JP Bourget
Rochester Institute of Technology
Syncurity Networks
Arnold Magnetic Technologies

1NTR0 T0 WEB 2.0 SECUR1TY

Why I may be able to teach you something
- I secure networks for a living
- Wait… I secure **data** for a living – networks are a side effect of data
  - Professor – MS in Computer Security and Info Assurance
  - Business – Network Security Manager
  - Student – Security continues to evolve – I have to keep up, but I love it (especially the good vs. evil)
  - Consultant – I pen test for companies to help them identify what weaknesses they have
What is Web 2.0
- Social Networks (Facebook, Twitter, Foursquare, MySpace)
- Web based Apps (gmail/webmail, google docs, mozy, Mint.com, fb apps, wordpress), zillow, lastFM, netflix
- Mobile – iPhone, Android
- A new paradigm in privacy or lack of privacy (i.e. facebook)
- A new model of trust
- (Don’t forget web 3.0 – the intelligent web – it’s on its way – facebook newsfeed is an example of a closed intelligent web)
Web 2.0: Let’s change our lens
- At a basic level – you interact with data
- We can call that data certain things
  - Your facebook or twitter status
  - Your new film
  - Music
  - Scripts
  - Bank info (and transactions)
  - What other examples can you come up with?
What is YOUR web data exposure
- Do you have a:
  - Facebook account?
  - LinkedIn account?
  - Dropbox account?
  - Blog?
  - VPN?
  - Work related Web based application? (CRM, upload site, film preview site?)
  - Script or film stored on your hard drive right now?
Scary
- The desktop security game may be over
  - We have lost
  - Your router or DSL modem can be owned by the bad guys
  - Your desktop may already be owned – do you care? Do you have the ability to detect or fix it?
  - Things are getting worse not better
  - Blame the industry
  - Bruce Potter (shmoo group) says we should revisit the Trusted Computing paradigm
- Proof:
  - Banks and other secure institutions are already assuming their users are insecure
  - AV Vendors are sounding the call to action (but they’ll still take your $$)
History of vulnerabilities
[chart omitted] Source: NIST Vulnerabilities Database
10 Best Practices to secure your data
10. Know what data you have – you organized your filing cabinets – why not your data
9. Identify which data you care about
  - Depending on quantity, you may need to prioritize
  - You may need to assess what is really important to you (i.e. what is your irreplaceable data)
  - I have 3 types of data: public, private, and work
    - What is your gold?
  - Apply the other steps to your types of data based upon their attributes
8. Identify how entities that you share data with treat your data
  - Merchants
  - Banks
  - Social Networking
  - What other 3rd parties do you share your data with?
7. Know your footprint – when you save data are you aware of the tracks you leave?
  - Just because you delete data in Windows/Mac/Linux doesn’t mean that data is purged from disk (if I want it I can get it)
  - Did you share your flash drive, or put it in a computer you don’t trust?
6. Have a good firewall and have someone help you ensure it’s configured correctly
  - The AV industry is a hot mess right now – you aren’t getting what you’re paying for (but you should still have some)
5. Don’t click on random links (follow the attachment rule)
  5a. Don’t use Internet Explorer (before 8) – it has inherent design flaws that will expose you or your data
  5b. Don’t install programs when you don’t know what they do or you don’t need them – practice software minimalism – your CPU and RAM will thank you and you’ll have a smaller attack surface
4. Keep your computer up to date (this is hard sometimes)
  - AV/IDS/IPS
  - Java/Flash/Skype/etc.
  - Adobe – huge attack vector lately
  - Windows/Mac OS X updates
    - Most compromises happen to computers more than 1-2 months behind on updates
3. Physical Security – #s 4-10 can only do so much if I can steal your laptop – physical access is everything… that’s why data centers are so secure – I have unchecked access to your machine – game over
2. Secure Passwords – 95% of problems start with weak passwords
  Passwords are your most effective barrier for your information

  Time to brute-force a password by length (source: onemansblog.com, see Sources):

  Password length   All characters               Only lowercase
  3 characters      0.86 seconds                 0.02 seconds
  4 characters      1.36 minutes                 0.046 seconds
  5 characters      2.15 hours                   11.9 seconds
  6 characters      8.51 days                    5.15 minutes
  7 characters      2.21 years                   2.23 hours
  8 characters      2.10 centuries               2.42 days
  9 characters      20 millennia                 2.07 months
  10 characters     1,899 millennia              4.48 years
  11 characters     180,365 millennia            1.16 centuries
  12 characters     17,184,705 millennia         3.03 millennia
  13 characters     1,627,797,068 millennia      78.7 millennia
  14 characters     154,640,721,434 millennia    2,046 millennia
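As an added example (not part of the original slides), a small Python estimator that reproduces the shape of the table above: keyspace and worst-case exhaustive-search time for an all-printable-character alphabet versus lowercase only, lengths 3 to 14. The slide does not state the guess rate or alphabet size its numbers came from, so the 95-character alphabet and the 1,000,000 guesses/second rate are constructed assumptions and the printed times will not match the slide's exactly; the point it shows is that each extra character multiplies the work by the alphabet size.

```python
"""Brute-force keyspace and exhaustive-search time estimator.

Added example, not code from the slides.  The guess rate and the size of
the "all characters" alphabet are assumptions (the slide gives neither),
so use this to see the growth curve, not to reproduce the slide's figures.
"""

from __future__ import annotations

# Alphabet sizes.  95 = printable ASCII (assumption for "All characters");
# 26 = lowercase letters only.
ALL_CHARS = 95
LOWERCASE = 26

# Assumption (not from the slides): guesses per second for one offline
# cracking machine.  Raise it to model GPU rigs or botnets.
RATE_PER_SECOND = 1_000_000

# Unit ladder matching the slide's table, largest unit first.
_DAY = 86400
_YEAR = 365.25 * _DAY
_UNITS = [
    ("millennia", 1000 * _YEAR),
    ("centuries", 100 * _YEAR),
    ("years", _YEAR),
    ("months", _YEAR / 12),
    ("days", _DAY),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = RATE_PER_SECOND) -> float:
    """Worst case: time to try every password of this length at `rate`/s.
    On average an attacker finds the password after half this time."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit whose value is >= 1."""
    for name, size in _UNITS:
        value = seconds / size
        if value >= 1:
            return f"{value:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def crack_table(lengths=range(3, 15),
                rate: float = RATE_PER_SECOND) -> list[tuple[int, str, str]]:
    """Rows of (length, all-characters time, lowercase-only time)."""
    rows = []
    for n in lengths:
        rows.append((n,
                     human_duration(seconds_to_exhaust(ALL_CHARS, n, rate)),
                     human_duration(seconds_to_exhaust(LOWERCASE, n, rate))))
    return rows


if __name__ == "__main__":
    print(f"{'Length':>6}  {'All characters':>28}  {'Only lowercase':>28}")
    for n, all_t, low_t in crack_table():
        print(f"{n:>6}  {all_t:>28}  {low_t:>28}")
```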
1. BACKUP – If you have good backups you can
  - Have your laptop stolen
  - Have a disk failure
  - Have Windows crash
  - AND STILL HAVE YOUR DATA (but someone else may have it too)
Some More Thoughts
What data do you share out?
- Is it what you intended?
- What does your LinkedIn profile look like?
- What happens when you google yourself?
- What is on your laptop? Is it secured?
- Your phone?
- Your iPad?
Your iPh0ne
- Does your iPhone app transmit your credentials in plain text? (TweetDeck did this forever)
- What data do these apps store on your phone? (iPhone forensics is a hot industry)
- What do you think I can do if I have physical access to your iPhone?
- Wireless vs. 3G access
Backup Ideas
- To disk (use Time Machine, or Windows Backup)
- To the cloud (getdropbox.com, mozy.com)
- Keep a copy somewhere else – your mom’s house – at work – safe deposit box (flip this for business)
Wireless Security
- Pay someone $20 to secure your home network if you don’t know how to
- Don’t connect to WEP networks (use WPA or WPA2 (even better))
- If you aren’t on a network that you (or someone you know) control, don’t do anything you don’t want exposed

Thanks for listening
Any questions?
You can find me:
- jp@syncurity.net or jp.bourget@gmail.com
- Twitter: punkrokk
- Blog: http://www.syncurity.net

Sources: NIST, http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/

More Related Content

What's hot

What's hot (11)

Who's that knocking on my firewall door?
Who's that knocking on my firewall door?Who's that knocking on my firewall door?
Who's that knocking on my firewall door?
 
Computer security
Computer securityComputer security
Computer security
 
Malware
MalwareMalware
Malware
 
Protect
ProtectProtect
Protect
 
Cyber security training
Cyber security trainingCyber security training
Cyber security training
 
Protect Yourself From Internet Pests
Protect Yourself From Internet PestsProtect Yourself From Internet Pests
Protect Yourself From Internet Pests
 
Computer safety
Computer safetyComputer safety
Computer safety
 
Computer And Internet Security
Computer And Internet SecurityComputer And Internet Security
Computer And Internet Security
 
001 ho basic computer
001 ho basic computer001 ho basic computer
001 ho basic computer
 
Safe Computing
Safe ComputingSafe Computing
Safe Computing
 
Online safety, security, ethics & etiquette
Online safety, security, ethics & etiquetteOnline safety, security, ethics & etiquette
Online safety, security, ethics & etiquette
 

Viewers also liked

Michaela Rybičková: Soutěž Společně otevíráme data 2015
Michaela Rybičková: Soutěž Společně otevíráme data 2015Michaela Rybičková: Soutěž Společně otevíráme data 2015
Michaela Rybičková: Soutěž Společně otevíráme data 2015Nadace Open Society Fund Praha
 
Jakub Mráček: Zpráva o konání dobra na českém internetu
Jakub Mráček: Zpráva o konání dobra na českém internetuJakub Mráček: Zpráva o konání dobra na českém internetu
Jakub Mráček: Zpráva o konání dobra na českém internetuNadace Open Society Fund Praha
 
Michal Kubáň: Vše, co jste chtěli vědět o otevřených datech, a báli jste se z...
Michal Kubáň: Vše, co jste chtěli vědět o otevřených datech, a báli jste se z...Michal Kubáň: Vše, co jste chtěli vědět o otevřených datech, a báli jste se z...
Michal Kubáň: Vše, co jste chtěli vědět o otevřených datech, a báli jste se z...Nadace Open Society Fund Praha
 
Roman Řípa: Explore & Influence Your Municipality Budget
Roman Řípa: Explore & Influence Your Municipality BudgetRoman Řípa: Explore & Influence Your Municipality Budget
Roman Řípa: Explore & Influence Your Municipality BudgetNadace Open Society Fund Praha
 
Grabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceGrabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceJP Bourget
 
Michal Kubáň: Otevřená data ve státní správě a samosprávě
Michal Kubáň: Otevřená data ve státní správě a samosprávě Michal Kubáň: Otevřená data ve státní správě a samosprávě
Michal Kubáň: Otevřená data ve státní správě a samosprávě Nadace Open Society Fund Praha
 
Helena Svatošová: Co se podařilo v kampaních v oblasti digitálních práv
Helena Svatošová: Co se podařilo v kampaních v oblasti digitálních právHelena Svatošová: Co se podařilo v kampaních v oblasti digitálních práv
Helena Svatošová: Co se podařilo v kampaních v oblasti digitálních právNadace Open Society Fund Praha
 
Jakub Mráček: Otevřená data - kam kráčí world wide web?
Jakub Mráček: Otevřená data - kam kráčí world wide web?Jakub Mráček: Otevřená data - kam kráčí world wide web?
Jakub Mráček: Otevřená data - kam kráčí world wide web?Nadace Open Society Fund Praha
 
Sebastian Hellmann: Why open data should be open linked data
Sebastian Hellmann: Why open data should be open linked dataSebastian Hellmann: Why open data should be open linked data
Sebastian Hellmann: Why open data should be open linked dataNadace Open Society Fund Praha
 
Financial capability for europe's youth and retirees
Financial capability for europe's youth and retireesFinancial capability for europe's youth and retirees
Financial capability for europe's youth and retireesCSR Europe
 
Enabling technologies cv presentation
Enabling technologies cv presentationEnabling technologies cv presentation
Enabling technologies cv presentationCSR Europe
 
Ideasense: Nápady na aplikace využívající otevřená data měst
Ideasense: Nápady na aplikace využívající otevřená data městIdeasense: Nápady na aplikace využívající otevřená data měst
Ideasense: Nápady na aplikace využívající otevřená data městNadace Open Society Fund Praha
 

Viewers also liked (20)

Petr Kuchař: Otevřená data ve veřejné správě
Petr Kuchař: Otevřená data ve veřejné správěPetr Kuchař: Otevřená data ve veřejné správě
Petr Kuchař: Otevřená data ve veřejné správě
 
Michal Kubáň: Open cities - města 21. století
Michal Kubáň: Open cities - města 21. stoletíMichal Kubáň: Open cities - města 21. století
Michal Kubáň: Open cities - města 21. století
 
Michaela Rybičková: Soutěž Společně otevíráme data 2015
Michaela Rybičková: Soutěž Společně otevíráme data 2015Michaela Rybičková: Soutěž Společně otevíráme data 2015
Michaela Rybičková: Soutěž Společně otevíráme data 2015
 
Jakub Mráček: Zpráva o konání dobra na českém internetu
Jakub Mráček: Zpráva o konání dobra na českém internetuJakub Mráček: Zpráva o konání dobra na českém internetu
Jakub Mráček: Zpráva o konání dobra na českém internetu
 
Sandor Lederer: K-Monitor - Watchdog for Public Funds
Sandor Lederer: K-Monitor - Watchdog for Public FundsSandor Lederer: K-Monitor - Watchdog for Public Funds
Sandor Lederer: K-Monitor - Watchdog for Public Funds
 
Michal Kubáň: Vše, co jste chtěli vědět o otevřených datech, a báli jste se z...
Michal Kubáň: Vše, co jste chtěli vědět o otevřených datech, a báli jste se z...Michal Kubáň: Vše, co jste chtěli vědět o otevřených datech, a báli jste se z...
Michal Kubáň: Vše, co jste chtěli vědět o otevřených datech, a báli jste se z...
 
Pavla Brady: Open data in Opava
Pavla Brady: Open data in OpavaPavla Brady: Open data in Opava
Pavla Brady: Open data in Opava
 
Sander van der Waal: Open Data Census
Sander van der Waal: Open Data CensusSander van der Waal: Open Data Census
Sander van der Waal: Open Data Census
 
Roman Řípa: Explore & Influence Your Municipality Budget
Roman Řípa: Explore & Influence Your Municipality BudgetRoman Řípa: Explore & Influence Your Municipality Budget
Roman Řípa: Explore & Influence Your Municipality Budget
 
Grabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceGrabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/Rackspace
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
 
Michal Kubáň: Otevřená data ve státní správě a samosprávě
Michal Kubáň: Otevřená data ve státní správě a samosprávě Michal Kubáň: Otevřená data ve státní správě a samosprávě
Michal Kubáň: Otevřená data ve státní správě a samosprávě
 
Helena Svatošová: Co se podařilo v kampaních v oblasti digitálních práv
Helena Svatošová: Co se podařilo v kampaních v oblasti digitálních právHelena Svatošová: Co se podařilo v kampaních v oblasti digitálních práv
Helena Svatošová: Co se podařilo v kampaních v oblasti digitálních práv
 
Jakub Mráček: Otevřená data - kam kráčí world wide web?
Jakub Mráček: Otevřená data - kam kráčí world wide web?Jakub Mráček: Otevřená data - kam kráčí world wide web?
Jakub Mráček: Otevřená data - kam kráčí world wide web?
 
Sebastian Hellmann: Why open data should be open linked data
Sebastian Hellmann: Why open data should be open linked dataSebastian Hellmann: Why open data should be open linked data
Sebastian Hellmann: Why open data should be open linked data
 
Thomas Thurner: Government LOD in Vienna
Thomas Thurner: Government LOD in ViennaThomas Thurner: Government LOD in Vienna
Thomas Thurner: Government LOD in Vienna
 
Financial capability for europe's youth and retirees
Financial capability for europe's youth and retireesFinancial capability for europe's youth and retirees
Financial capability for europe's youth and retirees
 
Enabling technologies cv presentation
Enabling technologies cv presentationEnabling technologies cv presentation
Enabling technologies cv presentation
 
Ideasense: Nápady na aplikace využívající otevřená data měst
Ideasense: Nápady na aplikace využívající otevřená data městIdeasense: Nápady na aplikace využívající otevřená data měst
Ideasense: Nápady na aplikace využívající otevřená data měst
 
Jiri Fiala: Nasi Politici o.s. - new media watchdog
Jiri Fiala: Nasi Politici o.s. - new media watchdogJiri Fiala: Nasi Politici o.s. - new media watchdog
Jiri Fiala: Nasi Politici o.s. - new media watchdog
 

Similar to Intro to web 2.0 Security

Eat Your Vegetables - Data Security for Data Scientists
Eat Your Vegetables - Data Security for Data ScientistsEat Your Vegetables - Data Security for Data Scientists
Eat Your Vegetables - Data Security for Data ScientistsWilliam Voorhees
 
10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.Khalil Jubran
 
Derby con 2014
Derby con 2014Derby con 2014
Derby con 2014TonikJDK
 
Security - 101 - ISSA
Security - 101 - ISSASecurity - 101 - ISSA
Security - 101 - ISSAPedro Serrano
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcriptionService2Media
 
B3: Backup & its relevance
B3: Backup & its relevanceB3: Backup & its relevance
B3: Backup & its relevanceRevolucion
 
Roelof Temmingh FIRST07 slides
Roelof Temmingh FIRST07 slidesRoelof Temmingh FIRST07 slides
Roelof Temmingh FIRST07 slidesLeon Kuunders
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceJeff Lemmermann
 
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
Deja vu security   Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...Deja vu security   Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...adamdeja
 
When Worlds Collide: Ethics and Technology for Lawyers
When Worlds Collide: Ethics and Technology for LawyersWhen Worlds Collide: Ethics and Technology for Lawyers
When Worlds Collide: Ethics and Technology for Lawyersrtrautz
 
Securing, Buying, and buying computers 4-H
Securing, Buying, and buying computers 4-HSecuring, Buying, and buying computers 4-H
Securing, Buying, and buying computers 4-Hjmoore55
 
Measures Companies Need To Take In Order To Prevent...
Measures Companies Need To Take In Order To Prevent...Measures Companies Need To Take In Order To Prevent...
Measures Companies Need To Take In Order To Prevent...April Chesser
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationPa Al
 
Protecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World SafetyProtecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World SafetyAEGILITY
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemsHacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemskhalavak
 

Similar to Intro to web 2.0 Security (20)

Eat Your Vegetables - Data Security for Data Scientists
Eat Your Vegetables - Data Security for Data ScientistsEat Your Vegetables - Data Security for Data Scientists
Eat Your Vegetables - Data Security for Data Scientists
 
10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Derby con 2014
Derby con 2014Derby con 2014
Derby con 2014
 
Security - 101 - ISSA
Security - 101 - ISSASecurity - 101 - ISSA
Security - 101 - ISSA
 
Webinar Security: Apps of Steel transcription
Webinar Security:  Apps of Steel transcriptionWebinar Security:  Apps of Steel transcription
Webinar Security: Apps of Steel transcription
 
Cyber security for journalists
Cyber security for journalistsCyber security for journalists
Cyber security for journalists
 
B3: Backup & its relevance
B3: Backup & its relevanceB3: Backup & its relevance
B3: Backup & its relevance
 
Roelof Temmingh FIRST07 slides
Roelof Temmingh FIRST07 slidesRoelof Temmingh FIRST07 slides
Roelof Temmingh FIRST07 slides
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 Conference
 
Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)
 
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
Deja vu security   Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...Deja vu security   Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX ...
 
When Worlds Collide: Ethics and Technology for Lawyers
When Worlds Collide: Ethics and Technology for LawyersWhen Worlds Collide: Ethics and Technology for Lawyers
When Worlds Collide: Ethics and Technology for Lawyers
 
NWSLTR_Volume8_Issue1
NWSLTR_Volume8_Issue1NWSLTR_Volume8_Issue1
NWSLTR_Volume8_Issue1
 
Securing, Buying, and buying computers 4-H
Securing, Buying, and buying computers 4-HSecuring, Buying, and buying computers 4-H
Securing, Buying, and buying computers 4-H
 
Measures Companies Need To Take In Order To Prevent...
Measures Companies Need To Take In Order To Prevent...Measures Companies Need To Take In Order To Prevent...
Measures Companies Need To Take In Order To Prevent...
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/Reputation
 
Protecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World SafetyProtecting Your Privacy: Cyberspace Security, Real World Safety
Protecting Your Privacy: Cyberspace Security, Real World Safety
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemsHacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
 

Recently uploaded

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 

Recently uploaded (20)

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...

Intro to web 2.0 Security

  • 1. JP Bourget – Rochester Institute of Technology, Syncurity Networks, Arnold Magnetic Technologies – 1NTR0 T0 WEB 2.0 SECUR1TY
  • 2. Why I may be able to teach you something
      - I secure networks for a living
      - Wait… I secure **data** for a living – networks are a side effect of data
      - Professor – MS in Computer Security and Info Assurance
      - Business – Network Security Manager
      - Student – security continues to evolve – I have to keep up – but I love it (especially the good vs. evil)
      - Consultant – I pen test for companies to help them identify what weaknesses they have
  • 3. What is Web 2.0
      - Social networks (Facebook, Twitter, Foursquare, MySpace)
      - Web based apps (gmail/webmail, Google Docs, Mozy, Mint.com, Facebook apps, WordPress, Zillow, Last.fm, Netflix)
      - Mobile – iPhone, Android
      - A new paradigm in privacy, or lack of privacy (i.e. Facebook)
      - A new model of trust
      - (Don't forget Web 3.0 – the intelligent web – it's on its way – the Facebook newsfeed is an example of a closed intelligent web)
  • 4. Web 2.0 – let's change our lens
      - At a basic level you interact with data
      - We can call that data certain things:
      - Your Facebook or Twitter status
      - Your new film
      - Music
      - Scripts
      - Bank info (and transactions)
      - What other examples can you come up with?
  • 5. What is YOUR web data exposure? Do you have a:
      - Facebook account?
      - LinkedIn account?
      - Dropbox account?
      - Blog?
      - VPN?
      - Work related web based application? (CRM, upload site, film preview site?)
      - Script or film stored on your hard drive right now?
  • 6. Scary
      - The desktop security game may be over
      - We have lost
      - Your router or DSL modem can be owned by the bad guys
      - Your desktop may already be owned – do you care? Do you have the ability to detect or fix it?
      - Things are getting worse, not better
      - Blame the industry
      - Bruce Potter (Shmoo Group) says we should revisit the Trusted Computing paradigm
      - Proof: banks and other secure institutions are already assuming their users are insecure
      - AV vendors are sounding the call to action (but they'll still take your $$)
  • 7. History of vulnerabilities – Source: NIST Vulnerabilities Database
  • 8. 10 Best Practices to secure your data
      10. Know what data you have – you organized your filing cabinets – why not your data?
      9. Identify which data you care about
      - Depending on quantity, you may need to prioritize
      - You may need to assess what is really important to you (i.e. what is your irreplaceable data)
      - I have 3 types of data: public, private, and work
      - What is your gold?
      - Apply the other steps to your types of data based upon their attributes
  • 9. 10 Best Practices to secure your data
      8. Identify how entities that you share data with treat your data
      - Merchants
      - Banks
      - Social networking
      - What other 3rd parties do you share your data with?
  • 10. 10 Best Practices to secure your data
      7. Know your footprint – when you save data, are you aware of the tracks you leave?
      - Just because you delete data in Windows/Mac/Linux doesn't mean that data is purged from disk (if I want it I can get it)
      - Did you share your flash drive, or put it in a computer you don't trust?
      6. Have a good firewall and have someone help you ensure it's configured correctly
      - The AV industry is a hot mess right now – you aren't getting what you're paying for (but you should still have some)
  • 11. 10 Best Practices to secure your data
      5. Don't click on random links (follow the attachment rule)
      5a. Don't use Internet Explorer (before 8) – it has inherent design flaws that will expose you or your data
      5b. Don't install programs when you don't know what they do or don't need them – practice software minimalism – your CPU and RAM will thank you and you'll have a smaller attack surface
  • 12. 10 Best Practices to secure your data
      4. Keep your computer up to date (this is hard sometimes)
      - AV/IDS/IPS
      - Java/Flash/Skype/etc.
      - Adobe – huge attack vector lately
      - Windows/Mac OS X updates
      - Most compromises happen to computers more than 1-2 months behind on updates
  • 13. 10 Best Practices to secure your data
      3. Physical security – #s 4-10 can only do so much if I can steal your laptop – physical access is everything… that's why data centers are so secure – if I have unchecked access to your machine, game over
  • 14. 10 Best Practices to secure your data
      2. Secure passwords – 95% of problems start with weak passwords. Passwords are your most effective barrier for your information.
      Time to guess a password, by length and character set:

      Password length    All characters              Only lowercase
      3 characters       0.86 seconds                0.02 seconds
      4 characters       1.36 minutes                0.046 seconds
      5 characters       2.15 hours                  11.9 seconds
      6 characters       8.51 days                   5.15 minutes
      7 characters       2.21 years                  2.23 hours
      8 characters       2.10 centuries              2.42 days
      9 characters       20 millennia                2.07 months
      10 characters      1,899 millennia             4.48 years
      11 characters      180,365 millennia           1.16 centuries
      12 characters      17,184,705 millennia        3.03 millennia
      13 characters      1,627,797,068 millennia     78.7 millennia
      14 characters      154,640,721,434 millennia   2,046 millennia
  • 15. 10 Best Practices to secure your data
      1. BACKUP – if you have good backups you can:
      - Have your laptop stolen
      - Have a disk failure
      - Have Windows crash
      - AND STILL HAVE YOUR DATA
      - (but someone else may have it too)
  • 16. Some more thoughts – what data do you share out?
      - Is it what you intended?
      - What does your LinkedIn profile look like?
      - What happens when you google yourself?
      - What is on your laptop? Is it secured?
      - Your phone?
      - Your iPad?
  • 17. Your iPh0ne
      - Does your iPhone app transmit your credentials in plain text? (TweetDeck did this forever)
      - What data do these apps store on your phone? (iPhone forensics is a hot industry)
      - What do you think I can do if I have physical access to your iPhone?
      - Wireless vs. 3G access
  • 18. Backup ideas
      - To disk (use Time Machine, or Windows Backup)
      - To the cloud (getdropbox.com, mozy.com)
      - Keep a copy somewhere else – your mom's house – at work – safe deposit box (flip this for business)
  • 19. Wireless security
      - Pay someone $20 to secure your home network if you don't know how to
      - Don't connect to WEP networks (use WPA, or WPA2 – even better)
      - If you aren't on a network you (or someone you know) control, don't do anything you don't want exposed
  • 20. Thanks for listening – any questions?
      - You can find me: jp@syncurity.net or jp.bourget@gmail.com
      - Twitter: punkrokk
      - Blog: http://www.syncurity.net
      - Sources: NIST, http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/
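The password table on slide 14 gives times without saying how fast the guesses are made. The following script is an added illustration, not part of the deck or of any tool the deck mentions: it computes the same kind of table from first principles. The guess rate (1,000,000 per second) and the 94-character "all characters" alphabet are assumptions chosen so the output lands in the same ballpark as the slide; they are not figures from the presentation. It also goes one step beyond the table by comparing guessing work in bits, which is why a 12-character lowercase password (3.03 millennia on the slide) outlasts an 8-character mixed one (2.10 centuries): length matters more than character variety.

```python
# Added example (not from the slides): how exhaustive password guessing time
# grows with alphabet size and length. The guess rate and the 94-character
# "all characters" alphabet are assumptions; they were picked so the output
# lands in the same ballpark as the table on slide 14, whose rate is not stated.
import math

LOWERCASE = 26                           # a-z
ALL_PRINTABLE = 94                       # printable ASCII minus space (assumption)
ASSUMED_GUESSES_PER_SECOND = 1_000_000   # assumption: roughly what the slide's table implies

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate is tried once at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing work for a uniformly random password."""
    return length * math.log2(alphabet_size)


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that applies, with 2 decimals."""
    units = [
        ("millennia", 1000 * SECONDS_PER_YEAR),
        ("centuries", 100 * SECONDS_PER_YEAR),
        ("years", SECONDS_PER_YEAR),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def guessing_table(lengths=range(3, 15)):
    """(length, all-characters time, lowercase-only time) for each length."""
    return [
        (n,
         humanize(seconds_to_exhaust(ALL_PRINTABLE, n)),
         humanize(seconds_to_exhaust(LOWERCASE, n)))
        for n in lengths
    ]


def longer_simple_beats_shorter_complex(simple_len: int, complex_len: int) -> bool:
    """True when a lowercase-only password of simple_len carries more guessing
    work than an all-printable password of complex_len."""
    return entropy_bits(LOWERCASE, simple_len) > entropy_bits(ALL_PRINTABLE, complex_len)


if __name__ == "__main__":
    print(f"{'Length':<8}{'All characters':<28}{'Only lowercase':<20}")
    for n, all_chars, lower in guessing_table():
        print(f"{n:<8}{all_chars:<28}{lower:<20}")
    # Length wins: 12 lowercase letters (~56 bits) outlast 8 mixed characters (~52 bits).
    print(longer_simple_beats_shorter_complex(12, 8))
```

Changing ASSUMED_GUESSES_PER_SECOND is the point of the exercise: an attacker with a stolen password database and a GPU guesses far faster than one million per second, so the only row of the table that keeps you safe is the one whose length already puts you in the millennia column.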

Editor's Notes

  1. Data is the whole point – it's why we compute – we use data in many different ways – Facebook or Twitter status, sell data (LexisNexis, research, software, FILMS, MUSIC). Adjunct. Global network – 13 networks across the Northern Hemisphere (USA, Europe, China).
  2. FB chat and friend requests. If you trust a friend on a social network, how many degrees of trust are you really allowing?
  3. Blame the industry – consumers generally don't want to be bothered with the complexity or the abstract nature of securing their environment. What does error code AEF3424 mean? How do I tell if I have a malware infection? No good answer. So are you scared yet?