The Corporate Web Security Landscape
An Ethical Hacker’s View
Peter Wood, Chief Executive Officer
First•Base Technologies LLP
Slide 2 © First Base Technologies 2011
Who is Peter Wood?
Worked in computers & electronics since 1969
Founded First•Base in 1989 (one of the first ethical hacking firms)
• CEO First Base Technologies LLP
• Social engineer & penetration tester
• Conference speaker and security ‘expert’
• Chair of Advisory Board at CSA UK & Ireland
• Vice Chair of BCS Information Risk Management and Audit Group
• Vice President UK/EU Global Institute for Cyber Security + Research
• Member of ISACA Security Advisory Group
• Corporate Executive Programme Expert
• Knowthenet.org.uk Expert
• IISP Interviewer
• FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
• Registered BCS Security Consultant
• Member of ACM, ISACA, ISSA, Mensa
Information leakage
Web Security Issues
• Drive-by malware infection
• Phishing and spear phishing
• Social networking attacks
The Statistics
Cisco 1Q11 Global Threat Report
Drive-by Malware Infection
• Just surfing to a compromised website is enough to infect your computer
• The malware exploits security holes in browsers and plug-ins
Drive-by Malware Infection
• Web sites often employ JavaScript, Java, ActiveX, PHP or Adobe Flash
• These allow continuous communication between browser and server without user intervention
• Legitimate uses include changing web banners, loading lists or sending data to servers
• If a browser has an unpatched vulnerability, malicious scripts can access a user's computer directly
• Thus malware can move from the server to the browser, and via the vulnerability to the user's computer, without any conscious action by the website visitor at all
• Even legitimate, well-known and frequently-visited websites can be infected
[Chart: Browser Version vs. % share]
Operation Aurora
• Two days after the attack became public, McAfee reported that the attackers had exploited purported zero-day vulnerabilities (unfixed and previously unknown to the target system developers) in Internet Explorer and dubbed the attack ‘Operation Aurora’
• In an advisory on January 14, 2010, Microsoft said that attackers targeting Google and other U.S. companies used software that exploits a hole in Internet Explorer
• The vulnerability affected Internet Explorer versions 6, 7, and 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4
Spear phishing
January 2009 - www.lavasoft.com
Malware on LinkedIn
Malware on Facebook
• Users don’t always realize that third-party widgets for Facebook, for example, aren’t written by Facebook
• Some collect more information than necessary or safe
• Others have been written specifically to install adware or generate revenue
• “Secret Crush” on Facebook spread spyware
• Victims received an invitation to find out who had a secret “crush” on them, which lured them into installing the Secret Crush app; the app then spread spyware via an iFrame
• The attack became worm-like when it required the victim to invite at least five friends before learning who their “crush” was
Kelly Jackson Higgins, DarkReading
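Both the drive-by slides (a compromised legitimate site delivering malware to the browser with no user action) and the Secret Crush case above come down to the same delivery mechanism: a hidden or off-origin iframe injected into a page the victim trusts. As an added example that is not part of the original deck, the following Python check audits fetched HTML for iframes that are zero-size, hidden by CSS, or loaded from a different host than the page; the sample HTML and hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to keep an injected iframe invisible
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 (pixel units tolerated)."""
    try:
        return int(value.rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, page_url):
    """Return (src, reasons) for iframes that look like drive-by injections."""
    collector = IframeCollector()
    collector.feed(html)
    page_host = urlparse(page_url).netloc.lower()
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        reasons = []
        frame_host = urlparse(src).netloc.lower()
        if frame_host and frame_host != page_host:
            reasons.append("off-origin")
        if _tiny(frame.get("width", "")) or _tiny(frame.get("height", "")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(frame.get("style", "")):
            reasons.append("hidden-style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate embed, one injected invisible iframe
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<iframe src="http://evil.example.net/x.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "https://www.example.com/news"):
        print(src, reasons)
```

Run it against HTML captured from a proxy or web crawler; a legitimate full-size same-origin embed produces no finding, while the injected frame is reported with all three reasons.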
3 May 2011 - http://technolog.msnbc.msn.com
http://www.independent.co.uk
Social Networking Attacks
DON’T PANIC! (assuming you’re the only user)
Patch and Check Regularly!
Control Your Web Browsing
Think Before You Click!
Don’t Forget to Cross Your Fingers!
Peter Wood, Chief Executive Officer
First•Base Technologies LLP
Twitter: peterwoodx
Blog: fpws.blogspot.com
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Need more information?