1 The Top 10/20 Internet Security Vulnerabilities – A Primer This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.

Presentation transcript:

1 The Top 10/20 Internet Security Vulnerabilities – A Primer This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

2 Pay Me Now or Pay Me Later
- E = D + R
  - E = amount of time you’re exposed
  - D = amount of time it takes to detect an attack
  - R = amount of time it takes to react to an attack
- Easiest way to calculate the cost of an incident
  - Multiply average hourly wage * time * people
  - Plus the IMPACT on the organization…

3 Why Are We Vulnerable?
- Computer systems and programs have become more complex in the past 25 years.
- Quality control hasn’t been able to keep up due to market pressures, programming skill deficiencies, etc.
- Most of these programs/systems are based on code that was never intended to be “production” quality. They were “proof of concept” programs that became the basis of production systems.

4 So Many Systems, Not Enough Time…
- > X million “hosts” are connected to the Net each month. There aren’t X million sysadmins. Something has to give…
- Unfortunately, it’s the sysadmin.
- Not enough training, too many conflicting demands on their time.
- The Prime Directive: Keep the system up!
- Patch the system? When I have time…

5 Hacking = Rocket Science? Not!
- Any good hacker can write the attack tool. The real skill is making it so easy to use that anyone can launch the attack.
- There are lots of hacker WWW sites where you can get these tools. These sites try to outdo each other by designing the best, baddest, most user-friendly site.

6 Why Are the Attacks Successful?
- We didn’t close all the doors because we’re too busy doing “real” stuff.
  - If the hackers got caught, we didn’t punish them. It would be too embarrassing to admit we got hit. Our Incident Response Plans were inadequate.

7 Why Are the Attacks Successful?
- Initially, the attack designers studied (cased) the target code carefully.
  - A lot of attacks are based on Buffer Overflows. Example: a program expects 80 input characters max. You give it 5000 characters. How does the code handle it?
- Now, they just go through holes…
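The 80-character/5000-character scenario on this slide, written out as an added C example (it is not code from the presentation or its source decks). The unchecked copy is the pattern that turns an oversized input into a memory-corruption bug; the checked version beside it rejects any input that does not fit in the 80-byte field before a single byte is written. `FIELD_MAX`, `copy_field_unchecked`, `copy_field_checked` and `check_n_chars` are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* The slide's program "expects 80 input characters max": 79 characters
 * plus the terminating NUL fit in this buffer. */
#define FIELD_MAX 80

/* Vulnerable pattern: nothing checks how long `input` is, so an input of
 * 5000 characters keeps writing past the end of the 80-byte `dest`.
 * Shown for contrast only; it is never called with oversized input here. */
void copy_field_unchecked(char dest[FIELD_MAX], const char *input)
{
    strcpy(dest, input);   /* unbounded copy: the overflow happens here */
}

/* Hardened form: look for the terminator within the first FIELD_MAX bytes.
 * If it is not there the input cannot fit, so reject it without touching
 * more than dest[0]. Returns 0 on success, -1 if the input was too long. */
int copy_field_checked(char dest[FIELD_MAX], const char *input)
{
    const char *nul = memchr(input, '\0', FIELD_MAX);
    if (nul == NULL) {
        dest[0] = '\0';          /* leave a valid, empty field behind */
        return -1;
    }
    /* Length (including NUL) is at most FIELD_MAX, so this copy is bounded. */
    memcpy(dest, input, (size_t)(nul - input) + 1);
    return 0;
}

/* Constructed input: n copies of 'A' (capped at 5000, the slide's figure),
 * fed to the checked copy. Returns that function's result. */
int check_n_chars(size_t n)
{
    static char huge[5001];
    char field[FIELD_MAX];

    if (n > 5000) {
        n = 5000;
    }
    memset(huge, 'A', n);
    huge[n] = '\0';
    return copy_field_checked(field, huge);
}

int main(void)
{
    printf("79 chars:   %s\n", check_n_chars(79) == 0 ? "accepted" : "rejected");
    printf("80 chars:   %s\n", check_n_chars(80) == 0 ? "accepted" : "rejected");
    printf("5000 chars: %s\n", check_n_chars(5000) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check deliberately uses `memchr` bounded to `FIELD_MAX` rather than `strlen`, so even the length measurement never reads beyond the 80 bytes the program promised to handle; the boundary case (exactly 80 characters, which leaves no room for the terminator) is rejected along with the 5000-character case.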

8 CVEs
- What’s a CVE number?
  - CVE = Common Vulnerabilities & Exposures reference number that is used to uniquely identify a vulnerability.
  - It’s like the Dewey Decimal numbers that are used in the library. You can go to any library and find the same book using the same Dewey catalog number.
  - CVE does the same for vulnerabilities.

9 CVEs
- Each item in the list is divided into 4 parts
  - A description of the vulnerability
  - The systems affected by the vulnerability
  - A CVE number identifying the vulnerability
  - Some suggested corrections

The Typical Cube?
- What’s wrong with this picture? Source: CSO Magazine

The Typical Cube?
- How did you do? Source: CSO Magazine

12 OWASP Top Ten
- OWASP_Top_Ten_Project