Hewitt.com Redesign Security Considerations Jorgen Hesselberg, MITP’07 Brute Force.

Business Background
- Hewitt Associates
  - Market leader in HR management and outsourcing
  - Major competitors: Accenture, Watson Wyatt, ADS
  - 24,000 employees worldwide
  - $3 Billion annual revenue (’06)
  - …last among competitors in internally commissioned web site study

Hewitt.com Redesign: Implementation Approach
- Outsource website design and development: ARC Worldwide (Leo Burnett)
- Outsource hosting services: SAVVIS

Planning and Risk Mitigation
- Outsourced hosting alleviated security fears
  - Physical separation from Hewitt’s customer data
  - Legal responsibility on vendors
- Prove that the system is safe before paying
  - Perform thorough ethical hack by outside security firm: Symantec

Business Risk Identification
- DoS attacks would be bad…
- …but defacing the site would be much worse:
  - Loss of credibility in conservative industry
  - Brand name capital loss (goodwill)
  - Public embarrassment
  - Legal implications

Vulnerability Report Results
- Overall, site security was solid. No known vulnerabilities related to the Hewitt.com site.
- However, the content management tool used to update material on the site was accessed through a separate site, protected only by an encrypted username and password.

Management Reaction
- “Does not sound like a big deal”
- “Probably not much to worry about”
- “I can’t even remember my own password, much less hack anyone else’s”

Regroup and Recover
- Hewitt security personnel confirmed that the current Hewitt.com site gets attacked more than 1000 times every hour of every day:
  - Port sniffing
  - Mini-DoS attacks
  - Cross-site scripting attempts
  - …etc.
- I presented management with these results... with pretty graphs.

Solution and Aftermath
- Management saw the potential issue
- Agreed to add a VPN requirement to the scope, adding an extra layer of security
- Not a perfect solution, but reduced risk significantly
- Had to balance practicality and benefits
- Symantec approved the approach and identified the risk as ‘acceptable’
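As an added illustration (not part of the original presentation or Hewitt's tooling), the script below turns web-server access logs into the per-hour attack counts behind the "Regroup and Recover" slide and flags CMS admin logins arriving from outside the VPN, which is the gap the VPN requirement closes. The log lines, the VPN range 10.8.0.0/24 and the /admin/ path are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Apache-style); not real Hewitt traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2007:10:01:12 +0000] "GET /?q=<script>alert(1)</script> HTTP/1.1" 200 512
203.0.113.7 - - [03/Apr/2007:10:02:40 +0000] "GET /search?term=%3Cscript%3E HTTP/1.1" 200 488
198.51.100.9 - - [03/Apr/2007:10:05:01 +0000] "GET /admin/login HTTP/1.1" 401 120
10.8.0.5 - - [03/Apr/2007:10:07:33 +0000] "POST /admin/login HTTP/1.1" 302 0
198.51.100.9 - - [03/Apr/2007:11:15:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210
192.0.2.44 - - [03/Apr/2007:11:16:00 +0000] "GET /about.html HTTP/1.1" 200 3400
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
VPN_NET = ip_network("10.8.0.0/24")   # assumed VPN address pool (hypothetical)
CMS_ADMIN_PREFIX = "/admin/"          # assumed path of the CMS tool (hypothetical)
XSS_RE = re.compile(r"<script|%3cscript", re.IGNORECASE)
PROBE_RE = re.compile(r"^/cgi-bin/|\.php$|/phpmyadmin", re.IGNORECASE)


def classify(line):
    """Return (hour_bucket, category) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    hour = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S").strftime("%Y-%m-%d %H:00")
    if XSS_RE.search(path):
        return hour, "xss_attempt"
    if path.startswith(CMS_ADMIN_PREFIX) and ip_address(ip) not in VPN_NET:
        return hour, "cms_admin_outside_vpn"   # password-only exposure of the CMS
    if PROBE_RE.search(path):
        return hour, "probe"
    return hour, "benign"


def hourly_counts(log_text):
    """Per-hour category counts: the numbers behind the 'pretty graphs'."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hour, category = result
            counts[hour][category] += 1
    return dict(counts)


def hostile_per_hour(log_text):
    """Total non-benign events per hour, the headline figure for management."""
    return {hour: sum(n for cat, n in ctr.items() if cat != "benign")
            for hour, ctr in hourly_counts(log_text).items()}
```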

Hewitt.com Launch
- …within three months:
  - Number of hits from target segments increased 354%
    - Industry professionals
    - HR analysts
  - Most popular HR site in the world
  - More than 400,000 hits a month
  - …and no hacker attacks!!!