This document provides an overview of web security fundamentals and cybersecurity concepts. It discusses the CIA model of confidentiality, integrity and availability and the IAA model of identification, authentication and authorization. It also covers cybersecurity elements like people, processes and technology. The document includes statistics on cyber attacks and examples of real world security incidents. It describes common vulnerabilities like SQL injection and outlines both reactive and proactive approaches to securing websites and avoiding security problems.

1. WEB SECURITY
FUNDAMENTALS
COPYRIGHT 2019 © CYBER GATES
SAMVEL GEVORGYAN
CEO, CYBER GATES
Ph.D. in Information systems and cybersecurity

2. CYBERSECURITY COMPONENTS
WWW.CYBERGATES.ORG
• Confidentiality: Keep secret from those not authorized.
• Integrity: Prevent unauthorized tampering.
• Availability: Ensure authorized parties can access the data.
CIA model
• Identification: Who I claim to be (e.g. username, digital
cert).
• Authentication: How I prove it (password, signature).
• Authorization: What is that person allowed to do e.g. role-
based security.
IAA model

3. CYBERSECURITY ELEMENTS
WWW.CYBERGATES.ORG
• People
• Process
• Technology
Resources
• Policies and procedures
• Roles and responsibilities
• Risk management
Governance

4. STATISTIC DATA
WWW.CYBERGATES.ORG
“Over 3 million suspicious login attempts and other types of
intrusions targeting to information systems and official websites
belonging to the Government of the Republic of Armenia has been
prevented in 2018”
The National Security Service of the Republic of
Armenia
Over 4 thousand hacked websites.
Mass cyber attacks:
 January 2011 (379)
 July 2012 (364)
 February 2013 (275)
 February 2014 (359)
 April 2015 (129)
 December 2016 (188)
Hacked websites

5. MASS ATTACKS
WWW.CYBERGATES.ORG
• Websites that use same CMS (WordPress, Joomla, etc.)
• Websites built by same developer(s)
• Websites that use same technology, library or certain
component
• Websites hosted by same Hosting Provider
• Websites of agencies/companies working in the same
industry
Top 5 categories

6. TARGETED ATTACKS
WWW.CYBERGATES.ORG
• Small outdated websites that are easy to hack
• The government agencies
• News and media websites
• Hosting and Internet Service Providers (ISP)
• Universities and financial institutions
Top 5 categories

7. INCIDENT AND VULNERABILITY FACTS
WWW.CYBERGATES.ORG
The average number of serious
vulnerabilities per website is 56
Serious vulnerabilities are resolved in an
average of 193 days from first notification
43% of cyber attacks target small
businesses
30% of SMEs lack an incident response plan
68% of funds lost as a result of a cyber attack
where declared unrecoverable
60% of small businesses close their doors
within 6 months after a serious cyber attack.

8. REAL WORLD EXAMPLES
WWW.CYBERGATES.ORG
“The revelation of the 3 billion accounts hack
could have implications for the $4.8 billion sale
of Yahoo to Verizon.”
“Microsoft Corp. closed its roughly $26 billion
deal to buy professional-networking site
LinkedIn after a few weeks of an incident when
a hacker put up 167 million LinkedIn passwords
for sale.”

9. COMMON BUSINESS THREATS
WWW.CYBERGATES.ORG

10. EXAMPLE OF A THREAT
WWW.CYBERGATES.ORG
DOES YOUR WEBSITE HOST MALWARES? IS IT SECRETLY MINING BITCOIN?
Check it yourself: www.websecurity.pro

11. TOP VULNERABILITIES
WWW.CYBERGATES.ORG
• Injection
• Broken Authentication
• Sensitive data exposure
• XML External Entities (XXE)
• Broken Access control
• Security misconfigurations
• Cross Site Scripting (XSS)
• Insecure Deserialization
• Using Components with known vulnerabilities
• Insufficient logging and monitoring
OWASP TOP 10
Source: https://www.owasp.org/index.php/Top_10-2017_Top_10

12. EXAMPLE OF AN SQL INJECTION
ATTACK
WWW.CYBERGATES.ORG
Example URL
http://site.com/product.php?id=1348+AND+1=2+union+select+1,2,user(),database(),5,version(),7+--
Example Output

13. TYPES OF SQL INJECTION ATTACK
WWW.CYBERGATES.ORG
In this type of SQL Injection vulnerability attacker sends a
custom SQL query and gets the output in the screen.
Normal
This type of injection is identical to normal SQL Injection
except that the SQL query returns positive or negative
response.
Blind
http://site.com/product.php?id=1348+AND+1=2+union+select+1,2,user(),database(),5,version(),7+--
http://site.com/view.php?page=10+and+substring(@@version,1,1)=5+--

14. TESTING AN SQL INJECTION ATTACK
WWW.CYBERGATES.ORG
• SQLmap
Tools
A vulnerable website
Target
• http://webscantest.com/datastore/search_get_by_id.php?id=4
• http://webscantest.com/rest/demo/index.php/products/
http://sqlmap.org
Sample report: http://webscantest.com/report/

15. PLAN A: FIXING THE PROBLEM
WWW.CYBERGATES.ORG
• Support
• E-mail notifications about an incident
• Online support (SIP calls)
• Computer Emergency Response Team (CERT)
• Investigation (Digital Forensics)
• Consultancy
Reactive approaches

16. PLAN B: AVOIDING THE PROBLEM
WWW.CYBERGATES.ORG
• Assessment
• Network/Host Vulnerability Assessment
• Penetration Testing
• Source Code Auditing
• Real-time Protection (NIDS/HIDS, WAF)
• Training and awareness
• Cybersecurity news and analysis
• Public seminars and workshops
• Corporate trainings
• University programs
Proactive approaches

17. EVALUATE RISK IN YOUR BUSINESS
WWW.CYBERGATES.ORG
EVALUATE YOUR BUSINESS RISKS
www.websecurity.pro

18. CONTACT US
WWW.CYBERGATES.ORG