Audit dan evaluasi ti   5
Upcoming SlideShare
Loading in...5
×
 

Audit dan evaluasi ti 5

on

  • 824 views

Materi Kuliah Pertemuan ke 5 pak Dani

Materi Kuliah Pertemuan ke 5 pak Dani

Statistics

Views

Total Views
824
Views on SlideShare
824
Embed Views
0

Actions

Likes
0
Downloads
17
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Either check the version and name, or use attack methods such as buffer overflow attacks against the service with the possibility of breaking the system
  • For example Nessus provides a HTML report

Audit dan evaluasi ti   5 Audit dan evaluasi ti 5 Presentation Transcript

  • Audit dan EvaluasiTeknologi Informasi Sesi 5 MTI-CIO 2012
  • Current Issues• World economic downturn• Fierce business competition• Technology availability (and affordability)• Access anywhere and everywhere• Education (knowledge) level• Information explosion• Political influences• WAR! “false sense of security” “malicious intention and attempt”
  • Security Basic• Input-Output – Proper (good) input produces good output – Bad input creates bad output• Involves proper working (honesty) – System – Human• Properties – Confidentiality – Integrity – Availability
  • General IT Security Concerns• Network – Devices (communication), appliances, cabling• Host – Application, Operating System, web, hardware/software• Environment – Building, infrastructure, physical access• Human – User, operator, administrator, manager, etc• Partners and Peers – Providers, services access “good system is always tested against time”
  • Vulnerability• Any programming error or misconfiguration that could allow an intruder to gain unauthorized access to a system• No longer just the realm of system crackers and security consultants, they have become the enabling factor behind network worms, spyware and viruses• Sophisticated attack methods are becoming more prevalent e.g. Stuxnet• Critical vulnerability examples: – Buffer overflows • Programmer memory issue, usually during file-copy • Hijack vulnerability by making a service unusable – Files accessed outside restricted directory structures – Example: FTP server giving access to /etc/passwd file• Other vulnerabilities: – Default Passwords • Vulnerability due to failed password changes • Practical issues with password changes, many applications, many passwords!! • Example: Linksys with very simple passwords for gateways, routers – Misconfigurations • Incomplete configurations for a particular task – Known backdoors • Backdoor applications to capture keyboard strokes, Desktop Hijack, password capture etc
  • Why are there security vulnerabilities?• Lots of buggy software... – Why do programmers write insecure code? – Awareness is the main issue• Some contributing factors – Few courses in computer security – Programming text books do not emphasize security – Few security audits – Unsafe programming language – Programmers have many other things to worry about – Legacy software (some solutions, e.g. Sandboxing) – Consumers do not care about security – Security is expensive and takes time
  • Cyber Criminal• Cracker – True cyber criminal• Hacker – Black Hat – Grey Hat – White Hat• Motivation – Personal gain – Financial/commercial gain – Extreme curiosity – Plenty of spare times – Posses necessary resources• Common profile (2000) – Male – Between 14 and 34 years of age – Computer addicted – No permanent girlfriend
  • Typical Botherder: 0x80“ (X-eighty)High school dropout – “…most of these people I infect are so stupid they really aint got no business being on the Internet in the first place.“Working hours: approx. 2 minutes/day to manage BotnetMonthly earnings: $6,800 on averageDaily Activities: – Chatting with people while his bots make him money – Recently paid $800 for an hour alone in a VIP room with several dancersJob Description: – Controls 13,000+ computers in more than 20 countries – Infected Bot PCs download Adware then search for new victim PCs – Adware displays ads and mines data on victims online browsing habits. – Bots collect password, e-mail address, SS#, credit and banking data – Gets paid by companies like TopConverting.com, GammaCash.com, Loudcash, or 180Solutions. Washington Post: Invasion of the Computer Snatchers
  • Why do security audit?• Assess compliance aspects of policy• Assess risk• Assess level of security• Evaluate security incident response 9
  • Security Audit• Controls• Security logs• Risk assessment• Steps – Starts with policies and procedures in place – Initially the policy is treated as threat and audit focuses on how people and systems address the threat – Interview employees and administrators – Evaluate technical aspects for security – Review all data logs 10
  • What Is a Security Policy?• A set of organization-level rules governing: – Acceptable use of computing resources – Security practices – Operational procedures• Essential information – Date last updated – Name of office that developed the policies – Clear list of policy topics – Equal emphasis on positive points (access to information) and negative points (unacceptable policies)
  • Why Is a Security Policy Important?• Essential component of a fully functional firewall – Defines what needs to be done when firewall is configured – Defines intrusion detection and auditing systems that are needed• Minimizes impact of a “hack attack” on: – Staff time – Data loss – Productivity
  • Setting Goals for an Effective Security Policy• Describe a clear vision for a secure networked computing environment• Be flexible enough to adapt to changes in the organization• Be consistently communicated and implemented throughout the organization• Specify how employees can and cannot use the Internet• Define appropriate and inappropriate behavior as it pertains to privacy and security
  • Seven Steps to Building a Security Policy1. Develop a policy team2. Determine organization’s overall approach to security3. Identify assets to be protected4. Determine what should be audited for security5. Identify security risks6. Define acceptable use7. Provide for remote access and monitoring
  • Develop a Policy Team• Members (5-10 people) – Senior administrator – Member of legal staff – Representative from rank-and-file employees – Member of IT department – Editor or writer who can structure and present the policy coherently• Identify one person to be the official policy interpreter
  • Determine Overall Approach to Security• Two primary activities for overall approach: – Restrictive – Permissive• Specific security stances: – Open – Optimistic – Cautious – Strict – Paranoid
  • Identify Assets to Be Protected• Physical assets – Actual hardware devices• Logical assets – Digital information that can be viewed and misused• Network assets – Routers, cables, bastion hosts, servers, firewall hardware and software• System assets – Software that runs the system (server software and applications)
  • Example of Assets to Be Protected
  • Determine What Should Be Audited for Security• Auditing – Process of recording which computers are accessing a network and what resources are being accessed – Includes recording the information in a log file• Specify types of communication to be recorded and how long they will be stored• Use Tripwire to audit system resources• Use a firewall log to audit security events
  • Auditing with Tripwire
  • Auditing with a Firewall Log
  • Determine What Should Be Audited for Security• Auditing log files• Auditing object access
  • Identify Security Risks• Specify the kinds of attacks the firewall needs to guard against – Denial of service attacks – Disclosure of information due to fraud – Unauthorized access
  • Define Acceptable Use• Define acceptable computing and communications practices on the part of employees and business partners• Aspects – E-mail – News
  • Provide for Remote Access• Specify acceptable protocols• Determine use of Telnet or Secure Shell (SSH) access to internal network from Internet• Describe use of cable modem, VPN, and DSL connections to access internal network through the firewall• Require remote users to have a firewall on their computer
  • Accounting for What the Firewall Cannot Do• A firewall sandwich or load balancing switches can be compromised by: – Brute force attack – Sending an encrypted e-mail message to someone within the network with a virus attached – Employees who give out remote access numbers; unauthorized users can access company network – Employees who give out passwords
  • Other Security Policy Topics• Passwords • Secure use of office-owned• Encryption laptop computers• Restrictions on removable • Wireless security media • Use of VPNs• ASPs • Key policy• Acceptable users
  • Defining Responses to Security Violations• Gather information on an incident response form• Define disciplinary action to be pursued if employees access the Internet improperly• Identify who to contact in case of intrusion
  • Educating Employees• Security User Awareness program• Advise workers of expectations and consequences• Make policies available on local network – Displayed as the standard screen-saver – Posted strategically
  • Presenting and Reviewing the Process• Keep reports short and concise• Give people ample time to respond after policy statement is issued
  • Amending the Security Policy• Change the security policy when: – The organization makes substantial changes in hardware configuration, or – The firewall is reconfigured in response to security breaches
  • What to look for in audit?• Are passwords difficult to crack?• Are there access control lists (ACLs) in place on network devices to control who has access to shared data?• Are there audit logs to record who accesses data?• Are the audit logs reviewed?• Are the security settings for operating systems in accordance with accepted industry security practices?• Have all unnecessary applications and computer services been eliminated for each system?• Are these operating systems and commercial applications patched to current levels?• How is backup media stored? Who has access to it? Is it up-to-date?• Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan? 32
  • What to look for in audit?• Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?• Have custom-built applications been written with security in mind?• How have these custom applications been tested for security flaws?• How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review? 33
  • Audit components• Preparation 10%• Reviewing Policy/Docs 10%• Talking/Interviewing 10%• Technical Investigation 15%• Reviewing Data 20%• Writing Up 20%• Report Presentation 5%• Post Audit Actions 10%(Source: Tech Support Alert website) 34
  • Audit Process• Security audit team reports directly to CEO or the Board of Directors• Types of security audits examples: – Firewall every 6 months – Network every year – Host every 3 months 35
  • Vulnerability Auditing• A vulnerability audit provides an assessment of the security weaknesses that are visible via the computer network• Audits can reveal vulnerabilities that can be exploited inside a security boundary by an authorized user or initiated from outside the security boundary by an illegitimate user• Importance – Once a patch is announced, an exploit will be available in 2-3 days for unpatched machines – On average, every 5 minutes, one un-patched machine is compromised
  • Steps to Vulnerability Auditing• Compile inventory of system nodes and services in a computer network• Identify the visible and exploitable weakness and vulnerabilities – Use the view of an attacker• Consolidate a report with vulnerability disclosures – IBMs X-Force severity classification – Common Vulnerability Scoring System (CVSS) classification
  • Compile Inventory• Obtain a network map, i.e. a network interconnection of all live hosts and attached devices which are being analyzed for security risks. – IP scanning or Host discovery is performed using system tools e.g. ping and traceroute, Internet Control Message Protocol (ICMP) queries. – System information is also provided using routing tables, nslookup (DNS information) – Other tools such as nmap, fping..
  • Identify Vulnerabilities• Check collected host information against publicly known vulnerabilities that may affect hosts• Perform vulnerability tests – CVA – Common Vulnerability Assessment • Focus on unauthorized access – SDA – Secure Device Assessment • Architectural review of device deployment, operating system configuration, etc – SEA – Secure Exploit Assessment • Similar to CVA + multi stage attacks
  • Produce a Report• Risk assess the vulnerability obtained• Suggest fixes and provide a vulnerability report
  • Host vs. Network based Vulnerability Auditing• Network based: focused on vulnerabilities visible and exploitable from network• Host based: focused on vulnerability inside configuration of the host
  • Host Assessment• Assessment software should be installed on each system that needs to be included• Looks for system level vulnerability such as – Insecure file permissions – Missing software patches – Noncompliant security policies – Backdoor and Trojan horse installations• The depth of the testing performed makes it the preferred method of monitoring the security of critical systems.• Downside is that they require a set of specialized tools for operating system and software patches being used and administrative access to each system being tested.
  • Network Assessment• Instead of analyzing the individual hosts for problems, this searches for common problems on any system connected to the network• Locates all live systems on the network, determines what network services are in use, and then analyzes those services for potential vulnerabilities. For example vulnerabilities on HTTP, FTP, SNMP• Unlike host assessment solutions, this process does not require any configuration changes on the system being assessed• Feasible for monitoring the security of large, complex networks of heterogeneous systems• Downside of these tools are: – Inability to detect certain type of backdoors – Complications in networks with firewalls – Inability to test for certain vulnerabilities – Can interfere with many devices (such as printers) – May use large amounts of bandwidth – Fill up disks with log files on the systems being assessed
  • Difference between IDS & Vulnerability Auditing• IDS monitors network traffic, picks out malicious attacks from normal data, and send out alerts when an attack is detected - > provide information after an attack has been detected• Vulnerability auditing provides information about a vulnerability before it is exploited to compromise a system, allowing administrators to fix the problem and prevent a possible intrusion
  • Essential Practices• Restrictive policy (using e.g., proxies and f/ws)• Redundant capacity (links) (over-provisioned)• Media diversity (e.g. radio and wire, Internet and PSTN)• Path diversity (e.g., mesh routing across multiple media)• Peer-to-peer (link) and End-to-end (layer 7) cryptography (e.g., SSH, SSL, other VPNs)• Layered defenses• Peer-to-peer mutual authentication (e.g., 2-way SSL) (may imply mutually trusted third-party)• COTS Crypto• Out-of-band (VPN) connection setup and control• Physical security of nodes and links
  • Best Practices• Run applications as an unprivileged user – This would result in a successful attacker only gaining the rights of this unprivileged user.• chroot apps to prevent access to unrelated data – MobileSafari does not need access to email or SMS msgs – MobileMail does not need access to browsing history• Add heap and stack address randomization – This will serve to make the development of exploits for vulnerabilities more difficult• Memory protection: no pages both writable and executable• Server software security modules – Server Operating System: IDS (autoblocker), anti-malware/rootkit, Real-time reports, incident alarm, access control monitor – Server software (web) : security modules (autoblocker, xss protection, bw throttling) – Network monitoring, packet filtering, application proxy• Periodic scanning• Manual inspection and test
  • In the News• Nigerian letter (419 Scams) still works: – Michigan Treasurer Sends 1.2MUSD of State Funds !!!• Many zero-day attacks – Google, Excel, Word, Powerpoint, Office …• Criminal access to important devices – Numerous lost, stolen laptops, storage media, containing customer information – Second-hand computers (hard drives) pose risk• Vint Cerf estimates ¼ of PCs on Internet are bots
  • Facts• In 1988, the Morris worm was the first Internet worm that was released. It only infected 10% of the computers• Code Red worm appeared in 2001 and used a vulnerability in Microsoft IIS web server and caused an estimated $2 billion damage• Slammer worm released in 2003 used a vulnerability in Microsoft SQL and infected 15% of the world’s computers in less than 10 minutes
  • The“2002 Computer Security Institute /FBI Computer Crime and Security Survey” Report• 90% of survey respondents (primarily larger corporations) detected computer security breaches. Respondents reported a wide range of attacks:• 44% detected system penetration from the outside• 44% detected denial of service attacks• 76% detected employee abuse of Internet access privileges• 85% detected computer viruses, worms, etc.• 80% acknowledged financial losses due to computer security breaches• 44% were willing and/or able to quantify their financial losses (these losses were $455 million).• Most serious losses occurred through theft of proprietary information and financial fraud.• 74% cited their Internet connections as a frequent point of attack and 33% cited their internal systems ands frequent point of attack• 34% reported intrusions to law enforcement (up from only 16% in 1996)
  • Current Trends• Malware, worms, and Trojan horses – spread by email, instant messaging, malicious or infected websites• Botnets and zombies – improving their encryption capabilities, more difficult to detect• Scareware – fake/rogue security software• Attacks on client-side software – browsers, media players, PDF readers, etc.• Ransom attacks – malware encrypts hard drives, or DDOS attack• Social network attacks – Users’ trust in online friends makes these networks a prime target.• Cloud Computing - growing use will make this a prime target for attack.• Web Applications - developed with inadequate security controls• Budget cuts - problem for security personnel and a boon to cyber criminals.
  • Trends
  • Operating System Vulnerabilities
  • Reported Web Vulnerabilities "In the Wild"(Data from aggregator and validator of NVD-reported vulnerabilities)
  • Web vs System vulnerabilities XSS peak
  • Botnet Lifecycle• Propagation – Compromised host activity – Network probe and other activity – Recognizable activity on newly infected host
  • Recent Malware Distribution• Blogs are widely used - 184 Million blogs world-wide - 73% of internet users have read a blog - 50% post comments• Blogs have automated Linkbacks - Facilitate cross-referencing - Exploited by spammers One blog spam can reach thousand of users
  • Web attack toolkit: MPack• Basic setup – Toolkit hosted on web server – Infects pages on that server – Page visitors get infected• Features – Customized: determines exploit on the fly, based on user’s OS, browser, etc – Easy to use: management console provides stats on infection rates – Customer care toolkit can be purchased with one-year support contract! 57
  • Traffic Hijacking Proxy intercepts Bank sends login request and adds page needed to log fields inWhen user submitsinformation, also sentto attacker SilentBanker
  • Steal cars with a laptop• NEW YORK - Security technology created to protect luxury vehicles may now make it easier for tech-savy thieves to drive away with them.• In April ‘07, high-tech criminals made international headlines when they used a laptop and transmitter to open the locks and start the ignition of an armor-plated BMW X5 belonging to soccer player David Beckham, the second X5 stolen from him using this technology within six months.• Beckhams BMW X5s were stolen by thieves who hacked into the codes for the vehicles RFID chips.
  • Other Advance Security News• iPhone Safari downloads malicious web page (2007) – Arbitrary code is run with administrative privileges – Can read SMS log, address book, call history, other data – Can perform physical actions on the phone. • system sound and vibrate the phone for a second • could dial phone numbers, send text messages, or record audio (as a bugging device) – Transmit collected data over network to attacker• Built-in backdoor or time-bomb by the programmer• Greed takes over eventually and the perpetrator gets caught
  • Social Engineering• Many attacks dont use computers – Call system administrator – Dive in the dumpster• Online versions – send trojan in email – picture or movie with malicious code• SMS message fraud?
  • Latest Issues• Cloud Computing – Hosted by 3rd party – Multitenancy – Security? – SLA? – Highly Available – Redundancy – Distributed (decentralized) resources
  • • Spam service• Rent-a-bot• Cash-out• Pump and dump• Botnet rental 6
  • Underground goods and servicesRank Last Goods and services Current Previous Prices1 2 Bank accounts 22% 21% $10-10002 1 Credit cards 13% 22% $0.40-$203 7 Full identity 9% 6% $1-154 N/R Online auction site 7% N/A $1-8 accounts5 8 Scams 7% 6% $2.50/wk - $50/wk (hosting); $25 design6 4 Mailers 6% 8% $1-107 5 Email Addresses 5% 6% $0.83-$10/MB8 3 Email Passwords 5% 8% $4-309 N/R Drop (request or offer) 5% N/A 10-50% of drop amount10 6 Proxies 5% 6% $1.50-$30 Credit: Zulfikar Ramzan
  • Law enforcement• Sean Smith – Melissa virus: 5 years in prison, $150K fine• Ehud Tenenbaum (“The Analyzer”) – Broke into US DoD computers – 6 months service, suspended prison, $18K fine• Dmitry Sklyarov – Broke Adobe ebooks – Prosecuted under DMCA