SlideShare uma empresa Scribd logo

2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers

•
•
Raleigh ISSA
Raleigh ISSA

2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers by Nik Patronas, Senior Security Engineer, Shavlik

Tecnologia
1 de 33
Baixar para ler offline
Preventing Client Side Attacks Nik Patronas Senior Security Engineer ISSA March 2010
Agenda: • Attacks are no longer centered on the Microsoft operating system or confined to the data center. • Patching 3rd party applications is not the same as patching the operating system. • Best Practice: Controls for IT Audit, Security, and Operations. • TFTF: Tales From The Field
Once Upon A Time Microsoft Stood Alone As the Cyber Criminal’s Dream Target
The New Danger Zone Client-Side Vulnerabilities
Targets in the New Danger Zone
Over the Past Few Years, Application Vulnerabilities Have Surpassed OS • Adobe Reader - 45 bugs, averaging about one per week • Microsoft's Internet Explorer had 30 bugs • Mozilla Firefox - 102 bugs • Rounding out the list – Adobe Flash – Apple Quicktime – Microsoft Office http://www.forbes.com/2009/12/10/adobe-hackers-microsoft-technology-cio-network-software.html
Adobe is Just One Example Adobe Reader Adobe Flash Mozilla FireFox Apple QuickTime Apple iTunes Apple Safari Sun JRE and 100s more…
Hackers leverage zero- day weakness in IE 6 for targeted attack against Google and more than 30 other 3 companies. I don’t use those apps in my datacenter My datacenter is safe and an attack on workstations or laptops would be minimal.
Hackers don’t have to find you, end users are leading them to your door • Client-Side Vulnerabilities are Now the Primary Infection Vector • Targeted email attacks are exploiting client- side vulnerabilities in Adobe Reader Apple Reader, QuickTime, Adobe Flash and Microsoft Office • Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites http://www.sans.org/top-cyber-security-risks/
Define Enterprise: • Is it based on employees? • Is it based on systems? • Is it based on the complexity of the network? • Is it based on an Audit requirement? • Is it based on Public vs. Private ownership? • Why is a 10,000 employee business different y , p y than a 100 employee business?
Security, Operations, Audit • Q. How does IT Security ensure systems and applications are being patched? • A. IT Security must first know exactly what the organizations owns. • - You simply can not secure what you don’t know you have!
Assessment • Step 1: Asset Inventory – Systems: Domain, Non-Domain, Virtual Systems- On + Offline. – Applications: (Office, 3rd Party, Browsers, In- House) ) – Users: (Administrative Users, Standard Users,) U ) – Virtual Hosts: Vmware Esxi, Microsoft Hyper-V, other. Hyper V other
Risk Assessment • Step 2: Prioritization - Which systems are the highest value to the organization? - Who has access to these systems today and why?? - Who ultimately owns these systems- Audit, Operations, Security, Business Unit, O ti S it B i U it Executives?
Baseline Reporting • Understand which machines are the highest asset value. – According to severity that you ve assigned you’ve • Create reports on – status of patches missing per machine – User Accounts (Who is Admin) – Security Policy (Local GPO) (Local, • Track who performed each patch deployment and when patches were installed • Important for Compliance/Regulatory reporting
Scheduled Release vs. Out of Band • Microsoft Patch Tuesday- Second Tuesday of the Month recommends Critical Patches should be in installed ithi b i i t ll d within 24 hhours. • Microsoft Out of Band Patches- MS10-002, MS08-67- MS08 67 how long before these were applied applied, are they still missing? • How does your patch process change when Microsoft or another vendor goes out of band? • Adobe releases quarterly and just issued an out of band patch Feb 16th 2010
Don’t USE IE! Don’t USE ADOBE! -France, -Germany, SANS • How do I replace ubiquitous apps in an enterprise setting? • How do I roll out PDFXchange Viewer or Foxit Reader? • Is Firefox really any better than IE? • Google Chrome installs at the user level, not an enterprise application.
Organizations Should Still Say No to Standardizing O i ti Sh ld S N t St d di i on One Browser • A standard of at least two different browsers from different vendors can provide more security than a single browser from a single vendor vendor. Publication Date: 26 February 2010/ID Number: G00174224
Complexity Keeps Growing! • How do I reduce my attack surface? • Am I more or less vulnerable with two browsers? • What about the plug-ins for both sets of browsers – Flash.
Patching 3rd Party Apps is Exponentially More Difficult MICROSOFT HAS MATURE PATCH PROCESS
Microsoft Patch Process Sets the Bar • St Structured Guidance: Ad t d G id Advanced Notification, d N tifi ti Patch Tuesday Release Cycle, • Research: MSRC Technet Security Research + MSRC, Technet,Security Defense Blog, MAPP, Exploitability Index • Tools: WU MBSA WSUS, SCCM WU, MBSA, WSUS • Workarounds: Gpolicy, Fix it Tools • Support: Free Email and Support Calls • Zero Day Process: Will go Out of Band if needed Out-of-Band
WSUS • A recent Gartner report titled The Patch Management Market: Collision or Coexistence? dated March 3 2008 states that " Organizations accepting 3, 2008, WSUS as 'good enough' have significantly higher labor costs for content analysis, testing and deployment." “Microsoft’s WSUS comes as part of our University Select Agreement, but WSUS is limited and does not provide the application coverage we need. Different software tools are used by different departments to resolve and manage the patching process, such as custom-built scripts, in order to handle applications not supported by WSUS - which add to IT cost and resources.” • --Pritpal S. Rehal, Senior IT Systems Administrator for University of York
Adobe • Structured Guidance: Advanced Notification, Quarterly Updates, • Research: Adobe PSIRT Blog, • Tools: Adobe Updater, Adobe Download Manager- Be S Sure to Reboot!! (C:ProgramfilesNOS) • W k Workarounds: Ad b J d Adobe Javascript Bl kli t i t Blacklist Framework- “Some Registry Work Required” • Support: Online Forum Email Phone Forum, Email, • Zero Day Process: Will address in the next quarterly patch Updated (Feb 16 2010)
TFTF: Adobe Reader • Home User vs. Enterprise User • Automatic Updates: Doesn’t work for the Enterprise! Windows update became WSUS Adobe could learn from this. • Adobe MSP f S format does not conform to f SCCM. http://forums.adobe.com/thread/537967 • W t t push the latest of Adobe and end up Want to h th l t t f Ad b d d pushing Google and Yahoo Tool bars and Open Office (got the consumer version not the enterprise version). End users self-updating. • Legacy versions: (Reader 5 6 vs 7 8 9)
Adobe Cont… • Q: How do I know that Adobe Flash Player is i t ll d i installed correctly? tl ? • A: Adobe Flash Player requires users to restart their browser after installation To validate that installation. Adobe Flash Player is installed correctly, visit www.adobe.com/software/flash/about/. • http://kb2.adobe.com/cps/520/cpsid_52001.html#noteone
TFTF: Adobe Flash • Want to patch Flash – What version(s) do I have? – IE or Firefox? – Is Firefox open? – IE, no problem. But you need to know what you are running and what versions!
OracleSun Java • Structured Guidance: Notification, Patch Release cycle? • Research http://blogs.sun.com/security/category/alerts • Tools: Java Update, • Workarounds: NA, • JQS: Java Quick Launch Support- service that you need to stop for Java to update. • Support: Paid Support- Premium. • Zero Day Process: NA
TFTF: OracleSun JAVA • When you upgrade or patch JAVA, please leave the previous “Vulnerable” version installed. – Some applications won’t work without those older won t versions. – Push the patch but left the older versions on – and p their vulnerabilities on system. (Note- latest versions Java 6 update14 and up will uninstall previous versions. versions Some versions of Java wont install on 64bit operating systems! • What is my risk? – How do I know which version of JAVA is registered with the OS?
Apple • Structured Guidance: ” For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary g y y patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.” • Research: See Above • Tools: Apple Software Update, Apple Download Site, Bonjour, • Support: Ph or E il “M k sure tto have your hardware seriall Phone Email- “Make h h d i number available”! And well lets just say they might hang up on you….seriously. • Z Zero Day P D Process: See Above
Apple iTunes • When will you accept that a consumer application (iTunes) is running in the enterprise – Does anyone not have an executive using an iPhone? – When I go to patch iTunes it is really: iTunes, Safari, Quicktime – Apples “New Painful Patching Methodology” New Methodology – Home User “Double Click” vs. Enterprise “Silent Install”
TFTF: Apple iTunes • Apple’s “New Painful Patching Methodology” pp g gy – What does a browser have to do with patching iTunes? Apparently everything. – Patch iTunes, also get • Safari • Q icktime Quicktime • MobileMe • Bonjour – Home User “Double Click” vs. Enterprise “Silent Install” – Apple Application Support – How do you feel about apps going outbound?
Custom Built Applications • How many of you have custom applications that y you either built internally or p y purchased from an ISV? • How many were notified by your software vendor or development teams to tell you their code was not vulnerable to (MS09-035) "Vulnerabilities i Mi "V l biliti in Microsoft A ti T ft Active Template l t Library (ATL) which Could Allow Remote Code Execution? This was an out of band patch! • How many checked Visual Studio for this patch?
Best Practice Recommendations 1. Operating System “Security” patches and Service Packs 2. Browsers: IE, Firefox, Safari do each individually. 3. Plug- Ins: Flash, Silverlight, Java, Itunes, Skype g , g , , , yp 4. Office Versions, Office Converters, Install Media 5. .Net, MSXML 6. 6 Media Players: Quick time Real Player Windows Media time, Player, 7. Adobe Reader, PDFreader 8. Custom Built or 3rd Party Applications 9. Databases Systems 10. Citrix Presentation (Install and Execute Modes) 11. Virtual Hyper Visor, Templates, Offline VM’s. yp , p ,
Shavlik Data Team Lives this Daily • Special recognition to Shavlik Data Team members (Jason Miller and Jace McLean) for their contributions. • Resources – http://securitycenterblog.shavlik.com/ – http://www.shavlik.com/webinars.aspx – http://www adobe com/support/security/ http://www.adobe.com/support/security/ – http://support.apple.com/kb/HT1222 – http://blogs.sun.com/security/category/alerts – htt // http://www.microsoft.com/technet/security/current.aspx i ft /t h t/ it / t – http://www.microsoft.com/technet/security/bulletin/Ms09- 035.mspx

Recomendados

Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Teemu Tiainen
 
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabs
jasonhaddix
 
An Easy To Deploy Penetration Testing Platform
An Easy To Deploy Penetration Testing PlatformAn Easy To Deploy Penetration Testing Platform
An Easy To Deploy Penetration Testing Platform
Bo-Chun Peng
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 

Recomendados

Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Teemu Tiainen
 
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Fortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabsFortify On Demand and ShadowLabs
Fortify On Demand and ShadowLabs
jasonhaddix
 
An Easy To Deploy Penetration Testing Platform
An Easy To Deploy Penetration Testing PlatformAn Easy To Deploy Penetration Testing Platform
An Easy To Deploy Penetration Testing Platform
Bo-Chun Peng
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
Neil Matatall
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
Denim Group
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspect
rohit_ta
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
E G Innovations Vdi Monitoring
E G Innovations Vdi MonitoringE G Innovations Vdi Monitoring
E G Innovations Vdi Monitoring
ElisaBerneyBrown
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
Antivirus Comparative junio 2014
Antivirus Comparative junio 2014Antivirus Comparative junio 2014
Antivirus Comparative junio 2014
Doryan Mathos
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Denim Group
 
OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best Practices
Ivanti
 
Best free tools for win database admin
Best free tools for win database adminBest free tools for win database admin
Best free tools for win database admin
Concentrated Technology
 
2013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 20132013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 2013
Raleigh ISSA
 
2013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 20132013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 2013
Raleigh ISSA
 

Mais conteĂşdo relacionado

Mais procurados

What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
E G Innovations Vdi Monitoring
E G Innovations Vdi MonitoringE G Innovations Vdi Monitoring
E G Innovations Vdi Monitoring
ElisaBerneyBrown
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Denim Group
 
Best free tools for win database admin
Best free tools for win database adminBest free tools for win database admin
Best free tools for win database admin
Concentrated Technology
 

Mais procurados (20)

2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspect
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
 
E G Innovations Vdi Monitoring
E G Innovations Vdi MonitoringE G Innovations Vdi Monitoring
E G Innovations Vdi Monitoring
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
 
Antivirus Comparative junio 2014
Antivirus Comparative junio 2014Antivirus Comparative junio 2014
Antivirus Comparative junio 2014
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
 
OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best Practices
 
Best free tools for win database admin
Best free tools for win database adminBest free tools for win database admin
Best free tools for win database admin
 

Destaque

February 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slidesFebruary 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slides
Raleigh ISSA
 
Apostila contra-baixo
Apostila contra-baixoApostila contra-baixo
Apostila contra-baixo
eltoleon
 

Destaque (8)

2013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 20132013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 2013
 
2013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 20132013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 2013
 
2014-01 Raleigh ISSA Chapter Updates January 2014
2014-01 Raleigh ISSA Chapter Updates January 20142014-01 Raleigh ISSA Chapter Updates January 2014
2014-01 Raleigh ISSA Chapter Updates January 2014
 
2013-09 Raleigh ISSA Chapter Updates September 2013
2013-09 Raleigh ISSA Chapter Updates September 20132013-09 Raleigh ISSA Chapter Updates September 2013
2013-09 Raleigh ISSA Chapter Updates September 2013
 
February 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slidesFebruary 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slides
 
2013-06 Raleigh ISSA Chapter Updates June 2013
2013-06 Raleigh ISSA Chapter Updates June 20132013-06 Raleigh ISSA Chapter Updates June 2013
2013-06 Raleigh ISSA Chapter Updates June 2013
 
Raleigh ISSA Chapter Updates- March 2013
Raleigh ISSA Chapter Updates- March 2013Raleigh ISSA Chapter Updates- March 2013
Raleigh ISSA Chapter Updates- March 2013
 
Apostila contra-baixo
Apostila contra-baixoApostila contra-baixo
Apostila contra-baixo
 

Semelhante a 2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers

Best practices for using open source software in the enterprise
Best practices for using open source software in the enterpriseBest practices for using open source software in the enterprise
Best practices for using open source software in the enterprise
Marcel de Vries
 
Office Add-ins developer community call-July 2019
Office Add-ins developer community call-July 2019Office Add-ins developer community call-July 2019
Office Add-ins developer community call-July 2019
Microsoft 365 Developer
 
The Coming OSS Sustainability Crisis
The Coming OSS Sustainability CrisisThe Coming OSS Sustainability Crisis
The Coming OSS Sustainability Crisis
Aaron Stannard
 
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleDevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
JAXLondon_Conference
 
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
Mike Spaulding
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
LeanJS - Lean startup with JavaScript
LeanJS - Lean startup with JavaScriptLeanJS - Lean startup with JavaScript
LeanJS - Lean startup with JavaScript
Johannes Weber
 
U test whitepaper_10
U test whitepaper_10U test whitepaper_10
U test whitepaper_10
eshwar83
 
Kill Administrator: Fighting Back Against Admin Rights
Kill Administrator: Fighting Back Against Admin RightsKill Administrator: Fighting Back Against Admin Rights
Kill Administrator: Fighting Back Against Admin Rights
ScriptLogic
 

Semelhante a 2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers (20)

Best practices for using open source software in the enterprise
Best practices for using open source software in the enterpriseBest practices for using open source software in the enterprise
Best practices for using open source software in the enterprise
 
Office Add-ins developer community call-July 2019
Office Add-ins developer community call-July 2019Office Add-ins developer community call-July 2019
Office Add-ins developer community call-July 2019
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
 
The Coming OSS Sustainability Crisis
The Coming OSS Sustainability CrisisThe Coming OSS Sustainability Crisis
The Coming OSS Sustainability Crisis
 
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleDevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
 
Your Datacenter at risk? – Patching for the Datacenter
Your Datacenter at risk? – Patching for the DatacenterYour Datacenter at risk? – Patching for the Datacenter
Your Datacenter at risk? – Patching for the Datacenter
 
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
 
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
Making software development processes to work for you
Making software development processes to work for youMaking software development processes to work for you
Making software development processes to work for you
 
Summer project- Jack Fletcher
Summer project- Jack Fletcher Summer project- Jack Fletcher
Summer project- Jack Fletcher
 
LeanJS - Lean startup with JavaScript
LeanJS - Lean startup with JavaScriptLeanJS - Lean startup with JavaScript
LeanJS - Lean startup with JavaScript
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
U test whitepaper_10
U test whitepaper_10U test whitepaper_10
U test whitepaper_10
 
Intoduction to software engineering part 1
Intoduction to software engineering part 1Intoduction to software engineering part 1
Intoduction to software engineering part 1
 
Kill Administrator: Fighting Back Against Admin Rights
Kill Administrator: Fighting Back Against Admin RightsKill Administrator: Fighting Back Against Admin Rights
Kill Administrator: Fighting Back Against Admin Rights
 
DevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems : Innovate like a StartupDevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems : Innovate like a Startup
 

Mais de Raleigh ISSA

A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014
Raleigh ISSA
 
April 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slidesApril 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slides
Raleigh ISSA
 
2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith Pigues2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith Pigues
Raleigh ISSA
 

Mais de Raleigh ISSA (20)

Raleigh issa chapter updates-slides-2014-9
Raleigh issa chapter updates-slides-2014-9Raleigh issa chapter updates-slides-2014-9
Raleigh issa chapter updates-slides-2014-9
 
Raleigh issa chapter updates-slides-2014-8
Raleigh issa chapter updates-slides-2014-8Raleigh issa chapter updates-slides-2014-8
Raleigh issa chapter updates-slides-2014-8
 
Raleigh issa chapter updates-slides-2014-7
Raleigh issa chapter updates-slides-2014-7Raleigh issa chapter updates-slides-2014-7
Raleigh issa chapter updates-slides-2014-7
 
Raleigh issa chapter updates-slides-2014-6
Raleigh issa chapter updates-slides-2014-6Raleigh issa chapter updates-slides-2014-6
Raleigh issa chapter updates-slides-2014-6
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account security
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014
 
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...
 
April 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slidesApril 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slides
 
March 2014 B2B - Breaking into info sec
March 2014 B2B - Breaking into info secMarch 2014 B2B - Breaking into info sec
March 2014 B2B - Breaking into info sec
 
March 2014 Raleigh ISSA chapter update slides
March 2014 Raleigh ISSA chapter update slidesMarch 2014 Raleigh ISSA chapter update slides
March 2014 Raleigh ISSA chapter update slides
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
 
2013-08 Raleigh ISSA Chapter Updates August 2013
2013-08 Raleigh ISSA Chapter Updates August 20132013-08 Raleigh ISSA Chapter Updates August 2013
2013-08 Raleigh ISSA Chapter Updates August 2013
 
2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith Pigues2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith Pigues
 
2013-07 Raleigh ISSA Chapter Updates July 2013
2013-07 Raleigh ISSA Chapter Updates July 20132013-07 Raleigh ISSA Chapter Updates July 2013
2013-07 Raleigh ISSA Chapter Updates July 2013
 
2013-05 Raleigh ISSA Chapter Updates May 2013
2013-05 Raleigh ISSA Chapter Updates May 20132013-05 Raleigh ISSA Chapter Updates May 2013
2013-05 Raleigh ISSA Chapter Updates May 2013
 
2013-04 Raleigh ISSA Chapter Updates April 2013
2013-04 Raleigh ISSA Chapter Updates April 20132013-04 Raleigh ISSA Chapter Updates April 2013
2013-04 Raleigh ISSA Chapter Updates April 2013
 
2013-02 Raleigh ISSA Chapter Updates February 2013
2013-02 Raleigh ISSA Chapter Updates February 20132013-02 Raleigh ISSA Chapter Updates February 2013
2013-02 Raleigh ISSA Chapter Updates February 2013
 
2013-03 Raleigh ISSA Chapter Updates March 2013
2013-03 Raleigh ISSA Chapter Updates March 20132013-03 Raleigh ISSA Chapter Updates March 2013
2013-03 Raleigh ISSA Chapter Updates March 2013
 
2010-02 Building Security Architecture Framework
2010-02 Building Security Architecture Framework 2010-02 Building Security Architecture Framework
2010-02 Building Security Architecture Framework
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
 

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 

Último (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

2010-03 Yesterday's Trusted Web Sites are Today's Malicious Servers

  • 1. Preventing Client Side Attacks Nik Patronas Senior Security Engineer ISSA March 2010
  • 2. Agenda: • Attacks are no longer centered on the Microsoft operating system or confined to the data center. • Patching 3rd party applications is not the same as patching the operating system. • Best Practice: Controls for IT Audit, Security, and Operations. • TFTF: Tales From The Field
  • 3. Once Upon A Time Microsoft Stood Alone As the Cyber Criminal’s Dream Target
  • 4. The New Danger Zone Client-Side Vulnerabilities
  • 5. Targets in the New Danger Zone
  • 6. Over the Past Few Years, Application Vulnerabilities Have Surpassed OS • Adobe Reader - 45 bugs, averaging about one per week • Microsoft's Internet Explorer had 30 bugs • Mozilla Firefox - 102 bugs • Rounding out the list – Adobe Flash – Apple Quicktime – Microsoft Office http://www.forbes.com/2009/12/10/adobe-hackers-microsoft-technology-cio-network-software.html
  • 7. Adobe is Just One Example Adobe Reader Adobe Flash Mozilla FireFox Apple QuickTime Apple iTunes Apple Safari Sun JRE and 100s more…
  • 8. Hackers leverage zero- day weakness in IE 6 for targeted attack against Google and more than 30 other 3 companies. I don’t use those apps in my datacenter My datacenter is safe and an attack on workstations or laptops would be minimal.
  • 9. Hackers don’t have to find you, end users are leading them to your door • Client-Side Vulnerabilities are Now the Primary Infection Vector • Targeted email attacks are exploiting client- side vulnerabilities in Adobe Reader Apple Reader, QuickTime, Adobe Flash and Microsoft Office • Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites http://www.sans.org/top-cyber-security-risks/
  • 10. Define Enterprise: • Is it based on employees? • Is it based on systems? • Is it based on the complexity of the network? • Is it based on an Audit requirement? • Is it based on Public vs. Private ownership? • Why is a 10,000 employee business different y , p y than a 100 employee business?
  • 11. Security, Operations, Audit • Q. How does IT Security ensure systems and applications are being patched? • A. IT Security must first know exactly what the organizations owns. • - You simply can not secure what you don’t know you have!
  • 12. Assessment • Step 1: Asset Inventory – Systems: Domain, Non-Domain, Virtual Systems- On + Offline. – Applications: (Office, 3rd Party, Browsers, In- House) ) – Users: (Administrative Users, Standard Users,) U ) – Virtual Hosts: Vmware Esxi, Microsoft Hyper-V, other. Hyper V other
  • 13. Risk Assessment • Step 2: Prioritization - Which systems are the highest value to the organization? - Who has access to these systems today and why?? - Who ultimately owns these systems- Audit, Operations, Security, Business Unit, O ti S it B i U it Executives?
  • 14. Baseline Reporting • Understand which machines are the highest asset value. – According to severity that you ve assigned you’ve • Create reports on – status of patches missing per machine – User Accounts (Who is Admin) – Security Policy (Local GPO) (Local, • Track who performed each patch deployment and when patches were installed • Important for Compliance/Regulatory reporting
  • 15. Scheduled Release vs. Out of Band • Microsoft Patch Tuesday- Second Tuesday of the Month recommends Critical Patches should be in installed ithi b i i t ll d within 24 hhours. • Microsoft Out of Band Patches- MS10-002, MS08-67- MS08 67 how long before these were applied applied, are they still missing? • How does your patch process change when Microsoft or another vendor goes out of band? • Adobe releases quarterly and just issued an out of band patch Feb 16th 2010
  • 16. Don’t USE IE! Don’t USE ADOBE! -France, -Germany, SANS • How do I replace ubiquitous apps in an enterprise setting? • How do I roll out PDFXchange Viewer or Foxit Reader? • Is Firefox really any better than IE? • Google Chrome installs at the user level, not an enterprise application.
  • 17. Organizations Should Still Say No to Standardizing O i ti Sh ld S N t St d di i on One Browser • A standard of at least two different browsers from different vendors can provide more security than a single browser from a single vendor vendor. Publication Date: 26 February 2010/ID Number: G00174224
  • 18. Complexity Keeps Growing! • How do I reduce my attack surface? • Am I more or less vulnerable with two browsers? • What about the plug-ins for both sets of browsers – Flash.
  • 19. Patching 3rd Party Apps is Exponentially More Difficult MICROSOFT HAS MATURE PATCH PROCESS
  • 20. Microsoft Patch Process Sets the Bar • St Structured Guidance: Ad t d G id Advanced Notification, d N tifi ti Patch Tuesday Release Cycle, • Research: MSRC Technet Security Research + MSRC, Technet,Security Defense Blog, MAPP, Exploitability Index • Tools: WU MBSA WSUS, SCCM WU, MBSA, WSUS • Workarounds: Gpolicy, Fix it Tools • Support: Free Email and Support Calls • Zero Day Process: Will go Out of Band if needed Out-of-Band
  • 21. WSUS • A recent Gartner report titled The Patch Management Market: Collision or Coexistence? dated March 3 2008 states that " Organizations accepting 3, 2008, WSUS as 'good enough' have significantly higher labor costs for content analysis, testing and deployment." “Microsoft’s WSUS comes as part of our University Select Agreement, but WSUS is limited and does not provide the application coverage we need. Different software tools are used by different departments to resolve and manage the patching process, such as custom-built scripts, in order to handle applications not supported by WSUS - which add to IT cost and resources.” • --Pritpal S. Rehal, Senior IT Systems Administrator for University of York
  • 22. Adobe • Structured Guidance: Advanced Notification, Quarterly Updates, • Research: Adobe PSIRT Blog, • Tools: Adobe Updater, Adobe Download Manager- Be S Sure to Reboot!! (C:ProgramfilesNOS) • W k Workarounds: Ad b J d Adobe Javascript Bl kli t i t Blacklist Framework- “Some Registry Work Required” • Support: Online Forum Email Phone Forum, Email, • Zero Day Process: Will address in the next quarterly patch Updated (Feb 16 2010)
  • 23. TFTF: Adobe Reader • Home User vs. Enterprise User • Automatic Updates: Doesn’t work for the Enterprise! Windows update became WSUS Adobe could learn from this. • Adobe MSP f S format does not conform to f SCCM. http://forums.adobe.com/thread/537967 • W t t push the latest of Adobe and end up Want to h th l t t f Ad b d d pushing Google and Yahoo Tool bars and Open Office (got the consumer version not the enterprise version). End users self-updating. • Legacy versions: (Reader 5 6 vs 7 8 9)
  • 24. Adobe Cont… • Q: How do I know that Adobe Flash Player is i t ll d i installed correctly? tl ? • A: Adobe Flash Player requires users to restart their browser after installation To validate that installation. Adobe Flash Player is installed correctly, visit www.adobe.com/software/flash/about/. • http://kb2.adobe.com/cps/520/cpsid_52001.html#noteone
  • 25. TFTF: Adobe Flash • Want to patch Flash – What version(s) do I have? – IE or Firefox? – Is Firefox open? – IE, no problem. But you need to know what you are running and what versions!
  • 26. OracleSun Java • Structured Guidance: Notification, Patch Release cycle? • Research http://blogs.sun.com/security/category/alerts • Tools: Java Update, • Workarounds: NA, • JQS: Java Quick Launch Support- service that you need to stop for Java to update. • Support: Paid Support- Premium. • Zero Day Process: NA
  • 27. TFTF: OracleSun JAVA • When you upgrade or patch JAVA, please leave the previous “Vulnerable” version installed. – Some applications won’t work without those older won t versions. – Push the patch but left the older versions on – and p their vulnerabilities on system. (Note- latest versions Java 6 update14 and up will uninstall previous versions. versions Some versions of Java wont install on 64bit operating systems! • What is my risk? – How do I know which version of JAVA is registered with the OS?
  • 28. Apple • Structured Guidance: ” For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary g y y patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.” • Research: See Above • Tools: Apple Software Update, Apple Download Site, Bonjour, • Support: Ph or E il “M k sure tto have your hardware seriall Phone Email- “Make h h d i number available”! And well lets just say they might hang up on you….seriously. • Z Zero Day P D Process: See Above
  • 29. Apple iTunes • When will you accept that a consumer application (iTunes) is running in the enterprise – Does anyone not have an executive using an iPhone? – When I go to patch iTunes it is really: iTunes, Safari, Quicktime – Apples “New Painful Patching Methodology” New Methodology – Home User “Double Click” vs. Enterprise “Silent Install”
  • 30. TFTF: Apple iTunes • Apple’s “New Painful Patching Methodology” pp g gy – What does a browser have to do with patching iTunes? Apparently everything. – Patch iTunes, also get • Safari • Q icktime Quicktime • MobileMe • Bonjour – Home User “Double Click” vs. Enterprise “Silent Install” – Apple Application Support – How do you feel about apps going outbound?
  • 31. Custom Built Applications • How many of you have custom applications that y you either built internally or p y purchased from an ISV? • How many were notified by your software vendor or development teams to tell you their code was not vulnerable to (MS09-035) "Vulnerabilities i Mi "V l biliti in Microsoft A ti T ft Active Template l t Library (ATL) which Could Allow Remote Code Execution? This was an out of band patch! • How many checked Visual Studio for this patch?
  • 32. Best Practice Recommendations 1. Operating System “Security” patches and Service Packs 2. Browsers: IE, Firefox, Safari do each individually. 3. Plug- Ins: Flash, Silverlight, Java, Itunes, Skype g , g , , , yp 4. Office Versions, Office Converters, Install Media 5. .Net, MSXML 6. 6 Media Players: Quick time Real Player Windows Media time, Player, 7. Adobe Reader, PDFreader 8. Custom Built or 3rd Party Applications 9. Databases Systems 10. Citrix Presentation (Install and Execute Modes) 11. Virtual Hyper Visor, Templates, Offline VM’s. yp , p ,
  • 33. Shavlik Data Team Lives this Daily • Special recognition to Shavlik Data Team members (Jason Miller and Jace McLean) for their contributions. • Resources – http://securitycenterblog.shavlik.com/ – http://www.shavlik.com/webinars.aspx – http://www adobe com/support/security/ http://www.adobe.com/support/security/ – http://support.apple.com/kb/HT1222 – http://blogs.sun.com/security/category/alerts – htt // http://www.microsoft.com/technet/security/current.aspx i ft /t h t/ it / t – http://www.microsoft.com/technet/security/bulletin/Ms09- 035.mspx