Web Security Demystified



Presentation Transcript


  1. Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix Systems http://www.MadIrish.net Twitter: MadIrish2600 Web Security Demystified

  2. Overview • About your site, from evil eyes • Attacker objective • Means of attack • Motive • Why this stuff works • What you can do

  3. Erroneous Assumptions • “I'm running a small site, who would want to hack it?” • “I back everything up nightly, at most I'll only lose a day's worth of stuff.” • “I'm the only one with admin rights, so it's not an issue.” • “It doesn't matter if the site goes down from time to time.” • Your data isn't necessarily what an attacker wants!

  4. Risk Analysis • Risk is often calculated as: • Threat x Impact x Likelihood • Unfortunately quantifying “threat” is almost impossible • Likelihood is also tough to gauge • Impact we can do though (maybe)

  5. Objectives • First the obvious ones: • p0wn your box3n • Deface your website • Abuse your e-commerce • Steal your data • Account access

  6. Objectives (cont.) • Less obvious: • Black hat SEO • Bandwidth (botnets) • Spam • Phishing • Fast flux DNS • Hosting • Drive by download • RFI • Click fraud

  7. Objectives (cont.) • Ultimately you can never predict!

  8. Means • Script injection (user trust exploitation) • Stored and reflected • XSRF (application trust exploitation) • SQL Injection • Account compromise • Brute force • Session flaws • Social engineering

  9. Means (cont.) • Privilege escalation • Social engineering • Trust exploitation (content) • Information disclosure • Code execution • Application exploitation • When features become flaws • Access control bypass

  10. Means (cont.) • 10 years ago XSS wasn't a threat • New means emerge regularly

  11. Motive • Prestige • Money • Political • The world may never know...

  12. Why hacking works • Security is a specialization • Security is an evolving, moving target • No easy way to automate vulnerability detection • Web app attacks don't require proximity • Your site is always on • You have to be right 100% of the time, the bad guys not so much

  13. Unfortunately • Software security flaws are inevitable • Studies show a certain number of bugs per X lines of code • A percentage of bugs will be security related

  14. A Word... • Open source vs. closed source • No matter what anyone tells you, neither is more secure • Check out Veracode's analysis: • http://www.veracode.com/reports/index.html • Closed source does put more onus on the vendor though

  15. Roots of the Problem • Mixing data with code • HTML is inherently flawed in this respect • Where does display stop and execution begin? • Input validation • Output validation • It's usually easier to do things in an unsafe way
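The "mixing data with code" point on slide 15 (and the SQL injection and script injection items on slide 8) is easiest to see side by side: the same untrusted value pasted into a SQL string or an HTML fragment changes the code, while a parameterized query and output encoding keep it as data. The block below is an added illustration, not code from the slides or from the presenter; the table, usernames and the allow-list pattern are constructed for the example.

```python
"""Added example: where display stops and execution begins.

Shows an unsafe and a safe version of two common "data into code" spots:
a SQL lookup and an HTML greeting. All data here is constructed.
"""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a site's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Data is spliced into the code: a quote inside `name` rewrites the query.
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the driver passes `name` as a value, never as SQL.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Input validation: an allow-list describing what a username may look like
# (constructed policy: lowercase letters, digits, underscore, 1-32 chars).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def render_unsafe(name: str) -> str:
    # Display and execution blur: markup in `name` becomes part of the page.
    return f"<p>Welcome, {name}!</p>"


def render_safe(name: str) -> str:
    # Output encoding: the browser renders the value as text, not markup.
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    tricky = "x' OR '1'='1"
    print("unsafe lookup:", lookup_unsafe(db, tricky))   # every row
    print("safe lookup:  ", lookup_safe(db, tricky))     # nothing
    print("valid input?  ", validate_username(tricky))   # False
    print(render_unsafe("<b>x</b>"))
    print(render_safe("<b>x</b>"))
```

Validation and encoding are not alternatives: the allow-list rejects input that has no business being a username, and the encoding protects the page even when a value legitimately contains characters that mean something to HTML.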

  16. Emerging Sources of Vulnerability • The web is evolving! • Flash or other animation • AJAX • Remote data sources, APIs and interoperability • New platforms, code, and technology • New programmers

  17. Learn to • Commit to an application lifecycle • Security is an ongoing process • Plan for vulnerabilities, and patches! • Be sure your code evolves as threats do • Keep your components up to date • Use all the security tools of the stack • Database, filesystem, operating system, etc.

  18. Learn to • Protect, detect, react • If you can't prevent, log! • Segregate your detection mechanisms • KISS • Complexity is the enemy of security • Enforce permissions • You are using permissions, right? • Privilege separation and privilege enforcement
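"If you can't prevent, log!" only pays off if something reads the log. As an added example (not from the slides or the presenter), the block below takes a few constructed application-log lines and applies the simplest useful detection: flagging an address that fails to log in repeatedly inside a short window, the brute-force case from slide 8. The log format, addresses and the five-failures-per-minute threshold are all assumptions made for the example.

```python
"""Added example: detect, then react, from the logs you kept.

Reads constructed login-event lines and reports source addresses that
accumulate too many failures inside a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format assumed: ISO timestamp, client IP, event, user).
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 LOGIN_FAIL admin
2024-01-01T10:00:02 203.0.113.5 LOGIN_FAIL admin
2024-01-01T10:00:03 203.0.113.5 LOGIN_FAIL admin
2024-01-01T10:00:04 203.0.113.5 LOGIN_FAIL admin
2024-01-01T10:00:05 203.0.113.5 LOGIN_FAIL admin
2024-01-01T10:00:06 203.0.113.5 LOGIN_FAIL admin
2024-01-01T10:05:00 198.51.100.7 LOGIN_FAIL alice
2024-01-01T10:05:30 198.51.100.7 LOGIN_OK alice
2024-01-01T11:00:00 192.0.2.9 LOGIN_FAIL bob
2024-01-01T11:30:00 192.0.2.9 LOGIN_FAIL bob
"""


def parse_line(line: str) -> tuple:
    ts, ip, event, user = line.split()
    return datetime.fromisoformat(ts), ip, event, user


def find_bruteforce(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {ip: time_of_alert} for addresses with >= threshold failures in `window`."""
    recent_failures = defaultdict(list)  # ip -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, _user = parse_line(line)
        if event != "LOGIN_FAIL":
            continue
        times = recent_failures[ip]
        times.append(ts)
        # Sliding window: forget failures older than `window`.
        while times and ts - times[0] > window:
            times.pop(0)
        if len(times) >= threshold and ip not in alerts:
            alerts[ip] = ts   # react: this is the point to throttle or block
    return alerts


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip} crossed the failure threshold at {when.isoformat()}")
```

The sliding window matters: two failures half an hour apart from 192.0.2.9 look like a forgetful user, while six in six seconds from 203.0.113.5 do not. Keeping this check in a separate process or host from the web application is the "segregate your detection mechanisms" point: a compromised application should not be able to quietly switch off the thing watching it.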

  19. Extend your Security • Bake security in (from the start) • Add security on • Use additions like: • IDS • Web application firewall • IPS • Encryption • Code review and penetration testing • etc.

  20. Thanks! Justin@MadIrish.net • Questions?
