Another Year In Web Security: What did 2012 teach us about surviving 2013?
Webcast Recording: https://www2.gotomeeting.com/register/470974714

If history repeats itself, and the unexpected always happens, how incapable must Man be of learning from experience. Black Hat’s December 2012 webcast will host Jeremiah Grossman, providing an objective analysis of breaches and web security trends in 2012.

Year after year we continue to witness some of the world’s biggest brands in the headlines for security breaches, with seemingly no end in sight. And it's not just the Fortune 500 in the cross-hairs; hacktivists, cyber-criminals, and nation-state sponsored attackers have no problem going after anyone and everyone they choose. Some days it's banks. Other days, retailers. Colleges, restaurant chains, technology companies, television networks, state governments, and so on have also been victimized.

Here's the problem: while last year we saw the average number of serious vulnerabilities on websites drop 66%, showing a glimmer that the open doors for hackers are being closed, the fact of the matter is that even just one vulnerability is just as detrimental as 100. This understanding calls for a new way of thinking about defense. Effective defense is NOT software security perfection, but a strategy that significantly raises the cost to our adversaries of compromising a system with each dollar we invest. In this session, Jeremiah Grossman, CTO and Founder of WhiteHat Security, will discuss the key security breaches that took place in 2012, the most important new lessons learned, and what it all means for the future of cyber security. Attendees will walk away with an idea of what 2012 research and events meant for security and what we can expect to see in 2013.

Published in: Technology
Comments
  • Will the recorded webcast be posted on a site other than gotomeeting? I cannot access the recorded webinar on my Linux machine.
  • I could not listen to the recorded webcast: https://www2.gotomeeting.com/register/470974714
    Does anyone have another recording?
  • I just noticed the hat-tip to @bugcrowd in slide 20. Thanks, Jeremiah!
Transcript

  1. Another Year In Web Security: What did 2012 teach us about surviving 2013?
     Jeremiah Grossman, Founder & Chief Technology Officer
     Black Hat Webcast Series, 12.20.2012
     © 2012 WhiteHat Security, Inc.
  2. Jeremiah Grossman
     • Founder & CTO of WhiteHat Security
     • International Presenter
     • TED Alumni
     • InfoWorld Top 25 CTO
     • Co-founder of the Web Application Security Consortium
     • Co-author: Cross-Site Scripting Attacks
     • Former Yahoo! information security officer
     • Brazilian Jiu-Jitsu Black Belt
  3. • Founded 2001
     • Headquartered in Santa Clara, CA
     • Employees: 240+
     • WhiteHat Sentinel – SaaS end-to-end website risk management platform (static and dynamic analysis)
     • Customers: 500+ (Banking, Retail, Healthcare, etc.)
     https://www.whitehatsec.com/
  4. Two Worlds of Web Security
     Website: A website must be able to defend itself against a hostile client [browser].
     Web Browser: A browser must be able to defend itself against a hostile website.
  5. What we already knew going in to 2012...
     • “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” - Verizon Data Breach Investigations Report (2012)
     • “SQL injection was the means used to extract 83 percent of the total records stolen in successful hacking-related data breaches from 2005 to 2011.” - Privacyrights.org
  6. ...about the victims and attackers...
     • Website breach victims are located all over the world, are large and small, famous and obscure, government and private sector, with primary and secondary systems affected. Whatever is not locked down and publicly accessible gets hacked.
     • The three primary threat agents are Hacktivists, Cyber-Criminals, and Nation-State sponsored adversaries.
  7. ...the vulnerability within the system...
     • The SSL-CA infrastructure remains untrustworthy even when root-certs are not constantly compromised, or when Juliano Rizzo and Thai Duong are not releasing research.
     • Malware is primarily propagated in two ways, via Web browsers and email. Despite $8 billion spent annually on anti-virus products, the malware problem is rampant and extremely lucrative -- for the good guys as well as the bad.
     • Compliance != ‘Secure,’ yet is a huge market driver.
     • 8 out of 10 websites have at least one serious vulnerability. During 2011, the average was 79 vulnerabilities per website, with a time-to-fix of 38 days, and a 63% remediation rate.
  8. [Chart] Average annual amount of new serious* vulnerabilities introduced per website
     * Serious Vulnerability: A security weakness that if exploited may lead to breach or data loss of a system, its data, or users. (PCI-DSS severity HIGH, CRITICAL, or URGENT)
     WhiteHat Sentinel
     • Software-as-a-Service (annual subscription)
     • Unlimited vulnerability assessments
     • 10,000’s of scans concurrently run at any moment
     • World’s largest Web security army
     • 100% vulnerability verification
     • 500+ Customers
     https://www.whitehatsec.com/sentinel_services/sentinel_services.html
     © 2010 WhiteHat Security, Inc. | Page 8
  9. *Sneak Peek* [Charts] Top Ten Vulnerability Classes (2011); Top 15 Vulnerability Classes (2012); “No longer in the Top Ten!”
     Percentage likelihood that at least one serious* vulnerability will appear in a website
  10. WASC: Web Hacking Incident Database
      http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
  11. [some interesting] Breaches In 2012...
  12. *SQL Injection Everywhere!*
      https://krebsonsecurity.com/2011/02/eharmony-hacked/
      http://www.scmagazine.com.au/News/287402,t-mobile-reused-staff-passwords.aspx
  13. SANS Survey on Application Security Programs and Practices
      http://www.sans.org/reading_room/analysts_program/
  14. http://threatpost.com/en_us/blogs/hotmail-password-reset-bug-exploited-wild-042612
  15. http://www.zdnet.com/nike-hacker-steals-over-80000-7000001177/
  16. http://www.npr.org/blogs/money/2012/08/03/157859194/keeping-the-biggest-secret-in-the-u-s-economy
  17. Hack Chain
      http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
  18. Website Security Lesson #1: In the era of “The Cloud,” password(s) WILL BE compromised.
      • One site, one password: Select a unique and hard-to-guess “pass phrase” for each important website account.
      • Store passwords “securely”: Use third-party password managers such as LastPass or 1Password, or optionally write down the passwords, or hints, on a piece of paper.
      • Security questions are passwords: Treat them accordingly.
  19. Website Security Lesson #2: The number and severity of Web breaches are likely to continue, if not increase, in 2013.
      1) Find your websites, all of them: Prioritize by importance to the business.
      2) You must be this tall to ride this ride: Determine how secure a website must be, relative to the adversary's skills.
      3) Hack Yourself First: Measure current security posture, as seen by the adversary, and perform vulnerability gap analysis. Must have the right-to-test over third-party vendors.
      4) Software security best-practices, phooey: Identify where your website security program is failing. Get strategic. Increase the cost to the attacker.
      5) Consider implementing CSP, HSTS, and SSL-only: Lots of “free” security technology is available.
  20. Website Security Lesson #3: One vulnerability is all it takes to get hacked, user accounts taken over, or data compromised.
      • Disclosure Policies and Bug Bounty Program: People will test the security of your website(s) whether you want them to or not. The question is, do you want to receive any of the information about what they uncover ahead of time?
      List of currently active bug bounty programs: http://blog.bugcrowd.com/list-of-active-bug-bounty-programs/
      Web Sites That Accept Security Research: http://dankaminsky.com/2012/02/26/review/
  21. Website Security Lesson #4: Everyone gets hacked -- eventually.
      • Detection and Responsiveness: Invest in security products and programs that enable you to be the first to notice an intrusion, rather than the last.
  22. Website Security Lesson #5: Align security budgets with how the business invests in IT.
      Priority ranking, IT vs. IT Security:
      Applications: IT 1, IT Security 3
      Host: IT 2, IT Security 2
      Network: IT 3, IT Security 1
  23. [no transcribed text]
  24. Browser Security: Front door to the cloud
  25. The 2 Types of Browser Attacks
      1) Attacks designed to escape the browser walls and infect the operating system with malware. (a.k.a. Drive-by-Downloads)
         Security: Sandboxing, silent and automatic updates, increased software security, anti-phishing & anti-malware warnings, etc. [Enabled by default]
      2) Attacks that remain within the browser walls and compromise cloud-based data. XSS, CSRF, Clickjacking, etc.
         Security: SECURE Cookies, httpOnly, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content Security Policy, EV-SSL, etc. [Opt-In by website, users can’t protect themselves]
  26. Seen in the wild... Zero-Days Leveraged by Malvertising & Drive-by-Downloads (title repeated on slides 27 and 28)
  29. Everyday phishing scams
      Online user tracking
      Socially engineered malware
  30. ...staying within the browser walls...
      Cross-Site Scripting (XSS), Cross-Site Request Forgery, and Clickjacking.
  31. http://arstechnica.com/security/2012/12/how-a-computer-worm-slithered-across-a-huge-number-of-tumblr-accounts/
  32. http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700/
  33. http://www.zdnet.com/blog/security/adobe-flash-player-xss-flaw-under-active-attack/10344
  34. http://news.softpedia.com/news/Cybercriminals-Hijack-4-5-Million-ADLS-Modems-in-Brazil-to-Serve-Malware-295845.shtml
  35. http://nakedsecurity.sophos.com/2010/05/31/viral-clickjacking-like-worm-hits-facebook-users/
  36. [no transcribed text]
  37. The Web Won't Be Safe or Secure Until We Break It
      “Unless you've taken very particular precautions, assume every website you visit knows exactly who you are, where you’re from, etc.”
      The Web Won't Be Safe or Secure until We Break It: http://queue.acm.org/detail.cfm?id=2390758
      “I Know...” series: http://blog.whitehatsec.com/introducing-the-i-know-series/
  38. Web Security Research Continues... ...to be finalized in January, 2013.
      http://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/
  39. For a safer browser experience...
      1) Uninstall client-side Java.
      2) All browser plugins should NOT auto-run, but instead be configured to “click-to-play.”
      3) Install security and privacy protecting add-ons including Adblock, Disconnect, Ghostery, Collusion, and NoScript.
      4) Block third-party cookies.
      5) Use the browser private mode more often.
      6) Dump cookies more often.
      7) Use multiple Web browsers. One only for important stuff, another for everything else.
  40. Looking back on 2012, the year looked A LOT like 2011, and that should concern us more than anything as we race into 2013.
      • What software security “best-practices” actually do make a measurable increase in production website security posture, and how much?
      • As browsers and other end-user desktop software become increasingly secure, where do attacks shift to next? Target anti-virus software?
      • How do we exponentially increase the attacker’s cost, while only incrementally increasing the defender’s?
  41. Thank You!
      Blog: http://blog.whitehatsec.com/
      Twitter: http://twitter.com/jeremiahg
      LinkedIn: https://www.linkedin.com/in/grossmanjeremiah/
      Email: jeremiah@whitehatsec.com
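
Slide 25 makes the point that the in-browser defenses (Secure and httpOnly cookies, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content Security Policy) only work when the website opts in, and Lesson #2 (slide 19, item 5) tells site owners to turn them on. As an added example, not part of the original deck, the Python audit below parses a raw HTTP response head and reports which of those opt-in defenses are absent; the two sample responses are constructed, and the one-year HSTS value is only a sample.

```python
from __future__ import annotations
# Headers a website must opt in to before a browser enforces them (slide 25);
# the visitor cannot switch these on from the client side.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: plain-HTTP requests are not upgraded",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "content-security-policy": "CSP missing: no script-source restriction against XSS",
}

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response head into (lowercased name, value) pairs.
    A list rather than a dict, because Set-Cookie legitimately repeats."""
    pairs = []
    for line in raw.replace("\r\n", "\n").strip().split("\n")[1:]:  # skip status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_findings(cookie: str) -> list[str]:
    """Flag a Set-Cookie value that lacks the Secure or HttpOnly attribute."""
    name = cookie.split("=", 1)[0].strip()
    attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
    out = []
    if "secure" not in attrs:
        out.append(f"cookie {name!r} lacks Secure: also sent over plain HTTP")
    if "httponly" not in attrs:
        out.append(f"cookie {name!r} lacks HttpOnly: readable by injected script")
    return out

def audit(raw: str) -> list[str]:
    """Return findings; an empty list means every opt-in defense is present."""
    pairs = parse_headers(raw)
    present = {name for name, _ in pairs}
    findings = [msg for hdr, msg in REQUIRED_HEADERS.items() if hdr not in present]
    for name, value in pairs:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
        elif name == "strict-transport-security" and "max-age=" not in value.lower():
            findings.append("HSTS present but has no max-age, so browsers ignore it")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Set-Cookie: session=abc123; Path=/\r\n")
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
            "Content-Security-Policy: default-src 'self'\r\n"
            "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(resp) or "no findings")
```

Run it against a saved response head (for example the output of `curl -sI` on a site you own) to see which of the slide-25 defenses are still missing.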
