Security For The People End-User Authentication Security On The Internet. Mark Stanislav
|
|
- Shon Skinner
- 6 years ago
- Views:
Transcription
1 Security For The People End-User Authentication Security On The Internet Mark Stanislav
2 A Few Notes on Research Methodology Worked backwards by establishing a list of services that provide users with availability of two-factor authentication Provides us with a more security-forward data set to begin with Gathered additional details per service regarding not just 2FA details but also TLS usage, browser headers, and cookie security! Focus on data completeness and accuracy as much as reasonably possible but this is *not* a scientific study! Does not include software packages with two factor
3 Primary Data Points Utilized Two-Factor Authentication Browser Security Features When was it first offered to users? How do users enroll to enable it? What method(s) are available? What do companies even call it? HTTP Strict Transport Security Content Security Policy X-Frame-Options X-XSS-Protection X-Content-Type-Options Transport Security Session Cookie HttpOnly Session Cookie Secure Do they utilize SSL/TLS for logins? What is their SSL Labs score?
4 Two Factor Deployments Per Year Since Google Authenticator s presence in 2011 has likely led to the mass Number of Deployments adoption of TOTP Many services that support TOTP just say they use Authenticator Facebook also enabled 2FA for users in * Year of Deployment Allows SMS + TOTP * Note, data is only through July 2014
5 How Does A User Actually Enroll In Two Factor? 132 Ease of enrollment is crucial for adoption of security controls Number of Services Having to call, fax, or even may be enough for a user to go! this seems like too much effort It s great to see such a high percent of services allowing users to self enroll (94%) Phone Call Mixed Self Enroll Method of Two Factor Enrollment But what about ease of use?
6 Collective Method Availability Across Services Number of Services Offering SMS Call Card Token Yubikey TOTP HOTP Mobile Duo Authy Rublon Method 12 of the 74 services that support TOTP are Bitcoin related 92% of all Bitcoin services offer TOTP, 62% only offer it to use 73% of hardware token-enabled services are financial or gaming
7 Number Of Methods Per Service By Percentage 11% 4% 2% Of services that offer only a single method, 51% provide TOTP and 14% provide SMS! 51% 62% of services that offer two methods pair TOTP with SMS 33%! MailChimp and OneLogin offer five methods for users to leverage Clavid offers six methods!
8 Two Factor Moniker Usage Since FA MFA 2-Step Verification as a moniker seems to be SV Other going away Deployment Year Google Deploys 2SV 2011: 15% 2012: 28% 2013: 21% : 17% 2013 * Other is usually for custom branding of Moniker Usage Per Year the service s feature * Note, data is only through July 2014
9 A Bit Of A Glossary HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections. Content Security Policy (CSP) provides a header that allows websites to declare approved sources of content that browsers should be allowed to load on that page. X-Frame-Options can prevent any framing, prevent framing by external sites, or allow framing only by the specified site. X-XSS-Protection enables the XSS filter built into most web browsers IE8, for instance, already has this on by default. X-Content-Type-Options reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable/dynamic HTML. Secure Cookie makes supported browsers only send cookies with the secure flag when the request is going to a HTTPS page. HttpOnly Cookie mitigates cross-site scripting (XSS) attacks by not allowing supported browsers to access cookies client-side Mostly a copy/paste from Wikipedia and OWASP <3
10 Browser Security Features For Service Logins Total Cookie! Cookie! HSTS CSP X-FRAME X-XSS X-Content Sites Secure HttpOnly All Sectors % 7% 56% 22% 22% 75% 78% Technology 83 40% 10% 49% 20% 20% 73% 78% Financial 36 33% 8% 50% 14% 8% 69% 64% Gaming 12 17% 0% 25% 8% 0% 58% 67% Retail 4 50% 0% 75% 50% 50% 75% 100% Social 6 50% 17% 83% 17% 33% 100% 83% Gaming is far behind versus other sectors for browser security Likely because most users spend little time in the browser Social media organizations have more of a focus on browser security due to the common nature of client-side attacks against users
11 SSL/TLS Implementation for Service Logins of the F ratings were because of the OpenSSL CCS 28 vulnerability (CVE ) Total Occurrences Star Wars: The Old Republic actually supported SSL v2!! 7 Amazingly enough, SSLTrust of all people received a C rating 0 A+ A A- B C F Score 3 for their allowance of both 40- bit and 56-bit cipher suites
12 Browser Security + SSL Security All-Stars 2 of 141 services utilized all of tested browser security features and managed to receive an A+ SSL implementation rating
13 Security Pages Yes, Really :) Many companies dedicate an entire page (or at least a big section of a page) to how they protect you and how you can protect yourself Example #1 and others definitely do not Example #2 Example #3 Seems legit.
14 Security Pages Across Two Factor-enabled Services of 51 sites (29%) that do not have a security page are in the domain registration/dns space 72 including GoDaddy, NameCheap, and Hover 54! Count Some of these pages even have a bug bounty and/or responsible disclosure section which is fantastic for further helping to protect users 18 including Google, Facebook, and Coinkite 0 Yes No! Security Page These pages show real concern for security and transparency we could use more!
15 So What Does This All Mean? Consider the data points we now have: Browser security (HTTP headers and cookie security) Transport security (SSL/TLS implementation) Strong authentication (two factor deployments) Corporate security focus (company security page)! What if we could assign a point-scale to those data points and create a composite value of authentication security per service? and what if you had no idea what the hell you were doing?
16 Mark s Authentication Security Scoring Algorithm Crudely Realized Edition MASSACRE
17 How Do We Get a Composite MASSACRE Score? SSL Implementation Browser Security Features Score Points Feature Points A+, A, A-! B+, B, B- C+, C, C-! D+, D, D- F! No SSL/TLS HTTP Strict Transport Security 10 Content Security Policy 15 X-Frame-Options 10 X-XSS-Protection 5 X-Content-Type-Options 5 Secure Session Cookie 10 Security Page Exists? Points Yes 5 HttpOnly Session Cookie 10 Two Factor Enabled? Points Yes point scale add up values to get a score!
18 Professional MASSACRE Scale Score Count Keep in mind, everyone starts with 15 points
19 MASSACRE Scoring Outcomes Best and Worst! Best Scores Company Score GitHub 100 Kraken 100 LastPass 100 FastMail 95 Facebook 90 Best Per Sector Sector Company Score Technology Github, LastPass 100 Financial Kraken 100 Gaming Elder Scrolls Online 65 Retail Etsy 85 Social Facebook 90 Worst Scores Company Score easydns 15 Frostbox 15 Sendloop 15 Fabulous 20 Pobox 20 Worst Per Sector Sector Company Score Technology easydns, Frostbox, Sendloop 15 Financial WeMineLTC 30 Gaming Guild Wars 2, Star Wars: Old Republic, Wildstar 35 Retail Humble Bundle 50 Social HootSuite 45
20 Further Parsing MASSACRE Scores Overall Values Technology Financial Gaming N/A Retail N/A Social N/A
21 How Do Security Features Increase MASSACRE Scores? Overall Values CSP Enabled Security Page? HSTS Enabled SSL ~(A B) SSL ~(C D) SSL ~(F/None) N/A N/A
22 Breaches Of Service Security (Data Loss, Especially) A breach does not include DDoS attacks, direct phishing against customers, dumb users, etc. 28% of services had a public corporate breach Count 54 Breached services had an average MASSACRE score of 64 while unbreached had a worse, So, moot point. Everyone can get hacked :) Sector Total # Breached % Breached 18 Technology % Financial % 0 Yes No Gaming % Retail % Corporate Breach Social %
23 Two Factor Deployments After A Breach Of 37 services that had a deployment date and a breach data, 54% already offered some form of two-factor authentication! Of the 19 services that added 2FA after a breach, it took an average of 255 days to deploy with a median of 128 days It took Linode, Dropbox, MaxCDN, and Buffer < 1 month to deploy 74% offer TOTP (52% offer it across all services) 63% provide 2+ methods (49% across all services)
24 Thanks Go Out To Vikas Kumar and Domenic Rizzolo, two of the amazing interns at Duo Security for doing a ton of data gathering and organization! for being a hugely helpful resource for trying to aggregate 2FA-enabled sites/services to get started with from Qualys for SSL Scoring Steve Werby did similar research on a grander scale last year top websites-password-policies-and-controls- presented-by-steve-werby-at-rich-sec-2013
25 All Done! Questions? Presentations: speakerdeck.com/mstanislav
SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA
SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA CTO Office www.digi.me another Engineering Briefing digi.me keeping your data secure at all times ALL YOUR DATA IN ONE PLACE TO SHARE WITH PEOPLE WHO
More informationOnline Intensive Ethical Hacking Training
Online Intensive Ethical Hacking Training Feel the heat of Security and Learn something out of the box 0 About the Course This is a 7 Days Intensive Training Program on Ethical Hacking & Cyber Security.
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationJAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS
JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS WHO I AM Working with Django 9 years, 5 at Lawrence Journal- World Commit bit since 2007 Involved in Django s release and
More informationHTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys
HTML5 Unbound: A Security & Privacy Drama Mike Shema Qualys A Drama in Four Parts The Meaning & Mythology of HTML5 Security From Design Security (and Privacy) From HTML5 Design, Doom & Destiny This specification
More informationScan Report Executive Summary
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 11/20/2017 Scan expiration date: 02/18/2018 Part 2. Component
More informationScan Report Executive Summary
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 08/28/2017 Scan expiration date: 11/26/2017 Part 2. Component
More informationTIBCO Cloud Integration Security Overview
TIBCO Cloud Integration Security Overview TIBCO Cloud Integration is secure, best-in-class Integration Platform as a Service (ipaas) software offered in a multi-tenant SaaS environment with centralized
More information2015 Online Trust Audit & Honor Roll Methodology
2015 Online Trust Audit & Honor Roll Methodology Jeff Wilbur VP Marketing, Iconix Craig Spiezle Executive Director & President, OTA 2015 All rights reserved. Online Trust Alliance (OTA) Slide 1 Who Is
More informationStop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico
1 Stop sweating the password and learn to love public key cryptography Chris Streeks Solutions Engineer, Yubico Stop Sweating the Password! 2 Agenda Introduction The modern state of Phishing How to become
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationTabular Presentation of the Application Software Extended Package for Web Browsers
Tabular Presentation of the Application Software Extended Package for Web Browsers Version: 2.0 2015-06-16 National Information Assurance Partnership Revision History Version Date Comment v 2.0 2015-06-16
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationMonitise. RSA Adaptive Authentication On-Premise Implementation Guide. Partner Information. Monitise Mobile Banking Solution
RSA Adaptive Authentication On-Premise Implementation Guide Partner Information Last Modified: June 12, 2013 Product Information Partner Name Web Site www.monitise.com Product Name Version & Platform 5.0
More informationCertified Secure Web Application Secure Development Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationOWASP TOP 10. By: Ilia
OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB
More informationMODERN WEB APPLICATION DEFENSES
MODERN WEB APPLICATION DEFENSES AGAINST DANGEROUS NETWORK ATTACKS Philippe De Ryck SecAppDev 2017 https://www.websec.be SETUP OF THE HANDS-ON SESSION I have prepared a minimal amount of slides Explain
More informationNetwork-based Origin Confusion Attacks against HTTPS Virtual Hosting
Network-based Origin Confusion Attacks against HTTPS Virtual Hosting Antoine Delignat-Lavaud, Karthikeyan Bhargavan Prosecco, Inria Paris-Rocquencourt 1 The Web Security Protocol Stack JavaScript runtime
More informationEn#ty Authen#ca#on and Session Management
En#ty Authen#ca#on and Session Management Jim Manico @manicode OWASP Volunteer - Global OWASP Board Member - OWASP Cheat- Sheet Series, Top Ten Proac=ve Controls, OWASP Java Encoder and HTML Sani=zer Project
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationWhy bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?
Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords
More informationdjango-secure Documentation
django-secure Documentation Release 0.1.2 Carl Meyer and contributors January 23, 2016 Contents 1 Quickstart 3 1.1 Dependencies............................................... 3 1.2 Installation................................................
More informationWeb Application Whitepaper
Page 1 of 16 Web Application Whitepaper Prepared by Simone Quatrini and Isa Shorehdeli Security Advisory EMEAR 6 th September, 2017 1.0 General Release Page 2 of 16 1. Introduction In this digital age,
More informationDon t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel
Don t blink or how to create secure software Bozhidar Bozhanov, CEO @ LogSentinel About me Senior software engineer and architect Founder & CEO @ LogSentinel Former IT and e-gov advisor to the deputy prime
More informationScan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 02/18/2018 Scan expiration date: 05/19/2018 Part 2. Component
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationOWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationSecuring Your Salesforce Org: The Human Factor. February 2016 User Group Meeting
Securing Your Salesforce Org: The Human Factor February 2016 User Group Meeting Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More informationAppGate 11.0 RELEASE NOTES
Changes in 11.0 AppGate 11.0 RELEASE NOTES 1. New packet filter engine. The server-side IP tunneling packet filter engine has been rewritten from scratch, reducing memory usage drastically and improving
More informationADAPTIVE AUTHENTICATION ADAPTER FOR IBM TIVOLI. Adaptive Authentication in IBM Tivoli Environments. Solution Brief
ADAPTIVE AUTHENTICATION ADAPTER FOR IBM TIVOLI Adaptive Authentication in IBM Tivoli Environments Solution Brief RSA Adaptive Authentication is a comprehensive authentication platform providing costeffective
More informationTesting login process security of websites. Benjamin Krumnow
Testing login process security of websites Benjamin Krumnow Benjamin Krumnow 2 Initial Project: Shepherd Marc Sleegers, B.Sc., master student at the Open University Bachelor Thesis, March 2017 [1] Counting
More informationDevice Recognition Best Practices Guide
Copyright Information 2017. SecureAuth is a copyright of SecureAuth Corporation. SecureAuth s IdP software, appliances, and other products and solutions, are copyrighted products of SecureAuth Corporation.
More informationVulnerabilities in online banking applications
Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison
More informationHP 2012 Cyber Security Risk Report Overview
HP 2012 Cyber Security Risk Report Overview September 2013 Paras Shah Software Security Assurance - Canada Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject
More informationDefeating All Man-in-the-Middle Attacks
Defeating All Man-in-the-Middle Attacks PrecisionAccess Vidder, Inc. Defeating All Man-in-the-Middle Attacks 1 Executive Summary The man-in-the-middle attack is a widely used and highly preferred type
More informationData Security & Operating Environment
Data Security & Operating Environment Version 1.0, Summer 2018 Last updated: June 21, 2018 https://www.kintone.com/contact/ Contents 1. Service Level Objective (SLO)... 1 2. Availability and Reliability...
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationMWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS
Quit MWR InfoSecurity Advisory Elastic Path Administrative Session Hijacking through Embedded XSS 26 th April 2007 2007-04-26 1 of 7 INDEX 1 Detailed Vulnerability description...4 1.1 Introduction...4
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationCSCE 813 Internet Security Case Study II: XSS
CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that
More informationImperva Incapsula Website Security
Imperva Incapsula Website Security DA T A SH E E T Application Security from the Cloud Imperva Incapsula cloud-based website security solution features the industry s leading WAF technology, as well as
More informationNortheastern University Systems Security Lab
Northeastern University Systems Security Lab Why is CSP Failing? Trends and Challenges in CSP Adoption Symposium on Research in Attacks, Intrusions and Defenses (RAID) Gothenburg, Sweden, September 2014
More informationO Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web
O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web Mohammad Ghasemisharif, Amrutha Ramesh, Stephen Checkoway, Chris Kanich, and
More information(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection
Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department
More informationSecuring today s identity and transaction systems:! What you need to know! about two-factor authentication!
Securing today s identity and transaction systems:! What you need to know! about two-factor authentication! 1 Today s Speakers! Alex Doll! CEO OneID Jim Fenton! Chief Security Officer OneID 2 Contents!
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationTrusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN
Trusted Identities Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN WHAT YOU WILL LEARN TODAY Strong identity verification as a security measure and business enabler Authentication
More informationSecurity Best Practices. For DNN Websites
Security Best Practices For DNN Websites Mitchel Sellers Who am I? Microsoft MVP, ASPInsider, DNN MVP Microsoft Certified Professional CEO IowaComputerGurus, Inc. Contact Information msellers@iowacomputergurus.com
More informationMerchant Toolkit. Multi-Factor Authentication
Merchant Toolkit Multi-Factor Authentication Multi-Factor Authentication (MFA) What is it? Multi-Factor Authentication, or MFA, is an enhanced log in method that requires users to provide at least two
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationContents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4
Contents SSL-Based Services: HTTPS and FTPS 2 Generating A Certificate 2 Creating A Self-Signed Certificate 3 Obtaining A Signed Certificate 4 Enabling Secure Services 5 SSL/TLS Security Level 5 A Note
More informationHIPAA Compliance discussion
HIPAA Compliance discussion GoToWebinar Housekeeping: attendee participation Open and hide your control panel Join audio: Choose Mic & Speakers to use VoIP Choose Telephone and dial using the information
More informationHow NOT To Get Hacked
How NOT To Get Hacked The right things to do so the bad guys can t do the wrong ones Mark Burnette Partner, LBMC -Risk Services October 25, 2016 Today s Agenda Protecting Against A Hack How should I start?
More informationOverview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.
Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2016 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2445 1 Assignment
More informationConsolidated Edition. 5th Annual State of Application Security Report Perception vs. Reality
Consolidated Edition 5th Annual State of Application Security Report Perception vs. Reality January 2016 State of Application Security Report Consolidated Edition 2 Table of Contents Executive Summary...
More informationEXPERIENCE SIMPLER, STRONGER AUTHENTICATION
1 EXPERIENCE SIMPLER, STRONGER AUTHENTICATION 2 Data Breaches are out of control 3 IN 2014... 708 data breaches 82 million personal records stolen $3.5 million average cost per breach 4 We have a PASSWORD
More informationCAMSCANNER TURN YOUR PHONE AND TABLET INTO SCANNER FOR
PDF NESSUS VULNERABILITY SCANNER - BASICS - SECURITYLEARN CAMSCANNER TURN YOUR PHONE AND TABLET INTO SCANNER FOR 1 / 6 2 / 6 3 / 6 website vulnerability scanner pdf Basics vulnerability scanning with NESSUS...
More informationImproving Password Management. Laura Raderman, Policy and Compliance Coordinator, ISO Ole Villadsen, Research Liaison, Cybersecurity, UL
Improving Password Management Laura Raderman, Policy and Compliance Coordinator, ISO Ole Villadsen, Research Liaison, Cybersecurity, UL Password Management How many passwords do you have? Are they all
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationIBM SmartCloud Notes Security
IBM Software White Paper September 2014 IBM SmartCloud Notes Security 2 IBM SmartCloud Notes Security Contents 3 Introduction 3 Service Access 4 People, Processes, and Compliance 5 Service Security IBM
More informationEn partenariat avec CA Technologies. Genève, Hôtel Warwick,
SIGS Afterwork Event in Geneva API Security as Part of Digital Transformation Projects The role of API security in digital transformation Nagib Aouini, Head of Cyber Security Services Defense & Cyber Security
More informationContents. Multi-Factor Authentication Overview. Available MFA Factors
The purpose of this document is to provide National University student Single Sign-On users with instructions for how to configure and use Multi-Factor Authentication. Contents Multi-Factor Authentication
More informationData Breach Risk Scanning and Reporting
Data Breach Risk Scanning and Reporting 2017. SolarWinds. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document
More informationAdaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief
Adaptive Authentication Adapter for Citrix XenApp Adaptive Authentication in Citrix XenApp Environments Solution Brief RSA Adaptive Authentication is a comprehensive authentication platform providing costeffective
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationScan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):ekk.worldtravelink.com
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Travolutionary ASV Company: Comodo CA Limited 10-03-2018 Scan expiration date: 01-01-2019 Part 2.
More informationJordan Levesque Making sure your business is PCI compliant
Jordan Levesque Making sure your business is PCI compliant Brief overview of PCIDSS What's new in PCI DSS 3.2 Why is PCI important? Dive in! Simple things you can do to be secure Tomorrows session: What
More informationSichere Webanwendungen mit Java
Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit Patch fast Unsafe platform unsafe web application Now lets have a look at the developers OWASP
More informationProtecting Against Online Fraud. F5 EMEA Webinar August 2014
Protecting Against Online Fraud F5 EMEA Webinar August 2014 Agenda Fraud threat trends and business challenges Web fraud protection Mobile fraud protection Security operations center Example architecture
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationRisk Intelligence. Quick Start Guide - Data Breach Risk
Risk Intelligence Quick Start Guide - Data Breach Risk Last Updated: 19 September 2018 --------------------------- 2018 CONTENTS Introduction 1 Data Breach Prevention Lifecycle 2 Choosing a Scan Deployment
More informationCybersecurity in 2016 and Lessons learned
Cybersecurity in 2016 and Lessons learned Dr. Yu Cai Associate Professor Program Chair, Computer Network & System Administration School of Technology Michigan Technological University cai@mtu.edu A Quick
More informationshwedirectory v4.0 Php Web & Business Directory Script Top 12 Features of shwedirectory Premium Edition
shwedirectory v4.0 Php Web & Business Directory Script Top 12 Features of shwedirectory Premium Edition 1. Admin Subdomain 2. Content Security Policy (CSP) Header 3. Subdomain for each city and country
More informationCookies, sessions and authentication
Cookies, sessions and authentication TI1506: Web and Database Technology Claudia Hauff! Lecture 7 [Web], 2014/15 1 Course overview [Web] 1. http: the language of Web communication 2. Web (app) design &
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Web Application Security Dr. Basem Suleiman Service Oriented Computing Group, CSE, UNSW Australia Semester 1, 2016, Week 8 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442
More informationCyber Security Hardening Guide
Cyber Security Hardening Guide HOW FEENICS PROTECTS THE DATA AND INTEGRITY OF TRANSACTIONS FEENICS, INC. 301-2310 St. Laurent Blvd., Ottawa, Ontario K1G 5H9 (855) 333-6427 www.feenics.com Contents The
More informationBEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE
BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE OUR ORGANISATION AND SPECIALIST SKILLS Focused on delivery, integration and managed services around Identity and Access Management.
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationAuthentication Security
Authentication Security Hui Zhu Copyright 2005 www.ebizsec.com Agenda Authentication Components Authentication Hacking Consideration for Authentication Security Principle for Authentication Security Case
More informationHTTPS and the Lock Icon
Web security HTTPS and the Lock Icon Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating HTTPS into the browser Lots of user interface
More informationSSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger
SSL / TLS Crypto in the Ugly Real World Malvin Gattinger 2016-03-17 SSL/TLS Figure 1: The General Picture SSL or TLS Goal: Authentication and Encryption Secure Sockets Layer SSL 1 (never released), 2 (1995-2011)
More informationF5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe
F5 comprehensive protection against application attacks Jakub Sumpich Territory Manager Eastern Europe j.sumpich@f5.com Evolving Security Threat Landscape cookie tampering Identity Extraction DNS Cache
More informationFTP: The Forgotten Cloud. Drew Springall, Zakir Durumeric, and J. Alex Halderman University of Michigan
FTP: The Forgotten Cloud Drew Springall, Zakir Durumeric, and J. Alex Halderman University of Michigan 1 FTP File Transfer Protocol u Simple text-based protocol u View and traverse directory structure
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More informationSOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications
Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers
More informationThe Way of the Bounty. by David Sopas
The Way of the Bounty by David Sopas (@dsopas) ./whoami Security Consultant for Checkmarx Security Team Leader for Char49 Disclosed more than 50 security advisories Founder of WebSegura.net Love to hack
More informationSecurity Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016
Security Engineering by Ross Andersson Chapter 18 API Security Presented by: Uri Ariel Nepomniashchy 31/5/216 Content What is API API developing risks Attacks on APIs Summary What is API? Interface for
More informationDon't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Steffens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions
More informationDistributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to
More informationSSL/TLS Server Test of
SSL/TLS Server Test of www.rotenburger-gruene.de Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. WWW.ROTENBURGER-GRUENE.DE
More informationRequirements from the Application Software Extended Package for Web Browsers
Requirements from the Application Software Extended Package for Web Browsers Version: 2.0 2015-06-16 National Information Assurance Partnership Revision History Version Date Comment v 2.0 2015-06-16 Application
More informationAuthentication CS 4720 Mobile Application Development
Authentication Mobile Application Development System Security Human: social engineering attacks Physical: steal the server itself Network: treat your server like a 2 year old Operating System: the war
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More information