Information Security Direktorat Komunikasi dan Sistem Informasi Institut Pertanian Bogor
Security Principle
• Authentication
• Authorization or Access Control
• Privacy / confidentiality
• Integrity
• Availability
• Nonrepudiation
• Auditing
Security Components
• Network security: focused on the channel (medium) that carries the information, or the path the information travels.
• Application security: focused on the system's applications, including their databases and services.
• Computer security: focused on the security of the end system, including the operating system (OS).
Vulnerabilities
There are three basic security weaknesses:
• Technology weaknesses
• Configuration weaknesses
• Security policy weaknesses
Web Application Threat
• Injection Flaws
  • SQL Injection, XPath Injection, etc.
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Insufficient Transport Layer Protection
• Insecure Communications
Cross-Site Scripting (XSS) Attacks
• Malicious code that can change the look and function of a legitimate web application.
• Originates from old phishing attacks, but is less obvious and more dangerous to the user/victim.
• More widespread now because of the move to richer Internet applications using dynamic content, JavaScript and the latest AJAX trend.
Cross-Site Scripting Illustrated
[Figure: application with a stored XSS vulnerability; layers shown: Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code]
1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server.
2. Victim views the page and sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies.
3. The script silently sends the victim's session cookie to the attacker.
The Impact of XSS
• Data residing on the web page can be sent anywhere in the world, including cookies!
• Facilitates many other types of attacks: Cross-Site Request Forgery (CSRF), session attacks (more later)
• Your site's behavior can be hijacked
What is SQL Injection?
The ability to inject SQL commands into the database engine through an existing application.
Example: SQL Injection Illustrated
[Figure: application layers (Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code) in front of the database]
1. Attacker sends data containing SQL fragments: the attacker enters SQL fragments into a web page that uses the input in a query.
2. The application sends the modified query to the database, which executes it.
3. Attacker views unauthorized data.
Vulnerable Applications
• Almost all SQL databases and programming languages are potentially vulnerable
  • MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc.
• Accessed through applications developed using:
  • Perl and CGI scripts that access databases
  • ASP, JSP, PHP
  • XML, XSL and XSQL
  • JavaScript
  • VB, MFC, and other ODBC-based tools and APIs
  • DB-specific web-based applications and APIs
  • Reports and DB applications
  • 3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
  • many more
SQL Injection Attacks: Login Example Attack
(On the original slide, text in blue is your SQL code, text in orange is the hacker's input, and black text is your application code.)
Login form fields: Login, Password
Dynamically built SQL string performing authentication:
"SELECT * FROM users WHERE login = '" + userName + "' and password= '" + password + "'";
Hacker logs in as: ' or 1 = 1; --
Resulting query: SELECT * FROM users WHERE login = '' or 1 = 1; --' and password=''
SQL Injection Characters
• ' or "  string indicators
• -- or #  single-line comment
• /*…*/  multiple-line comment
• +  addition, concatenate (or space in a URL)
• || (double pipe)  concatenate
• %  wildcard attribute indicator
• ?Param1=foo&Param2=bar  URL parameters
• PRINT  useful as a non-transactional command
• @variable  local variable
• @@variable  global variable
• waitfor delay '0:0:10'  time delay
Cross Site Request Forgery (CSRF)
“A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.”
CSRF Illustrated
[Figure: application with a CSRF vulnerability; layers shown: Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code]
1. Attacker sets the trap on some website on the Internet (or simply via an e-mail): a hidden <img> tag contains the attack against the vulnerable site.
2. While logged into the vulnerable site, the victim views the attacker's site: the <img> tag is loaded by the browser and sends a GET request (including credentials) to the vulnerable site.
3. The vulnerable site sees a legitimate request from the victim and performs the action requested.
CSRF Example
• A hacker posts to a message board a post containing an image tag:
<img src="http://yourbank.com/transfer?to_account=my_account_number&amount=all_of_your_money">
• An unsuspecting user logs into yourbank.com and authenticates
• The user then visits said message board
• A request is issued from the victim's browser to the bank's website
• The bank's website transfers the user's money to the hacker's account
Broken Authentication Illustrated
[Figure: application layers (Finance, Transactions, Accounts, Administration, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code)]
1. User sends credentials
2. Site uses URL rewriting (i.e., puts the session in the URL): www.boi.com?JSESSIONID=9FA1DB9EA...
3. User clicks on a link to http://www.hacker.com in a forum
4. Hacker checks referrer logs on www.hacker.com and finds the user's JSESSIONID
5. Hacker uses the JSESSIONID and takes over the victim's account
Insecure Communications Illustrated
[Figure: Business Partners, External Victim, Backend Systems, Custom Code, Employees, External Attacker]
1. External attacker steals credentials and data off the network
2. Internal attacker steals credentials and data from the internal network
End Devices Vulnerabilities
• OS or NOS vulnerabilities
• OS/NOS/firewall settings
• Unintended services
End Devices Threat
• A worm executes code and installs copies of itself in the memory of the infected computer, which can, in turn, infect other hosts.
• A virus is malicious software that is attached to another program for the purpose of executing a particular unwanted function on a workstation.
• A Trojan horse is different from a worm or virus only in that the entire application was written to look like something else, when in fact it is an attack tool.
• There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux.
NOS Hardening: Linux
• Starts with choosing the distro and preparing that OS's installer CD
• Partition the hard disk (/tmp /var /home /boot)
• Install a minimal set of packages and update them
• Disable services that are not used
• Remote login hardening: use SSH (SSH protocol v2)
• Brute-force attack protection for SSH: strong passwords & iptables
• Set up iptables and SELinux as the host firewall
• Update the kernel
NOS Hardening: Windows
• Restrict group membership
• Restrict permissions
• Software Restriction Policy
• Disable services that are not used (not merely STOP them)
• Microsoft Solution for Securing Windows 2000 Server (MSS Security)
• Security tools (Resource Kit): Xcacls, Auditpol, EventComb, NetLogon Debug
WEB server Hardening: Apache
• Security settings in httpd.conf
• General options:
  • UserDir enabled
  • UserDir disabled root
  • ServerTokens Prod
  • ServerSignature Off
• Cross-site scripting protection (reject TRACE/TRACK requests):
  • RewriteEngine On
  • RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  • RewriteRule .* - [F]
• Limit the resources available to the apache user
• Access control:
  • Order allow,deny
  • allow from all
  • deny from 222.124., .hacker.com
WEB server Hardening: Apache
• Apache modules:
  • mod_ssl for HTTPS
• 3rd-party Apache modules:
  • mod_security
  • mod_bandwidth or mod_throttle
  • mod_evasive
  • mod_hackprotect
  • mod_parmguard
Application Hardening
• Protect PHP applications through php.ini:
  • safe_mode = On
  • register_globals = Off
  • magic_quotes_gpc = On
  • display_errors = Off
  • disable_functions = phpinfo
Preventing XSS
• Escape all user input when it is displayed
• Escaping converts the output to harmless HTML entities
• <script> becomes &lt;script&gt;, but is still displayed to the user as <script>
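The following is an added example (not code from the slides) of the output escaping described above: the stored profile from the "Cross-Site Scripting Illustrated" slide is rendered once verbatim (the vulnerable pattern) and once with escaping. It goes slightly beyond the slide in two ways a practitioner needs: attribute values are escaped with quotes included, and the homepage URL is scheme-checked, because entity escaping alone does not neutralise a `javascript:` URL placed in an `href`. The profile data, the `render_profile` helpers and the `homepage` field are constructed for this example.

```python
import html
from urllib.parse import urlsplit


def escape_text(value: str) -> str:
    """Escape for HTML element content: &, < and > become entities."""
    return html.escape(value, quote=False)


def escape_attr(value: str) -> str:
    """Escape for a double-quoted attribute value: also escapes " and '."""
    return html.escape(value, quote=True)


def safe_url(value: str) -> str:
    """Entity escaping does not stop a javascript: URL in href, so only
    http(s) links are kept; anything else is replaced by a harmless '#'."""
    scheme = urlsplit(value).scheme.lower()
    return value if scheme in ("http", "https") else "#"


def render_profile_unsafe(profile: dict) -> str:
    """The vulnerable pattern from the slide: stored user data echoed verbatim,
    so a stored <script> runs in every viewer's browser."""
    return (
        f'<div class="profile"><h2>{profile["display_name"]}</h2>'
        f'<a href="{profile["homepage"]}">homepage</a></div>'
    )


def render_profile(profile: dict) -> str:
    """Hardened rendering: escape at output time, per context."""
    name = escape_text(profile["display_name"])
    link = escape_attr(safe_url(profile["homepage"]))
    return f'<div class="profile"><h2>{name}</h2><a href="{link}">homepage</a></div>'


# Constructed attacker profile (benign alert payloads, used only to show the transformation).
STORED_PROFILE = {
    "display_name": "<script>alert(1)</script>",
    "homepage": "javascript:alert(1)",
}

if __name__ == "__main__":
    print("unsafe:", render_profile_unsafe(STORED_PROFILE))
    print("safe:  ", render_profile(STORED_PROFILE))
```

The escaped output contains `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as literal text `<script>alert(1)</script>` without executing it, while the `href` collapses to `#`.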
Preventing CSRF
• Require a confirmation page before executing potentially dangerous actions
• Eliminate XSS vulnerabilities
• Use POST as your form action and only accept POST requests on the server for sensitive data! Incoming CSRF requests will fail since the parameter is in the URL and not in the POST body
• You can protect yourself with RequestPolicy (Firefox extension)
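As an added example (not code from the slides), here is a server-side check for the bank transfer endpoint from the "CSRF Example" slide. It applies the slide's rule (only POST is accepted, and query-string parameters are never read), and adds the usual complement: a random per-session token that the bank's own form carries in its POST body, because a forged POST can also be auto-submitted from an attacker's page. The `handle_transfer` function, the session dictionary and the field names are assumptions made for this example.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Create a random per-session secret, stored server-side and embedded
    as a hidden field in the bank's own transfer form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def csrf_check_passes(session: dict, method: str, form: dict) -> bool:
    """Slide rule: only POST is accepted for the sensitive action.
    Added rule: the POST body must carry this session's token, compared in
    constant time so the check itself leaks nothing about the token."""
    if method.upper() != "POST":
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def handle_transfer(session: dict, method: str, query: dict, form: dict):
    """Hypothetical /transfer endpoint. Returns (status, message).
    `query` holds the URL parameters an <img src=...> request would carry;
    they are accepted by the server but deliberately never consulted."""
    if not session.get("user"):
        return 401, "not logged in"
    if not csrf_check_passes(session, method, form):
        return 403, "transfer rejected: not a POST or missing/invalid CSRF token"
    amount = form.get("amount", "")
    if not amount.isdigit():  # numeric fields must look like numbers
        return 400, "amount must be a whole number"
    return 200, f"{session['user']} transferred {amount} to {form.get('to_account')}"


if __name__ == "__main__":
    victim = {"user": "victim"}           # constructed logged-in session
    token = issue_csrf_token(victim)
    # 1. the slide's <img> trap: a GET with everything in the URL, empty body
    print(handle_transfer(victim, "GET", {"to_account": "attacker", "amount": "1000"}, {}))
    # 2. a forged POST from an attacker page: right fields, no token
    print(handle_transfer(victim, "POST", {}, {"to_account": "attacker", "amount": "1000"}))
    # 3. the bank's own form, which includes the hidden token
    print(handle_transfer(victim, "POST", {}, {"to_account": "savings", "amount": "50",
                                               "csrf_token": token}))
```

Cases 1 and 2 are refused with 403 and only case 3 succeeds; the token is unknown to the attacker's page because the browser's same-origin policy prevents it from reading the bank's form.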
Preventing SQL Injection
• Escape apostrophes with two apostrophes (and backslashes with two backslashes for MySQL)
• Make sure numeric fields really look like numbers
• Do steps "1" and "2" not only on users' direct input, but on all non-constant variables
• Check that the inputs are within your expectations (e.g. 0 < age < 120, login id without spaces, etc.)
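To tie the "Login Example Attack" slide to the prevention steps above, this added example (not code from the slides) builds the slide's authentication query three ways against a constructed in-memory SQLite table: concatenated as on the slide, with apostrophes doubled (step 1), and as a parameterized query, which is the form a practitioner should actually use. A `validate_age` helper shows steps 2 and 4. SQLite is used so the example runs offline; the payload is the slide's `' or 1 = 1; --` written without the `;` so that it remains a single statement for the `sqlite3` driver. The table rows, column names and helper names are assumptions made for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table. Passwords are kept in clear text only to mirror
    the slide's query; a real application compares password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def vulnerable_login(conn, user_name: str, password: str):
    """The slide's dynamically built SQL string: input becomes part of the SQL."""
    query = ("SELECT login FROM users WHERE login = '" + user_name +
             "' and password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def escaped_login(conn, user_name: str, password: str):
    """Slide step 1: double every apostrophe before concatenating, so the
    attacker's quote can no longer close the string literal."""
    def esc(s: str) -> str:
        return s.replace("'", "''")
    query = ("SELECT login FROM users WHERE login = '" + esc(user_name) +
             "' and password = '" + esc(password) + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def parameterized_login(conn, user_name: str, password: str):
    """Parameterized query: the driver sends input as data, never as SQL,
    so no escaping rules per database need to be remembered."""
    row = conn.execute("SELECT login FROM users WHERE login = ? and password = ?",
                       (user_name, password)).fetchone()
    return row[0] if row else None


def validate_age(raw: str) -> int:
    """Slide steps 2 and 4: a numeric field must really look like a number
    and must fall inside the expected range 0 < age < 120."""
    if not raw.isdigit():
        raise ValueError("age must contain digits only")
    age = int(raw)
    if not 0 < age < 120:
        raise ValueError("age out of range")
    return age


PAYLOAD = "' or 1 = 1 --"   # the slide's login input, minus the ';'

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", vulnerable_login(db, PAYLOAD, ""))     # a user, no password known
    print("escaped      :", escaped_login(db, PAYLOAD, ""))        # None
    print("parameterized:", parameterized_login(db, PAYLOAD, ""))  # None
    print("legit        :", parameterized_login(db, "alice", "s3cret"))
```

With the concatenated query the `or 1 = 1` clause matches every row and the comment discards the password check, so the first user is returned with no password at all; the escaped and parameterized versions look for a user literally named `' or 1 = 1 --` and return nothing.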
Computer Hardening
• Install anti-virus
• Install anti-spyware
• Update anti-virus
Log Analysis
• Log file formats, configuration, management
• Why do log analysis?
  • Traffic analysis (internal and external)
  • Quality of service analysis
  • Security audits
  • Performance analysis
• Statistics, tracking, reporting
• Free and commercial tools
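As an added example of the "security audits" use of log analysis (not code from the slides), the block below parses Apache combined-format access log lines and flags the web-server-side traces of the threats covered earlier in the deck: the `' or 1 = 1` login payload, a `<script>` tag in a parameter, TRACE/TRACK requests (the methods the Apache hardening slide rejects) and a session identifier carried in the URL (the "Broken Authentication Illustrated" leak). It also produces the per-status and per-IP counts used for traffic and QoS analysis. The log lines, IP addresses (from documentation ranges) and the session id value are constructed for this example; no real tool's output format is claimed beyond Apache's standard combined format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" log format; the request line is split into method, path, protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Detection rules applied to the URL-decoded request path (constructed, minimal signatures).
RULES = {
    "sqli_or_1_eq_1": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "xss_script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "session_id_in_url": re.compile(r"jsessionid=", re.IGNORECASE),
}


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect(entry: dict) -> list:
    """Return the names of all rules that fire for one parsed entry."""
    findings = []
    if entry["method"].upper() in ("TRACE", "TRACK"):
        findings.append("trace_track_method")
    path = unquote(entry["path"])  # decode %27, %3C etc. before matching
    for name, rx in RULES.items():
        if rx.search(path):
            findings.append(name)
    return findings


def analyze_log(lines) -> dict:
    """Build a small report: security findings plus traffic statistics."""
    report = {"findings": [], "status_counts": Counter(),
              "requests_per_ip": Counter(), "unparsed": 0}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            report["unparsed"] += 1
            continue
        report["status_counts"][entry["status"]] += 1
        report["requests_per_ip"][entry["ip"]] += 1
        for rule in inspect(entry):
            report["findings"].append((entry["ip"], rule, entry["path"]))
    return report


# Constructed sample log (documentation IP ranges, placeholder session id).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0700] "GET /login.php?user=%27%20or%201%3D1%20--&pass= HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0700] "GET /profile.php?bio=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 833 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0700] "TRACE / HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.10 - - [10/Oct/2023:13:57:12 +0700] "GET /app;JSESSIONID=EXAMPLE1234 HTTP/1.1" 200 2048 "http://www.example.com/forum" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:57:30 +0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    rep = analyze_log(SAMPLE_LOG)
    for ip, rule, path in rep["findings"]:
        print(f"{rule:20} {ip:14} {path}")
    print("status:", dict(rep["status_counts"]), "per ip:", dict(rep["requests_per_ip"]))
```

Decoding the path before matching matters: the first two sample lines carry their payloads percent-encoded, as a browser sends them, and a rule applied to the raw line would miss them. A fourth rule of the same shape can be added for any other indicator the site's own logs show.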