
Protecting Your Website / Network Onno W. Purbo



Presentation transcript:

1 Protecting Your Website / Network Onno W. Purbo onno@indo.net.id

2 “Information Security is about technology, policy, people and common sense”

3 Excellence References
– http://www.sans.org
– http://www.cert.org


6 Extreme References
– http://www.remote-exploit.org
– http://packetstormsecurity.org

7 Outline
– Technical Tips
– Security Policies
– Knowing Your Friends & Enemies

8 CERT Technical Tips
URL: http://www.cert.org/tech_tips/
Covering:
– Securing Systems or Networks
– Responding to Incidents
– Web Security Issues
– Mail Abuse
– Understanding Attacks
– Securing Networks Systematically

9 Where It All Started … Choosing an Operating System

10 In-House vs. Outside Tech Support
– Do you have the HR to do it?
Freely-Available vs. Commercial Software
– Do you have the HR to do it?
Understand Your Needs
– Availability of source code vs. binaries
– Availability of technical expertise (internal and external)
– Maintenance and/or customer support
– Customer requirements and usability
– Cost of software, hardware, and technical support staff

11 Choosing an Operating System Regardless of the choice you make, you should first carefully review and understand the needs of your organization or customer base in terms of resources, cost, and security risk, as well as any site-specific constraints; compare the available products and services to your needs; and then determine what product best matches your needs.

12 Network Security Technology Map


14 Internet Security Aspects
– Penetration Testing
– Certificate Authority / PKI
– Vulnerability Testing
– Managed Security Services

15 Penetration Testing
– Active Content Monitoring / Filtering
– Intrusion Detection – Host Based
– Firewall
– Intrusion Detection – Network Based
– Authorization
– Air Gap Technology
– Network Authentication
– Security Appliances
– Security Services: Penetration Testing
– Authentication

16 Certificate Authority / PKI
– Certificate Authority
– File & Session Encryption
– VPN & Cryptographic Communications
– Secure Web Servers
– Single Sign On
– Web Application Security

17 Vulnerability Testing
– Vulnerability Scanners – Host Based
– Real-Time Security Awareness, Response & Threat Management
– Vulnerability Scanners – Network Based

18 Managed Security Services
– Enterprise Security Policy Implementation
– Managed Security Services
– Enterprise Security Administration
– Security Services: Policy Development
– Trusted Operating Systems
– Anti-DDoS Tools

19 Some Tips
– Securing Networks Systematically — the Security Knowledge in Practice (SKiP) Method
– General Advice Pertaining to Intrusion Detection
– Minimal Steps in a Compromised System
– Intruder Detection Checklist
– Windows Intruder Detection Checklist
– Steps for Recovering from a UNIX or NT System Compromise

20 SKiP Method

21
1. Select systems software from a vendor and customize it according to an organization’s needs.
2. Harden and secure the system against known vulnerabilities.
3. Prepare the system so that anomalies may be noticed and analyzed for potential problems.
4. Detect those anomalies and any other system changes that could indicate evidence of an intrusion.
5. Respond to intrusions when they occur.
6. Improve practices and procedures after updating the system.
7. Repeat the SKiP process as long as the organization needs to protect the system and its information assets.

22 SKiP Method: Customizing Vendor Software
– eliminate services that are unneeded and insecurely configured
– restrict access to vulnerable files and directories
– turn off software “features” that introduce vulnerabilities
– mitigate vulnerabilities that intruders can use to break into systems

23 SKiP Method: Harden and Secure the Network
– configure the system to meet organizational security requirements, retaining only those services and features needed to address specific business needs
Securing a system against known attacks eliminates vulnerabilities and other weaknesses commonly used by intruders. The practices performed during this step may change over time to address new attacks and vulnerabilities.

24 SKiP Method: Prepare
Network administrators characterize their system in the Prepare step. An administrator knows what to expect in terms of:
– changes in files and directories and the operating system
– normal processes, when they run, by whom, and what resources they consume
– network traffic consumed and produced
– hardware inventory on the system

25 SKiP Method: Detect
Administrators concentrate on detecting signs of anomalous or unexpected behavior since it may indicate possible intrusions and system compromise. Administrators also watch for early warning signs of potential intruder actions such as scanning and network mapping attempts.

26 SKiP Method: Respond
– analyze the damage caused by the intrusion and respond by adding new technology or procedures to combat it
– monitor an intruder’s actions in order to discover all access paths and entry points before acting to restrict intruder access
– eliminate future intruder access
– return the system to a known, operational state while continuing to monitor and analyze

27 SKiP Method: Improve the System
– hold a post-mortem review meeting to discuss lessons learned
– update policies and procedures
– select new tools
– collect data about the resources required to deal with the intrusion and document the damage it caused

28 General Advice Pertaining to Intrusion Detection

29 Proactive auditing and monitoring are essential steps in intrusion detection. It is ineffective to audit altered data or compromised systems -- their logs are unreliable. Establish a baseline for what you consider normal activity for your environment so you can recognize unusual events and respond appropriately.

30 Minimal Steps in a Compromised System

31
– Document every step that you perform in detail.
– Perform a sector-by-sector backup of the hard disk drive.
– If your organization intends to take legal action in connection with intrusions, then consult with your legal department before performing any step.

32 Intruder Detection Checklist

33
– Examine log files
– Look for setuid and setgid files
– Check system binaries
– Check for packet sniffers
– Examine files run by 'cron' and 'at'
– Check for unauthorized services
– Examine the /etc/passwd file
– Check system and network configuration
– Look everywhere for unusual or hidden files
– Examine all machines on the local network
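An added example, not from the slides: a POSIX shell script that turns the Prepare step's baseline idea (slide 24) and two items of the checklist above (setuid/setgid files, the /etc/passwd file) into repeatable checks. A snapshot taken during Prepare is diffed against a fresh one during Detect; the baseline directory named in the usage comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the slides: baseline-and-compare helpers for the SKiP
# Prepare/Detect steps and two checklist items (setuid/setgid files, /etc/passwd).
# The baseline file locations in the usage comments below are assumptions.

# Record every setuid or setgid regular file under $1, sorted so snapshots diff cleanly.
snapshot_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Record every account with UID 0 in the passwd file $1; normally only "root" appears.
snapshot_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1" | LC_ALL=C sort
}

# Compare a sorted baseline ($1) with a sorted current snapshot ($2).
# Prints "+ entry" for new entries and "- entry" for missing ones; returns 1 on any change.
compare_snapshot() {
    changes=$(LC_ALL=C comm -3 "$1" "$2" |
        awk -F'\t' '$1 == "" { print "+ " $2; next } { print "- " $1 }')
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Rescan $1 for setuid/setgid files and compare against the baseline file $2.
check_setuid() {
    cur=$(mktemp) || return 2
    snapshot_setuid "$1" > "$cur"
    compare_snapshot "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return "$rc"
}

# Rebuild the UID-0 list from passwd file $1 and compare against the baseline file $2.
check_uid0() {
    cur=$(mktemp) || return 2
    snapshot_uid0 "$1" > "$cur"
    compare_snapshot "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return "$rc"
}

# Usage (as root on the real host; /var/lib/baseline is an assumed location):
#   Prepare:  snapshot_setuid / > /var/lib/baseline/setuid.txt
#             snapshot_uid0 /etc/passwd > /var/lib/baseline/uid0.txt
#   Detect:   check_setuid / /var/lib/baseline/setuid.txt
#             check_uid0 /etc/passwd /var/lib/baseline/uid0.txt
```

Keep the baseline files off the monitored host (or on read-only media), since a compromised system's own records are exactly what slide 29 says not to trust.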

34 Windows Intruder Detection Checklist

35 Look for Signs of System Compromise
– Rootkits
– Examine Log Files
– Check for Odd User Accounts and Groups
– Check All Groups for Unexpected User Membership
– Look for Unauthorized User Rights
– Check for Unauthorized Applications Starting Automatically
– Check Your System Binaries for Alterations

36 Windows Intruder Detection Checklist: Look for Signs of System Compromise
– Check Your Network Configuration for Unauthorized Entries
– Check for Unauthorized Shares
– Check for Any Jobs Scheduled to Run
– Check for Unauthorized Processes
– Look Throughout the System for Unusual or Hidden Files
– Check for Altered Permissions on Files or Registry Keys

37 Windows Intruder Detection Checklist: Look for Signs of System Compromise
– Check for Changes in User or Computer Policies
– Ensure the System Has Not Been Joined to a Different Domain
– Audit for Intrusion Detection

38 Windows Intruder Detection Checklist: Consider Running Intrusion Detection Systems
– Freeware/shareware Intrusion Detection Systems
– Commercial Intrusion Detection Systems

39 Windows Intruder Detection Checklist: Review CERT Documents
– Steps for Recovering from a Windows NT Compromise
– Windows NT Configuration Guidelines
– NIST Checklists

40 Recovering from Compromise

41
– Before you get started
– Regain control
– Analyze the intrusion
– Contact the relevant CSIRT for incident reporting
– Recover from the intrusion
– Improve the security of your system and network
– Reconnect to the Internet
– Update your security policy

42 Recovering from Compromise: A. Before you get started
– Consult your security policy
– If you do not have a security policy:
  – Consult with management
  – Consult with your legal counsel
  – Contact law enforcement agencies
  – Notify others within your organization
  – Document all of the steps you take in recovering

43 Recovering from Compromise: B. Regain control
– Disconnect compromised system(s) from the network
– Copy an image of the compromised system(s)

44 Recovering from Compromise: C. Analyze the intrusion
– Look for modifications made to system software and configuration files
– Look for modifications to data
– Look for tools and data left behind by the intruder
– Review log files
– Look for signs of a network sniffer
– Check other systems on your network
– Check for systems involved or affected at remote sites

45 Recovering from Compromise: D. Contact the relevant CSIRT and other sites involved
– Incident reporting
– Contact the CERT Coordination Center
– Obtain contact information for other sites involved

46 Recovering from Compromise: E. Recover from the intrusion
– Install a clean version of your operating system
– Disable unnecessary services
– Install all vendor security patches
– Consult CERT advisories, external security bulletins and vendor-initiated bulletins
– Use data from backups with caution
– Change passwords

47 Recovering from Compromise: F. Improve the security of your system and network
– Review security using the UNIX or NT configuration guidelines document
– Install security tools
– Enable maximal logging
– Configure firewalls to defend networks

48 Recovering from Compromise: G. Reconnect to the Internet
H. Update your security policy
– Document lessons learned from being compromised
– Calculate the cost of this incident
– Incorporate necessary changes (if any) in your security policy

49 Security Policies

50 URL
– http://www.sans.org/resources/policies/
– http://www.sans.org/resources/policies/Policy_Primer.pdf
Templates For
– Wireless Communication Policy
– Server Security Policy
– Anti-Virus Process
– Extranet Policy

52 A Security Policy Framework
– Policies define appropriate behavior.
– Policies set the stage in terms of what tools and procedures are needed.
– Policies communicate a consensus.
– Policies provide a foundation for HR action in response to inappropriate behavior.
– Policies may help prosecute cases.
Ref: Michele D. Guel, The SANS Policy Primer.

53 Policy Outline
– Purpose
– Scope
– Guidelines
– Policy
  – Ownership Responsibilities
  – Scenarios & Business Impact
  – Prohibited Use
  – Network Control
  – Scanning Period
  – Monitoring
– Enforcement
– Definitions

54 Knowing Friends & Enemies

55 Types of Communities
IT Policy & Politics
– telematika@yahoogroups.com
IT Network Administrators
– indowli@yahoogroups.com
– asosiasi-warnet@yahoogroups.com
Programmer (Formal & White Collar)
– delphindo@yahoogroups.com
Hacker & Virus
– jasakom-perjuangan@yahoogroups.com
– newbie-hacker@yahoogroups.com

56 IT Policy & Politics
Name             Members
genetika         2205
telematika       1750
mastel-anggota   337

57 IT Network Administrators
Name                      Members
asosiasi-warnet           6241
Ilmukomputer-networking   5636
It-center                 4889
indowli                   4766

58 Programmer
Name                       Members
Ilmukomputer-programming   5226
Indoprog-vb                5215
delphindo                  2844
jug-indonesia              1783
csharp-indo                699

59 Hacker & Virus
Name                 Members
jasakom-perjuangan   12278
newbie-hacker        5636
majalahneotek        5633
vaksin               3388
yogyafree            2251
indocrack            1175
bandunghack          1046

60 IT Politics & Policy telematika


65 Programmer: Csharp-indo, Jug-indonesia, Delphindo, Indoprog-vb, Ilmukomputer-programming

66 Delphindo


71 Hacker Communities: Bandunghack, Indocrack, yogyafree, Jasakom-perjuangan

72 bandunghack


78 Jasakom-perjuangan
