Information Security Controls for Personal Data: Enforcing Technical Protection from Gateway to Endpoint


Upload: iona

Post on 05-Jan-2016


DESCRIPTION

Information Security Controls for Personal Data: Enforcing Technical Protection from Gateway to Endpoint. V 0.9. Your Security, Our Mission: enterprise information security, guarded by 桓基. Presentation outline: Preface: statistics on data leakage; information retention; the technical layer; blocking the data transmission path - Web Application; blocking the data transmission path - Email; blocking the data transmission path - remote screen control. Preface: statistics on data leakage. DataLoss DB. 2005 ~ 2006 was the breakout point for data breach incidents. 410.2%. The economic climate also correlates positively with data breaches. 357.8%. Data source. - PowerPoint PPT Presentation

TRANSCRIPT


Slide 1: V 0.9. Your Security, Our Mission. Outline (four parts, 25% each): preface, statistics on data leakage; information retention and the technical layer; blocking the data transmission path - Web Application; blocking the data transmission path - Email; blocking the data transmission path - remote screen control. Slides 2-3. Slide 4: DataLoss DB.

Slide 5: 2005 ~ 2006, the breakout point for data breach incidents.

Slide 6: 410.2%; 357.8%.

Slides 7-8: DataLoss DB breach types

No.  Short Name         Description
1    Disposal Computer  Discovery of computers not disposed of properly
2    Disposal Document  Discovery of documents not disposed of properly
3    Disposal Tape      Discovery of backup tapes not disposed of properly
4    Disposal Drive     Discovery of disk drives not disposed of properly
5    Disposal Mobile    Discovery of data on a mobile phone or device such as tablets, etc.
6    Email              Email communication exposed to unintended third party
7    Fax                Fax communication exposed to unintended third party
8    Fraud Se           Fraud or scam (usually insider-related), social engineering
9    Hack               Computer-based intrusion, data not generally publicly exposed
10   Lost Computer      Lost computer (unspecified type in media reports)
11   Lost Document      Discovery of documents not disposed of properly through loss (not theft)
12   Lost Drive         Lost data drive (unspecified if IDE, SCSI, thumb drive, etc.)
13   Lost Laptop        Lost laptop (generally specified as a laptop in media reports)
14   Lost Media         Media (i.e. disks) reported to have been lost by a third party
15   Lost Mobile        Lost mobile phone or device such as tablets, etc. (unspecified in media reports)
16   Lost Tape          Lost backup tapes
17   Missing Document   Missing document, unknown or disputed whether lost or stolen
18   Missing Laptop     Missing laptop, unknown or disputed whether lost or stolen
19   Missing Media      Missing media, unknown or disputed whether lost or stolen
20   Snail Mail         Personal information in "snail mail" exposed to unintended third party
21   Stolen Computer    Stolen desktop (or unspecified computer type in media reports)
22   Stolen Document    Documents either reported or known to have been stolen by a third party
23   Stolen Drive       Stolen data drive (unspecified if IDE, SCSI, thumb drive, etc.)
24   Stolen Laptop      Stolen laptop (generally specified as a laptop in media reports)
25   Stolen Media       Media (disks or other) generally reported or known to have been stolen by a third party
26   Stolen Mobile      Stolen mobile phone or device such as tablets, etc.
27   Stolen Tape        Stolen backup tapes
28   Unknown            Unknown or unreported breach type
29   Virus              Exposure to personal information via virus or trojan (i.e. keystroke logger, possibly classified as hack)
30   Web                Computer/web-based intrusion, data typically available to the general public via search engines, public pages, etc.


Slide 12 (chart; category labels lost in extraction): 53%, 36%, 24%, 18%, 12%, 10%, 7%, 7%.


Slide 16 (numbered items 1-3; text lost in extraction): http://www.cdpa.org.tw/privacyagent.html


Slide 18: sample transformations of the identifier A123456789 (method labels lost in extraction):
A123456789 => zCD#45%FccKc$u
A123456789 => B125321123
A123456789 => A1*3*5*7*9

Slides 19-21 (tool names; surrounding text lost in extraction): 7-Zip; MS Word; USB: MS BitLocker, TrueCrypt (free), http://www.truecrypt.org/

Slide 22: Google "rar password cracker", "office password cracker"; 3D GPU.

Slide 23: ElcomSoft Co. Ltd.; DRM.

Slide 24: ACL.


Slide 28: DLP (Data Loss Prevention): File Protection; I/O Protection: USB; Network Protection: Email, MSN, Skype. Slides 29-30 (numbered items 1-2; text lost in extraction).

Blocking the data transmission path - web application. Slide 31 (Web): Gartner 70% (Web); Google 2/3 (Web); (IDS/IDP); Web Application Firewall.

Slide 32: Why?
Frequent: 3 out of 4 business websites are vulnerable to attack (Gartner)
Pervasive: 75% of hacks occur at the Application level (Gartner)
Undetected: QA testing tools not designed to detect security defects in applications; manual patching - reactive, never ending, time consuming and expensive
Dangerous: When exploited, security defects destroy company value and customer trust
>1000 application Healthchecks: 98% vulnerable; all had firewalls and encryption solutions in place

Slide 33. STEVE ORRIN: All of this should lead you to demand better application security. But, if you still need more facts, let's review some more data points:

Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited;

The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify.

The attacks are more pervasive. A F50 Sanctum customer found serious security defects in over 700 of its deployed applications

Finally, the attacks are growing more dangerous, and they usually go undetected.

When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems. Next slide

Slide 34: OWASP. Slide 35: Web.

Web services: Vulnerability Assessment & Consulting Service; Manual Penetration Test & Consulting Service; Automated and Manual Code Review & Consulting Service; Web Application Firewall.

Slide 36: Web; HTTP.


Slides 40-42: Web (Business Logic).


Slide 47: hidden form. Slide 48: JavaScript: queryLoginStts() -> Ajax(popup/ajax_isUsrLogin.html)


Business Criticality (Impact of Loss), defined by Business; Expected Security Assurance (Assessment Depth, Expected Level of Security), defined by Corporate Security; Assessment Levels; Security Assessment Techniques; Relative Depth?

Slide 51: WAF (Web). Slide 52: WAF. Slide 53: HTTP, HTTPS, SOAP, XML-RPC.

Blocking the data transmission path - Email (slides 54-56). Slide 55: Anti-Spam & Anti-Virus.


Slides 60-61: De-identify; Dynamic Data Masking; Mask; Scramble.
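The three transformations of A123456789 shown on slide 18 (a keyed one-way pseudonym, a format-preserving substitution and a partial mask) and the dynamic masking listed on slide 60, written out as an added Python example; this is not code from the deck or from 桓基. The key value, the function names and the identifier regular expression are assumptions, and because the deck does not give its algorithms the slide's exact outputs (zCD#45%FccKc$u, B125321123) are not reproduced, only the same shapes.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: the identifier used on slide 18 of the deck.
SAMPLE_ID = "A123456789"

# Assumption: a secret held only by the masking service, never stored beside the masked data.
PSEUDONYM_KEY = b"example-secret-key-rotate-me"

# Assumed pattern for the identifier format on the slide: one capital letter, a 1 or 2, eight digits.
ID_PATTERN = re.compile(r"\b[A-Z][12]\d{8}\b")


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY, length: int = 14) -> str:
    """First form on slide 18: an opaque one-way token (A123456789 => zCD#45%FccKc$u shape).

    HMAC-SHA256 is used instead of a bare hash: the identifier space is small (one letter
    plus nine digits), so an unkeyed digest could be reversed by enumerating every
    candidate. With a secret key the token is stable for joins but not reversible
    without the key."""
    digest = hmac.new(key, identifier.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def substitute(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Second form: format-preserving substitution (A123456789 => B125321123 shape).

    Every character is replaced by another of the same class, taken from the keyed
    digest, so the result still looks like a valid identifier and passes length and
    character-class checks in downstream systems that only need a realistic value."""
    stream = hmac.new(key, identifier.encode(), hashlib.sha256).digest()
    out = []
    for i, ch in enumerate(identifier):
        b = stream[i % len(stream)]
        if ch.isdigit():
            out.append(str(b % 10))
        elif ch.isalpha():
            out.append(chr(ord("A") + b % 26))
        else:
            out.append(ch)  # punctuation or spaces are kept as they are
    return "".join(out)


def mask(identifier: str, keep_positions=(0, 1, 3, 5, 7, 9), fill: str = "*") -> str:
    """Third form: partial mask (A123456789 => A1*3*5*7*9).

    Characters at the listed positions are kept, everything else is replaced by the
    fill character; the masked value can be shown to staff who need to confirm a
    record without seeing the full identifier."""
    return "".join(ch if i in keep_positions else fill for i, ch in enumerate(identifier))


def mask_in_text(text: str) -> str:
    """Dynamic masking (slide 60): rewrite every identifier found in free text on the
    way out of the system (log lines, tickets, screen output) using the partial mask."""
    return ID_PATTERN.sub(lambda m: mask(m.group(0)), text)


if __name__ == "__main__":
    print("pseudonym :", pseudonymize(SAMPLE_ID))
    print("substitute:", substitute(SAMPLE_ID))
    print("mask      :", mask(SAMPLE_ID))
    # Constructed log line for the dynamic form.
    print("dynamic   :", mask_in_text("ticket opened by A123456789 at 09:15"))
```

The pseudonym and the substitution are both deterministic, so the same identifier always maps to the same value and records can still be linked across masked data sets; that is also why the key must be protected and rotated like any other credential, since whoever holds it can regenerate the mapping. The partial mask is the only one of the three with no key at all, and it is also the only one that is irreversible by construction, because the masked digits are simply gone.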


Slide 62: PIM Security: Auto-Mask; SSL; Remote Wipe.
