SlideShare a Scribd company logo
Media web application
security and vulnerabilities
Eoin Keary CISSP CISA
CTO/Founder edgescan.com
Hacker/Software Security Geek
OWASP Global Board Member (2009-2014)
OWASP Person of the Year 2015 & 2016
Always-on: The pressure to maintain a 24x7 service.
Reputation: one thing that matters above all for most media organizations.
Footprint: The public footprint makes for prime targets for visible impact to a wide audience
Propaganda is alive and well
Cyber attack has become an effective tool in its deployment by both state and non-state groups.
Attempts to raise the profile of a cause, to sow the seeds of fear or to sway public opinion
Threat actors: hacktivists, terrorist and nation states.
Media industry is highly likely to face a CyberAttack in order to disrupt service.
Tactics such as
• DDoS (Denial of Service)
• Defacement
• Integrity Attacks
• Highly-sophisticated Advanced Persistent Threat campaigns conducted by nation states.
Media Business Model & Challenges
2016 – First 90 days
• 83,000 impacted by breach at Gyft Inc
• 63,000 records exposed at UCF (Florida)
• 15,000 credit cards Bailey's Inc.
• Hyatt data beach 250 hotels in 50 countries
• Neiman Marcus – 5,200 accounts
• TaxSlayer – 8,800 customers
43%
50%
49%
58%
8%
4.10%
4.20%
0% 10% 20% 30% 40% 50% 60% 70%
HACKING ATTEMPT
DOS
MALWARE
PHISHING
SQL INJECTION
MOBILE ATTACKS
SOCIAL MEDIA ATTACK
Probability of an Attack Type – Media Orgs
edgescan research - 2016
edgescan.com “Media vertical” Web Security Survey – January 2016 - August 2016
11 Sites Randomly Surveyed globally
• Newspaper
• Television
• Radio
• Social Media
• News Feeds / PR
2%
32%
27%
39%
Frequency of Detection
Critical Risk
High Risk
Medium Risk
Low Risk
Old Vulnerabilities
99.9% of the exploited vulnerabilities in had been
compromised more than a year after the associated CVE
was published. - “Zero day’s” are overrated.
Security by Numbers
Likelihood of a vulnerability being discovered – Web Applications
Challenges to Media
What are we protecting?
Journalist
• Protect sources
• Prevent future storylines being revealed
Broadcaster
• Guarantee content distributed has not been tampered with.
• Protect my systems against denial of service attacks – availability
• Prevent unauthorised access to raw footage
• Live studio production, Control Signals/Technology won't be tampered with.
Rights Holder
• Prevent unauthorised access to my content.
Production team
• Grant access to the content to authorised staff.
Dangerous Times - Journalists
• There is not a journalist working who doesn't expose themselves to a web-
based attack at least once every day.
– journalists have to click links
– open email attachments
– Consider:
• Using an iDevice for mail (not jailbroken)
• Don’t use “office” with Macros enabled
• Enable FDE (Full disk Encryption)
• Patch
• Use and Ad-blocker (I said it!!)
• Don’t use IE (Internet Explorer) or any old browser.
• Disable Flash
Fullstack Protection
Web Applications
App Server
SSL/TLS
Databases
Services
Operating Systems
Networks
Continuous Vigilance
Conclusion
• Fullstack protection is key
– Applications and Hosting environments
• Continuous assessment to match ever-
changing systems & environments
• Journalist procedures – unique problem
• Security is a journey never a destination.

More Related Content

What's hot

Protection of critical information infrastructure
Protection of critical information infrastructureProtection of critical information infrastructure
Protection of critical information infrastructure
Neha Agarwal
 
Cert adli wahid_iisf2011
Cert adli wahid_iisf2011Cert adli wahid_iisf2011
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
Darren Argyle
 
Cyberterrorism. Past, Present, Future
Cyberterrorism. Past, Present, FutureCyberterrorism. Past, Present, Future
Cyberterrorism. Past, Present, Future
Priyanka Aash
 
Bo e v1.0
Bo e v1.0Bo e v1.0
National Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip VictorNational Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip Victor
Knowledge Group
 
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Cybersecurity Education and Research Centre
 
Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...
Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...
Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...
North Texas Chapter of the ISSA
 
2017 K12 Educators Security Briefing - Matthew Rosenquist
2017 K12 Educators Security Briefing - Matthew Rosenquist2017 K12 Educators Security Briefing - Matthew Rosenquist
2017 K12 Educators Security Briefing - Matthew Rosenquist
Matthew Rosenquist
 
Communicating cybersecurity
Communicating cybersecurityCommunicating cybersecurity
Communicating cybersecurity
Jisc
 
Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats"
 Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats" Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats"
Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats"
EC-Council
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?
John Gilligan
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
Hamisi Kibonde
 
CERT Certification
CERT CertificationCERT Certification
CERT Certification
Conferencias FIST
 
Webroot Antivirus Web Security
Webroot Antivirus Web Security Webroot Antivirus Web Security
Webroot Antivirus Web Security
Andrew Close
 
Virtual Bridge Sessions: The National Cyber Security Centre at Your Service
Virtual Bridge Sessions: The National Cyber Security Centre at Your ServiceVirtual Bridge Sessions: The National Cyber Security Centre at Your Service
Virtual Bridge Sessions: The National Cyber Security Centre at Your Service
College Development Network
 
Smart Citizen Cyber Resilience in Asia and Pacific
Smart Citizen Cyber Resilience in Asia and PacificSmart Citizen Cyber Resilience in Asia and Pacific
Smart Citizen Cyber Resilience in Asia and Pacific
Mamello Thinyane
 
Department of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in CyberspaceDepartment of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in Cyberspace
Department of Defense
 
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
Cybersecurity Education and Research Centre
 
cybersecurity- A.Abutaleb
cybersecurity- A.Abutalebcybersecurity- A.Abutaleb
cybersecurity- A.Abutaleb
Fahmi Albaheth
 

What's hot (20)

Protection of critical information infrastructure
Protection of critical information infrastructureProtection of critical information infrastructure
Protection of critical information infrastructure
 
Cert adli wahid_iisf2011
Cert adli wahid_iisf2011Cert adli wahid_iisf2011
Cert adli wahid_iisf2011
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
 
Cyberterrorism. Past, Present, Future
Cyberterrorism. Past, Present, FutureCyberterrorism. Past, Present, Future
Cyberterrorism. Past, Present, Future
 
Bo e v1.0
Bo e v1.0Bo e v1.0
Bo e v1.0
 
National Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip VictorNational Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip Victor
 
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
 
Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...
Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...
Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...
 
2017 K12 Educators Security Briefing - Matthew Rosenquist
2017 K12 Educators Security Briefing - Matthew Rosenquist2017 K12 Educators Security Briefing - Matthew Rosenquist
2017 K12 Educators Security Briefing - Matthew Rosenquist
 
Communicating cybersecurity
Communicating cybersecurityCommunicating cybersecurity
Communicating cybersecurity
 
Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats"
 Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats" Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats"
Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats"
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
 
CERT Certification
CERT CertificationCERT Certification
CERT Certification
 
Webroot Antivirus Web Security
Webroot Antivirus Web Security Webroot Antivirus Web Security
Webroot Antivirus Web Security
 
Virtual Bridge Sessions: The National Cyber Security Centre at Your Service
Virtual Bridge Sessions: The National Cyber Security Centre at Your ServiceVirtual Bridge Sessions: The National Cyber Security Centre at Your Service
Virtual Bridge Sessions: The National Cyber Security Centre at Your Service
 
Smart Citizen Cyber Resilience in Asia and Pacific
Smart Citizen Cyber Resilience in Asia and PacificSmart Citizen Cyber Resilience in Asia and Pacific
Smart Citizen Cyber Resilience in Asia and Pacific
 
Department of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in CyberspaceDepartment of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in Cyberspace
 
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
 
cybersecurity- A.Abutaleb
cybersecurity- A.Abutalebcybersecurity- A.Abutaleb
cybersecurity- A.Abutaleb
 

Similar to Media-web_application_security_and_vulnerabilities

Cyber security # Lec 1
Cyber security # Lec 1Cyber security # Lec 1
Cyber security # Lec 1
Kabul Education University
 
20101012 isa larry_clinton
20101012 isa larry_clinton20101012 isa larry_clinton
20101012 isa larry_clinton
CIONET
 
SOD-Presentation-Des-Moines-10.19.21-v2.pptx
SOD-Presentation-Des-Moines-10.19.21-v2.pptxSOD-Presentation-Des-Moines-10.19.21-v2.pptx
SOD-Presentation-Des-Moines-10.19.21-v2.pptx
TamaOlan1
 
Brooks18
Brooks18Brooks18
Brooks18
Chuck Brooks
 
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
Matthew J McMahon
 
Cyber security and its controls.pptx
Cyber security and its controls.pptxCyber security and its controls.pptx
Cyber security and its controls.pptx
srikmhh
 
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptxWhy-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
dhananjay80
 
CYBER SECURITY.pptx
CYBER SECURITY.pptxCYBER SECURITY.pptx
CYBER SECURITY.pptx
ParthYadav89
 
Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report
Mandar Kharkar
 
Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRI
Zivaro Inc
 
The State of Endpoint Security Today
The State of Endpoint Security Today The State of Endpoint Security Today
The State of Endpoint Security Today
Justine Shaffer
 
Subhankar Dutta, Cyber security presentation.pptx
Subhankar Dutta, Cyber security presentation.pptxSubhankar Dutta, Cyber security presentation.pptx
Subhankar Dutta, Cyber security presentation.pptx
Subhankar26
 
Social media risks and controls
Social media risks and controlsSocial media risks and controls
Social media risks and controls
Marc Vael
 
Cyber Threats: Understanding, Mitigating, and Securing the Digital Realm
Cyber Threats: Understanding, Mitigating, and Securing the Digital RealmCyber Threats: Understanding, Mitigating, and Securing the Digital Realm
Cyber Threats: Understanding, Mitigating, and Securing the Digital Realm
Future Education Magazine
 
M1_Introduction_IPS.pptx
M1_Introduction_IPS.pptxM1_Introduction_IPS.pptx
M1_Introduction_IPS.pptx
imanuelantoniussohir
 
7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank
shreemala1
 
Rishabhcyber security.pptx
Rishabhcyber security.pptxRishabhcyber security.pptx
Rishabhcyber security.pptx
RishabhDwivedi70
 
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your DataLaw Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
Accellis Technology Group
 
Threat Detection as presented at the 2016 DGI Cyber security Conference
Threat Detection as presented at the 2016 DGI Cyber security ConferenceThreat Detection as presented at the 2016 DGI Cyber security Conference
Threat Detection as presented at the 2016 DGI Cyber security Conference
SolarWinds
 
THESIS-2(2)
THESIS-2(2)THESIS-2(2)
THESIS-2(2)
Elsayed Muhammad
 

Similar to Media-web_application_security_and_vulnerabilities (20)

Cyber security # Lec 1
Cyber security # Lec 1Cyber security # Lec 1
Cyber security # Lec 1
 
20101012 isa larry_clinton
20101012 isa larry_clinton20101012 isa larry_clinton
20101012 isa larry_clinton
 
SOD-Presentation-Des-Moines-10.19.21-v2.pptx
SOD-Presentation-Des-Moines-10.19.21-v2.pptxSOD-Presentation-Des-Moines-10.19.21-v2.pptx
SOD-Presentation-Des-Moines-10.19.21-v2.pptx
 
Brooks18
Brooks18Brooks18
Brooks18
 
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
 
Cyber security and its controls.pptx
Cyber security and its controls.pptxCyber security and its controls.pptx
Cyber security and its controls.pptx
 
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptxWhy-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
 
CYBER SECURITY.pptx
CYBER SECURITY.pptxCYBER SECURITY.pptx
CYBER SECURITY.pptx
 
Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report
 
Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRI
 
The State of Endpoint Security Today
The State of Endpoint Security Today The State of Endpoint Security Today
The State of Endpoint Security Today
 
Subhankar Dutta, Cyber security presentation.pptx
Subhankar Dutta, Cyber security presentation.pptxSubhankar Dutta, Cyber security presentation.pptx
Subhankar Dutta, Cyber security presentation.pptx
 
Social media risks and controls
Social media risks and controlsSocial media risks and controls
Social media risks and controls
 
Cyber Threats: Understanding, Mitigating, and Securing the Digital Realm
Cyber Threats: Understanding, Mitigating, and Securing the Digital RealmCyber Threats: Understanding, Mitigating, and Securing the Digital Realm
Cyber Threats: Understanding, Mitigating, and Securing the Digital Realm
 
M1_Introduction_IPS.pptx
M1_Introduction_IPS.pptxM1_Introduction_IPS.pptx
M1_Introduction_IPS.pptx
 
7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank
 
Rishabhcyber security.pptx
Rishabhcyber security.pptxRishabhcyber security.pptx
Rishabhcyber security.pptx
 
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your DataLaw Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
 
Threat Detection as presented at the 2016 DGI Cyber security Conference
Threat Detection as presented at the 2016 DGI Cyber security ConferenceThreat Detection as presented at the 2016 DGI Cyber security Conference
Threat Detection as presented at the 2016 DGI Cyber security Conference
 
THESIS-2(2)
THESIS-2(2)THESIS-2(2)
THESIS-2(2)
 

More from Eoin Keary

IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptx
Eoin Keary
 
Validation of vulnerabilities.pdf
Validation of vulnerabilities.pdfValidation of vulnerabilities.pdf
Validation of vulnerabilities.pdf
Eoin Keary
 
Does a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfDoes a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdf
Eoin Keary
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
Eoin Keary
 
Edgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEdgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats Report
Eoin Keary
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
Eoin Keary
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020
Eoin Keary
 
edgescan vulnerability stats report (2018)
 edgescan vulnerability stats report (2018)  edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
Eoin Keary
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
Eoin Keary
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
Eoin Keary
 
Vulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeVulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of change
Eoin Keary
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Eoin Keary
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.
Eoin Keary
 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat Model
Eoin Keary
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
Eoin Keary
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
Eoin Keary
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong   cloud versionWeb security – everything we know is wrong   cloud version
Web security – everything we know is wrong cloud version
Eoin Keary
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
Eoin Keary
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017
Eoin Keary
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbers
Eoin Keary
 

More from Eoin Keary (20)

IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptx
 
Validation of vulnerabilities.pdf
Validation of vulnerabilities.pdfValidation of vulnerabilities.pdf
Validation of vulnerabilities.pdf
 
Does a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfDoes a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdf
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
 
Edgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEdgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats Report
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020
 
edgescan vulnerability stats report (2018)
 edgescan vulnerability stats report (2018)  edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
 
Vulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeVulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of change
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.
 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat Model
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong   cloud versionWeb security – everything we know is wrong   cloud version
Web security – everything we know is wrong cloud version
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbers
 

Recently uploaded

Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
saathvikreddy2003
 

Recently uploaded (19)

Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
 

Media-web_application_security_and_vulnerabilities

  • 1. Media web application security and vulnerabilities
  • 2. Eoin Keary CISSP CISA CTO/Founder edgescan.com Hacker/Software Security Geek OWASP Global Board Member (2009-2014) OWASP Person of the Year 2015 & 2016
  • 3. Always-on: The pressure to maintain a 24x7 service. Reputation: one thing that matters above all for most media organizations. Footprint: The public footprint makes for prime targets for visible impact to a wide audience Propaganda is alive and well Cyber attack has become an effective tool in its deployment by both state and non-state groups. Attempts to raise the profile of a cause, to sow the seeds of fear or to sway public opinion Threat actors: hacktivists, terrorist and nation states. Media industry is highly likely to face a CyberAttack in order to disrupt service. Tactics such as • DDoS (Denial of Service) • Defacement • Integrity Attacks • Highly-sophisticated Advanced Persistent Threat campaigns conducted by nation states. Media Business Model & Challenges
  • 4. 2016 – First 90 days • 83,000 impacted by breach at Gyft Inc • 63,000 records exposed at UCF (Florida) • 15,000 credit cards Bailey's Inc. • Hyatt data beach 250 hotels in 50 countries • Neiman Marcus – 5,200 accounts • TaxSlayer – 8,800 customers
  • 5. 43% 50% 49% 58% 8% 4.10% 4.20% 0% 10% 20% 30% 40% 50% 60% 70% HACKING ATTEMPT DOS MALWARE PHISHING SQL INJECTION MOBILE ATTACKS SOCIAL MEDIA ATTACK Probability of an Attack Type – Media Orgs edgescan research - 2016
  • 6. edgescan.com “Media vertical” Web Security Survey – January 2016 - August 2016 11 Sites Randomly Surveyed globally • Newspaper • Television • Radio • Social Media • News Feeds / PR 2% 32% 27% 39% Frequency of Detection Critical Risk High Risk Medium Risk Low Risk
  • 7. Old Vulnerabilities 99.9% of the exploited vulnerabilities in had been compromised more than a year after the associated CVE was published. - “Zero day’s” are overrated.
  • 8. Security by Numbers Likelihood of a vulnerability being discovered – Web Applications
  • 9. Challenges to Media What are we protecting? Journalist • Protect sources • Prevent future storylines being revealed Broadcaster • Guarantee content distributed has not been tampered with. • Protect my systems against denial of service attacks – availability • Prevent unauthorised access to raw footage • Live studio production, Control Signals/Technology won't be tampered with. Rights Holder • Prevent unauthorised access to my content. Production team • Grant access to the content to authorised staff.
  • 10. Dangerous Times - Journalists • There is not a journalist working who doesn't expose themselves to a web- based attack at least once every day. – journalists have to click links – open email attachments – Consider: • Using an iDevice for mail (not jailbroken) • Don’t use “office” with Macros enabled • Enable FDE (Full disk Encryption) • Patch • Use and Ad-blocker (I said it!!) • Don’t use IE (Internet Explorer) or any old browser. • Disable Flash
  • 11. Fullstack Protection Web Applications App Server SSL/TLS Databases Services Operating Systems Networks
  • 13. Conclusion • Fullstack protection is key – Applications and Hosting environments • Continuous assessment to match ever- changing systems & environments • Journalist procedures – unique problem • Security is a journey never a destination.