Equnix Business Solutions (Equnix) is an IT Solution provider in Indonesia, providing comprehensive solution services especially on the infrastructure side for corporate business needs based on research and Open Source. Equnix has 3 (three) main services known as the Trilogy of Services: Support (Maintenance/Managed), World class level of Software Development, and Expert Consulting and Assessment for High Performance Transactions System. Equnix is customer oriented, not product or principal. Equal opportunity based on merit is our credo in managing HR development.
2. Hacker vs. Criminal
Hacker:
1. Improves the object's functionality
2. Adds other functions to the object
3. Creates tools, software or anything needed in order to be useful (to them and to others)
4. Collaborative, open, and of great personal integrity
Criminal:
1. Trespassing
2. Unauthorized access: penetration
3. Stealing, robbing, etc.
4. Looking for bounty
5. Abuse with damage (personal, public, etc.)
6. Obscure, covered, and in the shadows
3. The Real Life Honourable Hacker
Richard Stallman, Linus Torvalds, Eric Raymond, Greg Kroah-Hartman
5. What is the cause of data leak?
1. Internal fraud (Policy, People)
   a. Administrator with bad intentions
   b. 3rd-party outsourcing
2. Unauthorized access (Process, People)
   a. Social engineering
   b. Privileged access abuse
6. What is the cause of data leak? (continued)
3. NDA violation (People)
   a. Bad partner
   b. Bad vendor
4. Non-compliant security system (Policy, Process, People)
   a. Backdoor
   b. Security loophole
   c. Dual-party superuser access
7. What is the cause of data leak? (continued)
5. Security breach (Policy, Process)
   a. Exploits (bug, backdoor, loopholes)
   b. Zero day: Stuxnet
   c. Injection (code, SQL, etc.)
   d. Penetration
   e. Side channel: eavesdropping, Meltdown, Spectre, etc.
6. Others
8. Case - Heartbleed
- A bug found in the OpenSSL implementation
- Leaks memory content from the server to the client, and vice versa
- Allowed attackers to extract users' data from the server through eavesdropping
- Private keys were exposed
- See CVE-2014-0160 for more information
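The Heartbleed defect and the bounds check that fixed it, as an added toy model (not code from the slides or from OpenSSL): a heartbeat record carries a declared payload length, the flawed handler trusted it, and the fix compares it against the bytes actually received. All buffers, the `demo` function and the "neighbouring memory" contents are constructed; nothing touches a network.

```python
"""Added example, not code from the slides or from OpenSSL: a toy model of
the Heartbleed defect (CVE-2014-0160) and of the check that fixed it.
A heartbeat request carries a 2-byte payload-length field; the flawed
handler trusted that field and echoed that many bytes from the record
buffer, so a request whose declared length exceeded its real payload
returned whatever process memory followed the record. Every buffer below
is constructed; the real fix also accounts for record padding."""
import struct

HEARTBEAT_REQUEST = 1
HEADER_LEN = 3  # 1 byte type + 2 bytes payload length


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """Encode a heartbeat record; declared_len may disagree with len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload


def respond_vulnerable(memory: bytes) -> bytes:
    """Pre-patch logic: copy `declared` bytes after the header, unchecked."""
    _, declared = struct.unpack("!BH", memory[:HEADER_LEN])
    return memory[HEADER_LEN:HEADER_LEN + declared]


def respond_fixed(memory: bytes, record_len: int):
    """Patched logic: the declared length must fit inside the bytes actually
    received for this record (record_len); otherwise drop the request."""
    if record_len < HEADER_LEN:
        return None
    _, declared = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + declared > record_len:
        return None  # silently discard, as the fix does
    return memory[HEADER_LEN:HEADER_LEN + declared]


def demo():
    """Lay a malformed record in front of constructed 'neighbouring memory'
    and run both handlers. Returns (vulnerable_reply, fixed_reply)."""
    record = build_heartbeat(b"hi", declared_len=30)  # says 30, sends 2
    neighbour = b"|session=abc123|key=CONSTRUCTED_SECRET"  # constructed
    memory = record + neighbour
    return respond_vulnerable(memory), respond_fixed(memory, len(record))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)  # 'hi' followed by 28 bytes of neighbour
    print("fixed:", safe)         # None: request dropped
```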
11. Hashing, what is it for?
What is one-way encryption, or hashing, for?
1. It is a product of encryption technology, but it is not considered encryption because it loses the ability to decipher back. Encryption is defined as encoding plaintext into ciphertext that can be decoded back into plaintext.
2. A hash function creates a digest: a calculation that maps data to a simpler, shorter value which can be related to the original data, but with no guarantee of relating it back.
3. Hash data is a representative of the real data, and to some extent serves as its identity.
4. A hash function must be deterministic, consistently giving the same result for the same input.
Examples: SHA-256/384/512, ...
A hash function is different from CRC32, parity codes and check digits, but to some extent hash data can be used for parity or signature purposes.
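The hash properties listed above (deterministic, short digest, one-way) and the difference from CRC32, as an added example that is not part of the slides: SHA-256 from the standard library, the avalanche behaviour that hides input similarity, and a birthday search showing how quickly CRC32 values collide. Function names and the sample record are assumptions.

```python
"""Added example (not from the Equnix slides): the properties that make a
hash usable as a data fingerprint, contrasted with CRC32, which is an
error-detecting code and not a security hash."""
import hashlib
import os
import zlib


def sha256_hex(data: bytes) -> str:
    """Deterministic, fixed-length (32-byte) digest of arbitrary input."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of bits that differ between the SHA-256 digests of a and b.
    A one-byte change in the input flips roughly half of the 256 bits, so
    the digest reveals nothing about how similar two inputs are."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


def same_crc32(a: bytes, b: bytes) -> bool:
    """True when two inputs share a CRC32 value."""
    return zlib.crc32(a) == zlib.crc32(b)


def find_crc32_collision(max_tries: int = 500_000):
    """Birthday search over random 6-byte inputs (constructed on the fly).
    CRC32 has only 32 bits of output, so two distinct inputs with the same
    value usually appear after about 2**16 attempts; the same search on
    SHA-256 would need about 2**128, which is why a CRC detects transmission
    errors but cannot serve as a tamper-evident fingerprint.
    Returns (input_a, input_b), or None if max_tries is exhausted."""
    seen = {}  # crc value -> first input that produced it
    for _ in range(max_tries):
        candidate = os.urandom(6)
        crc = zlib.crc32(candidate)
        prev = seen.get(crc)
        if prev is not None and prev != candidate:
            return prev, candidate
        seen[crc] = candidate
    return None


if __name__ == "__main__":
    msg = b"account=123;amount=100"  # constructed sample record
    print(sha256_hex(msg))
    print("bits flipped by a one-byte edit:", bit_difference(msg, b"account=123;amount=900"))
    print("crc32 collision pair:", find_crc32_collision())
```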
12. Security - Public Key Infrastructure
Cryptography products:
A. Symmetric encryption:
   a. AES: 128, 256
   b. 3DES
   c. Camellia
B. Asymmetric encryption:
   a. PKI - RSA
C. Hashing algorithms:
   a. SHA-1, SHA-256, SHA-512
   b. MD5 (obsolete)
13. Security - Encryption: Symmetric or Asymmetric?
Asymmetric keys usage:
1. Authentication
2. Avoiding MITM while sending a key
3. PKI (Public Key Infrastructure)
4. ATM PIN pad, EDC
5. Mostly financial institutions
Symmetric keys usage:
1. Avoiding unauthorized access to data at rest (column-level encryption, TDE, storage encryption)
2. Avoiding unauthorized access to data in transit (SSL, IPsec, TLS)
3. HTTPS, SSH, ...
Both are part of the end-to-end security key factor.
14. Key Management
The most important thing in security is not the encryption algorithm, how long your key is, how big or small your data is, or where to put the data...
It is about where to put the key, how to retrieve the key, who can retrieve the key, etc.
IT IS ABOUT KEY MANAGEMENT
An HSM completes the end-to-end security design approach:
1. Authentication uses SSO
2. Network transfer is secured by SSL
3. Each SSL and SSO server requires a key; the key is provided and managed by the HSM.
4. The hardware module prevents physical breach.
15. Security - Single Sign On (SSO)
Single Sign On works by having a central server that all the applications trust.
SSO requires a one-time authentication with a single set of login credentials to access multiple applications.
It eliminates the hassle of remembering complex usernames and passwords for different services by providing a centralized user authentication service.
16. Security - Authentication
[Figure: Kerberos authentication flow]
CHAP (Challenge-Handshake Authentication Protocol) is also used in PostgreSQL, as described below: as long as no password data is revealed by PostgreSQL, it is safe.
The password is stored as a hash; some other data is required to help verify it.
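The challenge-response password check the slide refers to, as an added example (not code from the slides or from PostgreSQL itself): a minimal model of PostgreSQL's md5 password method, where the stored value and the response formula follow PostgreSQL's scheme and the cleartext password never crosses the wire. The function names, the in-memory catalog dict and the sample user are assumptions.

```python
"""Added example (not from the Equnix slides): a minimal model of the
challenge-response ("md5") password authentication that PostgreSQL supports.
The password itself never travels on the wire; only a hash of a hash does.
The stored value format and the response formula are PostgreSQL's:
  stored   = "md5" + md5hex(password + username)
  response = "md5" + md5hex(md5hex(password + username) + salt)
Function names, the in-memory catalog and the sample user are assumptions."""
import hashlib
import hmac
import os


def store_password(username: str, password: str) -> str:
    """What the server keeps in its catalog: MD5 of password + username."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def new_challenge() -> bytes:
    """Server side: a fresh 4-byte random salt for each login attempt."""
    return os.urandom(4)


def client_response(username: str, password: str, salt: bytes) -> str:
    """Client side: hash the (already hashed) password together with the salt.
    The salt makes every response unique, so a sniffed response cannot be
    replayed against a later challenge."""
    inner = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected response from the stored hash.
    The server never needs the cleartext password, only the stored hash,
    which is therefore password-equivalent and must itself be protected
    (one reason SCRAM-SHA-256 is preferred over md5 today)."""
    expected = "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def login(catalog: dict, username: str, password: str) -> bool:
    """Full exchange: challenge -> response -> verification."""
    stored = catalog.get(username)
    if stored is None:
        return False
    salt = new_challenge()
    return verify(stored, salt, client_response(username, password, salt))


if __name__ == "__main__":
    catalog = {"appuser": store_password("appuser", "s3cret")}  # constructed
    print(login(catalog, "appuser", "s3cret"))  # True
    print(login(catalog, "appuser", "wrong"))   # False
```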
17. Security - User Management
A system requires User Access Management in order to manage the users' access, roles and credentials. There are some options for managing the users' access:
1. Single Sign On to store the user's credentials and roles.
2. Use an HSM or Key Vault as the centralized authenticator of the credentials.
3. Use 2FA, with the help of a security device or biometrics, where the authentication process is done by a 3rd party such as a biometric server or HSM.
4. Use the same credentials that are used for database access; in other words, the application does not manage its own credentials and uses the database's instead.
A database also requires User Access Management in order to manage the users' access, roles and credentials. There are some options for managing the database users' access:
1. Single Sign On to store the user's credentials and roles.
2. Use an HSM or Key Vault as the centralized authenticator of the credentials, or an approved 3rd-party authenticator such as Kerberos, LDAP, etc.
3. Use 2FA, with the help of a security device or biometrics, where the authentication process is done by a 3rd party such as a biometric server or HSM.
4. Manage privileges for database objects.
5. Account for all users' activities.
18. Type of Data At Rest Encryption: Storage-level Encryption
Storage-level encryption is enabled by the operating system. Thus it is not related directly to the database; it is transparent to the database server, which does not even recognize it.
19. Type of Data At Rest Encryption: Tablespace-level Encryption
Tablespace encryption gives transparent and very seamless access from the application to the database server; it is usually referred to as TDE (Transparent Data Encryption).
20. Type of Data At Rest Encryption: Application-level Encryption
Application-level encryption can be done by two approaches: using crypto functions (pgcrypto) or using a crypto API. The application itself encrypts and decrypts the data, and the application itself deals with authentication and key management.