
Advanced Security Center Overview Northern Illinois University.




1 Advanced Security Center Overview Northern Illinois University

2 Who am I?
- Nathan McFeters, Senior Security Advisor, Ernst & Young's ASC
- Based out of Chicago, serving as a Security Evangelist for the Midwest region
- Noted public speaker, including: Black Hat Europe (2008), Black Hat Federal (2008), Black Hat Japan (2007), ToorCon 9 (2007), DEFCON 15 (2007), Hack in the Box Malaysia (2007)
- Speaking at ToorCon Seattle next week
- Blogger on ZDNet's Zero Day Security Blog (http://blogs.zdnet.com/security)
- Security researcher with numerous vulnerabilities reported to vendors

3 Advanced Security Center Overview
- Dedicated Team
- Cost Efficient and Scalable
- Physical and Logical Controls
- Collaborative Environment
- Centralized Management & Operations
- Standardized Methodologies and Tools
- Consistent Quality Control Procedures
- Knowledge Transfer

4 Global Locations
- Houston
- New York
- London
- Dublin
- Paris
- Buenos Aires
- Singapore

5 Thought Leadership – Publications
- Network Security Tools
- HackNotes Linux and Unix Security Portable Reference
- Defending the Digital Frontier
- Hacking Exposed: Web Applications (Contributing Author)
- Hacking Exposed: Windows 2000 (Contributing Author)
- Ajax Security Basics, SecurityFocus.com

6 Thought Leadership – Public Speaking
- Black Hat Europe: 2008
- Black Hat Federal: 2008
- RSA: 2008
- Hack in the Box, Malaysia: 2007
- ToorCon 9: 2007
- Tecnofin Info Security Forum, Mexico City: 2007
- DEFCON 15: 2007
- Black Hat Europe: 2007
- Black Hat Las Vegas: 2005
- Vanguard Security Conference: 2005 & 2006
- New York Software Industry Association: 2006

7 Thought Leadership – Security Advisories
- Adobe Security Advisory published two days ago: DNS Rebinding Flaw in Adobe Flash's URLLoader class due to DNS canonicalization handling
- Apple Macintosh Security Bulletin 2008: Format String Vulnerability in iPhoto on Mac OS X Leopard
- CVE-2007-4041: Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 allow remote attackers to execute arbitrary commands
- CVE-2007-3670: Firefox "firefoxurl://" URI Handler Registration Vulnerability
- CVE-2007-3294: Netscape "navigatorurl://" URI Handler Registration Vulnerability
- SecurityFocus BID 24927: Trillian is Vulnerable to Remote Command and Remote Code Execution through "aim://" URI
- Microsoft Security Bulletin MS07-035: Integer Overflow Condition in "res://" URI Handler
- Microsoft Security Bulletin MS06-056: XSS Exposure in .NET Framework

8 Testing Data Collection
- We captured 551 tests with 4200 individual findings
- 29% of the reports are infrastructure and 71% are application
- We identified an average of 68.5 instances of issues across all tests
- More than 37755 instances of findings
- More than 15156 instances (40%) of high risk findings

9 Overall Metrics
- 88% of our tests have at least one high risk finding
- 58% of all high risk issues require a low level of effort to exploit
- 54% of all identified issues require only a low level of effort to remediate

10 Infrastructure Metrics
- Only 1% of all issues identified during infrastructure testing could be remediated by implementing a patch
- 67% of all issues identified during infrastructure testing could be remediated by a configuration change
- "Vulnerable service open" and "Weak Database Administrator Password" are the two most common high risk infrastructure vulnerabilities and make up 58% of all high risk infrastructure issues

11 Application Metrics
- 93% of our application tests have at least one high risk finding
- 70% of the high risk issues identified during application testing require a low level of effort to exploit
- 46% of high risk issues identified during application testing require only a low level of effort to remediate
- 57% of the high risk issues identified during application tests require changes to the application code to be remediated

12 Web Application (In)Security

13 The Problem

14 The Cause
[Diagram: layers covered by Traditional Security, top to bottom: Data, Application, Server/Services, Operating System, Infrastructure. Source: www.owasp.org]
Root Cause: Developers without security experience
10 Most Critical Web Application Vulnerabilities:
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage & Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access

15 Web Application Security: The Solution
Application Security Testing
- Methodology and Tools
- Black Box: WebSmack, XS-Sniper
- Grey Box: Prophet, DBHoldup
Education
- Leverage Test Results
- Hands-On
Integration of Both into our Client's Systems Development Lifecycle (SDLC)

16 ASC Application Assessment Tools

17 ASC Application Assessment Tools (cont.)

18 ASC Application Assessment Tools

19 ASC Application Assessment Tools (cont.)

