A Primer on Ethical Hacking & Information Security Education


Justin David Pineda, CEH, GWAPT
March 2, 2016, Asia Pacific College

Speaker's Profile
Name: Justin David Pineda
Occupation: Sr. Application Security Specialist, The Coca-Cola Company
Other occupation: Faculty, SoCIT APC
Educational background: MIS (APC), BS-CS (DLSU-Manila)
Certifications: Certified Ethical Hacker (CEH), GIAC Web Application Penetration Tester (GWAPT), Cisco Certified Network Associate (CCNA), CompTIA Security+, ISO 27002 (ISFS), IBM DB2 Associate, Microsoft Technology Associate (MTA) Security
Courses taught: INFOSEC, COMSEC1, COMSEC2, DATACOM, DATANET, ADVUNIX, PROGCON, OPESYS1, ITCONCE
Areas of expertise: Networking, infosec

Topics for today
- Some information security concepts
- Ethical hacking steps (and demo)
- Career in information security
- In the news: Apple vs. FBI

In the news

Some information security concepts (1 of 3)

What is information security?
Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats. (U.S. National Information Systems Security)

The CIA Triad explained
Confidentiality: protection against unauthorized access.
Integrity: protection against unauthorized modification.
Availability: protection against Denial of Service (DoS).

Examples (determine the type of issue):
- A stranger is able to enter campus premises by using a fake ID and impersonating an employee.
- The school servers are down because there's a blackout and there's no generator.
- A student forges his course card to make it look like he got a passing score in a course.
- The school employs a guard who strictly checks people going in and out of the school building.
- A professor loses her Excel file containing the students' grades. She didn't back up her files.

Defense in Depth

Definition of Protection: Past & Present
PROTECTION = PREVENTION
Example: gate, network firewall
Problem: What if the thief climbs over the gate?
Problem 2: What if there is a DoS attempt against a web server on port 80?

Definition of Protection: Past & Present
PROTECTION = PREVENTION + (DETECTION + INCIDENT RESPONSE)
Example: motion detector tools, anti-virus for the host device, Intrusion Detection System (IDS) for the network.

Reality Check
- You cannot eliminate all risks.
- You do not have a lot of money to buy all the controls to mitigate the risks.
- You need to prioritize.

Least Privilege
A user or program must be able to access only the information and resources that are necessary for its legitimate purpose. It is the essence of all domains in information security.

Separation of Duties (SOD)
The concept of having more than one person required to complete a task.
Keys to the kingdom
Example: how payroll is computed, approved, delivered, etc.

Separation of Duties Example
What will happen if the manager, HR and finance are one and the same?
Manager / HR / Finance
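The payroll example above can be expressed as an enforceable control. The following is an added example, not code from the original slides: a three-step payroll run in which each step demands a specific role (least privilege) and no single person may perform more than one step (separation of duties). The role names, step names and user directory are constructed for illustration; a person such as "dave" who holds every role already violates least privilege, and the SOD check is what stops him from carrying the run through alone.

```python
"""Separation-of-duties check for a three-step payroll run.

Added example, not from the original slides. The role names, the three
steps and the user records are constructed for illustration.
"""
from dataclasses import dataclass, field

# Each step must be performed by a holder of a specific role, and no single
# person may perform more than one step of the same run.
STEP_ROLES = {"compute": "manager", "approve": "hr", "release": "finance"}
STEP_ORDER = ["compute", "approve", "release"]

# Constructed user directory: user -> set of roles held.
USERS = {
    "alice": {"manager"},
    "bob": {"hr"},
    "carol": {"finance"},
    "dave": {"manager", "hr", "finance"},  # one person holding every role
}


class SodViolation(Exception):
    """Raised when a step would put more than one duty in the same hands."""


@dataclass
class PayrollRun:
    performed_by: dict = field(default_factory=dict)  # step -> user

    def perform(self, step, user, users=USERS):
        if step not in STEP_ROLES:
            raise ValueError(f"unknown step {step!r}")
        # Steps happen in order: the previous step must already be done.
        idx = STEP_ORDER.index(step)
        if idx > 0 and STEP_ORDER[idx - 1] not in self.performed_by:
            raise SodViolation(f"{step!r} attempted before {STEP_ORDER[idx - 1]!r}")
        if step in self.performed_by:
            raise SodViolation(f"{step!r} already performed")
        # Least privilege: the actor needs the role assigned to this step...
        if STEP_ROLES[step] not in users.get(user, set()):
            raise SodViolation(f"{user!r} lacks role {STEP_ROLES[step]!r} for {step!r}")
        # ...and separation of duties: the actor may not have done another step.
        if user in self.performed_by.values():
            raise SodViolation(f"{user!r} already performed another step in this run")
        self.performed_by[step] = user
        return step

    def complete(self):
        return all(s in self.performed_by for s in STEP_ORDER)


def run_payroll(actors, users=USERS):
    """actors: mapping step -> user. Returns (ok, reason)."""
    run = PayrollRun()
    try:
        for step in STEP_ORDER:
            run.perform(step, actors[step], users)
    except (SodViolation, KeyError) as exc:
        return False, str(exc)
    return run.complete(), "ok"


if __name__ == "__main__":
    # Three different people, each holding exactly the role their step needs.
    print(run_payroll({"compute": "alice", "approve": "bob", "release": "carol"}))
    # One person attempting every step: rejected at the second step.
    print(run_payroll({"compute": "dave", "approve": "dave", "release": "dave"}))
```

The check is deliberately on the server side of the workflow rather than in a form or UI, since a control that only hides buttons does not separate anything.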

Physical Security
- Natural barriers
- Authentication (something you know, something you have, something you are)
- Gates and dogs
- Guards

Network Security
- Firewalls
- Intrusion Detection Systems (IDS)
- Unified Threat Management (UTM)
- Data Loss Prevention (DLP)

Host Security
- Port security
- Anti-virus
- User access (standard, admin, super admin)

Application Security
- Encryption
- Patches, hotfixes

Other Important Security Terms
Diversity of Defense: do not rely on a single brand of security device.
Security through Obscurity: a feeling of security that comes from hiding the asset and assuming that nobody else will think the same way.
Cost Benefit Analysis (CBA): the cost of a safeguard or protection should not be greater than the value of the asset.

Ethical hacking steps (2 of 3)

Is there such a thing as ethical hacking?
A hacker exploits weaknesses in a computer system.
"Hacking or cracking" refers to unauthorized access into or interference in a computer system (RA 8792, E-Commerce Law).
Someone with an advanced understanding of computers and computer networks (A Guide to the World of Computer Wizards).
Example: Hacking with a Pringles tube (from BBC News)

What separates good from bad hackers?
They both exploit weaknesses in a computer system or network. The difference is permission and scope.
White hat: good guys
Black hat: bad guys
Gray hat: good in the morning, bad in the evening
With this definition, what's the classification of Anonymous?

Hacking trend

Steps in Hacking
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

Reconnaissance
- Observation
- Research about your target
- Start from online tools: Netcraft, Archive, Web Data Extractor
- Job opportunities

Scanning
- Look for open opportunities
- nmap, hping

Gaining & Maintaining Access
- Password guessing
- Privilege escalation
- Executing malicious code
- Copying files

Covering Tracks
- Delete or modify audit trails

Web Application Attacks
- A lot of people are using the Internet and doing transactions there.
- A lot of websites are never checked for whether they are safe for users to use.
- It's possible that applications follow proper coding standards but the versions/functions they rely on are vulnerable.

Usual attacks:
- SQL Injection
- Cross Site Scripting (XSS)
- Session Hijacking
- Directory Traversal
- Cross Site Request Forgery (CSRF)

WebGoat demonstration
Download it here: https://www.owasp.org/index.php/category:owasp_webgoat_project

Web Application Security Advice
- Include security in all SDLC steps.
- Refer to the Open Web Application Security Project (OWASP) when writing web applications. https://www.owasp.org/
- Use both a source code analyzer and a vulnerability scanner to check the status of your application.

Career in information security (3 of 3)

Information Security as a Discipline
- InfoSec is a relatively new field. It is starting to grow because a lot of businesses are transitioning to online.
- Virtual money is the same as physical money.
- There are still few professionals in this field. Supply is low, demand is high.
- CS and IT major courses are good infosec foundations. You can opt to choose infosec for your thesis.

Security Certifications
- CompTIA: Security+
- EC-Council: Certified Ethical Hacker, Certified Security Analyst, Certified Hacking & Forensics Investigator, etc.
- SANS GIAC: Certified Reverse Engineering Malware, Incident Handler, Intrusion Analyst, etc.
- ISACA: Certified Information Systems Auditor, etc.
- ISC2: Certified Information Systems Security Professional (CISSP), etc.

Security or Freedom?
Privacy Issues
Are we being watched?

Thank you very much.
Q&A
Justin David Pineda
Coca-Cola Philippines
http://justinpineda.com