Security on Web 2.0
Krasznay Csaba
Google Search Trends
Press Trends
malware
deface
data breach
gossip
phishing
deathlynching
anti-privacy
child porn
data retention
Media Image of Web 2.0
What really is Web 2.0?
Risk Assessment
Threats exploit Vulnerabilities, cause Incidents, damage Assets, and have Impacts on the Owner.
Web 2.0 threats
• Hacker attack
• Malware infection
• Data loss
• No traces
• Copyright violation
• Software errors
• Data leaks

• Infection and downtime
• Data leaks
• Legal prosecution
• Productivity loss
• Resource waste
• Reputation damage

• Botnets
• Financial losses
• Identity theft
• Harassment
• Age verification threats
• Spam
• Hiding of origin
• Resource consumption
• Information fraud
• Inaccuracies of data
Web 2.0 vulnerabilities
• Injection Attacks
• Cross-Site scripting
• Cross-Domain Attacks
• Malicious scripts
• Framework vulnerabilities
• Access, Authentication, Authorisation
• Development Process Issues
• Knowledge and Information Management vulnerabilities
• End-user Related problems
• General Software and Scripting Vulnerabilities
Target: the Person
• Think about cyber-bullying and cyber-stalking
• Threats: Identity theft, Harassment, Age verification threats
• Vulnerabilities: Access, Authentication, Authorisation; End-user Related problems
• Incident: the story of Megan Meier
• And think about what happened with Lori Drew…
• Asset: Private information, personal reputation, physical security
• Impact: lethal…
Target: the Company
• Think about the Twitter account hacks
• Threats: Identity theft, Harassment, Spam, Information fraud
• Vulnerabilities: Access, Authentication, Authorisation; Knowledge and Information Management vulnerabilities
• Incident: celebrity Twitter hacks
• Asset: Corporate and personal reputation, corporate secrets
• Impact: high
Target: the Country
• Think about WikiLeaks
• Threat: Data leak
• Vulnerabilities: Access, Authentication, Authorisation; Development Process Issues; Knowledge and Information Management vulnerabilities; End-user Related problems; General Software and Scripting Vulnerabilities
• Incident: Afghan War Diary
• Impact: high (maybe lethal?)
Target: the Computer
• Think about the Web 2.0 worms
• Threats: Botnets, Financial losses, Identity theft, Spam, Hiding of origin, Resource consumption
• Vulnerabilities: Access, Authentication, Authorisation; Development Process Issues; End-user Related problems; General Software and Scripting Vulnerabilities
• Incident: the KOOBFACE worm
• Impact: high
Conclusions
• Nothing has changed in our behaviour for centuries, but we have new tools and a broader audience
• Web 2.0 services are generally more secure in the traditional technical sense than other types of web services, but preventive controls are not enough
• We have to deal with the problem between the keyboard and the chair…
Maslow's hierarchy of needs
• Web 2.0 realizes three layers of human needs
• So people need safety and security – but maybe we haven't realised it yet
• If Web 2.0 can be lethal, do we also need the physiological layer?
Countermeasures
• Technical countermeasures
– Preventive controls focusing on information (DLP)
– Detective controls (log management)
– Secure applications (WAF, application controls)
• Administrative countermeasures
– New security policy approach
– New legal background
– Broad awareness training
– Communication, communication, communication
• Mathematical countermeasures
– The more information we have, the less value it has
THANK YOU!
E-mail: [email protected]
Web: www.krasznay.hu
Facebook: http://www.facebook.com/krasznay.csaba
Twitter: http://twitter.com/csabika25