A Primer on Ethical Hacking & Information Security Education

Transcription

1 A Primer on Ethical Hacking & Information Security Education Justin David Pineda CEH, GWAPT March 2, 2016 Asia Pacific College Speaker s Profile Name: Justin David Pineda Occupation: Sr. Application Security Specialist, The Coca-Cola Company Other occupation: Faculty, SoCIT APC Educational background: MIS (APC), BS-CS (DLSU-Manila) Certifications: Certified Ethical Hacker (CEH), GIAC Web Application Penetration Tester (GWAPT), Cisco Certified Network Associate (CCNA), CompTIA Security+, ISO (ISFS), IBM DB2 Associate, Microsoft Technology Associate (MTA) Security Courses taught: INFOSEC, COMSEC1, COMSEC2, DATACOM, DATANET, ADVUNIX, PROGCON, OPESYS1, ITCONCE Areas of expertise: Networking, infosec 1

2 Topics for today Some information security concepts Ethical hacking steps (and demo) Career in information security In the news Apple vs. FBI 2

3 In the news In the news 3

4 Some information security concepts 1 of 3 What is information security? Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats. (U.S. National Information Systems Security) 4

5 The CIA triad The CIA Triad explained Confidentiality Protection against unauthorized access. Integrity Protection against unauthorized modification. Availability Protection against Denial of Service (DoS) 5

6 Examples: (Determine the type of issue) A stranger is able to enter campus premises by using a fake ID and impersonate as an employee. The school servers are down because there s a blackout and there s no generator. A student forges his course card to make it look like he got a passing score in a course. The school employs a guard that strictly checks people going in and out of the school building. A professor loses her Excel file containing the students grades. She didn t backup her files. Defense in Depth 6

7 Definition of Protection Past & Present PROTECTION = PREVENTION Example: Gate, Network Firewall Problem: What if the thief climbs over the gate? Problem 2: What if there is a DoS attempt in a web server on port 80. Definition of Protection Past & Present PROTECTION = PREVENTION + (DETECTION + INCIDENT RESPONSE) Example: Motion detector tools, anti-virus for host device, Intrusion Detection System (IDS) for network. 7

8 Reality Check You cannot eliminate all risks. You do not have a lot of money to buy all controls to mitigate the risks. You need to prioritize. Least Privilege A user/program must be able to access only the information and resources that are necessary for its legitimate purpose. It is the essence of all domains in information security 8

9 Separation of Duties (SOD) The concept of having more than one person required to complete a task. Keys to the kingdom Example: How payroll is computed, approved, delivered etc. Separation of Duties Example What will happen if the manager, the HR & finance are one and the same? Manager HR Finance 9

10 Physical Security Natural barriers Authentication (something to you know, something that you have, something that you are) Gates and dogs Guards Network Security Firewalls Intrusion Detection Systems (IDS) Unified Threat Management (UTM) Data Loss Prevention (DLP) 10

11 Host Security Port Security Anti-virus User access (standard, admin, super admin) Application Security Encryption Patches, hotfixes 11

12 Other Important Security Terms Diversity of Defense Do not rely on a single brand of security device. Security through Obscurity Feeling of security by hiding the asset and thinking that nobody else will think the same way. Cost Benefit Analysis (CBA) The cost of safeguard or protection should not be greater than the value of the asset. Ethical hacking steps 2 of 3 12

13 Is there such thing as ethical hacking? A hacker exploits weaknesses in a computer system. Hacking or cracking which refers to unauthorized access into or interference in a computer system (RA 8792, E-Commerce Law) Someone with an advanced understanding of computers and computer networks (A Guide to the World of Computer Wizards) Ex. Hacking with a Pringles tube (from BBC News) What separates good from bad hackers? They both exploit weaknesses in a computer system or network. The difference is permission and scope. White hat good guys Black hat bad guys Gray hat good in the morning; bad in the evening With this definition, what s the classification of Anonymous? 13

14 Hacking trend Steps in Hacking 1. Reconnaissance 2. Scanning 3. Gaining Access 4. Maintaining Access 5. Covering Tracks 14

15 Reconnaissance Observation Research about your target Start from online tools Netcraft Archive Web Data Extractor Job opportunities Scanning Look for open opportunities nmap, hping 15

16 Gaining & Maintaining Access Password Guessing Privilege Escalation Executing Malicious Codes Copying files Covering Tracks Delete or modify audit trails 16

17 Web Application Attacks A lot of people are using the Internet and doing transactions there. A lot of websites are not checked whether it is safe for users to use. It s possible that applications follow proper coding standards but versions/functions are vulnerable. Usual attacks: SQL Injection Cross Site Scripting (XSS) Session Hijacking Directory Traversal Cross Site Request Forgery (CSRF) Web Goat demonstration Download it here

18 Web Application Security Advice Include security in all SDLC steps. Refer to the Open Web Application Security Project (OWASP) when writing web applications. Use both source code analyzer and vulnerability scanner to check the status of your application. Career in information security 3 of 3 18

19 Information Security as a Discipline InfoSec is a relatively new field. It is starting to grow because a lot of businesses are transitioning to online. Virtual money is same as physical money. There are still few professionals who are in this field. Supply is low, demand is high. CS and IT major courses are good infosec foundations. You can opt to choose infosec in thesis. CompTIA Security+ Security Certifications EC-Council Certified Ethical Hacker, Certified Security Analyst, Certified Hacking & Forensics Investigator etc. SANS GIAC Certified Reverse Engineering Malware, Incident Handler, Intrusion Analyst etc. ISACA Certified Information Systems Auditor etc. ISC2 Certified Information Systems Security Professional (CISSP), etc. 19

20 Security or Freedom? Privacy Issues Are we being watched? 20

21 Thank you very much. Q&A Justin David Pineda Coca-Cola Philippines 21