Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Top 10/20 Internet Security Vulnerabilities – A Primer This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.

Published byPosy Clark Modified over 8 years ago

Similar presentations

Presentation on theme: "1 The Top 10/20 Internet Security Vulnerabilities – A Primer This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis."— Presentation transcript:

1 1 The Top 10/20 Internet Security Vulnerabilities – A Primer This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

2 2 Pay Me Now or Pay Me Later  E = D + R –E = amount of time you’re exposed –D = amount of time it takes to detect an attack –R = amount of time it takes to react to an attack  Easiest way to calculate the cost of an Incident –Multiply average hourly wage * Time * People –Plus the IMPACT on the organization…

3 3 Why Are We Vulnerable?  Computer systems and programs have become more complex in the past 25 years.  Quality control hasn’t been able to keep up due to market pressures, programming skill deficiencies, etc.  Most of these programs/systems are based on code that was never intended to be “production” quality.They were “proof of concept” programs that became the basis of production systems.

4 4 So Many Systems, Not Enough Time…..  > X million “hosts” are connected to the Net each month. There aren’t X million sysadmins. Something has to give….  Unfortunately, it’s the sysadmin.  Not enough training, too many conflicting demands on their time.  The Prime Directive: Keep the system up!  Patch the system? When I have time….

5 5 Hacking = Rocket Science? Not!  Any good hacker can write the attack tool. The real skill is making so easy to use that any can launch the attack.  There are lots of hacker WWW sites where you can get these tools. These sites try to outdo each other by designing the best, baddest, user- friendly site.

6 6 Why Are the Attacks Successful?  We didn’t close all the doors because we’re too busy doing “real” stuff. –If the hackers got caught, we didn’t punish them. It would be too embarrassing to admit we got hit. Our Incident Response Plans were inadequate.

7 7 Why Are the Attacks Successful?  Initially, t he attack designers studied (cased) the target code carefully. –A lot of attacks are based on Buffer Overflows. Example: a program expects 80 input characters max. You give it 5000 characters. How does the code handle it?  Now, they just go through holes…

8 8 CVEs  What’s a CVE number? –CVE = Common Vulnerabilities & Exposures reference number that is used to uniquely identify a vulnerability. –It’s like the Dewey Decimal #’s that are used in the library. You can go to any library and find the same book using the same Dewey catalog number –CVE’s does the same for vulnerabilities.

9 9 CVEs  Each item in the list is divided into 4 parts –A description of the vulnerability –The systems affected by the vulnerability –A CVE number identifying the vulnerability –Some suggested corrections

10 The Typical Cube?  What’s wrong with this picture? Source: CSO Magazine

11 The Typical Cube?  How did you do? Source: CSO Magazine

12 OWASP Top Ten  https://www.owasp.org/index.php/Category: OWASP_Top_Ten_Project 12

Download ppt "1 The Top 10/20 Internet Security Vulnerabilities – A Primer This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis."

Similar presentations

Building Secure Mashups D. K. Smetters PARC Usable.

Building Secure Mashups D. K. Smetters PARC Usable.
Grass Valley Learning Center www.GVLearningCenter.com Surf the Net Safely Roger Thornburn.

Grass Valley Learning Center Surf the Net Safely Roger Thornburn.
Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material.

Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material.
Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited.

Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Csci5931 Web Security1 Case Study: A Forensic Lesson for Web Security (MSS, part one)

Csci5931 Web Security1 Case Study: A Forensic Lesson for Web Security (MSS, part one)
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
CS682- Network Management and Security Prof. Katz.

CS682- Network Management and Security Prof. Katz.
Chapter 6: Project Cost Management

Chapter 6: Project Cost Management
James Tam Computer Security Concepts covered Malicious computer programs Malicious computer use Security measures.

James Tam Computer Security Concepts covered Malicious computer programs Malicious computer use Security measures.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
IDENTITY THEFT ARE YOU SAFE?. HOW DOES THIS HAPPEN TO ME? Internet “Security “ When using a public computer, never access any vital accounts like banking.

IDENTITY THEFT ARE YOU SAFE?. HOW DOES THIS HAPPEN TO ME? Internet “Security “ When using a public computer, never access any vital accounts like banking.
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.
IS 380 OME 1 Fall 2010 Class 1. Administrative Roster Syllabus Review Class overview 10 domains overview.

IS 380 OME 1 Fall 2010 Class 1. Administrative Roster Syllabus Review Class overview 10 domains overview.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
HIT241 - COST MANAGEMENT Introduction

HIT241 - COST MANAGEMENT Introduction
Business Math Assignment Press F5 to begin to playing this slide show.

Business Math Assignment Press F5 to begin to playing this slide show.
Web Application Security

Web Application Security
The Book Sock Riley A. 9PA.  Describe the problem you want to solve. The real world-problem may be one that all the people in your neighborhood face,

The Book Sock Riley A. 9PA.  Describe the problem you want to solve. The real world-problem may be one that all the people in your neighborhood face,
A Cryptography Education Tool Anna Yu Department of Computer Science College of Engineering North Carolina A&T State University June 18, 2009.

A Cryptography Education Tool Anna Yu Department of Computer Science College of Engineering North Carolina A&T State University June 18, 2009.

Similar presentations

Ads by Google