This document outlines the key points from a presentation on online security and privacy issues. It discusses the growing security landscape including major data breaches in 2012. It covers how cybercrime has become a profitable business and ways identities and financial data are sold on the black market. The presentation demonstrates common vulnerabilities like SQL injection and explains how even small businesses are at risk. It provides an overview of strategies to minimize risk, including secure coding practices, scanning tools, and compliance with standards like PCI DSS.
In May 2017, Cybersecurity Malaysia confirmed that the "WannaCry" ransomware attack had spread across Malaysia. The attack, which locks computers and holds users' files for ransom, was reported to have hit 200,000 victims in 150 countries. The National Health Service reported that the massive ransomware attack shut down work at 16 hospitals across the United Kingdom. Hackers threatened to delete patient records and other critical files if hospitals did not pay them.
Mock phishing exercises let you emulate real phishing attacks against your own customers or employees. They are a fantastic way to train subjects by example and to measure their susceptibility to phishing attacks.
Chief Information Security Officers are using the Intrusion Kill Chain strategy to achieve higher levels of security within their organization. This session will provide background context and outline how to mitigate the most sophisticated attackers using AWS Cloud.
Data Science vs. the Bad Guys: Defending LinkedIn from Fraud and Abuse (David Freeman)
As the world’s largest professional network, LinkedIn is subject to a barrage of fraudulent and/or abusive activity aimed at its member-facing products. LinkedIn’s Security Data Science team is tasked with detecting bad activity and building proactive solutions to keep it from happening in the first place. In this talk we explore various types of abuse we see at LinkedIn and discuss some of the solutions we’ve built to defend against them. We focus on ways bad actors can enter the site: fake accounts and account takeover. Some common themes include:
- Precision/recall tradeoffs: No model is 100% accurate, so we must always make a call on where to draw the line when flagging accounts or activity as abusive. What’s the cost of labeling a good member as bad vs. labeling a bad member as good?
- Online/offline tradeoffs: Online models can stop fraudulent activity before it has a chance to gain traction; offline models can use more data and cast a wider net, while also requiring less engineering effort to build. For any given abuse pattern, we must consider whether we can detect and stop the activity in real-time and also whether it’s worth the effort to do so.
- Machine learning vs. heuristic rules: Machine-learned models can be very powerful, but they also require sufficient well-labeled training data and are more difficult to maintain. Heuristic (though still data-driven!) rules can often achieve 90% of the goal with 10% of the effort — but how do you tell when this is the case?
Server-Side Second Factors: Approaches to Measuring User Authenticity (David Freeman)
Passwords are used for user authentication by almost every Internet service today, despite a number of well-known weaknesses: passwords are often simple and easy to guess; they are re-used across sites; and they are susceptible to phishing. Numerous methods to replace or supplement passwords have been proposed, such as two-factor authentication or biometric authentication, but none has been adopted widely, leaving most accounts on most websites protected by a password only.
One approach to strengthening password-based authentication without changing user experience is to classify login attempts into *normal* and *suspicious* activity based on a number of parameters such as source IP, geolocation, browser configuration, time of day, and so on. For the suspicious attempts the service can then require additional verification, e.g., by an additional phone-based authentication step. Systems working along these principles have been deployed by many Internet services but have never been studied publicly.
In this work we propose a statistical framework for measuring the validity of a login attempt. We built a prototype implementation and tested it on real login data from LinkedIn using only two features: IP address and the browser's user agent. We find that we can achieve good accuracy using only *user login history* and *reputation systems*; in particular, a nascent service with no labeled account takeover data can still use our framework to protect its users. When combined with labeled data, our system can achieve even higher accuracy.
Content Management System Security.
How to secure your CMS?
Common rules:
+ Choose your CMS with both functionality and security in mind
+ Update with urgency
+ Use a strong password (admin dashboard access, database users, etc.)
+ Have a firewall in place (detect or prevent suspicious requests)
+ Keep track of the changes to your site and its source code
+ Give the user permissions (and their levels of access) a lot of thought
+ Limit the type of files to non-executables and monitor them closely
+ Back up your CMS (daily backups of your files and databases)
+ Uninstall plugins you do not use or trust.
The Internet is a fun place to be, but it is full of dangers too. This presentation helps you understand:
a. Types of Threats on the Internet
b. The Dos of Internet Security
c. The Don'ts of Internet Security
A publication to help business owners understand the need for cyber insurance, the new notification laws that impact businesses, and what coverage a cyber insurance policy provides.
Cyber Risks & Liabilities - Cyber Security for Small Businesses (ntoscano50)
High-profile cyber attacks on companies such as Target and Sears have raised awareness of the growing threat of cybercrime. Recent surveys conducted by the Small Business Authority, Symantec, Kaspersky Lab and the National Cybersecurity Alliance suggest that many small business owners are still operating under a false sense of cyber security.
The statistics of these studies are grim: the vast majority of U.S. small businesses lack a formal Internet security policy for employees, and only about half have even rudimentary cybersecurity measures in place. Furthermore, only about a quarter of small business owners have had an outside party test their computer systems to ensure they are hacker-proof, and nearly 40 percent do not have their data backed up in more than one location.
This was the presentation I made to the @LeedsSharp group in Leeds on 26/02/2015. It focuses on web application security and the steps you need to take to counter most of the threats which are out there today, as determined by the OWASP Top 10. Solutions focus on the MVC.net framework; there is a source code project to go with this presentation, with all of the solutions implemented, at https://github.com/johnstaveley/SecurityEssentials
KnowBe4 helps you keep your network secure with Kevin Mitnick security awareness training. You are able to send simulated phishing attacks before and after the training. Created ‘by admins for admins’, a minimum of time is needed with visible proof the security awareness training works. Find out what your email attack footprint looks like and ask for our free Email Exposure Check.
Based on Kevin’s 30+ year unique first-hand hacking experience, you are now able to train employees with next-generation web-based training and testing, to quickly solve the increasingly urgent security problem of Social Engineering.
10 best cybersecurity companies in healthcare for 2021 (insightscare)
10 Best Cybersecurity Companies in Healthcare for 2021 features a few cybersecurity companies that ensure the safety & confidentiality of healthcare data.
Data-driven storytelling and security stakeholder engagement - FND326-S - AWS... (Amazon Web Services)
Storytelling is a powerful tool for cybersecurity leaders aiming to improve communication with IT and non-IT stakeholders alike; the most trusted advisors are effective storytellers. With the right data—like the recently released 2019 Verizon Data Breach Investigations Report—CISOs and their teams can tell meaningful and relevant stories that help organizations strengthen their security cultures and empower executives to make better decisions about resource allocation and risk tolerance.
When thieves strike: Executive briefing on SWIFT attacks (Sangram Gayal)
Executive briefing on the significance of SWIFT attacks and countermeasures. http://www.pwc.in/assets/pdfs/consulting/cyber-security/thought-leadership/when-thieves-strike-executive-briefing.pdf
These are from the National Cyber Security Alliance (NCSA) for National Cyber Security Awareness Month (NCSAM) and are free to use. See https://staysafeonline.org/ for more info.
Abridged version of my MVC security presentation covering the OWASP Top 10 security vulnerabilities and how they can be mitigated in the Microsoft MVC framework. Covers SQL Injection, XSS, CSRF, etc. There is a source code project to go with this presentation, with all of the solutions implemented, at https://github.com/johnstaveley/SecurityEssentials
I am trying to tell about phishing attacks and how we can train ourselves against them through KnowBe4.
Md Mofijul Haque
Business Development Executive
Desh Cyber Limited
Cybersecurity Threats Web Developers Must Know.pptx (Master Infotech)
To safeguard your websites and applications, educate yourself on all current risks.
Also if you are looking for a safe platform for E-Commerce web design in Arizona, call us at Master Infotech.
Worried about cyber attacks on your website? Learn about the 3 most common types of online threats, and how you can keep your site protected from bad actors. https://www.webguru-india.com/blog/website-security-guide/
Introduction to the Current Threat Landscape (Melbourne IT)
Do you know what threats are lurking in the shadows? Have you been compromised without even knowing about it? Most companies don't even know if their business has been subjected to attacks and even worse, may have lost sensitive data without knowing about it until it’s too late.
The latest vulnerabilities highlight the extent and depth that hackers are adopting to steal your content or destroy trust in your brand. Our industry experts joining us for the presentation have a wealth of experience in robust security strategies and will be discussing the current online threat landscape, the most prominent approaches to security breaches and what you need to consider to protect your online presence from any potential malicious attacks.
About Melbourne IT:
Melbourne IT Enterprise Services designs, builds and operates custom cloud solutions for Australia’s leading enterprises. Its expert staff help enterprises solve business challenges and build cultures that enable organisations to use technology investments efficiently to improve long-term value. With more than 15 years’ experience in delivering managed outcomes to Australian enterprises, Melbourne IT has been long associated with enabling success. Its certified cloud, consulting, and security experts repeatedly deliver results. Many of the brands you already know and trust rely on Melbourne IT. For more information, visit www.melbourneitenterprise.com.au
Make Every Spin Count: Putting the Security Odds in Your Favor (David Perkins)
Cerdant’s Director of Engineering, Joshua Skeens, presented the best ‘bets’ to increase your security odds. Josh warned customers to stop gambling with their data, and cautioned against weak, guessable passwords stating, “Use 2-Factor Authentication everywhere!” The first step in creating the best security posture possible for your business will always be just getting started, and to keep momentum Josh suggests implementing 1 new security practice each week.
The Small Business Cyber Security Best Practice Guide (Inspiring Women)
Cyber security is a big problem for small business.
• Small business is the target of 43% of all cybercrimes.
• 60% of small businesses who experience a significant cyber breach go out of business within the following 6 months.
• 22% of small businesses that were breached by the 2017 Ransomware attacks were so affected they could not continue operating.
• 33% of businesses with fewer than 100 employees don’t take proactive measures against cyber security breaches.
• 87% of small businesses believe their business is safe from cyberattacks because they use antivirus software alone.
• Cybercrime costs the Australian economy more than $1bn annually.
10 ways to protect your e commerce site from hacking & fraud (WebSitePulse)
According to the Hacked Website Report by Sucuri, the number of websites getting compromised by hackers is increasing every year. The damage related to cybercrime is expected to hit $6 trillion by the end of 2020.
If you are planning to launch an eCommerce website or are already running a successful one, you must upgrade the security of your website regularly. Here, I am sharing some useful ways to keep your eCommerce site safe from hackers and fraudsters.
Presentation by Luc de Graeve at the Gordon institute of business science in 2001.
This presentation is about security in e-commerce and is aimed at making people aware of what hackers do, how they do it and the financial implications of their actions. The presentation begins with a few examples of defaced websites and ends with a discussion on risk and assessment.
Based on the below and using the 12 categories of threats identify 3 .pdf (arri2009av)
Based on the below and using the 12 categories of threats, identify 3 examples you can find online, in the media, for each of the threats listed on the right column. You can use news articles to justify the threats. Use the most current news article you can find. Add the reference link for each article and place it in APA format. Prepare a memo to your CEO with your findings. On the same memo, research current vendors that provide phishing email tools to train your employees and provide a recommendation to the CEO about which to buy. Compare at least 2 vendors and identify the following: Features, Cost. Add the Phishing Quiz Exercise discussed in class to the bottom of your memo pages. Take the quiz and answer the below: Identify which questions you got wrong from the quiz. Provide a brief explanation on why you got it wrong. What did you learn about phishing emails and what would you recommend in order to avoid falling for a phishing email?
Solution
1) Threat to intellectual property: Hacking. After conducting a forensic review of the drives, Bailey (CEO of an IT company) learned that intruders had been lurking on two of his company’s servers for almost a year. These hackers, who were traced to a university in Beijing, had entered the company’s extranet through an unpatched vulnerability in the Solaris operating system. As far as Bailey could tell, they hadn’t accessed any classified information. But they were able to view mountains of intellectual property, including design information and product specifications related to transportation and communications systems, along with information belonging to the company’s customers and partners.
Activist hackers, or hacktivists, can also be a danger to companies. For example, early last year members of Anonymous, the hacker collective, copied and publicly released sensitive files of H.B. Gary Federal, a security company.
Copyright deviation or piracy:
Intellectual property theft involves robbing people or companies of their ideas, inventions, and creative expressions—known as “intellectual property”—which can include everything from trade secrets and proprietary products and parts to movies, music, and software.
It is a growing threat—especially with the rise of digital technologies and Internet file sharing networks. And much of the theft takes place overseas, where laws are often lax and enforcement is more difficult. All told, intellectual property theft costs U.S. businesses billions of dollars a year and robs the nation of jobs and tax revenues.
Preventing intellectual property theft is a priority of the FBI’s criminal investigative program. It specifically focuses on the theft of trade secrets and infringements on products that can impact consumers’ health and safety, such as counterfeit aircraft, car, and electronic parts. Key to the program’s success is linking the considerable resources and efforts of the private sector with law enforcement partners on local, state, federal, and international levels.
The basic fundamental of cybersecurity and how can it be used for unethical purposes.
For this type of presentations (customised), you can contact me here : rishav.sadhu11@gmail.com
You've seen the headlines. You're beginning to understand the importance of cybersecurity. Where do you begin? It's important to understand the common methods of attack and ways you can begin to protect your organization today. For more information on our cybersecurity education please visit FPOV.com/edu.
Similar to Online Security and Privacy Issues
1.Wireless Communication System_Wireless communication is a broad term that i... (JeyaPerumal1)
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx (Brad Spiegel Macon GA)
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines (Sanjeev Rampal)
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
1. Online Security and Privacy Issues
Presented by ebusinessmantra at the ecommerce Conference at UMass Dartmouth, MA, April 19, 2013
www.ebusinessmantra.com
2. Agenda
Problem
(In)Security Landscape
It’s all business
What is your identity worth?
How does it work on the web?
Does it matter to SMB?
Myths about security
Vulnerability Exploits (Hacking 101) Demo: SQL Injection, XSS, Google Hacking
Solution
How do you minimize the risk?
Security Tools - Demo
Discussions
3. About ebusinessmantra
Web Application Security Consultants
Assess and recommend security solutions
Through partnerships, we offer:
Web Application Security Scanner
Web Application Firewalls
Database Firewalls
File Systems Monitoring
Training and eLearning (in process)
Customers: *.mil, *.gov, *.edu, *.org, *.com
Web Site Design and Development (past)
7. Top 10 security breaches of 2012
Wyndham Hotels – 600,000 credit card #s stored in plain text, $10.5 billion in fraudulent transactions
Yahoo – 400,000 passwords stored in plain text (SQL injection)
Apple – 11 million Unique Device Identifiers - access to user names, device names, cell phone numbers and addresses
Global Payments – 1.5 million credit card numbers with Track 2 data used to clone credit cards
Ghostshell - Hacktivist group stole account information for 1.6 government and contractors
LinkedIn – 6.5 million (hashed) passwords – published on web
Nationwide and Allied Insurance Co. – 1.1 million applicants’ info
South Carolina DOR – 3.8 million tax records
Zappos – 24 million customers’ data
Government Sector – 94 million records of Personally Identifiable Information (PII)
12. Business of cybercrime
Cybercrime is a highly organized, well-run, profitable business
Hierarchical structure - specialists
Programmers, Hackers, Distributors, Hosting Providers, Money Mules, Cashiers, Tellers (FBI classification)
14. Fraudulent tax returns
Alabama: 1000 false returns for $1.7 million
LA County: 65 false returns for $358,000
Fort Lauderdale: 2000 false tax returns were filed from 10/2010 - 6/2012 for $11 million.
15. Your identity @ bargain price…
Fullz Info USA Type A package contains:
Full Name
Email address + password
Physical Address
Phone Number
DOB, SSN, DL Numbers
Bank Name, Account number + routing number
Employer’s name + # years of employment
# of records      Price/record
1 - 499           0.25
500 - 4999        0.22
5000 - 9999       0.18
10000 - 16499     0.16
Fullz Info USA Type B package also includes mother’s maiden name.
Web site claims to have 99 to 100% of people in the US in their database and to have the most up to date database.
16. Typical Offers on Black Market - Price List
Product: Price
Credit card details: $2 - $90
Physical credit cards: $190 + cost of details
Card cloners: $200 - $1000
Bank credentials: $80 to $700 (with guaranteed balance)
Bank transfers and cashing checks: from 10% to 40% of total
Online stores and pay platforms: $80 - $1500 with guaranteed balance
17. (In)Security Landscape
Pretty grim, sobering landscape!
Notable web sites have been hacked (Govt., security firms, banks)
Many are not reported and many more do not know they are being hacked. Your web site might have been hacked and you may be unaware of it.
Organized crime, blackmail/extortion, defrauding the IRS
High costs to remediate: $90 - $300 per record, plus lost business, tangible and intangible losses
18. How does it work on the web?
Hackers exploit vulnerabilities in the code:
to steal data
to make you, the web site users, do things that you did not intend to
to distribute and install malware, ransomware and, in general, badware
to monitor your activities on the computer and web site, and report the data
19. We are a Small Business, it does not matter to us…
SMBs are the most vulnerable because they don’t have the resources that large organizations have.
Your site could be used to launch or distribute malware
You may not think you are at risk – but actually you could be – using WordPress or some other platform which may be vulnerable
Google search for vulnerabilities in WordPress sites.
20. We don’t have anything of value on our web site…
Even if you don’t believe you have anything of value on your website, it could be used as a means for malicious acts. Here are some negative side-effects:
Credibility
Block - Your business website could be blocked by your Internet service provider or even Google, Bing, and other search engines.
http://www.google.com/safebrowsing/diagnostic?site=domainname
Blacklisting - Your email address or entire domain could be blacklisted by spam filtering services.
http://www.spamhaus.org: Tracks internet spam senders and spam services, provides real-time anti-spam protection, and identifies and pursues spammers worldwide
Time and money - remediation
21. Myths about security
We have SSL (https) on our web site
Our network has firewalls
Our site is password protected
Our developers will deal with security
Our OS and software are up to date and patched
These are essential, but none of these protect your web site from being hacked.
22. Are you chasing the mice or protecting the cheese?
24. Vulnerability Exploits - Hacking 101 Demo
SQL Injection
Cross Site Scripting
Google Hacking
25. Injection Attack
Very widely used by hackers and is one of the top 10 vulnerabilities in web applications
SQL Injection Attack Demo
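The slide only announces the demo, so here is an added example (not from the presentation) in Python with sqlite3 that shows the login query in both forms: string concatenation, where the username input "alice' --" turns the password check into a comment, and a parameterized query, which treats the same input as plain data. The users table, names and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample login table standing in for a web site's user database
# (example data, not from the presentation). Real systems must store password
# hashes; plaintext is used here only to keep the example short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Input is spliced into the SQL text, so it can change the query's structure.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    # Placeholders: the driver passes input as values, never as SQL syntax,
    # so the same string cannot alter the WHERE clause.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def compare(username, password):
    """Run both versions on the same input; returns (vulnerable, parameterized)."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_parameterized(conn, username, password))
    finally:
        conn.close()

if __name__ == "__main__":
    print(compare("alice", "correct horse"))  # ('alice', 'alice'): valid login passes both
    print(compare("alice", "wrong"))          # (None, None): bad password fails both
    # The username "alice' --" turns the rest of the concatenated query into a
    # comment, so the vulnerable version logs in without any password; the
    # parameterized version looks for a user literally named "alice' --".
    print(compare("alice' --", "anything"))   # ('alice', None)
```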
26. Cross Site Scripting Attack
Another very frequently used attack method - Demo
27. Google hacking demo
Have you Googled yourself or your business?
Advanced Google search – Demo
inurl:admin intext:username=AND email=AND password= OR pass=
filetype:xls
"your password is" filetype:txt
Tools that can do the search for you - demo
28. How do you minimize risk?
Awareness
All stakeholders must recognize the risks and work towards mitigation
Culture within the organization, mandate from the management
Examples – IT (network security), coders (perplexed), management (state of denial), users (unsafe browsing, cool sites!)
Develop security strategy
Secure Coding Practices during SDLC
Developers need to understand the threats; write secure code; follow published guidelines
Resource intensive: time and $ - training, coding, testing
QA
During all stages of the application development life cycle
At regular intervals while in production
Web Application Scanning, static code analysis
Monitoring
Web Application Scanning (demo)
Web Application Firewall
Database Firewall
Compliance
29. Security Strategy
Web Site Scanning
Snapshot of vulnerabilities (new vulnerabilities), fix vulnerabilities, and install patches
Web Application Firewall
Real time, continuous
Set policies to alert and/or block attacks
Virtual patch from scanning results
Block traffic from certain regions
Database Firewall
Data Protection
Set policies to alert and/or block attacks
(Prevent) Internal and external threats
Secured Hosting
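An added example (not from the presentation or any WAF product) in Python of the two web application firewall ideas on this slide: policies that alert on or block a request, and a "virtual patch" that locks down one parameter a scanner reported as injectable until the code is fixed. The /search.php finding, the rule patterns and the request lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Policies, as on slide 29: each rule names a pattern to look for in decoded
# request parameters and whether a hit should only alert or also block.
# The patterns are deliberately small illustrations, not a production rule set.
RULES = [
    ("sqli-boolean", re.compile(r"'\s*(or|and)\s", re.I), "block"),
    ("sql-comment", re.compile(r"--|/\*"), "alert"),
    ("xss-script", re.compile(r"<\s*script\b|javascript:", re.I), "block"),
]

# "Virtual patch" from a scan result: suppose a scanner reported that the q
# parameter of /search.php is injectable (hypothetical finding). Until the code
# is fixed, only letters, digits, underscores and spaces are allowed there.
VIRTUAL_PATCHES = {("/search.php", "q"): re.compile(r"[\w ]*")}

def evaluate(request_line):
    """Return (action, reason) for one 'METHOD /path?query' request line."""
    _method, _, target = request_line.partition(" ")
    parts = urlsplit(target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        patch = VIRTUAL_PATCHES.get((parts.path, name))
        if patch and not patch.fullmatch(value):
            return "block", f"virtual-patch:{parts.path}:{name}"
        for rule_name, pattern, action in RULES:
            if pattern.search(value):
                return action, rule_name
    return "allow", ""

# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /products.php?id=42",
    "GET /products.php?id=42'%20OR%20'1'='1",
    "GET /products.php?id=42--",
    "GET /guestbook.php?msg=%3Cscript%3Ealert(1)%3C/script%3E",
    "GET /search.php?q=blue%20widgets",
    "GET /search.php?q=blue%25",
]

def run(requests=SAMPLE_REQUESTS):
    """Evaluate each request; returns a list of (request, action, reason)."""
    return [(r, *evaluate(r)) for r in requests]

if __name__ == "__main__":
    for request, action, reason in run():
        print(f"{action:5} {reason:30} {request}")
```

A real WAF inspects headers, cookies and request bodies as well and decodes more encodings than the URL form shown here; the point of the example is the policy shape (alert vs. block, and a targeted virtual patch), not the rules themselves.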
36. How can we help…
Security Assessment
Develop a strategy
Implement strategy
Training
37. Take away
Web presence and doing business on the web is essential
Security should also be part of the web strategy
Internal and external threats
Develop a strategy for securing data
Take action
Call us if you need help with securing your digital assets.