WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Transcription

1 WEB SITE SECURITY Jeff Aliber Verizon Digital Media Services 1

2 SECURITY & THE CLOUD The Cloud (Web) o The Cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating Web Site Security o One of the biggest obstacles facing public cloud computing is security 1 1 -SP Guidelines on Security and Privacy in Public Cloud Computing

3 WHO IS ATTACKING THE WEB?

4 WHAT ARE WE SEEING? Evolving Threat Landscape o Increasingly multi-vector attacks o DDoS attacks rampant Better Reconnaissance Better Targeting Smarter Attacks More/Larger Attacks

5 HOW EASY IS IT TO ATTACK?

6 HOW EASY IS IT TO HIDE? Sources o TOR (The Onion Router) o Amazon Web Services o VPN proxies o Web Proxies

7 HEARTBLEED o A serious vulnerability in the popular OpenSSL cryptographic software library o Allows stealing information protected by SSL/TLS encryption o Permits anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL

8 SHELLSHOCK A family of security bugs in the widely used Unix GNU Bash shell o Can allow an attacker to gain unauthorized access to a computer system Attackers exploited Shellshock within hours o Created botnets on compromised computers to perform distributed DoS attacks and vulnerability scanning Potential to be used to compromise millions of unpatched servers and other systems.

9 POODLE POODLE (Padding Oracle On Downgraded Legacy Encryption) o Designed to take advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 o Creates an opportunity to decrypt select content within the SSL session

10 WEB SITE SECURITY

11 WEB SITE SECURITY Best place is in the Cloud o Function as 1st layer of defense o Easy operation CNAME change o Implement an integrated solution o Best architecture for addressing network-layer DDoS attacks o Concerns about availability not an issue o Enable customers to focus technical & financial resources on other needs

12 DOMAIN NAME SYSTEM (DNS) Can Your Web Site Be Found? Requirements o Function as Managed (Primary) or Secondary DNS - Administer DNS zones and associated records - Run Health Checks - Define load balancing and failover configurations - Comply with DNS specification - Restful API

13 ANTI-DDoS Is Your Web Site Available? Requirements o Protect at both the network and application layers o Handle malicious traffic at edge - Reverse proxy architecture - Port lockdown - Identification and remediation of malicious traffic o Ensure that customer Web site is always available DDoS Protection

14 WEB APPLICATION FIREWALL Are Your Origin & Web Applications Secure? Requirements o Provide an additional set of protections at Application Layer - Increase security by monitoring, detecting and preventing attacks against web applications

15 THE OWASP TOP 10 o A1 Injection o A2 Broken Authentication and Session Management o A3 Cross-Site Scripting (XSS) o A4 Insecure Direct Object References o A5 Security Misconfiguration o A6 Sensitive Data Exposure o A7 Missing Function Level Access Control o A8 Cross-Site Request Forgery (CSRF) o A9 Using Components with Known Vulnerabilities o A10 Un-validated Redirects and Forwards

16 ORIGIN CLOAKING Are Your Origin & Web Applications Secure? Requirements o Protect against Direct-to-Origin Attacks - Used to apply additional security by firewalling the origin so that only authorized vendor IP addresses are allowed to contact the customer origin

17 ENCRYPTION Is Your Content Protected? Requirements o SSL certificates used to protect content - Hosted Subject Alternative Name (SAN) - Custom SSL - Customer supplied certificates o OCSP Stapling - Addresses many of the inherent challenges with OCSP including performance (can be >35% faster)

18 WEB SITE SECURITY Bringing The Pieces Together

19 Questions? THANK YOU!