This deck surveys the risks facing organizations with a web presence and recommends ways to address them. It covers security vulnerabilities, privacy exposure, social media risks and inaccurate analytics, and recommends that organizations audit the security of their web properties, know how hackable their sites are, understand their disclosure obligations, and stay aware of site performance, uptime and what search engines are indexing about them.
2. Our Plan Today
• Show some existing and emerging problems
• Present some possible solutions
• Illustrate all with examples and stories
• Have a little fun so it is memorable, because if you don’t remember much today you won’t act, so … let’s get memorable
3. Risk Management
“Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.”
4. Translation – Avoid This
Instead – openly acknowledge what could happen and actively decide to address it (or not)
5. A Root Cause for Missing Many Risks?
• Who exactly owns the Web initiatives…
• …and in turn the problems and risks they may face or create?
9. BTW…The Web is the Real World
• Everything is different online, don’t you know?
• Psst…don’t tell anyone
10. Things We Do To Ourselves
Sometimes we make poor decisions about:
• Development
• Design
• Hosting
• Security
• Social
• Analytics
11. Add To This Things Others Do To Us
• Impose rules on us
• Try to hack us
• Try to trick us
• Try to crash us
• Say bad things about us
As well as any black swans of life we can’t account for
17. Why – 4 Lulz
OK, so it isn’t funny to you, but it is to them
18. Nope, Never Happens
After hacking PBS.com they added this article for the “Lulz”
19. Why – Spread Malware “Germs”
Attackers put malware on your home page to infect your visitors
20. Why – ID Theft
You (or your users) are a commodity (at least your ID, IP address or credit card number is)
21. Come on, not us!
• If you get compromised, California SB 1386 legally requires you to disclose
• 40 other states have similar laws
• That could be a lot of trouble and $!
22. Why – Zombie Recruiting
Grow an army and then…
“Awake my Zombie army and attack!”
25. Yes - Bad people are real
credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove
And they’re in your country too…
44. Custom Troubles
• Reality: Site owners are often their own worst enemy
• Excessive customization by non-security-minded devs
• Now add in some third-party components with their own troubles for good fun – It’s a 3rd Party Security Party!
51. No Try Limit = No Security Eventually*
No retry limits + no easy alerting = let a bot work on it
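What “retry limits + alerting” looks like in code. This is an added example, not code from the deck or from any product it mentions: an in-memory model of a login endpoint that locks an account after a burst of failures, alerts when a single source fails against many accounts (password spraying, which per-account lockout alone misses), and hashes the guess even for unknown usernames so timing does not reveal which accounts exist. LoginGuard, the thresholds, the sample account and the IP addresses are assumptions for illustration.

```python
"""Login throttling with retry limits and an alert hook.

Added example, not code from the deck: a small in-memory model of what
"retry limits + alerting" means for a login endpoint. LoginGuard, the
thresholds, the sample account and the IP addresses are assumptions for
illustration, not any real product's API.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5              # failures per account inside WINDOW_SECONDS before lockout
WINDOW_SECONDS = 300          # sliding window for counting failures
LOCKOUT_SECONDS = 900         # how long an account stays locked
SOURCE_ALERT_THRESHOLD = 20   # failures from one IP across any accounts -> alert (spraying)
ITERATIONS = 20_000           # PBKDF2 rounds; kept low for the demo, raise it in production


def make_user(password, salt=b"demo-salt"):
    """Credential record: (salt, PBKDF2-HMAC-SHA256 digest). Constructed for the demo."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginGuard:
    def __init__(self, users, clock=time.monotonic, alert=print):
        self.users = users                   # {username: (salt, digest)}
        self.clock = clock                   # injectable so the demo is deterministic
        self.alert = alert                   # where "easy alerting" goes: SIEM, pager, log
        self.failures = defaultdict(deque)   # username -> timestamps of recent failures
        self.by_source = defaultdict(deque)  # source ip -> timestamps of recent failures
        self.locked_until = {}               # username -> time the lock expires

    @staticmethod
    def _prune(q, now):
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def _check_password(self, username, password):
        record = self.users.get(username)
        if record is None:
            # hash anyway so an unknown user is not faster to reject than a wrong password
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy-salt", ITERATIONS)
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def attempt(self, username, password, source_ip):
        """Returns "ok", "denied" or "locked"."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"                  # refuse without even checking the password
        if self._check_password(username, password):
            self.failures.pop(username, None)
            return "ok"
        per_account = self.failures[username]
        self._prune(per_account, now)
        per_account.append(now)
        per_source = self.by_source[source_ip]
        self._prune(per_source, now)
        per_source.append(now)
        if len(per_account) >= MAX_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.alert(f"account {username} locked after {len(per_account)} failures, last from {source_ip}")
            return "locked"
        if len(per_source) >= SOURCE_ALERT_THRESHOLD:
            self.alert(f"{source_ip} made {len(per_source)} failed logins in {WINDOW_SECONDS}s across accounts")
        return "denied"


class FakeClock:
    """Deterministic stand-in for time.monotonic() in the demos."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo_dictionary_attack():
    """A bot works one account with a word list; the real password is guess number six."""
    clock, alerts = FakeClock(), []
    guard = LoginGuard({"jim": make_user("correct horse battery staple")}, clock, alerts.append)
    guesses = ["123456", "password", "qwerty", "letmein", "dharma", "correct horse battery staple"]
    results = [guard.attempt("jim", g, "203.0.113.7") for g in guesses]
    clock.advance(LOCKOUT_SECONDS + 1)
    after_unlock = guard.attempt("jim", "correct horse battery staple", "203.0.113.7")
    return results, after_unlock, alerts


def demo_password_spray():
    """One source, one guess, many accounts: nothing locks, but the per-source counter alerts."""
    clock, alerts = FakeClock(), []
    guard = LoginGuard({}, clock, alerts.append)
    for i in range(SOURCE_ALERT_THRESHOLD):
        guard.attempt(f"user{i}", "Summer2011!", "198.51.100.9")
    return alerts


if __name__ == "__main__":
    print(demo_dictionary_attack())
    print(demo_password_spray())
```

In the dictionary run the fifth wrong guess locks the account and fires the alert, so the correct password on guess six is refused until the lock expires; in the spray run no single account ever reaches the limit, which is exactly why the per-source counter and the alert are there.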
52. Password Policy Time!
• Make your users have strong passwords: letters, numbers, really long, etc.
• So…they write them down
• Or they come up with one and use it everywhere…yes, absolutely everywhere
53. They Hack There To Hack You Here
A user’s security posture may be weaker on the other sites they use, and...
54. Password Reuse + No Second Form = Fail
“Take this key and believe you are secure”*
56. Better SSL All Your Public WiFi Sessions
No SSL out in the open = grab-and-go access
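The “grab and go” is the session cookie: if the site only uses SSL for the login page, every later request carries the cookie in the clear and a passive sniffer on the same WiFi (Firesheep, mentioned in the notes) just reads it. This added example, not code from the deck, shows the harvesting side against a constructed capture and then the two response headers that close the hole: the Secure and HttpOnly flags on the cookie and HSTS so the browser never falls back to plain HTTP. The request text and helper names are ours.

```python
"""Session cookies over plaintext, and the headers that stop the grab-and-go.

Added example, not code from the deck. CAPTURED_REQUEST is a constructed
plaintext request of the kind a sniffer sees on open WiFi; the helper names
are ours, the header names are standard HTTP.
"""
from http.cookies import SimpleCookie

# Constructed capture of a logged-in user's non-SSL request on public WiFi.
CAPTURED_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: PHPSESSID=7d3a9c1e5b2f4a8c; remember_me=1; lang=en\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

# substrings that usually mark an authentication or session cookie
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "remember")


def harvest_session_cookies(raw_request: str) -> dict:
    """Firesheep-style: a passive listener only needs the Cookie header to
    replay the session. Returns the cookies that look like session state."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    jar = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for part in value.split(";"):
            key, _, val = part.strip().partition("=")
            if any(hint in key.lower() for hint in SESSION_COOKIE_HINTS):
                jar[key] = val
    return jar


def audit_set_cookie(set_cookie_header: str) -> list:
    """List what is wrong with a Set-Cookie header; empty list means it passes."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    problems = []
    for name, morsel in cookie.items():
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure (browser will send it over plain HTTP)")
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly (readable by injected script)")
    return problems


def hardened_session_headers(name: str, value: str, max_age: int = 3600) -> dict:
    """Response headers for a session cookie that never travels in the clear:
    Secure + HttpOnly on the cookie, HSTS so the browser insists on HTTPS."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = max_age
    return {
        "Set-Cookie": cookie[name].OutputString(),
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


if __name__ == "__main__":
    print(harvest_session_cookies(CAPTURED_REQUEST))
    print(audit_set_cookie("PHPSESSID=7d3a9c1e5b2f4a8c; Path=/"))
    print(hardened_session_headers("PHPSESSID", "7d3a9c1e5b2f4a8c"))
```

Run the audit function over your own application’s Set-Cookie headers; a cookie without Secure is the whole-session leak the slide is about, and HSTS is what keeps a user who types the bare hostname from ever making that first plaintext request.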
57. Always Easiest to Attack People!
Name: Jim LaFleur
Occupation: Chief of Security
Organization: Dharma Initiative
Find Jim’s name/email in your site comments, LinkedIn, Facebook, etc.
58. Spear Phishing
• Executives are good targets
• Often C-level executives are not that “cyber savvy”
• Be quite concerned about any systems with electronic funds transfer access
65. IP Risks
• Your content, site design, source, etc. is easily copied
• It can be quite hard to find all occurrences of it
• Recourse is tough, particularly if international
71. Speed over Substance
“Most of what is written about in the tech world – both in blog form and old school media form – is bullshit.”
“Most are stories written with little or no research done. They’re written as quickly as possible. The faster the better.”
Right from the “horse’s mouth”
74. GIGO™ Analytics
• Are your analytics accurate?
• Are you watching them in real time or not?
• Are you trying to find answers from reports, or making reports to answer questions?
75. Did you know?
• When it comes to Web analytics*
• JavaScript off = invisible (script-based tracking never fires)
• Bad people, bots, etc. do this
• Cookies off = big mess
• Others can easily forge results
84. Summary
• Have you had a security audit of your Web properties?
• How hackable is your site?
• What disclosure issues may you have?
• How aware are you of your site’s performance and uptime?
• How aware are you of what Google has indexed about you and your site?
85. Summary
• What information are you or your vendors collecting?
• Is your privacy policy addressing it?
• Are you aware of privacy regulations in the markets you serve?
• Are you aware of accessibility concerns?
• Could you be a target?
86. Summary
• Do you have a social media policy?
• Do you have a crisis communication plan?
• Are you actively watching your analytics?
• How actively are you monitoring social media for stock issues, HR issues and customer issues?
87. Summary
• If you spend ad dollars online, how do you track effectiveness?
• How do you track fraud?
• Do you have an inventory of the 3rd party scripts/services you use?
• What are the QoS, security and legal terms of these 3rd parties?
88. Summary
• Are you disclosing information, both technical and not, that you should not?
• Error pages, source code, social media profiles, etc.
• What is the fail point of your site or Web application?
• Are you ready for a DoS attack?
89. Questions?
Thomas A. Powell
tpowell@pint.com
http://www.pint.com
Twitter: PINTSD
Editor’s notes
And we promise – there will be no cat pictures today. A single example of one of our products and a few candidates for world’s worst pie charts
Buying a box, list or service isn’t really going to secure that much if you aren’t aware and involved
In particular we often run into an accountability gap
Don’t You Understand!? We’re doing T-Business!!!
This is the runner-up in the world’s worst pie chart contest. The most common outcomes: 1) Information Leakage, 2) Downtime, 3) Defacement. Web Application Security Consortium (WebAppSec.org) Web Hacking Incident Database: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
Relax, I faked this … http://www.cornify.com/ - not real in this case, but if you had an XSS hole don’t be surprised if the famous Konami code reveals this
A common scheme: we have seen it on sites where attackers compromise WordPress, then the database of a shared site, then the home page, to spread malware. You find out once Google starts blocking you.
All those 404s might be poorly executed hack attempts.
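Those 404s are easy to look for. As an added example, not code from the deck, the script below reads Apache combined-format access log lines, groups 404s by client address, and flags any address that produces a burst of them inside a short window, listing which of the missing paths match well-known probe targets (WordPress login, phpMyAdmin, .env and the like). The log lines are constructed for the demo; the thresholds and the probe pattern list are assumptions to tune for your own site.

```python
"""Spotting poorly executed hack attempts in 404 bursts.

Added example, not code from the deck. SAMPLE_LOG is constructed Apache
combined-format data; the thresholds and PROBE_PATTERNS are assumptions
to adjust for a real site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# paths that legitimate visitors of a site without these apps never ask for
PROBE_PATTERNS = re.compile(
    r"(wp-login\.php|wp-admin|xmlrpc\.php|phpmyadmin|/\.env|/\.git/|/etc/passwd|setup\.php|admin\.php)",
    re.IGNORECASE,
)

# Constructed sample: one scanner walking a list of guesses, one ordinary visitor with a typo.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2011:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2011:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2011:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2011:10:00:03 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2011:10:00:04 +0000] "GET /.env HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2011:10:00:05 +0000] "GET /setup.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2011:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2011:10:00:09 +0000] "GET /images/logo.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2011:10:00:15 +0000] "GET /contcat.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_probing(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict:
    """Flag client addresses with `threshold` or more 404s inside any `window`.
    Returns {ip: {"burst": n, "paths": [...], "probe_paths": [...]}}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["status"] == 404:
            by_ip[entry["ip"]].append(entry)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(events)):            # sliding window over sorted timestamps
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            paths = sorted({e["path"] for e in events})
            flagged[ip] = {
                "burst": best,
                "paths": paths,
                "probe_paths": [p for p in paths if PROBE_PATTERNS.search(p)],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_probing(SAMPLE_LOG).items():
        print(ip, info["burst"], "404s in a minute; probe paths:", info["probe_paths"])
```

The visitor who mistyped one URL never reaches the threshold; the scanner does within five seconds, and every one of its misses is a known probe path, which is the difference between a broken link and someone knocking on doors.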
Here it is, the world’s worst pie chart…. The Big Three attack methods, according to WebAppSec.org: SQL Injection, XSS, and DoS.
Secunia advisories for Drupal 6.x: http://secunia.com/advisories/product/17839/?task=advisories
This is a well built house!
A customer who shall not be named here. Uses Sitecore as their base CMS. The external-facing portal uses only a "published view". Sitecore admin and content generation are performed from a separate system located behind the DMZ, which publishes pages to the outside portal.
The top weaknesses according to WebAppSec.org include: Improper Input Handling, Improper Output Handling, Insufficient Anti-Automation, Insufficient Authentication. See also the OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project – 1: Injection; 2: Cross-Site Scripting (XSS); 3: Broken Authentication and Session Management; 4: Insecure Direct Object References; 5: Cross-Site Request Forgery (CSRF); 6: Security Misconfiguration; 7: Insecure Cryptographic Storage; 8: Failure to Restrict URL Access; 9: Insufficient Transport Layer Protection; 10: Unvalidated Redirects and Forwards
Many of the sites we found with exposed login pages also failed to lock out a user after dozens of retries, opening the door to dictionary attacks and brute forcing.
For published Web sites that use authentication, you can also set password policies directly in ASP.NET (web.config), whether the membership provider is AD or SQL Server. See the Sitecore CMS 6 Security API Cookbook (section 2.3): http://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf and the Microsoft documentation here: http://msdn.microsoft.com/en-us/library/whae3t94.aspx
Sadly, even these guys got hacked… But even if you have a second form…. Be careful where you go
The mean streets of Starbucks might be a bit meaner than you think…. Public WiFi is the hacker’s best friend these days
Meet Firesheep - http://en.wikipedia.org/wiki/Firesheep. This was easy to do without it, but we keep lowering the bar for people. Why don’t people do SSL? Cert cost? Server scale?
Let’s assume we are going to avoid the impersonation move
“Process journalism is the posting of a story before it is fully baked, something the NY Times officially despises, but they do it too” – Mike Arrington of TechCrunch / AOL
Google says it is 2%, others say that it is > 20%: http://www.forbes.com/sites/andygreenberg/2010/10/21/record-click-fraud-boosted-by-fake-video-cell-phone-traffic/
Just because I sell you ads doesn’t mean I can’t run your analytics
Southwest Airlines, darling of social media, stumbles with Kevin Smith