Cyber Threats to e-commerce. S.C. Leung CISSP CISA CBCP
1 Cyber Threats to e-commerce S.C. Leung CISSP CISA CBCP
2 Who are we?
HKCERT (Hong Kong Computer Emergency Response Team Coordination Centre)
- Established in 2001; operated by the Hong Kong Productivity Council
- Provides services to Internet users and SMEs free of charge
- Scope of services: security monitoring and early warning; incident report handling; publication of guidelines; public awareness
- Free subscription to alert information via email and mobile (HKCERT pays the SMS charges)
Page 2
3 HKCERT's collaboration network (diagram)
- CERT teams in Asia Pacific (APCERT) and CERT teams around the world (FIRST)
- Law enforcement
- Security research centres
- Internet infrastructure organisations
- Software vendors
- Universities
- Local enterprises and Internet users
4 Agenda
- Cyber threats to e-commerce
- Attackers and the motives of attacks
- Attack trend highlights
- Relevance to e-commerce
- Attacks and counter-attack strategies
5 Attackers and Motives
- Kiddies and early hackers: fame
- Activists: hacktivism (Anonymous, LulzSec groups)
- State sponsored: civilian monitoring (doubts over the R2D2 Trojan in Germany); attacks on state critical infrastructure or the military (Stuxnet; the malware found on USA drone systems)
- Cybercriminals: money; theft of information; extortion; controlling machines for other purposes
- Unfriendly parties: disgruntled employees (loss of reputation via data leakage or scandals); business competitors (DoS; theft of business-sensitive information, patents, formulas)
(The slide marks the e-commerce-relevant attackers among these.)
6 Cybercrime as a Service
Products
- Piracy: theft of CD keys
- Theft of personal information and identification (SSN, ID, password, credit card number)
Services
- Hosting: spam relays, phishing web hosting
- Phishing attacks: paid web hosting
- Proxy networks (so beware of unsolicited open proxies!)
- Spyware/adware installation: pay per installation
- Click fraud: pay per click
- DDoS: extortion, or attacks on a competitor's service site
- Blackmail / ransomware: encrypts hard drive data and demands a ransom
7 Attack Trend Highlights
- Attacks become less visible; victims are uninformed
- Botnets are the platform used to deliver attacks
- Cybercrime as a Service
- Moving up the stack: from network attacks to web application attacks to business logic abuse
- Exploiting the points of weakest defence
- Going mobile, going social, going cloud
8 Attacks Become Less Visible
(chart: HKCERT incident report statistics, virus attacks vs security attacks)
- Visible mass-spreading worms (Blaster, Sasser, Netsky) peaked; reports of malware attacks have since dropped significantly
- Security incident reports (hacking, phishing, defacement, botnet and others) increased fourfold
9 How Less Visible Attacks Surface
Reporting party (2010/11): 27.92% local, 27.84% overseas, the remainder proactive discovery
- Victim report figures are low. A compromise becomes visible only when the victim machine is used to participate in phishing, malware hosting or other attacks
- Overseas parties report incidents to HKCERT
- HKCERT uses proactive discovery methodologies to find hacked machines in Hong Kong
10 Botnet (robot network): infrastructure for cybercrime
(diagram: bot herder -> C&C servers -> bots; data flows up, commands and updates flow down; bots send spam and launch DDoS attacks against victims)
Speaker note: Wikipedia's botnet entry is not entirely correct; a botnet is much more than a DDoS platform.
11 Relevance to e-commerce
Websites
- Exploited servers provide a launchpad for further attacks
- Targeted for the data on the server
- Targeted for money, via extortion
Web users
- Targeted for credentials, data breach and fraudulent transactions
- Man-in-the-Middle (MitM), Man-in-the-Browser (MitB) and Man-in-the-Mobile (MitMo) attacks
12 Attacks on Websites
13 Mass injection of osCommerce websites (Jul 2011)
- osCommerce is an open source shopping cart built with web 2.0 technology
- Large-scale injection attack since July: over 2.7M web pages infected globally, over 45,000 pages in Hong Kong
- Injects "<iframe>" and "<script>" tags pointing to malicious links such as "willysy.com" and "exero.eu"
15 Multi-stage infection (drive-by download)
- The browser sends a web request to the (injected) web server
- The browser is redirected to an exploit server, which serves the exploit page
- The browser is redirected to a malware hosting server and downloads the malware
- Exploits are imported from other servers via iframes and redirects
- Once the browser is compromised, a dropper downloads and installs the actual bot malware
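As an added example (not part of the slides or of HKCERT's tooling), the following Python script does the first check a site owner needs after a mass injection like the osCommerce one: it parses a page and flags <iframe> and <script> tags whose src points off-site, plus iframes hidden by 1x1 sizing or CSS, which is how the first hop of the drive-by chain above is planted. The sample page, the shop hostname and the attacker domains are constructed for the demonstration.

```python
"""Added example: scan an HTML page for injected <iframe>/<script> tags.

Flags tags whose src points off-site, and iframes made invisible by
1x1 sizing or CSS. Sample page and domain names are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value):
    """True for width/height attributes of 0 or 1 (e.g. "1", "1px")."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class InjectionScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (tag, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = urlparse(src).netloc.lower().split(":")[0]
        reasons = []
        # Relative URLs have an empty host and count as first-party.
        if host and host != self.own_host and not host.endswith("." + self.own_host):
            reasons.append("off-site host " + host)
        if tag == "iframe":
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("near-zero size")
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden via CSS")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan(html, own_host):
    """Return a list of (tag, src, reasons) for suspicious tags in html."""
    scanner = InjectionScanner(own_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: one first-party script, one on a first-party
# subdomain, then two injected tags of the kind seen in the mass injection.
SAMPLE_PAGE = """<html><body>
<script src="/static/cart.js"></script>
<script src="http://cdn.shop.example/jquery.js"></script>
<h1>Welcome to the shop</h1>
<iframe src="http://evil.example/in.php" width="1" height="1" style="display:none"></iframe>
<script src="http://evil2.example/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, src, reasons in scan(SAMPLE_PAGE, "shop.example"):
        print(tag, src, "; ".join(reasons))
```

Any legitimate third-party host (a CDN, a payment widget) will also be reported as off-site, so in practice the own_host check is extended to an allow-list of known partners; the size and CSS checks are the ones that rarely have a benign explanation on a shop page.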
16 Website Protection Strategies
- Plug security holes: subscribe to security vulnerability warnings (available from HKCERT); patch regularly and in a timely manner
- Application firewall: block web application attacks
- Writing secure web applications is the root: good coding practice; minimum privilege for the database user account; code scanning and vulnerability scanning
- HKCERT SQL injection defence guideline
- OWASP (Open Web Application Security Project) Top Ten Project: SQL injection, cross-site scripting, broken authentication and session management, misconfiguration
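To make two of the points above concrete (added example, not code from the slides or from the HKCERT guideline), the following Python script shows a customer lookup written with string concatenation next to the parameterised version, and a stand-in for the "minimum privilege database account" advice. The table, the rows and the tautology payload are constructed; since sqlite3 has no user accounts, PRAGMA query_only is used in place of a SELECT-only grant on the web application's database user.

```python
"""Added example: SQL injection in a customer lookup, and two defences:
parameterised queries and a least-privilege database account.
Data and payload are constructed for the demonstration."""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    con.executemany("INSERT INTO customers(email, card_last4) VALUES (?, ?)",
                    [("alice@example.com", "4242"), ("bob@example.com", "1881")])
    return con


def lookup_vulnerable(con, email):
    # String concatenation: the input becomes part of the SQL text.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, email):
    # Parameterised query: the input is bound as data, never parsed as SQL.
    return con.execute("SELECT email, card_last4 FROM customers WHERE email = ?",
                       (email,)).fetchall()


def restrict_to_read_only(con):
    # Stand-in for a database account that has been granted SELECT only.
    con.execute("PRAGMA query_only = 1")


def try_write(con):
    """True if the connection could modify data, False if the privilege was refused."""
    try:
        con.execute("UPDATE customers SET card_last4 = '0000'")
        return True
    except sqlite3.OperationalError:
        return False


TAUTOLOGY = "x' OR '1'='1"   # classic payload: makes the WHERE clause always true

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", lookup_vulnerable(con, TAUTOLOGY))   # every row comes back
    print("safe:", lookup_safe(con, TAUTOLOGY))               # no row matches that literal
    restrict_to_read_only(con)
    print("write allowed:", try_write(con))                    # False
```

The least-privilege part matters even when every query is parameterised: if one forgotten string-built query remains, a SELECT-only account limits the damage to reading the table instead of rewriting or dropping it.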
17 Website Protection Strategies
- Defence in depth: separate web server and database server
- Encryption: encrypt web communication; encrypt sensitive data on the server
- Plan for contingency: what if the website is not available? Alternate website? Manual procedure?
- Backup and recovery
18 Attacks on Web Users
19 Attacks targeting web users
- Attacks are more sophisticated, targeting two-factor authentication using Man-in-the-Middle techniques
- From stealing credentials to transferring money on the spot, because the window for piggybacking on a session is temporary
- From phishing (fake site) to fraud on the real online site
- Targeted, because each online e-commerce site is different
- The e-commerce site does not see the hacker in its access log: the hacker is inside the browser, carrying the cyber identity of the customer
20 What is a Man-in-the-Middle attack?
- The hacker sits between the client and the server and is able to read, modify and insert messages sent between the parties
- Client and server are NOT AWARE of the existence of the middle man
- It is an ACTIVE attack, as opposed to passive sniffing
(diagram: normal HTTP connection, web browser GET -> web server, HTTP/ OK back; MITM-hijacked connection, web browser GET -> attacker -> web server, with responses relayed back through the attacker)
21 Botnets targeting banks and e-commerce
Zeus and SpyEye botnets steal banking information with keylogging and form-grabbing features:
- Take screenshots (saved to HTML without images)
- Fake redirect (redirect to a prepared fake bank web page)
- HTML inject (hijack the login session and inject new fields)
- Log the visit to each banking site and record the input string (text or POST URL)
22 Man-in-the-Browser
Hacker's dream: breaking two-factor authentication
- Intercept the transaction: install software or a plugin inside the browser, hook major OS and web browser APIs, proxy the data
- Rewrite the screen: trick the user into entering credentials
- Change the amount, and change the destination to the attacker's account
- Change the display so the user believes the transaction was executed as entered
- Calculate what the balance should be and rewrite the remaining total on screen; store in a database in the cloud the amount transacted from the user's perspective
23 Zeus in the Mobile (ZitMo, reported Sep-2010)
- Zeus ver 2.0, with a Man-in-the-Mobile (MitMo) feature
- Mobile infection: an infected PC visits the bank website; Zeus injects HTML content into the web page asking the user for their mobile phone number, IMEI number and phone model; the hacker sends a new "digital certificate" to the phone; the user installs Zeus mobile
- Platforms: Symbian, Android, WinCE and BlackBerry
- Sniffs SMS messages when woken up by a special SMS; steals the one-time password (OTP) sent via SMS
- SpyEye went mobile with similar techniques (Apr-2011; further reports Jul-2011)
24 Inserting a transaction (at login)
- User logs in; the Trojan kicks off a shadow login in the background
- User submits PIN + OTP; the shadow login consumes them
- The Trojan inserts a new window: "Not successful. Please retry"
- User submits PIN + OTP2; the hacker uses OTP2 to authenticate a transaction
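The Man-in-the-Browser slide and the shadow-login slide above share one root cause: the one-time password the user types says nothing about the transaction it is meant to approve, so any OTP the Trojan captures or tricks out of the user authorises whatever the Trojan submits. The following Python script (an added example, not code from the slides) simulates both sides. With a counter-only OTP the bank accepts a transfer whose amount and destination were rewritten in the POST; with a code computed over the amount and destination the user actually sees, the rewritten transfer fails verification. The token secret, counter, account names and amounts are constructed for the demo.

```python
"""Added example: a counter-only OTP vs a transaction-bound code under a
Man-in-the-Browser that rewrites the transfer. All values are constructed."""
import hashlib
import hmac


def otp_plain(secret, counter):
    """Code that depends only on a counter, like an SMS OTP or a simple token."""
    return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()[:6]


def otp_bound(secret, counter, amount, dest):
    """Code computed over the transaction details the user actually sees."""
    msg = f"{counter}|{amount}|{dest}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def bank_verify(secret, counter, amount, dest, code, bound):
    """Bank side: recompute the code over the transaction it received."""
    expected = otp_bound(secret, counter, amount, dest) if bound else otp_plain(secret, counter)
    return hmac.compare_digest(expected, code)


SECRET = b"per-customer token seed (constructed)"
COUNTER = 7


def mitb_transfer(bound):
    """Returns True if the bank accepted the attacker's modified transfer."""
    seen_amount, seen_dest = "100.00", "ACC-MERCHANT"   # what the user's screen shows
    if bound:
        code = otp_bound(SECRET, COUNTER, seen_amount, seen_dest)
    else:
        code = otp_plain(SECRET, COUNTER)
    # The MitB rewrites amount and destination in the POST, forwarding the code unchanged.
    sent_amount, sent_dest = "9500.00", "ACC-MULE"
    return bank_verify(SECRET, COUNTER, sent_amount, sent_dest, code, bound)


def honest_transfer(bound):
    """Control case: no tampering, so both schemes must accept."""
    amount, dest = "100.00", "ACC-MERCHANT"
    code = otp_bound(SECRET, COUNTER, amount, dest) if bound else otp_plain(SECRET, COUNTER)
    return bank_verify(SECRET, COUNTER, amount, dest, code, bound)


if __name__ == "__main__":
    print("plain OTP, MitB transfer accepted:", mitb_transfer(False))     # True
    print("bound OTP, MitB transfer accepted:", mitb_transfer(True))      # False
    print("bound OTP, honest transfer accepted:", honest_transfer(True))  # True
```

The binding only helps when the code is produced on a device that shows the user the real amount and destination (a signing token, or a phone app that is not itself infected); a bank that sends the code by SMS is back in the ZitMo case on the next slide, where the phone forwards it to the attacker.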
25 Defence at the client side
- Baseline defence is necessary but not sufficient
- Protection from malware
- Personal firewall
- Update patches; this is more and more important (Secunia Personal Software Inspector)
- Install the Microsoft Malicious Software Removal Tool (MSRT)
26 Defence at the client side
- Use newer, more secure browsers (Chrome 12, FF 5, IE 9); they come with new features such as URL blocking and sandboxing
- Use separate browsers for casual browsing and for transactions
- Avoid installing add-ons (extensions, ActiveX objects) in the browser
27 Attacks on Business Logic
28 Attacks on Business Logic
- As SQL injection and XSS vulnerabilities decrease, attackers shift their focus to vulnerabilities in business logic
- Business logic flaws are not software bugs, and business logic abuse is not an exploit: attackers use functionality that legitimate users use
- Web application firewalls have no defence against it
- Quality assurance may overlook it, because tests usually check what the code is supposed to do, not what it can be made to do
29 Abuse of Functionality
Case 1: winning an online auction
- Online auction website: every logged-in user can bid and can view who is bidding what
- Intruder lockout: blocks password guessing for 1 hour after 5 failed tries within 5 minutes
What can be abused here?
- One can deliberately fail logins against the other bidders' accounts and lock them out (denial of service)
What can be done to improve?
- Use a CAPTCHA instead of intruder lockout (as Gmail does)
- Is there a need to display who is bidding what?
- Require a minimum bid to discourage unreasonable deals
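The lockout abuse in Case 1 is easy to reproduce in a few lines, and the fix is a different policy rather than a patch. The Python script below (an added example, not code from the slides or from any auction site) implements the slide's lockout rule and the CAPTCHA alternative as two policies and runs the same attack against both: five failed logins against a rival bidder's account, followed by the rival's own correct login. The user names, password and timestamps are constructed for the demo.

```python
"""Added example: account lockout abused as a denial of service, and a
CAPTCHA gate that makes the same failures cost the victim a challenge
instead of an hour. All accounts and timestamps are constructed."""
from collections import defaultdict, deque

MAX_FAILS, WINDOW_SEC, LOCK_SEC = 5, 300, 3600   # the slide's rule: 5 in 5 min -> 1 h


class LockoutPolicy:
    """Intruder lockout keyed by account: anyone can lock anyone out."""

    def __init__(self, users):
        self.users = dict(users)
        self.fails = defaultdict(deque)
        self.locked_until = {}

    def login(self, user, password, now, captcha_ok=False):
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if self.users.get(user) == password:
            self.fails[user].clear()
            return "ok"
        q = self.fails[user]
        q.append(now)
        while q and now - q[0] > WINDOW_SEC:
            q.popleft()
        if len(q) >= MAX_FAILS:
            self.locked_until[user] = now + LOCK_SEC
        return "bad_password"


class CaptchaPolicy:
    """Same failure counter, but the response is a CAPTCHA requirement,
    so a guessing robot is stopped while the real owner can still get in."""

    def __init__(self, users):
        self.users = dict(users)
        self.fails = defaultdict(deque)

    def login(self, user, password, now, captcha_ok=False):
        q = self.fails[user]
        while q and now - q[0] > WINDOW_SEC:
            q.popleft()
        if len(q) >= MAX_FAILS and not captcha_ok:
            return "captcha_required"
        if self.users.get(user) == password:
            q.clear()
            return "ok"
        q.append(now)
        return "bad_password"


USERS = {"rival_bidder": "correct horse"}   # constructed account


def rival_attack(policy_cls, rival_solves_captcha=False):
    """Attacker fails 5 logins against the rival; then the rival logs in correctly."""
    policy = policy_cls(USERS)
    t0 = 1_000_000.0
    for i in range(MAX_FAILS):
        policy.login("rival_bidder", f"guess{i}", t0 + i)
    return policy.login("rival_bidder", "correct horse", t0 + 10,
                        captcha_ok=rival_solves_captcha)


if __name__ == "__main__":
    print("lockout policy, rival's login:", rival_attack(LockoutPolicy))          # locked
    print("captcha policy, rival's login:", rival_attack(CaptchaPolicy))          # captcha_required
    print("captcha policy, rival solves it:", rival_attack(CaptchaPolicy, True))  # ok
```

The CAPTCHA policy still counts failures per account, so the attacker can force the victim to solve a challenge, but cannot keep them off the site for the last hour of an auction; throttling the attacker's source address on top of this reduces even that nuisance.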
30 Insufficient Process Validation
Case 2: CNBC's Million Dollar Portfolio Challenge
- Ten 1-week challenges among 375K amateur traders for a prize of USD 10K
- Placing a simulated stock trade: 1. select the stock to purchase and the number of shares, then press submit; 2. the backend computes the total order using the current price and waits for the user's confirmation
What can be abused here?
- One can hold the step 2 confirmation until after trading closes, and confirm only if the stock price has risen significantly
What can be done to improve?
- Always use the current share price to transact
- Set a timeout on the session
- Reject order execution after the market closes
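The three improvements listed for Case 2 are all checks at the confirmation step, and the Python script below (an added example, not code from the slides or from the CNBC system) shows the confirmation handler before and after them. The quote is taken at one price; the user waits past the close while the price moves up; the vulnerable handler fills at the quoted price, the hardened one re-prices from the feed and refuses stale quotes and closed-market fills. Ticker, prices, the 30-second quote lifetime and the market-state flag are constructed for the demo.

```python
"""Added example: a two-step order flow that honours a stale quote, next to
one that re-prices and expires. Ticker, prices and timings are constructed."""
from dataclasses import dataclass

QUOTE_TTL_SEC = 30   # how long a computed total stays valid (assumed value)


class OrderRejected(Exception):
    pass


@dataclass
class Quote:
    symbol: str
    shares: int
    quoted_price: float
    issued_at: float


def quote_order(symbol, shares, price_feed, now):
    """Step 2 on the slide: compute the total at the current price, await confirmation."""
    return Quote(symbol, shares, price_feed[symbol], now)


def execute_vulnerable(quote, price_feed, now, market_open):
    # Fills at the price computed in step 2, whenever the user finally confirms.
    return quote.shares * quote.quoted_price


def execute_safe(quote, price_feed, now, market_open):
    if not market_open:
        raise OrderRejected("market closed")
    if now - quote.issued_at > QUOTE_TTL_SEC:
        raise OrderRejected("quote expired; re-quote")
    # Always transact at the current price, never the displayed one.
    return quote.shares * price_feed[quote.symbol]


def hold_and_confirm(execute):
    """The abuse: quote at 10.00, wait until after the close, confirm once it is 15.00."""
    feed = {"ACME": 10.0}
    q = quote_order("ACME", 1000, feed, now=0.0)
    feed["ACME"] = 15.0                       # price has moved by the time of confirmation
    try:
        cost = execute(q, feed, now=7200.0, market_open=False)
    except OrderRejected as e:
        return ("rejected", str(e))
    return ("filled", cost)


if __name__ == "__main__":
    print("vulnerable:", hold_and_confirm(execute_vulnerable))   # filled for 10000.0 worth 15000.0
    print("safe:", hold_and_confirm(execute_safe))               # rejected
```

Note that each check closes a different hole: the market-open test stops the after-hours confirm, the TTL stops a confirm held during trading hours until the price moves, and re-pricing means that even a confirm inside the window cannot buy below market.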
31 Other Business Logic Abuses
- Information leakage
- Data scraping
- Password recovery
- Pump-and-dump
- Spoofing cookie values to gain access to other users' accounts
- and more
Reference: .../whitepapers/business_logic_flaws.html
32 Protection
Identification and detection of attacks
- Detect abnormal behaviour, e.g. large-volume downloads, activity at non-human speed
- Criminals behave differently from normal users: check login location and login device; log analysis
Prevention
- Pentest your business logic
- Use CAPTCHA to defend against robots; personal questions; image identification
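As an added example of the log analysis recommended above (not a tool from the slides or from HKCERT), the Python script below reads web server access log lines in the common combined format and reports clients that request at non-human speed within a minute or pull an unusual volume of data, the two signals named on the slide. The log lines, addresses, thresholds and the 90-request scraper burst are constructed for the demonstration.

```python
"""Added example: flag non-human request rates and large downloads in
combined-format access logs. Log lines and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield (ip, timestamp, path, status, bytes) for each line that matches."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, ts, path, status, nbytes = m.groups()
            yield ip, datetime.strptime(ts, TIME_FMT), path, int(status), int(nbytes)


def analyse(lines, max_rpm=60, max_bytes=5_000_000):
    """Return {ip: [reasons]} for clients exceeding the per-minute rate or byte volume."""
    per_minute = defaultdict(int)
    total_bytes = defaultdict(int)
    paths = defaultdict(set)
    for ip, t, path, status, nbytes in parse(lines):
        per_minute[(ip, t.replace(second=0))] += 1
        total_bytes[ip] += nbytes
        paths[ip].add(path)
    flagged = {}
    for (ip, minute), n in per_minute.items():
        if n > max_rpm:
            flagged.setdefault(ip, []).append(
                f"{n} requests in the minute starting {minute:%H:%M} (non-human speed)")
    for ip, b in total_bytes.items():
        if b > max_bytes:
            flagged.setdefault(ip, []).append(
                f"{b} bytes over {len(paths[ip])} distinct pages (large-volume download)")
    return flagged


def sample_log():
    """Constructed log: one human browsing three pages, one scraper doing 90 in a minute."""
    lines = [
        '198.51.100.5 - - [12/Jul/2011:10:00:03 +0800] "GET /product/42 HTTP/1.1" 200 18000 "-" "Mozilla/5.0"',
        '198.51.100.5 - - [12/Jul/2011:10:01:40 +0800] "GET /product/43 HTTP/1.1" 200 17500 "-" "Mozilla/5.0"',
        '198.51.100.5 - - [12/Jul/2011:10:04:12 +0800] "POST /cart HTTP/1.1" 302 300 "-" "Mozilla/5.0"',
    ]
    for i in range(90):
        lines.append(f'203.0.113.7 - - [12/Jul/2011:10:00:{i * 2 // 3:02d} +0800] '
                     f'"GET /product/{i} HTTP/1.1" 200 70000 "-" "python-requests/2.0"')
    return lines


if __name__ == "__main__":
    for ip, reasons in analyse(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

Thresholds are site-specific: a catalogue page that embeds forty images will legitimately produce forty requests in a second, so count page views (or exclude static assets) rather than raw hits before tuning max_rpm, and treat a flag as a reason to add a CAPTCHA or slow the client, not to block outright.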
33 Taking down Botnets
34 Hit the criminals' critical infrastructure
- Trace the criminals' supply chain (law enforcement)
- Bring down their infrastructure (ISPs, domain name registries): C&C servers, malicious web sites, fake domain names
- Domain name registries: manage domain registration abuse
- ISPs: unplug malware hosting networks
- Bring down spam-borne attacks: corporations and ISPs adopt Port 25 management (blocks direct outbound SMTP); this forces spammers to use authenticated submission, which is more accountable (advocated by APWG and CERTs)
35 Botnet takedowns in the past 2 years
Collaboration of law enforcement, Microsoft, security researchers, ISPs and domain name registries, taking the fight to the court
- Operation b49 (Waledac botnet), Feb 2010
- Operation Trident Breach (Rimecud botnet), Oct 1, 2010, in Spain and Slovenia
- Operation Tolling (Bredolab botnets), Oct 25, 2010, in the Netherlands
(C&C sinkholed; bots redirected to a page informing the user of the infection)
36 Botnet takedowns in the past 2 years
- Operation B107 (Rustock botnet), Mar 16, 2011: most C&C in the USA; global spam down by 40% immediately afterwards; bots still need to be cleaned up
- Operation Adeona (Coreflood botnet), Apr 13, 2011: C&C sinkholed; a KILL command was sent to the bots to terminate them in memory
- Operation Trident Tribunal (scareware), Jun 22, 2011: along with international law enforcement partners, announced the indictment of two individuals from Latvia and the seizure of more than 40 computers
- Operation B79 (Kelihos, DNS abuse), Sep 26, 2011
37 Success factors in botnet takedown
- Be a good neighbour: collaborate with law enforcement and CERTs to take down malicious content. If you and the other parties (ISPs, OSPs, security researchers, academia) collaborate, the world will be different. WE NEED YOU!
- Creative disruption tactics in the takedown
- Sharing of intelligence
- Operational security (confidentiality, coordinated timing and speed)
- Pre-empt future attacks: use the sinkhole to get information about the bots; find the bot machines left behind before they join another botnet, since they are vulnerable and may be leaking data
- Solve the legal issues
38 Going Cloud
39 Security issues arising from the cloud
- Service level management challenge
- Crime in the cloud: password cracking; hosting of phishing sites and malware; botnets in the cloud (Zeus using Amazon EC2 as a command and control server, Dec-2009; SpyEye using Amazon S3 to serve its exploits, Jul-2011); launching DDoS
- Investigation challenge: most fraud and attacks are conducted via fraudulent accounts (paid with fraudulent cards), which creates one more investigation; no devices to seize, so the existing forensics paradigm does not apply; the chain of custody starts with the cloud provider; jurisdiction: where was the crime scene, and where is the warrant served?
40 Security opportunity with the cloud
- The cloud is elastic by design and can absorb higher traffic volumes
- Secure Web as a Service: provides a secured front line for customers' web servers; shields most application attacks; shields moderate-level DoS attacks; continuous monitoring and regular audit; investigation; lessons learned from one customer can be applied to others
- ** But SSL websites must consider confidentiality: to inspect the traffic the front line has to terminate the SSL connection, so the provider sees the customer's traffic in the clear
41 Conclusion
ATTACKERS
- Attackers go after $$$. E-commerce is a sure target.
- Attackers also go mobile, social and cloud.
ATTACKS
- Security attacks are more and more sophisticated
- Botnets and invisible malware are the vehicles of cybercrime
YOUR SECURITY, OUR SECURITY
- Public awareness is important: CARE is vital. Tools can only help.
- Close all security holes in (1) software, (2) procedure/business logic and (3) people
- We all need to work together for a safe, clean and reliable Internet.
42 Q & A Website: Hotline: hkcert@hkcert.org
More informationBotNets- Cyber Torrirism
BotNets- Cyber Torrirism Battling the threats of internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot Statistics Suggest Assimilation
More information10 Things Every Web Application Firewall Should Provide Share this ebook
The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationNational Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research
National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationAT&T Real-Time Network Security Overview
AT&T Real-Time Network Security Overview Dan Solero Director of Security Technology, AT&T Know Your Enemy: Security Threats Extend Beyond Viruses & Worms Distributed Denial of Service Spam for Hire Social
More informationMalware B-Z: Inside the Threat From Blackhole to ZeroAccess
Malware B-Z: Inside the Threat From Blackhole to ZeroAccess By Richard Wang, Manager, SophosLabs U.S. Over the last few years the volume of malware has grown dramatically, thanks mostly to automation and
More informationINFOCOMM SEC RITY. is INCOMPLETE WITHOUT. Be aware, responsible. secure!
INFOCOMM SEC RITY is INCOMPLETE WITHOUT Be aware, responsible secure! U HACKER Smack that What you can do with these five online security measures... ANTI-VIRUS SCAMS UPDATE FIREWALL PASSWORD FASTEN UP!
More informationTransaction Anomaly Protection Stopping Malware At The Door. White Paper
Transaction Anomaly Protection Stopping Malware At The Door White Paper Table of Contents Overview 3 Programmable Crime Logic Alter Web Application Flow & Content 3 Programmable Crime Logic Defeats Server-Side
More informationCertified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison
CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation
More informationIBM Protocol Analysis Module
IBM Protocol Analysis Module The protection engine inside the IBM Security Intrusion Prevention System technologies. Highlights Stops threats before they impact your network and the assets on your network
More informationMalicious Network Traffic Analysis
Malicious Network Traffic Analysis Uncover system intrusions by identifying malicious network activity. There are a tremendous amount of network based attacks to be aware of on the internet today and the
More informationKASPERSKY FRAUD PREVENTION FOR ENDPOINTS
KASPERSKY FRAUD PREVENTION FOR ENDPOINTS www.kaspersky.com 2 Fraud Prevention for Endpoints KASPERSKY FRAUD PREVENTION 1. Ways of Attacking The prime motive behind cybercrime is making money, and today
More informationCOURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM
COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM Course Description This is the Information Security Training program. The Training provides you Penetration Testing in the various field of cyber world.
More informationDNS POISONING, AKA PHARMING, MAKES THE HEADLINES IN NOVEMBER S NEWS
DNS POISONING, AKA PHARMING, MAKES THE HEADLINES IN NOVEMBER S NEWS December 2011 November saw DNS Poisoning, aka Pharming, making the headlines on more than one occasion: To name a few, the online threat
More informationAdvancements in Botnet Attacks and Malware Distribution
Advancements in Botnet Attacks and Malware Distribution HOPE Conference, New York, July 2012 Aditya K Sood Rohit Bansal Richard J Enbody SecNiche Security Department of Computer Science and Engineering
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure
More informationPractical guide for secure Christmas shopping. Navid
Practical guide for secure Christmas shopping Navid 1 CONTENTS 1. Introduction 3 2. Internet risks: Threats to secure transactions 3 3. What criteria should a secure e-commerce page meet?...4 4. What security
More informationYour Web and Applications
Governance and Risk Management Your Web and Applications The Hacker s New Target Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software Social Engineering in the Business
More informationCodes of Connection for Devices Connected to Newcastle University ICT Network
Code of Connection (CoCo) for Devices Connected to the University s Author Information Security Officer (Technical) Version V1.1 Date 23 April 2015 Introduction This Code of Connection (CoCo) establishes
More informationTHE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two
More informationPractical Steps To Securing Process Control Networks
Practical Steps To Securing Process Control Networks Villanova University Seminar Rich Mahler Director, Commercial Cyber Solutions Lockheed Martin Lockheed Martin Corporation 2014. All Rights Reserved.
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationCyber liability threats, trends and pointers for the future
Cyber liability threats, trends and pointers for the future Tim Smith Partner, BLM t: 020 7865 3313 e: tim.smith@blm-law.com February 2013 Cyber liability threats, trends and pointers for the future The
More informationRSA Web Threat Detection
RSA Web Threat Detection Online Threat Detection in Real Time Matthew Joseff, Sr. Technology Evangelist, RSA 2 RSA Web Threat Detection Online Threat Detection in Real Time Matthew Joseff, Sr. Technology
More informationDDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest
DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest The Anatomy of a DDoS Attack Sombers Associates, Inc. 2013 2 What is a Distributed Denial of Service
More informationThe thriving malware industry: Cybercrime made easy
IBM Software Thought Leadership White Paper The thriving malware industry: Cybercrime made easy Technology and processes from IBM Security help your organization combat malware- driven fraud and achieve
More information