
SNIA2015 - Solo, Indonesia - Sarwono sutikno + yoko acc Cybersecurity Risk and Control - 14-16 april 2015 ver02


TRANSFORMING CYBERSECURITY, RISK AND CONTROL FOR EVOLVING THREATS

Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM

Cybersecurity Nexus Liaison

ISACA, Indonesia

Seminar Nasional Internal Audit, Solo, 14-16 April 2015


Current:

• Cybersecurity Nexus Liaison, ISACA Indonesia Chapter
• ISACA Academic Advocate at ITB
• SME for Information Security Standard for ISO at ISACA HQ
• Associate Professor at School of Electrical Engineering and Informatics, Institut Teknologi Bandung
• Chair of the IT Services and Governance WG, member of the Information Security WG, and member of Technical Committee 35-01, National Program for Standards Setting in Information Technology (Program Nasional Penetapan Standar bidang Teknologi Informasi), BSN – Kominfo

Past:

• Chair of the National ICT Evaluation Working Group, Dewan TIK Nasional (National ICT Council), 2007-2008
• Acting Director of System Operations, PPATK (Indonesia Financial Transaction Reports and Analysis Center, INTRAC), April 2009 – May 2011

Professional Certification:

• Professional Engineering (PE), the Principles and Practice of Electrical Engineering, College of Engineering, the University of Texas at Austin, 2000
• IRCA Information Security Management System Lead Auditor Course, 2004
• ISACA Certified Information System Auditor (CISA). CISA Number: 0540859, 2005
• Brainbench Computer Forensic, 2006
• (ISC)2 Certified Information Systems Security Professional (CISSP), No: 118113, 2007
• ISACA Certified Information Security Manager (CISM). CISM Number: 0707414, 2007

Award:

• (ISC)2 Asia Pacific Information Security Leadership Achievements (ISLA) 2011 award in category Senior Information Security Professional. http://isc2.org/ISLA


DEMO CASE BY YOKO ACC


SCENARIO

• Attacker: 131.107.1.101
• Victim 1: 131.107.1.200
• Victim 2: 172.101.101.3

• Victim 1: weak password
• Victim 2: JBoss default installation

• Video access:

http://kaminfo.id/demo/1-weak-password.mp4
http://kaminfo.id/demo/2-Jboss.mp4
http://kaminfo.id/demo/3-sshkey.mp4

First Scenario:

• The attacker runs a dictionary attack against the 1st victim. The victim has a weak-password problem.

• After taking over the server, the attacker looks at the victim's data/information.

• The attacker obtains the web server information (which is JBoss).

Second Scenario:

• The attacker uses the victim's machine to exploit the JBoss server (since the attacker doesn't know the password).

• The attacker gains access and can view the contents of the server.

Third Scenario:

• SSH key

Fourth Scenario: Antivirus AVG 2014 bypass https://youtu.be/d948ICBKee8


MANAGING ACCESS

Q and A:

• Q: What if the victim (on a Linux machine with root:toor) changes their password?

• A: The attacker just needs to:

1. Change into the target's .ssh directory.

2. Generate an authorized key on our machine and paste it into the target's .ssh.

If we do this, every time we want to connect to the target's machine via SSH we don't need to enter the password anymore, even if the target has already changed their password.


Q: Have you changed your password?

Q: Is it possible that the 2nd scenario happened on the Internet (not internally)?

Q: Have you ever looked at the authorized SSH keys on your server?

TEASER Q & A
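A defender-side check for the two SSH-key points above (the persistence answer under MANAGING ACCESS and the teaser question about authorized keys), written here as an added example that is not part of the slides or the presenter's demo: it parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints for each key, and reports every key that is not on an approved list. The key blobs, the sample file and the approved list are constructed for the example; ssh_fingerprint, parse_authorized_keys and audit_authorized_keys are hypothetical helper names.

```python
import base64
import hashlib
import struct

def ssh_fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint: base64(sha256(key blob)) with '=' padding removed."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(b64_blob)).digest()).decode().rstrip("=")

def _tokens(line):
    """Split on whitespace outside double quotes, so an option like from="a b" stays one token."""
    out, cur, quoted = [], "", False
    for ch in line:
        quoted ^= (ch == '"')
        if ch.isspace() and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    return out + ([cur] if cur else [])

def parse_authorized_keys(text):
    """Yield (options, key_type, b64_blob, comment) per key line; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        toks = _tokens(raw.strip())
        if not toks or toks[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(toks) if t.startswith(("ssh-", "ecdsa-sha2-", "sk-"))), None)
        if idx is None or idx + 1 >= len(toks):
            continue
        yield " ".join(toks[:idx]), toks[idx], toks[idx + 1], " ".join(toks[idx + 2:])

def audit_authorized_keys(text, approved):
    """Return one finding per key whose fingerprint is not in the approved set."""
    findings = []
    for opts, ktype, blob, comment in parse_authorized_keys(text):
        fp = ssh_fingerprint(blob)
        if fp not in approved:
            findings.append({"fingerprint": fp, "type": ktype, "options": opts, "comment": comment})
    return findings

def _fake_ed25519_blob(fill):
    """Constructed sample blob in OpenSSH wire format (length-prefixed type + 32 bytes); NOT a real key."""
    return base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32).decode()

ADMIN_KEY = _fake_ed25519_blob(1)  # the one key the admin team approved (constructed)
ROGUE_KEY = _fake_ed25519_blob(2)  # a key nobody approved, planted with login options and no comment (constructed)
SAMPLE_AUTHORIZED_KEYS = ("# constructed sample file\nssh-ed25519 " + ADMIN_KEY + " admin@workstation\n"
                          + 'from="10.0.0.0/8",no-pty ssh-ed25519 ' + ROGUE_KEY + "\n")
APPROVED = {ssh_fingerprint(ADMIN_KEY)}
```

In practice the text comes from each user's ~/.ssh/authorized_keys (and any AuthorizedKeysFile paths set in sshd_config) and the approved set from your key inventory; the fingerprints match what `ssh-keygen -lf` prints for the same file.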

NETWORK IS COMPROMISED

APT LIFE CYCLE

HOW FAST

TEN ASSESSMENT SCENARIOS

THREAT

ADAPTIVE ATTACK VECTOR

Security Issue | Security Solution | Adaptive Attack Vector
Single-factor authentication | Multifactor authentication | Break into token vendor
Malware writer, masquerade | Digital certificate | Break into a credible vendor
Antivirus approach (blacklisting) | Whitelisting | Break into application whitelisting vendor (Bit9)

RESPONSE

CYBERVULNERABILITIES, THREAT AND RISK

Vulnerability | Threat | Risk and Impact
Spear phishing | Attacker may gain access through phish payload or combined social-technical follow-up | Initial data loss or leakage leading to secondary impact
Water holing | Attacker may gain control of websites and subsequent control of visitors | Initial behavior errors leading to secondary impact
Wireless/Mobile APT | Compromise wireless channel to enable control | Partial or full control of wireless or mobile; direct/indirect impact on service and application
Zero-day | Use zero-day to circumvent defences | Partial/full control of application and underlying system
Excessive privilege | Inside attack | Full and (technically) legitimate control outside GRC, secondary impacts
Home user APT | Attack uses the home environment, which may be less well protected than the organization's environment | Partial or full control of wireless or mobile; direct/indirect impact on service and application

CYBERVULNERABILITIES IN CONTEXT

Vulnerability | Motive | Opportunity | Effort
Spear phishing | Financial, espionage, data theft, preparatory to main attack | Email access to target | Medium to high, depending on quality of phish
Water holing | Financial, espionage, data theft, preparatory to main attack | Email access to target, control of web sites | High, depending on precision of targeting
Wireless/Mobile APT | Financial, espionage, extortion, theft of personally identifiable information | Proximity to target | Low to medium
Zero-day | Financial, operational, data theft, extortion, control of technical infrastructure | Availability of suitable zero-day exploits, organized handling of exploit | Medium to high
Excessive privilege | Financial, personal, data theft, extortion, reputational | Deficiencies in IDM, corruption | Low to medium
Home user APT | Financial, espionage, extortion, theft of personally identifiable information | Physical or logical access to target | Low to high, depending on level of protection of target environment

PIRT

The CSX Liaison reports to the chapter president.

RISK-BASED CATEGORIZATION CONTROL

COBIT, ISO 38500

Internal Control Framework COSO

RELATIONSHIP BETWEEN FRAMEWORKS (HUBUNGAN ANTAR KERANGKA)

[Diagram of the frameworks and their relationships; the labels that survive are: PP 60/2008 Sistem Pengendalian Intern Pemerintah (Government Internal Control System); Tata Kelola TI (IT Governance); Manajemen TI (IT Management); Panduan Umum Tata Kelola TIK Nas+ (General Guidelines for ICT Governance); Kuesioner Evaluasi Pengendalian Intern TIK (ICT Internal Control Evaluation Questionnaire); SNI ISO 27001; SNI ISO 20000]

• Q&A

• isaca.org/cyber

• ISACA Cybersecurity Teaching Materials