Web Security. Discovering, Analyzing and Mitigating Web Security Threats


Expectations and Outcomes
- Mitigation strategies from an infrastructure, architecture, and coding perspective
- Real-world implementations that work
- The testing aspect of vulnerabilities (tools and techniques)
- Focus maintained on security strategies rather than coding-level implementation (best practices)
- Managing your hosting service provider
- Top 10 most critical web application security risks and mitigation strategies
- Face value and brand risk: keeping the content fresh and up to date
- Reference to the National Information Security Strategy & Framework

Introduction
Computer Forensics Consult (CFC) is an ICT security consultancy firm founded in 2004. Areas of focus include:
- Forensics
- Security Audits
- Policy Advisory
- Business Intelligence Solutions
CFC has been in the business of electronic risk mitigation for the past 10 years and currently spends an enormous amount of time doing security research. Over the years we have witnessed a large number of developments in this industry that make security threats more deadly today than they were just a few years ago.

Web Security
The website has evolved from being simply a collection of pages that give information about a company, cause or brand, to an interactive social and systematic platform where interactions are defined and aggregated. Web sites are unfortunately prone to security risks, and so are any networks to which web servers are connected. Setting aside risks created by employee use or misuse of network resources, your web server and the site it hosts present your most serious sources of security risk. Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates and your web site coding will define the size of that window, limit the kind of information that can pass through it, and thus establish the degree of web security you will have.

Web Security Threats
1. Bigger, Subtler DDoS Attacks
When IT specialists think about distributed denial-of-service attacks, they envision the most basic kind: floods of packets overwhelming a victim's network so that valid requests can't get through. But improvements in defenses have forced attackers to change the way they attack. Packet floods have become larger, maxing out at 100 Gbps. In a six-month campaign against U.S. banks, for which a group of alleged Muslim hacktivists claimed credit, the volume of attack traffic has regularly surpassed 30 Gbps, throughput rarely seen five years ago.
2. Old Browsers, Vulnerable Plug-Ins
Cyber attacks that account for millions of dollars a year in bank account fraud are fueled by browser vulnerabilities and, more frequently, the browser plug-ins that handle Oracle's Java and Adobe's Flash and Reader. Exploit kits bring together a dozen or so attacks on various vulnerable components and can quickly compromise a company's systems if the patches aren't up to date.

Web Security Threats
3. Good Sites Hosting Bad Content
Attackers are targeting well-known, legitimate websites to take advantage of users' trust in those sites. For example, in the VOHO watering hole attack last year, attackers infected legitimate financial and tech industry websites in Massachusetts and Washington, D.C., commonly accessed by their intended victims, says security vendor RSA.
4. Mobile Apps And The Unsecured Web
The bring-your-own-device movement has led to a surge in consumer-owned devices inside corporate firewalls. But mobile apps are notoriously poorly programmed, putting business data at risk. There's been a lot of talk about the increasing amount of mobile malware published online, but few security experts are issuing warnings about how programming mistakes turn legitimate mobile apps into dangerous threats. Poor programming is as big a risk as malware!
5. Failing To Clean Up Bad Input
Since 2010, SQL injection has held the top spot on the Open Web Application Security Project's list of top 10 security vulnerabilities. Dynamic websites that pass search queries or other application inputs to a back-end database server are vulnerable to SQL injection.
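To make threat 5 concrete, here is an added example (not from the presentation) of the same product search written two ways in Python with the standard sqlite3 module: one pastes the search term into the SQL text, the other passes it as a parameter. The product table, the "internal" flag and the search terms are constructed for this example.

```python
"""Added example: string-built SQL beside a parameterized query.

The catalogue, the `internal` column and the search terms are constructed
for this illustration; they are not data from the presentation.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two public products and one row the search
    # feature must never reveal (internal = 1).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, internal) VALUES (?, ?)",
        [("laptop", 0), ("monitor", 0), ("unreleased prototype", 1)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    # The user-supplied term becomes part of the SQL text, so the database
    # cannot tell where the developer's query ends and the input begins.
    sql = (
        "SELECT name FROM products WHERE internal = 0 AND name LIKE '%"
        + term
        + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> List[str]:
    # The query text and the data travel separately; whatever the term
    # contains is only ever compared as a value, never parsed as SQL.
    sql = "SELECT name FROM products WHERE internal = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    for term in ("lap", "x' OR 1=1 --"):
        print(repr(term))
        print("  concatenated :", search_vulnerable(db, term))
        print("  parameterized:", search_parameterized(db, term))
```

With an ordinary term both versions return the same row. With a term that carries a quote and a comment marker, the concatenated version's WHERE clause is rewritten and the internal row leaks; the parameterized version simply finds no product with that name. The fix is the query shape, not input filtering: placeholders (or an ORM that uses them) for every value that reaches the database.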

Web Security Threats
6. The Hazards Of Certificates
Two years ago, a series of hacks against certificate authorities, the companies that determine who's trusted online, gave attackers the tools they needed to issue fraudulent SSL certificates that could disguise a malicious website as a legitimate, well-known company's site. The attacks, against Comodo, DigiNotar and other certificate authorities, underscored the danger of relying too much on a single security technology.
7. The Cross-Site Scripting Problem
Attacks exploiting cross-site scripting flaws let the attacker run scripts as if they came from a vulnerable website. They don't give the attacker access to the vulnerable website but instead target the users that go to that site. An attacker going after a banking site with a cross-site scripting vulnerability could run a script for a login box on the bank's page and steal users' credentials. "XSS exploits the trust that a browser has for a website."
8. The Insecure 'Internet Of Things'
Routers and printers, videoconferencing systems, door locks and other devices are now networked via Internet protocols and even have embedded Web servers. In many cases, the software on these devices is an older version of an open source library that's difficult, if not impossible, to update. Welcome to the Internet of things.
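The core mitigation for threat 7 is output encoding: user-controlled text must be turned into entities before it is placed in the page. The following is an added example (not from the presentation) in Python using the standard html module; the page fragments, the search term and the scheme allowlist for links are constructed for this illustration.

```python
"""Added example: rendering user-controlled text into HTML with and
without output encoding. Fragments and inputs are constructed here."""
import html


def render_results_vulnerable(query: str) -> str:
    # The query is echoed back verbatim, so any markup it carries becomes
    # part of the document the browser parses and executes.
    return "<p>Results for: " + query + "</p>"


def render_results_safe(query: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the browser
    # displays the characters as text instead of treating them as tags.
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def render_link_safe(label: str, url: str) -> str:
    # Attribute context needs more than escaping: a URL attribute still
    # interprets its value as a URL, so only http(s) links are accepted
    # (assumed policy for this example) and everything else becomes "#".
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(label, quote=True),
    )


def contains_raw_script(fragment: str) -> bool:
    # Crude check used only to show the difference between the two renderers:
    # does an unescaped <script tag survive in the output?
    return "<script" in fragment.lower()


if __name__ == "__main__":
    term = '<script>alert("demo")</script>'  # constructed test input
    print(render_results_vulnerable(term))
    print(render_results_safe(term))
    print(render_link_safe("home", "https://example.com/?a=1&b=2"))
```

Encoding has to match the context the value lands in (HTML body, attribute, URL, JavaScript string); a template engine that escapes by default covers the first two, and a Content-Security-Policy header limits the damage when one spot is missed.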

Web Security Threats
9. Getting In The Front Door
Not all attacks are aimed at breaching a company's defenses. Automated Web bots scrape from Web pages information that can give a competitor better intelligence on your business.
10. Recycled Threats
Many IT security threats are simply recycled to take advantage of lax policies, procedures and staff awareness. While a particular IT security threat may have been the hot topic of a year ago, many staff may have forgotten all about it by now, returning to their risky habits.

Threat Mitigation
Anti-Virus & Anti-Malware: The countermeasures developed for detecting viruses can often detect other forms of malware as well. Deploying antivirus programs on client devices and scanning network traffic as it enters the network are appropriate countermeasures for combating malware. In addition, locking down client devices (for example, denying most users the privileges needed to install software or update the Windows registry) can prevent the installation of malware that manages to avoid detection.
DDoS Defense: There are plenty of DIY solutions to DDoS attacks, but they will be limited in effectiveness by your ability to restrict the right packets of information, a tricky task. However, more sophisticated solutions, like cloud DDoS mitigation, can help scrub the incoming data before it reaches your system, helping to overcome the majority of successful DDoS attacks. Another solution to such network and service level attacks is hosting your web services on a CDN.

Threat Mitigation
Regular Security Training for all staff: Keep staff regularly updated about the key IT security threats facing your company and remind them of the potential result if they let good habits slip (loss of account control and data loss, for example).
Adaptive security techniques: Quite simply, do not rely on sandboxing as a silver bullet for negating IT security threats. Yes, it will certainly help to uncover many stealthy attacks, and used alongside a good anti-virus it will do a good job of protecting your system. That said, at the end of the day you cannot rely on it completely. Security is a practice, not software.

Web Security Best Practices
A challenge faced by many organizations and governments is that most of their websites and web services are developed by third parties. Mitigating this risk is difficult because the applications are not developed in-house, so the best mitigation is to enforce security best practices:
1. Find and prioritize all website properties by designating their importance to the business and the party responsible for their security, because you can't secure what you don't know you own.
2. Find and fix website vulnerabilities before the bad guys exploit them by assessing them for weaknesses with each code change.
3. Remediate vulnerabilities in a timely manner based on severity, threat and score.
4. Implement a secure software development process utilizing an organizational standard development framework.
5. Utilize a defense-in-depth website vulnerability management strategy.

Hosting Provider Security
1. What is your security policy?
2. How do you handle security breaches?
3. What is the platform under my application?
4. Do you offer SSL (HTTPS)?
5. Do you back up?
6. Who is responsible for installing applications and CMS platforms (e.g. WordPress)?
7. Can I disable applications and services I'm not using?
8. Who is responsible for updating applications and software?
9. Do you do any security monitoring?
- Anti-malware scanning to check for malicious files hosted on your site
- Web application firewalls (WAF) to filter out malicious attacks against your applications and databases
- Blacklist monitoring to alert you when a third party detects a compromise
10. How are uploads secured?
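Question 10 is the one a provider (or your own application) can answer with code. Here is an added example (not from the presentation) of the checks applied to an uploaded file before it is written anywhere: a size limit, an extension allowlist, a check that the content really starts like the claimed type, and a random storage name in a directory outside the web root. The limit, the allowlist, the directory and the write callback are assumptions for this illustration.

```python
"""Added example: validating an upload before storing it.

MAX_UPLOAD_BYTES, MAGIC, STORAGE_DIR and the write callback are assumed
values for this illustration, not settings from any real host.
"""
import os
import secrets

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed 5 MiB limit

# Allowed types, keyed by extension, with the leading bytes each must carry.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

# Assumed location: outside the document root, never served as executable code.
STORAGE_DIR = "/srv/uploads"


def validate_upload(filename: str, data: bytes) -> str:
    """Return the verified extension, or raise ValueError with the reason."""
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("rejected: size out of bounds")
    # Only the final extension counts, and it is normalised before lookup;
    # the client's name is never reused for storage (see storage_name).
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC:
        raise ValueError("rejected: extension not on the allowlist")
    if not data.startswith(MAGIC[ext]):
        raise ValueError("rejected: content does not match the claimed type")
    return ext


def storage_name(ext: str) -> str:
    # A random name removes path traversal and overwrite risks carried by the
    # client's filename; the only extension kept is the verified one.
    return secrets.token_hex(16) + "." + ext


def store_upload(filename: str, data: bytes, write=None) -> str:
    """Validate, then hand (path, data) to the write callback; return the path."""
    ext = validate_upload(filename, data)
    path = os.path.join(STORAGE_DIR, storage_name(ext))
    if write is not None:
        write(path, data)
    return path


if __name__ == "__main__":
    # Constructed sample uploads: a minimal PNG header and a mislabelled file.
    png = MAGIC["png"] + b"\x00" * 32
    print(store_upload("holiday.PNG", png, write=lambda p, d: None))
    try:
        validate_upload("notes.png", b"plain text pretending to be an image")
    except ValueError as err:
        print(err)
```

Serving the stored files through a handler that sets the Content-Type from the verified extension, rather than letting the web server guess, closes the remaining gap; a WAF in front of the upload endpoint is a second layer, not a replacement for these checks.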

Brand Risk
One of the main purposes of websites is branding and information. Today websites play a key role in building trust between users and the organization they are interfacing with. This trust can be breached when information is:
- Inaccurate
- Outdated
- Offensive
- Unavailable
Hacktivists take advantage of the brand value for dubious gain.
Demo:
http://www.ecitizen.gov.sg/pages/default.aspx
http://immigration.go.ug/

Tools
Web application vulnerability scanners are automated tools that scan web applications to look for known security vulnerabilities such as cross-site scripting, SQL injection, command execution, directory traversal and insecure server configuration.
- AVDS by Beyond Security
- AppScan by IBM
- NeXpose by Rapid7
- WebApp360 by Tripwire
- WebInspect by HP
https://www.owasp.org/index.php/category:vulnerability_scanning_tools

Conclusion
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. "Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks."
Provisions in the National Information Security Strategy & Framework pave the way for standardization and application of best practice security implementation.
Questions & Answers