Ethical Hacking & Information Security


Ethical Hacking & Information Security
Justin David G. Pineda
Asia Pacific College

Topics for today:
Is there such a thing as ethical hacking?
What is information security?
What are the issues that need to be addressed?
Information security as a discipline
Do we need a cybercrime law?

About: Justin David Pineda
Lecturer at Asia Pacific College
Currently, Sr. Application Security Specialist at The Coca-Cola Company
In the past: Security Analyst, SilverSky
BS Computer Science, DLSU
Certifications earned: Certified Ethical Hacker (CEH), CompTIA Security+, ISO 27002 Foundation, Cisco Certified Network Associate, IBM DB2 Academic Associate, Microsoft Technology Associate (MTA) Security

Is there such a thing as ethical hacking?

Is there such a thing as ethical hacking?
A hacker exploits weaknesses in a computer system.
Hacking or cracking refers to unauthorized access into or interference in a computer system (RA 8792, E-Commerce Law).
A hacker is someone with an advanced understanding of computers and computer networks (A Guide to the World of Computer Wizards).
Ex. Hacking with a Pringles tube (from BBC News)

What separates good from bad hackers?
They both exploit weaknesses in a computer system or network.
The difference is – permission and scope.
White hat – good guys
Black hat – bad guys
Gray hat – good in the morning; bad in the evening
With this definition, what's the classification of Anonymous?

Hacking trend

Steps in Hacking
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

Reconnaissance
Observation
Research about your target
Start from online tools: Netcraft, Archive, Web Data Extractor
Job opportunities

Scanning
Look for open opportunities
nmap, hping

Firewalking

Gaining & Maintaining Access
Password Guessing
Privilege Escalation
Executing Malicious Codes
Copying files

Covering Tracks
Delete or modify audit trails

What is information security?

What is information security?
Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats. (U.S. National Information Systems Security)

The CIA triad

The CIA Triad explained
Confidentiality – Protection against unauthorized access.
Integrity – Protection against unauthorized modification.
Availability – Protection against Denial of Service (DoS)

Examples:

Remember the 3-way handshake!

Information Security vs. IT Security
Information Security has many domains: access control; telecommunications and network security; information security governance and risk management; software development security; cryptography; security architecture and design; operations security; business continuity and disaster recovery planning; legal, regulations, investigations and compliance; physical (environmental) security – from CISSP's domains on ISC2.
IT Security only focuses on software and hardware technologies.

Defense in Depth

Definition of Protection: Past & Present
PROTECTION = PREVENTION
Example: Gate, Network Firewall
Problem: What if the thief climbs over the gate?
Problem 2: What if there is a DoS attempt on a web server on port 80?

Definition of Protection: Past & Present
PROTECTION = PREVENTION + (DETECTION + INCIDENT RESPONSE)
Example: Motion detector tools, anti-virus for host device, Intrusion Detection System (IDS) for network.
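The port-80 problem from the previous slide is exactly where prevention alone fails: the firewall must let web traffic in, so a flood on that port can only be caught by the detection layer and handed to incident response. The example below is added here and is not code from the slides; it runs a simple rate-based detector over a constructed connection log (timestamps, source addresses and the threshold are all made-up values) and turns each detection into a response ticket.

```python
from collections import defaultdict, deque

# Constructed web-server connection log (not from the slides). Each line is
# "<epoch seconds> <source ip> <destination port>". Port 80 has to stay open, so a
# network firewall (prevention) passes this traffic; only detection can notice it.
SAMPLE_LOG = """\
100 203.0.113.5 80
100 198.51.100.7 80
101 203.0.113.5 80
101 203.0.113.5 80
102 203.0.113.5 80
103 203.0.113.5 80
104 198.51.100.7 443
105 203.0.113.5 80
106 203.0.113.5 80
"""

def detect_floods(log_text, port=80, window=5, threshold=5):
    """Detection layer: return {source ip: time first flagged} for sources that open
    at least `threshold` connections to `port` within any `window`-second span."""
    recent = defaultdict(deque)  # source ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ts_text, src, dport = line.split()
        ts = int(ts_text)
        if int(dport) != port:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:  # expire timestamps older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def response_plan(flagged):
    """Incident-response layer: turn each detection into a ticket line for the responder.
    Returns text rather than acting, so the blocking decision stays with a human."""
    return [f"t={ts}: investigate {src}, consider a temporary rate limit at the edge"
            for src, ts in sorted(flagged.items(), key=lambda item: item[1])]

if __name__ == "__main__":
    for action in response_plan(detect_floods(SAMPLE_LOG)):
        print(action)
```

The threshold and window are tuning knobs: set them too low and ordinary busy clients get flagged, too high and the flood is missed, which is the prioritization trade-off the next slide describes.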

Reality Check
You cannot eliminate all risks.
You do not have a lot of money to buy all controls to mitigate the risks.
You need to prioritize.

Least Privilege
A user/program must be able to access only the information and resources that are necessary for its legitimate purpose.
It is the essence of all domains in information security.

Separation of Duties (SOD)
The concept of having more than one person required to complete a task.
Keys to the kingdom
Example: How payroll is computed, approved, delivered, etc.
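The two slides above (least privilege and separation of duties) are easiest to tell apart in code. The example below is added here and is not from the slides: a hypothetical payroll workflow in which each step requires one specific role (least privilege) and no single person may perform two steps of the same run even when they hold both roles (separation of duties). The step names, roles and user directory are constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical payroll workflow (not from the slides) used to show the two controls in code.
STEPS = ["compute", "approve", "deliver"]  # a payroll run must pass these in this order
REQUIRED_ROLE = {"compute": "payroll_clerk", "approve": "finance_manager", "deliver": "treasury"}

# Constructed user directory. "dave" holds two roles: the "keys to the kingdom" case.
ROLES = {"alice": {"payroll_clerk"}, "bob": {"finance_manager"},
         "carol": {"treasury"}, "dave": {"payroll_clerk", "finance_manager"}}

class PolicyViolation(Exception):
    pass

@dataclass
class PayrollRun:
    run_id: str
    history: list = field(default_factory=list)  # (step, user) pairs already performed

    def next_step(self):
        return STEPS[len(self.history)] if len(self.history) < len(STEPS) else None

def perform(run, step, user, roles):
    """Apply one step of the run, or raise PolicyViolation with the reason."""
    if run.next_step() != step:
        raise PolicyViolation(f"{step}: expected {run.next_step()!r} next on run {run.run_id}")
    # Least privilege: the user needs the one role this step requires.
    if REQUIRED_ROLE[step] not in roles.get(user, set()):
        raise PolicyViolation(f"{user} lacks role {REQUIRED_ROLE[step]} needed for {step}")
    # Separation of duties: one person may not perform two steps of the same run,
    # even if (like dave) they hold the roles for both.
    if any(prev_user == user for _, prev_user in run.history):
        raise PolicyViolation(f"{user} already acted on run {run.run_id}")
    run.history.append((step, user))

def complete_run(run_id, actions, roles=ROLES):
    """Drive a run through [(step, user), ...]. Returns (finished, reason)."""
    run = PayrollRun(run_id)
    try:
        for step, user in actions:
            perform(run, step, user, roles)
    except PolicyViolation as exc:
        return False, str(exc)
    if run.next_step() is None:
        return True, "complete"
    return False, f"stopped before {run.next_step()}"
```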

Policies
HR Policies
Clean desk policy
Acceptable Use Policy
Internet policy
Data security policy
Password Policy

Physical Security
Natural barriers
Authentication (something you know, something you have, something you are)
Gates and dogs
Guards

Network Security
Firewalls
Intrusion Detection Systems (IDS)
Unified Threat Management (UTM)
Data Loss Prevention (DLP)

Host Security
Port Security
Anti-virus
User access (standard, admin, super admin)

Application Security
Encryption
Patches, hotfixes

What issues need to be addressed?

Focus on 2 critical issues
Social Engineering
Web Application Attacks

Social Engineering
Social engineering is the hacker/attacker's clever manipulation of the natural human tendency to trust to obtain information that will allow him to gain unauthorized access to a valued system. (Social Engineering Fundamentals)
90% of successful hacking activities are done using social engineering.

Steps in Social Engineering
Information Gathering
Developing Relationships
Stalk in social networking sites
Mail-outs
Forensic analysis
Facebook apps
Cognitive biases (returning the favor, shared interests)
Exploitation
People become less reasonable when in a state of shock or strong affect.

Types of Social Engineering Attacks
Physical: Shoulder surfing, Dumpster diving (ex. Argo), Tailgating, War driving, chalking, walking, etc.
Online: Phishing, Pharming, Spear phishing, Vishing

Countermeasures
Create, implement and harden security policies
Comply with physical security standards. This should be done periodically.
Resistance Training for specified employees
Social Engineering Land Mines (SANS, David Gragg): Are doors locked? Do security guards check all students for ID?
Security Awareness Training for employees. People easily forget policies. It needs enforcement.
Call-back policy, key questions, bogus questions
Incident Response

Web Application Attacks
A lot of people are using the Internet and doing transactions there.
A lot of websites are never checked for whether they are safe for users to use.
It's possible that applications follow proper coding standards but the versions/functions they use are vulnerable.

Usual attacks: SQL Injection, Cross Site Scripting (XSS), Session Hijacking, Directory Traversal, Cross Site Request Forgery (CSRF)
WebGoat demonstration
Download it here: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Web Application Security Advice
Include security in all SDLC steps.
Refer to the Open Web Application Security Project (OWASP) when writing web applications. https://www.owasp.org/
Use both a source code analyzer and a vulnerability scanner to check the status of your application.
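To make the first of the "usual attacks" and the source-code-analyzer advice concrete, the example below is added here and is not from the slides or WebGoat. It shows a login query built by string formatting next to the same query written with placeholders, plus a minimal analyzer rule of the kind a static scanner applies: flag any `.execute()` call whose statement is assembled from an f-string or concatenation. The table, accounts and passwords are constructed sample data (stored in clear only to keep the sample short).

```python
import ast
import inspect
import sqlite3

def make_db():
    """Constructed in-memory user table (sample data, not from the slides)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("student", "apc2014")])
    return db

def login_vulnerable(db, username, password):
    # User input is pasted into the statement text, so it can change the query's logic.
    row = db.execute(f"SELECT username FROM users WHERE username = '{username}' "
                     f"AND password = '{password}'").fetchone()
    return row[0] if row else None

def login_fixed(db, username, password):
    # Placeholders: the values travel separately from the SQL and are never parsed as SQL.
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None

def find_string_built_queries(source):
    """Minimal source-code-analyzer rule: report lines where .execute() receives an
    f-string or a '+'-built string instead of a fixed statement with placeholders."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and isinstance(node.args[0], (ast.JoinedStr, ast.BinOp))):
            hits.append(node.lineno)
    return hits

def audit(func):
    """Run the rule over a function's own source; returns the offending line numbers."""
    return find_string_built_queries(inspect.getsource(func))
```

A real analyzer tracks the string back through variables and helper functions; this rule only catches the statement built at the call site, which is why the slides recommend pairing it with a vulnerability scanner that tests the running application.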

Information Security as a Discipline

Information Security as a Discipline
InfoSec is a relatively new field.
It is starting to grow because a lot of businesses are transitioning to online.
Virtual money is the same as physical money.
There are still few professionals who are in this field. Supply is low, demand is high.
CS and IT major courses are good infosec foundations.
You can opt to choose infosec for your thesis.

Security Certifications
CompTIA – Security+
EC-Council – Certified Ethical Hacker, Certified Security Analyst, Certified Hacking & Forensics Investigator, etc.
SANS – GIAC Certified Reverse Engineering Malware, Incident Handler, Intrusion Analyst, etc.
ISACA – Certified Information Systems Auditor, etc.
ISC2 – Certified Information Systems Security Professional (CISSP), etc.

Do we need a cybercrime law?

Do we need a cybercrime law?
Of course, we need one.
R.A. 10175 or the Cybercrime Prevention Act is a mixture of several issues.
The Cybercrime Law should not only focus on the limitation of Freedom of Expression.
The Cybercrime Law should protect the people.

What kind of cybercrime law do we need?
A law that compels for-profit organizations like banks to follow certain best standards to protect client data found in bank accounts.
A law that compels telecom companies to ensure that data that pass through their infrastructure are sent to and received by the intended recipients.
A law that compels government offices to securely store personal data that are found in their computer systems.

Thank you very much.
Q&A
Justin David Pineda
Asia Pacific College
justinp@apc.edu.ph

Dec 04, 2014
