Internet Security: How to Defend
Against Attackers on the Web
Lesson 5
Mitigating Web Site Risks,
Threats, and Vulnerabilities
© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
▪ Compare and contrast Web-based risks.
Key Concepts
▪ Different types of traffic to Web sites
▪ Common vulnerabilities and attacks impacting Web
applications
▪ Best practices for mitigating known Web application
risks, threats, and vulnerabilities
Who Is Coming to Your Web
Site?
▪ Company with e-commerce Web site needs
to know types of traffic visiting site
▪ Important for security and marketing
Web Site Analytics
▪ Web analytics software tracks:
• Visitor location
• Visitor sources
• Visitor type
• Visitor navigation
• Average time on site
• Leave (bounce) rate
Google Analytics Result
Google Analytics Dashboard
▪ Some features of Google Dashboard:
• Visits
• Site usage
• Visitors overview
• Map overlay
• Content overview
Google Analytics Map Overlay
Whom Do You Want to Come to
Your Site?
▪ Characteristics of site demographic
determine site design
▪ Create customer profile based on desired
demographic
• Profile is a description of your customer
based on various criteria
• Age range, gender, marital status,
geographical location, occupation, etc.
Market Segmentation
▪ Customer location
▪ Customer demographic
▪ Customer behaviors
▪ Customer lifestyle
Accepting User Input
▪ Web site may have interactive elements,
designed to engage visitors so they return
to the site
▪ Interactive elements may introduce security
considerations, including phishing, bullying,
and cyberstalking
Accepting User Input (Cont.)
▪ Forums
▪ Web site feedback forms
▪ Online surveys
OWASP Overview
▪ Open Web Application Security Project
(OWASP)
• A 501(c)3 not-for-profit worldwide charitable
organization focused on improving the
security of application software
OWASP Top 10 (2013 edition)
1. Injection
• Injection flaws occur when untrusted input is sent to an
interpreter (SQL, OS shell, LDAP, XPath) as part of a command
or query, so the attacker's data is executed as code; the most
common form is SQL injection
Mitigation
• Use parameterized queries (prepared statements) or another API
that keeps data separate from the command text
• Validate input against an allowlist as defense in depth, and run
the database account with least privilege
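The slide's SQL injection case, worked as an added example (not code from the course or from OWASP): a lookup written with string formatting beside the same lookup written with a bound parameter, exercised against a constructed in-memory SQLite table. The table, the payloads and the allowlist pattern are all assumptions made for the demonstration.

```python
import re
import sqlite3


# Constructed sample database for the demonstration; not from the slides.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    # Untrusted input is spliced into the SQL text, so the database parses it as SQL.
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    # The SQL text is constant; the driver passes the value as a bound parameter,
    # so quotes and keywords inside it are just characters in a string.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(value):
    # Allowlist validation: defense in depth, not a substitute for parameters.
    return USERNAME_RE.match(value) is not None


# Two classic payloads, constructed here to exercise the code above.
TAUTOLOGY = "' OR '1'='1"                                   # returns every row
UNION_DUMP = "' UNION SELECT name, sql FROM sqlite_master--"  # dumps the schema

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:   ", lookup_user_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union dump:  ", lookup_user_vulnerable(db, UNION_DUMP))
    print("parameterized, tautology:", lookup_user_safe(db, TAUTOLOGY))
    print("allowlist accepts payload?", is_valid_username(TAUTOLOGY))
```

The vulnerable version returns both rows for the tautology and the `CREATE TABLE` statement for the `UNION` payload; the parameterized version returns nothing for either, because it is searching for a user literally named `' OR '1'='1`.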
OWASP Top 10
2. Broken Authentication and Session
Management
• Covers every aspect of handling user authentication and
managing active sessions: credential storage, login, password
reset, session IDs, logout, and timeouts
Mitigation
• Strong password policy; passwords stored as salted, slow
hashes (never plaintext or reversible encryption); credentials
sent only over TLS
• Session IDs that are random, regenerated on login, marked
Secure and HttpOnly, kept out of URLs and caches, and expired
on logout and after inactivity
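An added example (not the course's code) of the session-management controls the slide lists: salted PBKDF2 password storage with constant-time verification, a server-side session store that regenerates the ID on login and expires idle sessions, and the cookie attributes that keep the ID off the wire in clear and away from script. The in-memory store, the timeouts and the cookie name are assumptions for the demonstration; the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import secrets
import time

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    # Salted, slow, one-way: a leaked table cannot be reversed or attacked with rainbow tables.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side session table keyed by a random token (in memory for the example)."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, clock=time.time):
        self.sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock  # injectable so expiry can be exercised without sleeping

    def create(self, user_id=None):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never derived from user data
        now = self.clock()
        self.sessions[token] = {"user": user_id, "created": now, "last_seen": now}
        return token

    def login(self, old_token, user_id):
        # Issue a fresh ID on authentication: an ID the attacker planted before login
        # (session fixation) must never become an authenticated session.
        self.destroy(old_token)
        return self.create(user_id)

    def get_user(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        now = self.clock()
        if (now - entry["last_seen"] > self.idle_timeout
                or now - entry["created"] > self.absolute_timeout):
            self.destroy(token)
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, token):
        # Logout must invalidate server side; clearing the cookie alone leaves the ID usable.
        self.sessions.pop(token, None)


def session_cookie_header(token, max_age=900):
    # Secure: only over TLS. HttpOnly: not readable by script (limits theft via XSS).
    # SameSite=Lax: not sent on cross-site POSTs. Path scoped, no Domain attribute.
    return ("Set-Cookie: session=%s; Path=/; Max-Age=%d; Secure; HttpOnly; SameSite=Lax"
            % (token, max_age))
```

Two properties worth checking against any real implementation: hashing the same password twice yields different strings (the salt is doing its job), and a session token obtained before login is worthless after login (fixation is closed).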
OWASP Top 10
3. Cross-Site Scripting (XSS)
• A vulnerability typically found in Web applications that lets an
attacker inject client-side script into pages viewed by other
users, because untrusted data is written into the page without
encoding
• Two common types: reflected (the payload arrives in the current
request) and stored (the payload is saved on the server and
served to later visitors); a third, DOM-based XSS, happens
entirely in client-side code
Mitigation
• Encode untrusted data for the context it is written into (HTML
body, attribute, JavaScript, URL)
• Validate input; set a Content Security Policy and HttpOnly
cookies to limit impact
• End user education (be wary of links) and a Web application
firewall are secondary layers only; a network firewall does not
stop XSS
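Contextual output encoding, the primary XSS mitigation, as an added example (not code from the course): the same comment rendered unsafely and safely into an HTML body and a quoted attribute, a URL-context check that rejects `javascript:` links, and a Content Security Policy header. The markup, the comment data and the policy values are assumptions for the demonstration.

```python
import html
from urllib.parse import urlsplit


def render_comment_unsafe(author, text):
    # Untrusted values are concatenated straight into the markup.
    return '<p class="comment" data-author="%s">%s</p>' % (author, text)


def render_comment_safe(author, text):
    # HTML body and quoted-attribute contexts: escape & < > " ' so the data can neither
    # start a tag nor break out of the attribute value.
    return '<p class="comment" data-author="%s">%s</p>' % (
        html.escape(author, quote=True), html.escape(text, quote=True))


def safe_href(url):
    # URL context: encoding does not help against javascript: or data: URLs, which are
    # perfectly valid attribute text. Allowlist the scheme, then escape for the attribute.
    cleaned = url.strip()
    parts = urlsplit(cleaned)  # lowercases the scheme, so "JaVaScRiPt:" is caught too
    if parts.scheme not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def csp_header():
    # Defense in depth: with inline script disallowed, an injected <script> block or
    # onerror= handler is refused by the browser even where encoding was missed.
    return ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'none'; frame-ancestors 'none'")


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_unsafe('" onmouseover="alert(1)', payload))
    print(render_comment_safe('" onmouseover="alert(1)', payload))
    print(safe_href("javascript:alert(1)"), safe_href("https://example.test/?a=1&b=2"))
```

Note that `safe_href` rejects by scheme rather than trying to encode: `javascript&#58;alert(1)` contains no characters `html.escape` would neutralise in a way that matters, because the browser decodes the entity before it parses the URL.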
OWASP Top 10
4. Insecure Direct Object Reference
• Occurs when a developer exposes a reference to an
internal implementation object, such as a file, directory,
database record, or key, as a URL or form parameter, and
the application does not check that the requesting user is
authorized for that particular object (changing ?invoice=1001
to ?invoice=1002 returns someone else's invoice)
Mitigation
• Check authorization on every object access, server side,
against the logged-in user
• Use per-user indirect references (an index or random token)
instead of raw database keys
• Permissions that lock down objects on the server
(need to be tested)
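The invoice case above, as an added example (not the course's code): the unchecked lookup beside one that authorizes the specific object, plus a per-session indirect reference map so the real keys never appear in the URL. The invoice records, user names and token scheme are constructed assumptions.

```python
import secrets

# Constructed records: the real database keys are sequential and therefore guessable.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 80.00},
    1003: {"owner": "alice", "total": 15.50},
}


class AccessDenied(Exception):
    pass


def get_invoice_vulnerable(requester, invoice_id):
    # Trusts ?invoice=<id> from the URL: being logged in is the only check.
    return INVOICES[invoice_id]


def get_invoice(requester, invoice_id):
    # Authorization on the specific object, every time, against the authenticated user.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != requester:
        # Identical failure for "does not exist" and "not yours", so ids cannot be enumerated.
        raise AccessDenied("invoice not available")
    return invoice


class IndirectReferenceMap:
    """Per-session map from opaque random tokens to real ids, so keys never reach the client."""

    def __init__(self):
        self.token_to_id = {}
        self.id_to_token = {}

    def token_for(self, real_id):
        if real_id not in self.id_to_token:
            token = secrets.token_urlsafe(16)
            self.id_to_token[real_id] = token
            self.token_to_id[token] = real_id
        return self.id_to_token[real_id]

    def resolve(self, token):
        return self.token_to_id.get(token)


def list_invoice_links(requester, refmap):
    # What the page renders: only the caller's invoices, referenced by token.
    return {refmap.token_for(i): inv["total"]
            for i, inv in INVOICES.items() if inv["owner"] == requester}


def get_invoice_by_token(requester, refmap, token):
    real_id = refmap.resolve(token)
    if real_id is None:
        raise AccessDenied("invoice not available")
    return get_invoice(requester, real_id)  # still check ownership: the map is not the control
```

The indirect map makes guessing impractical, but the ownership check in `get_invoice` remains the actual control; a token copied from one user's page must still fail for another user.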
Reflected XSS Attack
OWASP Top 10
5. Security Misconfiguration
• Default settings are often insecure (default accounts, sample
applications, directory listing, verbose errors, debug mode)
• Administrators may make mistakes during configuration
Mitigation
• Harden settings with a repeatable build process, remove unused
features and accounts, perform security audits, keep operating
systems, frameworks, and databases patched, review the life
cycle of products in use, understand the function and role of
each system, training and research
OWASP Top 10
6. Sensitive Data Exposure
• Breaches can expose sensitive data such as credit card
numbers, research secrets, student records, personal
information, banking data, and employee records
Mitigation
• Encrypt data at rest and in transit with current algorithms
and proper key management, hash rather than encrypt
passwords, do not store data you do not need, secure and
manage authentication, authorize access to data, create
data-handling policies
OWASP Top 10
7. Missing Function Level Access Control
• If users can reach resources or application features beyond
what their roles permit, access control has failed; hiding a
link in the UI is not a control if the server does not check
the request
• Results from careless permission assignment or a
developer mistake
Mitigation
• Enforce authorization server side for every function, deny by
default, manage roles and permissions carefully, perform
audits, create policies
OWASP Top 10
8. Cross-Site Request Forgery (CSRF)
• An attacker-controlled page, link, image tag, or form makes
the victim's browser send a request to a site where the victim
is already logged in; the browser attaches the session cookie
automatically, so the site carries out an unauthorized command
on behalf of a user it trusts
Mitigation
• Server side: require an unpredictable anti-CSRF token on every
state-changing request and verify it, set session cookies with
the SameSite attribute, re-authenticate for sensitive actions
• User side: log off Web sites when done, don't let the browser
store usernames or passwords, periodically delete cookies,
keep browsers up to date, be wary of unknown sites
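The server-side CSRF defence the slide calls for, as an added example (not code from the course): a token bound to the session with an HMAC, an Origin check, a `SameSite` cookie, and a small handler that accepts the legitimate form post and rejects a forged one that carries the cookie but no valid token. The secret, origin, routes and session table are constructed assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)      # constructed; a real app loads this from config/KMS
SITE_ORIGIN = "https://bank.example.test"    # constructed
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id):
    # Token = nonce.HMAC(secret, session_id:nonce): bound to this session, unguessable,
    # and verifiable without storing anything per request.
    nonce = secrets.token_hex(16)
    msg = ("%s:%s" % (session_id, nonce)).encode()
    return nonce + "." + hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, token):
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    msg = ("%s:%s" % (session_id, nonce)).encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def session_cookie(session_id):
    # SameSite=Lax keeps the cookie off cross-site POSTs in modern browsers; the token
    # still matters for older browsers and for attackers on a sibling subdomain.
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % session_id


def handle_request(method, path, cookies, form, headers, sessions):
    """Minimal handler; `sessions` maps session id -> user name (constructed stand-in)."""
    session_id = cookies.get("session")
    user = sessions.get(session_id)
    if user is None:
        return 401, "login required"
    if method not in SAFE_METHODS:
        # State-changing request: the browser attached the cookie on its own, so the
        # cookie proves nothing about which page built the request.
        origin = headers.get("Origin")
        if origin is not None and origin != SITE_ORIGIN:
            return 403, "cross-site request blocked"
        if not verify_csrf_token(session_id, form.get("csrf_token")):
            return 403, "missing or invalid CSRF token"
    if method == "POST" and path == "/transfer":
        return 200, "%s sent %s to %s" % (user, form["amount"], form["to"])
    if method == "GET" and path == "/balance":
        return 200, "%s: balance page" % user
    return 404, "not found"
```

The third rejected case in the test is the one that trips up naive implementations: a token the attacker obtained from their own session is still a valid-looking token, so the token must be bound to the victim's session, not merely well-formed.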
OWASP Top 10
9. Using Components with Known
Vulnerabilities
• Use of software that is at or past end of life, unpatched
applications, or libraries and frameworks (open source or
commercial) with publicly known vulnerabilities
Mitigation
• Keep an inventory of components and their versions, monitor
vulnerability databases and vendor advisories, keep applications
and operating systems patched, remove unused functionality
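An added example (not the course's code) of the inventory-and-advisory check the mitigation describes: parse a pinned dependency list, compare each version against an advisory feed, and report what needs upgrading. Both the requirements file and the advisory entries are constructed for the demonstration; the `DEMO-` identifiers are not real CVEs, and the version logic handles plain numeric dotted versions only.

```python
import re

# Constructed advisory data. These are NOT real CVE identifiers.
# Each entry: versions >= introduced and < fixed are affected.
ADVISORIES = {
    "examplelib": [{"id": "DEMO-2016-0001", "introduced": "1.0.0", "fixed": "1.4.2"}],
    "webtoolkit": [{"id": "DEMO-2016-0002", "introduced": "0", "fixed": "3.0.0"}],
}

# Constructed requirements file: the inventory of what the application ships with.
REQUIREMENTS = """\
# pinned third-party components
examplelib==1.3.0
WebToolkit==3.1.0   # already upgraded past the fix
safepkg==2.0.1
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    # Numeric dotted versions only, zero-padded so "1.4" compares equal to "1.4.0".
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text):
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.match(line)
        if match is None:
            # Unpinned or range requirements cannot be audited reliably; fail closed.
            raise ValueError("component must be pinned with ==: %r" % line)
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable(pins, advisories=ADVISORIES):
    findings = []
    for name, version in sorted(pins.items()):
        for adv in advisories.get(name, []):
            if parse_version(adv["introduced"]) <= parse_version(version) < parse_version(adv["fixed"]):
                findings.append({"component": name, "installed": version,
                                 "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(parse_requirements(REQUIREMENTS)):
        print("%(component)s %(installed)s: %(advisory)s, upgrade to %(upgrade_to)s" % finding)
```

In practice the advisory feed comes from a tool such as `pip-audit`, OWASP Dependency-Check or the OS vendor; the point of the example is that the check is only as good as the inventory, which is why unpinned requirements are rejected rather than guessed at.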
OWASP Top 10
10. Unvalidated Redirects and Forwards
• The application redirects or forwards to a destination taken
from a request parameter without validating it; an attacker
crafts a link on the trusted domain that sends users to a site
that phishes sensitive information from them or installs
malicious software on their machines
Mitigation
• Avoid redirects whose destination comes from user input
• If you must, validate the destination against an allowlist of
permitted hosts or paths, or pass an index that maps to a
server-side URL rather than the URL itself
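Both mitigations above as an added example (not code from the course): an allowlist validator for a `?next=` parameter that handles the usual bypasses (protocol-relative `//host`, backslashes, embedded tabs, userinfo tricks, look-alike hosts, `javascript:`), and the simpler key-to-URL map. The host allowlist, the map entries and the parameter name are constructed assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"shop.example.test", "www.example.test"}  # constructed
DEFAULT_DEST = "/"

# Preferred design: the parameter is a key, never a URL.
REDIRECT_MAP = {"orders": "/account/orders", "help": "https://www.example.test/help"}


def redirect_unsafe(next_param):
    # Location: <whatever was in ?next=>, served from a trusted domain.
    return next_param


def safe_redirect_target(next_param, default=DEFAULT_DEST):
    if not next_param:
        return default
    # Browsers strip tab/CR/LF and treat backslash as slash; normalize the same way first,
    # otherwise "/\evil.test" or "/\t/evil.test" parses as a path here and as a host there.
    target = "".join(ch for ch in next_param if ch not in "\t\r\n").strip().replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: https only, host on the allowlist.
        # .hostname drops userinfo and port, so "https://shop.example.test@evil.test" fails,
        # and exact membership rejects "shop.example.test.evil.test".
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return target
    # Relative: exactly one leading slash; "//" would be protocol-relative.
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


def redirect_by_key(key, default=DEFAULT_DEST):
    return REDIRECT_MAP.get(key, default)
```

Whitelisting by host is the floor, not the ceiling: an allowed host that itself has an open redirect turns this back into the original problem, which is the argument for the key-based map where the set of destinations is small.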
Web Developer Tool Screen Used to
Set a Web site as Preferred Domain
Additional Web Threats Not in
the OWASP Top 10 (2013)
(These five appeared in the 2007 OWASP Top 10 and remain
common findings.)
▪ Malicious file execution
▪ Information leakage and improper error
handling
▪ Insecure cryptographic storage
▪ Insecure communications
▪ Failure to restrict URL access
Malicious File Execution
▪ A vulnerability caused by passing unchecked input (a file
name, path, or URL) to a file include, upload, or execution
function on the Web server
▪ Because of the unchecked input, an attacker's uploaded files,
or attacker-chosen files already on the server, can be executed
or processed by the Web server
Mitigation
▪ Input validation (allowlisted file names and extensions, no path
separators), store uploads outside the Web root under
server-generated names, access control mechanisms, account
management, specific firewall configuration (no outbound fetches
from the Web server), network segmentation
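The two shapes of this flaw, as an added example (not the course's code): a page-include parameter mapped onto a fixed set of names instead of a path, and an upload handler that strips directories, allowlists the extension, checks the file's magic bytes, and stores the file under a server-chosen name outside the Web root. The directory paths, page names and allowed types are constructed assumptions.

```python
import posixpath
import secrets

UPLOAD_ROOT = "/srv/uploads"          # constructed; outside the Web root, never served as executable
TEMPLATE_DIR = "/srv/app/templates"   # constructed
PAGES = {"home", "about", "contact"}  # allowlist of includable page names
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "pdf": b"%PDF-"}


class RejectedUpload(Exception):
    pass


def include_page_vulnerable(page):
    # ?page= goes straight into the path: "../../../etc/passwd" walks out of the template
    # directory, and on servers that fetch URLs, "http://evil.test/shell" pulls in attacker code.
    return posixpath.join(TEMPLATE_DIR, page + ".html")


def include_page(page):
    # Map the parameter onto a fixed set of names; the user never supplies a path.
    if page not in PAGES:
        raise ValueError("unknown page")
    return posixpath.join(TEMPLATE_DIR, page + ".html")


def safe_upload_path(client_filename, first_bytes):
    # 1. Discard any directory part the client sent, whichever separator it used.
    base = posixpath.basename(client_filename.replace("\\", "/"))
    if not base or "\x00" in base:
        raise RejectedUpload("bad filename")
    # 2. Allowlist the extension, taking the last one. "shell.php.jpg" ends in jpg, which is
    #    exactly why the upload directory must never be executable by the Web server.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload("extension not allowed")
    # 3. The content has to look like the claimed type.
    if not first_bytes.startswith(MAGIC[ext]):
        raise RejectedUpload("content does not match extension")
    # 4. Store under a server-chosen random name; keep the client's name only as metadata.
    path = posixpath.normpath(posixpath.join(UPLOAD_ROOT, secrets.token_hex(16) + "." + ext))
    if not path.startswith(UPLOAD_ROOT + "/"):
        raise RejectedUpload("path escaped upload root")
    return path
```

Magic-byte checks are a filter, not proof: a polyglot file can carry a valid PNG header and still be a PHP script, so the storage location and the "never execute from here" server configuration are what actually stop execution.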
Information Leakage and
Improper Error Handling
▪ Attacker exploits information in insecure error
messages
▪ Errors can include stack traces, network and host names,
confirmation that a file or account exists (for example "wrong
password" versus "no such user"), database details
Mitigation
▪ Policies and procedures, log detailed errors server side and
show the user only a generic message with a reference ID,
careful attention to information in error messages, adequate
permissions on log files
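The logging pattern the mitigation describes, as an added example (not code from the course): the leaky handler that returns the trace, the handler that logs the trace under a reference ID and returns only the ID, and a login response that does not reveal whether the account exists. The failing back-end call, its error text and the in-memory log sink are constructed so the example runs offline.

```python
import io
import logging
import traceback
import uuid

# Constructed log sink so the example runs offline; in production this is a file or SIEM handler.
LOG_SINK = io.StringIO()
logger = logging.getLogger("app.errors.example")
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(logging.StreamHandler(LOG_SINK))


def fetch_order(order_id):
    # Constructed failing back-end call, with the kind of detail a real driver error carries.
    raise RuntimeError("connection to db01.internal.example.test:5432 failed for user app_rw")


def handle_error_leaky(exc):
    # The "before": host names, file paths, query text and versions all go to the attacker.
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, "Internal Server Error\n" + trace


def handle_error(exc):
    # Full detail goes to the server-side log under a reference ID; the user sees only the ID,
    # which support can use to find the record without the record ever crossing the wire.
    ref = uuid.uuid4().hex[:12]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("ref=%s\n%s", ref, trace)
    return 500, "Something went wrong. Please quote reference %s to support." % ref


def login_message(user_exists, password_ok):
    # One message for both failure cases, so the login form cannot enumerate accounts.
    if user_exists and password_ok:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def serve_order(order_id, leaky=False):
    try:
        return 200, fetch_order(order_id)
    except Exception as exc:  # top-level handler: nothing else may reach the client
        return handle_error_leaky(exc) if leaky else handle_error(exc)
```

The reference ID is what makes the generic message operationally acceptable: it keeps the detail out of the response without losing the ability to correlate a user's complaint with the log line.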
Insecure Cryptographic Storage
▪ Sensitive data that is stored without appropriate encryption,
or with weak or home-grown algorithms, or with the keys kept
next to the data
Mitigation
▪ Choose a strong, standard algorithm and mode (authenticated
encryption) from a vetted library; hash passwords with a slow,
salted hash rather than encrypting them
▪ Store keys separately from the data they protect (key
management service or HSM; private keys offline where possible)
and make them accessible only when needed
Insecure Communications
▪ Data that is not protected during transit over a
network or the Internet
Mitigation
▪ Transport Layer Security (TLS), the successor to Secure
Sockets Layer (SSL), for Web traffic; TLS 1.2 and 1.3 are
current, SSL and TLS 1.0/1.1 are obsolete
▪ Internet Protocol Security (IPsec) for network-layer
protection; it negotiates its security associations (SAs)
with the Internet Key Exchange (IKE) protocol
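An added example (not the course's code) of what "use TLS" means in application code: a client context that verifies the certificate and hostname and refuses anything below TLS 1.2, the misconfigured context it is often replaced with, a server context builder, and the HSTS header that stops browsers falling back to plain HTTP. The certificate paths and the header lifetime are assumptions; nothing here opens a network connection.

```python
import ssl


def make_client_context(cafile=None):
    # create_default_context() loads the trust store, sets CERT_REQUIRED and enables hostname
    # checking; only the minimum protocol version needs tightening on older interpreters.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 2/3 and TLS 1.0/1.1 are obsolete
    return ctx


def make_server_context(certfile, keyfile):
    # Server side: same floor on the protocol version; the certificate and key paths are
    # assumptions for the example and are loaded from disk at call time.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def insecure_client_context():
    # The "before": certificate and hostname verification switched off, so any on-path
    # attacker can present their own certificate. Equivalent to verify=False in HTTP libraries.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    # Self-check for client contexts: would this context detect an impostor?
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def hsts_header(max_age=31536000):
    # Tells browsers to refuse plain HTTP to this host for a year, closing the downgrade window.
    return "Strict-Transport-Security: max-age=%d; includeSubDomains" % max_age
```

Disabling verification to "make the error go away" is the single most common way TLS is deployed without actually providing the protection the slide is after; `context_is_hardened` is the kind of assertion worth keeping in a test suite so that change does not slip in silently.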
Failure to Restrict URL Access
▪ Information or functions on the Web server are not sufficiently
protected just because no link to them is shown
▪ User guesses or discovers hidden URLs (for example /admin/)
▪ Developers must implement access control for
each function to authorize the user explicitly
Mitigation
▪ Careful design planning to implement protection
throughout the application, deny by default
▪ Penetration testing
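One added example (not the course's code) serving both this slide and "Missing Function Level Access Control" above, since they describe the same failure: a deny-by-default dispatcher that checks the role for every route, the linked-pages-only version it replaces, and a small self-audit that flags any administrative URL reachable by a non-admin. The route table, roles and status codes are constructed assumptions.

```python
# Constructed route table: path -> method -> roles allowed. Anything absent is denied.
ROUTES = {
    "/":             {"GET": {"anonymous", "user", "admin"}},
    "/account":      {"GET": {"user", "admin"}, "POST": {"user", "admin"}},
    "/admin/users":  {"GET": {"admin"}, "POST": {"admin"}},
    "/admin/export": {"GET": {"admin"}},  # no link in the UI, but the URL is guessable
}


def role_of(user):
    return "anonymous" if user is None else user["role"]


def dispatch(method, path, user):
    """Deny-by-default dispatcher: every function is checked, not only the linked ones."""
    route = ROUTES.get(path)
    if route is None:
        return 404
    allowed = route.get(method)
    if allowed is None:
        return 405
    if role_of(user) not in allowed:
        return 401 if user is None else 403
    return 200


def dispatch_vulnerable(method, path, user):
    # The slide's failure mode: only the page with a menu link checks the role;
    # the export endpoint relies on nobody knowing the URL.
    if path not in ROUTES:
        return 404
    if path == "/admin/users" and role_of(user) != "admin":
        return 403
    return 200


def unprotected_admin_routes(routes=ROUTES):
    # Self-audit to run in CI: any /admin/ function open to a non-admin role is a finding.
    return sorted(path for path, methods in routes.items()
                  if path.startswith("/admin/")
                  and any(roles - {"admin"} for roles in methods.values()))
```

The audit function is the cheap half of the penetration test the slide recommends: it catches the routes a developer added without a rule, which is exactly the case hidden-URL discovery would find from the outside.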
Best Practices for Mitigating Known Web
Application Risks, Threats, and
Vulnerabilities
▪ Harden the network
▪ Document network security procedures
▪ Deploy encryption strategies
▪ Educate users
▪ Use preventative mitigation tools
Summary
▪ Different types of traffic to Web sites
▪ Common vulnerabilities and attacks
impacting Web applications
▪ Best practices for mitigating known Web
application risks, threats, and
vulnerabilities
Virtual Lab
▪ Exploiting Known Web Vulnerabilities on a
Live Web Server