Web 2.0 Security - PowerPoint PPT Presentation

Provided by: ll98
Slides: 41
Tags: security | web | worm

Transcript and Presenter's Notes


1
Web 2.0 Security
  • Active Content
  • Mobile Code
  • Lydia Lourbacos, IT Security Manager
  • CISSP, CAP, CISM, CISA, GCIH, GCFA
  • SANS Mentor for GCIH & GCFA

2
Overview of Web 2.0 Security
  • Brief Internet History
  • The Web
  • Web 2.0 vs. Web 1.0
  • Why is Web 2.0 dangerous?
  • What can you do?
  • Web 3.0
  • ...and beyond. Discussion

3
Internet History -1
  • ARPA: what caused its creation, and when?
  • 1958
  • in response to Soviet Sputnik
  • Year of first 2 Nodes of ARPAnet?
  • 1969
  • Year of first basic email using @?
  • 1972
  • First world leader to send email?
  • Queen Elizabeth
  • Year Apple Computer Founded?
  • 1976

4
Internet History - 2
  • Year TCP/IP put together?
  • 1978
  • Year Microsoft creates DOS?
  • 1981
  • Year "Internet" coined? (Smilies invented)
  • 1982
  • Year ARPANet has 5000 hosts
  • 1986

5
Internet History - 3
  • Year ARPANet has 10,000 hosts
  • 1987
  • Year of Morris Worm
  • 1988
  • Year the Web was born? Whose vision?
  • 1989
  • Tim Berners-Lee
  • Death of ARPANet: 1989, @ 20 years

6
Internet Trivia - 4
  • Year HTML introduced?
  • 1993
  • Year Yahoo born?
  • 1994 (100,000 visitors)
  • Year Amazon & eBay born?
  • 1995
  • Year Google born?
  • 1998

7
Internet Use
  • 1969 2 nodes
  • 1996 45 million
  • 1999 150 million
  • 2002 544 million
  • 2005 1 billion
  • 2007 1.3 billion
  • 2009 1.669 billion
  • December 22, 2012 0

8
What is Web 2.0?
  • The Web -- static (Retronym: Web 1.0)
  • Web 2.0 -- add value, interactive
  • Web 3.0 -- sixth sense
  • Web 4.0 -- ...?

9
Web 1.0 vs Web 2.0
  • http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-Web-20.html

10
5 Tenets of Web 2.0 -1
  • Users add value
  • Value is data (video, audio, images, text)
  • Data accrues on platform of applications
  • Chat
  • Audio/video
  • Databases
  • Google maps

11
5 Tenets of Web 2.0 -2
  • Applications can be accessed from many devices
  • Devices are becoming integrated into changing
    our lives profoundly
  • http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-Web-20.html

12
Elements of Web 2.0 -1
  • 3D Virtual Worlds (Second Life 10)
  • Blogs, Podcasts, Twitter
  • Bookmarking (Digg, Delicious, 50)
  • Cloud Computing (SaaS, PaaS, IaaS)

13
Elements of Web 2.0 -2
  • Mashups: integration of 2 external
    data/functions - fastest growing app
  • http://news.zdnet.com/2422-13569_22-152729.html
  • http://hisz.rsoe.hu/alertmap/index2.php?area=usa&lang=eng
  • Photo & Video Sites (YouTube, Flickr, 50)
  • Pop-up Ads
  • RSS
  • Social Networking Sites (Facebook, 100)

14
Why is Web 2.0 Different?
  • Web 2.0 is NOT "TV, only better"
  • INTERACTIVITY is based on
  • Mobile Code
  • Active Content
  • The gun is loaded and you don't know it!

15
Interpreters
  • Code no longer distinct from data
  • Scripts - high-level programming languages
  • Scripts require interpreters or JIT compilers
  • Application interpreters are different &
    ubiquitous

16
Mobile Code -1
  • Code transmitted, executed on client
  • A portable instruction
  • program, script, macro or other
  • Shipped unchanged over Internet
  • To variety of platforms (clients)
  • Executed same on each client

17
Mobile Code -2
  • Examples (provide rich content)
  • JavaScript
  • VBScript
  • JScript (Microsoft's version of JavaScript)
  • AJAX
  • (Asynchronous JavaScript And eXtended markup
    language)
  • Java applets
  • ActiveX (formerly OLE)
  • Flash
  • Shockwave

18
Active Content
  • Uses Interpreters in applications to run mobile
    code
  • Acts within electronic documents
  • Trigger/execute actions on a platform
  • Automatic
  • No user intervention/knowledge

19
Client Side Active Content
  • Different Interpreters in
  • Email clients
  • Office Automation
  • Adobe PDF
  • Browsers
  • Render other content types
  • Video / Audio / Graphics
  • Forms
  • Postscript (printing)

20
Client Browser Active Content
  • Cookies
  • data-mine authentication patterns
  • Cross-site scripting: goal is to steal cookies
  • Browser dependent
  • Data validation
  • Forms
  • Error messages
  • Browsers Render Content
  • Graphics, menus
  • Render audio, video, proprietary content

21
Client Browser Extensions
  • Browsers render content
  • Graphics
  • Menus
  • Other types like video, audio
  • Extensions - extend content types rendered
  • Different audio or video types
  • FTP, bookmarking, form fill-out
  • Handling capabilities are registered with browser
  • Usually require full access to browser/OS
    Internals

22
Browser Plug-ins Helpers
  • Plug-ins are confined to the capability of the
    browser
  • Plug-ins cannot enforce authenticated signatures
  • Helpers (content viewers)
  • Run independent of browser security controls
  • Windows Media Player, RealPlayer, Quicktime,
    Shockwave, Flash

23
Client Technical Protection -1
  • Lock down clients
  • Become familiar with FDCC
  • Registry settings
  • Group Policy Objects
  • Internet Explorer restrictions
  • Disable unneeded functionality
  • Delete cookies & temp directory on exit
  • Run only signed objects on clients
  • http://www.us-cert.gov/cas/tips/ST04-012.html
  • http://technet.microsoft.com/en-us/library/cc750862.aspx

24
Client Technical Protection -2
  • Disable HTML in eMail
  • Disable administrator access on clients
  • Scan eMail/attachments for malware
  • (only 20% of malware is caught)
  • Work network --use egress filtering
  • Home network --use hardware router
  • Check logs

25
NEVER
  • Click on links in emails
  • Always type them in yourself

26
Server Side -1
  • Server Side Scripting
  • Happens on server, on the resource to be sent
  • On-the-fly formatting of HTML
  • Not browser specific
  • Web-server OS dependent
  • AJAX API: improve response times/user tasks
  • Cross Site Scripting: injection of malicious code
    into poorly secured servers' pages
  • 68% of servers vulnerable to it
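
Added example (not from the presentation): a minimal server-side page builder showing what the slides above mean by on-the-fly HTML formatting turning into cross-site scripting, and what the OWASP-style fix looks like. It covers the "Data validation / Forms / Error messages" items of slide 20 as well as this slide: a login error message that echoes the submitted form value is the classic reflected XSS spot. The function names and the sample payload are constructed for this example; the cookie attributes shown (HttpOnly, Secure, SameSite) are standard HTTP Set-Cookie attributes and are the server-side answer to the "goal to steal cookies" point.

```javascript
// Added example, not code from the presentation. Runs under Node with no
// dependencies; the "username" sample input is constructed for this demo.

// Encode untrusted text for an HTML element body or a double-quoted attribute.
// This is the OWASP output-encoding rule for the HTML context: the five
// characters that can change the meaning of markup are turned into entities.
function encodeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable form: the submitted username is spliced straight into the page,
// so whatever markup the user typed is interpreted by every browser that
// renders the error message.
function renderLoginErrorVulnerable(username) {
  return `<p class="error">Unknown user: ${username}</p>`;
}

// Hardened form: the same page, with the untrusted value encoded for HTML
// context. The payload is still shown to the user, but as text, not as code.
function renderLoginErrorHardened(username) {
  return `<p class="error">Unknown user: ${encodeHtml(username)}</p>`;
}

// Session cookie attributes that blunt cookie theft even if a script does run:
// HttpOnly hides the cookie from document.cookie, Secure keeps it off plaintext
// HTTP, SameSite limits when other sites can make the browser send it.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Review check over rendered output: does a live <script> tag survive?
// This detects the symptom for a test suite; it is not a substitute for encoding.
function containsLiveScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample input: a "username" that is really a script payload.
const SAMPLE_PAYLOAD = "<script>alert(document.cookie)</script>";

console.log("vulnerable:", renderLoginErrorVulnerable(SAMPLE_PAYLOAD));
console.log("hardened:  ", renderLoginErrorHardened(SAMPLE_PAYLOAD));
console.log("Set-Cookie:", sessionCookieHeader("a1b2c3"));
```

The hardened render prints the payload back as visible text (`&lt;script&gt;...`), which is the behaviour a reviewer should expect from any page that echoes form input into an error message. Encoding must be applied at the output point for the context in question (HTML body here; attribute, URL and JavaScript contexts each need their own rule), and the cookie attributes are a second layer, not a replacement for it.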

27
Server Side -2
  • Rexx, Perl, Python
  • JavaScript (JScript) used in interactive
    documents
  • ASP.NET
  • SSI (CGI scripts)
  • Java Enterprise Edition
  • C
  • VBScript

28
Server Technical Protection
  • Programmer education
  • Use OWASP standards
  • Procurement/contracts
  • OWASP standards in contracts
  • Patch and Vulnerability program
  • Strict change management
  • Whitelisting (lots of pros and cons)
  • Email filters, disable HTML (GPO)
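
Added example (not from the presentation): a small mail-gateway triage step that implements the "Disable HTML in eMail" advice of slide 24 and the "Email filters, disable HTML" item of this slide. It flags the kinds of active content a mail client's HTML interpreter would otherwise run, then converts the body to plain text so that nothing is interpreted at all. The function names, pattern list and sample messages are constructed for this example.

```javascript
// Added example, not code from the presentation. Runs under Node with no
// dependencies; the sample messages below are constructed.

// Markers of active content in an HTML mail body. These are what a client's
// interpreter would execute or fetch; the list is for flagging and logging,
// not for "cleaning" HTML that is then still rendered.
const ACTIVE_CONTENT_PATTERNS = [
  { name: "script element",      re: /<\s*script\b/i },
  { name: "object/embed/applet", re: /<\s*(object|embed|applet)\b/i },
  { name: "iframe/frame",        re: /<\s*i?frame\b/i },
  { name: "event handler",       re: /<[^>]*\son[a-z]+\s*=/i },   // onerror=, onload=, ...
  { name: "javascript: URL",     re: /\bjavascript\s*:/i },
  { name: "vbscript: URL",       re: /\bvbscript\s*:/i },
  { name: "meta refresh",        re: /<\s*meta\b[^>]*http-equiv\s*=\s*["']?refresh/i },
];

// Return the names of every active-content marker found in the body.
function findActiveContent(html) {
  return ACTIVE_CONTENT_PATTERNS.filter((p) => p.re.test(html)).map((p) => p.name);
}

// Reduce an HTML body to plain text: drop script/style bodies entirely, turn
// block boundaries into newlines, strip all remaining tags, decode the common
// entities last so that a decoded "&amp;lt;" cannot become a tag.
function htmlToPlainText(html) {
  return html
    .replace(/<\s*(script|style)\b[\s\S]*?<\s*\/\s*\1\s*>/gi, "")
    .replace(/<\s*br\s*\/?>/gi, "\n")
    .replace(/<\s*\/\s*(p|div|tr|li|h[1-6])\s*>/gi, "\n")
    .replace(/<[^>]+>/g, "")
    .replace(/&nbsp;/g, " ")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#x27;/g, "'")
    .replace(/&amp;/g, "&")
    .replace(/[ \t]+\n/g, "\n")
    .trim();
}

// Gateway decision: log what was found, and deliver the body as text/plain
// regardless, which is the "disable HTML" control from the slides.
function triage(message) {
  return {
    subject: message.subject,
    findings: findActiveContent(message.html),
    deliverAs: "text/plain",
    body: htmlToPlainText(message.html),
  };
}

// Constructed sample messages (not real mail).
const SAMPLE_MESSAGES = [
  { subject: "Hello", html: '<p>Hello</p><script>alert(1)</script><a href="javascript:alert(2)">x</a>' },
  { subject: "Invoice", html: '<p>Invoice attached</p><img src="x" onerror="alert(1)">' },
  { subject: "Lunch", html: "<p>Lunch at <b>noon</b> &amp; coffee</p>" },
];

for (const m of SAMPLE_MESSAGES) {
  console.log(JSON.stringify(triage(m)));
}
```

The design choice matches the slide: the pattern list is evidence for the log and for user awareness training, while the control is the unconditional plain-text delivery. Regex-based stripping that still returns HTML to a browser-grade renderer is bypassable and should not be used as a sanitizer; converting to plain text sidesteps that problem because the result is never interpreted.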

29
Web 2.0 Threats -1
  • Malicious websites & Malware
  • 3D Virtual Worlds
  • Bookmarking
  • Privacy /PII
  • Blogs & Podcasts
  • Photo & Video Sites

30
Web 2.0 Threats -2
  • Both Privacy & Malicious sites/malware
  • Social Networking
  • eMail
  • Office Automation
  • Mashups
  • Cloud Computing (SaaS, PaaS, IaaS)
  • Security of a remote system
  • Encryption
  • Cost
  • End of Life: if you have to pull it back inside

31
Web 2.0 Controls -1
  • Policy
  • Evaluate risk based on business sensitivity
  • Policy restriction continuum
  • Entirely block social networks
  • Allow access but only during non-work time
  • Allow access but closely monitor
  • Block access after evidence of misuse
  • Regardless of access--prohibit identification
    with company on social networking sites

32
Web 2.0 Controls -2
  • Privacy
  • Personally Identifiable Information (PII)
  • Personal reputation & future
  • Children and teens
  • Financial information
  • Malware
  • <25% of malware caught by Anti-Malware
  • HTML in eMail: biggest attack vector
  • Phishing and malicious site
  • User awareness and education

33
Web 2.0 Controls -3
  • MAJOR SAFEGUARD IS
  • AWARENESS

34
Summary Web 2.0 Security
  • Mobile code enabled by Active Content
  • Establish & follow policies & procedures
  • Lock down desktop
  • Use OWASP in-house, in contracts
  • Patch & Vulnerability program
  • Establish active awareness program

35
Evolution to Web X.0
  • Tim Berners-Lee's Semantic Web
  • the Web as a whole can be made more intelligent.
  • The computer can learn enough about what the data
    means to process it.
  • Web OS network services for distributed
    computing independent of computer OSes.

36
Web 3.0 ?

37
Web 4.0: a hint?
  • WolframAlpha
  • http://www04.wolframalpha.com/
  • Technology and a platform to make knowledge
    computable and accessible to everyone.
  • Mathematica
  • A symbolic language
  • Includes 50,000 algorithms
  • Is also a deployment platform

38
Web 4.0 One World Wide Computer
  • http://www.ted.com/talks/kevin_kelly_on_the_next_5_000_days_of_the_web.html
  • Nothing is inevitable except change
  • We can be frightened or excited

39
Which are you?
  • ?

40
References
  • http://www.out-law.com/page-6946
  • http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-Web-20.html
  • http://www.hpl.hp.com/techreports/2009/HPL-2009-99.pdf
  • http://www.youtube.com/watch?v=6PNuQHUiV3Q - What is Cloud Computing?
  • http://www.practicalecommerce.com/articles/464-Basic-Definitions-Web-1-0-Web-2-0-Web-3-0
  • http://www.ibm.com/developerworks/podcast/dwi/cm-int082206.txt - Developer Works Interviews: Tim Berners-Lee
  • http://whitepapers.theregister.co.uk/paper/view/743/swat-7designs-web2.0-threat-prevention.pdf
  • http://securitymanagement.searchsecurity.com/document5135258/abstract.htm - Seven Design Requirements for Web 2.0 Threat Protection
  • http://csrc.nist.gov/publications/nistpubs/800-28-ver2/SP800-28v2.pdf
  • http://www.youtube.com/watch?v=cbPDN7modE8 - Pattie Maes at TED: Unveiling the Sixth Sense
  • http://blogs.zdnet.com/BTL/?p=4499 - Dan Farber, 2/14/2007, From Semantic Web (3.0) to the WebOS (4.0)