WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "WEB SECURITY. Oriana Kondakciu 0054118 Software Engineering 4C03 Project"

Transcription

1 WEB SECURITY Oriana Kondakciu Software Engineering 4C03 Project

2 The Internet is a collection of networks, in which the web servers construct autonomous systems. The data routing infrastructure corresponds to software based communication interfaces, which are executed upon physical hardware. The main software application responsible for the transmitted data is the java-based browser. The design of this application is directly responsible for the reliability of the data transmitted through the Internet. Security however is usually treated as an afterthought. Despite common sense, the security is considered at the bottom of a list that includes functionality, performance, compatibility and human interface. Good faith should not be applied when transferring private information through the Internet. The programming languages Java and JavaScript have become the power tools of choice in building web-based applications. A Web application is a dynamic extension of a web server. Its services can include remote database access and online purchases. Security weaknesses of web applications are often refer as holes or bugs. The exploitation of these weaknesses has severe consequences which include loss and manipulation of sensitive information. The new browsers have a considerable improvement over their predecessors when it comes to security but cannot guarantee that they are bug-free. The newest technology with a superior security system is ActiveX control by Microsoft. The downside of this technology is that it is supported only by Internet Explorer browser. Also, the ActiveX controls are written and compiled using Microsoft office visual basics programs. The Java language however needs only an editor and a free compiler. ActiveX controls use certified digital signature, but it is dangerous because it has no restrictions on the variety of its use. One disturbing example is the spy-ware software usually downloaded automatically from specific websites. Java on the other hand, achieves security by restricting the behavior of applets to a set of safe actions supervises 1. The information transmitted in the Internet and mostly web browsers may contain very sensitive. It is understandable that third parties will always be interested in acquiring this information. Unauthorized use and access of sensitive data can have unprecedented consequences. The most common threats to web applications include SQL Injection, Variable manipulation, Cross Site Scripting and exploitation of their different features. The process of acquiring information illegally is usually called an attack or exploitation. SQL Injection technique is very simple; it uses the basic knowledge of the SQL language representation of the database and it exploits it. The Variable manipulation involves accessing the information after it leaves the browser on its way to the server. Once the browser's proxy settings are configured to go through the HTTP proxy, some proxy tools such as WebScarab, can see all information flowing between the client and the server; it even allows the attacker to modify any part of the request/response before sending it. Such tool can access credit card information during an online purchase. Another interesting attack that is due mostly to human negligence is the Cross-Site Scripting. Cross-Site Scripting relies on the server reflecting back user input without checking for embedded JavaScript. This can be used to steal 1 WWW Security FAQL Client Side Security. Retrieved on April 1 st. O.Kondakciu Web Security 2

3 cookies and session IDs. This information however should be deleted regularly by the user. While cookies are considered a benign vulnerability, deleting them prevents another type of exploitation that is called Browse Cache, in which the attacker can track the surfing patterns of the users. The spy-ware companies for example rely on these cookies to collect information about the user. Another very dangerous exploitation can come from using the Forgot Password feature of a web application such as an service provider. In this case, the user has to answer its secret question. If the attacker for example, can access the secret question, he might guess the answer, and even reset the password. The remote-access method, which allows another party to control the desktop of the user s computer, makes this exploitation really easy. Another great procedure that collects information entered through keyboard is the Keystroke loggers. They are usually a very efficient and simple way to retrieve information. Most of these attacks are assisted by tools such as IP sniffers and Trojan horses. Port sniffing consists in the first stage of the attack. The IP sniffer uses the communications protocols to collect the ports status of the user s machines. If any of the ports is unprotected, then it can be used in the second stage of the attack. Sniffing is done remotely and in large ranges of IP. That means that the attacker might be looking for any unprotected online computer. A Trojan horse is a different tool that needs to be installed on the users computer. Upon installation, it opens a back-door that allows the attacker to infiltrate inside the computer. This program is called a Trojan horse because it masquerades itself behind friendly applications, big size pictures or links. Worms, which is a program that can duplicate itself upon execution, is another very common threat on the Internet. Full scale attacks on websites such as CNN or YAHOO!, are made possible by spreading a powerful worm on the Internet. The two processes that a worm performs are: duplicate and attack. The attack consists in sending data packets into a specific website. Usually the number of computers infected with the worm may exceed thousands, which causes the data traffic to exceed its capacity limits. If the number of infected computers continues to increase, the web-servers supporting the attacked website would crash and go down. Finally, biggest threats of all are the people behind these malicious programs. The two most generalized groups are called hackers and crackers. Hackers are your friendly neighborhood gang of attackers who would come to your house and look around but not steal. Crackers on the other hand are very dangerous, because they will actually try to damage any information they come across too and usually they cause great damage. Most attackers do not write the malicious programs themselves; they use tools that are already created by other software programmers. A dangerous crime that an attacker might commit is identity theft which has become an increasing problem in North America. That is why it is so important that attack detection and defense should be a priority for the user. Most of the attacks are directed towards websites that store the information in data bases stored in remote web servers. As a form of defense, remote access of data bases uses an encryption technique that is called MD5. SQL injection for example can be prevented by not using dynamic SQL queries or by removing all unwanted input and accepting only expected input. The encryption O.Kondakciu Web Security 3

4 technique is the best protection by far. The Variable manipulation attack can be prevented by using SSL 2 or digital passports which uses 40 bit and 128 bit encryption. In this case, the attacker has to replace the embedded certificate in the applet with a fake certificate to succeed or has to decode the public key. A higher bit encryption is illegal in North America. In the client side, spy-ware programs are not fully detected by anti-viruses, and the best way to detect them is using anti-spy ware programs. Keystroke loggers can be detected by the antivirus programs, but the oldest versions can also be seen through the Task Manager. These programs can be detected by the antivirus because they use a Trojan horse to transmit the log files back to the attacker. A graphical keyboard eliminates this threat but they are not recommended for other security reasons. The user should always be security-conscious especially if he or she is processing sensitive information. Trojan horses are the most common way of attack but they can be easily prevented. The Internet user must not open files of size greater then 50kb without antivirus scanning. Because the usual way of transmitting a Trojan horse is through s, the user should not click on links or download attachments that are not secured. Worms have the tendency to spread very quickly because the account owners act with negligence. The fastest way to detect a worm is to monitor Internet data traffic. An abrupt increase in traffic is a good indication that a worm is in motion. The sniffing attack can be rejected by a well configured firewall. The new patches by Microsoft office, allow the Windows XP OS to reject remote sniffing successfully. However, 100% protection against identity theft does not exist. Most of personal information online is stored in data bases accessed by a web browser. This might be a bank account, student grades, medical records and even top secret military records. This weakness together with human error is a great vulnerability that software engineers should try to patch up in the future years. The designer or the software engineer should consider the security from the start. Some of the security points that should be taken in consideration are: anticipate future security requirements, minimize and isolate security controls, enforce least privilege feature, structure the security-relevant functions, make security friendly and do not depend on secrecy for security. Some lawmakers consider as the most efficient way to protect the information on the Internet is by stalling and outlawing the technology that makes it possible. The author of this paper strongly disagrees with this approach. The technology is not the malicious; the people who use the technology can be. The only best way to protect the information on the Internet is by developing and expanding more security tools 3 for traffic analysis and black hole monitors, key Encryption, personal certificate, host-based firewall, proxy-based defenses and other defense and detection systems. The users should also be conscious about the risks that associate the web applications. Knowledge and Education is the answer. 2 Secure Sockets Layer which is a protocol used over the Internet for securing transactions made between clients to server. 3 Rough Auditing Tool For Security scans for security flaws, FX Cop by Microsoft, Prexic and Flawfinder are is a run time and source code analyzer, Compaq ESC and Parasoft work with Java O.Kondakciu Web Security 4

5 Reference Hazario, Jose. Defense and Detection Strategies against Internet Worms, Archtech House, 2004 Gassier, Morrier. Building a Secure Computer System, Van Nostrand Reinhold Company, New York, 1988 Web Applications, retrieved on April 1 st AppSec FAQ, retrieved on April 1 st WWW Web Security FAQ: General Questions, retrieved on March 24 th, 2005 Microsoft Server 2003, retrieved on March 24 th, 2005 The Apache Software Foundation, retrieved on March 24 th, 2005 O.Kondakciu Web Security 5

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security ITSC Training Courses Student IT Competence Programme SI1 2012 2013 Prof. Chan Yuen Yan, Rosanna Department of Engineering The Chinese University of Hong Kong SI1-1 Course Outline What you should know

More information

COMPUTER-INTERNET SECURITY. How am I vulnerable?

COMPUTER-INTERNET SECURITY. How am I vulnerable? COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus Worm Trojan Spyware Adware Messenger Service 2 VIRUS A computer virus is a small program written to alter the way a computer

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003 Lectures 9 Advanced Operating Systems Fundamental Security Computer Systems Administration TE2003 Lecture overview At the end of lecture 9 students can identify, describe and discuss: Main factors while

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY) E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system

More information

Introduction to Computer Security Table of Contents

Introduction to Computer Security Table of Contents Introduction to Computer Security Table of Contents Introduction... 2 1 - Viruses... 3 Virus Scanners... 3 2 - Spyware... 7 Spyware Scanners... 8 3 - Firewalls... 10 Windows Firewall... 10 4 - References...

More information

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details: Malicious software About ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market. ENISA is a centre of excellence for

More information

Web Plus Security Features and Recommendations

Web Plus Security Features and Recommendations Web Plus Security Features and Recommendations (Based on Web Plus Version 3.x) Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division of

More information

PC Security and Maintenance

PC Security and Maintenance PC Security and Maintenance by IMRAN GHANI PC Maintenance and Security-Forecast. Major sources of danger. Important steps to protect your PC. PC Security Tools. PC Maintenance Tools. Tips. PC Security-

More information

Computer Viruses: How to Avoid Infection

Computer Viruses: How to Avoid Infection Viruses From viruses to worms to Trojan Horses, the catchall term virus describes a threat that's been around almost as long as computers. These rogue programs exist for the simple reason to cause you

More information

Cyber Security: Beginners Guide to Firewalls

Cyber Security: Beginners Guide to Firewalls Cyber Security: Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers This appendix is a supplement to the Cyber Security: Getting Started

More information

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html

More information

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household This appendix is a supplement to the Cyber Security: Getting Started Guide, a non-technical reference essential for business managers, office managers, and operations managers. This appendix is one of

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information

Protecting Web Application Delivery with Citrix Application Firewall. Johnson Mok Systems Engineer Citrix Systems, Inc.

Protecting Web Application Delivery with Citrix Application Firewall. Johnson Mok Systems Engineer Citrix Systems, Inc. Protecting Web Application Delivery with Citrix Application Firewall Johnson Mok Systems Engineer Citrix Systems, Inc. Six Keys to Successful App Delivery Optimizing Web Application Delivery Citrix NetScaler

More information

We are a volunteer-based organization that is spreading cyber awareness and creating a cyber first responders unit.

We are a volunteer-based organization that is spreading cyber awareness and creating a cyber first responders unit. We are a volunteer-based organization that is spreading cyber awareness and creating a cyber first responders unit. We participate in several team-based competitions a year to serve as training and experience

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering

More information

Countermeasures against Spyware

Countermeasures against Spyware (2) Countermeasures against Spyware Are you sure your computer is not infected with Spyware? Information-technology Promotion Agency IT Security Center http://www.ipa.go.jp/security/ 1. What is a Spyware?

More information

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide Cyber Security Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Multi-State Information Sharing and Analysis Center (MS-ISAC) U.S.

More information

Contents Introduction xxvi Chapter 1: Understanding the Threats: E-mail Viruses, Trojans, Mail Bombers, Worms, and Illicit Servers

Contents Introduction xxvi Chapter 1: Understanding the Threats: E-mail Viruses, Trojans, Mail Bombers, Worms, and Illicit Servers Contents Introduction xxvi Chapter 1: Understanding the Threats: E-mail Viruses, Trojans, Mail Bombers, Worms, and Illicit Servers 1 Introduction 2 Essential Concepts 3 Servers, Services, and Clients 3

More information

Spyware. Michael Glenn Technology Management Michael.Glenn@Qwest.com. 2004 Qwest Communications International Inc.

Spyware. Michael Glenn Technology Management Michael.Glenn@Qwest.com. 2004 Qwest Communications International Inc. Spyware Michael Glenn Technology Management Michael.Glenn@Qwest.com Agenda Security Fundamentals Current Issues Spyware Definitions Overlaps of Threats Best Practices What Service Providers are Doing References

More information

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Guidelines for Website Security and Security Counter Measures for e-e Governance Project and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online

More information

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

Detailed Description about course module wise:

Detailed Description about course module wise: Detailed Description about course module wise: Module 1: Basics of Networking and Major Protocols 1.1 Networks and its Types. 1.2 Network Topologies 1.3 Major Protocols and their Functions 1.4 OSI Reference

More information

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation

More information

CYBERTRON NETWORK SOLUTIONS

CYBERTRON NETWORK SOLUTIONS CYBERTRON NETWORK SOLUTIONS CybertTron Certified Ethical Hacker (CT-CEH) CT-CEH a Certification offered by CyberTron @Copyright 2015 CyberTron Network Solutions All Rights Reserved CyberTron Certified

More information

Section 12 MUST BE COMPLETED BY: 4/22

Section 12 MUST BE COMPLETED BY: 4/22 Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Common Cyber Threats. Common cyber threats include:

Common Cyber Threats. Common cyber threats include: Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...

More information

Spyware. Summary. Overview of Spyware. Who Is Spying?

Spyware. Summary. Overview of Spyware. Who Is Spying? Spyware US-CERT Summary This paper gives an overview of spyware and outlines some practices to defend against it. Spyware is becoming more widespread as online attackers and traditional criminals use it

More information

Windows Remote Access

Windows Remote Access Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by

More information

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Recommended Practice Case Study: Cross-Site Scripting. February 2007 Recommended Practice Case Study: Cross-Site Scripting February 2007 iii ACKNOWLEDGEMENT This document was developed for the U.S. Department of Homeland Security to provide guidance for control system cyber

More information

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work How Firewalls Work By: Jeff Tyson If you have been using the internet for any length of time, and especially if

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems

More information

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning Lee Zelyck Network Administrator Regina Public Library Malware, Spyware, Trojans

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering (WCF) for superior

More information

2010 White Paper Series. Layer 7 Application Firewalls

2010 White Paper Series. Layer 7 Application Firewalls 2010 White Paper Series Layer 7 Application Firewalls Introduction The firewall, the first line of defense in many network security plans, has existed for decades. The purpose of the firewall is straightforward;

More information

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft) 1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction

More information

Computer Security Maintenance Information and Self-Check Activities

Computer Security Maintenance Information and Self-Check Activities Computer Security Maintenance Information and Self-Check Activities Overview Unlike what many people think, computers are not designed to be maintenance free. Just like cars they need routine maintenance.

More information

FORBIDDEN - Ethical Hacking Workshop Duration

FORBIDDEN - Ethical Hacking Workshop Duration Workshop Course Module FORBIDDEN - Ethical Hacking Workshop Duration Lecture and Demonstration : 15 Hours Security Challenge : 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once

More information

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005 THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005 13 DECEMBER 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services Product Highlights Intrusion Prevention System Dectects and prevents known and unknown attacks/ exploits/vulnerabilities, preventing outbreaks and keeping your network safe. Gateway Anti Virus Protection

More information

The Key to Secure Online Financial Transactions

The Key to Secure Online Financial Transactions Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1 Threats and Attacks Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to:

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

MacScan. MacScan User Guide. Detect, Isolate and Remove Spyware

MacScan. MacScan User Guide. Detect, Isolate and Remove Spyware MacScan MacScan User Guide Detect, Isolate and Remove Spyware Part 1 1.1 Introduction MacScan is a spyware detection utility for Macintosh OS X that finds and removes spyware and other Internet files

More information

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange The responsibility of safeguarding your personal information starts with you. Your information is critical and it must be protected from unauthorised disclosure, modification or destruction. Here we are

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Secure Web Development Teaching Modules 1. Threat Assessment

Secure Web Development Teaching Modules 1. Threat Assessment Secure Web Development Teaching Modules 1 Threat Assessment Contents 1 Concepts... 1 1.1 Software Assurance Maturity Model... 1 1.2 Security practices for construction... 3 1.3 Web application security

More information

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) : Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh Written Exam in Network Security ANSWERS May 28, 2009. Allowed aid: Writing material. Name (in block letters)

More information

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing Service. By Comsec Information Security Consulting Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your

More information

Computer Security and Privacy

Computer Security and Privacy Computer Security and Privacy 5-2 Protecting Your Computer Lesson Contents Protecting Your Computer Guidelines for Protecting Your Computer Best Practices for Securing Online and Network Transactions Measures

More information

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

Secure Web Access Solution

Secure Web Access Solution Secure Web Access Solution I. CONTENTS II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. E-CODE SECURE WEB ACCESS SOLUTION... 3 OVERVIEW... 3 PKI SECURE WEB ACCESS... 4 Description...

More information

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT Appendix A to 11-02-P1-NJOIT NJ OFFICE OF INFORMATION TECHNOLOGY P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT The Intent

More information

Computer Security Related Terms and Definitions By Bob (Daddybob) Kober 26 Oct 2005

Computer Security Related Terms and Definitions By Bob (Daddybob) Kober 26 Oct 2005 TABLE OF CONTENTS Adware... 2 Ad Server... 2 Backbone... 2 Backdoor... 2 Browser Hijacker... 2 Cookie... 2 Denial Of Service (Dos)... 3 Dialer... 3 Dumpster Diving... 3 E-Mail Harvester... 3 Encryption...

More information

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning SECURITY TERMS: Advisory - A formal notice to the public on the nature of security vulnerability. When security researchers discover vulnerabilities in software, they usually notify the affected vendor

More information

Network Incident Report

Network Incident Report To submit copies of this form via facsimile, please FAX to 202-406-9233. Network Incident Report United States Secret Service Financial Crimes Division Electronic Crimes Branch Telephone: 202-406-5850

More information

Managing Information Systems Seventh Canadian Edition. Laudon, Laudon and Brabston. CHAPTER 8 Securing Information Systems

Managing Information Systems Seventh Canadian Edition. Laudon, Laudon and Brabston. CHAPTER 8 Securing Information Systems Managing Information Systems Seventh Canadian Edition Laudon, Laudon and Brabston CHAPTER 8 Securing Information Systems Copyright 2015 Pearson Canada Inc. 8-1 System Vulnerability and Abuse Security:

More information

Web Tap: Detecting Covert Web Traffic. Presented By: Adam Anthony

Web Tap: Detecting Covert Web Traffic. Presented By: Adam Anthony Web Tap: Detecting Covert Web Traffic Presented By: Adam Anthony Outline Problem Description Web Tap's Goals Web Tap's Significance Threat Model Implementation Evaluation Future Work Conclusion Typical

More information

When you listen to the news, you hear about many different forms of computer infection(s). The most common are:

When you listen to the news, you hear about many different forms of computer infection(s). The most common are: Access to information and entertainment, credit and financial services, products from every corner of the world even to your work is greater than ever. Thanks to the Internet, you can conduct your banking,

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Network Security: Introduction

Network Security: Introduction Network Security: Introduction 1. Network security models 2. Vulnerabilities, threats and attacks 3. Basic types of attacks 4. Managing network security 1. Network security models Security Security has

More information

A Real-Life Man-in-the-Middle Attack on SSL

A Real-Life Man-in-the-Middle Attack on SSL A Real-Life Man-in-the-Middle Attack on SSL Ted Shorter, Certified Security Solutions February 15, 2005 4:30pm Agenda Spyware product Analysis Work originated while helping CSS client Ways to address the

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How Network Security Is Breached Network Security Policy

More information

ONLINE BANKING INTERNET SAFETY. What your bank is doing to protect you What you can do to safeguard yourself

ONLINE BANKING INTERNET SAFETY. What your bank is doing to protect you What you can do to safeguard yourself & INTERNET ONLINE BANKING SAFETY What your bank is doing to protect you What you can do to safeguard yourself Online Banking The Future Is Now U Using the convenience of banking online is one of the major

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

Building A Secure Microsoft Exchange Continuity Appliance

Building A Secure Microsoft Exchange Continuity Appliance Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building

More information

Malware, Spyware, Adware, Viruses. Gracie White, Scott Black Information Technology Services

Malware, Spyware, Adware, Viruses. Gracie White, Scott Black Information Technology Services Malware, Spyware, Adware, Viruses Gracie White, Scott Black Information Technology Services The average computer user should be aware of potential threats to their computer every time they connect to the

More information

Spyware, online fraud, and other Internet threats are certainly not new. But they are growing more sophisticated and criminal every day.

Spyware, online fraud, and other Internet threats are certainly not new. But they are growing more sophisticated and criminal every day. 10 Common Questions About Internet Safety Spyware, online fraud, and other Internet threats are certainly not new. But they are growing more sophisticated and criminal every day. So how can you protect

More information

Evolutionism of Intrusion Detection

Evolutionism of Intrusion Detection Evolutionism of Intrusion Detection Jackie Lai The network technology changes with each passing day; and the attack technique of hacker also weeds through the old to bring forth the new. Worms such as

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006 IBM TRAINING A43 Modern Hacking Techniques and IP Security By Shawn Mullen Las Vegas, NV 2005 CSI/FBI US Computer Crime and Computer Security Survey 9 out of 10 experienced computer security incident in

More information

Seqrite Antivirus for Server

Seqrite Antivirus for Server Enterprise Security Solutions by Quick Heal Seqrite Best server security with optimum performance. Product Highlights Easy installation, optimized antivirus scanning, and minimum resource utilization.

More information

Simple Steps to Securing Your SSL VPN

Simple Steps to Securing Your SSL VPN Simple Steps to Securing Your SSL VPN A five-point strategy for secure remote access Managing secure remote access is a tough job. Because remote systems may directly connect to the Internet rather than

More information

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) Page 1 of 6 Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) TNCC Cybersecurity Program web page: http://tncc.edu/programs/cyber-security Course Description: Encompasses

More information

IBM Protocol Analysis Module

IBM Protocol Analysis Module IBM Protocol Analysis Module The protection engine inside the IBM Security Intrusion Prevention System technologies. Highlights Stops threats before they impact your network and the assets on your network

More information

DSL and Cable Modems: The Dangers of Having a Static IP Address

DSL and Cable Modems: The Dangers of Having a Static IP Address DSL and Cable Modems: The Dangers of Having a Static IP Address By Joe Edwards ECE 478 Spring 2000 1.0 Introduction As computer technology continues to rapidly progress, more and more people are abandoning

More information

E-BUSINESS THREATS AND SOLUTIONS

E-BUSINESS THREATS AND SOLUTIONS E-BUSINESS THREATS AND SOLUTIONS E-BUSINESS THREATS AND SOLUTIONS E-business has forever revolutionized the way business is done. Retail has now a long way from the days of physical transactions that were

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

Hackers: Detection and Prevention

Hackers: Detection and Prevention Computer Networks & Computer Security SE 4C03 Project Report Hackers: Detection and Prevention Due Date: March 29 th, 2005 Modified: March 28 th, 2005 Student Name: Arnold Sebastian Professor: Dr. Kartik

More information

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network. Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part

More information

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp. and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available

More information

Desktop Security. Overview and Technology Guidance. Michael Ramsey Network Specialist, NC DPI

Desktop Security. Overview and Technology Guidance. Michael Ramsey Network Specialist, NC DPI Desktop Security Overview and Technology Guidance Michael Ramsey Network Specialist, NC DPI Desktop Security Best practices for both the technical type and the typical user Defensive Layering Top Vulnerabilities

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

Course Content: Session 1. Ethics & Hacking

Course Content: Session 1. Ethics & Hacking Course Content: Session 1 Ethics & Hacking Hacking history : How it all begin Why is security needed? What is ethical hacking? Ethical Hacker Vs Malicious hacker Types of Hackers Building an approach for

More information

Computer Networks & Computer Security

Computer Networks & Computer Security Computer Networks & Computer Security Software Engineering 4C03 Project Report Hackers: Detection and Prevention Prof.: Dr. Kartik Krishnan Due Date: March 29 th, 2004 Modified: April 7 th, 2004 Std Name:

More information

Securing Your Windows Laptop

Securing Your Windows Laptop Securing Your Windows Laptop Arindam Mandal (arindam.mandal@paladion.net) Paladion Networks (http://www.paladion.net) May 2004 Now-a-days laptops are part of our life. We carry laptops almost everywhere

More information