page 20

4 of 4


Which would you rather choose, privacy or security?

Page 21

Of course, we need one. R.A. 10175, the Cybercrime Prevention Act, is a mixture of several issues. A cybercrime law should not only focus on limiting freedom of expression; it should protect the people.

A law that compels for-profit organizations like banks to follow certain best standards to protect client data found in bank accounts.

A law that compels telecom companies to ensure that data passing through their infrastructure are sent to and received by the intended recipients.

A law that compels government offices to securely store the personal data found in their computer systems.

Page 22

Justin David Pineda
Sr. Application Security Specialist
The Coca-Cola Company
[email protected]