Web security demystified
Justin C. Klein Keane

Sr. InfoSec Specialist

University of Pennsylvania

School of Arts and Sciences

Information Security and Unix Systems

http://www.MadIrish.net

Twitter: MadIrish2600

Overview

  • About your site, from evil eyes

  • Attacker objective

  • Means of attack

  • Motive

  • Why this stuff works

  • What you can do


Erroneous Assumptions

  • “I'm running a small site, who would want to hack it?”

  • “I back everything up nightly, at most I'll only lose a day's worth of stuff.”

  • “I'm the only one with admin rights, so it's not an issue.”

  • “It doesn't matter if the site goes down from time to time.”

  • Your data isn't necessarily what an attacker wants!


Risk Analysis

  • Risk is often calculated as:

    • Threat x Impact x Likelihood

  • Unfortunately quantifying “threat” is almost impossible

  • Likelihood is also tough to gauge

  • Impact we can do though (maybe)


Objectives

  • First the obvious ones:

    • p0wn your box3n

    • Deface your website

    • Abuse your e-commerce

    • Steal your data

    • Account access


Objectives (cont.)

  • Less obvious:

    • Black hat SEO

    • Bandwidth (botnets)

      • Spam

      • Phishing

      • Fast flux DNS

    • Hosting

      • Drive by download

      • RFI

    • Click fraud


Objectives (cont.)

  • Ultimately you can never predict!


Means

  • Script injection (user trust exploitation)

    • Stored and reflected

  • XSRF (application trust exploitation)

  • SQL Injection

  • Account compromise

    • Brute force

    • Session flaws

    • Social engineering


Means (cont.)

  • Privilege escalation

  • Social engineering

    • Trust exploitation (content)

  • Information disclosure

  • Code execution

  • Application exploitation

    • When features become flaws

  • Access control bypass


Means (cont.)

  • Ten years ago, XSS wasn't a threat

  • New means emerge regularly


Motive

  • Prestige

  • Money

  • Political

  • The world may never know...


Why hacking works

  • Security is a specialization

  • Security is an evolving, moving target

  • No easy way to automate vulnerability detection

  • Web app attacks don't require proximity

  • Your site is always on

  • You have to be right 100% of the time; the bad guys, not so much


Unfortunately

  • Software security flaws are inevitable

  • Studies show a certain number of bugs per X lines of code

  • A percentage of bugs will be security related


A Word...

  • Open source vs. closed source

    • No matter what anyone tells you, neither is more secure

  • Check out Veracode's analysis:

    • http://www.veracode.com/reports/index.html

  • Closed source does put more onus on the vendor though


Roots of the Problem

  • Mixing data with code

    • HTML is inherently flawed in this respect

    • Where does display stop and execution begin?

  • Input validation

  • Output validation

  • It's usually easier to do things in an unsafe way
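As an added illustration (not from the slides) of "where does display stop and execution begin", tying this slide to the script injection bullet on the Means slide: the same constructed user input rendered without and with context-appropriate output encoding, next to an allow-list input check that is necessary but not sufficient. Only the Python standard library is assumed; the function names are made up for this example.

```python
import html
import re
from urllib.parse import quote

# Constructed sample input: a "display name" submitted through a profile form.
USER_NAME = '<img src=x onerror="alert(1)">'

TAG_RE = re.compile(r"<[a-zA-Z]")                   # start of something a browser parses as a tag
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")  # allow-list for a display name


def render_unsafe(name: str) -> str:
    """Data concatenated straight into markup: the browser has no way to tell
    where display stops and execution begins, so the name becomes a tag."""
    return f"<p>Welcome, {name}!</p>"


def render_safe(name: str) -> str:
    """Output encoding for the HTML text/attribute context: <, >, &, ' and "
    become entities, so the browser renders the string as text."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def render_link_safe(name: str, profile_id: str) -> str:
    """Encoding is per context: the name goes into a quoted attribute
    (HTML-encoded) and the id into a URL query string (percent-encoded)."""
    return (f'<a href="/profile?id={quote(profile_id, safe="")}" '
            f'title="{html.escape(name, quote=True)}">profile</a>')


def validate_name(name: str) -> bool:
    """Input validation at the boundary: accept only what a name may contain.
    Necessary, but not sufficient: O'Brien passes and still needs encoding
    before it lands inside a quoted attribute."""
    return NAME_RE.fullmatch(name) is not None


def count_tags(fragment: str) -> int:
    """Tag starts a browser would see in a rendered fragment; the template
    itself contributes one (<p>), anything above that came from the data."""
    return len(TAG_RE.findall(fragment))


if __name__ == "__main__":
    for label, out in (("unsafe", render_unsafe(USER_NAME)), ("safe", render_safe(USER_NAME))):
        print(f"{label}: {count_tags(out)} tag(s) -> {out}")
    print("validate_name(sample):", validate_name(USER_NAME))
    print(render_link_safe("O'Brien", '42" onclick="x'))
```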


Emerging Sources of Vulnerability

  • The web is evolving!

  • Flash or other animation

  • AJAX

  • Remote data sources, APIs and interoperability

  • New platforms, code, and technology

  • New programmers


Learn to

  • Commit to an application lifecycle

    • Security is an ongoing process

    • Plan for vulnerabilities, and patches!

  • Be sure your code evolves as threats do

  • Keep your components up to date

  • Use all the security tools of the stack

    • Database, filesystem, operating system, etc.


Learn to

  • Protect, detect, react

    • If you can't prevent, log!

    • Segregate your detection mechanisms

  • KISS

    • Complexity is the enemy of security

  • Enforce permissions

    • You are using permissions, right?

    • Privilege separation and privilege enforcement


Extend your Security

  • Bake security in (from the start)

  • Add security on

    • Use additions like:

      • IDS

      • Web application firewall

      • IPS

      • Encryption

      • Code review and penetration testing

      • etc.


Thanks!

[email protected]

Questions
