SlideShare una empresa de Scribd logo

Mitigating Web 2.0 Threats

Kim Jensen
Kim Jensen

Mitigating Web 2.0 Threats - Good report on threats from Web 2.0 websites like Facebook, LinkedIn, MySpace, YouTube, Live.com and others

Tecnología
1 de 21
Descargar para leer sin conexión
Mitigating Web 2.0 Threats Or, “This isn’t your mother’s internet!” David Sherry CISSP CISM Chief Information Security Officer Sponsored By: Brown University
Security @ Brown •Security evangelism •Public Safety support •Incident Response Team •Human Resources support •Audit support •Records Management •Compliance and legal •Business Continuity standards •Disaster Recovery •Firewalls, IDS, IPS, VPN, •Copyright / DMCA agent sniffers, A/V, DNS, etc…. •Discipline Committee •Security audits and •Mandatory / elective training certifications •Awareness 2
Today’s Agenda (or is it a mashup?) • Our changing world of security • What is web 2.0? • Attack vectors and areas of concern • The evolution of the threats….they’re nothing new! • What should be focused on • Recommendations to reduce the threat
Our World is Changing May you live in interesting times….. Chinese Proverb • Compliance is a key competency of security pros • Identity Theft is fastest growing crime • President’s Cyber Security Initiative provides spotlight • Online underground economy has matured • National and global economy means “do more with less” • Threat evolution: • Infrastructure > web/messaging > DLP > Web 2.0
What is Web 2.0? Used with permission via Creative Commons: http://kosmar.de/archives/2005/11/11/the-huge-cloud-lens-bubble-map-web20/
What is Web 2.0? From Wikipedia: (which is, itself, a 2.0 phenomenon) "Web 2.0" refers to web development and web design that facilitates interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web. Examples of Web 2.0 include web-based communities, hosted services, web applications, social-networking sites, video-sharing sites, wikis, blogs, mashups and folksonomies. A Web 2.0 site allows its users to interact with other users or to change website content, in contrast to non-interactive websites where users are limited to the passive viewing of information that is provided to them.
Common Web 2.0 Descriptors • “User generated content” • “Mashups and web services” • “Consumer and enterprise convergence” • “Diversity of client software” • “Complexity and asynchronous operations”
The Enterprise Triple-Threat of 2.0 1. Loss of productivity 2. Vulnerable to data leaks 3. Increased security risks
Characteristics of Web 2.0 Security • Web filtering is no longer adequate • AJAX, SAML, XML create problems for detection • RSS and RIA can enter directly into networks • Non-static makes identification difficult • High bandwidth use can hinder availability • User generated content hard to contain
Web 2.0 Attack Vectors • Blogs • Social networks • Web portals • Mashups • Pop-ups • Anonymizing proxies • Spamdexing • Widgets
Web 2.0 Areas of Concern • Client side issues • Transparency and cross-domain communications; AJAX and JavaScript attacks on the rise • Protocols • New protocols on top of HTTP/S (SOAP, XML, etc) • Information sources • Concerns over integrity, transiency, and diversity • Information structures • Variations of data structures, injection attacks • Server side • Architecture, authorization, and authentication weaknesses
Evolution of the Threats in 2.0 • USB and auto-run malicious code • Insiders are a threat, but they don’t know it • Adobe PDFs and Flash replace Word and Excel • Worms travel through social spaces into offices • DOS attacks against social networks • Malware travels via all conduits • Pop-ups advertise seemingly legitimate services and take advantage of current events
So what do you focus on? From Secure Enterprise 2.0, the dangers come from: 1. Insufficient authentication controls 2. Cross-site scripting 3. Cross-site request forgery 4. Phishing 5. Information leakage 6. Injection flaws 7. Information integrity 8. Insufficient anti-automation www.secure-enterprise20.org
Recommendations for Web 2.0 Technical: • Experts recommend a three-tiered, integrated data protection approach: • Maintain vigilant anti-virus protection • Establish a robust anti-malware protection program • Utilize an AJAX-aware analysis platform • Use real-time content and security scanning • Make sure browsers and plug-ins are patched • Don’t just patch “high” rated patches! • Remember your end points • Use encryption as a key strategic defense
Recommendations for Web 2.0 Managerial: • Ensure that your policies are current and address 2.0 • Subjective policy setting • Group level access • Productivity based policies • Use a Data Loss Prevention as an essential teaching tool • Education and awareness must go beyond passwords • Ensure cross-functional response and participation • Speak with data!
Ensuring a Defensive Web 2.0 Policy • Revisit your Acceptable Use Policy • View the policy from a web 2.0 lens • Be sure to cover new technologies like anonymizing proxies • Include other groups for strength • Human Resources, Risk Management, Privacy, Physical Security, Audit, and Legal • Step up your training and awareness for Web 2.0 concerns
Support your policy through technology • IDS / IPS • Bandwidth shaping and throttling • Standard images • Group policy objects • Firewall rules • Anti-virus, spyware, and malware • Monitor for your good name!
Summary • We are living in a changing world, and Web 2.0 is part of it • 2.0 brings added challenges and characteristics to security professionals • There are technical and managerial solutions to reduce Web 2.0 concerns • Like all emerging technologies and their related threats, a holistic security approach is needed
There is never enough time; thank you for some of yours. David Sherry, CISSP CISM Chief Information Security Officer Brown University Campus Box 1885 Providence, RI 02912 401.863-7266 david_sherry@brown.edu
Thanks to our Sponsors Product trial download page Free Whitepaper: Reduce shopping cart abandonment. Increase revenue.

Recomendados

Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Kim Jensen
 
State of Internet 2H 2008
State of Internet 2H 2008State of Internet 2H 2008
State of Internet 2H 2008Kim Jensen
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityNational LECET
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118AngelaHoltby
 
Managing and Securing Web 2.0
Managing and Securing Web 2.0Managing and Securing Web 2.0
Managing and Securing Web 2.0Jason Edelstein
 
Security and privacy
Security and privacySecurity and privacy
Security and privacyMohammed Adam
 
Tim Willoughby presentation to cloud workshop 2016
Tim Willoughby presentation to cloud workshop 2016Tim Willoughby presentation to cloud workshop 2016
Tim Willoughby presentation to cloud workshop 2016Tim Willoughby
 
Cyber Security College Workshop
Cyber Security College WorkshopCyber Security College Workshop
Cyber Security College WorkshopRahul Nayan
 

Recomendados

Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Kim Jensen
 
State of Internet 2H 2008
State of Internet 2H 2008State of Internet 2H 2008
State of Internet 2H 2008Kim Jensen
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityNational LECET
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118AngelaHoltby
 
Managing and Securing Web 2.0
Managing and Securing Web 2.0Managing and Securing Web 2.0
Managing and Securing Web 2.0Jason Edelstein
 
Security and privacy
Security and privacySecurity and privacy
Security and privacyMohammed Adam
 
Tim Willoughby presentation to cloud workshop 2016
Tim Willoughby presentation to cloud workshop 2016Tim Willoughby presentation to cloud workshop 2016
Tim Willoughby presentation to cloud workshop 2016Tim Willoughby
 
Cyber Security College Workshop
Cyber Security College WorkshopCyber Security College Workshop
Cyber Security College WorkshopRahul Nayan
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber ResilienceIan-Edward Stafrace
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowCyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowStephen Cobb
 
ACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of securityACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of securitysiswarren
 
INSECURE Magazine - 39
INSECURE Magazine - 39INSECURE Magazine - 39
INSECURE Magazine - 39Felipe Prado
 
Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeIan Lee
 
Network Security of Data Protection
Network Security of Data ProtectionNetwork Security of Data Protection
Network Security of Data ProtectionUthsoNandy
 
Akamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalAkamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalCheryl Goldberg
 
The importance of information security nowadays
The importance of information security nowadaysThe importance of information security nowadays
The importance of information security nowadaysPECB
 
How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsLondon School of Cyber Security
 
Ijnsa050215
Ijnsa050215Ijnsa050215
Ijnsa050215IJNSA Journal
 
Isolation Platform - Data Sheet
Isolation Platform - Data SheetIsolation Platform - Data Sheet
Isolation Platform - Data SheetSutedjo Tjahjadi
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Cybersecurity for the non-technical
Cybersecurity for the non-technicalCybersecurity for the non-technical
Cybersecurity for the non-technicalStephen Cobb
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT SecurityLondon School of Cyber Security
 
Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Creus Moreira Carlos
 
Etude sur le marché de la cyber sécurité (2011)
Etude sur le marché de la cyber sécurité (2011) Etude sur le marché de la cyber sécurité (2011)
Etude sur le marché de la cyber sécurité (2011) PwC France
 
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat ReportTECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat ReportSymantec
 
Sizing the Cyber Skills Gap
Sizing the Cyber Skills GapSizing the Cyber Skills Gap
Sizing the Cyber Skills GapStephen Cobb
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
Overview of Information Security & Privacy
Overview of Information Security & PrivacyOverview of Information Security & Privacy
Overview of Information Security & PrivacyNawanan Theera-Ampornpunt
 
The next generation - by Stuart Ntlathi
The next generation - by Stuart NtlathiThe next generation - by Stuart Ntlathi
The next generation - by Stuart NtlathiRAMP Group
 
Ave Maria en Kathedraal de Gaudi
Ave Maria en Kathedraal de GaudiAve Maria en Kathedraal de Gaudi
Ave Maria en Kathedraal de GaudiLuiz Carlos Dias
 

Más contenido relacionado

La actualidad más candente

Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowCyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowStephen Cobb
 
ACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of securityACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of securitysiswarren
 
INSECURE Magazine - 39
INSECURE Magazine - 39INSECURE Magazine - 39
INSECURE Magazine - 39Felipe Prado
 
Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeIan Lee
 
Network Security of Data Protection
Network Security of Data ProtectionNetwork Security of Data Protection
Network Security of Data ProtectionUthsoNandy
 
Akamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalAkamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalCheryl Goldberg
 
The importance of information security nowadays
The importance of information security nowadaysThe importance of information security nowadays
The importance of information security nowadaysPECB
 
How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsLondon School of Cyber Security
 
Isolation Platform - Data Sheet
Isolation Platform - Data SheetIsolation Platform - Data Sheet
Isolation Platform - Data SheetSutedjo Tjahjadi
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Cybersecurity for the non-technical
Cybersecurity for the non-technicalCybersecurity for the non-technical
Cybersecurity for the non-technicalStephen Cobb
 
Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Creus Moreira Carlos
 
Etude sur le marché de la cyber sécurité (2011)
Etude sur le marché de la cyber sécurité (2011) Etude sur le marché de la cyber sécurité (2011)
Etude sur le marché de la cyber sécurité (2011) PwC France
 
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat ReportTECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat ReportSymantec
 
Sizing the Cyber Skills Gap
Sizing the Cyber Skills GapSizing the Cyber Skills Gap
Sizing the Cyber Skills GapStephen Cobb
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 

La actualidad más candente (20)

Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowCyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrow
 
ACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of securityACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of security
 
INSECURE Magazine - 39
INSECURE Magazine - 39INSECURE Magazine - 39
INSECURE Magazine - 39
 
Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian Lee
 
Network Security of Data Protection
Network Security of Data ProtectionNetwork Security of Data Protection
Network Security of Data Protection
 
Akamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalAkamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_Final
 
The importance of information security nowadays
The importance of information security nowadaysThe importance of information security nowadays
The importance of information security nowadays
 
How To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and ForensicsHow To Defeat Advanced Malware. New Tools for Protection and Forensics
How To Defeat Advanced Malware. New Tools for Protection and Forensics
 
Ijnsa050215
Ijnsa050215Ijnsa050215
Ijnsa050215
 
Isolation Platform - Data Sheet
Isolation Platform - Data SheetIsolation Platform - Data Sheet
Isolation Platform - Data Sheet
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Cybersecurity for the non-technical
Cybersecurity for the non-technicalCybersecurity for the non-technical
Cybersecurity for the non-technical
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
 
Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012
 
Etude sur le marché de la cyber sécurité (2011)
Etude sur le marché de la cyber sécurité (2011) Etude sur le marché de la cyber sécurité (2011)
Etude sur le marché de la cyber sécurité (2011)
 
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat ReportTECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
 
Sizing the Cyber Skills Gap
Sizing the Cyber Skills GapSizing the Cyber Skills Gap
Sizing the Cyber Skills Gap
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
 
Overview of Information Security & Privacy
Overview of Information Security & PrivacyOverview of Information Security & Privacy
Overview of Information Security & Privacy
 

Destacado

The next generation - by Stuart Ntlathi
The next generation - by Stuart NtlathiThe next generation - by Stuart Ntlathi
The next generation - by Stuart NtlathiRAMP Group
 
Ave Maria en Kathedraal de Gaudi
Ave Maria en Kathedraal de GaudiAve Maria en Kathedraal de Gaudi
Ave Maria en Kathedraal de GaudiLuiz Carlos Dias
 
Czytam, więc wiem
Czytam, więc wiemCzytam, więc wiem
Czytam, więc wiemporanny24
 
Otoño en la Patagonia argentina
Otoño en la Patagonia argentinaOtoño en la Patagonia argentina
Otoño en la Patagonia argentinaLuiz Carlos Dias
 
Henk Kleynhans
Henk KleynhansHenk Kleynhans
Henk KleynhansRAMP Group
 
Spam & Spyware Legal Study 2009
Spam & Spyware Legal Study 2009Spam & Spyware Legal Study 2009
Spam & Spyware Legal Study 2009Kim Jensen
 

Destacado (6)

The next generation - by Stuart Ntlathi
The next generation - by Stuart NtlathiThe next generation - by Stuart Ntlathi
The next generation - by Stuart Ntlathi
 
Ave Maria en Kathedraal de Gaudi
Ave Maria en Kathedraal de GaudiAve Maria en Kathedraal de Gaudi
Ave Maria en Kathedraal de Gaudi
 
Czytam, więc wiem
Czytam, więc wiemCzytam, więc wiem
Czytam, więc wiem
 
Otoño en la Patagonia argentina
Otoño en la Patagonia argentinaOtoño en la Patagonia argentina
Otoño en la Patagonia argentina
 
Henk Kleynhans
Henk KleynhansHenk Kleynhans
Henk Kleynhans
 
Spam & Spyware Legal Study 2009
Spam & Spyware Legal Study 2009Spam & Spyware Legal Study 2009
Spam & Spyware Legal Study 2009
 

Similar a Mitigating Web 2.0 Threats

Automating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and ComplianceAutomating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and ComplianceQualys
 
Information security - what is going on 2016
Information security - what is going on 2016Information security - what is going on 2016
Information security - what is going on 2016Tomppa Järvinen
 
Community IT Webinar - Crafting IT Security Policy Apr 2015
Community IT Webinar - Crafting IT Security Policy Apr 2015Community IT Webinar - Crafting IT Security Policy Apr 2015
Community IT Webinar - Crafting IT Security Policy Apr 2015Community IT Innovators
 
Cerdant Security State of the Union
Cerdant Security State of the UnionCerdant Security State of the Union
Cerdant Security State of the UnionDavid Perkins
 
Cybersecurity
Cybersecurity Cybersecurity
Cybersecurity nado-web
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Mark Williams
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012DaveEdwards12
 
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦Infosec train
 
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦priyanshamadhwal2
 
Security+ SY0-701 CERTIFICATION TRAINING.pdf
Security+ SY0-701 CERTIFICATION TRAINING.pdfSecurity+ SY0-701 CERTIFICATION TRAINING.pdf
Security+ SY0-701 CERTIFICATION TRAINING.pdfinfosecTrain
 
CompTIA Security+ (Plus) Certification Training Course
CompTIA Security+ (Plus) Certification Training CourseCompTIA Security+ (Plus) Certification Training Course
CompTIA Security+ (Plus) Certification Training CourseInfosecTrain Education
 
CompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdfCompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdfInfosec train
 
CompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdfCompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdfpriyanshamadhwal2
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022PECB
 
Cybersecurity.pptx
Cybersecurity.pptxCybersecurity.pptx
Cybersecurity.pptxJohn Donahue
 

Similar a Mitigating Web 2.0 Threats (20)

Automating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and ComplianceAutomating Critical Security Controls for Threat Remediation and Compliance
Automating Critical Security Controls for Threat Remediation and Compliance
 
Information security - what is going on 2016
Information security - what is going on 2016Information security - what is going on 2016
Information security - what is going on 2016
 
Community IT Webinar - Crafting IT Security Policy Apr 2015
Community IT Webinar - Crafting IT Security Policy Apr 2015Community IT Webinar - Crafting IT Security Policy Apr 2015
Community IT Webinar - Crafting IT Security Policy Apr 2015
 
Cerdant Security State of the Union
Cerdant Security State of the UnionCerdant Security State of the Union
Cerdant Security State of the Union
 
Cybersecurity
Cybersecurity Cybersecurity
Cybersecurity
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
 
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
 
Security+ SY0-701 CERTIFICATION TRAINING.pdf
Security+ SY0-701 CERTIFICATION TRAINING.pdfSecurity+ SY0-701 CERTIFICATION TRAINING.pdf
Security+ SY0-701 CERTIFICATION TRAINING.pdf
 
CompTIA Security+ (Plus) Certification Training Course
CompTIA Security+ (Plus) Certification Training CourseCompTIA Security+ (Plus) Certification Training Course
CompTIA Security+ (Plus) Certification Training Course
 
CompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdfCompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdf
 
CompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdfCompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdf
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
 
Cybersecurity.pptx
Cybersecurity.pptxCybersecurity.pptx
Cybersecurity.pptx
 
Web security 2012
Web security 2012Web security 2012
Web security 2012
 

Más de Kim Jensen

Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsKim Jensen
 
OpenDNS presenter pack
OpenDNS presenter packOpenDNS presenter pack
OpenDNS presenter packKim Jensen
 
Infoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedInfoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedKim Jensen
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
5 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 20035 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 2003Kim Jensen
 
Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014Kim Jensen
 
Cisco 2013 Annual Security Report
Cisco 2013 Annual Security ReportCisco 2013 Annual Security Report
Cisco 2013 Annual Security ReportKim Jensen
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat ReportKim Jensen
 
Security Survey 2013 UK
Security Survey 2013 UKSecurity Survey 2013 UK
Security Survey 2013 UKKim Jensen
 
Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report Kim Jensen
 
DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012Kim Jensen
 
Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Kim Jensen
 
Data Breach Investigations Report 2012
Data Breach Investigations Report 2012Data Breach Investigations Report 2012
Data Breach Investigations Report 2012Kim Jensen
 
State of Web Q3 2011
State of Web Q3 2011State of Web Q3 2011
State of Web Q3 2011Kim Jensen
 
Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011Kim Jensen
 
Corporate Web Security
Corporate Web SecurityCorporate Web Security
Corporate Web SecurityKim Jensen
 
Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011Kim Jensen
 
Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011Kim Jensen
 
Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010Kim Jensen
 
Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)Kim Jensen
 

Más de Kim Jensen (20)

Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
 
OpenDNS presenter pack
OpenDNS presenter packOpenDNS presenter pack
OpenDNS presenter pack
 
Infoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedInfoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updated
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
5 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 20035 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 2003
 
Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014
 
Cisco 2013 Annual Security Report
Cisco 2013 Annual Security ReportCisco 2013 Annual Security Report
Cisco 2013 Annual Security Report
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat Report
 
Security Survey 2013 UK
Security Survey 2013 UKSecurity Survey 2013 UK
Security Survey 2013 UK
 
Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report
 
DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012
 
Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)
 
Data Breach Investigations Report 2012
Data Breach Investigations Report 2012Data Breach Investigations Report 2012
Data Breach Investigations Report 2012
 
State of Web Q3 2011
State of Web Q3 2011State of Web Q3 2011
State of Web Q3 2011
 
Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011
 
Corporate Web Security
Corporate Web SecurityCorporate Web Security
Corporate Web Security
 
Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011
 
Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011
 
Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010
 
Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)
 

Último

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 

Último (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 

Mitigating Web 2.0 Threats

  • 1. Mitigating Web 2.0 Threats Or, “This isn’t your mother’s internet!” David Sherry CISSP CISM Chief Information Security Officer Sponsored By: Brown University
  • 2. Security @ Brown •Security evangelism •Public Safety support •Incident Response Team •Human Resources support •Audit support •Records Management •Compliance and legal •Business Continuity standards •Disaster Recovery •Firewalls, IDS, IPS, VPN, •Copyright / DMCA agent sniffers, A/V, DNS, etc…. •Discipline Committee •Security audits and •Mandatory / elective training certifications •Awareness 2
  • 3. Today’s Agenda (or is it a mashup?) • Our changing world of security • What is web 2.0? • Attack vectors and areas of concern • The evolution of the threats….they’re nothing new! • What should be focused on • Recommendations to reduce the threat
  • 4. Our World is Changing May you live in interesting times….. Chinese Proverb • Compliance is a key competency of security pros • Identity Theft is fastest growing crime • President’s Cyber Security Initiative provides spotlight • Online underground economy has matured • National and global economy means “do more with less” • Threat evolution: • Infrastructure > web/messaging > DLP > Web 2.0
  • 5. What is Web 2.0? Used with permission via Creative Commons: http://kosmar.de/archives/2005/11/11/the-huge-cloud-lens-bubble-map-web20/
  • 6.
  • 7. What is Web 2.0? From Wikipedia: (which is, itself, a 2.0 phenomenon) "Web 2.0" refers to web development and web design that facilitates interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web. Examples of Web 2.0 include web-based communities, hosted services, web applications, social-networking sites, video-sharing sites, wikis, blogs, mashups and folksonomies. A Web 2.0 site allows its users to interact with other users or to change website content, in contrast to non-interactive websites where users are limited to the passive viewing of information that is provided to them.
  • 8. Common Web 2.0 Descriptors • “User generated content” • “Mashups and web services” • “Consumer and enterprise convergence” • “Diversity of client software” • “Complexity and asynchronous operations”
  • 9. The Enterprise Triple-Threat of 2.0 1. Loss of productivity 2. Vulnerable to data leaks 3. Increased security risks
  • 10. Characteristics of Web 2.0 Security • Web filtering is no longer adequate • AJAX, SAML, XML create problems for detection • RSS and RIA can enter directly into networks • Non-static makes identification difficult • High bandwidth use can hinder availability • User generated content hard to contain
  • 11. Web 2.0 Attack Vectors • Blogs • Social networks • Web portals • Mashups • Pop-ups • Anonymizing proxies • Spamdexing • Widgets
  • 12. Web 2.0 Areas of Concern • Client side issues • Transparency and cross-domain communications; AJAX and JavaScript attacks on the rise • Protocols • New protocols on top of HTTP/S (SOAP, XML, etc) • Information sources • Concerns over integrity, transiency, and diversity • Information structures • Variations of data structures, injection attacks • Server side • Architecture, authorization, and authentication weaknesses
  • 13. Evolution of the Threats in 2.0 • USB and auto-run malicious code • Insiders are a threat, but they don’t know it • Adobe PDFs and Flash replace Word and Excel • Worms travel through social spaces into offices • DOS attacks against social networks • Malware travels via all conduits • Pop-ups advertise seemingly legitimate services and take advantage of current events
  • 14. So what do you focus on? From Secure Enterprise 2.0, the dangers come from: 1. Insufficient authentication controls 2. Cross-site scripting 3. Cross-site request forgery 4. Phishing 5. Information leakage 6. Injection flaws 7. Information integrity 8. Insufficient anti-automation www.secure-enterprise20.org
  • 15. Recommendations for Web 2.0 Technical: • Experts recommend a three-tiered, integrated data protection approach: • Maintain vigilant anti-virus protection • Establish a robust anti-malware protection program • Utilize an AJAX-aware analysis platform • Use real-time content and security scanning • Make sure browsers and plug-ins are patched • Don’t just patch “high” rated patches! • Remember your end points • Use encryption as a key strategic defense
  • 16. Recommendations for Web 2.0 Managerial: • Ensure that your policies are current and address 2.0 • Subjective policy setting • Group level access • Productivity based policies • Use a Data Loss Prevention as an essential teaching tool • Education and awareness must go beyond passwords • Ensure cross-functional response and participation • Speak with data!
  • 17. Ensuring a Defensive Web 2.0 Policy • Revisit your Acceptable Use Policy • View the policy from a web 2.0 lens • Be sure to cover new technologies like anonymizing proxies • Include other groups for strength • Human Resources, Risk Management, Privacy, Physical Security, Audit, and Legal • Step up your training and awareness for Web 2.0 concerns
  • 18. Support your policy through technology • IDS / IPS • Bandwidth shaping and throttling • Standard images • Group policy objects • Firewall rules • Anti-virus, spyware, and malware • Monitor for your good name!
  • 19. Summary • We are living in a changing world, and Web 2.0 is part of it • 2.0 brings added challenges and characteristics to security professionals • There are technical and managerial solutions to reduce Web 2.0 concerns • Like all emerging technologies and their related threats, a holistic security approach is needed
  • 20. There is never enough time; thank you for some of yours. David Sherry, CISSP CISM Chief Information Security Officer Brown University Campus Box 1885 Providence, RI 02912 401.863-7266 david_sherry@brown.edu
  • 21. Thanks to our Sponsors Product trial download page Free Whitepaper: Reduce shopping cart abandonment. Increase revenue.