Protecting Your Website / Network
Onno W. Purbo, onno@indo.net.id
“Information Security is about technology, policy, people and common sense”
Outline
- Technical Tips
- Security Policies
- Knowing Your Friends & Enemies
CERT Technical Tips
URL: http://www.cert.org/tech_tips/
Covering:
- Securing Systems or Networks
- Responding to Incidents
- Web Security Issues
- Mail Abuse
- Understanding Attacks
- Securing Networks Systematically
Where It All Started … Choosing a Technology
In-House vs. Outside Tech Support: do you have the HR to do it?
Freely-Available vs. Commercial Software: do you have the HR to do it?
Understand Your Needs:
- availability of source code vs. binaries
- availability of technical expertise (internal and external)
- maintenance and/or customer support
- customer requirements and usability
- cost of software, hardware, and technical support staff
Choosing a Technology
Regardless of the choice you make, you should first carefully review and understand the needs of your organization or customer base in terms of resources, cost, and security risk, as well as any site-specific constraints; compare the available products and services to your needs; and then determine what product best matches your needs.
Network Security Technology Map
Internet Security Aspects
- Penetration Testing
- Certificate Authority / PKI
- Vulnerability Testing
- Managed Security Services
Penetration Testing
- Active Content Monitoring / Filtering
- Intrusion Detection – Host Based
- Firewall
- Intrusion Detection – Network Based
- Authorization
- Air Gap Technology
- Network Authentication
- Security Appliances
- Security Services: Penetration Testing
- Authentication
Certificate Authority / PKI
- Certificate Authority
- File & Session Encryption
- VPN & Cryptographic Communications
- Secure Web Servers
- Single Sign On
- Web Application Security
Vulnerability Testing
- Vulnerability Scanners – Host Based
- Real-Time Security Awareness, Response & Threat Management
- Vulnerability Scanners – Network Based
Managed Security Services
- Enterprise Security Policy Implementation
- Managed Security Services
- Enterprise Security Administration
- Security Services: Policy Development
- Trusted Operating Systems
- Anti-DDoS Tools
Some Tips
- Securing Networks Systematically: the Security Knowledge in Practice (SKiP) Method
- General Advice Pertaining to Intrusion Detection
- Minimal Steps in a Compromised System
- Intruder Detection Checklist
- Windows Intruder Detection Checklist
- Steps for Recovering from a UNIX or NT System Compromise
SKiP Method
1. Select systems software from a vendor and customize it according to an organization’s needs.
2. Harden and secure the system against known vulnerabilities.
3. Prepare the system so that anomalies may be noticed and analyzed for potential problems.
4. Detect those anomalies and any other system changes that could indicate evidence of an intrusion.
5. Respond to intrusions when they occur.
6. Improve practices and procedures after updating the system.
7. Repeat the SKiP process as long as the organization needs to protect the system and its information assets.
SKiP Method: Customizing Vendor Software
- eliminate services that are unneeded and insecurely configured
- restrict access to vulnerable files and directories
- turn off software “features” that introduce vulnerabilities
- mitigate vulnerabilities that intruders can use to break into systems
SKiP Method: Harden and Secure the Network
- configure the system to meet organizational security requirements, retaining only those services and features needed to address specific business needs
Securing a system against known attacks eliminates vulnerabilities and other weaknesses commonly used by intruders. The practices performed during this step may change over time to address new attacks and vulnerabilities.
SKiP Method: Prepare
Network administrators characterize their system in the Prepare step. An administrator knows what to expect in terms of:
- changes in files and directories and in the operating system
- normal processes: when they run, by whom, and what resources they consume
- network traffic consumed and produced
- hardware inventory on the system
SKiP Method: Detect
Administrators concentrate on detecting signs of anomalous or unexpected behavior, since it may indicate possible intrusions and system compromise. Administrators also watch for early warning signs of potential intruder actions, such as scanning and network mapping attempts.
SKiP Method: Respond
- analyze the damage caused by the intrusion and respond by adding new technology or procedures to combat it
- monitor an intruder’s actions in order to discover all access paths and entry points before acting to restrict intruder access
- eliminate future intruder access
- return the system to a known, operational state while continuing to monitor and analyze
SKiP Method: Improve the System
- hold a post-mortem review meeting to discuss lessons learned
- update policies and procedures
- select new tools
- collect data about the resources required to deal with the intrusion and document the damage it caused
General Advice Pertaining to Intrusion Detection
Proactive auditing and monitoring are essential steps in intrusion detection. It is ineffective to audit altered data or compromised systems: their logs are unreliable. Establish a baseline for what you consider normal activity in your environment, so you can recognize unusual events and respond appropriately.
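As an added example (not from the slides or the CERT tech tips), the following POSIX shell script turns the baseline advice into a file-integrity check in the spirit of the SKiP Prepare and Detect steps: record a SHA-256 hash of every file under a directory such as /usr/sbin while the system is known clean, then diff the current state against that record. It assumes sha256sum from GNU coreutils; the directory and baseline paths are parameters you choose.

```shell
#!/bin/sh
# Added example, not from the slides or the CERT tech tips: a hash baseline
# for the SKiP "Prepare" step and a comparison for the "Detect" step.
# Assumes a POSIX shell and sha256sum (GNU coreutils). DIR is the tree to
# watch (for example /usr/sbin) and BASELINE is a file kept off-system or
# on read-only media, so that whoever alters a binary cannot also fix
# the record.

# hash_tree DIR: one "<sha256>  <path>" line per regular file, sorted by path
hash_tree() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

# build_baseline DIR BASELINE: record the current state of DIR
build_baseline() {
    hash_tree "$1" > "$2"
}

# compare_baseline DIR BASELINE: print lines that differ from the baseline.
# "<" marks the recorded hash/path (changed or deleted file), ">" the current
# one (changed or new file). Returns 0 when nothing differs, 1 otherwise.
compare_baseline() {
    current=$(mktemp)
    hash_tree "$1" > "$current"
    changes=$(diff "$2" "$current" | grep '^[<>]' || true)
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Usage: baseline.sh DIR BASELINE
# Creates BASELINE on the first run and reports drift on later runs.
if [ "$#" -eq 2 ]; then
    if [ -f "$2" ]; then
        compare_baseline "$1" "$2"
    else
        build_baseline "$1" "$2"
    fi
fi
```

Run it from a clean system (or a known-good install) to create the record, and schedule the comparison so that drift in system binaries is noticed before the logs themselves become untrustworthy.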
Minimal Steps in a Compromised System
- Document every step that you perform in detail.
- Perform a sector-by-sector backup of the hard disk drive.
- If your organization intends to take legal action in connection with the intrusion, consult with your legal department before performing any step.
Intruder Detection Checklist
- Examine log files
- Look for setuid and setgid files
- Check system binaries
- Check for packet sniffers
- Examine files run by 'cron' and 'at'
- Check for unauthorized services
- Examine the /etc/passwd file
- Check system and network configuration
- Look everywhere for unusual or hidden files
- Examine all machines on the local network
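To make three of these checklist items concrete, here is an added shell script (not part of the CERT checklist) that lists setuid/setgid files, audits a passwd file for extra UID-0 accounts, empty password fields and duplicate UIDs, and prints the active cron entries; the root directory is a parameter so it can be pointed at a mounted disk image as well as the live system. The function names and the sample passwd are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the CERT checklist: audit three checklist items,
# setuid/setgid files, the /etc/passwd file and cron entries. ROOT is a
# parameter so the same checks run against a disk image mounted read-only
# (for example ROOT=/mnt/evidence) as well as the live system (ROOT=/).
# Assumes a POSIX shell with find and awk.

# find_setuid ROOT: list setuid or setgid regular files, staying on one filesystem
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# audit_passwd FILE: report UID-0 accounts other than root, empty password
# fields and duplicate UIDs. Returns 1 if anything was reported.
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "uid 0 account: " $1; bad = 1 }
        $2 == ""                { print "empty password field: " $1; bad = 1 }
        seen[$3]++              { print "duplicate uid " $3 ": " $1; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# list_cron ROOT: print non-comment lines from system and per-user crontabs
list_cron() {
    for f in "$1"/etc/crontab "$1"/etc/cron.d/* \
             "$1"/var/spool/cron/crontabs/* "$1"/var/spool/cron/*; do
        [ -f "$f" ] && grep -v '^[[:space:]]*#' "$f" | sed "s|^|$f: |"
    done
    return 0
}

# Constructed sample passwd (not from any real system) with one finding of
# each kind, used to exercise audit_passwd.
write_sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'toor:x:0:0:second uid 0 account:/:/bin/sh' \
        'www-data:x:33:33::/var/www:/usr/sbin/nologin' \
        'guest::1001:1001::/home/guest:/bin/sh' > "$1"
}

# Usage: audit.sh ROOT
if [ "$#" -eq 1 ]; then
    echo "== setuid/setgid files under $1"; find_setuid "$1"
    echo "== passwd findings"; audit_passwd "$1/etc/passwd" || true
    echo "== cron entries"; list_cron "$1"
fi
```

Compare the setuid list and the cron output against the baseline you recorded when the system was clean; an entry that is not in the baseline is what the checklist asks you to investigate.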
Windows Intruder Detection Checklist
Look for Signs of System Compromise:
- Rootkits
- Examine Log Files
- Check for Odd User Accounts and Groups
- Check All Groups for Unexpected User Membership
- Look for Unauthorized User Rights
- Check for Unauthorized Applications Starting Automatically
- Check Your System Binaries for Alterations
Windows Intruder Detection Checklist: Look for Signs of System Compromise (continued)
- Check Your Network Configurations for Unauthorized Entries
- Check for Unauthorized Shares
- Check for Any Jobs Scheduled to Run
- Check for Unauthorized Processes
- Look Throughout the System for Unusual or Hidden Files
- Check for Altered Permissions on Files or Registry Keys
Windows Intruder Detection Checklist: Look for Signs of System Compromise (continued)
- Check for Changes in User or Computer Policies
- Ensure the System Has Not Been Joined to a Different Domain
- Audit for Intrusion Detection
Windows Intruder Detection Checklist: Consider Running Intrusion Detection Systems
- Freeware/shareware Intrusion Detection Systems
- Commercial Intrusion Detection Systems
Windows Intruder Detection Checklist: Review CERT Documents
- Steps for Recovering from a Windows NT Compromise
- Windows NT Configuration Guidelines
- NIST Checklists
Recovering from Compromise
A. Before you get started
B. Regain control
C. Analyze the intrusion
D. Contact the relevant CSIRT for incident reporting
E. Recover from the intrusion
F. Improve the security of your system and network
G. Reconnect to the Internet
H. Update your security policy
Recovering from Compromise: A. Before you get started
- Consult your security policy
- If you do not have a security policy:
  - Consult with management
  - Consult with your legal counsel
  - Contact law enforcement agencies
  - Notify others within your organization
- Document all of the steps you take in recovering
Recovering from Compromise: B. Regain control
- Disconnect compromised system(s) from the network
- Copy an image of the compromised system(s)
Recovering from Compromise: C. Analyze the intrusion
- Look for modifications made to system software and configuration files
- Look for modifications to data
- Look for tools and data left behind by the intruder
- Review log files
- Look for signs of a network sniffer
- Check other systems on your network
- Check for systems involved or affected at remote sites
Recovering from Compromise: D. Contact the relevant CSIRT and other sites involved
- Incident reporting
- Contact the CERT Coordination Center
- Obtain contact information for other sites involved
Recovering from Compromise: E. Recover from the intrusion
- Install a clean version of your operating system
- Disable unnecessary services
- Install all vendor security patches
- Consult CERT advisories, external security bulletins and vendor-initiated bulletins
- Use data from backups with caution
- Change passwords
Recovering from Compromise: F. Improve the security of your system and network
- Review security using the UNIX or NT configuration guidelines document
- Install security tools
- Enable maximal logging
- Configure firewalls to defend networks
Recovering from Compromise: G. Reconnect to the Internet
Recovering from Compromise: H. Update your security policy
- Document lessons learned from being compromised
- Calculate the cost of this incident
- Incorporate necessary changes (if any) in your security policy
Security Policies
URL: http://www.sans.org/resources/policies/
http://www.sans.org/resources/policies/Policy_Primer.pdf
Templates for:
- Wireless Communication Policy
- Server Security Policy
- Anti-Virus Process
- Extranet Policy
A Security Policy Framework
- Policies define appropriate behavior.
- Policies set the stage in terms of what tools and procedures are needed.
- Policies communicate a consensus.
- Policies provide a foundation for HR action in response to inappropriate behavior.
- Policies may help prosecute cases.
Ref: Michele D. Guel, The SANS Policy Primer.
Policy Outline
- Purpose
- Scope
- Guidelines
- Policy Ownership
- Responsibilities
- Scenarios & Business Impact
- Prohibited Use
- Network Control
- Scanning Period
- Monitoring
- Enforcement
- Definitions
Types of Communities
- IT Policy & Politics: telematika@yahoogroups.com
- IT Network Administrators: indowli@yahoogroups.com, asosiasi-warnet@yahoogroups.com
- Programmers (Formal & White Collar): delphindo@yahoogroups.com
- Hacker & Virus: jasakom-perjuangan@yahoogroups.com, newbie-hacker@yahoogroups.com
IT Policy & Politics
Name              Members
genetika          2205
telematika        1750
mastel-anggota    337
IT Network Administrators
Name                      Members
asosiasi-warnet           6241
Ilmukomputer-networking   5636
It-center                 4889
indowli                   4766
Programmer
Name                      Members
Ilmukomputer-programming  5226
Indoprog-vb               5215
delphindo                 2844
jug-indonesia             1783
csharp-indo               699
Hacker & Virus
Name                 Members
jasakom-perjuangan   12278
newbie-hacker        5636
majalahneotek        5633
vaksin               3388
yogyafree            2251
indocrack            1175
bandunghack          1046
IT Politics & Policy: telematika (chart)
Programmer: Csharp-indo, Jug-indonesia, Delphindo, Indoprog-vb, Ilmukomputer-programming (chart)
Delphindo (chart)
Hacker Communities: Bandunghack, Indocrack, yogyafree, Jasakom-perjuangan (chart)
bandunghack (chart)
Jasakom-perjuangan (chart)
Excellence References
http://www.sans.org
http://www.cert.org
Extreme References
http://www.remote-exploit.org
http://packetstormsecurity.org
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.