This document discusses practical information security topics for web development. It begins with an introduction of the author and defines information security as protecting data from unauthorized access, use, disclosure, disruption or destruction. It then discusses how rapid web development can introduce security risks if new tools are not fully understood. The document outlines several common attacks like XSS, SQL injection, brute forcing and social engineering. It provides examples of each attack and emphasizes that social engineering is effective because it manipulates human psychology. The document concludes by advising the reader on how to prevent attacks through security awareness training and ethical hacking assessments.
2. About me
Ron van der Molen
Father of a son, always learning
@RonvdMolen (twitter)
RonXS (IRC Freenode)
ron@wizkunde.nl
Wizkunde
My History
Ron van der Molen 2014 - Wizkunde.nl
3. What is information security?
The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction
CIA
Confidentiality
Integrity
Availability
4. Impact of Information Security on WebDev
A rapid process, where innovation is one of the largest contradictions to information security
Building better, more stable, feature-rich applications by implementing new tools/frameworks every day, without knowing the full extent of the knowledge of the developers who are writing the code.
5. Impact of Information Security on WebDev
Use the tools to build code
Maintainable
Updateable
Reusable
Interchangeable
Educationable
This can also include secure, if the developers at hand invest time in good coding practices and good security strategies
6. Most used attacks
Cross Site Scripting (XSS)
Cross Site Request Forgery (XSRF)
SQL Injection
Time Based Attacks
Session Fixation
Brute Forcing
7. Cross Site Scripting
Abusing the fact that a user trusts a website
Trusted content
Output is said to be genuine
Example
8. Cross-Site Request Forgery
Abusing the fact that a website trusts a browser
(Also called “reversed XSS”)
Example
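Added example (not from the slides) covering the two previous slides: escaping user-controlled output so the browser renders it as text rather than executing it, and a per-session token so the site no longer trusts any request a browser sends on sight. SERVER_KEY, the form markup and the handler are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from html import escape

# Constructed server-side key; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)

def csrf_token(session_id: str) -> str:
    # Token bound to the session: a forged request from another origin cannot
    # know it, so the cookie the browser attaches automatically is not enough.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf(session_id: str, submitted: str) -> bool:
    # compare_digest avoids leaking matching prefixes through timing.
    return hmac.compare_digest(csrf_token(session_id), submitted)

def render_profile_unsafe(display_name: str) -> str:
    # The XSS slide: attacker-chosen text echoed as if it were trusted markup.
    return f"<p>Posting as {display_name}</p>"

def render_comment_form(session_id: str, display_name: str) -> str:
    # escape() turns <, >, &, " and ' into entities, so the name is shown as
    # text; the hidden field carries the CSRF token checked by verify_csrf().
    return (
        '<form method="post" action="/comment">'
        f'<input type="hidden" name="csrf" value="{csrf_token(session_id)}">'
        f"<p>Posting as {escape(display_name)}</p>"
        '<textarea name="body"></textarea><button>Post</button></form>'
    )

def handle_comment_post(session_id: str, form: dict) -> int:
    # Refuse before touching any state when the token is absent or wrong.
    if not verify_csrf(session_id, form.get("csrf", "")):
        return 403
    return 200

if __name__ == "__main__":
    sid = secrets.token_urlsafe(16)
    print(render_comment_form(sid, "<script>alert(1)</script>"))
    print(handle_comment_post(sid, {"csrf": csrf_token(sid)}))  # 200
    print(handle_comment_post(sid, {"csrf": "forged"}))         # 403
```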
9. SQL Injection
Abusing bad coding practises to inject SQL
Retrieve information
Get unauthorized access
Damage the system
Example
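Added example, not the author's own demo: the bad coding practice from the slide beside its fix, run against a constructed in-memory SQLite table. The table, user and password are made up; the password is stored in plaintext only so the injection point stays visible.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data; real applications store a password hash, not
    # the password itself.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The bad practice from the slide: input pasted into the statement text.
    # A quote in the input ends the string literal and the rest becomes SQL.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterised query: values travel separately from the statement, so
    # the input can only ever be compared, never parsed as SQL.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input that closes the literal
    print(login_vulnerable(conn, "alice", "correct-horse"))  # True
    print(login_vulnerable(conn, "alice", tautology))        # True: unauthorized access
    print(login_safe(conn, "alice", tautology))              # False
```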
10. Time Based Attacks
Profiling the system to get data disclosure, without needing explicit access to the software itself
Abusing known facts or other security flaws gets easier this way
Example
11. Session Fixation
Abusing another user's session to get unauthorized access
Cookie Hijacking
XSS Scripting
Sometimes referred to as persistent XSS
Example
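Added example, not from the slide: a hypothetical in-memory session store (not a real framework's API) that issues a fresh session id on login, so an id planted before authentication never becomes an authenticated one, plus the cookie attributes that keep the id out of reach of injected script.

```python
import secrets
from http.cookies import SimpleCookie

class SessionStore:
    """Constructed in-memory session store used only for this example."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def start(self) -> str:
        # Anonymous session, as handed to any visitor before login.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def login(self, old_sid: str, user: str) -> str:
        # Fixation defence: never carry the id the browser arrived with across
        # the privilege change. Issue a new id and drop the old one, so whoever
        # planted old_sid is left holding a dead session.
        data = self._sessions.pop(old_sid, None) or {}
        new_sid = secrets.token_urlsafe(32)
        data["user"] = user
        self._sessions[new_sid] = data
        return new_sid

def session_cookie(sid: str) -> str:
    # HttpOnly keeps document.cookie (the XSS path on the slide) away from the
    # id; Secure keeps it off plaintext HTTP; SameSite limits cross-site sends.
    c = SimpleCookie()
    c["SESSID"] = sid
    c["SESSID"]["httponly"] = True
    c["SESSID"]["secure"] = True
    c["SESSID"]["samesite"] = "Lax"
    c["SESSID"]["path"] = "/"
    return c.output(header="").strip()

if __name__ == "__main__":
    store = SessionStore()
    planted = store.start()            # id an attacker could have fixed
    fresh = store.login(planted, "alice")
    print(planted != fresh, store.get(planted))   # True None
    print(session_cookie(fresh))
```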
12. Bruteforcing
Send a huge number of requests to the server, and force your way in by trial and error.
This can be more effective than you might think
In combination with time based attacks!
Example
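Added example serving the Time Based Attacks and Bruteforcing slides (not from the original deck): an early-exit comparison whose step count models the timing signal the slide describes, its constant-time replacement, and a constructed per-account throttle that caps trial-and-error attempts. LoginThrottle and its parameters are this example's assumptions.

```python
import hmac
import time
from collections import defaultdict

def naive_equal(secret: str, guess: str):
    """Early-exit comparison; returns (match, characters examined).

    The step count stands in for wall-clock time: a guess sharing a longer
    prefix with the secret is rejected later, which is the signal a time based
    attack measures and a brute forcer uses to confirm one character at a time.
    """
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps

def safe_equal(secret: str, guess: str) -> bool:
    # compare_digest examines every byte regardless of where the mismatch is,
    # so the response time no longer depends on how close the guess was.
    return hmac.compare_digest(secret.encode(), guess.encode())

class LoginThrottle:
    """Constructed per-account throttle: after `limit` failures within `window`
    seconds, further attempts are refused until old failures age out."""

    def __init__(self, limit: int = 5, window: float = 300.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.failures = defaultdict(list)

    def allowed(self, account: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t < self.window]
        self.failures[account] = recent
        return len(recent) < self.limit

    def record_failure(self, account: str) -> None:
        self.failures[account].append(self.clock())

if __name__ == "__main__":
    print(naive_equal("s3cret", "xxxxxx"))  # (False, 1)
    print(naive_equal("s3cret", "s3cxxx"))  # (False, 4): leaks a longer match
    print(safe_equal("s3cret", "s3cxxx"))   # False, same cost as any mismatch
```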
13. More Attacks
Code Injection
Denial of Service (e.g. SYN flooding)
Lower layer architectural attacks
Stack Overflow attacks
Heap Overflow attacks
Many many more known and unknown attacks!
14. Social Engineering
What is it?
Using social skills to change facts or hack and manipulate your way into a normally secured situation
Yes, it's also social engineering if you manipulate or LIE to a person by changing facts to alter the outcome of a problem / situation
15. Social Engineering
What is it?
Where is this an issue?
Everywhere!!!
Larger organisations
Inter organisation collaboration
So how does it work?
16. Social Engineering
How does it work?
Psychology
Small Talk
Common Sense
Brutality
Insecurity / Uncertainty
Emotions
17. Social Engineering
How does it work?
Reverse Psychology
The problem solver
The damsel in distress
Information by incentives
Random rewards to buy information
Discount websites to buy information
18. Social Engineering
How does it work?
Toolkit of a social engineer
Guts
His mouth, you need to be able to talk
Knowing the target's habits
Social Media
Screen Reading
Sticky notes
19. Social Engineering
Who does this?
Everybody, including you and me
Lie
Cheat
Manipulate
Self preservation
20. Social Engineering
How is that even lucrative?
Information has value, and with value come buyers
Kevin Mitnick – The Art of Deception
Slot Machine example
21. Social Engineering
How to prevent it?
Security through obscurity
Create security regulations for your company
Train employees on a regular basis
Assess your organisation by ethical hackers
It will not rule out Social Engineers!