1 / 32

General Security Guidelines

Presented at: Nextbridge LHR C1 June 1, 2012. General Security Guidelines. Best Practices for Everyone. Topics we will cover in this presentation. What is Information What is Information Security What is Risk Corporate Security How we are linked with Corporate Security

dyre
Télécharger la présentation

General Security Guidelines

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Presented at: Nextbridge LHR C1 June 1, 2012 General Security Guidelines Best Practices for Everyone

  2. Topics we will cover in this presentation What is Information What is Information Security What is Risk Corporate Security How we are linked with Corporate Security User Responsibilities Web Application Vulnerabilities (Case Study) Questions

  3. WHO IS AT THE CENTRE OF SECU RITY U R -

  4. What is Information? Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected

  5. Information can be

  6. Information can be…

  7. What is Information Security? ?

  8. What is Information Security? • The quality or state of being secure to be free from danger • Security is recognized as essential to protect vital processes and the systems that provide those processes • Security is not something you buy, it is something you do

  9. Business survival depends upon Information Security

  10. What is Risk?

  11. Virus Attacks High User Knowledge of IT Systems Theft, Sabotage, Misuse Doing without Knowing Lapse in Physical Security Systems & Network Failure Lack Of Documentation

  12. Sources…!

  13. Corporate Security

  14. Corporate Security is responsibility of everyone

  15. User Responsibilities

  16. User Responsibilities

  17. Report Security Incidents (IT and Non-IT) to Helpdesk through • E-mail to mis@nxb.com.pk • Telephone : Ext#611 • Reporting through helpdesk system @ http://mis.vteamslabs.com e.g.: IT Incidents: Mail Spamming, Virus attack, Hacking, etc. Non-IT Incidents: Unsupervised visitor movement, Information leakage, Bringing unauthorized Media • Do not discuss security incidents with any one outside organization • Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents

  18. Human Wall is better than Firewall Lets build a human wall around our firewall

  19. Best Practices

  20. Do not let this Happen

  21. Web Application Vulnerabilities No language can prevent insecure code, although there are language features which could aid or hinder a security-conscious developer

  22. Five Evil Sisters

  23. Web Application Vulnerabilities Remote Code Execution This vulnerability allows an attacker to run arbitrary, system level code on the vulnerable server and retrieve any desired information contained therein. Improper coding errors lead to this vulnerability. At times, it is difficult to discover this vulnerability during penetration testing assignments but such problems are often revealed while doing a source code review. However, when testing Web applications it is important to remember that exploitation of this vulnerability can lead to total system compromise withthe same rights as the Web server itself. Rating: Highly Critical

  24. SQL Injection • SQL injection is a very old approach but it's still popular among attackers. This technique allows an attacker to retrieve crucial information from a Web server's database. Depending on the application's security measures, the impact of this attack can vary from basic information disclosure to remote code execution and total system compromise • Rating: Highly Critical

  25. Format String Vulnerability • This vulnerability results from the use of unfiltered user input as the format string parameter in certain Perl or C functions that perform formatting, such as C's printf(). • A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. • Format string vulnerability attacks fall into three general categories: denial of service, reading and writing. • Rating: Highly Critical

  26. Cross Site Scripting • The success of this attack requires the victim to execute a malicious URL which is crafted in such a manner to appear to be legitimate at first look • When visiting such a crafted URL, an attacker can effectively execute something malicious in the victim's browser. Some malicious JavaScript, for example, will be run in the context of the web site which possesses the XSS bug • Rating: Highly Critical

  27. Username Enumeration • Username enumeration is a type of attack where the backend validation script tells the attacker if the supplied username is correct or not. Exploiting this vulnerability helps the attacker to experiment with different usernames and determine valid ones with the help of different error messages • Rating: Critical

  28. Case Study • In this slide, we will cover the following about the subject • What is it about? • Background of the happening • Refer to PDF Reports • Conclusions

  29. Now its your turn to speak

  30. Presented at: Nextbridge LHR C1 May 17, 2012 Best Practices for Everyone General Security Guidelines Designed & Presented by: Abdul Rehman Senior System Administrator

More Related