Presentation is loading. Please wait.

Presentation is loading. Please wait.

Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez

Published byChristine Campbell Modified over 5 years ago

Similar presentations

Presentation on theme: "Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez"— Presentation transcript:

1 Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez
Project Part II Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez

2 Our Security Problem Is Website Attacks
Firewall are common in every network deployment, so attackers use websites to get access to internal network Every industry, be it online hop, retail stores, educational institution or government sector has a website for public use, which makes the website problem very common in multiple industries.

3 Our Security Problem's implications for the four cornerstones of secure computing:
Website attacks have an affect on all four corner stones of secure computing Confidentiality Attackers can steal data from databases Authenticity Popular websites are targets of phishing attacks Integrity This is when a software downloads websites serves trojans and viruses combined with the legit software Availability Website are vulnerable to Denial of Service Attacks

4 SQL Injection Web Attack Example
Query Injected by the Attacker Output from the Query Note: Account Numbers masked to protect customer identity

5 PHP File Inclusion Web Attack Example

6 Cross Side Scripting (XSS)
In the code below, you will see that XSS can easily send you to an evil site name=<script language=javascript>window.location= ” In the code below, you will see that XSS may cause denial of service with just one line of code name=<script language=javascript>setInterval ("window.open(' The link above will open a window of Dr. Chen’s webpage and request it every 100 milliseconds.

7 Other Web Attacks Attackers can target vulnerabilities in browser (Internet Explorer or Firefox, java console, plugins, etc

8 Evaluation of Existing Work – Intrusion Prevention Systems and Web Application Firewall

9 Evaluation of Existing Work – Intrusion Prevention Systems
Pros They can help filter the malicious queries before they get to the website They can prevent bad code to come into the network They have blacklist IPs which can protect you from exchanging data from malicious sites Cons They slow down the speed of the websites False positives block legit web traffic Very costly Have to keep evolving Not suitable for high volume websites

10 Case Study – E-Commerce Website for Computer Goods
June 15, 2008 – Website was hacked Company used a shared shopping cart Attacker stole credit card data via SQL Injection common to the shopping cart August 4, Forensic Investigation completed Recommended Manual Code Review, Intrusion Detection/Prevention System and Application Penetration Test September 20, 2008 – Intrusion Prevention System deployed Configured it with all built in rules

11 Case Study – E-Commerce Website for Computer Goods
September 20, 2008 – Website problems Performance got hit FTP stopped working due to bad IPS rule September 21, Configure only trusted IPS rules Allowed only 10 rules to block traffic November 3, 2008 – Website down Initial ruling was DOS attacks It was later discovered that holiday season rush caused IPS to do more work and it crashed. The setting on IPS was to fail close i.e. Not allow traffic upon device failure

12 Case Study – E-Commerce Website for Computer Goods
November 3, 2008 – CIO ordered downtime report IT guys suggested to have IPS to fail open i.e. allow all traffic when device fails November 4, 2008 – IPS Decommissioned IPS functionality was reduced to minimum anyway Business decision was made to not use traffic inspection solution until the end of Holiday Season

13 Take Aways IPS looked at all traffic when the protection was required for Web Application only Overkill of what web applications need IPS was doing minimal work and was not worth the investment. For a website, you can block all ports except web ports on firewall. IDS/IPS, on their own, cannot protect web applications. Each web application can have different vulnerabilities and requires different treatment.

14 So what’s the industry fix
Web Application Firewalls Trained to look at abnormal web traffic Doesn’t service any ports other than web application ports Provides deep inspection on all web requests Supports ultra high performance & sub-millisecond latency Addresses PCI 6.6 requirement for web security Nothing, Nothing beats the manual code review and secure coding training Companies with high stakes + available funds go for this

15 So what’s the industry fix
Common Web Application Firewalls (WAFs) WebKnight OWASP Stinger Project ModSecurity Imperva SecureSphere Lots of security vendors and startups creating WAFs Source code reviews and Application Penetration Tests are becoming industry standards as well

16 Magic Quadrant for Intrusion Prevention Systems

17 Magic Quadrant for Secure Web Gateways

18 Related Work and Research in This Area
SANS Paper on Web Based Threats Symantec’s Paper on Web Based Threats DevShed.com’s Cross Side Scripting Paper Trustwave’s PHP File Inclusion Paper Security Focus’ article on SQL Injection

Download ppt "Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Csci5931 Web Security1 Case Study: A Forensic Lesson for Web Security (MSS, part one)

Csci5931 Web Security1 Case Study: A Forensic Lesson for Web Security (MSS, part one)
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
The development of Internet A cow was lost in Jan 14th 2003. If you know where it is, please contact with me. My QQ number is 87881405. QQ is one of the.

The development of Internet A cow was lost in Jan 14th If you know where it is, please contact with me. My QQ number is QQ is one of the.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
1 Project Part II Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez.

1 Project Part II Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez.
Mod Security (Is it worth it?) By Rich Helton. Abstract (see my paper for sources)  Based on statistics, Apache is the most used web server being used.

Mod Security (Is it worth it?) By Rich Helton. Abstract (see my paper for sources)  Based on statistics, Apache is the most used web server being used.
By Ben Pratt and Clint Forseth.  Ben Pratt ◦ Primary Role: Course Mgmt. Sys. Admin ◦ Secondary Roles: Printer Server Admin, Web Application Firewall.

By Ben Pratt and Clint Forseth.  Ben Pratt ◦ Primary Role: Course Mgmt. Sys. Admin ◦ Secondary Roles: Printer Server Admin, Web Application Firewall.
1 Project Part III Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez.

1 Project Part III Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez.
Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.

Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Mohammed Saiyeedur Rahman.  E-commerce is buying and selling goods over the internet. This could include selling/buying mobile phones, clothes or DVD’s.

Mohammed Saiyeedur Rahman.  E-commerce is buying and selling goods over the internet. This could include selling/buying mobile phones, clothes or DVD’s.
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
How It Applies In A Virtual World

How It Applies In A Virtual World
Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.

Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.
COMPUTER CRIME AND TYPES OF CRIME Prepared by: NURUL FATIHAH BT ANAS.

COMPUTER CRIME AND TYPES OF CRIME Prepared by: NURUL FATIHAH BT ANAS.
SHASHANK MASHETTY Email security. Introduction Electronic mail most commonly referred to as email or e- mail. Electronic mail is one of the most commonly.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.

Similar presentations

Ads by Google