SlideShare uma empresa Scribd logo
1 de 13
Media web application
security and vulnerabilities
Eoin Keary CISSP CISA
CTO/Founder edgescan.com
Hacker/Software Security Geek
OWASP Global Board Member (2009-2014)
OWASP Person of the Year 2015 & 2016
Always-on: The pressure to maintain a 24x7 service.
Reputation: one thing that matters above all for most media organizations.
Footprint: The public footprint makes for prime targets for visible impact to a wide audience
Propaganda is alive and well
Cyber attack has become an effective tool in its deployment by both state and non-state groups.
Attempts to raise the profile of a cause, to sow the seeds of fear or to sway public opinion
Threat actors: hacktivists, terrorist and nation states.
Media industry is highly likely to face a CyberAttack in order to disrupt service.
Tactics such as
• DDoS (Denial of Service)
• Defacement
• Integrity Attacks
• Highly-sophisticated Advanced Persistent Threat campaigns conducted by nation states.
Media Business Model & Challenges
2016 – First 90 days
• 83,000 impacted by breach at Gyft Inc
• 63,000 records exposed at UCF (Florida)
• 15,000 credit cards Bailey's Inc.
• Hyatt data beach 250 hotels in 50 countries
• Neiman Marcus – 5,200 accounts
• TaxSlayer – 8,800 customers
43%
50%
49%
58%
8%
4.10%
4.20%
0% 10% 20% 30% 40% 50% 60% 70%
HACKING ATTEMPT
DOS
MALWARE
PHISHING
SQL INJECTION
MOBILE ATTACKS
SOCIAL MEDIA ATTACK
Probability of an Attack Type – Media Orgs
edgescan research - 2016
edgescan.com “Media vertical” Web Security Survey – January 2016 - August 2016
11 Sites Randomly Surveyed globally
• Newspaper
• Television
• Radio
• Social Media
• News Feeds / PR
2%
32%
27%
39%
Frequency of Detection
Critical Risk
High Risk
Medium Risk
Low Risk
Old Vulnerabilities
99.9% of the exploited vulnerabilities in had been
compromised more than a year after the associated CVE
was published. - “Zero day’s” are overrated.
Security by Numbers
Likelihood of a vulnerability being discovered – Web Applications
Challenges to Media
What are we protecting?
Journalist
• Protect sources
• Prevent future storylines being revealed
Broadcaster
• Guarantee content distributed has not been tampered with.
• Protect my systems against denial of service attacks – availability
• Prevent unauthorised access to raw footage
• Live studio production, Control Signals/Technology won't be tampered with.
Rights Holder
• Prevent unauthorised access to my content.
Production team
• Grant access to the content to authorised staff.
Dangerous Times - Journalists
• There is not a journalist working who doesn't expose themselves to a web-
based attack at least once every day.
– journalists have to click links
– open email attachments
– Consider:
• Using an iDevice for mail (not jailbroken)
• Don’t use “office” with Macros enabled
• Enable FDE (Full disk Encryption)
• Patch
• Use and Ad-blocker (I said it!!)
• Don’t use IE (Internet Explorer) or any old browser.
• Disable Flash
Fullstack Protection
Web Applications
App Server
SSL/TLS
Databases
Services
Operating Systems
Networks
Continuous Vigilance
Conclusion
• Fullstack protection is key
– Applications and Hosting environments
• Continuous assessment to match ever-
changing systems & environments
• Journalist procedures – unique problem
• Security is a journey never a destination.

Mais conteúdo relacionado

Mais procurados

Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
Darren Argyle
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
Hamisi Kibonde
 
Department of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in CyberspaceDepartment of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in Cyberspace
Department of Defense
 

Mais procurados (20)

Protection of critical information infrastructure
Protection of critical information infrastructureProtection of critical information infrastructure
Protection of critical information infrastructure
 
Cert adli wahid_iisf2011
Cert adli wahid_iisf2011Cert adli wahid_iisf2011
Cert adli wahid_iisf2011
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
 
Cyberterrorism. Past, Present, Future
Cyberterrorism. Past, Present, FutureCyberterrorism. Past, Present, Future
Cyberterrorism. Past, Present, Future
 
Bo e v1.0
Bo e v1.0Bo e v1.0
Bo e v1.0
 
National Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip VictorNational Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip Victor
 
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
 
Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...
Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...
Luncheon 2015-08-20 - Multi-vector DDOS Attacks Detection and Mitigation by P...
 
2017 K12 Educators Security Briefing - Matthew Rosenquist
2017 K12 Educators Security Briefing - Matthew Rosenquist2017 K12 Educators Security Briefing - Matthew Rosenquist
2017 K12 Educators Security Briefing - Matthew Rosenquist
 
Communicating cybersecurity
Communicating cybersecurityCommunicating cybersecurity
Communicating cybersecurity
 
Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats"
 Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats" Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats"
Global CCISO Forum 2018 | John Felker "Partnerships to Address Threats"
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
 
CERT Certification
CERT CertificationCERT Certification
CERT Certification
 
Webroot Antivirus Web Security
Webroot Antivirus Web Security Webroot Antivirus Web Security
Webroot Antivirus Web Security
 
Virtual Bridge Sessions: The National Cyber Security Centre at Your Service
Virtual Bridge Sessions: The National Cyber Security Centre at Your ServiceVirtual Bridge Sessions: The National Cyber Security Centre at Your Service
Virtual Bridge Sessions: The National Cyber Security Centre at Your Service
 
Smart Citizen Cyber Resilience in Asia and Pacific
Smart Citizen Cyber Resilience in Asia and PacificSmart Citizen Cyber Resilience in Asia and Pacific
Smart Citizen Cyber Resilience in Asia and Pacific
 
Department of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in CyberspaceDepartment of Defense Strategy for Operating in Cyberspace
Department of Defense Strategy for Operating in Cyberspace
 
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
 
cybersecurity- A.Abutaleb
cybersecurity- A.Abutalebcybersecurity- A.Abutaleb
cybersecurity- A.Abutaleb
 

Semelhante a Media-web_application_security_and_vulnerabilities

20101012 isa larry_clinton
20101012 isa larry_clinton20101012 isa larry_clinton
20101012 isa larry_clinton
CIONET
 
SOD-Presentation-Des-Moines-10.19.21-v2.pptx
SOD-Presentation-Des-Moines-10.19.21-v2.pptxSOD-Presentation-Des-Moines-10.19.21-v2.pptx
SOD-Presentation-Des-Moines-10.19.21-v2.pptx
TamaOlan1
 
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptxWhy-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
dhananjay80
 
Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report
Mandar Kharkar
 
7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank
shreemala1
 

Semelhante a Media-web_application_security_and_vulnerabilities (20)

Cyber security # Lec 1
Cyber security # Lec 1Cyber security # Lec 1
Cyber security # Lec 1
 
20101012 isa larry_clinton
20101012 isa larry_clinton20101012 isa larry_clinton
20101012 isa larry_clinton
 
SOD-Presentation-Des-Moines-10.19.21-v2.pptx
SOD-Presentation-Des-Moines-10.19.21-v2.pptxSOD-Presentation-Des-Moines-10.19.21-v2.pptx
SOD-Presentation-Des-Moines-10.19.21-v2.pptx
 
Brooks18
Brooks18Brooks18
Brooks18
 
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
 
Cyber security and its controls.pptx
Cyber security and its controls.pptxCyber security and its controls.pptx
Cyber security and its controls.pptx
 
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptxWhy-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
Why-Cyber-Security-Matters-Protecting-Your-Business-and-Your-Reputation.pptx
 
CYBER SECURITY.pptx
CYBER SECURITY.pptxCYBER SECURITY.pptx
CYBER SECURITY.pptx
 
Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report Cisco 2014 - Anual Security Report
Cisco 2014 - Anual Security Report
 
Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRI
 
The State of Endpoint Security Today
The State of Endpoint Security Today The State of Endpoint Security Today
The State of Endpoint Security Today
 
Subhankar Dutta, Cyber security presentation.pptx
Subhankar Dutta, Cyber security presentation.pptxSubhankar Dutta, Cyber security presentation.pptx
Subhankar Dutta, Cyber security presentation.pptx
 
Social media risks and controls
Social media risks and controlsSocial media risks and controls
Social media risks and controls
 
M1_Introduction_IPS.pptx
M1_Introduction_IPS.pptxM1_Introduction_IPS.pptx
M1_Introduction_IPS.pptx
 
7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank
 
Rishabhcyber security.pptx
Rishabhcyber security.pptxRishabhcyber security.pptx
Rishabhcyber security.pptx
 
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your DataLaw Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
 
Threat Detection as presented at the 2016 DGI Cyber security Conference
Threat Detection as presented at the 2016 DGI Cyber security ConferenceThreat Detection as presented at the 2016 DGI Cyber security Conference
Threat Detection as presented at the 2016 DGI Cyber security Conference
 
THESIS-2(2)
THESIS-2(2)THESIS-2(2)
THESIS-2(2)
 
The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016
 

Mais de Eoin Keary

Mais de Eoin Keary (20)

IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptx
 
Validation of vulnerabilities.pdf
Validation of vulnerabilities.pdfValidation of vulnerabilities.pdf
Validation of vulnerabilities.pdf
 
Does a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdfDoes a Hybrid model for vulnerability Management Make Sense.pdf
Does a Hybrid model for vulnerability Management Make Sense.pdf
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
 
Edgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats ReportEdgescan 2021 Vulnerability Stats Report
Edgescan 2021 Vulnerability Stats Report
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
 
Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020Edgescan vulnerability stats report 2020
Edgescan vulnerability stats report 2020
 
edgescan vulnerability stats report (2018)
 edgescan vulnerability stats report (2018)  edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
 
Vulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of changeVulnerability Intelligence - Standing Still in a world full of change
Vulnerability Intelligence - Standing Still in a world full of change
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
 
Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.Hide and seek - Attack Surface Management and continuous assessment.
Hide and seek - Attack Surface Management and continuous assessment.
 
Online Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat ModelOnline Gaming Cyber security and Threat Model
Online Gaming Cyber security and Threat Model
 
Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.Keeping the wolf from 1000 doors.
Keeping the wolf from 1000 doors.
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong   cloud versionWeb security – everything we know is wrong   cloud version
Web security – everything we know is wrong cloud version
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
 
Ebu class edgescan-2017
Ebu class edgescan-2017Ebu class edgescan-2017
Ebu class edgescan-2017
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbers
 

Último

一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 

Último (20)

一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 

Media-web_application_security_and_vulnerabilities

  • 1. Media web application security and vulnerabilities
  • 2. Eoin Keary CISSP CISA CTO/Founder edgescan.com Hacker/Software Security Geek OWASP Global Board Member (2009-2014) OWASP Person of the Year 2015 & 2016
  • 3. Always-on: The pressure to maintain a 24x7 service. Reputation: one thing that matters above all for most media organizations. Footprint: The public footprint makes for prime targets for visible impact to a wide audience Propaganda is alive and well Cyber attack has become an effective tool in its deployment by both state and non-state groups. Attempts to raise the profile of a cause, to sow the seeds of fear or to sway public opinion Threat actors: hacktivists, terrorist and nation states. Media industry is highly likely to face a CyberAttack in order to disrupt service. Tactics such as • DDoS (Denial of Service) • Defacement • Integrity Attacks • Highly-sophisticated Advanced Persistent Threat campaigns conducted by nation states. Media Business Model & Challenges
  • 4. 2016 – First 90 days • 83,000 impacted by breach at Gyft Inc • 63,000 records exposed at UCF (Florida) • 15,000 credit cards Bailey's Inc. • Hyatt data beach 250 hotels in 50 countries • Neiman Marcus – 5,200 accounts • TaxSlayer – 8,800 customers
  • 5. 43% 50% 49% 58% 8% 4.10% 4.20% 0% 10% 20% 30% 40% 50% 60% 70% HACKING ATTEMPT DOS MALWARE PHISHING SQL INJECTION MOBILE ATTACKS SOCIAL MEDIA ATTACK Probability of an Attack Type – Media Orgs edgescan research - 2016
  • 6. edgescan.com “Media vertical” Web Security Survey – January 2016 - August 2016 11 Sites Randomly Surveyed globally • Newspaper • Television • Radio • Social Media • News Feeds / PR 2% 32% 27% 39% Frequency of Detection Critical Risk High Risk Medium Risk Low Risk
  • 7. Old Vulnerabilities 99.9% of the exploited vulnerabilities in had been compromised more than a year after the associated CVE was published. - “Zero day’s” are overrated.
  • 8. Security by Numbers Likelihood of a vulnerability being discovered – Web Applications
  • 9. Challenges to Media What are we protecting? Journalist • Protect sources • Prevent future storylines being revealed Broadcaster • Guarantee content distributed has not been tampered with. • Protect my systems against denial of service attacks – availability • Prevent unauthorised access to raw footage • Live studio production, Control Signals/Technology won't be tampered with. Rights Holder • Prevent unauthorised access to my content. Production team • Grant access to the content to authorised staff.
  • 10. Dangerous Times - Journalists • There is not a journalist working who doesn't expose themselves to a web- based attack at least once every day. – journalists have to click links – open email attachments – Consider: • Using an iDevice for mail (not jailbroken) • Don’t use “office” with Macros enabled • Enable FDE (Full disk Encryption) • Patch • Use and Ad-blocker (I said it!!) • Don’t use IE (Internet Explorer) or any old browser. • Disable Flash
  • 11. Fullstack Protection Web Applications App Server SSL/TLS Databases Services Operating Systems Networks
  • 13. Conclusion • Fullstack protection is key – Applications and Hosting environments • Continuous assessment to match ever- changing systems & environments • Journalist procedures – unique problem • Security is a journey never a destination.