George Iakovakis - Home Iakovakis... · 2017-06-21 · Methodology Introduction: A description of each threat, a definition and some statistics about it, using data sources
George Iakovakis, January 2016
Introduction
What Web Application is…
Why web applications have become the main threat to the secrecy and integrity of our sensitive data…
What OWASP is…
Analysis of OWASP Top 10 - 2013
Contributions in two different areas:
Detection and prevention of web threats, using appropriate tools and techniques.
Presentation of attacks and trends with the most dangerous threats and vulnerabilities during 2013-2015.
OWASP Top 10 – 2013
Methodology
Introduction: A description of each threat, a definition and some statistics about it, using data sources such as the National Vulnerability Database (NVD), Aspect Security, Trustwave, Veracode, WhiteHat Security, etc.
Types of Attack: Main attack methods and their subcategories, using the Web Hacking Incident Database (WHID), which has real-life examples and new entries for many attack methods.
Detection: Detection methods and tools, emphasizing the most important ones.
Prevention: Prevention techniques and tools for every attack separately, examining the most suitable way to stop the attacker from doing harm.
1. Injection Flaws
Types of Attack
SQL Injection
LDAP Injection
XPath Injection
Detection
Database firewall
Injection Detection System
Vulnerability scanning tools
Prevention
Strong Authentication – Access Control
Avoidance of detailed error messages
Input data validation
Using encryption
Acunetix Statistical Vulnerabilities Report 2015
2. Broken Authentication and Session Management
Types of Attack
Phishing attack
Brute force attack
Man in the middle attack
Detection
IDS
Black-list/White-list based tools
Prevention
Using a trusted third party
Awareness of users
Blocking phishing e-mails with spam filters
Using strong encryption, hashing and salting
Using multi-factor authentication
Verizon 2015 Data Breach Investigations Report
3. Cross Site Scripting (XSS)
Types of Attack
Persistent or Stored XSS
Non-persistent or Reflected XSS
DOM Based or Local XSS
Detection
Code review
Web server logs
Online attack detection tools: IDS, Web Application Firewalls (WAF)
Prevention
Attack prevention utilities/tools (IPS, WAF)
Separation of untrusted data from active browser content
Acunetix Report 2015
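The "separation of untrusted data from active browser content" on the slide above, as an added example that is not from the presentation: each output context (HTML text, HTML attribute, JavaScript string literal, link href) gets its own encoder, and the `render_profile` page fragment and its contexts are assumptions made for the demonstration.

```python
# Added example (not from the slides): keep untrusted data separated from active
# browser content by encoding it for the exact context it is inserted into.
# Assumed contexts: HTML text, HTML attribute, a JavaScript string literal inside
# a <script> block, and the href of a link.
import html
import json
from urllib.parse import urlsplit

def for_html_text(value):
    """Untrusted data placed between tags: escape &, <, >, " and '."""
    return html.escape(value, quote=True)

def for_html_attr(value):
    """Untrusted data inside an attribute: same escaping, and always quote the attribute."""
    return '"' + html.escape(value, quote=True) + '"'

def for_js_string(value):
    """Untrusted data inside a <script> string literal: JSON-encode it, then escape
    angle brackets so a literal '</script>' cannot close the script block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def for_href(value):
    """Untrusted data used as a link target: allow only http(s) or relative URLs so
    'javascript:' and 'data:' schemes never reach the browser, then attribute-encode."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in ("", "http", "https"):
        value = "#"  # neutralise rather than guess what the author meant
    return for_html_attr(value)

def render_profile(display_name, homepage):
    """Constructed page fragment that mixes all four contexts with untrusted input."""
    return (
        "<h1>" + for_html_text(display_name) + "</h1>\n"
        "<a href=" + for_href(homepage) + " title=" + for_html_attr(display_name) + ">home</a>\n"
        "<script>var user = " + for_js_string(display_name) + ";</script>"
    )

if __name__ == "__main__":
    # Constructed hostile input: a stored-XSS style payload in the display name.
    print(render_profile('</script><script>alert(1)</script>', "javascript:alert(1)"))
```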
4. Insecure Direct Object References
Types of Attack
Path/Directory Traversal
Null Byte Injection
Detection
Static analysis
Firewall
Penetration testing
Prevention
Access Control
Indirect reference map: substituting the internal reference with an alternate ID.
User input validation: using a whitelist or blacklist
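The indirect reference map from the slide above, as an added example that is not from the presentation: internal record IDs are replaced by random per-session tokens, and a token only resolves if that session was issued it, so an altered or guessed ID cannot reach another user's record. The invoice table, owners and handler names are constructed for the demonstration.

```python
# Added example (not from the slides): a per-session indirect reference map.
# Internal record IDs never reach the browser; each session receives random tokens
# that only resolve back to the objects that session was authorised to see.
import secrets

class IndirectReferenceMap:
    """Map internal object references to opaque, per-session tokens."""

    def __init__(self):
        self._direct_to_indirect = {}   # internal ref -> token
        self._indirect_to_direct = {}   # token -> internal ref

    def add(self, direct_ref):
        """Register an object the current user may access and return its token."""
        if direct_ref in self._direct_to_indirect:
            return self._direct_to_indirect[direct_ref]
        token = secrets.token_urlsafe(16)  # 128 random bits: not guessable
        self._direct_to_indirect[direct_ref] = token
        self._indirect_to_direct[token] = direct_ref
        return token

    def resolve(self, token):
        """Return the internal reference for a token, or None if it was never issued."""
        return self._indirect_to_direct.get(token)


# Constructed data: invoice id -> owner. In a real system this is the database.
INVOICES = {1001: "alice", 1002: "alice", 2001: "bob"}

def build_map_for(user):
    """Build the map a user's session receives: it contains only that user's objects."""
    ref_map = IndirectReferenceMap()
    for invoice_id, owner in INVOICES.items():
        if owner == user:
            ref_map.add(invoice_id)
    return ref_map

def fetch_invoice(ref_map, token):
    """Server-side handler: resolve the session token, never trust a raw ID from the client."""
    invoice_id = ref_map.resolve(token)
    if invoice_id is None:
        return None  # unknown or foreign token: deny, do not fall back to the raw value
    return {"id": invoice_id, "owner": INVOICES[invoice_id]}

if __name__ == "__main__":
    session = build_map_for("alice")
    print(fetch_invoice(session, session.add(1001)))  # alice's own record
    print(fetch_invoice(session, "2001"))              # raw ID of bob's record: None
```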
5. Security Misconfiguration
Types of Attack
Clickjacking
Application Misconfiguration attacks
Server Misconfiguration attacks
Detection
Security configuration auditing tools
Prevention
Install latest updates and security patches
Change usernames, passwords and ports for default accounts
Monitor your logs
Don't run unnecessary servers or interpreters
6. Sensitive Data Exposure
Types of Attack
SQL Injection
Phishing attack
Man in the middle attack
Prevention
Enforce strict data encryption
Have a well-defined password policy
Give access to data only when required
Encrypt backups as well
Detection
Data leak detection using scanning tools
7. Missing Function Level Access Control
Types of Attack
Forced Browsing
DNS Hijacking
Detection
Using scanning tools
Prevention
Using role-based authentication mechanisms
Log sensitive actions
Application vulnerability likelihood – WhiteHat Report 2015
8. Cross Site Request Forgery (CSRF) (1/2)
CSRF vs XSS:
Cross-site scripting (XSS) exploits the trust a user has in a particular site.
CSRF exploits the trust that a site has in a user's browser.
Types of Attack
Stored CSRF: the attacker uses the application itself to deliver the exploit link to the victim.
Reflected CSRF: the attacker uses a system outside the application to expose the victim to the exploit link or content.
Detection: CSRF is currently difficult to detect reliably using automated techniques.
8. Cross Site Request Forgery (CSRF) (2/2)
Prevention
9. Using Components with Known Vulnerabilities
Types of Attack
Injections
Cross site scripting
Zero day attack
Detection
Using Web Application Firewalls
Prevention
Using good component practices
Using threat patterns
Aspect Security Report -2014
10. Unvalidated Redirects and Forwards
Types of Attack
Redirection – Open Redirect attack
Detection
Automated detection with website crawling tools
Manual code scanning
Prevention
Force user notification on redirects and forwards
White-listing URLs
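The URL white-listing from the slide above, as an added example that is not from the presentation: a redirect target is accepted only if it is a same-site path or an absolute http(s) URL whose host is exactly on the allow-list, and everything else falls back to "/". The allow-list hosts and the fallback are assumptions; the checks cover the usual bypass shapes (scheme-relative "//host", backslashes the browser treats as slashes, userinfo "@" tricks, host-suffix look-alikes and non-http schemes).

```python
# Added example (not from the slides): allow-list validation for a redirect target.
# Assumed policy: accept a relative path on this site, or an absolute http(s) URL
# whose host is exactly on ALLOWED_HOSTS; anything else returns SAFE_FALLBACK.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}  # constructed allow-list
SAFE_FALLBACK = "/"

def safe_redirect_target(target):
    """Return `target` (normalised) if it is an acceptable destination, else the fallback."""
    if not target:
        return SAFE_FALLBACK
    # Browsers treat a backslash like a slash, so "/\evil.test" is really "//evil.test".
    # Normalise before parsing so the check sees what the browser will see.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    # Same-site path: exactly one leading "/" ("//host" is a scheme-relative URL).
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return SAFE_FALLBACK  # bare relative names are rejected to stay conservative

    # Absolute URL: only http(s), and only an exact host match. No suffix matching,
    # because "www.example.com.evil.test" would satisfy a startswith() check.
    if parts.scheme not in ("http", "https"):   # urlsplit lowercases the scheme
        return SAFE_FALLBACK
    host = (parts.hostname or "").lower()       # hostname drops userinfo and port
    if host in ALLOWED_HOSTS:
        return candidate
    return SAFE_FALLBACK

if __name__ == "__main__":
    for t in ["/dashboard", "//evil.test/", "/\\evil.test/",
              "https://www.example.com@evil.test/", "https://www.example.com/acct"]:
        print(repr(t), "->", safe_redirect_target(t))
```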
Conclusions
Web application vulnerabilities are increasingly posing serious threats to organizations.
Encryption does not mean data is secured from the attacker.
Developers must give more attention to inside attackers.
Administrators must give different authorization to different types of users.
Attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites.
Website security should be a priority in any organization.
There is an age-old saying:
“It’s too late to sharpen your sword when the drum beats for battle”