Handout infosec defense-mechanism-y3dips



Light version of the presentation file from the KOMINFO workshop BIMTEK Teknik Pengamanan Sistem Informasi (Technical Guidance on Information System Security), Bali, 11-11-11 (images, screenshots, PoC and video removed)


1. Information Security Defense Mechanism
   Ahmad Muammar
   Bali, 11 November 2011
2. Agenda
   - Introduction
   - Information Security
   - Information Security Defense Mechanism
     - Know the Enemy
       - Potential Enemy
       - Motives
       - Attack Vectors
         - SANS Top Cyber Security Risks
     - Defense Mechanisms
       - Education / Security Awareness
       - Security Updates
       - Security Hardening
       - Security Policy
       - Security Devices / Tools
       - Backup
3. Agenda (continued)
   - Information Security Defense Mechanism
     - Attack Mechanism
       - Security Assessment
         - Vulnerability Assessment
         - Penetration Testing
   - Demo
     - Some attack scenarios
     - Most of the defense mechanisms
   - Discussion
4. Introduction
   - Freelance IT security consultant
   - More than 9 years in IT security
   - Founder of “ECHO”, one of the Indonesian hacker communities [i]
   - Founder of “IDSECCONF”, the Indonesia Security Conference, run in cooperation with KOMINFO [ii]
   - More info: @y3dips
5. Information Security
   - Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. [1]
6. Information Security
   - Information
     - A set or collection of data that has meaning
   - Classification levels [2]
     - Non-classified
       - Public information
       - Personal information
       - Routine business information
     - Classified
       - Confidential
       - Secret
       - Top Secret
7. Information Security
   - Electronic information
     - Information that is created, converted, duplicated, transmitted and stored using electronic devices
   - Electronic and information technology [3]
     - Includes information technology and any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion or duplication of data or information
     - Includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services) and related resources
8. Information Security Defense Mechanism
9. Know Your Enemy
   - “Know your enemy and know yourself and you can fight a hundred battles without disaster.” Sun Tzu (Chinese general and author, c. 500 BC)
   - Who are they, what are their motives, and how do they attack?
     - “You completely know a story only if you know how it started.”
10. Potential Enemy
   - Yourself
     - Humans are the weakest link in security and a vulnerable target, whether as an administrator, a developer or an ordinary user.
   - Hacker
     - Brilliant people, mostly known for their contributions to the IT world; some hackers, however, have their own motives and intentions.
   - Cracker
     - Most people label them the dark side of hacking: bad motives and destructive intent.
11. Potential Enemy
   - Cyber spies
     - Cyber espionage is the act or practice of obtaining secrets without the permission of the holder of the information, from individuals, competitors, rivals, groups, governments and enemies, for personal, economic, political or military advantage, using illegal exploitation methods on the Internet, networks or individual computers through cracking techniques and malicious software including Trojan horses and spyware. [4]
   - Cyber terrorists
     - Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against noncombatant targets by sub-national groups or clandestine agents. [5]
   [5] Mark Pollitt, FBI
12. Potential Enemy
   - Cyber army
     - The military service component concerned with cyberspace and information operations, usually formed by a government.
   - Cyber activists
     - Cyberactivism is a means by which advanced information and communication technologies are used by individuals and groups to communicate with large audiences, galvanizing individuals around a specific issue or set of issues in an attempt to build solidarity towards meaningful collective action.
   - ?
     - Unknown specific targets, unknown agenda, unknown motives; e.g. WikiLeaks, Anonymous
13. Motives
   - Money
     - Mostly the motive of crackers, cyber spies and cyber terrorists/gangs; they seek money in every action.
   - Fame
     - Mostly the motive of “script kiddies” with low hacking skills; they only want to become famous, even in the wrong way.
   - Ideology / nationality
     - Fits a cyber army perfectly, but cyber terrorists sometimes act on it too, and so do hackers.
14. Motives
   - War
     - Fits a cyber army perfectly, but cyber terrorists sometimes act on it too, and so do hackers.
   - Knowledge
     - The motive of hackers: they break things in order to learn, for many reasons, e.g. limited resources, limited time, and the beauty of the technology.
   - Revenge
     - Also a motive of “script kiddies”, carried out as destruction.
15. Motives
   - Zone-H version [6] (image omitted from this light version)
16. Attack Vectors [7]
   - Passwords (authentication)
   - Insecure infrastructure
   - Insecure data protection
   - Missing policies and procedures
   - Intrusion / hacking
   - Social engineering
17. Attack Vectors
   - SANS Top Cyber Security Risks [8]
     - Client-side software that remains unpatched
       - Exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.
     - Internet-facing websites that are vulnerable
       - Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet.
18. Defense Mechanism
   - The mechanisms, strategies or techniques we use to mitigate attacks on information security
19. Education
   - Improve security awareness
     - Improve the knowledge and attitude that members of an organization possess regarding the protection of its physical and, especially, information assets.
     - Some organizations require formal security awareness training for all workers when they join the organization and annually or periodically thereafter.
20. Education
   - Improve security awareness
     - Make people understand that some individuals may deliberately or accidentally steal, damage or misuse the data stored in the company's computer systems and throughout the organization, and that it is therefore prudent to protect the institution's assets (information, physical and personnel) by trying to stop that from happening.
     - “Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks.” [9]
   [9] European Network and Information Security Agency (ENISA)
21. Security Updates
   - Download and install the latest security updates
     - Operating systems such as Microsoft Windows, Apple Mac OS X, GNU/Linux, Unix and other well-known operating systems release security updates, security advisories and notifications when known security holes are found in the OS.
     - Most attacks succeed because of missing security updates (see the SANS Top Cyber Security Risks).
     - Well-known application vendors also release security patches and fixes.
22. Security Updates
   - Make sure your in-house application developers or vendors also provide fixes and compatibility updates.
     - In most cases a client did not update their OS and applications because of compatibility with some “dead” application.
     - Avoid using unsupported applications.
23. Security Hardening
   - Security hardening is the process of securing a system and its applications by reducing their surface of vulnerability (attack surface): removing what is not needed and tightening the configuration of what remains.
   - Many OS and application vendors release security hardening guidelines:
     - e.g. Linux security hardening guides
     - Apache web server security hardening guidelines
24. Security Hardening
   - Some companies even write their own hardening guideline to match their security policy:
     - Adopt the public hardening guideline released by the vendor
     - Change the configuration to fit the company's needs
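As an added example (not part of the original slides and not taken from any vendor guideline), the Python script below turns a hardening guideline into something checkable: it reads an sshd_config, compares the global settings against a small baseline, and rewrites the weak directives. The baseline directives, their expected values and the sample configuration are assumptions constructed for this example; a real baseline would be the vendor or company guideline discussed above. Two sshd details matter for correctness and are handled here: sshd uses the first value it sees for a keyword, and any directive after a Match line is conditional, so hardened values are inserted before the first Match block rather than appended at the end.

```python
"""Check an sshd_config against a hardening baseline and rewrite weak settings."""
import re

# Constructed baseline for this example: directives a typical hardening
# guideline asks for, with the value it expects. Not copied from any vendor doc.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",  # treated as an upper bound, not an exact match
}

_SPLIT = re.compile(r"[\s=]+")


def _directive(raw):
    """Return (keyword, value) for a config line, or None for blank/comment lines.
    sshd keywords are case-insensitive and may be separated by spaces or '='."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    parts = _SPLIT.split(line, maxsplit=1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()


def parse_global_sshd_config(text):
    """Effective global settings. sshd honours the FIRST value for a keyword,
    and everything after the first 'Match' line is conditional, so stop there."""
    settings = {}
    for raw in text.splitlines():
        d = _directive(raw)
        if d is None:
            continue
        key, value = d
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_sshd_config(text, baseline=BASELINE):
    """List (directive, actual, expected) for every setting that misses the baseline.
    actual is None when the directive is unset and the compiled-in default applies."""
    settings = parse_global_sshd_config(text)
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append((key, None, expected))
        elif key == "MaxAuthTries":
            if not actual.isdigit() or int(actual) > int(expected):
                findings.append((key, actual, expected))
        elif actual.lower() != expected.lower():
            findings.append((key, actual, expected))
    return findings


def harden_sshd_config(text, baseline=BASELINE):
    """Rewrite the global section so it satisfies the baseline.
    Global lines for baseline keywords are dropped and the required values are
    inserted before the first Match block; appending them after a Match line
    would silently make them conditional. Match blocks are left as written,
    since an override there is an explicit administrator decision to review."""
    keys = {k.lower() for k in baseline}
    out, rest = [], []
    in_match = False
    for raw in text.splitlines():
        d = _directive(raw)
        if d is not None and d[0] == "match":
            in_match = True
        if in_match:
            rest.append(raw)
        elif d is not None and d[0] in keys:
            continue  # weak or duplicate global directive: replaced below
        else:
            out.append(raw)
    out.append("# hardened settings")
    out.extend(f"{k} {v}" for k, v in baseline.items())
    return "\n".join(out + rest) + "\n"


# Constructed sample for this example, not taken from a real host.
WEAK_CONFIG = """\
# sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for key, actual, expected in check_sshd_config(WEAK_CONFIG):
        print(f"{key}: found {actual!r}, guideline wants {expected!r}")
    print(harden_sshd_config(WEAK_CONFIG))
```

Running the script reports five findings for the sample (the commented-out PermitEmptyPasswords counts as unset) and prints a configuration that passes the check, with the Match block for the backup user preserved below the hardened global section.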
25. Security Policy [10]
   - A security policy is a definition of what it means to be secure for a system, organization or other entity.
     - For an organization, it addresses constraints on the behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls.
     - For systems, the security policy addresses constraints on functions and the flow among them, constraints on access by external systems and adversaries (including programs), and access to data by people.
26. Security Policy
   - The well-known standards are ISO 27001 and ISO 27002; security policy is one of their main sections (12 main sections in total)
     - ISO 27001: certifiable standard
     - ISO 27002: advisory standard (code of practice)
27. Security Policy
   - Example:
     - Defense against virus attacks
     - Policy statement
       - “Without exception, anti-virus software is to be deployed across all PCs, with regular virus definition updates and scanning across servers, PCs and laptop computers.”
     - BS ISO/IEC 27001:2005 reference
       - A.10.4 Protection against malicious and mobile code
     - Purpose
       - The purpose of this policy is to defend the organization against virus attacks.
     - Guidelines
28. Security Devices / Tools
   - Note: never entrust your information security to devices alone.
   - Security devices
     - A set of devices that help to mitigate or minimize attack activity
     - Examples:
       - Firewall
       - Intrusion Detection System (IDS)
       - Intrusion Prevention System (IPS)
29. Security Devices / Tools
   - Security tools
     - A set of applications/tools that help to secure your infosec infrastructure
       - Hardening tools, e.g. Bastille
       - Anti-virus
       - Anti-malware
       - Anti-spam
       - Integrity checker (Tripwire)
       - Rootkit hunter (rkhunter)
       - Encryption tools (TrueCrypt, GPG, OpenSSL)
       - Password manager (KeePass)
       - And many more
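As an added example (not from the original slides and not Tripwire's own code), here is a minimal integrity checker in Python in the spirit of Tripwire and the "never trust a device alone" note above: it records a baseline of SHA-256 hashes, sizes and permission bits for a directory tree, reports files that were added, removed or modified, and seals the stored baseline with an HMAC so that an attacker who can edit the baseline cannot quietly update it to match a rootkit. The directory layout, file contents and key in `demo()` are constructed for this example; in practice the key and the sealed baseline belong on read-only or offline media, which is the same point the Backup slide makes about protecting the copy you will later trust.

```python
"""Tripwire-style file integrity checker with an HMAC-sealed baseline."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def _fingerprint(path):
    """Hash, size and permission bits of one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Map of path (relative to root) -> fingerprint for every regular file.
    Symlinks are skipped, not followed, so a planted link cannot pull files
    from outside the monitored tree into the baseline."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def compare(baseline, root):
    """Re-scan root and report differences against a trusted baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def _canonical(baseline):
    # Deterministic serialization so the HMAC is reproducible after a round trip.
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()


def seal_baseline(baseline, key):
    """Serialize the baseline with an HMAC-SHA256 tag. The key must live where
    the monitored host cannot write it (offline media, another host)."""
    tag = hmac.new(key, _canonical(baseline), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True)


def load_sealed_baseline(blob, key):
    """Verify the tag before trusting the stored baseline."""
    doc = json.loads(blob)
    expected = hmac.new(key, _canonical(doc["baseline"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: stored baseline was tampered with")
    return doc["baseline"]


def demo():
    """Constructed scenario: take a baseline, then simulate a compromise."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(root, "backup.sh"), "w") as fh:
        fh.write("#!/bin/sh\necho backup\n")

    key = b"constructed-demo-key"  # assumption: in real use kept off the host
    sealed = seal_baseline(build_baseline(root), key)

    # Simulated attacker: adds a uid-0 account, drops a tool, deletes a script.
    with open(os.path.join(root, "etc", "passwd"), "a") as fh:
        fh.write("evil:x:0:0::/:/bin/sh\n")
    with open(os.path.join(root, "rootkit"), "w") as fh:
        fh.write("x")
    os.remove(os.path.join(root, "backup.sh"))

    return compare(load_sealed_baseline(sealed, key), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from `demo()` lists `etc/passwd` as modified, `backup.sh` as removed and `rootkit` as added. Hashing alone would miss a permission change (for example a binary made setuid), which is why the fingerprint also records the mode bits.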
30. Backup
   - A backup, or the process of backing up, is making copies of data which may be used to restore the original after a data loss event.
     - Restore after data loss.
     - Restore to a previous (working) state.
   - Securing your backups is even more important than making the backup itself: a backup an attacker can read is a second copy of your data to steal, and one they can alter is a way back into the system you restore.
31. Attack Mechanism
   - Sometimes, to defend, you need to attack
32. Attack Mechanism
   - Hack (attack) your own infrastructure before someone else does.
   - Do a security assessment
33. Security Assessment
   - A way to validate/check the level of security of every aspect of the IT infrastructure.
   - Also ensures that the necessary security controls are integrated into the design and implementation.
   - Prepares the ground for improvement
34. Security Assessment
   - Vulnerability assessment
     - Usually carried out with a vulnerability scanner. Most products test the operating system type, applications, patch level, user accounts and more.
     - A vulnerability scanner identifies common security configuration mistakes and exposure to common attacks; it reports likely weaknesses rather than proving they are exploitable.
   - Penetration test
     - When a “hacker” does the attacker's work.
     - The only goal is to get in as far and as deep as possible, i.e. to actually break into the system.
35. Demo
   - Maybe this is how it all ends
36. Demo
   - Some attack scenarios
     - We will see how an attacker makes a way in
   - Most of the defense mechanisms
     - We will see how to do the security hardening and configuration work
37. Discussion
   - Question and answer