Evaluation of Information Systems Security
Assignment for the Information System Security course, students of STMIK ELRAHMA
(Dian Didik Purwanto)
Although an information system may have been designed with security features, the operation of its security must still be monitored continuously. There are several reasons for this, described below.

A. Sources of Security Holes

Security holes can arise from several causes: design errors (design flaws), implementation errors, incorrect configuration, and incorrect use.
1. Design errors

Security holes caused by a faulty design are generally rare, but when they do occur they are very hard to fix. Examples:

a. The design of the sequence numbering of TCP/IP packets can be exploited, causing the problem known as "IP spoofing": a host impersonates another host by creating fake packets after observing the sequence of packets from the host it wants to attack.

b. The ROT13 encryption algorithm, in which each character is simply shifted by 13 letters: however carefully it is programmed, anyone who knows the algorithm can easily break the encryption.

Solution: to avoid security holes caused by design, careful and accurate planning and design of the system to be built is required.
2. Implementation errors

Security holes caused by implementation errors are common, because programs are often implemented in a hurry and the coding is not done carefully. As a result, checks and tests that should have been performed are skipped. Examples of implementation errors:

a. The limit ("bound") of an "array" is often not checked, so an "out of bound" condition arises that can be exploited (for example to overwrite the next variable in memory).

b. Programmers forget to filter unusual characters from a program's input, so the program can be made to access files or information that should not be accessible.

Solution: to overcome implementation errors, programmers must learn from existing mistakes, be careful, and always take the security factor into account; they must also keep their information up to date so that they learn about bugs in the applications they use.
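The input-filtering mistake in A.2(b) is easiest to see in code. The following Python is an added example, not code from the paper: open_unfiltered is the careless pattern and resolve_confined the corrected one; the base directory /srv/app/public and the function names are assumptions made for illustration.

```python
import os
import re

# Constructed base directory for this example (not a path from the paper).
BASE_DIR = "/srv/app/public"

# Allowlist of characters a request path may contain.  NUL bytes, newlines,
# shell metacharacters and similar odd input fail this test and are refused:
# this is the filtering step the paper says programmers forget.
_ALLOWED = re.compile(r"[A-Za-z0-9._/-]+")


def open_unfiltered(requested, base=BASE_DIR):
    """Careless pattern from A.2(b): the user's input is glued onto the base
    directory with no check, so '..' segments walk out of it."""
    return os.path.normpath(os.path.join(base, requested))


def resolve_confined(requested, base=BASE_DIR):
    """Hardened version: returns the absolute path to open, or None when the
    request is rejected.  On a live file system apply os.path.realpath to
    both paths first, so a symlink inside base cannot bypass the check."""
    if not requested or _ALLOWED.fullmatch(requested) is None:
        return None                     # odd characters: refuse
    if os.path.isabs(requested):
        return None                     # os.path.join would discard base
    candidate = os.path.normpath(os.path.join(base, requested))
    # commonpath is a directory-aware containment test; a plain
    # candidate.startswith(base) would wrongly accept "/srv/app/public2/x".
    if os.path.commonpath([base, candidate]) != base:
        return None                     # resolves outside base: refuse
    return candidate


if __name__ == "__main__":
    for req in ("docs/readme.txt", "../../../etc/passwd", "a\x00.txt", "/etc/shadow"):
        print(repr(req), "->", open_unfiltered(req), "|", resolve_confined(req))
```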
3. Configuration errors

Even when a program has been implemented correctly, security holes can still arise from an incorrect configuration. Examples of problems caused by incorrect configuration:

a. A file that should not be modifiable by users is accidentally left "writable". If it is an important file, such as the file used to store passwords, the result is a security hole.

b. Computers and servers are sometimes sold with a very weak configuration.

c. Workstations are sometimes distributed with the files /etc/aliases (used to redirect e-mail) and /etc/utmp (used to record who is using the system) modifiable by anyone.

d. Programs are sometimes accidentally set to "setuid root", so that when a user runs them they have the access of the superuser (root), who can do anything.

Solution: to handle configuration errors, a system needs a policy / Standard Operating Procedure (SOP) that governs centralized network configuration, user permissions, and which programs may be installed and used, according to each user's level.

4. Usage errors

Errors in using a program can also create security holes. Mistakes made while running programs under the root (superuser) account can be fatal. There are many horror stories about system administrators who were careless in running the command "rm -rf" (which deletes files and directories together with their subdirectories), with the result that every file on the system was lost.

Solution:
a. Knowledge of the program being run is required, and care must be taken when running it, especially when it is run under the administrator (root) account.
b. Perform complete system and data backups regularly.

B. System Security Testing Programs

Because there are so many things that must be monitored, the administrator of an information system needs "automated tools" that can help test or evaluate the security of the system being managed. The following are examples of security testing programs, grouped by the operating system they are used on.

1. COPS

COPS was written by Dan Farmer. COPS analyzes the system looking for common configuration problems and conditions that still exist on UNIX systems, including:
a. invalid or erroneous file, directory and device permissions;
b. weak passwords;
c. poor security on the password and group files;
d. inappropriate SUID / SGID bits on files;
e. suspicious changes in file checksums.

2. Tripwire

Tripwire is a program that checks files and compares them with a previously created database. It works by building a database of information about all of the system's files and storing it in a file. Each time Tripwire is run, the results of the file system check are compared with the database created earlier. The Tripwire application is installed on a protected partition with a read-only media policy. The Tripwire configuration consists of the following components:
1) Configuration file
2) Policy file
3) Database file
4) Report file

3. SATAN and SAINT

SATAN (Security Administrator's Tool for Analyzing Networks) was created by Dan Farmer and Wietse Venema in 1995. SATAN is a program for detecting common network vulnerabilities, with a web browser interface. SATAN was designed to help system administrators automate the process of testing their systems for known vulnerabilities that can be exploited over a network. This is especially useful for networks with many hosts. Like other network software, this tool can serve its proper purpose but can also be misused, for example by prospective intruders looking for systems with security holes.
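The configuration problems listed under A.3 (a world-writable password file, a program accidentally set to setuid root) and the checks COPS and Tripwire perform under B.1 and B.2 (permission bits, checksum changes against a stored database) can be combined in one small tool. This Python is an added example written for this page, not the COPS or Tripwire code; the file lists and the JSON database format are assumptions.

```python
import hashlib
import json
import os
import stat


def file_record(path):
    """Checksum, mode and owner of one file: the per-file data a
    Tripwire-style database stores, and what COPS inspects for bad bits."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": st.st_mode, "uid": st.st_uid}


def build_database(paths):
    """Snapshot every regular file in paths (Tripwire's 'create database')."""
    return {p: file_record(p) for p in paths if os.path.isfile(p)}


def permission_findings(rec):
    """COPS-style checks on one record, covering the A.3 examples of a
    writable password file and a program accidentally set to setuid root."""
    mode, found = rec["mode"], []
    if mode & stat.S_IWOTH:
        found.append("world-writable")
    if mode & stat.S_ISUID:
        found.append("setuid root" if rec["uid"] == 0 else "setuid")
    if mode & stat.S_ISGID:
        found.append("setgid")
    return found


def compare(baseline, current):
    """Tripwire-style report: files whose checksum or mode changed, files
    that vanished or appeared, plus permission findings on what is there now."""
    report = {"changed": [], "missing": [], "new": [], "findings": {}}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report["missing"].append(path)
        elif new["sha256"] != old["sha256"] or new["mode"] != old["mode"]:
            report["changed"].append(path)
    report["new"] = sorted(set(current) - set(baseline))
    for path, rec in current.items():
        bad = permission_findings(rec)
        if bad:
            report["findings"][path] = bad
    return report


def save_database(db, db_path):
    """Write the baseline.  As the paper advises, keep this file on read-only
    media so an intruder cannot rewrite it to match their own changes."""
    with open(db_path, "w") as f:
        json.dump(db, f, indent=1)


def load_database(db_path):
    with open(db_path) as f:
        return json.load(f)
```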
As SATAN's successor, World Wide Digital Security developed SAINT (Security Administrator's Integrated Network Tool) in 1998 as a free and updated version of SATAN. SAINT works by scanning every TCP and UDP service. For each running service it launches probes designed to detect anything that would allow an attacker to gain unauthorized access or to cause a denial of service.

The four steps of a SAINT scan:
1) SAINT scans every live system on the network for TCP and UDP services.
2) For each service found running, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial of service, or obtain sensitive information about the network.
3) The scanner checks for possible weaknesses of the system.
4) When a weakness is detected, the results are categorized in several ways, allowing customers to target the data they find most useful.

Besides these programs, there are many programs created by hackers for "trial and error". Programs like these, which appear quickly, can usually be obtained (downloaded) from the Internet at security-related sites such as "rootshell". (See "Sources of information and organizations related to information system security" on page 54.) Examples of such trial-and-error programs include:
· Crack: a program to guess or crack passwords using a dictionary.
· Land: a program that can make a Windows 95/NT system hang (lock up). It sends a "spoofed" packet that appears to come from the same machine, using an open port (e.g. port 113 or 139).
· Ping-o-death: a program (ping) that can crash Windows 95/NT and some versions of Unix.
· Winnuke: a program to tie up a Windows-based system.

It is recommended to install security testing programs that match the design of the network system and its role.

C. Probing Services

Probing a service means finding out what services are available on a server. A server provides services using specific TCP or UDP protocols, and each service runs on a different port, for example:
• SMTP, for sending and receiving e-mail, uses TCP port 25
• POP3, for retrieving e-mail, uses TCP port 110
• HTTP, the web server service, uses TCP port 80
• TELNET, for remote access, uses TCP port 23

On UNIX systems, see the files /etc/services and /etc/inetd.conf to find out which services the server or computer in question runs. There are also services that do not run through inetd.conf but run as daemons in the background. Which services to provide depends on need and on the desired security level. Unfortunately, systems are often purchased or assembled with several major services running by "default". Some of these services must be shut down because they might be exploited by crackers. There are programs that can be used to "probe" which services are available. Such programs can also be used by criminals to see which services are available on a system to be attacked, and to launch an attack based on the data obtained.

1. Manual probe

To check whether a service is active on a server, the following manual steps can be taken:

a. For example, to see whether an e-mail service using SMTP exists, telnet to port 25:

unix% telnet target.host.com 25
Trying 127.0.0.1...
Connected to target.host.com.
Escape character is '^]'.
220 dma-baru ESMTP Sendmail 8.9.0/8.8.5; Mon, 22 Jun 1998 10:18:54 +0700

b. For other services, such as POP or POP3, the same can be done using the "port" number of the service being observed:

unix% telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK QPOP (version 2.2) at dma-baru.paume.itb.ac.id starting. <20651.898485542@dma-baru.paume.itb.ac.id>
quit
+OK Pop server at dma-baru.paume.itb.ac.id signing off.
Connection closed by foreign host.

2. Automatic probe

The probing process can be done automatically with the help of an application program, so that the ports do not have to be entered manually. Examples of probe applications:

a. UNIX systems
§ nmap

# nmap 172.16.100.100
Starting Nmap 4.11 (http://www.insecure.org/nmap/) at 2011-11-07 23:48 CDT
Interesting ports on 172.16.100.100:
Not shown: 1675 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
111/tcp  open  rpcbind
732/tcp  open  unknown
3128/tcp open  squid-http
Nmap finished: 1 IP address (1 host up) scanned in 0.346 seconds
#

b. Windows 95/98/NT systems
§ Superscan
An application designed to probe a target network or server.

3. Detecting probes

To detect whether probing activity is taking place on a system, system administrators can install programs on the system being managed. Probing usually leaves traces in the system log files, so by examining the entries in the log file it can be determined whether there has been probing activity.

root# tail /var/log/syslog
May 16 15:40:42 epson tcplogd: "Syn probe" notebook[192.168.1.4]:[8422] -> epson[192.168.1.2]:[635]
May 16 15:40:42 epson tcplogd: "Syn probe" notebook[192.168.1.4]:[8423] -> epson[192.168.1.2]:ssl-ldap
May 16 15:40:42 epson tcplogd: "Syn probe" notebook[192.168.1.4]:[8426] -> epson[192.168.1.2]:[637]
May 16 15:40:42 epson tcplogd: "Syn probe" notebook[192.168.1.4]:[8429] -> epson[192.168.1.2]:[638]
May 16 15:40:43 epson tcplogd: "Syn probe" notebook[192.168.1.4]:[8430] -> epson[192.168.1.2]:[639]
May 16 15:40:43 epson tcplogd: "Syn probe" notebook[192.168.1.4]:[8437] -> epson[192.168.1.2]:[640]
May 16 15:40:43 epson tcplogd: "Syn probe" notebook[192.168.1.4]:[8441] -> epson[192.168.1.2]:[641]
May 16 15:40:43 epson tcplogd: "Syn probe" notebook[192.168.1.4]:[8445] -> epson[192.168.1.2]:[642]
May 16 15:40:43 epson tcplogd: "Syn probe" notebook[192.168.1.4]:[8454] -> epson[192.168.1.2]:[643]

4. OS Fingerprinting

Knowing the operating system (OS) of the target to be attacked is one of the tasks a cracker performs. Once the OS is known, the attacker can consult a database of that system's weaknesses. "Fingerprinting" is the term commonly used for analyzing the OS of a target system, and it can be done in various ways. The most conventional way is to telnet to the server in question. If the server happens to provide the telnet service, there is often a banner that shows the name and version of the OS.

unix% telnet 192.168.1.4
Trying 192.168.1.4...
Connected to 192.168.1.4.
Escape character is '^]'.
Linux 2.0.33 (rock.pau-mikro.org) (ttyp0)
login:

If the system does not provide the telnet service but does provide an FTP service, this information is often available as well. The FTP service is available on port 21.
By telnetting to that port and giving the command "syst", you can find out which OS version is in use, as in the example below:

unix% telnet ftp.netscape.com 21
Trying 207.200.74.26...
Connected to ftp.netscape.com.
Escape character is '^]'.
220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.
syst
215 UNIX Type: L8 Version: SunOS

If the server does not run an FTP server but does run a web server, there is still a way to find out the OS in use, with the netcat (nc) program as in the example below (which shows that the OS in use is Debian GNU):

$ echo -e "GET / HTTP/1.0\n\n" | nc localhost 80 | grep "^Server:"
Server: Apache/1.3.3 (Unix) Debian/GNU

A more sophisticated way of fingerprinting is to analyze the system's response to specific requests. For example, by analyzing the TCP/IP packet sequence numbers issued by the server, the range of possible OS types can be narrowed down. There are several tools for OS detection, among others:

• nmap
Here is an example of using nmap to detect the OS of the system with IP address 192.168.1.1:

# nmap -O 192.168.1.1
Starting Nmap 4.11 (http://www.insecure.org/nmap/) at 2011-11-08 22:57 CDT
Interesting ports on 192.168.1.1:
Not shown: 1675 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
111/tcp  open  rpcbind
732/tcp  open  unknown
3128/tcp open  squid-http
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11
Uptime 7.296 days (since Wed Nov  1 15:51:41 2011)
Nmap finished: 1 IP address (1 host up) scanned in 2.302 seconds
#

• Queso
Here is an example of using the Queso program to detect the OS of the system with IP address 192.168.1.1. This system happens to be a Windows 95 system.

unix# queso 192.168.1.1
* Not Listen 192.168.1.1:80, windoze 95/98/NT

D. Using Attack Programs

One way to find out the weaknesses of an information system is to attack it yourself, using attack program packages that can be obtained on the Internet.

1. Attack programs

By using these programs you can find out whether your system is vulnerable and could be exploited by others. Keep in mind that these programs must not be used to attack other systems (systems that you do not manage); doing so is unethical and can land you in court. Examples of attack programs:

a. Ping of Death

Ping (sometimes said to be an acronym for Packet Internet Gopher) is a utility program that can be used to check the connectivity of a network based on Transmission Control Protocol / Internet Protocol (TCP/IP). With this utility you can test whether a computer is connected to other computers: a packet is sent to the IP address whose connectivity is to be tested, and the program waits for a response. Example of ping:

C:\> ping www.google.com
Pinging www.l.google.com [64.233.183.103] with 32 bytes of data:
Reply from 64.233.183.103: bytes=32 time=25ms TTL=245
Reply from 64.233.183.103: bytes=32 time=22ms TTL=245
Reply from 64.233.183.103: bytes=32 time=25ms TTL=246
Reply from 64.233.183.103: bytes=32 time=22ms TTL=246
Ping statistics for 64.233.183.103:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 25ms, Average = 23ms

Ping of Death is one form of "ping attack". On the Internet, this attack is a form of DoS (denial of service) attack in which the attacker deliberately sends an IP packet larger than the maximum allowed by the IP protocol, 65,536 bytes. One feature of TCP/IP is fragmentation, which allows a single IP packet to be broken into smaller pieces. In 1996, attackers began taking advantage of this feature when they discovered that a packet broken into small pieces could be reassembled to a size larger than the permitted 65,536 bytes. Many operating systems did not know what to do when they received such an oversized packet, so the operating system stopped working, crashed, or rebooted. The ping of death attack is very unpleasant because the signs or identity of the attacker sending the oversized packets can easily be disguised, and because the attacker needs to know nothing about the machine to be attacked except its IP address. By the end of 1997, operating system vendors had released patches that prevent this attack.

b. land, latierra, winnuke, JOLT and variations
c. mail server attacks: MS Exchange, Netscape
d. mail bombing
e. mail attachment attacks: rockme.c
f. Distributed DoS attacks: trinoo, TFN

2. Data interception programs (sniffing)

Besides aggressive attack programs that cripple a target system, there are also attack programs that steal or intercept data. A program that taps data is usually called a "sniffer". Although the data is not physically stolen (in the sense of being lost), a sniffer is very dangerous because it can be used to intercept passwords and other sensitive information. This is an attack on the privacy aspect. Examples of sniffer programs include:
a. pcapture (Unix)
b. Sniffit (Unix)
c. tcpdump (Unix)
d. WebXRay (Windows)

E. Using Network Monitoring Systems

Network monitoring systems can be used to discover security holes. For example, a server that should only be accessible from the internal network may be seen, through network monitoring, to be receiving access attempts from outside the network. Network monitoring can also reveal attempts to cripple the system by means of a Denial of Service (DoS) attack.

1. Network monitoring applications using SNMP (Simple Network Management Protocol)

Examples of network monitoring / management programs include:

a. Etherboy (Windows), Etherman (Unix)
Etherboy's features are:
1) shows the traffic on the network
2) identifies all devices on the LAN, including potential threats
3) focuses the display on a particular protocol
4) generates reports in text, HTML and RTF form
5) displays real-time traffic statistics and classification based on

b. Packetboy (Windows), Packetman (Unix)
A program from amtsoft.com that works by scanning the packets passing through a network; it can decode TCP/IP, IPX (Novell Netware), Appletalk, Banyan and DECnet.

c. SNMP Collector (Windows)
The SNMP Collector program collects data through SNMP agents or SNMP proxies. SNMP Collector helps collect data on the performance of the system being tested.

d. Webboy (Windows)
Webboy is an Internet / intranet monitoring application. Webboy collects standard web access statistics, including the URLs accessed, cache hit ratios, the Internet protocols used, and the protocols used by users. To help administrators, Webboy can also be used as an alarm mechanism when unusual network activity occurs.

2. Examples of network monitoring programs that do not use SNMP include:

a. iplog, icmplog and udplog, which are part of the iplog package for monitoring TCP, UDP and ICMP; support for other protocols is easy to add.

b. iptraf, already included in the Debian Linux packages
iptraf is a console-based network statistics utility for Linux. iptraf collects and counts TCP packet bytes, packet and byte counts, and the number of stations on the LAN.
# iptraf

c. netdiag, NetWatch
Netdiag is software used to analyze network traffic and the configuration of remote hosts. This application is very useful for analyzing whether the systems in use are carrying out suspicious rather than normal activities. Netdiag consists of a collection of tools: tcpblast, netload, trafshow, NetWatch, strobe, statnet and tcpspray.

d. ntop, a network monitoring application similar to the top program that monitors a Unix system

e. trafshow, an ncurses-based utility that shows network traffic in detail. This application shows the source address, source port, destination address, destination port, IP protocol, byte counter and CPS.

Conclusion:

After evaluating the managed system, system administrators know which parts of the system have vulnerabilities, so that they can increase its security.

This paper can be downloaded at http://www.ziddu.com/download/17236075/makalahevaluasikeamanansisteminformasi.pdf.html