Electronic Security Initiative
2005 Security Assessment
Email & Security Services
23 August 2005
2 Internet Assessment
• Results of the Internet Assessment: a total of 44 vulnerabilities were discovered (affecting 206 systems).
• High-risk exposures were corrected by IEEE IT staff as soon as they were found.
3 Wireless and Dial-up
Wireless Assessment Remediation Summary (columns: High / Medium / Low / Total)
- Issues Found: 107 27 (the per-column split did not survive extraction)
- Issues Resolved: 107 27 (same)
- Outstanding Issues: 0 / 0 / 0 / 0
- Percent of Issues Resolved: 100%
• Results of the Wireless & Dial-up Assessment: a total of 23 vulnerabilities were discovered.
• E&Y did not identify any rogue data carriers (unauthorized modems answering) on IEEE's dial-up infrastructure.
4 Web Applications
• Results of the Web Applications Assessment: a total of 39 vulnerabilities were discovered across 3 web applications (Xplore, Renewal and Catalog; details on the following slides).
• The development staff responsible for these applications is working to remediate these security issues.
5 Web Applications (Cont’d)
6 Remediation: XPLORE Security Issues (11 Security Issues Remain)
• High Risk (1 issue)
- No encryption for application login (TBR 1Q 2006)
  Username & password are sent in clear text.
  Risk: possible loss of information (credentials can be captured on the network). The Xplore team is willing to accept the risk in the interim.
7 Web Applications (Cont'd)
Remediation of XPLORE Security Issues
• Medium Risk (5 issues)
- Username passed in clear-text cookie (TBR 1Q 2006)
  Risk: user credentials can be compromised
- Arbitrary URL redirection (TBR 1Q 2006)
  Risk: facilitates phishing/social-engineering attacks
- AutoComplete not disabled (TBR 3Q 2006)
  Risk: username and password are cached by the browser
- Weak passwords (TBR 3Q 2006)
  Risk: passwords can be guessed
- Inadequate lockout policy (TBR 3Q 2006)
  Risk: enables brute-force attacks to guess user passwords
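The arbitrary URL redirection finding on this slide is the classic open-redirect pattern: a `next`/`returnUrl` style parameter is handed straight to the HTTP redirect, so a phishing e-mail can link to the genuine site and still land the victim on an attacker-controlled page. The Python below is an added example written for this page, not code from Xplore, IEEE or E&Y; the origin `xplore.example.org` and the function names are assumptions. It shows the vulnerable pattern beside a validator that only ever redirects to the application's own origin, and it covers the bypasses that a naive "starts with /" check lets through (scheme-relative `//evil.test`, look-alike subdomains, userinfo tricks, backslashes and non-http schemes).

```python
from urllib.parse import urljoin, urlsplit

# Assumed application origin for this example (not taken from the assessment).
APP_SCHEME = "https"
APP_HOST = "xplore.example.org"
APP_PORTS = (None, 443)  # the default port or an explicit :443 both count as "us"


def redirect_target_vulnerable(next_url: str) -> str:
    """The pattern behind the finding: whatever the 'next' parameter says,
    the application answers 302 to it, so https://evil.test/login is accepted."""
    return next_url


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Return an absolute URL on APP_HOST, or the default if next_url points
    anywhere else.

    Rejects the usual open-redirect bypasses:
      absolute URLs to other hosts      https://evil.test/
      scheme-relative URLs              //evil.test/
      look-alike subdomains             https://xplore.example.org.evil.test/
      userinfo tricks                   https://xplore.example.org@evil.test/
      backslashes (browsers treat them  /\\evil.test
        as slashes)
      non-http schemes                  javascript:alert(1)
      control characters, which the URL parser may strip or split on
    """
    base = f"{APP_SCHEME}://{APP_HOST}/"
    fallback = urljoin(base, default)

    if not next_url or any(ord(c) < 0x20 or c == "\\" for c in next_url):
        return fallback

    # Resolve against our own origin: a relative path stays on APP_HOST, an
    # absolute URL replaces the base entirely and is then caught below.
    parts = urlsplit(urljoin(base, next_url))
    try:
        port = parts.port  # raises ValueError on a malformed port such as :abc
    except ValueError:
        return fallback

    if (parts.scheme != APP_SCHEME
            or parts.hostname != APP_HOST      # .hostname is lower-cased and excludes userinfo
            or parts.username is not None
            or port not in APP_PORTS):
        return fallback
    return parts.geturl()


if __name__ == "__main__":
    # Constructed sample inputs, the kind an assessment would feed to the parameter.
    for candidate in ("/account/settings?tab=1", "https://evil.test/login",
                      "//evil.test/login", "https://xplore.example.org@evil.test/",
                      "/\\evil.test", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

Where the target set is small (login returns to a handful of pages), the simpler fix is to replace the free-form URL parameter with a short key looked up in a server-side table of allowed paths; no parsing is then needed at all. The same reasoning applies to the Catalog redirect on slide 13: if the storefront cannot be changed, the check can live in whatever front end issues the redirect.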
8 Web Applications (Cont'd)
Remediation of XPLORE Security Issues
• Solving these security issues requires programming changes, testing and QA.
- Most of the critical issues are scheduled to be remediated by 1Q 2006, with the next release of Xplore.
- All remaining issues are to be remediated by 3Q 2006, with future releases of Xplore.
9 Web Applications (Cont'd)
Remediation: Renewal Security Issues (7 Security Issues Remain)
• High Risk (3 issues)
- Option exists for unencrypted authentication (TBR 9/1/2005)
  Risk: user credentials are sent in clear text
- Application does not enforce password complexity (TBR 9/1/2005)
  Risk: passwords can be guessed
- Username and password exposed in the URL (TBR 9/1/2005)
  Risk: this information can be easily retrieved from browser history or a log file (web server, proxy or Referer logs)
10 Web Applications (Cont'd)
Remediation of Renewal Security Issues
• Medium Risk (3 issues)
- AutoComplete not disabled (TBR 9/1/2005)
  Risk: username and password are cached in the browser
- Cross-site scripting vulnerabilities (TBR 9/1/2005)
  Risk: scripts can be injected into the Renewal application and run in other users' browsers
- Inadequate account lockout policy (TBR 9/1/2005)
  Risk: enables brute-force attacks to guess user passwords
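Two findings recur across Xplore (slide 7), Renewal (slides 9 and 10) and Catalog (slide 13): no password complexity rule, so passwords can be guessed, and no account lockout, so an attacker can keep guessing. The Python below is an added example written for this page, not code from any of the IEEE applications or from E&Y; the policy numbers (12-character minimum, 5 failures in 15 minutes, 15-minute lockout), the PBKDF2 parameters and the user `member` are assumptions. It shows a complexity check, a per-account lockout that is consulted before the password is verified, and a constructed brute-force run that trips the lockout.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Policy values are assumptions for this example, not figures from the assessment.
MIN_LENGTH = 12             # minimum password length
MIN_CLASSES = 3             # of: lowercase, uppercase, digit, symbol
MAX_FAILURES = 5            # failed attempts tolerated inside FAILURE_WINDOW
FAILURE_WINDOW = 15 * 60    # seconds over which failures are counted
LOCKOUT_SECONDS = 15 * 60   # how long an account stays locked
PBKDF2_ROUNDS = 100_000

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9\s]")


def password_meets_policy(password: str) -> bool:
    """Complexity rule: minimum length, mix of character classes, no whitespace."""
    if len(password) < MIN_LENGTH or re.search(r"\s", password):
        return False
    classes = sum(1 for pattern in _CLASS_PATTERNS if re.search(pattern, password))
    return classes >= MIN_CLASSES


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


_DUMMY = hash_password("dummy")  # verified for unknown users so timing does not leak existence


class LoginThrottle:
    """Per-account lockout: MAX_FAILURES failures inside FAILURE_WINDOW locks the account."""

    def __init__(self) -> None:
        self._failures: Dict[str, List[float]] = defaultdict(list)  # user -> failure times
        self._locked_until: Dict[str, float] = {}                   # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                       # lockout expired: clean up and allow
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; returns True when this one trips the lockout."""
        recent = [t for t in self._failures[user] if now - t < FAILURE_WINDOW]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(store: Dict[str, Tuple[bytes, bytes]], throttle: LoginThrottle,
                  user: str, password: str, now: float) -> str:
    """Returns 'locked', 'ok' or 'denied'. The lockout is checked before the
    password, so a locked account cannot be brute-forced while locked."""
    if throttle.is_locked(user, now):
        return "locked"
    creds = store.get(user)
    if creds is None:
        verify_password(password, *_DUMMY)     # burn the same time as a real check
    elif verify_password(password, *creds):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user, now)
    return "denied"


def simulate_brute_force() -> List[str]:
    """Constructed scenario: five wrong guesses lock the account, the correct
    password is then refused, and it works again once the lockout expires."""
    store = {"member": hash_password("Correct-Horse-42")}   # constructed test account
    throttle = LoginThrottle()
    results = [attempt_login(store, throttle, "member", f"guess{i}", now=float(i)) for i in range(5)]
    results.append(attempt_login(store, throttle, "member", "Correct-Horse-42", now=5.0))
    results.append(attempt_login(store, throttle, "member", "Correct-Horse-42", now=5.0 + LOCKOUT_SECONDS))
    return results
```

Two caveats a practitioner will want: a per-account lockout lets an attacker lock out a victim on purpose, so in production combine it with a source-address limit or an increasing delay rather than a hard lock, and the HTTP response for `locked` and `denied` should be identical so the lockout itself does not confirm which usernames exist.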
11 Web Applications (Cont'd)
Remediation of Renewal Security Issues
The High & Medium risk issues are scheduled to be addressed with the next release of Renewal, 1 Sep 2005.
12 Web Applications (Cont'd)
Remediation: Catalog Security Issues (7 Security Issues Remain)
• High Risk (1 issue)
- Option exists for unencrypted transaction (TBR 9/1/2005)
  Risk: sensitive information could be captured by an attacker
  ✓ Actual transmission of credit card information is encrypted
13 Web Applications (Cont'd)
Remediation of Catalog Security Issues
• Medium Risk (3 issues)
- AutoComplete is not disabled (TBR 9/1/2005)
  Risk: username and password are cached in the browser
- Arbitrary URL redirection (remediation not possible)
  Risk: facilitates phishing/social-engineering attacks
  ✓ Remediation not possible due to limitations of the tools in use (Commerce Server)
  ✓ Will no longer exist after BMS takes over the Shop function, scheduled for May 2006
- Inadequate account lockout policy (remediation not possible)
  Risk: enables brute-force attacks to guess user passwords
  ✓ Remediation not possible due to limitations of the tools used to authenticate users
  ✓ Will no longer exist after BMS takes over the Shop function, scheduled for May 2006
14 2005 Security Assessment Next Steps
• IEEE has remediated all vulnerabilities not requiring programming changes. The final E&Y report will be delivered by COB Wednesday, August 23rd.
- Original scheduled delivery date: 12 Aug 2005 (missed)
- Vendor requested an extension due to:
  ASC close-down during Black Hat/DEF CON
  Lead IEEE tester out of the office (personal matter)
  Additional time to confirm fixes (re-testing)
• Complex security issues, requiring programming changes, have been prioritized for implementation.