
Information Security

By Hermawan - 20118081 h.kemis@gmail.com

Definition of Information Security


Every activity undertaken to protect information
Security is a process, not a product

Indonesia InfoSec Attack/Risk


Malicious Ware (Virus, Worm, Spyware, Keylogger, DoS, DDoS, etc.)
Spam, Phishing
Identity Theft
Data Leakage/Theft
Web Transaction Attack
Misuse of IT Resources
Regulatory Compliance

Information Security Concept


InfoSec Management Concept
Dimension of Information Security

Dimension of Information Security


People: Hiring, Awareness, Training/Education, Compliance, Relocation, Termination
Process (Security Management): Information Security Policy, Security Management Practices and Assurance Controls
Technology: Hardware, Software, Networking, Telecommunication

Why do we need Information Security?


Avoid the consequences of the impact of incidents caused by:

Disruption to the process
Financial damage / loss of assets / data
Damage to the image / reputation of the company
To suit the needs of business partners
Creating a public perception of IT security products
Handling threats and weaknesses of IT under optimal conditions
Regulation

Information according to ISO 27001/27002


Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.

Business Asset
Tangible Assets: Physical Assets, Software Assets
Intangible Assets: Information Assets (Electronic & Non-Electronic), Services, People, Company Image / Reputation

TCP/IP
An acronym that stands for Transmission Control Protocol/Internet Protocol. TCP/IP is the communications protocol suite of the Internet, the language the Internet speaks.

TCP/IP OSI 7 Layer


TCP/IP Attack
Basic Attacks:
Ping of Death
Land Attack
SYN Flood
Smurf
Man in the Middle Attack (MITM)
ARP Spoofing
etc.
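From the defender's side, the four packet-level attacks in this list each leave a recognisable signature in traffic. The following is an added example, not part of the original slides: a small detector run over constructed packet summaries; the tuple layout, the broadcast-address heuristic and the SYN-flood threshold are assumptions for illustration, not the output format of any real tool.

```python
# Added example: flag Land, Ping of Death, Smurf and SYN flood patterns in a
# constructed stream of packet summaries (not a real sniffer's output format).
from collections import defaultdict

# Constructed packet summaries: (proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, length)
PACKETS = [
    ("tcp", "10.0.0.5", 139, "10.0.0.5", 139, "S", 60),       # Land: source equals destination
    ("icmp", "10.0.0.9", 0, "10.0.0.1", 0, "", 65600),        # Ping of Death: oversized ICMP datagram
    ("icmp", "203.0.113.7", 0, "10.0.0.255", 0, "", 84),      # Smurf: echo request to broadcast
    # 20 distinct sources each leave a half-open SYN on port 80
    *[("tcp", f"198.51.100.{i}", 40000 + i, "10.0.0.1", 80, "S", 60) for i in range(1, 21)],
    ("tcp", "10.0.0.20", 51000, "10.0.0.1", 80, "S", 60),     # normal client: SYN ...
    ("tcp", "10.0.0.20", 51000, "10.0.0.1", 80, "A", 52),     # ... then completes the handshake
]

SYN_FLOOD_THRESHOLD = 15   # assumed: half-open SYNs per destination port before alerting
BROADCAST_SUFFIX = ".255"  # assumed: directed broadcast address of the sample /24 network


def detect(packets, syn_threshold=SYN_FLOOD_THRESHOLD):
    """Return a list of (attack_name, detail) alerts for the given packet summaries."""
    alerts = []
    half_open = defaultdict(set)  # (dst_ip, dst_port) -> sources that sent SYN but no ACK yet
    for proto, sip, sport, dip, dport, flags, length in packets:
        if sip == dip and sport == dport:
            alerts.append(("land", f"{sip}:{sport} addressed to itself"))
        if proto == "icmp" and length > 65535:
            alerts.append(("ping_of_death", f"{sip} sent a {length}-byte ICMP datagram"))
        if proto == "icmp" and dip.endswith(BROADCAST_SUFFIX):
            alerts.append(("smurf", f"{sip} echo request to broadcast {dip}"))
        if proto == "tcp" and "S" in flags and "A" not in flags:
            half_open[(dip, dport)].add(sip)           # pure SYN: connection now half-open
        elif proto == "tcp" and "A" in flags:
            half_open[(dip, dport)].discard(sip)       # ACK seen: this source finished the handshake
    for (dip, dport), sources in half_open.items():
        if len(sources) >= syn_threshold:
            alerts.append(("syn_flood", f"{len(sources)} half-open SYNs to {dip}:{dport}"))
    return alerts


if __name__ == "__main__":
    for name, detail in detect(PACKETS):
        print(f"[{name}] {detail}")
```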

Top 10 Wireless Attack


Reveal SSID
Eavesdropping
Bypass MAC Address Filtering
Encryption Attack
Authentication Attack
Client-to-Client Attack
MITM (Man in the Middle Attack)
Rogue Access Point
Wireless Denial of Service
Physical Damage or Theft

The OWASP Top 10 Web Application Security Risks for 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Non Technical Attack

Social Engineering
Shoulder Surfing
Dumpster Diving

Penetration Testing Phase

What is Penetration Testing

Penetration testing is the practice of a trusted third-party company attempting to compromise the computer network of an organization for the purpose of assessing its security.

A penetration tester is an ethical hacker who is hired to attempt to compromise the network of a company for the purpose of assessing its data security.

Attacker vs Penetration Tester


Attacker/Intruder                 Ethical Hacker (Penetration Tester)
No code of ethics                 Follows a strict code of ethics
Unauthorized                      Must have authorization
Attempts to bypass logging        Must log all activity
No report                         Must present a detailed report
Exploits vulnerabilities          Attempts to correct vulnerabilities
Bad guy                           Good guy

Type of Penetration
BlackBox Testing

Assumes no prior knowledge of the infrastructure or system to be tested.


WhiteBox Testing

Provides the penetration tester with complete knowledge of the infrastructure, network diagram, and IP address information.

GrayBox Testing

The penetration tester tests the system from both outside and inside.

Phases

Penetration testing consists of four phases

Planning Phase

Identification of contact individuals from both sides
Opening meeting to confirm the scope, approach and methodology
Agreement on specific test cases and escalation paths

Assessment Phase
1. Information Gathering
2. Network Mapping
3. Vulnerability Identification
4. Penetration
5. Gaining Access & Privilege Escalation
6. Enumerating Further
7. Compromise Remote Users/Sites
8. Maintaining Access
9. Covering Tracks

Report Phase

Describe the identified vulnerabilities
Provide a risk rating
Give guidance on the mitigation of the discovered weaknesses
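The report phase turns assessment findings into the three outputs above. The following is an added example, not part of the original slides: constructed findings are rated with a likelihood-by-impact matrix and rendered as a findings report; the 3x3 matrix, the rating thresholds and the sample findings are assumptions for illustration.

```python
# Added example: rate constructed penetration-test findings and render the
# report-phase outputs (description, risk rating, mitigation guidance).
LEVELS = {"low": 1, "medium": 2, "high": 3}   # assumed three-point scale for likelihood and impact


def risk_rating(likelihood, impact):
    """Likelihood x impact score: 1-2 -> Low, 3-4 -> Medium, 6-9 -> High (assumed matrix)."""
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


# Constructed findings: (title, affected host, likelihood, impact, mitigation guidance)
FINDINGS = [
    ("SQL injection in login form", "www.example.test", "high", "high",
     "Use parameterised queries and validate input server-side."),
    ("Telnet service exposed to the network", "10.0.0.12", "medium", "high",
     "Disable Telnet; administer the host over SSH with key-based authentication."),
    ("Directory listing enabled", "www.example.test", "low", "low",
     "Disable automatic directory indexing on the web server."),
]


def build_report(findings):
    """Return the findings report as text, highest risk first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rated = [(risk_rating(lik, imp), title, host, fix) for title, host, lik, imp, fix in findings]
    rated.sort(key=lambda row: order[row[0]])   # stable sort keeps input order within a rating
    lines = ["Penetration Test Report - Findings", ""]
    for n, (rating, title, host, fix) in enumerate(rated, 1):
        lines += [f"{n}. {title} ({host})", f"   Risk rating: {rating}", f"   Mitigation: {fix}", ""]
    return "\n".join(lines)


def summary(findings):
    """Count findings per risk rating for the executive summary."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for _title, _host, lik, imp, _fix in findings:
        counts[risk_rating(lik, imp)] += 1
    return counts


if __name__ == "__main__":
    print(build_report(FINDINGS))
    print("Summary:", summary(FINDINGS))
```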

Other Penetration Test Methods


Open Source Security Testing Methodology Manual (OSSTMM)
National Institute of Standards and Technology (NIST SP 800-42)
Information System Security Assessment Framework (ISSAF)
Open Web Application Security Project (OWASP)

Approach & Methodology

Information Gathering
Information gathering consists of collecting all possible information about the target of the security assessment to help the assessor to perform a thorough security evaluation.

Kinds of Information You Can Get

An assessor may be able to gain insight into the target network through:
Employees (name and number of employees, roles, positions and contact details)
Technology partners (technologies used, locations, computing platforms)
Business partners (involvement, location, their trust relationship, and so on)
Business/financial history, investments, and investor details
Web presence (name and number of domains, where they are hosted, etc.)
Physical locations (offices, data centers, partners, warehouses)
Network topology and architecture
Technologies being implemented on the network
E-mails, phone numbers, or any other personal information
Company location, product names, and names of senior managers in the company
IP block owned
Administration and maintenance contact for the target domain and IP block

Tools
Ping
Nmap (Network Mapper)
Nessus
Metasploit

Nmap (Network Mapping)


Produce a probable network topology for the target
Identify live hosts
Determine running services
OS fingerprinting

Nessus

The Nessus vulnerability scanner is the world-leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks.


Penetration

Gaining Access
Password Attacks
Exploit Framework

Metasploit

WHAT IS IT? The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Metasploit

WHAT DOES IT DO? The framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.

Interest
Develop Wireless Sensor Network for Medical Health Monitoring
802.1X for Wireless Local Area Network (Cryptography)
