Handout infosec defense-mechanism-y3dips

Information Security Defense Mechanism. Ahmad Muammar. Bali, 11 November 2011

description

Light version of the KOMINFO BIMTEK workshop "Teknik Pengamanan Sistem Informasi" (Information System Security Techniques) presentation file, Bali 11-11-11 (minus images, screenshots, PoC, video)

Transcript of Handout infosec defense-mechanism-y3dips

Page 1: Handout infosec defense-mechanism-y3dips

Information Security Defense Mechanism

Ahmad Muammar

Bali, 11 November 2011

Page 2: Agenda

• Introduction
• Information Security
• Information Security Defense Mechanism
  o Know the Enemy
    • Potential Enemy
    • Motives
    • Attack Vector
  o SANS Top Cyber Security Risk
  o Defence Mechanism
    • Education/Security Awareness
    • Security Update
    • Security Hardening
    • Security Policy
    • Security Devices/Tools
    • Backup

Page 3: Agenda

• Information Security Defense Mechanism
  o Attack Mechanism
    • Security Assessment
      o Vulnerability Assessment
      o Penetration Testing
• Demo
  o Showing some attacking scenarios
  o Showing most of the defense mechanisms
• Discussion

Page 4: Introduction

• Freelance IT Security Consultant
• More than 9 years in IT Security
• Founder of “ECHO”, one of the Indonesian hacker communities [i]
• Founder of “IDSECCONF”, the Indonesia Security Conference, in cooperation with KOMINFO [ii]
• More info:
  o http://me.ammar.web.id
  o @y3dips

[i] http://echo.or.id
[ii] http://idsecconf.org

Page 5: Information Security

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. [1]

[1] http://wikipedia.org

Page 6: Information Security

• Information
  o A set or collection of data that has meaning
• Level [2]
  o Non-Classified
    • Public Information
    • Personal Information
    • Routine Business Information
  o Classified
    • Confidential
    • Secret
    • Top Secret

[2] http://wikipedia.org

Page 7: Information Security

• Electronic Information
  o Information that is created, converted, duplicated, transmitted, and stored using electronic devices
• Electronic and Information Technology [3]
  Includes information technology and any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information. This includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

[3] http://www.washington.edu/accessit/articles?106

Page 8: Information Security Defense Mechanism

Page 9: Know Your Enemy

“Know your enemy and know yourself and you can fight a hundred battles without disaster.” Sun Tzu (Chinese general and author, b. 500 BC)

• Who are they, what are their motives, and how do they attack?

“You'll completely know a story if you know how it starts.”

Page 10: Potential Enemy

• Yourself
  Humans are the weakest link in security and a vulnerable target, whether as an administrator, a developer, or even a user.
• Hacker
  Highly skilled people, mostly known for their contributions to the IT world, but some hackers have their own motives and intentions.
• Cracker
  Most people label them the dark side of hackers: bad motives and destructive intent.

Page 11: Potential Enemy

• CyberSpies
  Cyber espionage is the act or practice of obtaining secrets without the permission of the holder of the information, from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage using illegal exploitation methods on the Internet, networks or individual computers through the use of cracking techniques and malicious software including Trojan horses and spyware. [4]
• CyberTerrorist
  Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub-national groups or clandestine agents. [5]

[4] http://wikipedia.org
[5] Mark Pollitt, FBI, http://www.crime-research.org/library/Cyber-terrorism.htm

Page 12: Potential Enemy

• CyberArmy
  The army service component for cyberspace and information operations, usually formed by a government.
• CyberActivist
  Cyberactivism is a means by which advanced information and communication technologies are used by individuals and groups to communicate with large audiences, galvanizing individuals around a specific issue or set of issues in an attempt to build solidarity towards meaningful collective action.
• ?
  Unknown specific targets, unknown agenda, unknown motives; e.g. WikiLeaks, Anonymous

Page 13: Motives

• Money
  Mostly the motive of crackers, cyber spies and cyber terrorists/gangs; they seek money in every action.
• Famous
  Mostly the motive of “script kiddies” with a low level of hacking skill; they only want to get famous, even the wrong way.
• Ideology/Nationality
  Fits a cyber army best, but cyber terrorists sometimes act on it too, and so do hackers.

Page 14: Motives

• War
  Fits a cyber army best, but cyber terrorists sometimes act on it too, and so do hackers.
• Knowledge
  The motive of hackers: they break things in order to learn, for many reasons, e.g. limited resources, limited time, and the beauty of the technology.
• Revenge
  Also a motive of “script kiddies”, who destroy things.

Page 15: Motives

• Zone-h version [6]

[6] http://www.zone-h.org/news/id/4737

Page 16: Attack Vector [7]

• Password (Authentication)
• Insecure Infrastructure
• Insecure Data Protection
• No Policy and Procedure
• Intrusion/Hacking
• Social Engineering

[7] http://www.slideshare.net/y3dips/y3dips-who-own-your-sensitive-information

Page 17: Attack Vector

• SANS Top Cyber Security Risks [8]
  o Client-side software that remains unpatched
    Exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.
  o Internet-facing websites that are vulnerable
    Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet.

[8] http://www.sans.org/top-cyber-security-risks

Page 18: Defense Mechanism

The mechanisms, strategies or techniques we use to mitigate attacks on information security.

Page 19: Education

• Improve Security Awareness
  Improve the knowledge and attitude that members of an organization possess regarding the protection of the physical and, especially, the information assets of that organization.
  Some organizations require formal security awareness training for all workers when they join the organization, and annually or periodically thereafter.

Page 20: Education

• Improve Security Awareness
  Make them understand that some people may deliberately or accidentally steal, damage, or misuse the data stored in the company's computer systems and throughout its organization. It is therefore prudent to protect the assets of the institution (information, physical, and personal) by trying to stop that from happening.

“Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks.” [9]

[9] According to the European Network and Information Security Agency (ENISA), via Wikipedia.org

Page 21: Security Updates

• Download and install the latest security updates
  Operating systems such as Microsoft Windows, Apple Mac OS X, GNU/Linux, Unix and other well-known operating systems release security updates, security advisories and notifications when a known security hole is found in the OS.
  Most attacks succeed because of missing security updates (see the SANS Top Cyber Security Risks).
  Well-known application vendors also release security patches and fixes.

Page 22: Security Updates

• Make sure your “in-house” application development team or vendor also supports fixes and compatibility.
• In most cases clients did not update their OS and applications because of compatibility with some “dead” (unsupported) application.
• Avoid using unsupported applications.

Page 23: Security Hardening

• Security hardening is usually the process of securing a system and application by reducing its attack surface (surface of vulnerability).
• Many OS and application vendors release security hardening guidelines, e.g.:
  o Linux Security Hardening Guide
  o Apache Web Server Security Hardening Guideline

Page 24: Security Hardening

• Some companies even create their own hardening guideline to match their security policy:
  o Adopt the public hardening guideline released by the vendor
  o Change the configuration to follow the company's needs
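An added example, not from the handout or the author's demo, of what "adopt the vendor guideline, then adapt it to your policy" looks like once it is automated: a small Python audit of an Apache httpd configuration against a hardening baseline. The BASELINE directives and values, and the two configuration fragments, are assumptions chosen for illustration (the hardened fragment is the weak one with the guide applied); adjust the baseline to your own policy.

```python
"""Hardening baseline check for an Apache httpd configuration.

Picks the directives a typical Apache hardening guide cares about out of a
configuration text and reports every deviation from the baseline. The
BASELINE is a starting point to adapt to your own policy; the two config
fragments at the bottom are constructed samples, not a real server's config.
"""
from __future__ import annotations
import re

# Directive -> accepted values (lower-cased). Edit to match your policy.
BASELINE = {
    "servertokens": {"prod"},     # do not advertise version and modules in Server:
    "serversignature": {"off"},   # no version footer on server-generated pages
    "traceenable": {"off"},       # TRACE has no use for clients; used in XST attacks
}


def parse_directives(conf: str) -> list[tuple[str, str]]:
    """Return (directive, value) pairs; comments, blank lines and <Block> tags are skipped."""
    pairs = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        pairs.append((name.lower(), value.strip()))
    return pairs


def audit_apache(conf: str) -> list[str]:
    """Return findings; an empty list means the config meets the baseline."""
    findings = []
    seen = {}
    for name, value in parse_directives(conf):
        seen[name] = value
        # Any Options line that turns Indexes on exposes directory listings
        if name == "options" and re.search(r"(^|\s)\+?indexes(\s|$)", value.lower()):
            findings.append(f"Options enables Indexes ('{value}'): directory listing exposed")
    for name, allowed in BASELINE.items():
        value = seen.get(name)
        if value is None:
            findings.append(f"{name}: not set; the baseline requires it to be explicit")
        elif value.lower() not in allowed:
            findings.append(f"{name}: is '{value}', expected one of {sorted(allowed)}")
    return findings


# Constructed sample: permissive, stock-looking configuration
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
<Directory /var/www>
    Options Indexes FollowSymLinks
</Directory>
"""

# Constructed sample: the same fragment after applying the hardening guide
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory /var/www>
    Options -Indexes +FollowSymLinks
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_apache(conf) or "OK")
```

Run on the weak fragment it reports four deviations (directory listing, ServerTokens, ServerSignature, missing TraceEnable); on the hardened one it reports none. The parser is deliberately flat: it does not model Include files or per-vhost overrides, which a production check would have to follow.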

Page 25: Security Policy [10]

• A security policy is a definition of what it means to be secure for a system, organization or other entity.
  o For an organization, it addresses the constraints on the behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls.
  o For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs, and access to data by people.

[10] Wikipedia.org

Page 26: Security Policy

• The well-known standards are ISO 27001 and ISO 27002, where security policy is one of the main sections (of 12 main sections)
  o ISO 27001: certifiable standard
  o ISO 27002: advisory standard

Page 27: Security Policy

• Example: Defense against Virus Attacks
  Policy Statement: “Without exception, Anti Virus software is to be deployed across all PCs with regular virus definition updates and scanning across servers, PCs and laptop computers.”
  BS ISO/IEC 27001:2005 Reference: A.10.4 Protection against malicious and mobile code
  Purpose: The purpose of this policy is to defend the organization against virus attacks.
  Guidelines

Page 28: Security Devices/Tools

• Notice: never entrust the security of your information to a device alone.
• Security Devices
  A set of devices that help to mitigate/minimize attack activity. Examples:
  1. Firewall
  2. Intrusion Detection System (IDS)
  3. Intrusion Prevention System (IPS)

Page 29: Security Devices/Tools

• Security Tools
  A set of applications/tools that help to secure your infosec infrastructure:
  1. Hardening tools, e.g. Bastille
  2. Anti-virus
  3. Anti-malware
  4. Anti-spam
  5. Integrity checker (Tripwire)
  6. Rootkit hunter (rkhunter)
  7. Encryption tools (TrueCrypt, GPG, OpenSSL)
  8. Password manager (KeePass)
  9. More and more...
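What an integrity checker such as Tripwire (item 5 above) actually does, as an added Python example that is neither the handout's code nor Tripwire's: take a baseline of every file's digest, size and permission bits, then diff a later snapshot against it. The sample tree and the simulated intrusion in demo_run() are constructed for the demo.

```python
"""Tripwire-style file integrity checker.

Records a baseline (SHA-256, size, permission bits) for every regular file
under a directory, then compares a later snapshot against it and reports
added, removed and modified files. demo_run() builds a constructed sample
tree and simulates an intruder; nothing here is taken from Tripwire itself.
A real deployment keeps the baseline on read-only or off-host storage: a
baseline the intruder can rewrite proves nothing.
"""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]   # (sha256 hex, size in bytes, permission bits)


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, Entry]:
    """Map relative path -> Entry for every regular file under root (symlinks skipped)."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (file_digest(p), st.st_size, st.st_mode & 0o7777)
    return snap


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify differences the way an integrity report does."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo_run() -> Dict[str, List[str]]:
    """Constructed sample: baseline a small tree, then simulate an intrusion."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "bin/ls": b"\x7fELF original ls",
            "var/log/auth.log": b"Accepted publickey for admin\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = snapshot(root)

        # Intruder: trojaned ls, extra uid-0 account, wiped log, dropped shell script
        (root / "bin/ls").write_bytes(b"\x7fELF trojaned ls")
        with (root / "etc/passwd").open("ab") as f:
            f.write(b"backdoor:x:0:0::/:/bin/bash\n")
        (root / "var/log/auth.log").unlink()
        (root / "tmp").mkdir()
        (root / "tmp/.sh").write_bytes(b"#!/bin/sh\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo_run().items():
        print(f"{kind}: {paths}")
```

Permission bits are part of the entry on purpose: a SUID bit added to an otherwise unchanged binary is a classic rootkit trace that a digest-only check misses. Like the real tool, this only detects change; it cannot say whether a change was legitimate, which is why the baseline has to be refreshed after every patch cycle (see Security Updates).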

Page 30: Backup

• Backup, or the process of backing up, is making copies of data which may be used to restore the original after a data loss event.
  o Restore after data loss.
  o Restore to a previous (working) state.
• Securing your backup is even more important than making the backup itself.
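One concrete piece of "securing your backup", as an added Python example that is not part of the handout: a manifest of per-file digests sealed with HMAC-SHA256 under a key that is kept off the backup media, checked before any restore. The key value, file names and contents in demo_run() are constructed; encrypting the backup itself (e.g. with GPG from the tools list) is a separate layer not shown here.

```python
"""Authenticated backup manifest: a concrete form of "secure your backup".

A backup you cannot trust is dangerous: restoring a tampered archive puts
the intruder's changes straight back onto the recovered system. This writes
a manifest of SHA-256 digests for every file in a backup set and seals it
with HMAC-SHA256 under a key kept off the backup media, so verify_backup()
can refuse a restore when a file or the manifest itself has been altered.
demo_run() uses a constructed sample tree and a constructed key.
"""
from __future__ import annotations
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def digest_tree(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 hex for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(root: Path, key: bytes) -> bytes:
    """Serialize the digests and append an HMAC tag computed with the off-media key."""
    body = json.dumps(digest_tree(root), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def verify_backup(root: Path, key: bytes, manifest: bytes) -> Tuple[bool, List[str]]:
    """Return (ok, problems). A restore must not proceed unless ok is True."""
    body, _, tag = manifest.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time compare so the tag check does not leak through timing
    if not hmac.compare_digest(expected, tag):
        return False, ["manifest tag invalid: manifest edited or wrong key"]
    wanted = json.loads(body)
    actual = digest_tree(root)
    problems = [f"modified or missing: {p}" for p, d in wanted.items() if actual.get(p) != d]
    problems += [f"unexpected file: {p}" for p in actual if p not in wanted]
    return not problems, problems


def demo_run() -> Dict[str, bool]:
    """Constructed sample: a clean verify, a tampered file, and a forged manifest."""
    key = b"constructed-demo-key; generate and keep it off the backup host in practice"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db.sql").write_text("CREATE TABLE users(id INT, name TEXT);\n")
        (root / "etc.tar").write_bytes(b"constructed stand-in for a tar archive")
        manifest = sign_manifest(root, key)
        clean_ok = verify_backup(root, key, manifest)[0]

        # An intruder with write access to the backup share alters a file...
        (root / "db.sql").write_text("CREATE TABLE users(id INT, name TEXT);\n"
                                     "INSERT INTO users VALUES(0, 'backdoor');\n")
        tampered_ok = verify_backup(root, key, manifest)[0]

        # ...and then rewrites the manifest to match, but without the real key
        forged = sign_manifest(root, b"wrong-key")
        forged_ok = verify_backup(root, key, forged)[0]
        return {"clean": clean_ok, "tampered_file": tampered_ok, "forged_manifest": forged_ok}


if __name__ == "__main__":
    print(demo_run())
```

The point of the HMAC rather than a plain checksum file is the third case: an intruder who can write to the backup share can also rewrite a checksum file, but cannot produce a valid tag without the key, so the forgery is caught at restore time.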

Page 31: Attack Mechanism

Sometimes, to defend, you need to attack.

Page 32: Attack Mechanism

• Hack (attack) your own infrastructure before someone else does.
• Do the security assessment.

Page 33: Security Assessment

A way to validate/check the level of security of every aspect of the IT infrastructure.
Also to ensure that the necessary security controls are integrated into the design and implementation.
And to prepare for further improvement.

Page 34: Security Assessment

• Vulnerability Assessment
  A vulnerability assessment is usually carried out with a security vulnerability scanner. Most products test the operating system type, applications, patch level, user accounts and more.
  A vulnerability scanner identifies common security configuration mistakes and common attacks.
• Penetration Test
  When a “hacker” does the attacker's work.
  The only goal is to get as much as possible and as deep as possible into the system.
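The patch-level check that both the Security Updates slides (pages 21 and 22) and the vulnerability assessment above rely on, as one added Python example that is not the handout's code and not any scanner product's: compare what is installed against vendor advisories and flag what is still open, including the "unsupported application" that no update cycle will ever fix. The package names, versions and ADV-* identifiers are constructed sample data, not real advisories.

```python
"""Patch-level check of the kind an authenticated vulnerability scanner does.

Compares the package versions installed on a host against vendor security
advisories and lists the advisories that still apply. The inventory and the
advisories below are constructed sample data; the ADV-* identifiers are
hypothetical, not real advisory or CVE numbers.
"""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    ident: str           # hypothetical advisory id
    package: str         # affected package name
    fixed_version: str   # first version that carries the fix ("" when none)
    eol: bool = False    # True when the vendor will never ship a fix


def version_key(version: str) -> list[tuple[int, object]]:
    """Split '2.2.14-5' into comparable chunks so that 2.2.10 > 2.2.9.

    Numeric runs compare as integers, letters as strings; the leading flag
    keeps Python from comparing int with str. This is a simplification:
    real scanners use the distribution's own rules (dpkg, rpm).
    """
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|[A-Za-z]+", version)]


def missing_patches(inventory: dict[str, str], advisories: list[Advisory]) -> list[str]:
    """Return the ids of advisories that apply to this host.

    An advisory applies when the package is installed and its version is
    older than the fixed one, or when no fix exists at all: the slides'
    "unsupported application" case, which no update cycle will ever close.
    """
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue
        if adv.eol or version_key(installed) < version_key(adv.fixed_version):
            findings.append(adv.ident)
    return findings


# Constructed sample: one host's installed packages (name -> version)
HOST_INVENTORY = {
    "openssh-server": "5.3p1-3",
    "apache2": "2.2.14-5",
    "legacyapp": "1.0",      # hypothetical in-house application, vendor gone
}

# Constructed sample advisories with hypothetical identifiers
ADVISORIES = [
    Advisory("ADV-0001", "openssh-server", "5.3p1-3"),   # already at fixed version
    Advisory("ADV-0002", "apache2", "2.2.16-1"),          # installed version is older
    Advisory("ADV-0003", "legacyapp", "", eol=True),      # no fix will ever ship
    Advisory("ADV-0004", "php5", "5.3.3-1"),              # package not installed
]

if __name__ == "__main__":
    for ident in missing_patches(HOST_INVENTORY, ADVISORIES):
        print("missing:", ident)
```

On the sample host this reports ADV-0002 (patch available, not applied) and ADV-0003 (no patch will ever exist). The second finding is the one that only a policy can close: the application has to be replaced or isolated, which is the point of the "avoid using unsupported applications" slide.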

Page 35: Demo

Maybe this is how it all ends

Page 36: Demo

• Showing some attacking scenarios
  We will see how an attacker makes a way in
• Showing most of the defense mechanisms
  We will see how to do the security hardening and configuration

Page 37: Discussion

Question and Answer