In INFOSEC, the focus of the discussion is a bird’s eye view of the different domains of Information Security. More importantly, the curriculum follows the CompTIA Security+ lessons. The final project’s objective is to explore security tools and software such as firewalls, IDS and honeypots, and to demonstrate their functionality by running test scenarios.
For COMSEC1, the focus shifts to a more specific topic, ethical hacking. The course discusses the steps of ethical hacking and its importance. For the final project, students are required to conduct static code analysis and a vulnerability scan on an existing project and fix the findings to bring the risk down to an acceptable level.
Last July 31, 2015, I gave a talk about Information Security and Ethical basics at PATTS College of Aeronautics in Paranaque City. It was quite challenging because the audience were not familiar with IT concepts.
I started by showing them local news about hacking data in banks. Then I established the need for the information security field. I discussed the core concepts of information security.
I also talked about the steps in ethical hacking and the reason why it has to be conducted routinely. Lastly, I stressed the need for a cybercrime law that will protect our data handled by third-party organizations.
Last August 1, 2015, I presented on a well-known security standard for credit cards. The Payment Card Industry Data Security Standard (PCI-DSS) is a standard used to protect the data of merchants and banks that use credit card facilities.
PCI-DSS has 12 requirements. I focused my presentation on the vulnerability management side, since I handled vulnerability assessment (VA) in my previous job.
For the demo, I used the trial version of the Acunetix vulnerability scanner. I scanned the test website, verified one of the vulnerabilities (sending data in cleartext) and exploited it using Wireshark.
I took a Cebu Pacific flight to Malaysia last June 7 from NAIA Terminal 3. As usual, the airport was jam-packed with people. The flight was around 4 hours long and arrived at KLIA2. I then took the express train (a 20-minute ride) to downtown KL.
I met my former officemate from the Philippines, who is already working in KL. He toured me around KL (Petronas, Jalan Alor) and brought me to my hotel, the Melia Hotel.
It’s a good thing that the school booked the hotel where the conference was held. The parallel sessions started at 8am. It was my first time to present at an international conference and I was very nervous. The presenters were mostly Muslims from Malaysia, Indonesia, India and other neighboring countries. The participants were very friendly and excited too. I met 2 other professors from the Philippines, Terry from UP-Diliman and Marylene from MUST in Mindanao.
I attended the keynote presentation of Dr. Rozhan Mohammed Idrus, who discussed “IT Education and Its Impact to the Society.” He coined the term “technogogy,” which means blending technology into the teaching pedagogy. In essence, Dr. Idrus pointed out that teachers and the curriculum must be able to adapt to the technological advances in today’s world.
My presentation was scheduled for the afternoon. The paper is applied research on how to detect botnet traffic in a Local Area Network (LAN) using Snort and aggregated reputable botnet sources.
The presentation lasted 10 minutes. The PDF of the presentation can be found at this link: BCM_Presentation.
I went to fetch my girlfriend at Pavilion Mall and we ate dinner there. We took an Uber to another mall outside KL called Publika.
Last day in KL, walking around the city
Our third and last day in Malaysia was spent touring the city on foot. We went to Mydin, where wholesale products are sold. We bought a lot of Cadbury and other chocolates. The place was not very classy, though. We walked to Low Yat, a technology/gadgets mall. We then walked to the KLCC area and visited Kinokuniya. We checked out, then took an Uber to the train station going to KLIA2.
I heard a lot of negative stories about Malaysia (dangerous at night, a lot of street clubs, ill-mannered taxi drivers, snatchers riding motorcycles, etc.) but I didn’t experience any of them. Maybe things have already changed? Or I’m just used to living in a similar environment in the Philippines? I don’t know. The experience was great. Their express train is very convenient and spacious. The establishments offer items both expensive and cheap, depending on your budget.
Since I did not want to experience the taxi horror stories, I always used Uber for transportation around the area. Malaysia has more Uber cars compared to the Philippines.
In terms of value for money, I can say your money goes a long way in their country.
Last February 26, 2015, I gave a talk at the Pamantasan ng Lungsod ng Pasig for their CCS Week. It was my first time to go there and to that part of Pasig City.
I was very fascinated by the campus because the classrooms and facilities are state-of-the-art. Also, the CCS students were very hospitable and accommodating during my stay.
My talk was about protecting your network through Network Security, and I discussed some types of attacks and their countermeasures. I started the talk with the latest security news on Superfish, which affected Lenovo products. I also encouraged the school to participate in JISSA (Junior Information Security Systems Association), which can help schools keep up with IT trends in information security.
Last February 2, 2015, I was invited to give a talk during the CCS Days of Lyceum of the Philippines University (LPU) in Batangas City, Batangas. It’s a 2-hour drive from Quezon City to Batangas City, more than 100 kilometers from my place to the venue.
What I like about Batangas City is that it’s very clean and the people are very orderly. The place didn’t look much like a province at all! It looks very progressive.
I was supposed to focus on Ethical Hacking. However, I learned that the theme was “CCS: Practicing Theories towards ASEAN Integration.” So I introduced Information Security as a discipline and presented career opportunities to students, especially the graduating ones.
Photo credit to the student photographer of LPU-Batangas.
When I studied for and took EC-Council’s Certified Ethical Hacker (CEH) in 2013, I learned a very important lesson: even if you follow the hacking methodologies, they only have a 10% success rate. The topic of this lesson, on the other hand, has a 90% success rate. In short: why would you spend a lot of time brute-forcing a password when you can just ask for it? That’s social engineering.
Social engineering is an attempt to gain information from a victim or target through manipulation and deceit. The attacker first gains the victim’s trust, then exploits the victim’s emotions.
Note: There is a reading I wrote in 2011 that is relevant to this lesson. Copies will be given during class.
Why is Social Engineering very successful?
In the past lessons, we studied Defense in Depth. This means that there should be protection at every layer of security. In Network Security, for instance, you may deploy and implement a firewall. The firewall has its limitations, but it will strictly enforce whatever rules are written in its ACL. If it says allow web traffic, it will allow web traffic. If it says deny FTP traffic, then it will deny FTP traffic.
Problems arise when humans intervene. Let’s say a school enforces a “No ID, No Entry” policy. All students are required to wear their ID upon entering the school. One day, a student forgot to bring his ID, but the guard still allowed him to enter because they’re friends. Is it correct for a guard to make exceptions even if there’s an explicit ID policy? What if the said student brought his friends? Will the guard still allow it because they’re friends?
Humans, or wetware, are the weakest link in the security chain because they simply make a lot of exceptions. That’s why the human vulnerability is a weakness that no patch can perfectly fix.
Ethics: Social Engineering in Penetration Testing
In penetration testing, a third-party service provider actively tests the security solutions implemented in the network. Active testing means exploiting discovered weaknesses in security. One of the tests is the social engineering test, in which the pen tester tries to bypass security through social engineering.
For example, the company security policy requires the use of a badge/ID to enter the office. The pen tester carries a lot of heavy things so that the guard helps him instead of asking for the ID. The pen tester successfully enters the facility, with the guard as an accessory to the crime. After the pen test, the guard is terminated for abandonment of duty during the test.
It is the job of the pen tester to lure people into breaking the policy. The targets, out of goodwill, will help them. But in the end, they will be terminated. Is that ethical?
Steps in Social Engineering
There are three steps in social engineering.
In the first step, the social engineer gathers as much information about his target as possible. He can do online searches on social networking sites, stalk the target to learn his routines and talk to his friends to learn more about his likes.
After you have gathered enough information about your target, it’s time to build a relationship. Let’s say you learned that the target likes Justin Bieber. You can create a “perfect encounter” with him in his daily routine. You could sit beside him on a bus and have a little chitchat about Justin Bieber. Ideally, you can build a relationship from the “serendipitous meeting.” In some cases, you will need to “invest” in something. If you learned that the target is in a lot of debt, aside from being a Justin Bieber fan, you can use that to your advantage in the next step.
In the last step, you push through with your goal of eliciting the information you need from the target. You may have allowed your target to borrow a sum of money from you so that he can pay his debt. Now you can use that to your advantage: you can ask for the information and remind him that he is in debt to you, so he should return the favor. In this case, you are successful in your mission.
Types of Social Engineering Attacks
Social engineering attacks can be classified into 2 categories:
Non-technical – Doing social engineering the traditional way
Dumpster diving – Literally checking the target’s garbage.
Shoulder surfing – Glancing at another person’s computer, cellphone or paper.
Impersonation – Pretending to be key personnel in your target’s company.
Tailgating – Walking in behind the person ahead of you after he taps his badge to open the access door.
Technical – Doing social engineering using technology
Phishing – Getting the target’s information using a fake e-mail or website.
Spear phishing – A type of phishing targeting a particular person.
Pharming – A type of phishing targeting a group of people or an organization.
Vishing – Deceiving the target using a telephone/cellphone/smartphone.
You can download the PDF version of this lesson here: INFOSEC_L5_SE
Authentication is defined as proving that you are who you claim to be. By default, there are 3 types of authentication:
Something that you know – A form of authentication based on what you know (residing in the mind)
Ex. Password, PIN
Something that you have – A form of authentication that is tangible.
Ex. Token, cellphone, ID
Something that you are – A form of authentication where the uniqueness of a part of your body is used.
Ex. Fingerprint, voice recognition, iris scan
None of the authentication types can be considered the strongest. Something-that-you-know authentication, such as a password, can be cracked using brute force or social engineering. Something-that-you-have authentication, such as an ID, can be stolen or reproduced. Something-that-you-are authentication, such as a fingerprint, is prone to false positives (you have sweaty hands, etc.).
To make your authentication stronger, it is advised that you use 2 or more types of authentication to provide an additional layer of security. This is what we call 2-factor or multi-factor authentication. Examples include:
ATM card + PIN (something that you have and something that you know)
Credit card + signature (something that you have and something that you know)
Cellphone for a One-Time Password (OTP) + password (something that you have and something that you know)
Badge + biometric (something that you have and something that you are)
Note: A username and password are not considered multi-factor because both are something-that-you-know types of authentication.
Questions to research:
What is the fourth type (or other types) of authentication?
What is the most accurate biometric? Why?
Types of Access Control
Access Control, or Authorization, determines the type of privilege a user has after being authenticated. When you enter the school, the authentication mechanism could be your school ID. Access Control then determines which rooms in the school you can access. If you’re a student, you can access the classrooms, computer laboratories and cafeteria. However, you are prohibited from accessing the faculty room and server room. A faculty member can access more rooms than a student.
Mandatory Access Control (MAC)
MAC is the strictest type of access control. It is seen in government, especially in the military. It uses Sensitivity Labels (SL) both for the subject (which initiates an action) and the object (on which the action is performed). It is also known as a multi-level type of access control.
SL can be classified, from highest to lowest, as Top Secret, Secret, Confidential and Public.
Let’s say File A (an object) has an SL of Secret. Only a subject that has an SL of either Top Secret or Secret can access the file.
To visualize, let’s say a 5-star General has an SL of Top Secret, a Colonel an SL of Secret, a Lieutenant an SL of Confidential and a Sergeant an SL of Public. Only the Colonel or the 5-star General can access File A, because their SL gives them clearance to do so. A subject can access all objects at or below his/her SL. MAC uses a top-down approach.
Discretionary Access Control (DAC)
DAC is the direct opposite of MAC. This type of access control is seen in non-military institutions (usually commercial). In DAC, the owner of the file determines the privileges of the subjects over the object. It is also known as a single-level type of access control.
DAC uses an Access Control Matrix (r-read, w-write, x-execute) like the one shown below:
[Access Control Matrix: subjects (S) listed down the rows, objects (O) across the columns]
In the above scenario, we have 3 users (subjects) trying to access 3 files (objects). Each file is owned by a specific individual (owner). It is at the discretion of the owner what privileges he/she wants to give the subjects. These privileges may also change.
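The MAC and DAC rules above, as an added example that is not part of the original lesson. The subjects, files and clearances are constructed sample data; the access control matrix is modelled as a dictionary keyed by (subject, object).

```python
# Added example, not from the original lesson: a small model of the MAC
# (sensitivity labels) and DAC (owner-managed access control matrix) rules.
# Subjects, files and labels below are constructed sample data.
from enum import IntEnum


class SL(IntEnum):
    """Sensitivity labels, ordered from lowest to highest clearance."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_can_access(subject_sl: SL, object_sl: SL) -> bool:
    """MAC: a subject may access objects whose SL is at or below its own.
    The rule is fixed by the system; neither subjects nor owners can change it."""
    return subject_sl >= object_sl


class DACMatrix:
    """DAC: rights are stored per (subject, object) pair, and only the object's
    owner may grant or revoke them."""

    def __init__(self):
        self.owner = {}   # object -> owning subject
        self.rights = {}  # (subject, object) -> subset of {"r", "w", "x"}

    def create(self, owner: str, obj: str) -> None:
        self.owner[obj] = owner
        self.rights[(owner, obj)] = {"r", "w", "x"}

    def _require_owner(self, actor: str, obj: str) -> None:
        if self.owner.get(obj) != actor:
            raise PermissionError(f"{actor} is not the owner of {obj}")

    def grant(self, actor: str, subject: str, obj: str, rights: set) -> None:
        self._require_owner(actor, obj)
        self.rights.setdefault((subject, obj), set()).update(rights)

    def revoke(self, actor: str, subject: str, obj: str, rights: set) -> None:
        self._require_owner(actor, obj)
        self.rights.get((subject, obj), set()).difference_update(rights)

    def can(self, subject: str, obj: str, right: str) -> bool:
        return right in self.rights.get((subject, obj), set())


def mac_demo() -> dict:
    """The lesson's scenario: File A is Secret; which ranks can access it?"""
    clearance = {"general": SL.TOP_SECRET, "colonel": SL.SECRET,
                 "lieutenant": SL.CONFIDENTIAL, "sergeant": SL.PUBLIC}
    return {who: mac_can_access(sl, SL.SECRET) for who, sl in clearance.items()}


def dac_demo() -> dict:
    """Three users and three files; owners hand out rights at their discretion."""
    m = DACMatrix()
    m.create("alice", "file1")
    m.create("bob", "file2")
    m.create("carol", "file3")
    m.grant("alice", "bob", "file1", {"r"})        # owner grants read only
    m.grant("bob", "alice", "file2", {"r", "w"})
    try:                                           # bob does not own file1,
        m.grant("bob", "carol", "file1", {"r"})    # so he cannot pass it on
        bob_shared = True
    except PermissionError:
        bob_shared = False
    return {"bob_reads_file1": m.can("bob", "file1", "r"),
            "bob_writes_file1": m.can("bob", "file1", "w"),
            "carol_reads_file1": m.can("carol", "file1", "r"),
            "bob_could_share_file1": bob_shared}


if __name__ == "__main__":
    print(mac_demo())
    print(dac_demo())
```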
Role-based Access Control (RBAC)
RBAC is also known as non-discretionary access control. It gives privileges based on roles/tasks. It is beneficial for large organizations in organizing group privileges over objects. For example, all students have read-only access to File 1, File 2 and File 3. All faculty members, on the other hand, have full access to all the files mentioned. The admin just adds users (subjects) to the groups created, for consistency and convenience.
Rule-based Access Control
Rule-based Access Control basically gives privileges based on a list of enforced policy rules. A good example is an Access Control List (ACL) in a firewall. The firewall will grant or deny access based on the rules found in the ACL. However, if no rule matches, then no privilege should be given (implicit deny).
We have agreed that in Infosec we protect data/information. As we discussed in Lesson 1, the scope of Infosec is very broad and IT Security is just a part of it. We also learned in Lesson 2 that preventive controls are incomplete without detective controls and response. From these concepts, a more concrete and concise security architecture is formed: Defense in Depth.
The concept of Defense in Depth states that in order for anybody to access the data, they should first pass through layers of security. Security controls may vary, but they should be in layers.
For example, if you want to access the bank database, you need to pass through frisking by security guards, inspection of bags and proper identification when entering the bank premises. That is what we call Physical Security.
Once you enter the premises, you are required to wear your ID at all times. If you are a visitor, a security personnel is required to accompany you wherever you go within the premises. That is the next layer, called Operational Security.
If you connect to their wireless network and your laptop cannot access the Internet because of MAC filtering, that is an example of Network Security.
When desktop computers have their USB ports disabled to prevent the spread/download of viruses, that is an example of Host Security.
When you need to enter a username and password to gain access to your account, that is an example of Application Security.
Diversity of Defense
The Diversity of Defense security concept is quite tricky. Management will always want a cost-effective IT infrastructure setup. For example, Huawei, a known networking vendor, might offer an IT infrastructure package that may be very appealing. Let’s say they offer the whole IT infrastructure for X pesos. Management may be lured into buying the package because of the cost. However, as an information security professional, you should weigh the possible security issues that may arise.
In Diversity of Defense, you are compelled to buy different brands of network and IT devices such as firewalls, switches, routers, etc. But if you plan to buy devices from different vendors, the cost may double (2X pesos) compared to the X pesos for a single brand.
So what is the advantage of this concept?
If a vulnerability in the Huawei firewall is found, then no matter how many Huawei firewalls you have, your whole network is vulnerable to that particular attack. You can simply say that the cost of an information disclosure, when a single proprietary vulnerability is exploited, is far more expensive than the implementation of diversity of defense.
Security through Obscurity
If we say that a company is implementing security through obscurity, can we consider it secure? In Security through Obscurity, we rely on the idea that nobody will think that some valuable asset is hidden in an obscure place.
For example, will anybody think that there’s 1M pesos stored underneath the driver’s seat of my car? What are the odds, right? But if I accidentally left my car unlocked and somebody randomly opens the door of my car, is my asset still secure?
Security through obscurity is simply hiding something. But hiding something without proper safeguards provides no security at all.
Cost-Benefit Analysis (CBA)
In information security terms, CBA refers to weighing the cost of safeguards against the value of the asset. As a rule of thumb, you are not supposed to buy a safeguard that is more expensive than the asset.
For example, you won’t buy a vault valued at 20,000 pesos to safeguard a Timex watch from a buy-1-take-1 sale worth 2,000 pesos. The thief will probably steal the safeguard instead of the asset in it.
All issues and solutions pertaining to security fall under 3 categories, known as CIA:
Confidentiality – Protection against unauthorized access
Integrity – Protection against unauthorized modification
Availability – Protection against denial of service
The exact opposite of CIA is DAD: Disclosure, Alteration and Destruction.
See the following events and solutions:
Locking the door when you leave the house – This is a confidentiality solution because only the person who has the key to unlock the door can enter the house.
A student overwrites the teacher’s PowerPoint presentation – This is an integrity issue because the content of the presentation has been changed.
The system administrator backs up the file server every Friday – This is an availability solution because the backup ensures access to the files when the main file server becomes unavailable.
A security issue can be the result of an accidental or intentional event. In example 2, the student may have accidentally overwritten the teacher’s file out of negligence. He may also have overwritten the file intentionally out of revenge. But regardless of his intention, it is classified as a security issue.
The Formula for Protection
Some decades ago, the formula for protection was:
This means that in order to protect something, you need to prevent something bad from happening. For example, to prevent a home intruder from entering your home, you install a gate around your house. The gate prevents the intruder from getting into the house.
Similarly, in the technical world, you can install a firewall in your network. A firewall is hardware or software that enforces a security policy. For example, if you have a web server in your company and you want the public to access only the web server, the firewall can filter the traffic going into your network. Only packets/traffic destined for TCP port 80 (HTTP) will be allowed to enter the network, because port 80 is specifically opened for web connections. All other traffic will be denied.
Now, what is the problem or limitation with this formula?
In the first example (the gate example), what happens if the intruder climbs over the gate using a rope? Hypothetically, if the intruder is able to enter your house in the middle of the night, will you be able to stop him?
The formula for protection lacks other components.
Let’s say you bought a motion sensor alarm and a gun. You realize that if the intruder is able to enter your house after getting past the gate using a rope, the motion sensor alarm will detect his movements and alert you. Now, if you see him and he is planning to attack you with a weapon, you can defend yourself by shooting him with your gun.
Well, that’s just a hypothetical situation. But the point is, you need to anticipate that your preventive tool may be bypassed. That’s why you need to set up other security controls.
Therefore, the modified and correct formula for protection is:
Protection = Gate + (Motion Sensor Alarm + Shoot using your gun)
This formula can be applied to all domains of information security.
Going back to the firewall example, can you determine the limitation of implementing only a firewall in your network? If the firewall is the preventive tool, what is the detective tool and the response mechanism?
I think the concept of least privilege is the essence of information security. In least privilege, you only get the privilege and access that you need, nothing more and nothing less.
In a company, there is an Accountant, an HR Assistant and a Sales Agent. When we apply least privilege to these 3 employees, we give each employee the following access to applications:
Accountant – MS Excel, Calculator, E-mail, Printer
HR Assistant – Telephone, Job Street, LinkedIn, MS Word, E-mail, Printer
Sales Agent – Telephone, Facebook, MS Word, E-mail, Printer
In least privilege, we list the things that each employee needs and give them that access. Applications that are not on the list won’t be given to the users.
Types of Least Privilege
Separation of Duties (SOD)
SOD states that a task (especially a critical one) must be delegated to more than 1 person. Let’s use a payroll system as an example.
HR Department – Computes your daily time record (DTR)
Accounting Department – Computes your salary based on the DTR submitted by the HR department
Management Group – Approves the salary computed and submitted by the Accounting department
What happens if only one person, let’s say Paula, computes the DTR and salary and also approves the computation?
For instance, if an employee, Gilbert, does not go to work, it will reflect in his DTR. However, if Paula decides to give Gilbert a salary anyway, she can freely do so without anybody questioning it. Nobody checks whether the task is done correctly or not.
SOD in the payroll scenario is very important to ensure checks and balances on work-related activities.
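The payroll SOD rule above, as an added example that is not part of the original lesson. It checks each payroll record against two rules: every step is done by the responsible department, and no one person performs two steps. The staff directory, departments and records are constructed sample data.

```python
# Added example, not from the original lesson: a separation-of-duties check
# for the payroll scenario. Staff, departments and records are constructed.
from dataclasses import dataclass

# Which department is responsible for each step of the payroll task.
STEP_DEPARTMENT = {
    "compute_dtr": "HR",
    "compute_salary": "Accounting",
    "approve_salary": "Management",
}

# Constructed staff directory: person -> department.
DEPARTMENT = {
    "paula": "HR",
    "ramon": "Accounting",
    "liza": "Management",
}


@dataclass
class PayrollRecord:
    employee: str
    days_present: int
    compute_dtr: str       # who computed the daily time record
    compute_salary: str    # who computed the salary from the DTR
    approve_salary: str    # who approved the computed salary


def sod_violations(rec: PayrollRecord) -> list:
    """Return the SOD violations for one payroll record; an empty list means
    the record passed. Rule 1: each step is performed by its department.
    Rule 2: no single person performs more than one step."""
    problems = []
    actors = {}
    for step, dept in STEP_DEPARTMENT.items():
        person = getattr(rec, step)
        actors[step] = person
        if DEPARTMENT.get(person) != dept:
            problems.append(f"{step}: {person} is not in {dept}")
    seen = {}  # person -> first step they performed
    for step, person in actors.items():
        if person in seen:
            problems.append(f"{person} performed both {seen[person]} and {step}")
        else:
            seen[person] = step
    return problems


def demo() -> dict:
    """Gilbert's record handled properly versus handled by Paula alone."""
    good = PayrollRecord("gilbert", 0, "paula", "ramon", "liza")
    bad = PayrollRecord("gilbert", 0, "paula", "paula", "paula")
    return {"good": sod_violations(good), "bad": sod_violations(bad)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "no SOD violations")
```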
Implicit Deny is another type of least privilege that is usually seen and applied in a firewall Access Control List (ACL). Assume we have the following entry in an access control list:
This ACL entry allows web traffic (tcp 80) going in and out of the network. If that’s the only rule we have in the ACL, can we access the file server in the network (tcp 21)?
The answer, of course, is no. But one can ask: will it deny tcp 21 even if there is no rule stating that it should be denied?
Implicit deny states that if there is no rule that says allow, then deny access. So even without a specific rule, it is understood that there is a “deny all” rule after the last entry in the ACL.
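The implicit deny rule here, and the rule-based (firewall ACL) access control in the access control lesson above, as an added example that is not part of the original lesson. It evaluates the lesson's single-rule ACL with first-match semantics and shows that the implicit "deny all" decides exactly like an explicit final deny rule. The rule format and the packets are constructed, not a real firewall's syntax.

```python
# Added example, not from the original lesson: a first-match ACL evaluator
# with implicit deny. Rules and packets below are constructed sample data.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port; None means any port
    direction: str         # "in", "out" or "any"

    def matches(self, proto: str, port: int, direction: str) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and (self.port is None or self.port == port)
                and (self.direction == "any" or self.direction == direction))


def evaluate(acl: list, proto: str, port: int, direction: str) -> tuple:
    """Walk the ACL top to bottom and return (decision, matched_rule_index).
    The first matching rule wins. If nothing matches, the packet is denied and
    the index is None: that is the implicit 'deny all' after the last entry."""
    for i, rule in enumerate(acl):
        if rule.matches(proto, port, direction):
            return rule.action, i
    return "deny", None


# The lesson's single-rule ACL: web traffic (tcp 80) in and out, nothing else.
WEB_ONLY_ACL = [Rule("allow", "tcp", 80, "any")]

# The same policy with the deny written out. It decides identically, but an
# explicit final rule can be logged and counted, which implicit drops often are not.
WEB_ONLY_EXPLICIT = WEB_ONLY_ACL + [Rule("deny", "any", None, "any")]

# Constructed packets as (proto, port, direction).
PACKETS = {
    "http_in": ("tcp", 80, "in"),
    "http_out": ("tcp", 80, "out"),
    "ftp_in": ("tcp", 21, "in"),     # the lesson's file server question
    "dns_out": ("udp", 53, "out"),
}


def demo() -> dict:
    """Decision of the single-rule ACL for each constructed packet."""
    return {name: evaluate(WEB_ONLY_ACL, *pkt)[0] for name, pkt in PACKETS.items()}


def same_decisions(acl_a: list, acl_b: list, packets: list) -> bool:
    """True if two ACLs reach the same decision for every packet given."""
    return all(evaluate(acl_a, *p)[0] == evaluate(acl_b, *p)[0] for p in packets)


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
    print("implicit == explicit deny:",
          same_decisions(WEB_ONLY_ACL, WEB_ONLY_EXPLICIT, list(PACKETS.values())))
```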
Job Rotation is a less well-known type of least privilege. This concept requires that other persons be familiar with the job that you have, especially if it is a critical role. Although it is costly because you need to train other employees, it is very helpful in determining what is happening with the tasks assigned to a particular person.
If you are put in an employee’s shoes due to job rotation, you and the management may find out a lot of things. For example, why does this employee take 10 hours (with overtime) to do his job when I can finish it in 4 hours after assuming his role in job rotation? There may be something to investigate in this issue.
I had the chance to give a training on Secure Web Application Coding under Bitshield Security. The company is a training and consulting center.
The first training I conducted was in October 2012 at their office on Shaw Blvd, Mandaluyong. The focus of my talk back then was OWASP tools and best practices.
The participants were relatively young and new to information security. The whole training was useful for the participants because they are developers. The good thing about it was that OWASP best practices can now be incorporated into their projects.
(Photos courtesy of Bitshield)
The second workshop I conducted was for Bancnet. The training was customized and focused more on secure coding, with a more application-based approach. I included the Payment Card Industry (PCI) Standard as one of the key topics in the discussion.