SlideShare una empresa de Scribd logo

Web security

Jin Castor
Jin Castor
Tecnología
1 de 41
Descargar para leer sin conexión
Internet & Web Security Prepared by: Jean Michael Castor
Introduction • As of 1996, the Internet connected an estimated 13 million computers in 195 countries on every continent, even Antarctica . The Internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by individual computer hosts in a variety of ways, including gateways, routers, dial-up connections, and Internet service providers.
Introduction • The Internet is easily accessible to anyone with a computer and a network connection. Individuals and organizations worldwide can reach any point on the network without regard to national or geographic boundaries or time of day.
Introduction • However, along with the convenience and easy access to information come new risks. Among them are the risks that valuable information will be lost, stolen, corrupted, or misused and that the computer systems will be corrupted. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet.
Introduction • Intruders do not need to enter an office or home, and may not even be in the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can create new electronic files, run their own programs, and hide evidence of their unauthorized activity.
Basic Security Concepts • Three basic security concepts important to information on the Internet are confidentiality, integrity, and availability. Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.
Basic Security Concepts • Confidentiality - restricting access to information to authorized users. • Integrity - ensuring that stored data and data in transit are not modified unintentionally or maliciously. • Availability - ensuring that network services are not interrupted unintentionally or maliciously.
Internet Security Today • What are the main security-related problems on the Internet Today? – Hijacked web servers – Denial-of-Service Attacks – Unsolicited Commercial E-Mail – Operator Error, Natural Disasters – Microsoft... – Probe – Scan – Packet Sniffer – Malicious Code
Internet Security Today • What are not the major security-related problems? – Eavesdropped electronic mail. • (Misdirected email is a problem.) • (Email swiped from backup tapes is a problem.) – Sniffed credit card numbers. • (Credit card numbers stolen from databases is a problem.) – Hostile Java & ActiveX applets.
Hijacked Web Servers
Hijacked Web Servers • FBI – August 17, 1996 - Attacks on the Communications Decency Act. • CIA – September 18, 1996 - “Central Stupidity Agency” • NetGuide Live – “CMP Sucks.”
Hijacked Web Servers • Attacker gains access and changes contents of web server. • Usually stunts. • Can be very bad: – Attacker can plant hostile applets. – Attacker can plant data sniffers – Attacker can use compromised machine to take over internal system.
Hijacked Web Servers • Usually outsiders. • (Could be insiders masquerading as outsiders.) • Nearly impossible to trace.
How do they do it? • Administrative passwords captured by a password sniffer. • Utilize known vulnerability: – sendmail bug. – Buffer overflow. • Use web server CGI script to steal /etc/passwd file, then crack passwords. • Mount the web server’s filesystem.
How do you defend against it? • Patch known bugs. • Don’t run unnecessary services on the web server.
How do you defend? • Practice good host security. • Monitor system for unauthorized changes. – Tripwire • Monitor system for signs of penetration – Intrusion detection systems
How do you defend? • Make frequent backups. • Have a hot spare ready. • Monitor your system frequently.
Denial-of-Service Attacks
Denial-of-Service • Publicity is almost as good as changing somebody’s web server. – Attack on PANIX – Attack on CyberPromotions • Costs real money – Lost Sales – Damage to reputation
Kinds of Denial-of-Service Attacks • Direct attack: attack the machine itself. • Indirect attack: attack something that points to the machine. • Reputation attack: attack has nothing to do with the machine, but references it in some way.
Direct Denial-Of-Service Attack • Send a lot of requests (HTTP, finger, SMTP) – Easy to trace. – Relatively easy to defend against with TCP/IP blocking at router.
Direct Denial-Of-Service Attack 2 • SYN Flooding – Subverts the TCP/IP 3-way handshake • SYN / ACK / ACK – Hard to trace • Each SYN has a different return address. – Defenses now well understood • Ignore SYNs from impossible addresses. • Large buffer pools (10 → 1024) • Random drop, Oldest drop.
Indirect Denial-Of-Service Attack • Attack Routing • Attack routers (hard) • Inject bogus routes on BGP4 peering sessions (easy) – Accidents have been widely reported. – Expect to see an actual BGP4 attack sometime this year.
Reputation-based Denial-Of-Service Attack • Spoofed e-mail To: everybody@AOL.COM From: astrology@mail.vineyard.net Subject: Call Now! Hello. My name is Jean Dixon … • We got 3.9MB of angry responses.
Unsolicited Commercial E-Mail
Unsolicited Commercial E-Mail • Pits freedom-of-speech against right of privacy. • Consumes vast amounts of management time. • Drain on system resources.
Who are the bulk-mailers? • Advertising for Internet neophytes. • Advertising for sexually-oriented services. • Advertising get-rich-quick schemes. • Advertising bulk-mail service.
How do they send out messages? • Send directly from their site. • Send through an innocent third party. • Coming soon: – Sent with a computer virus or ActiveX applet
How did they get my e-mail addresses? • Usenet & Mailing list archives. • Collected from online address book. – AOL registry. – University directory. • Guessed – Sequential CompuServe addresses. • Break into machine & steal usernames.
Operator Error & Natural Disasters
Operator Error & Natural Disasters • Still a major source of data loss. • Hard to get management to take seriously. – Not sexy. – Preparation is expensive. – If nothing happens, money seems misspent.
Operator Error • Accidentally delete a file. • Accidentally install a bad service. • Accidentally break a CGI script. • Psychotic break.
Natural Disaster • Fire • Flood • Earthquake
Solutions • Frequent Backups – Backup to high-speed tape. – Real-time backup to spare machines. – Make sure some backups are off-site. • Recovery plans. • Recovery center. • Test your backups & plans!
Microsoft
Microsoft • Danger of homogeneous environment. • No demonstrated commitment to computer security. – Windows 95 is not secure. – Word Macro Viruses. – ActiveX – SMB • Windows NT …?
Probe • A probe is characterized by unusual attempts to gain access to a system or to discover information about the system. One example is an attempt to log in to an unused account. Probing is the electronic equivalent of testing doorknobs to find an unlocked door for easy entry. Probes are sometimes followed by a more serious security event, but they are often the result of curiosity or confusion.
Scan • A scan is simply a large number of probes done using an automated tool. Scans can sometimes be the result of a misconfiguration or other error, but they are often a prelude to a more directed attack on systems that the intruder has found to be vulnerable.
Packet Sniffer • A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps hundreds or thousands of passwords captured by the sniffer, intruders can launch widespread attacks on systems.
Malicious Code • Malicious code is a general term for programs that, when executed, would cause undesired results on a system. Users of the system usually are not aware of the program until they discover the damage. Malicious code includes Trojan horses, viruses, and worms. Trojan horses and viruses are usually hidden in legitimate programs or files that attackers have altered to do more than what is expected. Worms are self-replicating programs that spread with no human intervention after they are started.
Malicious Code • Viruses are also self-replicating programs, but usually require some action on the part of the user to spread inadvertently to other programs or systems. These sorts of programs can lead to serious data loss, downtime, denial of service, and other types of security incidents.

Recomendados

Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Hannah Jane del Castillo
 
Cyber security mis
Cyber security misCyber security mis
Cyber security misAditya Singh Rana
 
9 - Security
9 - Security9 - Security
9 - SecurityRaymond Gao
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer CrimesRaffa Learning Community
 
BASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSBASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSMd Abu Syeem Dipu
 
Cyber security # Lec 1
Cyber security # Lec 1Cyber security # Lec 1
Cyber security # Lec 1Kabul Education University
 
Cyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProCyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProRonald Soh
 
Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber Security Infotech
 

Recomendados

Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Hannah Jane del Castillo
 
Cyber security mis
Cyber security misCyber security mis
Cyber security misAditya Singh Rana
 
9 - Security
9 - Security9 - Security
9 - SecurityRaymond Gao
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer CrimesRaffa Learning Community
 
BASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSBASIC IT AND CYBER SECURITY AWARENESS
BASIC IT AND CYBER SECURITY AWARENESSMd Abu Syeem Dipu
 
Cyber security # Lec 1
Cyber security # Lec 1Cyber security # Lec 1
Cyber security # Lec 1Kabul Education University
 
Cyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProCyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProRonald Soh
 
Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber security awareness training by cyber security infotech(csi)
Cyber security awareness training by cyber security infotech(csi)Cyber Security Infotech
 
Network security basics
Network security basicsNetwork security basics
Network security basicsSkillspire LLC
 
Computer Security 101
Computer Security 101Computer Security 101
Computer Security 101Progressive Integrations
 
System vulnerability and abuse
System vulnerability and abuseSystem vulnerability and abuse
System vulnerability and abusePrakash Raval
 
Computer security
Computer securityComputer security
Computer securityUniv of Salamanca
 
Computer Security risks Shelly
Computer Security risks ShellyComputer Security risks Shelly
Computer Security risks ShellyAdeel Khurram
 
Hacking
Hacking Hacking
Hacking thajmohammed
 
Cyber crime
Cyber crimeCyber crime
Cyber crimeNiraj Solanke
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 
Grade 7 Chap 10 Cyber Threats and Security
Grade 7 Chap 10 Cyber Threats and SecurityGrade 7 Chap 10 Cyber Threats and Security
Grade 7 Chap 10 Cyber Threats and SecuritySultanaShaikh7
 
CYBER CRIME AND SECURITY
CYBER CRIME AND SECURITYCYBER CRIME AND SECURITY
CYBER CRIME AND SECURITYSahil Vashishtha
 
Need For Ethical & Security Issue In It
Need For Ethical & Security Issue In ItNeed For Ethical & Security Issue In It
Need For Ethical & Security Issue In ItSonali Srivastava
 
System failure
System failureSystem failure
System failurechrispaul8676
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber CrimeAfnanHusain
 
Introduction to Cyber Crime
Introduction to Cyber CrimeIntroduction to Cyber Crime
Introduction to Cyber CrimeDr Raghu Khimani
 
11 Computer Privacy
11 Computer Privacy11 Computer Privacy
11 Computer PrivacySaqib Raza
 
Cyber Attack Analysis
Cyber Attack AnalysisCyber Attack Analysis
Cyber Attack Analysiscodefortomorrow
 
cyber_security
cyber_securitycyber_security
cyber_securityJana Baxter
 
Ethical hacking (legal)
Ethical hacking (legal)Ethical hacking (legal)
Ethical hacking (legal)Thangaraj Murugananthan
 
Threats to information security
Threats to information securityThreats to information security
Threats to information securityswapneel07
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer securityArzath Areeff
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_securityMichael Freyberger
 
Web application security
Web application securityWeb application security
Web application securityJin Castor
 

Más contenido relacionado

La actualidad más candente

Network security basics
Network security basicsNetwork security basics
Network security basicsSkillspire LLC
 
System vulnerability and abuse
System vulnerability and abuseSystem vulnerability and abuse
System vulnerability and abusePrakash Raval
 
Computer Security risks Shelly
Computer Security risks ShellyComputer Security risks Shelly
Computer Security risks ShellyAdeel Khurram
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 
Grade 7 Chap 10 Cyber Threats and Security
Grade 7 Chap 10 Cyber Threats and SecurityGrade 7 Chap 10 Cyber Threats and Security
Grade 7 Chap 10 Cyber Threats and SecuritySultanaShaikh7
 
Need For Ethical & Security Issue In It
Need For Ethical & Security Issue In ItNeed For Ethical & Security Issue In It
Need For Ethical & Security Issue In ItSonali Srivastava
 
Introduction to Cyber Crime
Introduction to Cyber CrimeIntroduction to Cyber Crime
Introduction to Cyber CrimeDr Raghu Khimani
 
11 Computer Privacy
11 Computer Privacy11 Computer Privacy
11 Computer PrivacySaqib Raza
 
Threats to information security
Threats to information securityThreats to information security
Threats to information securityswapneel07
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer securityArzath Areeff
 

La actualidad más candente (20)

Network security basics
Network security basicsNetwork security basics
Network security basics
 
Computer Security 101
Computer Security 101Computer Security 101
Computer Security 101
 
System vulnerability and abuse
System vulnerability and abuseSystem vulnerability and abuse
System vulnerability and abuse
 
Computer security
Computer securityComputer security
Computer security
 
Computer Security risks Shelly
Computer Security risks ShellyComputer Security risks Shelly
Computer Security risks Shelly
 
Hacking
Hacking Hacking
Hacking
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat Landscape
 
Grade 7 Chap 10 Cyber Threats and Security
Grade 7 Chap 10 Cyber Threats and SecurityGrade 7 Chap 10 Cyber Threats and Security
Grade 7 Chap 10 Cyber Threats and Security
 
CYBER CRIME AND SECURITY
CYBER CRIME AND SECURITYCYBER CRIME AND SECURITY
CYBER CRIME AND SECURITY
 
Need For Ethical & Security Issue In It
Need For Ethical & Security Issue In ItNeed For Ethical & Security Issue In It
Need For Ethical & Security Issue In It
 
System failure
System failureSystem failure
System failure
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
 
Introduction to Cyber Crime
Introduction to Cyber CrimeIntroduction to Cyber Crime
Introduction to Cyber Crime
 
11 Computer Privacy
11 Computer Privacy11 Computer Privacy
11 Computer Privacy
 
Cyber Attack Analysis
Cyber Attack AnalysisCyber Attack Analysis
Cyber Attack Analysis
 
cyber_security
cyber_securitycyber_security
cyber_security
 
Ethical hacking (legal)
Ethical hacking (legal)Ethical hacking (legal)
Ethical hacking (legal)
 
Threats to information security
Threats to information securityThreats to information security
Threats to information security
 
Basic concepts in computer security
Basic concepts in computer securityBasic concepts in computer security
Basic concepts in computer security
 

Destacado

Web application security
Web application securityWeb application security
Web application securityJin Castor
 
Web Based Security
Web Based SecurityWeb Based Security
Web Based SecurityJohn Wiley
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorJames Krusic
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentationpooja_doshi
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hackingmsaksida
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringCyber Agency
 

Destacado (9)

Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
 
Web application security
Web application securityWeb application security
Web application security
 
Web Based Security
Web Based SecurityWeb Based Security
Web Based Security
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human Behavior
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hacking
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Web Security
Web SecurityWeb Security
Web Security
 

Similar a Web security

Computer Security Presentation
Computer Security PresentationComputer Security Presentation
Computer Security PresentationPraphullaShrestha1
 
Complete notes security
Complete notes securityComplete notes security
Complete notes securityKitkat Emoo
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer CrimesRaffa Learning Community
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITYafaque jaya
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Vibrant Event
 
Trends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursTrends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursMotherGuardians
 
It security the condensed version
It security the condensed version It security the condensed version
It security the condensed version Brian Pichman
 
Orientation 28 sep education purpose only.pptx
Orientation 28 sep education purpose only.pptxOrientation 28 sep education purpose only.pptx
Orientation 28 sep education purpose only.pptx230405
 
Network security threats and solutions
Network security threats and solutionsNetwork security threats and solutions
Network security threats and solutionshassanmughal4u
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedBule Hora University
 
Application of security computer
Application of security computerApplication of security computer
Application of security computeribrahimzubairu2003
 

Similar a Web security (20)

Computer Security Presentation
Computer Security PresentationComputer Security Presentation
Computer Security Presentation
 
Complete notes security
Complete notes securityComplete notes security
Complete notes security
 
2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes2014-09-03 Cybersecurity and Computer Crimes
2014-09-03 Cybersecurity and Computer Crimes
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITY
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Trends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursTrends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yours
 
Hackers
HackersHackers
Hackers
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
How to become Hackers .
How to become Hackers .How to become Hackers .
How to become Hackers .
 
Cyberterrorism
CyberterrorismCyberterrorism
Cyberterrorism
 
Cloud security
Cloud securityCloud security
Cloud security
 
Cyber terrorism
Cyber terrorismCyber terrorism
Cyber terrorism
 
Hackers Cracker Network Intruder
Hackers Cracker Network IntruderHackers Cracker Network Intruder
Hackers Cracker Network Intruder
 
It security the condensed version
It security the condensed version It security the condensed version
It security the condensed version
 
Orientation 28 sep education purpose only.pptx
Orientation 28 sep education purpose only.pptxOrientation 28 sep education purpose only.pptx
Orientation 28 sep education purpose only.pptx
 
Network security threats and solutions
Network security threats and solutionsNetwork security threats and solutions
Network security threats and solutions
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganised
 
Application of security computer
Application of security computerApplication of security computer
Application of security computer
 

Más de Jin Castor

Information security
Information security Information security
Information securityJin Castor
 
Introduction to E-commerce
Introduction to E-commerceIntroduction to E-commerce
Introduction to E-commerceJin Castor
 
Introduction to Infographics Designing
Introduction to Infographics DesigningIntroduction to Infographics Designing
Introduction to Infographics DesigningJin Castor
 
Creative designing using Adobe Products
Creative designing using Adobe ProductsCreative designing using Adobe Products
Creative designing using Adobe ProductsJin Castor
 
Introduction to Adobe Illustrator
Introduction to Adobe IllustratorIntroduction to Adobe Illustrator
Introduction to Adobe IllustratorJin Castor
 
SEO Advanced and scalable link building
SEO Advanced and scalable link building SEO Advanced and scalable link building
SEO Advanced and scalable link building Jin Castor
 
Introduction to Web Designing
Introduction to Web DesigningIntroduction to Web Designing
Introduction to Web DesigningJin Castor
 
Introduction to search engine optimization
Introduction to search engine optimizationIntroduction to search engine optimization
Introduction to search engine optimizationJin Castor
 
Web services protocols
Web services protocolsWeb services protocols
Web services protocolsJin Castor
 
Introduction to xampp
Introduction to xamppIntroduction to xampp
Introduction to xamppJin Castor
 
Drupal introduction
Drupal introductionDrupal introduction
Drupal introductionJin Castor
 
Control statements in Java
Control statements in JavaControl statements in Java
Control statements in JavaJin Castor
 
Switch statements in Java
Switch statements in JavaSwitch statements in Java
Switch statements in JavaJin Castor
 
Looping statements in Java
Looping statements in JavaLooping statements in Java
Looping statements in JavaJin Castor
 

Más de Jin Castor (16)

Information security
Information security Information security
Information security
 
Introduction to E-commerce
Introduction to E-commerceIntroduction to E-commerce
Introduction to E-commerce
 
Introduction to Infographics Designing
Introduction to Infographics DesigningIntroduction to Infographics Designing
Introduction to Infographics Designing
 
Creative designing using Adobe Products
Creative designing using Adobe ProductsCreative designing using Adobe Products
Creative designing using Adobe Products
 
Introduction to Adobe Illustrator
Introduction to Adobe IllustratorIntroduction to Adobe Illustrator
Introduction to Adobe Illustrator
 
SEO Advanced and scalable link building
SEO Advanced and scalable link building SEO Advanced and scalable link building
SEO Advanced and scalable link building
 
Introduction to Web Designing
Introduction to Web DesigningIntroduction to Web Designing
Introduction to Web Designing
 
Introduction to search engine optimization
Introduction to search engine optimizationIntroduction to search engine optimization
Introduction to search engine optimization
 
Web services protocols
Web services protocolsWeb services protocols
Web services protocols
 
Introduction to xampp
Introduction to xamppIntroduction to xampp
Introduction to xampp
 
Drupal introduction
Drupal introductionDrupal introduction
Drupal introduction
 
Control statements in Java
Control statements in JavaControl statements in Java
Control statements in Java
 
Switch statements in Java
Switch statements in JavaSwitch statements in Java
Switch statements in Java
 
Looping statements in Java
Looping statements in JavaLooping statements in Java
Looping statements in Java
 
Java input
Java inputJava input
Java input
 
Java arrays
Java arraysJava arrays
Java arrays
 

Último

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 

Último (20)

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 

Web security

  • 1. Internet & Web Security Prepared by: Jean Michael Castor
  • 2. Introduction • As of 1996, the Internet connected an estimated 13 million computers in 195 countries on every continent, even Antarctica . The Internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by individual computer hosts in a variety of ways, including gateways, routers, dial-up connections, and Internet service providers.
  • 3. Introduction • The Internet is easily accessible to anyone with a computer and a network connection. Individuals and organizations worldwide can reach any point on the network without regard to national or geographic boundaries or time of day.
  • 4. Introduction • However, along with the convenience and easy access to information come new risks. Among them are the risks that valuable information will be lost, stolen, corrupted, or misused and that the computer systems will be corrupted. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet.
  • 5. Introduction • Intruders do not need to enter an office or home, and may not even be in the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can create new electronic files, run their own programs, and hide evidence of their unauthorized activity.
  • 6. Basic Security Concepts • Three basic security concepts important to information on the Internet are confidentiality, integrity, and availability. Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.
  • 7. Basic Security Concepts • Confidentiality - restricting access to information to authorized users. • Integrity - ensuring that stored data and data in transit are not modified unintentionally or maliciously. • Availability - ensuring that network services are not interrupted unintentionally or maliciously.
  • 8. Internet Security Today • What are the main security-related problems on the Internet Today? – Hijacked web servers – Denial-of-Service Attacks – Unsolicited Commercial E-Mail – Operator Error, Natural Disasters – Microsoft... – Probe – Scan – Packet Sniffer – Malicious Code
  • 9. Internet Security Today • What are not the major security-related problems? – Eavesdropped electronic mail. • (Misdirected email is a problem.) • (Email swiped from backup tapes is a problem.) – Sniffed credit card numbers. • (Credit card numbers stolen from databases is a problem.) – Hostile Java & ActiveX applets.
  • 11. Hijacked Web Servers • FBI – August 17, 1996 - Attacks on the Communications Decency Act. • CIA – September 18, 1996 - “Central Stupidity Agency” • NetGuide Live – “CMP Sucks.”
  • 12. Hijacked Web Servers • Attacker gains access and changes contents of web server. • Usually stunts. • Can be very bad: – Attacker can plant hostile applets. – Attacker can plant data sniffers – Attacker can use compromised machine to take over internal system.
  • 13. Hijacked Web Servers • Usually outsiders. • (Could be insiders masquerading as outsiders.) • Nearly impossible to trace.
  • 14. How do they do it? • Administrative passwords captured by a password sniffer. • Utilize known vulnerability: – sendmail bug. – Buffer overflow. • Use web server CGI script to steal /etc/passwd file, then crack passwords. • Mount the web server’s filesystem.
  • 15. How do you defend against it? • Patch known bugs. • Don’t run unnecessary services on the web server.
  • 16. How do you defend? • Practice good host security. • Monitor system for unauthorized changes. – Tripwire • Monitor system for signs of penetration – Intrusion detection systems
  • 17. How do you defend? • Make frequent backups. • Have a hot spare ready. • Monitor your system frequently.
  • 19. Denial-of-Service • Publicity is almost as good as changing somebody’s web server. – Attack on PANIX – Attack on CyberPromotions • Costs real money – Lost Sales – Damage to reputation
  • 20. Kinds of Denial-of-Service Attacks • Direct attack: attack the machine itself. • Indirect attack: attack something that points to the machine. • Reputation attack: attack has nothing to do with the machine, but references it in some way.
  • 21. Direct Denial-Of-Service Attack • Send a lot of requests (HTTP, finger, SMTP) – Easy to trace. – Relatively easy to defend against with TCP/IP blocking at router.
  • 22. Direct Denial-Of-Service Attack 2 • SYN Flooding – Subverts the TCP/IP 3-way handshake • SYN / ACK / ACK – Hard to trace • Each SYN has a different return address. – Defenses now well understood • Ignore SYNs from impossible addresses. • Large buffer pools (10 → 1024) • Random drop, Oldest drop.
  • 23. Indirect Denial-Of-Service Attack • Attack Routing • Attack routers (hard) • Inject bogus routes on BGP4 peering sessions (easy) – Accidents have been widely reported. – Expect to see an actual BGP4 attack sometime this year.
  • 24. Reputation-based Denial-Of-Service Attack • Spoofed e-mail To: everybody@AOL.COM From: astrology@mail.vineyard.net Subject: Call Now! Hello. My name is Jean Dixon … • We got 3.9MB of angry responses.
  • 26. Unsolicited Commercial E-Mail • Pits freedom-of-speech against right of privacy. • Consumes vast amounts of management time. • Drain on system resources.
  • 27. Who are the bulk-mailers? • Advertising for Internet neophytes. • Advertising for sexually-oriented services. • Advertising get-rich-quick schemes. • Advertising bulk-mail service.
  • 28. How do they send out messages? • Send directly from their site. • Send through an innocent third party. • Coming soon: – Sent with a computer virus or ActiveX applet
  • 29. How did they get my e-mail addresses? • Usenet & Mailing list archives. • Collected from online address book. – AOL registry. – University directory. • Guessed – Sequential CompuServe addresses. • Break into machine & steal usernames.
  • 31. Operator Error & Natural Disasters • Still a major source of data loss. • Hard to get management to take seriously. – Not sexy. – Preparation is expensive. – If nothing happens, money seems misspent.
  • 32. Operator Error • Accidentally delete a file. • Accidentally install a bad service. • Accidentally break a CGI script. • Psychotic break.
  • 33. Natural Disaster • Fire • Flood • Earthquake
  • 34. Solutions • Frequent Backups – Backup to high-speed tape. – Real-time backup to spare machines. – Make sure some backups are off-site. • Recovery plans. • Recovery center. • Test your backups & plans!
  • 36. Microsoft • Danger of homogeneous environment. • No demonstrated commitment to computer security. – Windows 95 is not secure. – Word Macro Viruses. – ActiveX – SMB • Windows NT …?
  • 37. Probe • A probe is characterized by unusual attempts to gain access to a system or to discover information about the system. One example is an attempt to log in to an unused account. Probing is the electronic equivalent of testing doorknobs to find an unlocked door for easy entry. Probes are sometimes followed by a more serious security event, but they are often the result of curiosity or confusion.
  • 38. Scan • A scan is simply a large number of probes done using an automated tool. Scans can sometimes be the result of a misconfiguration or other error, but they are often a prelude to a more directed attack on systems that the intruder has found to be vulnerable.
  • 39. Packet Sniffer • A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps hundreds or thousands of passwords captured by the sniffer, intruders can launch widespread attacks on systems.
  • 40. Malicious Code • Malicious code is a general term for programs that, when executed, would cause undesired results on a system. Users of the system usually are not aware of the program until they discover the damage. Malicious code includes Trojan horses, viruses, and worms. Trojan horses and viruses are usually hidden in legitimate programs or files that attackers have altered to do more than what is expected. Worms are self-replicating programs that spread with no human intervention after they are started.
  • 41. Malicious Code • Viruses are also self-replicating programs, but usually require some action on the part of the user to spread inadvertently to other programs or systems. These sorts of programs can lead to serious data loss, downtime, denial of service, and other types of security incidents.