8/11/2015
1
7/30/2015
Justin David G. Pineda, CEH
Sr. Application Security Specialist, The Coca-Cola Company
July 31, 2015 | PATTS, Paranaque City

1. Need for information security
2. Core information security concepts
3. Ethical hacking and its steps
4. Moving forward in infosec
1 of 4: Need for information security
No sense of security in the web.
Logical infrastructure does not equate to physical infrastructure.
There is a need to implement a standardized information security program in the industry, government and academe.
2 of 4: Core information security concepts
Confidentiality – Protection against unauthorized access.
Integrity – Protection against unauthorized modification.
Availability – Protection against Denial of Service (DoS).

1. A visitor is able to enter an “Unauthorized Personnel Only” room.
2. A bank teller accidentally changes the account balance of a client.
3. A student tripped over the PC power cable, resulting in power and data loss.
4. A hacker is able to gain access to a legitimate account using password guessing.
5. The Anonymous group initiates a Distributed Denial of Service (DDoS) to bring down the PayPal website.
Natural barriers
Authentication (something you know, something you have, something you are)
Gates and dogs
Guards
HR policies
Clean desk policy
Acceptable Use Policy
Internet policy
Data security policy
Password policy

Firewalls
Intrusion Detection Systems (IDS)
Unified Threat Management (UTM)
Data Loss Prevention (DLP)
Port security
Anti-virus
User access (standard, admin, super admin)
Encryption
Patches, hotfixes
3 of 4: Ethical hacking and its steps
A hacker exploits weaknesses in a computer system.
Hacking or cracking, which refers to unauthorized access into or interference in a computer system… (RA 8792, E-Commerce Law)
Someone with an advanced understanding of computers and computer networks… (A Guide to the World of Computer Wizards)
Ex. Hacking with a Pringles tube (from BBC News)
They both exploit weaknesses in a computer system or network.
The difference is – permission and scope.
White hat – good guys
Black hat – bad guys
Gray hat – good in the morning; bad in the evening
With this definition, what’s the classification of Anonymous?
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks
Observation
Research about your target
Start from online tools
◦ Netcraft
◦ Archive
◦ Web Data Extractor
Job opportunities
Can you retrieve PATTS’ website in 2003?
Can I filter my search by just getting all PDF files related to graduate studies?
What are the server details of the website target?
Why include job opportunities as a method for reconnaissance?

Use Web Data Extractor (WDE). URL: http://www.webextractor.com/
Example: extracting contact details in Ateneo.
Look for open opportunities
nmap, hping
What are the open ports in a particular IP address? (corresponds to an organization)
What is the operating system and version being used?
Issue a traceroute going to the IP. Based on the number of hops, can you determine its web server?
Tools:
◦ traceroute (Windows: tracert)
◦ Hping: http://www.hping.org/
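The scanning questions above are the attacker's view; the defender sees the same activity as a burst of connection attempts to many ports from one source. The following is an added example (not part of the slides) that flags that pattern in firewall log lines. The one-event-per-line format "timestamp src dst dport action" and the sample events are constructed assumptions; real firewall logs need their own parser.

```python
"""Detect likely port scans in firewall log lines.

Added example (not from the slides). The log format is an assumption:
one event per line as "<ISO timestamp> <src ip> <dst ip> <dst port> <action>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host probes ten ports on a server within six seconds,
# while a normal client visits only ports 80 and 443 over several minutes.
SAMPLE_LOG = """\
2015-07-30T10:00:01 198.51.100.7 203.0.113.10 22 DROP
2015-07-30T10:00:01 198.51.100.7 203.0.113.10 23 DROP
2015-07-30T10:00:02 198.51.100.7 203.0.113.10 25 DROP
2015-07-30T10:00:02 198.51.100.7 203.0.113.10 80 ACCEPT
2015-07-30T10:00:03 198.51.100.7 203.0.113.10 110 DROP
2015-07-30T10:00:03 198.51.100.7 203.0.113.10 143 DROP
2015-07-30T10:00:04 198.51.100.7 203.0.113.10 443 ACCEPT
2015-07-30T10:00:04 198.51.100.7 203.0.113.10 3389 DROP
2015-07-30T10:00:05 198.51.100.7 203.0.113.10 8080 DROP
2015-07-30T10:00:05 198.51.100.7 203.0.113.10 8443 DROP
2015-07-30T10:00:06 192.0.2.33 203.0.113.10 80 ACCEPT
2015-07-30T10:05:00 192.0.2.33 203.0.113.10 443 ACCEPT
2015-07-30T10:09:00 192.0.2.33 203.0.113.10 80 ACCEPT
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_scans(log_text, window=timedelta(seconds=60), threshold=8):
    """Return {src: sorted distinct ports} for every source that touched at
    least `threshold` distinct destination ports on one host inside any
    interval of length `window`. Uses a sliding window over sorted events."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        events[(src, dst)].append((ts, dport))

    alerts = defaultdict(set)
    for (src, _dst), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Drop events from the left until the window spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts[src].update(ports)
    return {src: sorted(ports) for src, ports in alerts.items()}


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} distinct ports {ports}")
```

The threshold and window are tuning knobs: a low threshold over a long window catches slow scans but also flags chatty legitimate clients, so the values should be set against the organisation's own traffic baseline. Accepted connections count as well as dropped ones, since a scanner learns the same from both.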
Password guessing
Privilege escalation
Executing malicious code
Copying files
Can you sniff data in the network?
In what device can I sniff useful data? A hub or a switch?
Are the data sent in free Wi-Fi access zones safe from sniffing?
WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. (OWASP, 2015)
Download WebGoat here: https://www.owasp.org/index.php/WebGoat_Installation

Access Control Flaws
◦ Bypass Business Layer Access Control
◦ Bypass Data Layer Access Control
Authentication Flaws
◦ Forgot Password
◦ Multi-Level Login
Concurrency
◦ Thread Safety Problems
◦ Shopping Cart Concurrency
Cross-Site Scripting (XSS)
◦ Phishing with XSS
◦ Cross Site Request Forgery (CSRF)
Improper Error Handling
◦ Fail Open Authentication Scheme
Injection Flaws
◦ Command Injection
◦ Numeric SQL Injection
◦ Modify Data with SQL Injection
◦ Add Data with SQL Injection
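The "Numeric SQL Injection" lesson listed above turns on one detail: a numeric parameter is pasted into the query without quotes, so the input is read as SQL rather than as a number. The following is an added example, not WebGoat's own code (WebGoat is Java; this is Python on an in-memory SQLite table with constructed rows), showing the vulnerable lookup beside the parameterized fix.

```python
"""Numeric SQL injection: vulnerable query beside its parameterized fix.

Added example (not from WebGoat or the slides). The table and rows are
constructed to mirror the lesson's "look up a weather station by id" idea.
"""
import sqlite3


def make_db():
    """Create the constructed sample table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE weather_data (station INTEGER, name TEXT, max_temp INTEGER)"
    )
    conn.executemany(
        "INSERT INTO weather_data VALUES (?, ?, ?)",
        [(101, "Station A", 97), (102, "Station B", 90),
         (103, "Station C", 88), (104, "Station D", 107)],
    )
    return conn


def lookup_vulnerable(conn, station):
    """Builds the WHERE clause by string concatenation. Because the value is
    numeric it is not even quoted, so the input "101 OR 1=1" turns the filter
    into a tautology and every row comes back."""
    sql = "SELECT station, name FROM weather_data WHERE station = " + station
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, station):
    """Validate the type, then bind the value through a placeholder. The driver
    passes it as data, never as SQL text, so it cannot change the query shape."""
    try:
        station_id = int(station)
    except (TypeError, ValueError):
        raise ValueError("station must be a whole number") from None
    return conn.execute(
        "SELECT station, name FROM weather_data WHERE station = ?", (station_id,)
    ).fetchall()


def hardened_rejects(conn, station):
    """True when the hardened lookup refuses the input outright."""
    try:
        lookup_hardened(conn, station)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, "101"))
    print("vulnerable, injected    :", lookup_vulnerable(conn, "101 OR 1=1"))
    print("hardened, normal input  :", lookup_hardened(conn, "101"))
    print("hardened, injected      : rejected =", hardened_rejects(conn, "101 OR 1=1"))
```

Binding alone would already defeat the lesson's payload (SQLite would compare the column against the literal text "101 OR 1=1" and return nothing), but the explicit integer check is what turns a silently empty result into a rejected request that can be logged and alerted on.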
Delete or modify audit trails
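Covering tracks works only when the audit trail can be edited without anyone noticing, which is the integrity property from the CIA slide applied to logs. The following is an added example (not from the slides) of a keyed hash chain: each entry's HMAC covers the previous entry's digest, so a modified, deleted or reordered entry breaks every digest after it, and the last digest kept on another host exposes a truncated tail. The key and the three events are constructed; `_digest`, `append_entry` and `verify_log` are names chosen here.

```python
"""Tamper-evident audit trail using a keyed hash chain.

Added example (not from the slides). The key below is a constructed demo
value; a real deployment keeps the key, and the latest digest, off the
logged host so that root on that host cannot rebuild the chain.
"""
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # the "previous digest" of the first entry


def _digest(key, record):
    """HMAC-SHA256 over a canonical JSON encoding of the record fields."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_entry(log, key, event):
    """Append an event chained to the last digest in `log`; return its digest."""
    record = {
        "seq": len(log),
        "event": event,
        "prev": log[-1]["digest"] if log else GENESIS,
    }
    log.append({**record, "digest": _digest(key, record)})
    return log[-1]["digest"]


def verify_log(log, key, expected_last=None):
    """Return None if the chain is intact, else the index of the first entry
    that fails. `expected_last` (the latest digest stored off-host) catches
    removal of the newest entries, which a bare chain check cannot see."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {
            "seq": entry.get("seq"),
            "event": entry.get("event"),
            "prev": entry.get("prev"),
        }
        if record["seq"] != i or record["prev"] != prev:
            return i  # gap, reordering or deletion before this point
        if not hmac.compare_digest(_digest(key, record), entry.get("digest", "")):
            return i  # content edited or digest forged without the key
        prev = entry["digest"]
    if expected_last is not None and prev != expected_last:
        return len(log)  # tail truncated
    return None


def build_sample_log(key=DEMO_KEY):
    """Constructed three-event trail; returns (log, digest of the last entry)."""
    log = []
    last = None
    for event in ("login user=alice", "sudo cmd=useradd mallory", "logout user=alice"):
        last = append_entry(log, key, event)
    return log, last


if __name__ == "__main__":
    log, last = build_sample_log()
    print("intact:", verify_log(log, DEMO_KEY, last))
    log[1]["event"] = "sudo cmd=ls"  # attacker rewrites the suspicious entry
    print("after edit, first bad index:", verify_log(log, DEMO_KEY, last))
```

Forwarding entries to a separate log server as they are written gives the same benefit with less machinery; the chain is what lets a copy that stayed on the host be trusted or rejected after the fact.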
4 of 4: Moving forward in infosec
Which would you rather choose, privacy or security?
Of course, we need one.
R.A. 10175, or the Cybercrime Prevention Act, is a mixture of several issues.
The Cybercrime Law should not only focus on the limitation of freedom of expression.
The Cybercrime Law should protect the people.
A law that compels for-profit organizations like banks to follow certain best standards to protect client data found in bank accounts.
A law that compels telecom companies to ensure that data that pass their infrastructure are sent and received to the intended recipients.
A law that compels government offices to securely store personal data that are found in their computer system.
Justin David Pineda
Sr. Application Security Specialist
The Coca-Cola Company
[email protected]