1 Project Part II Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez

2 Our Security Problem Is Website Attacks
 Firewalls are common in every network deployment, so attackers use websites to get access to the internal network
 Every industry, be it online shop, retail store, educational institution or government sector, has a website for public use, which makes the website problem very common across multiple industries.

3 Our Security Problem's implications for the four cornerstones of secure computing:
 Website attacks have an effect on all four cornerstones of secure computing
–Confidentiality
 Attackers can steal data from databases
–Authenticity
 Popular websites are targets of phishing attacks
–Integrity
 Software download websites serve trojans and viruses bundled with the legitimate software
–Availability
 Websites are vulnerable to Denial of Service attacks

4 SQL Injection Web Attack Example
[Figure: Query Injected by the Attacker / Output from the Query]
Note: Account Numbers masked to protect customer identity
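The slide's figure is not reproduced in the transcript, so here is an added example (not from the presentation) of the flaw it illustrates and its fix: the same lookup written once with string splicing and once with a bound parameter, run against a constructed in-memory SQLite table. The table, rows and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny accounts table
# standing in for the customer database behind an e-commerce site. The card
# numbers are already masked, as in the slide's output.
SAMPLE_ROWS = [
    ("alice", "4111-XXXX-XXXX-1111"),
    ("bob", "5500-XXXX-XXXX-0004"),
    ("carol", "3400-XXXX-XXXX-0009"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Injectable lookup: the request value is spliced into the SQL text.

    A quote in the input closes the string literal, so the remainder of the
    input becomes part of the query's syntax (the flaw the slide's figure shows).
    """
    sql = "SELECT username, card FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Fixed lookup: the value is bound as a parameter.

    The database driver always treats a bound parameter as data, whatever
    characters it contains, so no input can change the query's structure.
    """
    sql = "SELECT username, card FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # constructed input that is not a username
    print("vulnerable:    ", lookup_vulnerable(db, tampered))     # every row
    print("parameterized: ", lookup_parameterized(db, tampered))  # no rows
```

The parameterized version returns nothing for the tampered input because the whole string is compared, quotes and all, against the username column; the spliced version returns every card in the table.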

5 PHP File Inclusion Web Attack Example

6 Cross Site Scripting (XSS)
 In the code below, you will see that XSS can easily send you to an evil site
name= window.location= ”
 In the code below, you will see that XSS may cause denial of service with just one line of code
name= setInterval ("window.open('
The link above will open a window of Dr. Chen’s webpage and request it every 100 milliseconds.
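Slides 5 and 6 name the two input-handling mistakes behind PHP file inclusion and XSS. As an added example (not code from the presentation), the block below builds a constructed two-page site in a temporary directory and shows each mistake beside its fix: a page parameter used as a path versus an allowlist lookup, and a name reflected into HTML unchanged versus output-encoded. File names, page names and function names are assumptions made for the example.

```python
import html
import tempfile
from pathlib import Path

# Constructed sample site layout (not from the slides): two includable pages
# under pages/, plus a file outside that directory that must never be served.
ALLOWED_PAGES = {"home", "contact"}


def build_site(root):
    """Create the sample layout under root and return the pages directory."""
    pages = Path(root) / "pages"
    pages.mkdir()
    (pages / "home.html").write_text("<h1>Home</h1>")
    (pages / "contact.html").write_text("<h1>Contact</h1>")
    (Path(root) / "config.txt").write_text("db_password=CONSTRUCTED")
    return pages


def include_vulnerable(pages_dir, page):
    """Mirrors include($_GET['page']): the parameter is used directly as a path,
    so '..' components in it reach files outside pages/."""
    return (pages_dir / page).read_text()


def include_safe(pages_dir, page):
    """Allowlist: the parameter selects a key, never a path."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page: %r" % page)
    target = (pages_dir / (page + ".html")).resolve()
    # Belt and braces: the resolved file must still sit inside pages/.
    if pages_dir.resolve() not in target.parents:
        raise ValueError("path escapes pages directory")
    return target.read_text()


def render_greeting_vulnerable(name):
    """Reflects the parameter into HTML unchanged; markup in it is executed."""
    return "<p>Hello, %s</p>" % name


def render_greeting_safe(name):
    """Output encoding: <, >, &, and quotes become entities, so the browser
    shows the name as text instead of interpreting it as markup."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    pages = build_site(tempfile.mkdtemp())
    print(include_safe(pages, "home"))
    try:
        include_safe(pages, "../config.txt")
    except ValueError as exc:
        print("refused:", exc)
    print(render_greeting_safe('<script>alert("x")</script>'))
```

The allowlist check runs before any file system access, so the traversal is refused by name alone; the resolved-path check is a second, independent guard in case the allowlist is ever loosened.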

7 Other Web Attacks
 Attackers can target vulnerabilities in the browser (Internet Explorer or Firefox), the Java console, plugins, etc.

8 Evaluation of Existing Work – Intrusion Prevention Systems and Web Application Firewall

9 Evaluation of Existing Work – Intrusion Prevention Systems
 Pros
–They can help filter malicious queries before they reach the website
–They can prevent bad code from entering the network
–They maintain IP blacklists, which can protect you from exchanging data with malicious sites
 Cons
–They slow down websites
–False positives block legitimate web traffic
–Very costly
–Have to keep evolving
–Not suitable for high volume websites

10 Case Study – E-Commerce Website for Computer Goods
 June 15, 2008 – Website was hacked
–Company used a shared shopping cart
–Attacker stole credit card data via a SQL Injection flaw common to the shopping cart
–August 4 – Forensic investigation completed
–Recommended manual code review, Intrusion Detection/Prevention System and application penetration test
–September 20, 2008 – Intrusion Prevention System deployed
–Configured it with all built-in rules

11 Case Study – E-Commerce Website for Computer Goods
 September 20, 2008 – Website problems
–Performance degraded
–FTP stopped working due to a bad IPS rule
–September 21 – Configured only trusted IPS rules
–Allowed only 10 rules to block traffic
–November 3, 2008 – Website down
–Initial ruling was DoS attacks
–It was later discovered that the holiday season rush caused the IPS to do more work, and it crashed.
–The IPS was set to fail closed, i.e. not allow traffic upon device failure

12 Case Study – E-Commerce Website for Computer Goods
 November 3, 2008 – CIO ordered a downtime report
–IT staff suggested setting the IPS to fail open, i.e. allow all traffic when the device fails
–November 4, 2008 – IPS decommissioned
–IPS functionality had been reduced to a minimum anyway
–Business decision was made not to use a traffic inspection solution until the end of the holiday season

13 Takeaways
 IPS looked at all traffic when protection was required for the web application only
–Overkill for what web applications need
–IPS was doing minimal work and was not worth the investment.
–For a website, you can block all ports except web ports on the firewall.
–IDS/IPS, on their own, cannot protect web applications. Each web application can have different vulnerabilities and requires different treatment.

14 So what’s the industry fix
 Web Application Firewalls
 Trained to look at abnormal web traffic
 Doesn’t serve any ports other than web application ports
 Provides deep inspection on all web requests
 Supports ultra high performance & sub-millisecond latency
 Addresses PCI 6.6 requirement for web security
 Nothing, nothing beats manual code review and secure coding training
 Companies with high stakes + available funds go for this

15 So what’s the industry fix
 Common Web Application Firewalls (WAFs)
 WebKnight
 OWASP Stinger Project
 ModSecurity
 Imperva SecureSphere
 Lots of security vendors and startups creating WAFs
 Source code reviews and Application Penetration Tests are becoming industry standards as well
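To make the WAF behaviour described on slides 13 to 15 concrete, and to tie it back to the IPS problems in the case study (false positives, and the fail-closed setting that took the site down), here is an added toy inspector run over a constructed request log. It is not code from the presentation or from any of the WAF products named above; the log lines, the rule set, the port list and the function names are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request log (not from the slides). Each line is
# "METHOD TARGET PORT"; the attack strings are textbook patterns for the
# attack classes the slides name, and the fifth line is a legitimate search.
SAMPLE_REQUESTS = [
    "GET /products?id=42 443",
    "GET /products?id=42'%20OR%20'1'='1 443",
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E 443",
    "GET /index.php?page=../../etc/passwd 443",
    "GET /search?q=union+jack+flag 443",
    "GET / 21",
]

# A WAF serves only the web application's ports; everything else is the
# network firewall's job ("block all ports except web ports").
WEB_PORTS = {80, 443}

# Signature rules applied to the URL-decoded request. Each is deliberately
# narrow (e.g. "union" must be followed by "select") so ordinary words in a
# search query do not trip it: false positives were the IPS's big cost.
RULES = [
    ("sqli", re.compile(r"'\s*(or|and)\s*'", re.I)),
    ("sqli", re.compile(r"\bunion\b\s+\bselect\b", re.I)),
    ("xss", re.compile(r"<\s*script\b", re.I)),
    ("lfi", re.compile(r"\.\./")),
]


def inspect(line):
    """Classify one request line: ('allow' | 'block' | 'drop', reason)."""
    method, target, port = line.split()
    port = int(port)
    if port not in WEB_PORTS:
        return "drop", "non-web port %d" % port
    decoded = unquote_plus(target)  # decode first so %xx cannot hide a signature
    for name, rx in RULES:
        if rx.search(decoded):
            return "block", name
    return "allow", ""


def run_waf(lines, fail_open=False):
    """Run the inspector over a request log, applying a failure policy.

    If inspection itself fails (a crashed engine, or here a malformed line),
    fail_open=True lets the request through and fail_open=False drops it,
    which is the fail-closed setting that took the case-study site offline.
    """
    decisions = []
    for line in lines:
        try:
            decisions.append(inspect(line))
        except Exception as exc:
            policy = "allow" if fail_open else "drop"
            decisions.append((policy, "inspection failed: %s" % exc))
    return decisions


if __name__ == "__main__":
    for line, (verdict, why) in zip(SAMPLE_REQUESTS, run_waf(SAMPLE_REQUESTS)):
        print("%-6s %-20s %s" % (verdict, why, line))
```

Two points to take from running it: decoding before matching is what lets the rules see the encoded script tag, and the deliberately narrow SQL rules let "union jack flag" through while still catching the quoted OR clause. The fail_open flag is the single configuration decision the case study turns on; a real deployment would usually also log the failure so an outage of the inspector is noticed rather than silently masked.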

16 Magic Quadrant for Intrusion Prevention Systems

17 Magic Quadrant for Secure Web Gateways

18 Related Work and Research in This Area
 SANS Paper on Web Based Threats – _attacks_2053?show=2053.php&cat=application
 Symantec’s Paper on Web Based Threats – http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_ en-us.pdf
 DevShed.com’s Cross Site Scripting Paper – Scripting/1/
 Trustwave’s PHP File Inclusion Paper
 Security Focus’ article on SQL Injection