Audit dan Evaluasi Teknologi Informasi Sesi 5 MTI-CIO 2012

Upload: cahyani-windarto

Posted on 10-May-2015

Description: Lecture material for meeting 5 (Mr. Dani)

TRANSCRIPT

Page 1: Audit dan evaluasi ti   5

Audit dan Evaluasi Teknologi Informasi

Session 5

MTI-CIO 2012

Page 2

Current Issues

• World economic downturn
• Fierce business competition
• Technology availability (and affordability)
• Access anywhere and everywhere
• Education (knowledge) level
• Information explosion
• Political influences
• WAR!

“false sense of security”
“malicious intention and attempt”

Page 3

Security Basics

• Input-Output
  – Proper (good) input produces good output
  – Bad input creates bad output
• Involves proper working (honesty)
  – System
  – Human
• Properties
  – Confidentiality
  – Integrity
  – Availability

Page 4

General IT Security Concerns

• Network
  – Devices (communication), appliances, cabling
• Host
  – Application, operating system, web, hardware/software
• Environment
  – Building, infrastructure, physical access
• Human
  – User, operator, administrator, manager, etc.
• Partners and Peers
  – Providers, service access

“a good system is always tested against time”

Page 5

Vulnerability

• Any programming error or misconfiguration that could allow an intruder to gain unauthorized access to a system
• No longer just the realm of system crackers and security consultants; vulnerabilities have become the enabling factor behind network worms, spyware and viruses
• Sophisticated attack methods are becoming more prevalent, e.g. Stuxnet
• Critical vulnerability examples:
  – Buffer overflows
    • Programmer memory-handling error, usually during a copy operation
    • Exploitable to hijack the program or to make a service unusable
  – Files accessed outside restricted directory structures
    • Example: FTP server giving access to the /etc/passwd file
• Other vulnerabilities:
  – Default passwords
    • Vulnerability due to failed password changes
    • Practical issues with password changes: many applications, many passwords!!
    • Example: Linksys gateways and routers with very simple default passwords
  – Misconfigurations
    • Incomplete configuration for a particular task
  – Known backdoors
    • Backdoor applications that capture keystrokes, hijack the desktop, capture passwords, etc.

Page 6

Why are there security vulnerabilities?

• Lots of buggy software...
  – Why do programmers write insecure code?
  – Awareness is the main issue
• Some contributing factors
  – Few courses in computer security
  – Programming textbooks do not emphasize security
  – Few security audits
  – Unsafe programming languages
  – Programmers have many other things to worry about
  – Legacy software (some solutions, e.g. sandboxing)
  – Consumers do not care about security
  – Security is expensive and takes time

Page 7

Cyber Criminal

• Cracker
  – True cyber criminal
• Hacker
  – Black hat
  – Grey hat
  – White hat
• Motivation
  – Personal gain
  – Financial/commercial gain
  – Extreme curiosity
  – Plenty of spare time
  – Possesses the necessary resources
• Common profile (2000)
  – Male
  – Between 14 and 34 years of age
  – Computer addicted
  – No permanent girlfriend

Page 8

Typical Botherder: 0x80 (“X-eighty”)

High school dropout
  – “…most of these people I infect are so stupid they really ain't got no business being on the Internet in the first place.”
Working hours: approx. 2 minutes/day to manage the botnet
Monthly earnings: $6,800 on average
Daily activities:
  – Chatting with people while his bots make him money
  – Recently paid $800 for an hour alone in a VIP room with several dancers
Job description:
  – Controls 13,000+ computers in more than 20 countries
  – Infected bot PCs download adware, then search for new victim PCs
  – Adware displays ads and mines data on the victim's online browsing habits
  – Bots collect passwords, e-mail addresses, SS#, credit and banking data
  – Gets paid by companies like TopConverting.com, GammaCash.com, Loudcash, or 180Solutions

Source: Washington Post, “Invasion of the Computer Snatchers”

Page 9

Why do a security audit?

• Assess compliance aspects of policy
• Assess risk
• Assess level of security
• Evaluate security incident response

Page 10

Security Audit

• Controls
• Security logs
• Risk assessment
• Steps
  – Start with the policies and procedures in place
  – Initially the policy is treated as a threat, and the audit focuses on how people and systems address that threat
  – Interview employees and administrators
  – Evaluate technical aspects of security
  – Review all data logs

Page 11

What Is a Security Policy?

• A set of organization-level rules governing:
  – Acceptable use of computing resources
  – Security practices
  – Operational procedures
• Essential information
  – Date last updated
  – Name of the office that developed the policies
  – Clear list of policy topics
  – Equal emphasis on positive points (access to information) and negative points (unacceptable use)

Page 12

Why Is a Security Policy Important?

• Essential component of a fully functional firewall
  – Defines what needs to be done when the firewall is configured
  – Defines the intrusion detection and auditing systems that are needed
• Minimizes the impact of a “hack attack” on:
  – Staff time
  – Data loss
  – Productivity

Page 13

Setting Goals for an Effective Security Policy

• Describe a clear vision for a secure networked computing environment
• Be flexible enough to adapt to changes in the organization
• Be consistently communicated and implemented throughout the organization
• Specify how employees can and cannot use the Internet
• Define appropriate and inappropriate behavior as it pertains to privacy and security

Page 14

Seven Steps to Building a Security Policy

1. Develop a policy team
2. Determine the organization’s overall approach to security
3. Identify assets to be protected
4. Determine what should be audited for security
5. Identify security risks
6. Define acceptable use
7. Provide for remote access and monitoring

Page 15

Develop a Policy Team

• Members (5-10 people)
  – Senior administrator
  – Member of legal staff
  – Representative from rank-and-file employees
  – Member of IT department
  – Editor or writer who can structure and present the policy coherently
• Identify one person to be the official policy interpreter

Page 16

Determine Overall Approach to Security

• Two primary overall approaches:
  – Restrictive
  – Permissive
• Specific security stances:
  – Open
  – Optimistic
  – Cautious
  – Strict
  – Paranoid

Page 17

Identify Assets to Be Protected

• Physical assets
  – Actual hardware devices
• Logical assets
  – Digital information that can be viewed and misused
• Network assets
  – Routers, cables, bastion hosts, servers, firewall hardware and software
• System assets
  – Software that runs the system (server software and applications)

Page 18

Example of Assets to Be Protected

Page 19

Determine What Should Be Audited for Security

• Auditing
  – Process of recording which computers are accessing a network and what resources are being accessed
  – Includes recording the information in a log file
• Specify the types of communication to be recorded and how long they will be stored
• Use Tripwire to audit system resources
• Use a firewall log to audit security events

Page 20

Auditing with Tripwire
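The slide's figure is not in the transcript. As an added illustration of what a Tripwire-style audit does (this is not Tripwire's own code or database format), the script below baselines a directory tree by size, mode, mtime and SHA-256, then reports files added, removed or changed; the tree it builds in a temporary directory is constructed for the demo.

```python
"""Tripwire-style file integrity audit: baseline a tree, then report changes.
Added example; not Tripwire's code or database format."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Attributes an integrity checker compares: size, mode, mtime, SHA-256 digest."""
    st = path.lstat()
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}

def build_baseline(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its record."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[str(p.relative_to(root))] = file_record(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Findings an auditor wants: added, removed, and changed files.
    For changed files, list which attributes differ (content vs. permissions)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in set(baseline) & set(current):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}

def demo(root=None) -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    (root / "etc").mkdir(parents=True, exist_ok=True)
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "bin").mkdir(exist_ok=True)
    (root / "bin" / "ls").write_bytes(b"\x7fELF-original")
    os.chmod(root / "bin" / "ls", 0o755)
    baseline = build_baseline(root)
    # Simulated tampering: extra uid-0 account, binary replaced by one of the
    # same size (only the digest catches it), config removed, hidden file dropped.
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n")
    (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned")
    (root / "etc" / "hosts").unlink()
    (root / "bin" / ".hidden").write_text("x")
    return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The real tool stores the baseline signed and off-host; a baseline an intruder can rewrite proves nothing.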

Page 21

Auditing with a Firewall Log
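The slide's figure is not in the transcript. As an added example (not from the lecture) of auditing security events from a firewall log, the script below parses netfilter/iptables-style LOG lines, summarises dropped packets per source, and flags sources that sweep many ports or hammer one port; the log lines and the FW-DROP/FW-ACCEPT prefixes are constructed.

```python
"""Firewall log audit: per-source drop summary and simple findings.
Added example; sample lines are constructed in iptables LOG format."""
import re
from collections import defaultdict

# Constructed sample: one source sweeps six ports, one retries SSH, one is benign.
SAMPLE_LOG = """\
Mar  3 09:12:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51512 DPT=22
Mar  3 09:12:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51513 DPT=23
Mar  3 09:12:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51514 DPT=80
Mar  3 09:12:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51515 DPT=443
Mar  3 09:12:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51516 DPT=3389
Mar  3 09:12:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51517 DPT=8080
Mar  3 09:15:40 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.18.0.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22
Mar  3 09:15:41 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.18.0.7 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=22
Mar  3 09:15:42 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.18.0.7 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=22
Mar  3 09:20:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=UDP SPT=5353 DPT=5353
Mar  3 09:20:05 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=50000 DPT=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
# The LOG target's prefix follows "kernel: " (optionally after a [uptime] stamp).
PREFIX_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(\S+) ")

def parse_line(line):
    """Return (log prefix, dict of KEY=value fields), or None for non-firewall lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    return m.group(1), dict(FIELD_RE.findall(line[m.end():]))

def summarise_drops(log_text):
    """Per source IP: count of dropped packets and the set of destination ports hit."""
    per_src = defaultdict(lambda: {"drops": 0, "ports": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[0] != "FW-DROP":
            continue
        fields = parsed[1]
        if "SRC" not in fields or "DPT" not in fields:
            continue
        entry = per_src[fields["SRC"]]
        entry["drops"] += 1
        entry["ports"].add(int(fields["DPT"]))
    return per_src

def audit_findings(log_text, scan_ports=5, repeat_hits=3):
    """Flag port sweeps (many distinct ports) and repeated hits on a single port."""
    findings = []
    for src, entry in sorted(summarise_drops(log_text).items()):
        if len(entry["ports"]) >= scan_ports:
            findings.append((src, "port sweep", len(entry["ports"])))
        elif entry["drops"] >= repeat_hits and len(entry["ports"]) == 1:
            port = next(iter(entry["ports"]))
            findings.append((src, "repeated hits on port %d" % port, entry["drops"]))
    return findings

if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_LOG):
        print(finding)
```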

Page 22

Determine What Should Be Audited for Security

• Auditing log files
• Auditing object access

Page 23

Identify Security Risks

• Specify the kinds of attacks the firewall needs to guard against
  – Denial of service attacks
  – Disclosure of information due to fraud
  – Unauthorized access

Page 24

Define Acceptable Use

• Define acceptable computing and communications practices on the part of employees and business partners
• Aspects
  – E-mail
  – News

Page 25

Provide for Remote Access

• Specify acceptable protocols
• Determine use of Telnet or Secure Shell (SSH) access to the internal network from the Internet
• Describe use of cable modem, VPN, and DSL connections to access the internal network through the firewall
• Require remote users to have a firewall on their computer

Page 26

Accounting for What the Firewall Cannot Do

• A firewall sandwich or load-balancing switches can be compromised by:
  – Brute force attack
  – Sending an encrypted e-mail message with a virus attached to someone within the network
  – Employees who give out remote access numbers; unauthorized users can then access the company network
  – Employees who give out passwords

Page 27

Other Security Policy Topics

• Passwords
• Encryption
• Restrictions on removable media
• ASPs
• Acceptable users
• Secure use of office-owned laptop computers
• Wireless security
• Use of VPNs
• Key policy

Page 28

Defining Responses to Security Violations

• Gather information on an incident response form
• Define the disciplinary action to be pursued if employees access the Internet improperly
• Identify who to contact in case of intrusion

Page 29

Educating Employees

• Security user awareness program
• Advise workers of expectations and consequences
• Make policies available on the local network
  – Displayed as the standard screen-saver
  – Posted strategically

Page 30

Presenting and Reviewing the Process

• Keep reports short and concise
• Give people ample time to respond after a policy statement is issued

Page 31

Amending the Security Policy

• Change the security policy when:
  – The organization makes substantial changes in hardware configuration, or
  – The firewall is reconfigured in response to security breaches

Page 32

What to look for in an audit?

• Are passwords difficult to crack?
• Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
• Are there audit logs to record who accesses data?
• Are the audit logs reviewed?
• Are the security settings for operating systems in accordance with accepted industry security practices?
• Have all unnecessary applications and computer services been eliminated for each system?
• Are these operating systems and commercial applications patched to current levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?

Page 33

What to look for in an audit? (continued)

• Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
• Have custom-built applications been written with security in mind?
• How have these custom applications been tested for security flaws?
• How are configuration and code changes documented at every level? How are these records reviewed, and who conducts the review?

Page 34

Audit components

• Preparation 10%
• Reviewing policy/docs 10%
• Talking/interviewing 10%
• Technical investigation 15%
• Reviewing data 20%
• Writing up 20%
• Report presentation 5%
• Post-audit actions 10%

(Source: Tech Support Alert website)

Page 35

Audit Process

• The security audit team reports directly to the CEO or the Board of Directors
• Examples of security audit types and frequencies:
  – Firewall every 6 months
  – Network every year
  – Host every 3 months

Page 36

Vulnerability Auditing

• A vulnerability audit provides an assessment of the security weaknesses that are visible via the computer network
• Audits can reveal vulnerabilities that can be exploited inside a security boundary by an authorized user or initiated from outside the security boundary by an illegitimate user
• Importance
  – Once a patch is announced, an exploit will be available in 2-3 days for unpatched machines
  – On average, every 5 minutes, one unpatched machine is compromised

Page 37

Steps to Vulnerability Auditing

• Compile an inventory of system nodes and services in a computer network
• Identify the visible and exploitable weaknesses and vulnerabilities
  – Use the view of an attacker
• Consolidate a report with vulnerability disclosures
  – IBM's X-Force severity classification
  – Common Vulnerability Scoring System (CVSS) classification
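As an added example of the CVSS classification step (not from the lecture), the code below implements the published CVSS v2 base-score formula from a base vector string and sorts findings by score for the report. The finding identifiers and vectors in the test are constructed; the NVD severity bands (Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0) are the v2 bands NVD used.

```python
"""CVSS v2 base score from a vector string, for ranking findings in a report.
Added example implementing the public CVSS v2 equations; inputs are constructed."""
import re

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")

def parse_vector(vector):
    """Split a v2 base vector into its six metric values; reject anything else."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    return m.groups()

def base_score(vector):
    """CVSS v2 base score (0.0-10.0), e.g. 'AV:N/AC:L/Au:N/C:C/I:C/A:C' -> 10.0."""
    av, ac, au, c, i, a = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(score + 1e-9, 1)  # the standard rounds to one decimal place

def severity(score):
    """NVD v2 severity bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def classify_findings(findings):
    """Given (id, vector) pairs, return (id, vector, score, severity) rows, highest first."""
    rows = [(ident, vec, base_score(vec), severity(base_score(vec))) for ident, vec in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    # Constructed findings: a local DoS and an unauthenticated remote full compromise.
    for row in classify_findings([("F-1", "AV:L/AC:L/Au:N/C:N/I:N/A:C"),
                                  ("F-2", "AV:N/AC:L/Au:N/C:C/I:C/A:C")]):
        print(row)
```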

Page 38

Compile Inventory

• Obtain a network map, i.e. the network interconnection of all live hosts and attached devices that are being analyzed for security risks
  – IP scanning or host discovery is performed using system tools, e.g. ping and traceroute, Internet Control Message Protocol (ICMP) queries
  – System information is also provided by routing tables and nslookup (DNS information)
  – Other tools such as nmap, fping, ...

Page 39

Identify Vulnerabilities

• Check collected host information against publicly known vulnerabilities that may affect the hosts
• Perform vulnerability tests
  – CVA – Common Vulnerability Assessment
    • Focus on unauthorized access
  – SDA – Secure Device Assessment
    • Architectural review of device deployment, operating system configuration, etc.
  – SEA – Secure Exploit Assessment
    • Similar to CVA plus multi-stage attacks

Page 40

Produce a Report

• Risk-assess the vulnerabilities found
• Suggest fixes and provide a vulnerability report

Page 41

Host vs. Network-based Vulnerability Auditing

• Network-based: focused on vulnerabilities visible and exploitable from the network
• Host-based: focused on vulnerabilities inside the configuration of the host

Page 42

Host Assessment

• Assessment software should be installed on each system that needs to be included
• Looks for system-level vulnerabilities such as
  – Insecure file permissions
  – Missing software patches
  – Noncompliant security policies
  – Backdoor and Trojan horse installations
• The depth of the testing performed makes it the preferred method of monitoring the security of critical systems
• Downside: requires a set of specialized tools for the operating system and software patches in use, and administrative access to each system being tested

Page 43

Network Assessment

• Instead of analyzing the individual hosts for problems, this searches for common problems on any system connected to the network
• Locates all live systems on the network, determines what network services are in use, and then analyzes those services for potential vulnerabilities, for example vulnerabilities in HTTP, FTP, SNMP
• Unlike host assessment solutions, this process does not require any configuration changes on the system being assessed
• Feasible for monitoring the security of large, complex networks of heterogeneous systems
• Downsides of these tools are:
  – Inability to detect certain types of backdoors
  – Complications in networks with firewalls
  – Inability to test for certain vulnerabilities
  – Can interfere with many devices (such as printers)
  – May use large amounts of bandwidth
  – Fill up disks with log files on the systems being assessed

Page 44

Difference between IDS and Vulnerability Auditing

• An IDS monitors network traffic, picks out malicious attacks from normal data, and sends out alerts when an attack is detected -> provides information after an attack has been detected
• Vulnerability auditing provides information about a vulnerability before it is exploited to compromise a system, allowing administrators to fix the problem and prevent a possible intrusion

Page 45

Essential Practices

• Restrictive policy (using e.g. proxies and firewalls)
• Redundant capacity (links) (over-provisioned)
• Media diversity (e.g. radio and wire, Internet and PSTN)
• Path diversity (e.g. mesh routing across multiple media)
• Peer-to-peer (link) and end-to-end (layer 7) cryptography (e.g. SSH, SSL, other VPNs)
• Layered defenses
• Peer-to-peer mutual authentication (e.g. 2-way SSL) (may imply a mutually trusted third party)
• COTS crypto
• Out-of-band (VPN) connection setup and control
• Physical security of nodes and links

Page 46

Best Practices

• Run applications as an unprivileged user
  – A successful attacker then only gains the rights of this unprivileged user
• chroot apps to prevent access to unrelated data
  – MobileSafari does not need access to email or SMS messages
  – MobileMail does not need access to browsing history
• Add heap and stack address randomization
  – This makes the development of exploits for vulnerabilities more difficult
• Memory protection: no pages both writable and executable
• Server software security modules
  – Server operating system: IDS (autoblocker), anti-malware/rootkit, real-time reports, incident alarm, access control monitor
  – Server software (web): security modules (autoblocker, XSS protection, bandwidth throttling)
  – Network monitoring, packet filtering, application proxy
• Periodic scanning
• Manual inspection and test
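As an added audit check for the memory-protection practice above (no pages both writable and executable), the script below parses the Linux /proc/<pid>/maps format and lists mappings that violate it; it is not from the lecture, and the sample maps text is constructed.

```python
"""W^X audit: find memory mappings that are both writable and executable.
Added example; parses the Linux /proc/<pid>/maps format. Sample is constructed."""
import re

# address range, perms (rwxp/rwxs), offset, dev, inode, optional pathname
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text):
    """Yield (start, end, perms, path) for every well-formed maps line."""
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)

def writable_executable(text):
    """Mappings with both 'w' and 'x' set, with their size in bytes."""
    return [(hex(s), hex(e), e - s, perms, path or "[anon]")
            for s, e, perms, path in parse_maps(text)
            if "w" in perms and "x" in perms]

def audit_process(pid="self"):
    """Live check on Linux; returns None where /proc is unavailable."""
    try:
        with open("/proc/%s/maps" % pid) as fh:
            return writable_executable(fh.read())
    except OSError:
        return None

# Constructed sample: text, data, heap and stack are fine; one anonymous rwx region is not.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a01000 r--p 00000000 fd:01 1311 /usr/bin/app
55d0c0a01000-55d0c0a05000 r-xp 00001000 fd:01 1311 /usr/bin/app
55d0c0a05000-55d0c0a07000 rw-p 00005000 fd:01 1311 /usr/bin/app
55d0c1200000-55d0c1221000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c010000 rwxp 00000000 00:00 0
7ffd9a5e0000-7ffd9a601000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("sample:", writable_executable(SAMPLE_MAPS))
    print("this process:", audit_process())
```

A JIT or a packed binary may legitimately need a transient rwx region; the audit question is whether each one found is expected and documented.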

Page 47

In the News

• Nigerian letter (419 scams) still works:
  – Michigan Treasurer sends 1.2M USD of state funds!!!
• Many zero-day attacks
  – Google, Excel, Word, PowerPoint, Office …
• Criminal access to important devices
  – Numerous lost or stolen laptops and storage media containing customer information
  – Second-hand computers (hard drives) pose a risk
• Vint Cerf estimates ¼ of PCs on the Internet are bots

Page 48

Facts

• In 1988, the Morris worm was the first Internet worm released. It infected only 10% of the computers
• The Code Red worm appeared in 2001, used a vulnerability in the Microsoft IIS web server, and caused an estimated $2 billion in damage
• The Slammer worm, released in 2003, used a vulnerability in Microsoft SQL and infected 15% of the world’s computers in less than 10 minutes

Page 49

The “2002 Computer Security Institute / FBI Computer Crime and Security Survey” Report

• 90% of survey respondents (primarily larger corporations) detected computer security breaches. Respondents reported a wide range of attacks:
• 44% detected system penetration from the outside
• 44% detected denial of service attacks
• 76% detected employee abuse of Internet access privileges
• 85% detected computer viruses, worms, etc.
• 80% acknowledged financial losses due to computer security breaches
• 44% were willing and/or able to quantify their financial losses (these losses were $455 million)
• Most serious losses occurred through theft of proprietary information and financial fraud
• 74% cited their Internet connections as a frequent point of attack and 33% cited their internal systems as a frequent point of attack
• 34% reported intrusions to law enforcement (up from only 16% in 1996)

Page 50

Current Trends

• Malware, worms, and Trojan horses
  – spread by email, instant messaging, malicious or infected websites
• Botnets and zombies
  – improving their encryption capabilities, more difficult to detect
• Scareware
  – fake/rogue security software
• Attacks on client-side software
  – browsers, media players, PDF readers, etc.
• Ransom attacks
  – malware encrypts hard drives, or DDoS attack
• Social network attacks
  – Users’ trust in online friends makes these networks a prime target
• Cloud computing
  – growing use will make this a prime target for attack
• Web applications
  – developed with inadequate security controls
• Budget cuts
  – a problem for security personnel and a boon to cyber criminals

Page 51

Trends

Page 52

Operating System Vulnerabilities

Page 53

Reported Web Vulnerabilities "In the Wild"

(Data from aggregator and validator of NVD-reported vulnerabilities)

Page 54

Web vs System vulnerabilities

XSS peak

Page 55

Botnet Lifecycle

• Propagation
  – Compromised host activity
  – Network probes and other activity
  – Recognizable activity on a newly infected host

Page 56

Recent Malware Distribution

• Blogs are widely used
  – 184 million blogs world-wide
  – 73% of internet users have read a blog
  – 50% post comments
• Blogs have automated linkbacks
  – Facilitate cross-referencing
  – Exploited by spammers

One blog spam can reach thousands of users

Page 57

Web attack toolkit: MPack

• Basic setup
  – Toolkit hosted on a web server
  – Infects pages on that server
  – Page visitors get infected
• Features
  – Customized: determines the exploit on the fly, based on the user’s OS, browser, etc.
  – Easy to use: management console provides stats on infection rates
  – Customer care: the toolkit can be purchased with a one-year support contract!

Page 58

Traffic Hijacking (SilentBanker)

Diagram labels from the slide:
  – Proxy intercepts the request and adds fields
  – Bank sends the login page needed to log in
  – When the user submits information, it is also sent to the attacker

Page 59

Steal cars with a laptop

• NEW YORK - Security technology created to protect luxury vehicles may now make it easier for tech-savvy thieves to drive away with them.
• In April ‘07, high-tech criminals made international headlines when they used a laptop and transmitter to open the locks and start the ignition of an armor-plated BMW X5 belonging to soccer player David Beckham, the second X5 stolen from him using this technology within six months.
• Beckham's BMW X5s were stolen by thieves who hacked into the codes for the vehicles' RFID chips.

Page 60

Other Advanced Security News

• iPhone Safari downloads a malicious web page (2007)
  – Arbitrary code is run with administrative privileges
  – Can read the SMS log, address book, call history, other data
  – Can perform physical actions on the phone
    • Play a system sound and vibrate the phone for a second
    • Could dial phone numbers, send text messages, or record audio (as a bugging device)
  – Transmit collected data over the network to the attacker
• Built-in backdoor or time-bomb by the programmer
• Greed takes over eventually and the perpetrator gets caught

Page 61

Social Engineering

• Many attacks don't use computers
  – Call the system administrator
  – Dive in the dumpster
• Online versions
  – Send a trojan in email
  – Picture or movie with malicious code
• SMS message fraud?

Page 62

Latest Issues

• Cloud computing
  – Hosted by a 3rd party
  – Multitenancy
  – Security?
  – SLA?
  – Highly available
  – Redundancy
  – Distributed (decentralized) resources

Page 63

• Spam service
• Rent-a-bot
• Cash-out
• Pump and dump
• Botnet rental

Page 64

Underground goods and services

Rank  Previous rank  Goods and services            Share (current)  Share (previous)  Prices
1     2              Bank accounts                 22%              21%               $10-1000
2     1              Credit cards                  13%              22%               $0.40-$20
3     7              Full identity                 9%               6%                $1-15
4     N/R            Online auction site accounts  7%               N/A               $1-8
5     8              Scams                         7%               6%                $2.50/wk - $50/wk (hosting); $25 design
6     4              Mailers                       6%               8%                $1-10
7     5              Email addresses               5%               6%                $0.83-$10/MB
8     3              Email passwords               5%               8%                $4-30
9     N/R            Drop (request or offer)       5%               N/A               10-50% of drop amount
10    6              Proxies                       5%               6%                $1.50-$30

(N/R: not ranked previously)

Credit: Zulfikar Ramzan

Page 65

Law enforcement

• Sean Smith
  – Melissa virus: 5 years in prison, $150K fine
• Ehud Tenenbaum (“The Analyzer”)
  – Broke into US DoD computers
  – 6 months service, suspended prison sentence, $18K fine
• Dmitry Sklyarov
  – Broke Adobe ebooks
  – Prosecuted under the DMCA