2. CYBERSECURITY COMPONENTS
WWW.CYBERGATES.ORG
CIA model
• Confidentiality: keep data secret from those not authorized to see it.
• Integrity: prevent unauthorized tampering.
• Availability: ensure authorized parties can access the data.
IAA model
• Identification: who I claim to be (e.g. username, digital certificate).
• Authentication: how I prove it (password, signature).
• Authorization: what that person is allowed to do (e.g. role-based security).
4. STATISTIC DATA
“Over 3 million suspicious login attempts and other types of intrusions targeting information systems and official websites belonging to the Government of the Republic of Armenia have been prevented in 2018”
The National Security Service of the Republic of Armenia
Hacked websites
Over 4 thousand hacked websites.
Mass cyber attacks:
• January 2011 (379)
• July 2012 (364)
• February 2013 (275)
• February 2014 (359)
• April 2015 (129)
• December 2016 (188)
5. MASS ATTACKS
Top 5 categories
• Websites that use the same CMS (WordPress, Joomla, etc.)
• Websites built by the same developer(s)
• Websites that use the same technology, library or component
• Websites hosted by the same hosting provider
• Websites of agencies/companies working in the same industry
6. TARGETED ATTACKS
Top 5 categories
• Small, outdated websites that are easy to hack
• Government agencies
• News and media websites
• Hosting and Internet Service Providers (ISPs)
• Universities and financial institutions
7. INCIDENT AND VULNERABILITY FACTS
• The average number of serious vulnerabilities per website is 56.
• Serious vulnerabilities are resolved in an average of 193 days from first notification.
• 43% of cyber attacks target small businesses.
• 30% of SMEs lack an incident response plan.
• 68% of funds lost as a result of a cyber attack were declared unrecoverable.
• 60% of small businesses close their doors within 6 months after a serious cyber attack.
8. REAL WORLD EXAMPLES
“The revelation of the 3 billion accounts hack could have implications for the $4.8 billion sale of Yahoo to Verizon.”
“Microsoft Corp. closed its roughly $26 billion deal to buy professional-networking site LinkedIn a few weeks after an incident in which a hacker put up 167 million LinkedIn passwords for sale.”
10. EXAMPLE OF A THREAT
DOES YOUR WEBSITE HOST MALWARE? IS IT SECRETLY MINING BITCOIN?
Check it yourself: www.websecurity.pro
11. TOP VULNERABILITIES
• Injection
• Broken Authentication
• Sensitive data exposure
• XML External Entities (XXE)
• Broken Access control
• Security misconfigurations
• Cross Site Scripting (XSS)
• Insecure Deserialization
• Using Components with known vulnerabilities
• Insufficient logging and monitoring
OWASP TOP 10
Source: https://www.owasp.org/index.php/Top_10-2017_Top_10
12. EXAMPLE OF AN SQL INJECTION ATTACK
Example URL
http://site.com/product.php?id=1348+AND+1=2+union+select+1,2,user(),database(),5,version(),7+--
Example Output
13. TYPES OF SQL INJECTION ATTACK
Normal: the attacker sends a custom SQL query and sees its output directly on the page.
http://site.com/product.php?id=1348+AND+1=2+union+select+1,2,user(),database(),5,version(),7+--
Blind: identical to a normal SQL injection, except that the injected query yields only a positive or negative (true/false) response instead of visible output.
http://site.com/view.php?page=10+and+substring(@@version,1,1)=5+--
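As an added illustration, not part of the original slides, the following Python scans web-server access-log lines for the two request patterns shown above (union-based and boolean-based injection), the kind of check a WAF or log monitor would apply. The log lines, client IPs and timestamps are constructed; the request paths are the two example URLs from these slides.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined-log style). The two
# suspicious request paths are the example URLs from slides 12 and 13.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:12:01:05 +0400] "GET /product.php?id=1348 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2019:12:01:09 +0400] "GET /product.php?id=1348+AND+1=2+union+select+1,2,user(),database(),5,version(),7+-- HTTP/1.1" 200 6144
198.51.100.23 - - [10/Mar/2019:12:02:41 +0400] "GET /view.php?page=10+and+substring(@@version,1,1)=5+-- HTTP/1.1" 200 4096
198.51.100.23 - - [10/Mar/2019:12:03:02 +0400] "GET /view.php?page=10 HTTP/1.1" 200 4096
"""

# Detection rules applied to each URL-decoded query parameter value.
# "union-based" matches the normal (output-returning) injection on slide 12,
# "boolean-blind" the true/false probe on slide 13; a trailing SQL comment
# is flagged separately because it is common to both.
RULES = [
    ("union-based", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("boolean-blind", re.compile(r"\b(and|or)\b\s+[\w@().,]+\s*=\s*\w+", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
]

# client ip, ident, user, [timestamp], "METHOD target PROTOCOL", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def classify_value(value):
    """Return the rule labels matched by one decoded parameter value."""
    return [label for label, rx in RULES if rx.search(value)]

def scan_log(text):
    """Return (client_ip, parameter, decoded value, labels) for each
    request whose query string matches at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        # parse_qsl splits on the first '=' only and decodes '+' and %XX,
        # so "id=1348+AND+1=2..." yields the whole injected payload as value
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            labels = classify_value(value)
            if labels:
                findings.append((ip, name, value, labels))
    return findings

if __name__ == "__main__":
    for ip, name, value, labels in scan_log(SAMPLE_LOG):
        print(f"{ip} param={name!r} {labels}: {value}")
```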
15. PLAN A: FIXING THE PROBLEM
Reactive approaches
• Support
  • E-mail notifications about an incident
  • Online support (SIP calls)
• Computer Emergency Response Team (CERT)
• Investigation (digital forensics)
• Consultancy
16. PLAN B: AVOIDING THE PROBLEM
Proactive approaches
• Assessment
  • Network/host vulnerability assessment
  • Penetration testing
  • Source code auditing
• Real-time protection (NIDS/HIDS, WAF)
• Training and awareness
  • Cybersecurity news and analysis
  • Public seminars and workshops
  • Corporate trainings
  • University programs
17. EVALUATE RISK IN YOUR BUSINESS
EVALUATE YOUR BUSINESS RISKS
www.websecurity.pro