
Information Security


Presentation Transcript


  1. Information Security Direktorat Komunikasi dan Sistem Informasi Institut Pertanian Bogor

  2. Security Threat

  3. Security Principle
  • Authentication
  • Authorization or Access Control
  • Privacy / confidentiality
  • Integrity
  • Availability
  • Nonrepudiation
  • Auditing

  4. Security Components
  • Network security: focused on the channel (medium) that carries the information, or the path it travels.
  • Application security: focused on the system's applications, including their databases and services.
  • Computer security: focused on the security of the end system, including the operating system (OS).

  5. Vulnerabilities
  There are three basic security weaknesses:
  • Technology weaknesses
  • Configuration weaknesses
  • Security policy weaknesses

  6. Threat types:

  7. Network Threat

  8. Type of Network Attacks

  9. Reconnaissance Attacks

  10. Access Attack

  11. DoS Attack

  12. DoS: SYN Attack

  13. DDoS

  14. Application Threats

  15. Web Application Threat
  • Injection Flaws
    • SQL Injection, XPATH Injection, etc.
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Cross Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Insufficient Transport Layer Protection
  • Insecure Communications

  16. XSS

  17. Cross-Site Scripting (XSS) Attacks
  • Malicious code that can change the look and function of a legitimate web application
  • Originates from old phishing attacks, but is less obvious and more dangerous to the user/victim
  • More widespread now because of the move to richer Internet applications using dynamic content, JavaScript and the latest AJAX trend

  18. Cross-Site Scripting Illustrated
  (Diagram: attacker, application with stored XSS vulnerability, victim; application labels: Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code)
  1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server.
  2. Victim views the page and sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies.
  3. The script silently sends the victim's session cookie to the attacker.

  19. Cross-Site Scripting (XSS) Attacks

  20. The Impact of XSS
  • Data residing on the web page can be sent anywhere in the world, including cookies!
  • Facilitates many other types of attacks: Cross-Site Request Forgery (CSRF), Session Attacks (more later)
  • Your site's behavior can be hijacked

  21. SQL INJECTION

  22. What is SQL Injection?
  The ability to inject SQL commands into the database engine through an existing application.

  23. Example: SQL Injection Illustrated
  (Diagram: attacker, application, database; application labels: Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code)
  1. Attacker sends data containing SQL fragments: the attacker enters SQL fragments into a web page that uses the input in a query.
  2. The application sends the modified query to the database, which executes it.
  3. Attacker views unauthorized data.

  24. Vulnerable Applications
  • Almost all SQL databases and programming languages are potentially vulnerable
    • MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc.
  • Accessed through applications developed using:
    • Perl and CGI scripts that access databases
    • ASP, JSP, PHP
    • XML, XSL and XSQL
    • JavaScript
    • VB, MFC, and other ODBC-based tools and APIs
    • DB-specific web-based applications and APIs
    • Reports and DB applications
    • 3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
    • many more

  25. SQL Injection Attacks: Login Example Attack
  Text in blue is your SQL code, text in orange is the hacker input, black text is your application code.
  Login: Password:
  Dynamically built SQL string performing authentication:
  "SELECT * FROM users WHERE login = '" + userName + "' and password= '" + password + "'";
  Hacker logs in as: ' or 1 = 1; --
  Resulting query: SELECT * FROM users WHERE login = '' or 1 = 1; --' and password=''

  26. SQL Injection Characters
  • ' or "                   string indicators
  • -- or #                  single-line comment
  • /*…*/                    multi-line comment
  • +                        addition, concatenate (or space in a URL)
  • || (double pipe)         concatenate
  • %                        wildcard attribute indicator
  • ?Param1=foo&Param2=bar   URL parameters
  • PRINT                    useful as a non-transactional command
  • @variable                local variable
  • @@variable               global variable
  • waitfor delay '0:0:10'   time delay

  27. Cross Site Request Forgery (CSRF) “A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.”

  28. CSRF Illustrated
  (Diagram: attacker, application with CSRF vulnerability, victim; application labels: Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code)
  1. Attacker sets the trap on some website on the internet (or simply via an e-mail): a hidden <img> tag contains the attack against the vulnerable site.
  2. While logged into the vulnerable site, the victim views the attacker's site: the <img> tag is loaded by the browser and sends a GET request (including credentials) to the vulnerable site.
  3. The vulnerable site sees a legitimate request from the victim and performs the action requested.

  29. CSRF Example
  • A hacker posts to a message board containing an image tag:
    <img src="http://yourbank.com/transfer?to_account=my_account_number&amount=all_of_your_money">
  • An unsuspecting user logs into yourbank.com and authenticates
  • The user then visits said message board
  • A request is issued from the victim's browser to the bank's website
  • The bank's website transfers the user's money to the hacker's account

  30. Broken Authentication Illustrated
  (Diagram: user, site with URL rewriting, hacker's site; application labels: Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code)
  1. User sends credentials.
  2. Site uses URL rewriting (i.e., puts the session in the URL): www.boi.com?JSESSIONID=9FA1DB9EA...
  3. User clicks on a link to http://www.hacker.com in a forum.
  4. Hacker checks referrer logs on www.hacker.com and finds the user's JSESSIONID.
  5. Hacker uses the JSESSIONID and takes over the victim's account.

  31. Insecure Communications Illustrated
  (Diagram: External Victim, Business Partners, Employees, Backend Systems, Custom Code, External Attacker)
  1. External attacker steals credentials and data off the network.
  2. Internal attacker steals credentials and data from the internal network.

  32. End Devices Threat

  33. End Devices Vulnerabilities
  • OS or NOS vulnerabilities
  • OS/NOS/firewall settings
  • Unintended services

  34. End Devices Threat
  • A worm executes code and installs copies of itself in the memory of the infected computer, which can, in turn, infect other hosts.
  • A virus is malicious software that is attached to another program for the purpose of executing a particular unwanted function on a workstation.
  • A Trojan horse is different from a worm or virus only in that the entire application was written to look like something else, when in fact it is an attack tool.
  • There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux.

  35. Threat Prevention

  36. NOS Hardening: Linux
  • Starts with choosing the distro and preparing that OS's installer CD
  • Partition the hard disk (/tmp /var /home /boot)
  • Install a minimal set of packages and update
  • Disable services that are not used
  • Remote login hardening: use SSH (SSH protocol v2)
  • Brute-force protection for SSH: strong passwords & iptables
  • Set up iptables and SELinux as the host firewall
  • Update the kernel

  37. NOS Hardening: Windows
  • Restrict group membership
  • Restrict permissions
  • Software Restriction Policy
  • Disable services that are not used (not merely STOP them)
  • Microsoft Solution for Securing Win2000 Server (MSS Security)
  • Security tools (Resource Kit): Xcacls, Auditpol, EventComb, NetLogon Debug

  38. Web Server Hardening: Apache
  • Security settings in httpd.conf
    • General options
      • UserDir enabled
      • UserDir disabled root
      • ServerTokens Prod
      • ServerSignature Off
    • Cross-site scripting protection (rejects the TRACE and TRACK methods)
      • RewriteEngine on
      • RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
      • RewriteRule .* - [F]
    • Limiting the resources of the apache user
    • Access control
      • Order allow,deny
      • Allow from all
      • Deny from 222.124 .hacker.com

  39. Web Server Hardening: Apache
  • Apache modules
    • mod_ssl for HTTPS
  • 3rd-party Apache modules
    • mod_security
    • mod_bandwidth or mod_throttle
    • mod_evasive
    • mod_hackprotect
    • mod_parmguard

  40. Application Hardening
  • Protecting PHP applications through php.ini
    • safe_mode = On
    • register_globals = Off
    • magic_quotes_gpc = On
    • display_errors = Off
    • disable_functions = phpinfo

  41. Preventing XSS
  • Escape all user input when it is displayed
  • Escaping converts the output to harmless HTML entities: <script> becomes &lt;script&gt;, but is still displayed as <script>

  42. Preventing CSRF
  • Require a confirmation page before executing potentially dangerous actions
  • Eliminate XSS vulnerabilities
  • Use POST as your form action and only accept POST requests on the server for sensitive data! Incoming CSRF requests will fail, since the parameter is in the URL and not in the POST body
  • You can protect yourself with RequestPolicy (Firefox extension)

  43. Preventing SQL Injection
  • Escape an apostrophe with two apostrophes (and a backslash with two backslashes for MySQL)
  • Make sure numeric fields really look like numbers
  • Do steps 1 and 2 not only on users' direct input, but on all non-constant variables
  • Check whether the inputs are within your expectations (e.g. 0 < age < 120, login id without spaces, etc.)
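As an added example (not part of the original slides), the login query from slide 25 written in Python with sqlite3: first built by string concatenation as the slide shows, then as a parameterised query, which removes the injection outright rather than escaping the apostrophe as slide 43 suggests; it also implements slide 43's numeric range check. The user table and its contents are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed in-memory user table (example data, not from the slides).
    # Plaintext passwords are kept only to mirror slide 25; real systems store hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_vulnerable(conn, user_name, password):
    """Slide 25's dynamically built SQL string: the input becomes part of the query text."""
    sql = ("SELECT * FROM users WHERE login = '" + user_name
           + "' and password= '" + password + "'")
    # The payload ' or 1 = 1; -- turns the WHERE clause into "login = '' or 1 = 1"
    # and comments out the password check, so every user row comes back.
    return conn.execute(sql).fetchall()

def login_safe(conn, user_name, password):
    """Parameterised query: values travel separately from the SQL text, so quotes,
    comments and 'or 1 = 1' stay inside the string value and are never parsed as SQL."""
    sql = "SELECT * FROM users WHERE login = ? and password = ?"
    return conn.execute(sql, (user_name, password)).fetchall()

def parse_age(value):
    """Slide 43's input checks: a numeric field must really look like a number and
    fall within expectation (0 < age < 120). Returns the int, or None if rejected."""
    if not value.isdigit():
        return None
    age = int(value)
    return age if 0 < age < 120 else None

if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1 = 1; --"
    print("vulnerable:", login_vulnerable(conn, payload, ""))  # every user row
    print("safe:      ", login_safe(conn, payload, ""))        # []
    print("age:", parse_age("42"), parse_age("42 or 1=1"), parse_age("150"))
```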

  44. Computer Hardening
  • Install anti-virus
  • Install anti-spyware
  • Update anti-virus

  45. Log Analysis
  • Log file formats, configuration, management
  • Why do log analysis?
    • Traffic analysis (internal and external)
    • Quality of Service analysis
    • Security audits
    • Performance analysis
    • Statistics, tracking, reporting
  • Free and commercial tools
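A defender-side example for the log analysis slides, added here and not part of the original deck: a parser for Apache's combined log format that flags the TRACE/TRACK requests refused by the rewrite rule on slide 38 and the SQL injection and XSS markers listed on slides 26 and 41. The sample log lines and addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format: client identd user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Markers from slide 26 and the XSS slides; a lone apostrophe is too noisy (o'neil), so it counts only before "or".
SQLI_RE = re.compile(r"(--|/\*|\bwaitfor\s+delay\b|'\s*or\s+)", re.IGNORECASE)
XSS_RE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)
BLOCKED_METHODS = {"TRACE", "TRACK"}  # the methods slide 38's rewrite rule refuses

def analyse_line(line):
    """Return the finding tags for one access-log line ([] if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable"]
    findings = []
    if m["method"] in BLOCKED_METHODS:
        findings.append("blocked-method:" + m["method"])
    # Decode %xx and '+' so encoded quotes and angle brackets are visible to the patterns.
    decoded = unquote_plus(m["path"])
    if SQLI_RE.search(decoded):
        findings.append("sqli-marker")
    if XSS_RE.search(decoded):
        findings.append("xss-marker")
    return findings

def analyse_log(lines):
    """Group findings by client address; clients whose requests are all clean are omitted."""
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        client = m["client"] if m else "unknown"
        for tag in analyse_line(line):
            report.setdefault(client, []).append(tag)
    return report

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.08"',
    '192.0.2.10 - - [10/Oct/2000:13:55:40 -0700] "GET /search?q=o%27neil HTTP/1.0" 200 512 "-" "Mozilla/4.08"',
    '198.51.100.7 - - [10/Oct/2000:13:56:01 -0700] "GET /login?user=%27+or+1+%3D+1%3B+--&pw= HTTP/1.0" 200 4096 "-" "curl/7.0"',
    '198.51.100.7 - - [10/Oct/2000:13:56:05 -0700] "TRACE / HTTP/1.0" 403 199 "-" "curl/7.0"',
    '198.51.100.7 - - [10/Oct/2000:13:56:09 -0700] "GET /profile?bio=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 1200 "-" "curl/7.0"',
]
```

Running `analyse_log(SAMPLE_LOG)` reports only the second client, with one tag per suspicious request; the apostrophe in `o'neil` is correctly left alone.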

  46. Log Analyzer

  47. Follow current threat trends: http://www.sans.org
