Electronic Security Initiative 2005 Security Assessment & Security Services 23 August 2005

Internet Assessment
- The Internet assessment found a total of 44 vulnerabilities, affecting 206 systems.
- High-risk exposures were corrected by IEEE IT staff as soon as they were found.

Wireless and Dial-up

Wireless Assessment Remediation Summary

                              High   Medium   Low   Total
  Issues Found                  -       -      -      23
  Issues Resolved               -       -      -      23
  Outstanding Issues            0       0      0       0
  Percent of Issues Resolved                         100%

  (The per-severity counts for issues found and resolved were not preserved in the transcript; the totals follow from the 23 issues reported below and the 0 outstanding.)

- The Wireless & Dial-up assessment found a total of 23 vulnerabilities.
- E&Y did not identify any rogue data carriers on IEEE's dial-up infrastructure.

Web Applications
- The Web Applications assessment found a total of 39 vulnerabilities across 3 web applications.
- The development staff responsible for these applications is working to remediate these security issues.

Remediation: Xplore Security Issues (11 security issues remain)
- High risk (1 issue)
  - No encryption for application login (TBR 1Q 2006). Username and password are sent in clear text. Risk: possible loss of information. The Xplore team is willing to accept the risk in the interim.

Web Applications (Cont'd): Remediation of Xplore Security Issues
- Medium risk (5 issues)
  - Username passed in clear-text cookie (TBR 1Q 2006). Risk: user credentials can be compromised.
  - Arbitrary URL redirection (TBR 1Q 2006). Risk: facilitates phishing and social-engineering attacks.
  - AutoComplete not disabled (TBR 3Q 2006). Risk: username and password are cached by the browser.
  - Weak passwords (TBR 3Q 2006). Risk: passwords can be guessed.
  - Inadequate lockout policy (TBR 3Q 2006). Risk: enables brute-force attacks to guess user passwords.

Web Applications (Cont'd): Remediation of Xplore Security Issues
- Resolving these issues requires programming changes, testing and QA.
  - Most of the critical issues are scheduled to be remediated by 1Q 2006, with the next release of Xplore.
  - All remaining issues are to be remediated by 3Q 2006, with future releases of Xplore.

Web Applications (Cont'd): Remediation of Renewal Security Issues (7 security issues remain)
- High risk (3 issues)
  - Option exists for unencrypted authentication (TBR 9/1/2005). Risk: user credentials are sent in clear text.
  - Application does not enforce password complexity (TBR 9/1/2005). Risk: passwords can be guessed.
  - Username and password exposed in the URL (TBR 9/1/2005). Risk: this information can be easily retrieved from browser history or a log file.

Web Applications (Cont'd): Remediation of Renewal Security Issues
- Medium risk (3 issues)
  - AutoComplete not disabled (TBR 9/1/2005). Risk: username and password are cached in the browser.
  - Cross-site scripting vulnerabilities (TBR 9/1/2005). Risk: scripts can be injected into the Renewal application.
  - Inadequate account lockout policy (TBR 9/1/2005). Risk: enables brute-force attacks to guess user passwords.

Web Applications (Cont'd): Remediation of Renewal Security Issues
- The high- and medium-risk issues are scheduled to be addressed with the next release of Renewal, on 1 Sep 2005.

Web Applications (Cont'd): Remediation of Catalog Security Issues (7 security issues remain)
- High risk (1 issue)
  - Option exists for unencrypted transaction (TBR 9/1/2005). Risk: sensitive information could be captured by an attacker. Note: the actual transmission of credit card information is encrypted.

Web Applications (Cont'd): Remediation of Catalog Security Issues
- Medium risk (3 issues)
  - AutoComplete not disabled (TBR 9/1/2005). Risk: username and password are cached in the browser.
  - Arbitrary URL redirection (remediation not possible). Risk: facilitates phishing and social-engineering attacks. Remediation is not possible due to limitations of the tools in use (Commerce Server); the issue will no longer exist after BMS takes over the Shop function, scheduled for May 2006.
  - Inadequate account lockout policy (remediation not possible). Risk: enables brute-force attacks to guess user passwords. Remediation is not possible due to limitations of the tools used to authenticate users; the issue will no longer exist after BMS takes over the Shop function, scheduled for May 2006.
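Two findings recur across Xplore, Renewal and Catalog above: arbitrary URL redirection and an inadequate account lockout policy. The Python below is an added illustration of the controls that close them; it is not code from the IEEE applications or from the E&Y report. The application hostname, the lockout thresholds and the sample account are assumptions chosen for the example.

```python
"""Controls for two findings in the assessment: arbitrary URL redirection
and an inadequate account lockout policy.  Added illustration only."""
import time
from urllib.parse import urlsplit

APP_HOST = "www.example.org"  # assumed application hostname (illustrative)


def safe_redirect_target(target: str, app_host: str = APP_HOST) -> str:
    """Return a post-login redirect target that stays on the application,
    or "/" when the requested target would send the user elsewhere.

    An open redirect lets an attacker hand out a link on the trusted site
    that lands on a phishing page, so anything not provably local is dropped.
    """
    if not target:
        return "/"
    # Browsers treat backslashes as slashes, so normalise before parsing;
    # otherwise "/\evil.example" looks like a local path but is not.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: allow only http(s) to our host.
        # parts.hostname strips userinfo, so "https://host@evil" resolves
        # to "evil" and is rejected; a non-http scheme is rejected outright.
        if parts.scheme in ("http", "https") and parts.hostname == app_host:
            return candidate
        return "/"
    # Relative target: must be an absolute path on this origin.
    if candidate.startswith("//") or not candidate.startswith("/"):
        return "/"
    return candidate


class LockoutPolicy:
    """Per-account failed-login counter: after `threshold` failures within
    `window` seconds the account is locked for `lockout` seconds.  This is
    the control whose absence lets an attacker brute-force passwords online.
    The clock is injectable so the behaviour can be exercised offline."""

    def __init__(self, threshold=5, window=300, lockout=900, clock=time.time):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.clock = clock
        self._failures = {}      # account -> timestamps of recent failures
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear it and start the failure count afresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Record a failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        recent = [t for t in self._failures.get(account, [])
                  if now - t <= self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(policy, account, password, check_password):
    """Login gate: while locked, the password is not even checked, so the
    attacker learns nothing about it and the verifier is not hammered."""
    if policy.is_locked(account):
        return "locked"
    if check_password(account, password):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "denied"


class FakeClock:
    """Controllable clock for the demonstration below."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Three bad guesses lock the account; even the right password is
    refused until the lock expires.  Account data is constructed sample input."""
    clock = FakeClock()
    policy = LockoutPolicy(threshold=3, window=60, lockout=120, clock=clock)
    users = {"alice": "correct horse"}  # constructed sample credential store
    check = lambda user, pw: users.get(user) == pw
    results = [attempt_login(policy, "alice", "guess%d" % i, check) for i in range(4)]
    results.append(attempt_login(policy, "alice", "correct horse", check))
    clock.t = 121  # lock has expired
    results.append(attempt_login(policy, "alice", "correct horse", check))
    return results


if __name__ == "__main__":
    print(safe_redirect_target("//evil.example/login"))  # "/"
    print(demo())
```

The redirect check rejects by default rather than pattern-matching known bad hosts, which is the only approach that holds up against encoding tricks; the lockout refuses to consult the password verifier at all while an account is locked, so a brute-force run gets a uniform "locked" answer and cannot distinguish a correct guess from a wrong one.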

Security Assessment Next Steps
- IEEE has remediated all vulnerabilities not requiring programming changes.
- The final E&Y report will be delivered by COB Wednesday, August 23.
  - Original scheduled delivery date: 12 Aug 2005 (missed).
  - The vendor requested an extension due to: the ASC close-down for Black Hat/DEF CON; the lead IEEE tester being out of the office (personal matter); and additional time needed to confirm fixes (re-testing).
- Complex security issues requiring programming changes have been prioritized for implementation.