Double Deuce Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez

Presentation transcript:

Project Part III: Double Deuce
Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez

Our Security Problem Is Website Attacks
- Firewalls are common in every network deployment, so attackers use websites to get access to the internal network.
- Every industry, be it an online shop, retail store, educational institution or government sector, has a website for public use, which makes the website problem very common across industries.

SQL Injection Web Attack Example
[Figure: query injected by the attacker]
[Figure: output from the query]
Note: account numbers masked to protect customer identity
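The slide shows a screenshot of the injected query and its output but not the code that made the injection possible. The following is an added example, not code from the presentation: a lookup written by string concatenation (the vulnerable form) next to the same lookup with a bound parameter (the hardened form), run against a constructed in-memory SQLite table with made-up account numbers. The tautology input is a widely taught textbook case, constructed here; the masking helper mirrors what the slide does to the screenshot.

```python
import sqlite3

# Constructed demo data: an in-memory table with made-up customer account numbers.
SAMPLE_ROWS = [
    ("alice", "1111-0001"),
    ("bob",   "1111-0002"),
    ("carol", "1111-0003"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customer TEXT, account_no TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def lookup_vulnerable(conn, customer):
    # Vulnerable form: the untrusted value is spliced into the SQL text, so a
    # quote character in the input changes the structure of the query.
    sql = "SELECT account_no FROM accounts WHERE customer = '" + customer + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, customer):
    # Hardened form: the value is bound as a parameter; the driver never treats
    # it as SQL, so it can only match a customer name literally.
    sql = "SELECT account_no FROM accounts WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]

def mask(account_no):
    # Mask all but the last four characters, as the slide masks its screenshot.
    return "*" * (len(account_no) - 4) + account_no[-4:]

# Constructed attacker input: the textbook tautology that turns the WHERE
# clause into a condition that is always true in the vulnerable form.
TAUTOLOGY = "x' OR '1'='1"

def compare(customer):
    # Run both forms on the same input and return the (masked) rows each leaks.
    conn = make_db()
    return {
        "vulnerable": [mask(a) for a in lookup_vulnerable(conn, customer)],
        "parameterized": [mask(a) for a in lookup_parameterized(conn, customer)],
    }

if __name__ == "__main__":
    print(compare("alice"))      # both forms return one masked row
    print(compare(TAUTOLOGY))    # vulnerable form returns every row, parameterized returns none
```

The parameterized form is the fix the code review on a later slide would ask for; a WAF signature for the quote-and-OR pattern is the "virtual patch" that buys time until that fix ships.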

PHP File Inclusion Web Attack Example

Cross-Site Scripting (XSS)
In the code below, you will see that XSS can easily send you to an evil site:
http://www.infotech.northwestern.edu/index.php?name=<script language=javascript>window.location="http://www.veryevilsite.com/toldya.htm";</script>
In the code below, you will see that XSS may cause denial of service with just one line of code:
http://www.avatar.com/ccs1-release-testing/rao.php?name=<script language=javascript>setInterval("window.open('http://www.cs.northwestern.edu/~ychen/','innerName')",10);</script>
The link above will open a window of Dr. Chen's webpage and request it every 10 milliseconds (changed from every 100 milliseconds).
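Both URLs on the slide work because the page reflects the name parameter into its HTML without encoding it. The following is an added example, not code from the presentation, showing the vulnerable reflection beside the hardened version that HTML-encodes the value, with a constructed URL in the shape of the slide's first example (the hosts are placeholders, not the real sites).

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

def name_from_url(url):
    # Extract the "name" query parameter exactly as the server-side page receives it.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("name", [""])[0]

def render_unsafe(name):
    # Vulnerable form: the parameter is reflected verbatim, so any markup in it
    # becomes live script in the visitor's browser.
    return "<h1>Hello, " + name + "</h1>"

def render_safe(name):
    # Hardened form: HTML-encode the untrusted value; <, >, &, and both quote
    # characters become entities, so the browser shows text instead of running it.
    return "<h1>Hello, " + escape(name, quote=True) + "</h1>"

def contains_live_markup(html_fragment):
    # Cheap check a unit test or reviewer can run over rendered output.
    return "<script" in html_fragment.lower()

# Constructed URL modelled on the slide's first example; hosts are placeholders.
SAMPLE_URL = ("http://www.example.invalid/index.php?name="
              "<script>window.location='http://evil.example.invalid/'</script>")

if __name__ == "__main__":
    name = name_from_url(SAMPLE_URL)
    print(render_unsafe(name))   # script tag reaches the browser intact
    print(render_safe(name))     # script tag is shown as harmless text
```

Output encoding at the point where the value is written into HTML is the code-level fix; the WAF discussed later catches the same request pattern on the wire when the code cannot be changed quickly.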

Other Web Attacks
Attackers can target vulnerabilities in the browser (Internet Explorer or Firefox, the Java console, plugins, etc.).

Our Solution
Criteria for evaluation:
- Cost effective
- Few false positives
- High availability
- Effective for new threats
- Ease of configuration
- Out-of-the-box functionality
Solution:
- Web Application Firewall
- Manual Code Reviews and Pen Tests
- Bluecoat Web Filter
- IDS/IPS not ideal for a web solution

Solution Considerations: Web Application Firewalls (WAF)
- Writing secure code is much easier said than done
- A WAF can block a variety of traffic
- High performance and low latency; only looks at Layer 7
- Addresses the PCI 6.6 requirement for web security
- Out-of-the-box web security solution - "virtual patch"
- Gartner's Magic Quadrant on WAFs due in Q4 of 2009
- Costs around $35,000 for the appliance
- Common Web Application Firewalls (WAFs) include WebDefend, ModSecurity (open source) and Imperva SecureSphere

WAF Architecture Choices
- Placed between the firewall and the web application (inline), e.g. reverse proxy mode and transparent mode
- Connected to a network port on the same switch as the web application (out of band), e.g. network monitor mode: blocks traffic by using TCP resets; has no latency and prevents a single point of failure
Security models:
- Allow only "good" traffic (positive)
- Block only malicious traffic (negative)

How does the WAF do the job?
- Dynamic profiling (automated application learning)
- Session protecting engine
- SSL decryption
- Data leakage protection
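The two security models from the previous slide and the dynamic profiling on this one fit together in one piece of decision logic: signatures block what is known to be bad (negative model), and a profile learned from clean traffic blocks anything the application has never been seen to accept (positive model). The following is an added example, not any vendor's code: a miniature WAF that learns a per-path profile from constructed clean requests and then decides on new requests. The signatures, paths and parameter values are all constructed for illustration.

```python
import re
from collections import defaultdict

# Negative model: block requests matching known-bad patterns.
# Constructed, illustrative signatures, not any product's rule set.
NEGATIVE_RULES = {
    "xss_script_tag": re.compile(r"<\s*script", re.I),
    "sqli_quoted_tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

def negative_check(params):
    # Return (parameter, rule) pairs for every signature hit.
    return [(key, rule) for key, value in params.items()
            for rule, rx in NEGATIVE_RULES.items() if rx.search(value)]

def classify(value):
    # Coarse value class used by the positive model.
    if re.fullmatch(r"\d+", value):
        return "digits"
    if re.fullmatch(r"[A-Za-z0-9_.@-]+", value):
        return "token"
    return "free"

class Profile:
    """Positive model learned from clean traffic (the slide's dynamic profiling):
    for each path, which parameters occur, what value classes they take, and how long they get."""

    def __init__(self):
        self.paths = defaultdict(dict)

    def learn(self, path, params):
        for key, value in params.items():
            entry = self.paths[path].setdefault(key, {"kinds": set(), "maxlen": 0})
            entry["kinds"].add(classify(value))
            entry["maxlen"] = max(entry["maxlen"], len(value))

    def check(self, path, params):
        # Anything not observed during learning is a violation (allow-list semantics).
        known = self.paths.get(path)
        if known is None:
            return ["unknown_path"]
        violations = []
        for key, value in params.items():
            if key not in known:
                violations.append("unknown_param:" + key)
                continue
            if classify(value) not in known[key]["kinds"]:
                violations.append("bad_value_class:" + key)
            if len(value) > 2 * known[key]["maxlen"]:
                violations.append("too_long:" + key)
        return violations

def decide(profile, path, params):
    # Signatures first (cheap, few false positives), then the learned profile.
    hits = negative_check(params)
    if hits:
        return ("block", ["signature:" + rule for _, rule in hits])
    violations = profile.check(path, params)
    if violations:
        return ("block", violations)
    return ("allow", [])

# Constructed clean traffic the profile learns from.
TRAINING = [
    ("/index.php", {"name": "alice"}),
    ("/index.php", {"name": "bob_smith"}),
    ("/account.php", {"id": "1042"}),
    ("/account.php", {"id": "1043"}),
]

def build_profile():
    profile = Profile()
    for path, params in TRAINING:
        profile.learn(path, params)
    return profile

if __name__ == "__main__":
    p = build_profile()
    for path, params in [("/index.php", {"name": "carol"}),
                         ("/account.php", {"id": "1042 OR 1=1"}),
                         ("/index.php", {"name": "<script>x</script>"}),
                         ("/admin.php", {})]:
        print(path, params, decide(p, path, params))
```

The account.php case is the one worth noticing: it carries no quote, so the signature misses it, but the learned profile knows that id has only ever been digits and blocks it anyway. That is the trade the slide's "few false positives" criterion is about: the positive model catches new threats, but it must be trained on enough clean traffic or it will block legitimate requests that simply were not seen during learning.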

Manual Code Reviews and Application Pen Tests
- Best defense of websites
- Manual tests done by experts
- Whitebox testing available
- Costs are $300 per 500 lines of code
- Average web application code review costs $30,000 (50,000 lines of code)

Bluecoat Web Filter Defined
Blue Coat WebFilter is an "on-proxy" web filtering solution that protects internal users from:
- Spyware
- Phishing attacks
- P2P
- IM and streaming traffic
- Adult content (sorry)
- Botnets (yayy)
Appliance starts at $10,000

Bluecoat Web Filter – How it Works Refer to whitepaper to explain this

Bluecoat on the Fly detection (Dynamic Detection) Refer to whitepaper to explain this

Magic Quadrant for Secure Web Gateways

Cost/Risk Analysis
Web Application Firewalls
- Costs: open source options available
- Risks: developers should stay on top
Manual Code Reviews and Application Pen Tests
- Costs: very high; $300 per 500 lines of code
- Risks: minimal; code is checked by ethical hackers
Bluecoat Web Filter
- Costs: appliance + support costs
- Risks: moderate; claims 98% coverage of malware

Feasibility Analysis
Web Application Firewalls
- Feasible because open source options are available
- Huge community support
Manual Code Reviews and Application Pen Tests
- Not feasible for most organizations; very costly
- PCI accepts a WAF in place of this
Bluecoat Web Filter
- Feasible because of its database + dynamic protection
- Network license needed rather than per client

Business/Legal Consequences
Web Application Firewall (WAF)
- Lessens the risk to web applications significantly
- No legal consequences
Manual Code Review and Application Pen Tests
- Business case not strong; compliance accepts a WAF
- Legal consequences apply, as discovered exploits are documented and failure to remediate can be bad
Bluecoat Web Filter
- Strong business case, given web attacks in today's world
- User privacy is a big legal concern

Corporate Context
All three solutions are necessary for all industries:
- Government: needless to say
- Education: private student records are at risk
- Healthcare: private health information is at risk
- Private sector: Social Security numbers, credit cards and intellectual property are at risk
Failure to implement these solutions results in compromises, which cause a falling share price, dropping consumer confidence, a bad reputation and high remediation costs.

Related Work and Research in This Area
- SANS paper on web-based threats: http://www.sans.org/reading_room/whitepapers/application/web_based_attacks_2053?show=2053.php&cat=application
- Symantec's paper on web-based threats: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf
- DevShed.com's Cross-Site Scripting paper: http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/1/
- Bluecoat WebFilter datasheet: http://www.bluecoat.com/doc/direct/789
- Web Application Firewall (OWASP): http://www.owasp.org/index.php/Web_Application_Firewall

Thank You!
Jibran Ilyas, Frank LaSota, Paul Lowder, Juan Mendez