What is the Internet?

Similar documents
Web Application Security

Where every interaction matters.

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

The Key to Secure Online Financial Transactions

Sitefinity Security and Best Practices

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Magento Security and Vulnerabilities. Roman Stepanov

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

Certified Ethical Hacker Exam Version Comparison. Version Comparison

IBM Protocol Analysis Module

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Intro to Firewalls. Summary

Attacks from the Inside

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

The Top Web Application Attacks: Are you vulnerable?

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

E-BUSINESS THREATS AND SOLUTIONS

CYBERTRON NETWORK SOLUTIONS

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

Network Threats and Vulnerabilities. Ed Crowley

CompTIA Security+ Cert Guide

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Hack Proof Your Webapps

Computer Security. Introduction to. Michael T. Goodrich Department of Computer Science University of California, Irvine. Roberto Tamassia PEARSON

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Malicious Network Traffic Analysis

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

WHITE PAPER. Understanding How File Size Affects Malware Detection

Exploits: XSS, SQLI, Buffer Overflow

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

Cross-Site Scripting

Detailed Description about course module wise:

Description: Course Details:

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

CS5008: Internet Computing

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Rational AppScan & Ounce Products

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Online Banking Fraud Prevention Recommendations and Best Practices

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Desktop and Laptop Security Policy

Course Content: Session 1. Ethics & Hacking

Web Application Report

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

CEH Version8 Course Outline

Web Application Security 101

Basic Security Considerations for and Web Browsing

OWASP AND APPLICATION SECURITY

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Advanced Persistent Threats

Networking for Caribbean Development

The Hillstone and Trend Micro Joint Solution

Web Application Security Considerations

Evolutionism of Intrusion Detection

Protecting Your Organisation from Targeted Cyber Intrusion

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Attack and Penetration Testing 101

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

5 Steps to Advanced Threat Protection

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Introduction to Computer Security

Advanced Web Security, Lab

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

WEB ATTACKS AND COUNTERMEASURES

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Chapter 8 Security Pt 2

Annex B - Content Management System (CMS) Qualifying Procedure

Firewalls, Tunnels, and Network Intrusion Detection

A Decision Maker s Guide to Securing an IT Infrastructure

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Network Security: Introduction

Defending Against Data Beaches: Internal Controls for Cybersecurity

Firewall Firewall August, 2003

Check list for web developers

Presented by: Mike Morris and Jim Rumph

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Trend Micro Titanium 3.0 and the Microsoft Windows Firewall

[CEH]: Ethical Hacking and Countermeasures

Corporate Account Takeover & Information Security Awareness. Customer Training

Module 4 Protection of Information Systems Infrastructure and Information Assets. Chapter 6: Network Security

Web Application Vulnerability Testing with Nessus

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Cross Site Scripting in Joomla Acajoom Component

Computer Security Literacy

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Security A to Z the most important terms

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Business ebanking Fraud Prevention Best Practices

Learn Ethical Hacking, Become a Pentester

Transcription:

What is the Internet? Session 6: Internet Security Elena Silenok @silenok Charlie Robbins @nodejitsu Questions? Just Raise Your Hand

Topics Ports / Protocols / OS / Packets Types of Threats Worms, viruses Social engineering, phishing Facebook / data sharing Mobile Ways to mitigate the vulnerabilities

Ports Communications endpoint Used by TCP/IP, UDP Identified by IP address, port number, protocol Numbered 0 to 65535 HTTP 80, HTTPS 443, SMTP 25, DNS 25, FTP 21 Make computer communication easier

Port Scanning Attack that that sends a request to a port on a host in an attempt to find a vulnerability Background and targeted Script kiddies & more serious attackers Illegal in most countries without legitimate motive ISP/Firewall protection and blocking

Worms/Viruses/Trojans Creeper (1971), Elk Cloner (1981) Morris worm (Robert Morris, MIT CSAIL), 1988 Virus needs a host file, worm doesn t Worms normally don t need user action Trojans seem useful but are malicious, can install backdoors (granting unauthorized access)

Social Engineering/ Phishing Phishing - masquerading as trustworthy Verify your account, Confirm billing info Over 70% success on social networks Spear phishing, whaling Link manipulation/website forgery

Browser Security Phishing Malware, identity theft, fraud, espionage 1 in 10 pages may contain malicious code SQL injection Cross-site scripting (XSS), 70% vulnerable

SQL Injection Exploits database layer of an application Incorrectly filtered escape characters Incorrect type handling Blind SQL injection 2009 - US Justice Dept charged Albert Gonzalez and two unnamed Russians with the theft of 130 million cc numbers

Cross-Site Scripting (XSS) 80% of all vulnerabilities in 2007 Twitter, MySpace, Facebook affected Persistent and non-persistent (reflected) Traditional and DOm-based

Non-persistent XSS scenario 1.Alice goes to Bob s website, logs in, and stores her billing info. 2.Mallory observes that Bob's website contains a reflected XSS vulnerability. 3.Mallory sends Alice an email with the URL that points to Bob s website but contains Mallory s malicious code 4.Alice clicks on this URL and visits the URL provided by Mallory while logged into Bob's website. 5.The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability). Script sends session cookie to Mallory. Mallory steals Alice s info (authentication credentials, billing info, etc.) without Alice's knowledge.

Persistent attack Mallory posts a message with malicious payload to a social network. 1. When Bob reads the message, Mallory's XSS steals Bob's cookie. 2. Mallory can now hijack Bob's session and impersonate Bob.

Cross-site request forgery (CSRF/XSRF) 1.Mallory posts a message with malicious code pointing to Bob s bank s website <img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory"> 2.If Bob s bank keeps authentication info in a cookie, and cookie hasn t expired, BAD NEWS! 3. Bob s browser tried to load an image, instead executes a withdrawal request without Bob s approval

Wireless security Data sent unencrypted unless using HTTPS Accidental association Ad-hoc network (Microsoft on by default) Bluetooth - not secure MAC spoofing Man-in-the-middle Denial-of-Service attack

Firewall

Firewall (cont.) Device or software that permits/denies network transmissions based upon a set of rules 1st gen: Packet filters (source/destination, type) 1988, DEC, later AT&T Labs 2nd gen: Application layer (content, use) Next gen - most modern firewalls 3rd gen: Stateful filters (connection-based)

User-side protection Do not open attachments that look suspicious Type in the website URL manually Only run software/visit websites you trust Update your software/os/antivirus regularly Use a firewall (especially on a PC) Firewall / Antivirus / Adware removal

Laws Most of these activities are obviously illegal Port scans made illegal in the last 10 years unless used for legal purposes Botnets - international operations Kill switch bill

Questions/Suggestions? Elena Silenok silenok@gmail.com, twitter: @silenok Charlie Robbins charlie@generalassemb.ly, twitter: @nodejitsu

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information