Slide 1

The Corporate Web Security Landscape

An Ethical Hacker’s View

Peter Wood, Chief Executive Officer

First•Base Technologies LLP


Slide 2 © First Base Technologies 2011

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First•Base in 1989 (one of the first ethical hacking firms)

CEO, First Base Technologies LLP

Social engineer & penetration tester

Conference speaker and security ‘expert’

Chair of Advisory Board at CSA UK & Ireland

Vice Chair of BCS Information Risk Management and Audit Group

Vice President UK/EU, Global Institute for Cyber Security + Research

Member of ISACA Security Advisory Group

Corporate Executive Programme Expert

Knowthenet.org.uk Expert

IISP Interviewer

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP

Registered BCS Security Consultant

Member of ACM, ISACA, ISSA, Mensa

Slide 3

Information leakage

Slide 4

Web Security Issues

• Drive-by malware infection

• Phishing and spear phishing

• Social networking attacks

Slide 5

Web Security Issues

• Drive-by malware infection

• Phishing and spear phishing

• Social networking attacks

Slide 6

The Statistics

Cisco 1Q11 Global Threat Report

Slide 7

Drive-by Malware Infection

• Just surfing to a compromised website is enough to infect your computer

• The malware exploits security holes in browsers and plug-ins

Slide 8

Drive-by Malware Infection

• Web sites often employ JavaScript, Java, ActiveX, PHP or Adobe Flash

• These allow continuous communication between browser and server without user intervention

• Legitimate uses include changing web banners, loading lists or sending data to servers

• If a browser has an unpatched vulnerability, malicious scripts can access a user's computer directly

• Thus malware can move from the server to the browser, and via the vulnerability to the user's computer, without any conscious action by the website visitor at all

• Even legitimate, well-known and frequently-visited websites can be infected

Slide 9

[Chart: Browser Version %]

Slide 10

Operation Aurora

• Two days after the attack became public, McAfee reported that the attackers had exploited purported zero-day vulnerabilities (unfixed and previously unknown to the target system developers) in Internet Explorer and dubbed the attack ‘Operation Aurora’

• In an advisory on January 14, 2010, Microsoft said that attackers targeting Google and other U.S. companies used software that exploits a hole in Internet Explorer

• The vulnerability affected Internet Explorer versions 6, 7, and 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4
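As an added illustration of the "check regularly" side of what slides 8 and 10 describe (this is not part of the deck and not code from First Base), the script below inventories browser versions from a web proxy log, produces the kind of version share shown on slide 9, and flags clients still running the Internet Explorer versions the deck names as affected. The log format (client, URL, quoted User-Agent), the sample lines and the `SAMPLE_LOG` name are all constructed for this example; adapt `LINE_RE` to your own proxy's format and `AURORA_AFFECTED` to your own patch baseline.

```python
import re
from collections import Counter

# Browser/major-version pairs named on slide 10 as affected by the Operation Aurora
# Internet Explorer vulnerability (IE 6, 7 and 8). Extend with your own patch baseline.
AURORA_AFFECTED = {("MSIE", 6), ("MSIE", 7), ("MSIE", 8)}

# Constructed sample proxy log (client, URL, quoted User-Agent); not a real capture.
SAMPLE_LOG = """\
10.1.2.10 http://intranet.example/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.11 http://news.example/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.1.2.12 http://news.example/ "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
10.1.2.13 http://mail.example/ "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30"
10.1.2.10 http://partner.example/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.14 http://intranet.example/ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

# Assumed log line layout: <client> <url> "<user-agent>". Adjust for your proxy.
LINE_RE = re.compile(r'^(?P<client>\S+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$')

# Checked in order: a Chrome UA also contains "Safari" and every UA contains "Mozilla",
# so the most specific product token has to be tested first.
BROWSER_RES = [
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)")),
]


def parse_line(line):
    """Split one log line into (client, url, user_agent); None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), m.group("url"), m.group("ua")


def browser_of(ua):
    """Return (browser name, major version) from a User-Agent string, or ("Unknown", None)."""
    for name, rx in BROWSER_RES:
        m = rx.search(ua)
        if m:
            return name, int(m.group(1))
    return "Unknown", None


def audit(log_text):
    """Build a per-client browser inventory and report the clients on an affected IE version."""
    clients = {}      # client -> (browser, major); last observation wins
    skipped = 0       # lines that did not match the assumed layout
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        client, _url, ua = parsed
        clients[client] = browser_of(ua)

    # Share is computed per distinct client so one chatty host does not skew the picture.
    labels = Counter(f"{name} {major}" if major is not None else name
                     for name, major in clients.values())
    total = len(clients)
    version_share = {label: round(100.0 * n / total, 1) for label, n in labels.items()} if total else {}
    affected = sorted(c for c, b in clients.items() if b in AURORA_AFFECTED)
    return {
        "clients": clients,
        "version_share": version_share,
        "affected_clients": affected,
        "affected_fraction": (len(affected) / total) if total else 0.0,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for label, pct in sorted(report["version_share"].items()):
        print(f"{label:12s} {pct:5.1f}%")
    print("clients on an affected IE version:", ", ".join(report["affected_clients"]))
    print(f"affected fraction: {report['affected_fraction']:.0%}")
```

Feeding a day of real proxy logs through `audit` gives the same two things the deck asks for: a version share to compare against the slide 9 chart, and a concrete list of hosts to patch first. Lines that do not match the assumed layout are counted in `skipped_lines` rather than silently dropped, so a format mismatch shows up in the report instead of producing an empty inventory.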

Slide 11

Web Security Issues

• Drive-by malware infection

• Phishing and spear phishing

• Social networking attacks

Slide 12

Slide 13

Spear phishing

Slide 14

Web Security Issues

• Drive-by malware infection

• Phishing and spear phishing

• Social networking attacks

Slide 15

Source: January 2009 - www.lavasoft.com

Malware on LinkedIn

Slide 16

Malware on Facebook

• Users don’t always realize that third-party widgets for Facebook, for example, aren’t written by Facebook

• Some collect more information than necessary or safe

• Others have been written specifically to install adware or generate revenue

• “Secret Crush” on Facebook spread spyware

• Victims received an invitation to find out who has a secret “crush” on them, which lured them into installing the Secret Crush app; the app spread spyware via an iFrame

• The attack became worm-like when it required the victim to invite at least five friends before learning who their “crush” was

Kelly Jackson Higgins, DarkReading

Slide 17

Source: 3 May 2011 - http://technolog.msnbc.msn.com

Slide 18

Source: http://www.independent.co.uk

Social Networking Attacks

Slide 19

DON’T PANIC! (assuming you’re the only user)

Slide 20

Patch and Check Regularly!

Slide 21

Control Your Web Browsing

Slide 22

Think Before You Click!

Slide 23

Don’t Forget to Cross Your Fingers!

Slide 24

Peter Wood, Chief Executive Officer

First•Base Technologies LLP

[email protected]

Twitter: peterwoodx

Blog: fpws.blogspot.com

http://firstbase.co.uk

http://white-hats.co.uk

http://peterwood.com

Need more information?