
Page 1: A Primer on Ethical Hacking & Information Security Education · PDF file · 2016-03-21A Primer on Ethical Hacking & Information Security Education Justin David Pineda CEH, ... •CS

21/03/2016

1

A Primer on Ethical Hacking & Information Security Education

Justin David Pineda CEH, GWAPT

March 2, 2016

Asia Pacific College

Speaker’s Profile

Name: Justin David Pineda

Occupation: Sr. Application Security Specialist, The Coca-Cola Company

Other occupation: Faculty, SoCIT APC

Educational background: MIS (APC), BS-CS (DLSU-Manila)

Certifications: Certified Ethical Hacker (CEH), GIAC Web Application Penetration Tester (GWAPT), Cisco Certified Network Associate (CCNA), CompTIA Security+, ISO 27002 (ISFS), IBM DB2 Associate, Microsoft Technology Associate (MTA) Security

Courses taught: INFOSEC, COMSEC1, COMSEC2, DATACOM, DATANET, ADVUNIX, PROGCON, OPESYS1, ITCONCE

Areas of expertise: Networking, infosec


Topics for today

• Some information security concepts

• Ethical hacking steps (and demo)

• Career in information security

In the news…

• Apple vs. FBI


In the news…



Some information security concepts

1 of 3

What is information security?

• Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats. (U.S. National Information Systems Security)


The CIA triad

The CIA Triad explained

• Confidentiality – Protection against unauthorized access.

• Integrity – Protection against unauthorized modification.

• Availability – Protection against Denial of Service (DoS).


Examples: (Determine the type of issue)

• A stranger is able to enter campus premises by using a fake ID and impersonating an employee.

• The school servers are down because there’s a blackout and there’s no generator.

• A student forges his course card to make it look like he got a passing score in a course.

• The school employs a guard who strictly checks people going in and out of the school building.

• A professor loses her Excel file containing the students’ grades. She didn’t back up her files.

Defense in Depth


Definition of Protection Past & Present

• PROTECTION = PREVENTION

• Example: Gate, Network Firewall

• Problem: What if the thief climbs over the gate?

• Problem 2: What if there is a DoS attempt against a web server on port 80?

Definition of Protection Past & Present

• PROTECTION = PREVENTION + (DETECTION + INCIDENT RESPONSE)

• Example: Motion detector tools, anti-virus for the host device, Intrusion Detection System (IDS) for the network.


Reality Check

• You cannot eliminate all risks.

• You do not have a lot of money to buy all controls to mitigate the risks.

• You need to prioritize.

Least Privilege

• A user/program must be able to access only the information and resources that are necessary for its legitimate purpose.

• It is the essence of all domains in information security.


Separation of Duties (SOD)

• The concept of having more than one person required to complete a task.

• Keys to the kingdom

• Example: How payroll is computed, approved, delivered etc.

Separation of Duties Example

• What will happen if the manager, the HR & finance are one and the same?

[Diagram: Manager, HR, Finance]
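Least privilege and separation of duties on the deck's payroll scenario, as an added example (not from the slides); the role names, the three payroll steps and the rule that each step needs a different person are assumptions made for this example.

```python
"""Added example: least privilege (each role only gets the actions its job
needs) plus separation of duties (compute, approve and release must be
performed by three different people). Roles and step names are assumed."""

# Least privilege: permissions granted per role, nothing more.
ROLE_PERMISSIONS = {
    "manager": {"compute"},
    "hr": {"approve"},
    "finance": {"release"},
}

# Separation of duties: no single person may perform two of these steps.
SOD_STEPS = ("compute", "approve", "release")


class PayrollRun:
    def __init__(self):
        self.done = {}  # step -> user who performed it

    def perform(self, user, roles, step):
        """Return True if `user` holding `roles` may perform `step` now."""
        allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
        if step not in allowed:
            return False  # least-privilege check failed
        if step in SOD_STEPS and user in self.done.values():
            return False  # same person already did another step: SoD violation
        self.done[step] = user
        return True


def run_payroll(actions):
    """Replay (user, roles, step) actions and report which were permitted."""
    run = PayrollRun()
    return [run.perform(user, roles, step) for user, roles, step in actions]
```

The "manager, HR and finance are one and the same" case from the slide is the second scenario: even a user holding all three roles is stopped at the second step.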


Physical Security

• Natural barriers

• Authentication (something you know, something you have, something you are)

• Gates and dogs

• Guards

Network Security

• Firewalls

• Intrusion Detection Systems (IDS)

• Unified Threat Management (UTM)

• Data Loss Prevention (DLP)


Host Security

• Port Security

• Anti-virus

• User access (standard, admin, super admin)

Application Security

• Encryption

• Patches, hotfixes


Other Important Security Terms

• Diversity of Defense

• Do not rely on a single brand of security device.

• Security through Obscurity

• A feeling of security that comes from hiding the asset and assuming that nobody else will think the same way.

• Cost Benefit Analysis (CBA)

• The cost of a safeguard or protection should not be greater than the value of the asset.

Ethical hacking steps

2 of 3


Is there such a thing as ethical hacking?

• A hacker exploits weaknesses in a computer system.

• Hacking or cracking which refers to unauthorized access into or interference in a computer system… (RA 8792, E-Commerce Law)

• Someone with an advanced understanding of computers and computer networks… (A Guide to the World of Computer Wizards)

• Ex. Hacking with a Pringles tube (from BBC News)

What separates good from bad hackers?

• They both exploit weaknesses in a computer system or network.

• The difference is – permission and scope.

• White hat – good guys

• Black hat – bad guys

• Gray hat – good in the morning; bad in the evening

• With this definition, what’s the classification of Anonymous?


Hacking trend…

Steps in Hacking

1. Reconnaissance

2. Scanning

3. Gaining Access

4. Maintaining Access

5. Covering Tracks


Reconnaissance

• Observation

• Research about your target

• Start from online tools

• Netcraft

• Archive

• Web Data Extractor

• Job opportunities

Scanning

• Look for open opportunities

• nmap, hping


Gaining & Maintaining Access

• Password Guessing

• Privilege Escalation

• Executing malicious code

• Copying files

Covering Tracks

• Delete or modify audit trails
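The detection half of "prevention + detection + incident response" applied to two items from the hacking steps above, password guessing and deleted audit trails, as an added example (not from the slides); the log line format, the failure threshold and the use of sequence numbers are assumptions for this example.

```python
"""Added example: the kind of rule an IDS or log monitor runs. It flags
password guessing (many failed logins from one source in a short window)
and covering tracks (audit records missing from the sequence).
Log format, threshold and window are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: "<seq> <ISO timestamp> <src_ip> <user> <result>"
SAMPLE_LOG = """\
1 2016-03-02T09:00:01 10.0.0.5 alice FAIL
2 2016-03-02T09:00:03 10.0.0.5 alice FAIL
3 2016-03-02T09:00:04 10.0.0.5 alice FAIL
4 2016-03-02T09:00:06 10.0.0.5 alice FAIL
5 2016-03-02T09:00:07 10.0.0.5 alice FAIL
6 2016-03-02T09:00:09 10.0.0.5 alice OK
7 2016-03-02T09:05:00 10.0.0.9 bob OK
10 2016-03-02T09:07:00 10.0.0.9 bob OK
"""


def parse(log_text):
    """Turn the text log into (seq, timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        seq, ts, ip, user, result = line.split()
        events.append((int(seq), datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Return (ip, user) pairs with at least `threshold` failures inside `window`."""
    alerts = set()
    failures = defaultdict(list)
    for _, ts, ip, user, result in events:
        if result != "FAIL":
            continue
        recent = failures[(ip, user)]
        recent.append(ts)
        recent[:] = [t for t in recent if ts - t <= window]  # age out old failures
        if len(recent) >= threshold:
            alerts.add((ip, user))
    return sorted(alerts)


def detect_missing_records(events):
    """Gaps in the sequence numbers mean records were deleted (covering tracks)."""
    seqs = [e[0] for e in events]
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in present]
```

A gap in the sequence is only detectable because the log carries monotonic record numbers; this is one reason audit logs are shipped to a separate, append-only host.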


Web Application Attacks

• A lot of people are using the Internet and doing transactions there.

• A lot of websites are never checked to see whether they are safe for users.

• It’s possible that an application follows proper coding standards but the versions/functions it relies on are vulnerable.

Usual attacks:

• SQL Injection

• Cross Site Scripting (XSS)

• Session Hijacking

• Directory Traversal

• Cross Site Request Forgery (CSRF)

• WebGoat demonstration

• Download it here - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
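The first of the usual attacks, SQL injection, shown as an unsafe query next to its parameterized fix, as an added example (not from the slides or from WebGoat); the in-memory SQLite table and its rows are constructed here.

```python
"""Added example: SQL injection, vulnerable query beside the fixed one.
The users table is constructed in memory for this example."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "student"), ("bob", "faculty")])
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable: the input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "ORDER BY username" % username)
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Fixed: a bound parameter is always sent as a value, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both versions on a constructed input of the kind a scanner sends."""
    conn = make_db()
    crafted = "x' OR '1'='1"
    return find_user_unsafe(conn, crafted), find_user_safe(conn, crafted)
```

The unsafe version returns every user for the crafted input because the WHERE clause became `username = 'x' OR '1'='1'`; the parameterized version looks for a user literally named `x' OR '1'='1` and finds none, which is exactly the behaviour a source code analyzer flags and a vulnerability scanner confirms.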


Web Application Security Advice

• Include security in all SDLC steps.

• Refer to the Open Web Application Security Project (OWASP) when writing web applications. https://www.owasp.org/

• Use both a source code analyzer and a vulnerability scanner to check the status of your application.

Career in information security

3 of 3


Information Security as a Discipline

• InfoSec is a relatively new field.

• It is starting to grow because a lot of businesses are transitioning to online.

• Virtual money is the same as physical money.

• There are still few professionals in this field.

• Supply is low, demand is high.

• CS and IT major courses are good infosec foundations.

• You can choose infosec as your thesis topic.

Security Certifications

• CompTIA – Security+

• EC-Council – Certified Ethical Hacker, Certified Security Analyst, Certified Hacking & Forensics Investigator etc.

• SANS – GIAC Certified Reverse Engineering Malware, Incident Handler, Intrusion Analyst etc.

• ISACA – Certified Information Systems Auditor etc.

• ISC2 – Certified Information Systems Security Professional (CISSP), etc.


Security or Freedom?

Privacy Issues

• Are we being watched?


Thank you very much.

Q&A

Justin David Pineda

Coca-Cola Philippines

http://justinpineda.com