Web Security.ppt
Web Security
Martin Nystrom, CISSP
Security Architect
Cisco Systems, Inc.
mnystrom@

Who am I?
- Security Architect in Cisco’s InfoSec
- Responsible for consulting with application teams to secure their architecture
- Monitor for infrastructure vulnerabilities
- Infrastructure security architect
- 12 years developing application architectures
- Java programmer
- Master of Engineering – NC State University
- Bachelor’s – Iowa State University (1990)

Why worry?
- G sanctioned by FTC for exposing private information
  “…permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site’s customer database.”
- U.S. Army systems hacked using WebDAV vulnerability in IIS
  “…it was a disturbingly successful attack, experts say, because the intruder found and exploited a flaw that took security researchers completely by surprise.”
- Millions of credit card numbers compromised at Data Processors International
  All indications are the attack on this company’s (Internet) address came from the outside, and efforts continue to analyze this attack to see if it could be traced to the attacker, the investigator said.
- Utah ISP is victim of retaliation following hackers attack on Al-Jazeera
  “…impersonating an Al-Jazeera employee, tricked the Web addressing company Network Solutions into making technical changes that effectively turned over temporary control of the network’s Arabic and English Web sites...”

Why worry? (cont.)
The goal of an attack
- Steal data
- Blackmail
- Beachhead for other attacks
- Bragging rights
- Vandalism
- Demonstrate vulnerability/satisfy curiosity
- Damage company reputation

A word of warning
- These tools and techniques can be dangerous
- The difference between a hacker and a cracker is…permission
- Admins will see strange activity in logs, and come looking for you
- Authorities are prosecuting even the “good guys” for using these tools

Commonly attacked services
- SMTP servers (port 25)
- sendmail: “The address parser performs insuff