handout infosec defense-mechanism-y3dips
DESCRIPTION
Light version of the KOMINFO workshop "BIMTEK Teknik Pengamanan Sistem Informasi" presentation file - Bali 11-11-11 (minus images, screenshots, PoC, video)
TRANSCRIPT
Information Security Defense Mechanism
Ahmad Muammar
Bali, 11 November 2011
Agenda
• Introduction
• Information Security
• Information Security Defense Mechanism
  o Know the Enemy
    • Potential Enemy
    • Motives
    • Attack Vector
  o SANS Top Cyber Security Risk
  o Defence Mechanism
    • Education/Security Awareness
    • Security Update
    • Security Hardening
    • Security Policy
    • Security Devices/Tools
    • Backup
Agenda
• Information Security Defense Mechanism
  o Attack Mechanism
    • Security Assessment
      o Vulnerability Assessment
      o Penetration Testing
• Demo
  o Showing some attacking scenarios
  o Showing most of the Defense Mechanisms
• Discussion
Introduction
• Freelance IT Security Consultant
• More than 9 years in IT Security
• Founder of “ECHO”, one of the Indonesian hacker communities [i]
• Founder of “IDSECCONF” - Indonesia Security Conference, in cooperation with KOMINFO [ii]
• More Info:
  o http://me.ammar.web.id
  o @y3dips
[i] http://echo.or.id
[ii] http://idsecconf.org
Information Security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. [1]
[1] http://wikipedia.org
Information Security
• Information
  o A set or collection of data that has meaning
• Level [2]
  o Non-Classified
    • Public Information
    • Personal Information
    • Routine Business Information
  o Classified
    • Confidential
    • Secret
    • Top Secret
[2] http://wikipedia.org
Information Security
• Electronic Information
  o Information that is created, converted, duplicated, transmitted and stored using electronic devices
• Electronic and Information Technology [3]
  Includes information technology and any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information.
  It includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
[3] http://www.washington.edu/accessit/articles?106
Information Security Defense Mechanism
Know Your Enemy
“Know your enemy and know yourself and you can fight a hundred battles without disaster.” Sun Tzu (Chinese general and author, b. 500 BC)
• Who are they, what are their motives, and how do they attack?
“You'll completely know a story if you know how it starts”
Potential Enemy
• Yourself
  Humans are the weakest link in security and a vulnerable target, whether as an administrator, a developer, or even a user.
• Hacker
  Genius people on earth, mostly known because of their contribution to the IT world, but some hackers may possess their own motives and intentions.
• Cracker
  Most people label them as the dark side of hackers, with bad motives and destructive intentions.
Potential Enemy
• CyberSpies
  Cyber espionage is the act or practice of obtaining secrets without the permission of the holder of the information, from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage, using illegal exploitation methods on the Internet, networks or individual computers through the use of cracking techniques and malicious software including Trojan horses and spyware. [4]
• CyberTerrorist
  Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against noncombatant targets by sub-national groups or clandestine agents. [5]
[4] http://wikipedia.org
[5] Mark Pollitt – FBI - http://www.crime-research.org/library/Cyber-terrorism.htm
Potential Enemy
• CyberArmy
  The army service component concerned with cyberspace and information operations, usually formed by a government.
• CyberActivist
  Cyberactivism is a means by which advanced information and communication technologies are used by individuals and groups to communicate with large audiences, galvanizing individuals around a specific issue or set of issues in an attempt to build solidarity towards meaningful collective action.
• ?
  Unknown specific targets, unknown agenda, unknown motives; e.g. WikiLeaks, Anonymous
Motives
• Money
  This motive is mostly that of crackers, cyberspies and cyberterrorists/gangs; they seek money in every action.
• Fame
  This kind of motive is mostly that of a “Script Kiddie” with a low level of hacking skills; they only intend to get famous, even in the wrong way.
• Ideology/Nationality
  This motive fits the cyber army perfectly, but sometimes cyber terrorists also act on it, while hackers do the same.
Motives
• War
  This motive fits the cyber army perfectly, but sometimes cyber terrorists also act on it, while hackers do the same.
• Knowledge
  This kind of motive is that of hackers; they intend to break something in order to learn, for many reasons, e.g. limited resources, time, and the beauty of technology.
• Revenge
  Also a motive for the “script kiddie”, doing destruction.
Motives
• Zone-h version [6]
[6] http://www.zone-h.org/news/id/4737
Attack Vector [7]
• Password (Authentication)
• Insecure Infrastructure
• Insecure Data Protection
• No Policy and Procedure
• Intrusion/hacking
• Social Engineering
[7] http://www.slideshare.net/y3dips/y3dips-who-own-your-sensitive-information
Attack Vector
• SANS Top Cyber Security Risks [8]
  o Client-side software that remains unpatched
    Exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.
  o Internet-facing websites that are vulnerable
    Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet.
[8] http://www.sans.org/top-cyber-security-risks
Defense Mechanism
A mechanism, strategy or technique that we are going to use to mitigate information security attacks.
Education
• Improve Security Awareness
  Improve the knowledge and attitude that members of an organization possess regarding the protection of the physical and, especially, information assets of that organization.
  Some organizations require formal and annual security awareness training for all workers when they join the organization and periodically thereafter.
Education
• Improve Security Awareness
  Make them understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within a company's computer systems and throughout its organization. Therefore, it would be prudent to protect the assets of the institution (information, physical, and personal) by trying to stop that from happening.
‘Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks.’ [9]
[9] According to the European Network and Information Security Agency – Wikipedia.org
Security Updates
• Download and install the latest security updates
  Operating systems such as Microsoft Windows, Apple Mac OS X, GNU/Linux, Unix and other well-known operating systems release security updates, security advisories and notifications when known security holes are found in their OS.
  Most attacks are successful because of the lack of security updates (see SANS Top Cyber Security Risks).
  Well-known application vendors also release their security patches and fixes.
Security Updates
• Make sure your “in-house” application development team/vendor also supports fixes and compatibility.
• In most cases, clients didn't update their OS and their applications because of compatibility with some “dead” application.
• Avoid using unsupported applications.
Security Hardening
• Security hardening is usually the process of securing a system and application by reducing its surface of vulnerability.
• Many OS and application vendors release their security hardening guidelines, e.g.:
  Linux Security Hardening Guide
  Apache Web Server Security Hardening Guideline
Security Hardening
• Some companies even create their own hardening guideline to match their security policy.
  o Adopting the public hardening guideline released by the vendor
  o Changing the configuration to follow the company's needs
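The hardening slides describe adopting a vendor guideline and checking configuration against it; the following is an added example (not from the workshop deck) that audits an sshd_config-style file against a small constructed baseline. The directive values in BASELINE and the sample config are assumptions for illustration, not taken from any specific published guideline.

```python
import re

# Constructed hardening baseline in the spirit of a vendor/company guideline:
# directive -> value the guideline requires (assumed values, not from the slides).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

def parse_sshd_config(text: str) -> dict:
    """Return the effective directives of an sshd_config-style file.
    Comments and blank lines are skipped; sshd uses the first occurrence of a
    repeated directive, so the first value wins here too."""
    effective = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if m and m.group(1) not in effective:
            effective[m.group(1)] = m.group(2).strip()
    return effective

def audit(config: dict, baseline: dict = BASELINE) -> list:
    """List findings as (directive, found, required). An absent directive falls
    back to the daemon default and is reported as 'unset' so the reviewer checks
    that default instead of assuming it is safe."""
    findings = []
    for directive, required in baseline.items():
        found = config.get(directive, "unset")
        if found.lower() != required.lower():
            findings.append((directive, found, required))
    return findings

# Constructed sample: a stock-looking config with two weak settings and one
# baseline directive left at its default.
SAMPLE_CONFIG = """\
# OpenSSH daemon config (constructed sample)
Protocol 2
# weak: allows direct root login
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
# ignored by sshd, which keeps the first occurrence of a directive
PermitRootLogin no
"""
```

Running `audit(parse_sshd_config(SAMPLE_CONFIG))` reports PermitRootLogin and PasswordAuthentication as weak and MaxAuthTries as unset.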
Security Policy [10]
• Security policy is a definition of what it means to be secure for a system, organization or other entity.
  o For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls.
  o For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs, and access to data by people.
[10] Wikipedia.org
Security Policy
• The well-known standards are ISO 27001 and ISO 27002, and security policy is one of the main sections (12 main sections).
  o ISO 27001 – certifiable standard
  o ISO 27002 – advisory standard
Security Policy
• Example:
  Defense against Virus Attacks
  Policy Statement
  “Without exception, Anti Virus software is to be deployed across all PCs with regular virus definition updates and scanning across servers, PCs and laptop computers.”
  BS ISO/IEC 27001:2005 Reference
  A.10.4 Protections against malicious and mobile code
  Purpose
  The purpose of this policy is to defend the organization against virus attacks.
  Guidelines
Security Device/Tools
• Notice: never ever trust your information security to a device.
• Security Devices
  A set of devices that will help to mitigate/minimize attack activity. Example:
  1. Firewall
  2. Intrusion Detection System (IDS)
  3. Intrusion Prevention System
Security Device/Tools
• Security Tools
  A set of applications/tools that will help to secure your infosec infrastructure:
  1. Hardening tools, e.g. Bastille
  2. Anti Virus
  3. Anti Malware
  4. Anti Spam
  5. Integrity Checker (Tripwire)
  6. Rootkit Hunter (rkhunter)
  7. Encryption Tools (TrueCrypt, GPG, OpenSSL)
  8. Password Manager (KeePass)
  9. More and more…
Backup
• Backup, or the process of backing up, is making copies of data which may be used to restore the original after a data loss event.
  o Restore after data loss.
  o Restore to a previous (working) state.
• Securing your backup is even more important than doing the backup itself.
Attack Mechanism
Sometimes, to do a defense, you need to attack.
Attack Mechanism
• Hack (attack) your own infrastructure before someone else does it.
• Do the security assessment.
Security Assessment
A way to validate/check the level of security on every aspect of the IT infrastructure.
Also to ensure that the necessary security controls are integrated into the design and implementation.
To prepare for better enhancement.
Security Assessment
• Vulnerability Assessment
  A vulnerability assessment is usually carried out with a security vulnerability scanner application. Most of these products test the type of operating system, applications, patch level, user accounts and more.
  Vulnerability scanners identify common security configuration mistakes and common attacks.
• Penetration Test
  Is when a “Hacker” does the attacker's work.
  The only goal is to get as much as possible and as deep as possible in breaking into the system.
Demo
Maybe, this is how it all ends
DEMO
• Showing some of the attacking scenarios
  We will see how an attacker makes a way in
• Showing most of the Defense Mechanisms
  We will see how to do the security hardening and configuration stuff
Discussion
Question and Answer