IT-security. What has happened in 2H 2008 regarding IT-security. Read about the Koobface discovery by Websense Security Labs. Websense Security Labs detailed report.
Discusses the security threats associated with Web 2.0 and the ones you should be concerned about.
Additional information can be found at: http://www.senseofsecurity.com.au
Cyber Security is: "Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats."
Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.
Cyberskills shortage: Where is the cyber workforce of tomorrow? (Stephen Cobb)
I created this presentation, "Cyberskills shortage: Where is the cyber workforce of tomorrow", for a webinar to raise awareness of the need to educate more people about cybersecurity. The webinar recording is here: https://www.brighttalk.com/webcast/1718/106371
The importance of information security nowadays (PECB)
Nowadays, living without access to the information of interest at any time and any place, through countless types of devices, has become unimaginable. However, its security has become more important than information access itself. In fact, today information security rules the world...! Why?
"How To Defeat Advanced Malware: New Tools for Protection and Forensics" is a FREE continuing education class that has been designed specifically for CIO's, CTO's, CISO's and senior executives who work within the financial industry and are responsible for their company's endpoint protection.
Cyber Security 101: Training, awareness, strategies for small to medium sized... (Stephen Cobb)
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next generation information security products. Gary is also the founder of NetClarity, Inc., which is the world's first next generation agentless, non-inline network access control (NAC) and bring your own device (BYOD) management appliances vendor based on a patented technology which he invented.
Study of the cyber security market (2011), PwC France
The "Cyber Security M&A" study analyses merger and acquisition transactions in the cyber security market, covering all companies that provide products and/or services for offensive as well as defensive applications in the industrial, IT and telecom sectors. The data used, sourced from Thomson Financial, cover transactions between 1 January 2008 and 30 June 2011.
Find all our publications at: http://www.pwc.fr/publications
TECHNICAL WHITE PAPER: Symantec Website Security Threat Report (Symantec)
The biggest story in 2014 was, of course, the Heartbleed bug, which shook the foundations of Internet security. This wasn't about criminals being clever; it was about the inherent vulnerabilities of human-built software, and it reminded everyone of the need for vigilance, better implementation, and more diligent website security.
Of course, while Heartbleed hit the headlines, criminals were still hard at work making their own opportunities for exploitation, theft and disruption. 2014 saw criminals grow more professional, sophisticated, and aggressive in their tactics to the detriment of businesses and individuals alike.
Automating Critical Security Controls for Threat Remediation and Compliance (Qualys)
Trends like the increased use of cloud computing by businesses and their vendors introduce new complexities in reducing risk and assessing security across the supply chain. Demonstrating continuous risk reduction and compliance with internal policies and external regulations, fixing violations and configuration drift, centrally managing exceptions, and documenting progress are all common challenges.
The Center for Internet Security's (CIS) Critical Security Controls (CSCs) were selected and prioritized by leading security experts to stop today's most common and serious cyber threats. By implementing these controls, organizations can improve their security posture and reduce the risk of threats to critical assets, data, and network infrastructure.
In this webcast SANS Senior Analyst John Pescatore and Tim White, Director of Product Management for Qualys Policy Compliance (PC), discuss how you can achieve continuous security and compliance, and leverage Qualys solutions to address all 20 CSCs.
The presentation encompasses:
• An overview of the CIS Critical Security Controls, including ongoing updates
• Success patterns organizations have demonstrated for using the controls to their advantage
• How automation can reduce the staffing load to determine whether controls are in place and effective
• How to prioritize remediation efforts
• Real-world examples of recent attacks that leveraged misconfigured systems
Watch the on-demand webcast: https://goo.gl/j6Posx
Cerdant is celebrating its 15th year providing the best security possible to all our customers. Our system enhancements and increased IDS capabilities will shorten the time interval on "discovery and containment" to reduce or eliminate "exfiltration". Mike also reviewed the top information security stories of 2016 and revealed the top tools for combatting cybercriminals.
Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.
Your organisation's data are now everywhere: on your servers and your desktop PCs; on your employees' smart phones, tablet computers and laptops; on social networks; and in public clouds. Some of these data require special protection but they also need to be accessed remotely, which makes security a considerable challenge. Can you trust public clouds to keep your data safe and secure? Can you trust your own internal systems? And on what criteria and risk management strategies should you base your trust? -- Dr Mark Ian Williams's presentation at the April 2012 'Why Cloud? Why now?' conference at the headquarters of the Institute of Chartered Accountants in England and Wales.
Journey to the Cloud: Securing Your AWS Applications - April 2015 (Alert Logic)
James Brown, Director of Cloud Computing & Security Architecture, Alert Logic covers:
• The shared security model: what security you are responsible for to protect your content, applications, systems and networks vs AWS.
• Overview of the OWASP Top 10 most critical web application security risks (such as SQL injection)
• Best practices for how to protect your environment from the latest threats
Top Application Security Trends of 2012 (DaveEdwards12)
Learn about the major risks to Cloud and Web-based applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers? Application Security has become one of the top priorities of CIOs, CSOs and IT staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to secure your applications.
Learn all about the latest CompTIA Security+ SY0-701 exam in 2 minutes! Swipe through the slides to discover the new updates in this latest version, its course content, target audience, exam details, career scope, and more.
Start your learning journey now: https://www.infosectrain.com/courses/comptia-security/
In the ever-evolving cybersecurity landscape, the latest version of the CompTIA Security+ (SY0-701) training course from InfosecTrain is your gateway to mastering the core skills necessary to secure data and information systems in the digital age.
The CompTIA Security+ SY0-701 course from InfosecTrain provides a comprehensive and expert-led training experience, covering five key domains that are essential for understanding and excelling in the field of information security. Participants will delve into general security concepts, threats, vulnerabilities, mitigations, security architecture, security operations, and security program management. The course features practical exercises and hands-on labs to develop participants' skills, ensuring that participants are well-prepared for the SY0-701 certification exam.
Unlock essential cybersecurity skills with InfosecTrain's latest CompTIA Security+ (SY0-701) course. Master core competencies in data and information system security, covering the latest threats, automation, zero trust principles, IoT security, and risk management. Be exam-ready and secure success on your first attempt.
Application Security - Understanding The Horizon (Lalit Kale)
This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I tried to cover broader aspects of Application Security basics. This presentation will be useful for software architects/managers, developers and QAs. Do share your feedback in the comments.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application User Interface (API)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Ethical Hacking and Cybersecurity - Key Trends in 2022 (PECB)
In recent years, there has been a significant number of cyberattacks resulting in massive business disruptions.
In this regard, many organizations are hiring ethical hacking groups to help prevent future attacks.
Amongst others, the webinar covers:
• 2021 Cyber-incidents
• 2021 Black swans
• Ransomware vNext
• IoT - internet of things
• Cyber security insurance evolution
• Cyber best practices & frameworks
• The 2022 black swans
Presenter:
Our first presenter for this webinar is Peter Geelen, director and managing consultant at CyberMinute and Owner of Quest for Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture, Identity & Access management, but also privacy, information & data protection, cyber- and cloud security. In the last few years, the focus has been on ISO/IEC 27001 and other ISO certification mechanisms. Peter is an accredited Lead Auditor for ISO/IEC 27001 and ISO 9001, a PECB Trainer and a Fellow in Privacy.
Our second presenter is Erwin AM Geirnaert, Co-founder and Chief Application Security Architect at Shift Left Security, a Belgian cybersecurity start-up specialized in securing start-ups, scale-ups and SMBs against malicious cybercriminals. Erwin is a specialist in mobile security, J2EE security, .NET security, API security and web services security. Erwin has more than 20 years' experience in executing security tests, aka penetration testing, of web applications, mobile apps, APIs and thick client applications. He is also a recognized application security expert and speaker at international events like Javapolis, LSEC, OWASP, Eurostar, Infosecurity, etc.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/ZHQQ1yJX2uU
Website link: https://pecb.com/
- Introduction to Web Security
- Why Is Security So Important?
- Web Security Considerations
- Web Security Approaches
- Secure Socket Layer (SSL) and Transport Layer Security (TLS)
- Secure Electronic Transaction (SET)
- Recommended Reading
- Problems
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What's changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as "predictable inference".
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology is pushing into IT, I was wondering, as an "infrastructure container kubernetes guy", how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I have already got working for real.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties (USA)
Expansion of bot farms: how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks (Europe)
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there's more:
In a second workflow supporting the same use case, you'll see:
Your campaign sent to target colleagues for approval
If the "Approve" button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But if the "Reject" button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
1. Mitigating Web 2.0 Threats
Or, "This isn't your mother's internet!"
David Sherry CISSP CISM
Chief Information Security Officer
Sponsored By: Brown University
2. Security @ Brown
• Security evangelism
• Incident Response Team
• Audit support
• Compliance and legal standards
• Firewalls, IDS, IPS, VPN, sniffers, A/V, DNS, etc.
• Security audits and certifications
• Public Safety support
• Human Resources support
• Records Management
• Business Continuity
• Disaster Recovery
• Copyright / DMCA agent
• Discipline Committee
• Mandatory / elective training
• Awareness
3. Today's Agenda (or is it a mashup?)
• Our changing world of security
• What is Web 2.0?
• Attack vectors and areas of concern
• The evolution of the threats... they're nothing new!
• What should be focused on
• Recommendations to reduce the threat
4. Our World is Changing
"May you live in interesting times..." (Chinese proverb)
• Compliance is a key competency of security pros
• Identity theft is the fastest growing crime
• The President's Cyber Security Initiative provides a spotlight
• The online underground economy has matured
• The national and global economy means "do more with less"
• Threat evolution:
  • Infrastructure > web/messaging > DLP > Web 2.0
5. What is Web 2.0?
Used with permission via Creative Commons: http://kosmar.de/archives/2005/11/11/the-huge-cloud-lens-bubble-map-web20/
6.
7. What is Web 2.0?
From Wikipedia (which is, itself, a 2.0 phenomenon):
"Web 2.0" refers to web development and web design that facilitates interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web. Examples of Web 2.0 include web-based communities, hosted services, web applications, social-networking sites, video-sharing sites, wikis, blogs, mashups and folksonomies. A Web 2.0 site allows its users to interact with other users or to change website content, in contrast to non-interactive websites where users are limited to the passive viewing of information that is provided to them.
8. Common Web 2.0 Descriptors
• "User generated content"
• "Mashups and web services"
• "Consumer and enterprise convergence"
• "Diversity of client software"
• "Complexity and asynchronous operations"
9. The Enterprise Triple-Threat of 2.0
1. Loss of productivity
2. Vulnerable to data leaks
3. Increased security risks
10. Characteristics of Web 2.0 Security
• Web filtering is no longer adequate
• AJAX, SAML and XML create problems for detection
• RSS and RIA can enter directly into networks
• Non-static content makes identification difficult
• High bandwidth use can hinder availability
• User generated content is hard to contain
11. Web 2.0 Attack Vectors
• Blogs
• Social networks
• Web portals
• Mashups
• Pop-ups
• Anonymizing proxies
• Spamdexing
• Widgets
12. Web 2.0 Areas of Concern
• Client side issues
  • Transparency and cross-domain communications; AJAX and JavaScript attacks on the rise
• Protocols
  • New protocols on top of HTTP/S (SOAP, XML, etc.)
• Information sources
  • Concerns over integrity, transiency, and diversity
• Information structures
  • Variations of data structures, injection attacks
• Server side
  • Architecture, authorization, and authentication weaknesses
13. Evolution of the Threats in 2.0
• USB and auto-run malicious code
• Insiders are a threat, but they don't know it
• Adobe PDFs and Flash replace Word and Excel
• Worms travel through social spaces into offices
• DoS attacks against social networks
• Malware travels via all conduits
• Pop-ups advertise seemingly legitimate services and take advantage of current events
14. So what do you focus on?
From Secure Enterprise 2.0, the dangers come from:
1. Insufficient authentication controls
2. Cross-site scripting
3. Cross-site request forgery
4. Phishing
5. Information leakage
6. Injection flaws
7. Information integrity
8. Insufficient anti-automation
www.secure-enterprise20.org
15. Recommendations for Web 2.0
Technical:
• Experts recommend a three-tiered, integrated data protection approach:
  • Maintain vigilant anti-virus protection
  • Establish a robust anti-malware protection program
  • Utilize an AJAX-aware analysis platform
• Use real-time content and security scanning
• Make sure browsers and plug-ins are patched
  • Don't just patch "high" rated patches!
• Remember your end points
• Use encryption as a key strategic defense
16. Recommendations for Web 2.0
Managerial:
• Ensure that your policies are current and address 2.0
  • Subjective policy setting
  • Group level access
  • Productivity based policies
• Use Data Loss Prevention as an essential teaching tool
• Education and awareness must go beyond passwords
• Ensure cross-functional response and participation
• Speak with data!
17. Ensuring a Defensive Web 2.0 Policy
• Revisit your Acceptable Use Policy
  • View the policy through a Web 2.0 lens
  • Be sure to cover new technologies like anonymizing proxies
• Include other groups for strength
  • Human Resources, Risk Management, Privacy, Physical Security, Audit, and Legal
• Step up your training and awareness for Web 2.0 concerns
18. Support your policy through technology
• IDS / IPS
• Bandwidth shaping and throttling
• Standard images
• Group policy objects
• Firewall rules
• Anti-virus, spyware, and malware
• Monitor for your good name!
19. Summary
• We are living in a changing world, and Web 2.0 is part of it
• 2.0 brings added challenges and characteristics to security professionals
• There are technical and managerial solutions to reduce Web 2.0 concerns
• Like all emerging technologies and their related threats, a holistic security approach is needed
20. There is never enough time;
thank you for some of yours.
David Sherry, CISSP CISM
Chief Information Security Officer
Brown University
Campus Box 1885
Providence, RI 02912
401.863-7266
david_sherry@brown.edu