
Threat map (labels recovered from the slide diagram): cross-site request forgery, cross-site scripting, man-in-the-browser, session hijacking, malware, man-in-the-middle, DNS cache poisoning, DNS spoofing, DNS hijacking, dictionary attacks, DDoS, SYN, UDP and HTTP floods, SSL renegotiation, DNS amplification, heavy URL, eavesdropping, protocol abuse, API attacks, injection, abuse of functionality, credential theft, credential stuffing, brute force, phishing, key disclosure, certificate spoofing.

Highlighted on the slide: injection, DNS hijacking, DDoS, cross-site scripting.

Lessons learned from a decade of breaches prove the App Sec story.

Research Scope: 433 cases analyzed; 338 cases with a breached-record quantity; 26 countries; 37 industries.
Breach cases were included if any of the following was true: confirmed breached data count and type; confirmed attack vector and/or breach root cause; confirmed breach cost to the victim organization; confirmed threat actor profits or cost to the impacted business.

Breached Records Scope: 10.3B credentials; 3.4B security Q&As; 1B credit cards; 550M PHI; 280M SSNs; 167M credit scores; 36M minor data; 36M passports; 22M biometric.
Other data types seen in the breached records: email messages, IM identities, private messages, chat logs, web activity, political views, drinking habits, drug habits, sexual fetishes, age, income, geographic location, payment histories, payment methods, FAFSA student loan applications, beauty ratings, fitness level, car ownership status, account balances, net worth, financial investments, SF-86 form personal data, physical attributes, sexual orientation, buying preferences, employers, job titles, employment histories of current and former customers, work habits, career levels, professional skills.

Impact of Breaches: an assumed-breach world. Attackers have enough data to answer your secret questions. Democracy is for cyber-sale.
92% password cracking accuracy in under 6 hours; 3 compromised usernames and passwords per person online; compromised SSNs equivalent to 86% of the US population.

Identities are the keys to apps: apps or identities were the initial targets in 86% of breaches.

#1 Target: Apps. Apps are the first target in the majority of breaches, and breaches starting at the app have the highest breach costs.
Apps accounted for 53% of initial targets, 47% of breach costs and 22% of records breached (biggest business risk). Other chart labels on the slide: IDs 24%, Other 29%.

#1 Root Cause: Web Application Vulnerabilities. Web application vulnerabilities are the root cause of 38% of breaches.
The breach root cause chart breaks these out into SQL injection and forum vulnerabilities (injection), with chart values of 52% and 23%.

#2 Target: Identities. Identities are the first target in 33% of breaches, and breaches starting with identity attacks collect the most data.
Identities accounted for 33% of initial targets, 24% of breach costs and 75% of records breached (biggest attacker opportunity).

Identity Crisis: 20% of employees would sell their work password, 10% of them for less than $1,000.

Breach root cause: 19% phishing; 14% unauthorized access and credential stuffing. Attackers are going phishing in over-stocked ponds.

Troubling Tidbits: businesses often don't know they are compromised for a year or more.

Troubling Tidbits:
Passwords are public. We did not find a single case in which passwords were properly hashed.
Leaked US spy agency materials wreaked havoc, and this could be our new norm.
There are so many stolen credit cards for sale that they are only selling for $0.0003 a record.
Automated verification systems are easily bypassed with stolen data, and synthetic IDs (a.k.a. virtual people) are on the rise.
The Yahoo and Sony databases were 59% the same: re-used online credentials make the attacker's reward one-to-many.
Spy agencies target system administrators with phishing attacks powered by social media data.

Stay up to date by following us: Twitter, LinkedIn, email updates, RSS. Learn, download, follow, share. F5Labs.com