The document discusses various risks facing organizations with a web presence and provides recommendations to address those risks. It identifies issues such as security vulnerabilities, privacy concerns, social media risks, and analytics inaccuracies. It recommends that organizations conduct security audits, monitor their websites for hackability, disclose any required information, and stay aware of their site's performance, uptime, and what search engines are indexing about them.

1. Risk Management &
Corporate Internet Efforts
Thomas A. Powell
tpowell@pint.com
www.pint.com

2. Our Plan Today
• Show some existing and emerging
problems
• Present some possible solutions
• Illustrate all with examples and stories
• Have a little fun so it is
memorable, because if you don’t
remember much today you won’t act so
… let’s get memorable

3. Risk Management
“Risk management is the
identification, assessment, and prioritization
of risks followed by coordinated and
economical application of resources to
minimize, monitor, and control the
probability and/or impact of unfortunate
events or to maximize the realization of
opportunities.”

4. Translation – Avoid
This
Instead – openly acknowledge what could happen
and actively decide to address it (or not)

5. A Root Cause for
Missing Many Risks?
• Who exactly owns the Web initiatives
• …and in turn the problems and risks
they may face or create?

6. Everybody Does!

7. Mind the gaps!
Diverse ownership often
creates:
• Duplicate (or unnecessary)
expenditures
• Diversity problems
• Lots of gaps!

8. The Web Team
Does!

9. BTW…The Web is
the Real World
• Everything is
different online
don’t you know?
• Psst…don’t tell
anyone

10. Things We
Do To Ourselves
Sometimes we make poor
decisions about:
• Development
• Design
• Hosting
• Security
• Social
• Analytics

11. Add To This Things
Others Do To Us
• Impose rules on us
• Try to hack us
• Try to trick us
• Try to crash us
• Say bad things about us
As well as any black swans of
life we can’t account for

12. There Be Web Orcs!
I can SQL injectz you!

13. And They Cause
Troubles

14. Why – Ego
Defacement
(Relax – Faked) This type of “tagging” for cred

15. Why - Hactivism
All fun and games until LOIC is aimed at your site

16. We’re Not Targets!

17. Why – 4 Lulz
Ok so it isn’t funny to you but it is to them

18. Nope, Never
Happens
After hacking PBS.com
they added this article for
the “Lulz”

19. Why – Spread
Malware “Germs”
Put malware on your home page to infect others

20. Why – ID Theft
You (or your users) are a commodity
(at least your id, IP or cc# is)

21. Come on not us!
• If you get compromised
legally per California SB
1386 you are supposed
to disclose
• 40 other states have
similar laws
• That could be a lot of
trouble and $!

22. Why – Zombie
Recruiting
Grow and army and then…
“Awake my Zombie army and attack!”

23. Really for sure not us!

24. Why – For The $£¥€!

25. Yes - Bad people are
real
credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove
And they’re in your country too…

26. Reaction - Build Walls

27. Man the defenses!
“No worry, IT put a firewall in place”

28. We’re awake!
and what exactly do you see?

29. Just another day on the
Internetz

30. The Toolbox is
Overflowing

31. Attacker Type #1
Stupid Bot Brigade - “Charge!”
../cmd.exe &1=1;droptable

32. Attacker Type #2
“I’m just a lowly peasant HTTP
request. May I pass?”

33. Hope Your Site
Owner Thinks Like a
Bouncer?
“Yer not on the list. Come on in?!”

34. The weak minded are
easily tricked
“These are not the requests you are looking
for”

35. 0-day to the Face!
“To get our new signature files you
need a valid support plan”

36. The Appearance of
Security
The Intent Thief: “How quaint a club!”

37. Real Security
Tradeoffs
This...

38. Security Tradeoffs
...or this?

39. We want it all!

40. Don’t Worry We Use
Open Source!
It’s open code to “hackers” too and if
widely used becomes a big target

41. Zoinks!

42. But everyone uses
that…
Indeed that may be true
I also evaluate my hamburger
quality the same way

43. Evaluating By Looks

44. Custom Troubles
• Reality: Site owners often their
own worst enemy
• Excessive customization by
non-security minded devs
• Now add in some third party
components with their own
troubles for good fun – It’s a 3rd
Party Security Party!

45. Instead It’s A Target
Rich Environment

46. You Must Trust No Inputs

47. Psst…your pants are
down

48. Really…they’re down

49. Psst….This isn’t hidden

50. What’s The
Password?
Keys to your Web Kingdom

51. No Try Limit = No
Security Eventually*
No retry limits
+ No Easy Alerting
Let a bot work on it

52. Password Policy
Time!
• Make your user’s have
some strong password with
letters, numbers, really
long, etc.
• So…they write it down then
• Or they come up with one
and use it everywhere…yes
absolutely everywhere

53. They Hack There To
Hack You Here
A user’s security posture may be weaker
on your other sites and...

54. Password Reuse +
No Second Form =
Fail
“Take this key and believe
you are secure”*

55. Who’s Watching?
• Enjoy your double cap, venti, packet
captured browser session!

56. Better SSL All Your
Public WiFi Sessions
No SSL out in open = grab and go access

57. Always Easiest to
Attack People!
Name : Jim
LaFleur
Occupation : Chief of Security
Organization: Dharma Initiative
Find Jim’s name/email in your site
comments, Linkedin, Facebook, etc.

58. Spear Phising
• Executives are good targets
• Often C-Level executives are
not that “cyber savvy”
• Be quite concerned about any
systems with electronic fund
transfer access

59. Rise of DoSing &
Electronic Sit Ins

60. This is Your
Site on DoS

61. Just Throw Money At
IT
Sure it helps but there is no “silver bullet”
box especially without a posture change

62. Tech Just Can’t Solve
All
And tech issues may lead to real corporate trouble…

63. Accessibility Risks

64. Privacy Risks

65. IP Risks
• Your content, site
design, source, etc. is easily
copied
• It can be quite hard to find all
occurrences of it
• Recourse is tough particularly
if international

66. BTW Ever Look What
You Agreed To?

67. Delivery Really
Matters

68. Speed Fail

69. Misinformation Risks

70. Vetting is for Losers!

71. Speed over
Substance about in the
“Most of what is written
tech world – both in blog form and old
school media form – is bullshit.”
“Most are stories written with little or
no research done. They’re written as
quickly as possible. The faster the
better.”
Right from the “horse’s mouth”

72. Advertising Risks

73. Click Fraud

74. GIGO™ Analytics
• Are your analytics
accurate?
• Are you watching them
real time or not?
• Are you trying to find
answers from reports or
making reports to answer
questions?

75. Did you know?
• When it comes to Web analytics*
• JavaScript Off = Invisible
• Bad people, bots, etc. do this
• Cookies off = Big Mess
• Others can easily forge results

76. Trust But Verify

77. Social Media Risks

78. Watch Out Engaging the
Thoughts of Crowds
Mobs

79. Yeah That’s Not a
Good Use of Social

80. What do you call this
again?

81. GeoSocial Risks

82. Emergency Web
Broadcast System

83. Just in case all that
wasn’t scary enough

84. Summary
• Have you had a security audit of your
Web properties?
• How hackable is your site?
• What disclosure issues may you
have?
• How aware of your site performance
and uptime?
• How aware of what Google’s index
about you and your sit are you?

85. Summary
• What information are you or your
vendors collecting?
• Is your privacy policy addressing it?
• Are you aware of privacy regulations
in the markets you serve
• Are you aware of accessibility concerns
• Could you be a target?

86. Summary
• Do you have a social media policy?
• Do you have a crisis communication
plan?
• Are you actively watching your
analytics?
• How active are you monitoring social for
• Stock issues, HR issues, Customer
Issues

87. Summary
• If you spend ad dollars online
• How do you track effectiveness
• How do you track fraud?
• Do you have an inventory of 3 Party
rd
Scripts / Services you use?
• What are the QoS, Security and
Legal terms of these 3rd parties

88. Summary
• Are you disclosing information both
technical and not that you should not?
• Error pages, source code, social
media profiles, etc.
• What is the fail point of your site or
Web application?
• Are you ready for a DoS attack?

89. Questions?
Thomas A. Powell
tpowell@pint.com
http://www.pint.com
Twitter: PINTSD