-
Vulnerability Scanner
-
Purpose
-
Defender
- Used by defenders to automatically check for many known problems
-
Attacker
- Used by attackers to prepare for and plan attacks
- identify common security configuration mistakes.
-
Meaning
- Vulnerability scanners can test systems and network devices for exposure to common attacks.
- Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses
-
PortScanner
- Port scanning utilities (port scanners) are tools used by both attackers and defenders to identify computers that are active on a network, as well as ports and services active on those computers, functions and roles the machines are fulfilling, and other useful information
- The more specific the scanner is, the better and more useful the information it provides is, but a generic, broad-based scanner can help locate and identify rogue nodes on the network
- Port is a network channel or connection point in a data communications system
- Within TCP/IP, TCP and UDP port numbers differentiate multiple communication channels used to connect to network services offered on the same device
- In all, there are 65,536 port numbers in use for TCP and another 65,536 port numbers for UDP
- Ports greater than 1023 typically referred to as ephemeral ports and may be randomly allocated to server and client processes
- An open port is an open door that an attacker can use to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device
-
Example Tools
-
Port Scanner
-
Nessus
- a comprehensive vulnerability scanner developed by Tenable Network Security.
-
Nmap
- http://insecure.org/
-
Online Scanner
- https://freescan.qualys.com/freescan-front/
- https://pentest-tools.com/home
- https://hackertarget.com/
- http://www.arachni-scanner.com/download/
- https://subgraph.com/vega/download/index.en.html
- https://github.com/zaproxy/zaproxy
- http://wapiti.sourceforge.net/
- http://websecuritytool.codeplex.com/
-
OpenVAS
- OpenVAS is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution
- http://www.openvas.org/index.html
-
Vulnerability Management
-
Why
- Patch Management is ineffective and inefficient.
- the discovery of vulnerabilities and assessment of the risk to the network is a critical part of the business landscape for long-term success.
- The root cause of the problem is the existence of vulnerabilities in the corporate network.
-
Purpose
- Building a strong program based on mitigating known vulnerabilities has transformed from a security centric process to an operational necessity for business success
- automatically and cost-effectively determine whether to eliminate, mitigate or tolerate threats based upon risk and the cost associated with repair
- cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities
-
Activity
- Classify. Assign network resources a hierarchy based on criticality
- Measure. Assess security performance in reducing exposures to key vulnerabilities
- Integrate. Vulnerability Management bolsters effectiveness of patch management, configuration control, and early warning.
- Audit. Regularly audit the effectiveness of integrated vulnerability processes
- is not a penetration test
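The Classify and Measure activities above, together with the "eliminate, mitigate or tolerate" decision from the Purpose list, can be turned into a small prioritisation routine. The following is an added example written for these notes, not code from any scanner or vendor product; the asset criticality scale (1 to 5), the risk formula, the thresholds and the sample findings (labelled with constructed ids, not real CVE numbers) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # 1 (low) .. 5 (critical), assigned in the Classify step


@dataclass(frozen=True)
class Finding:
    ident: str         # scanner's finding id (constructed, not a real CVE number)
    asset: Asset
    severity: float    # 0.0 .. 10.0, CVSS-style base score reported by the scanner
    repair_cost: int   # estimated effort units to fully eliminate the weakness


def risk_score(f: Finding) -> float:
    """Risk = technical severity weighted by how critical the affected asset is (max 50)."""
    return round(f.severity * f.asset.criticality, 1)


def decide(f: Finding, tolerate_below: float = 10.0, repair_budget: int = 40) -> str:
    """Eliminate (patch/remove), mitigate (compensating control) or tolerate (accept the risk).

    Low-risk findings are tolerated; everything else is eliminated when the repair fits
    the budget, otherwise mitigated until a cheaper fix exists. Thresholds are assumptions.
    """
    risk = risk_score(f)
    if risk < tolerate_below:
        return "tolerate"
    if f.repair_cost <= repair_budget:
        return "eliminate"
    return "mitigate"


def prioritize(findings):
    """Highest risk first; ties broken by the cheapest repair."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.repair_cost))


def measure(findings):
    """Measure step: how many findings land in each decision bucket."""
    counts = {"eliminate": 0, "mitigate": 0, "tolerate": 0}
    for f in findings:
        counts[decide(f)] += 1
    return counts


# Constructed sample inventory (output of the Classify step) and scanner findings.
DB = Asset("db-01", 5)
WEB = Asset("web-01", 4)
KIOSK = Asset("kiosk-07", 1)
FINDINGS = [
    Finding("F-1", KIOSK, 5.0, 5),
    Finding("F-2", WEB, 7.5, 80),
    Finding("F-3", DB, 9.8, 20),
    Finding("F-4", WEB, 4.0, 10),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.ident:4} {f.asset.name:9} risk={risk_score(f):5.1f} -> {decide(f)}")
    print(measure(FINDINGS))
```

The point of the example is that the same scanner severity (F-2 versus F-4 on the same host) does not lead to the same decision: repair cost and asset criticality, not the CVSS number alone, drive whether a finding is eliminated, mitigated or tolerated.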
-
LifeCycle and Best Practice
-
Law Of Vulnerability
-
Vulnerability Assessment
-
Meaning
- Vulnerability assessment is a process that works on a system to identify, track, and manage the repair of vulnerabilities on the system.
- to provide a comprehensive security review of the system including both the perimeter and system internals.
- Vulnerability assessment scans a network for known security weaknesses
-
Purpose
- network mapping and system fingerprinting of all known vulnerabilities
- a complete vulnerability analysis and ranking of all exploitable weaknesses based on potential impact and likelihood of occurrence for all services on each host
- prioritized list of misconfigurations
-
Report
- detailing the findings and the best way to go about overcoming such vulnerabilities.
- prioritized recommendations for mitigating or eliminating weaknesses
- based on an organization’s operational schedule, it also contains recommendations of further reassessments of the system within given time intervals or on a regular basis.
-
Technique
- Network Scanning
- Vulnerability Scanning
- Password Cracking
- Log Review
- Integrity Checkers
- Virus Detection
- War Dialing
- War Driving (802.11 or wireless LAN testing)
-
Penetration Testing
- A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.
- The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.
- The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered.
-
Terms
- Threat: potential occurrence that can have an undesired effect on the system
- Vulnerability: characteristic of the system that makes it possible for a threat to occur
- Attack: action of a malicious intruder that exploits vulnerabilities of the system to cause a threat to occur
- Risk: measure of the possibility of security breaches and severity of the damage
-
Security
-
Problem
-
Securing computing resources: prevent/detect/deter improper use of computing resources
- Hardware
- Software
- Data
- Network
- Security is a continuous process of protecting an object from attack. That object may be a person, an organization such as a business, or property such as a computer system or a file.
-
Pseudosecurity
-
Security Through Obscurity (STO)
- STO is a false hope of security.
- any resource on the system can be secure so long as nobody outside the core implementation group is allowed to find out anything about its internal mechanisms
- “bunk mentality” security.
-
Security Objective
-
CIA
- Confidentiality: prevent/detect/deter improper disclosure of information (information is accessible only to those who have the right to it)
- Integrity: prevent/detect/deter improper modification of information (the object remains original, its authenticity is not in doubt, and it is not modified on its way from the source to the recipient)
- Availability: prevent/detect/deter improper denial of access to services (authorized users are given timely access without any hindrance)
-
Authentication and non-repudiation
- Authentication: the process of determining whether someone logging in is really who they claim to be and is entitled to access
- Non-repudiation: the sender and the receiver cannot deny that it was really they who performed the action. Non-repudiation can be achieved using digital signatures, confirmation services, and time stamps.
-
Access Control
-
Entities
- Subject of the Access Control. The subject here is the entity that submits a request to access data.
- Object of the Access Control. The object here is the entity that contains or manages the data; in other words, the object is a resource available within a system
-
Purpose
- the process of regulating/controlling who is entitled to access particular resources within a system
- protecting data against unauthorized access, that is, access by people who do not have access rights to the resource
-
Types
- Physical Access Control
- Perimeter Security
- restricting entry to the area or location where the hardware is located
- Cable Protection
- shielding to increase resistance to EMI (Electromagnetic Interference)
- Separation of duties and work areas
- Physically separating employees' work areas is intended to minimize shoulder surfing. Shoulder surfing is where an employee can see and observe the activities of another employee by peeking over their shoulder
- Administrative Access Control
- Policies and Procedures
- clear procedures relating to access to the resources within the system
- Hiring Practices
- the mechanism for recruiting new employees
- Monitoring Point
- oversight of the policies and procedures in force
- Security Awareness Training
- training is conducted relating to security awareness
- Logical Access Control
- Object Access Restriction
- access only for authorized users
- Encryption
- Encoding data so that it can only be read by people who actually have access rights
- Network Architecture / Segregation
- Segmentation of the existing computer network infrastructure. This is intended to prevent data theft carried out through the existing network infrastructure
-
Principles
- Least Privilege
- Least Privilege here means granting only the access rights that the subject in question actually needs to carry out the tasks that are part of its responsibilities
- Full Access
- never grant full access to all resources available in the system to a subject
- Authorization Creep
- an unintended situation in which a subject is granted access rights it should not have. This condition naturally has the potential to create a threat to our system
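The three principles above (least privilege, no full access, watch for authorization creep) can be checked mechanically by comparing what each subject has been granted with what their roles actually require. The following is an added example for these notes, not code from any identity product; the role model, the `*` wildcard meaning full access, and the sample users are constructed assumptions.

```python
# Hypothetical role model: the permissions each role legitimately needs (least privilege).
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "dba": {"db:read", "db:write", "db:backup"},
    "support": {"tickets:read", "tickets:write", "db:read"},
}

# Assumed convention: a literal "*" grant means full access to every resource.
FULL_ACCESS = "*"


def required_for(roles) -> set[str]:
    """Union of the permissions needed by the subject's roles; unknown roles need nothing."""
    needed: set[str] = set()
    for r in roles:
        needed |= ROLE_PERMISSIONS.get(r, set())
    return needed


def check_user(name: str, roles, granted) -> list[str]:
    """Return findings for one subject; an empty list means least privilege holds."""
    findings = []
    if FULL_ACCESS in granted:
        findings.append("full access granted (wildcard permission)")
    # Authorization creep: anything granted that no current role requires.
    excess = sorted(p for p in granted if p != FULL_ACCESS and p not in required_for(roles))
    if excess:
        findings.append("authorization creep: " + ", ".join(excess))
    return findings


def review(users) -> dict[str, list[str]]:
    """users: iterable of (name, roles, granted). Returns {name: findings} for problem subjects only."""
    report = {}
    for name, roles, granted in users:
        findings = check_user(name, roles, granted)
        if findings:
            report[name] = findings
    return report


# Constructed sample: bob moved from the dba role to support but kept db:write;
# carol was given a wildcard grant instead of the dba role's permissions.
USERS = [
    ("alice", ["developer"], {"repo:read", "repo:write", "ci:run"}),
    ("bob", ["support"], {"tickets:read", "tickets:write", "db:read", "db:write"}),
    ("carol", ["dba"], {"*"}),
]

if __name__ == "__main__":
    for name, findings in review(USERS).items():
        print(name, "->", "; ".join(findings))
```

Running this periodically (for example after every role change) is how the Audit activity from the Vulnerability Management section applies to access control: creep is only visible when grants are compared against a current statement of need, not against what was approved months ago.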
-
Accountability
- Accountability (Audit) refers to the ability to trace or audit what a user (individual or group) is doing to the computer network system.
-
Achieving Security
- Policy : What to protect?
- Mechanism : How to protect?
- Assurance : How good is the protection?
-
Basic Concept
-
Meaning
- A system vulnerability is a condition, a weakness of or an absence of security procedure, or technical, physical, or other controls that could be exploited by a threat
- weaknesses in the software or hardware on a server or a client that can be exploited by a determined intruder to gain access to or shut down a network
-
Source
-
Design Philosophy
- the philosophy was not based on clear blueprints
- new developments and additions came about as reactions to the shortfalls and changing needs of a developing infrastructure
-
Weaknesses in Network Infrastructure and Communication Protocols
- Data packets: As packets are disassembled, transmitted, and reassembled, the security of each individual packet and of the intermediary transmitting elements must be guaranteed
- The cardinal rule of a secure communication protocol in a server is never to leave any port open in the absence of a useful service. If no such service is offered, its port should never be open
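The cardinal rule above, and the port scanner notes earlier (open ports as open doors, the well-known/ephemeral split at 1023), are easiest to apply from the defender's side: list what is actually listening on a host and compare it against the services the host is supposed to offer. The following is an added example for these notes, not code from Nmap, Nessus or any other tool named on this page; the `ss -ltn`-style output, the allowlist, and the "loopback only" flag are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -ltn` output (listening TCP sockets).
# The 8080 listener is the odd one out: nothing in the allowlist explains it.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       100     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Hypothetical allowlist: port -> (service name, must stay bound to loopback only).
# This is the list of "useful services" the cardinal rule asks the host to justify.
ALLOWED = {
    22: ("ssh", False),
    80: ("http", False),
    5432: ("postgresql", True),
}

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when the socket accepts connections from any interface."""
        return self.addr in WILDCARD_ADDRS


_LISTEN_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_ss(text: str) -> list[Listener]:
    """Extract (address, port) from LISTEN rows; the header and non-LISTEN rows are skipped."""
    listeners = []
    for line in text.splitlines():
        m = _LISTEN_LINE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2))))
    return listeners


def port_class(port: int) -> str:
    """Well-known ports are below 1024; the notes treat everything above 1023 as ephemeral."""
    return "well-known" if port < 1024 else "ephemeral"


def audit(listeners, allowed=ALLOWED):
    """Return (port, addr, reason) for every listener that violates the allowlist."""
    findings = []
    for l in listeners:
        if l.port not in allowed:
            findings.append((l.port, l.addr,
                             f"no documented service on {port_class(l.port)} port {l.port}"))
        else:
            service, loopback_only = allowed[l.port]
            if loopback_only and l.exposed:
                findings.append((l.port, l.addr,
                                 f"{service} should be bound to loopback only"))
    return findings


if __name__ == "__main__":
    for port, addr, reason in audit(parse_ss(SS_OUTPUT)):
        print(f"{addr}:{port}  {reason}")
```

The host-side view catches what an external port scan cannot distinguish: a service that is legitimately running but bound to the wrong interface (the loopback-only check) versus a port with no owner at all, which under the cardinal rule should simply not be open.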
-
Rapid Growth of Cyberspace
- The Growth of the Hacker Community
- The Invisible Security Threat -The Insider Effect
-
Social Engineering
- used to gain system authorization by masquerading as an authorized user of the network
- Physical Theft
-
Design Flaws/Weaknesses
-
the biggest problems in system security vulnerability are due to software design flaws
- human factors,
- Memory lapses and attentional failures: For example, someone was supposed to have removed or added a line of code, tested, or verified but did not because of simple forgetfulness.
- Rush to finish: The result of pressure, most often from management, to get the product on the market either to cut development costs or to meet a client deadline can cause problems.
- Overconfidence and use of nonstandard or untested algorithms: Before algorithms are fully tested by peers, they are put into the product line because they seem to have worked on a few test runs.
- Malice: Software developers, like any other professionals, have malicious people in their ranks. Bugs, viruses, and worms have been known to be embedded and downloaded in software, as is the case with Trojan horse software, which boots itself at a timed location.
- Complacency: When either an individual or a software producer has significant experience in software development, it is easy to overlook certain testing and other error control measures in those parts of software that were tested previously in a similar or related product, forgetting that no one software product can conform to all requirements in all environments.
- software complexity,
- Complexity: Unlike hardwired programming in which it is easy to exhaust the possible outcomes on a given set of input sequences, in software programming a similar program may present billions of possible outcomes on the same input sequence.
- Difficult testing: There will never be a complete set of test programs to check software exhaustively for all bugs for a given input sequence.
- Ease of programming: The fact that software programming is easy to learn encourages many people with little formal training and education in the field to start developing programs, but many are not knowledgeable about good programming practices or able to check for errors.
- Misunderstanding of basic design specifications: This affects the subsequent design phases including coding, documenting, and testing. It also results in improper and ambiguous specifications of major components of the software and in ill-chosen and poorly defined internal program structures.
- trustworthy software sources
- There are thousands of software sources for the millions of software products on the market today. However, if we were required to name well known software producers, very few of us would succeed in naming more than a handful. Yet we buy software products every day without even ever minding their sources. Most important, we do not care about the quality of that software, the honesty of the anonymous programmer, and of course the reliability of it as long as it does what we want it to do.
- Even if we want to trace the authorship of the software product, it is impossible because software companies are closed within months of their opening. Chances are when a software product is 2 years old, its producer is likely to be out of business. In addition to the difficulties in tracing the producers of software who go out of business as fast as they come in, there is also fear that such software may not even have been tested at all.
- The growth of the Internet and the escalating costs of software production have led many small in-house software developers to use the marketplace as a giant testing laboratory through the use of beta testing, shareware, and freeware. Shareware and freeware have a high potential of bringing hostile code into trusted systems.
- Hardware systems are less susceptible to design flaws
-
Attack
-
Step
- Reconnaissance: Active/Passive
- Scanning
-
Gaining Access:
- Operating systems level/ application level
- Network level
- Denial of service
- Maintaining Access: Uploading/altering/downloading programs or data
- Clearing Tracks
-
Standard
-
Secure Coding
-
OWASP
-
OWASP Top 10 :2013
-
Web Hacking Incident Database
- WASC
-
Naming and Classification Standards
-
CVE
- Common Vulnerability Enumeration
- http://cve.mitre.org/
- naming standard for vulnerabilities
-
CWE
- classification of the types of weaknesses that cause vulnerabilities.
- https://nvd.nist.gov/cwe.cfm