
Web Security Illustrated

posted March 05, 2013

Illustrations of 6 common web security attacks:

1. Distributed Denial of Service (DDoS)

A DDoS attack seeks to bring a website down by flooding it with requests.

[Illustration: DDoS protection]

DDoS attackers use an array of strategies to paralyse a website. It is common for attackers to:

- tie up network resources such as connections or bandwidth
- tie up server resources such as CPU and memory
- use a zombie army (botnet) of devices that have been taken over by malware
- target layer 4 (transport, e.g. SYN floods) or layer 7 (application, e.g. HTTP request floods)
- exploit vulnerabilities in network equipment
- exploit vulnerabilities in server software and web applications
- spoof source IP addresses so the flood is hard to trace or filter by origin
- make expensive requests (large files, complex queries etc.) and then ignore the responses

Defences for DDoS are layered: upstream filtering by the network provider, network equipment and specialized hardware that rate-limit or drop flood traffic, and best practices for application development and deployment (caching, cheap fast paths for unauthenticated requests, timeouts on idle connections, per-client rate limits).
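The application-layer side of that defence starts with noticing the flood. The following is an added example, not code from the original article: it parses web-server access log lines in the common "combined" format, counts requests per source IP in a sliding window, and flags any source that exceeds a threshold, which is the same signal a per-client rate limiter acts on. The log lines are constructed for the example and the limits are illustrative.

```python
"""Layer-7 flood detection over web-server access log lines.

Added example: counts requests per source IP in a sliding window and flags
sources that exceed a threshold, the same signal a rate limiter acts on.
The log lines are constructed here and the limits are illustrative."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; the trailing referer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


class FloodDetector:
    """Flag a source once it makes more than `limit` requests in `window` seconds.

    Events must arrive in timestamp order, as they do when reading a log."""

    def __init__(self, limit=100, window=10):
        self.limit = limit
        self.window = timedelta(seconds=window)
        self.recent = defaultdict(deque)  # ip -> timestamps still inside the window
        self.flagged = {}                 # ip -> timestamp when first flagged

    def observe(self, event):
        q = self.recent[event["ip"]]
        q.append(event["ts"])
        while event["ts"] - q[0] > self.window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > self.limit and event["ip"] not in self.flagged:
            self.flagged[event["ip"]] = event["ts"]
        return event["ip"] in self.flagged


def constructed_log():
    """Constructed sample: three clients at 1 request/s and one source at 40 requests/s
    hammering an expensive search page, over 30 seconds."""
    base = datetime(2013, 3, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(30):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
        for _ in range(40):
            lines.append(f'203.0.113.99 - - [{ts}] "GET /search?q=%2A HTTP/1.1" 200 51200 "-" "-"')
    return lines


def flagged_sources(lines, limit=100, window=10):
    """Run the detector over log lines and return the sorted list of flagged IPs."""
    det = FloodDetector(limit, window)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            det.observe(event)
    return sorted(det.flagged)


if __name__ == "__main__":
    print(flagged_sources(constructed_log()))  # ['203.0.113.99']
```

Two caveats a practitioner would add: a per-IP count is useless against a layer-4 flood from spoofed sources, which is why network-level defences are needed as well, and many legitimate users can sit behind one NAT address, so the threshold has to be tuned against normal traffic before it drives any blocking.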

2. Social Engineering

Hacking is a lot of work — in many cases it is easier for an attacker to just call up and ask for information.

In one 2003 information security survey, 90% of office workers were willing to give up their password for a cheap pen.

Social engineering starts with a pretext: a lie told to gain the user's trust. It often ends with the user divulging sensitive information.

Example: An attacker calls a list of users claiming to be tech support. Some users will have a problem with their computers and be happy to divulge passwords or type in commands.

[Illustration: social engineering]

The best defence for social engineering is user awareness and training.

3. Man in the Middle

A form of electronic eavesdropping — two victims think they are talking to each other but both are actually talking to an attacker.

[Illustration: man in the middle attack]

Man in the middle attacks are often used to:

- steal sensitive information from both victims
- execute fraudulent transactions
- inject advertisements and spam

Encrypting the channel between authenticated endpoints prevents most man in the middle attacks: for example TLS with proper certificate validation, or any key exchange in which each party verifies the other's identity before trusting the keys. Encryption alone is not enough, because an attacker who sits between two parties that never authenticate each other can simply negotiate a separate key with each of them.
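The last point is easiest to see in a protocol exchange. The following is an added example, not code from the original article: a toy Diffie-Hellman key agreement in which Mallory relays the messages and ends up able to read both sides, followed by the same exchange with each public value authenticated by an HMAC under a key Alice and Bob share in advance. The group parameters (a 127-bit Mersenne prime and generator 2) and the pre-shared key are assumptions for the demonstration; real protocols such as TLS authenticate the exchange with certificates instead, but the principle is the same.

```python
"""Why an unauthenticated key exchange falls to a man in the middle, and how
authenticating the exchanged values stops it.

Added example, not from the original article. Toy Diffie-Hellman group and a
pre-shared HMAC key stand in for the certificates a real protocol would use."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy modulus, illustration only; never use in production
G = 2


def keypair():
    """Random private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_key(private, peer_public):
    """Derive a 256-bit session key from the Diffie-Hellman shared secret."""
    secret = pow(peer_public, private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def unauthenticated_exchange():
    """Mallory relays the exchange but substitutes her own public value in each
    direction. Alice and Bob each end up sharing a key with Mallory, not each other."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    # Alice -> (Mallory) -> Bob: Bob receives m_pub believing it is Alice's.
    # Bob -> (Mallory) -> Alice: Alice receives m_pub believing it is Bob's.
    alice_key = shared_key(a_priv, m_pub)
    bob_key = shared_key(b_priv, m_pub)
    return {
        "victims_share_a_key": alice_key == bob_key,
        "mallory_can_read_alice": alice_key == shared_key(m_priv, a_pub),
        "mallory_can_read_bob": bob_key == shared_key(m_priv, b_pub),
    }


def tag(psk, public):
    """MAC over a public value so the receiver can check who really sent it."""
    return hmac.new(psk, public.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(mallory_present):
    """Each side MACs its public value with the pre-shared key. Returns True if
    both sides accept the value they received."""
    psk = secrets.token_bytes(32)          # known to Alice and Bob only
    _, a_pub = keypair()
    _, b_pub = keypair()
    alice_sends = (a_pub, tag(psk, a_pub))
    bob_sends = (b_pub, tag(psk, b_pub))
    if mallory_present:
        # Mallory swaps in her own value but cannot recompute the tag without psk.
        _, m_pub = keypair()
        alice_sends = (m_pub, alice_sends[1])
        bob_sends = (m_pub, bob_sends[1])
    bob_accepts = hmac.compare_digest(tag(psk, alice_sends[0]), alice_sends[1])
    alice_accepts = hmac.compare_digest(tag(psk, bob_sends[0]), bob_sends[1])
    return bob_accepts and alice_accepts
```

In TLS the role of the tag is played by a certificate chain signed by an authority the client trusts; an application that disables certificate validation, or accepts any certificate presented to it, is back in the position of the first function.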

4. Phishing

Phishing attempts to steal sensitive data by masquerading as a trustworthy website.

[Illustration: phishing]

The best defence for phishing is user education together with tools that warn users about phishing websites (browser warnings, reputation lists, lookalike-domain checks). Fighting related attacks such as spam, malware and DNS poisoning is also key, since they are what deliver the phishing link or redirect the user to the fake site.
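The following is an added example of the kind of lookalike-URL check such a warning tool applies before a user follows a link; it is not code from the original article. The protected brand name, its legitimate domain and the "last two labels" rule for the registrable domain are simplifying assumptions; production tools use the public suffix list and reputation data on top of heuristics like these.

```python
"""Heuristic lookalike-URL checks of the kind a phishing warning tool runs
before the user follows a link.

Added example, not from the original article. The brand list, its legitimate
domain and the two-label registrable-domain rule are simplifying assumptions."""
import ipaddress
from urllib.parse import urlsplit

# Brand names we protect and the domains that legitimately carry them (assumed).
PROTECTED = {"examplebank": {"examplebank.example"}}

# Character swaps attackers use so a hostname reads like the real brand.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(host):
    """Undo common homoglyph tricks so 'examp1ebank' compares equal to 'examplebank'."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable_domain(host):
    """Simplification: the last two labels (ignores suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(url):
    """Return a list of reasons to warn about `url`; an empty list means nothing found."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:
        findings.append("credentials before the host (user@host trick)")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address as host")
        return findings
    except ValueError:
        pass  # not an IP literal, continue with name-based checks
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized (punycode) label, check for lookalike script")
    reg = registrable_domain(host)
    for brand, legit in PROTECTED.items():
        if reg in legit:
            continue  # the brand's own site
        if brand in host.lower():
            findings.append(f"brand '{brand}' used outside its own domain ({reg})")
        elif brand in normalize(host):
            findings.append(f"homoglyph spelling of '{brand}' in host")
    if parts.scheme != "https":
        findings.append("not HTTPS")
    return findings


if __name__ == "__main__":
    for u in ("https://examplebank.example/login",
              "https://examplebank.example.evil.example/login",
              "https://examp1ebank.example/login",
              "http://user@203.0.113.5/"):
        print(u, "->", phishing_indicators(u))
```

Heuristics like these produce false positives (a legitimate partner site may mention the brand in a subdomain), so the output is a warning to the user, not a block. The subdomain trick is the one users miss most often: "examplebank.example.evil.example" is owned by whoever registered evil.example, whatever its first labels say.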

5. SQL Injection

SQL injection is an attack that hides database commands in user input. Attackers submit combinations of special characters and SQL specially designed to trick a website into executing database commands.
[Illustration: SQL injection]

SQL injection is prevented primarily by keeping data out of the query text: use parameterized queries (prepared statements) so that user input is bound as a value rather than parsed as SQL. Input validation and escaping are useful as defence in depth but are error-prone as the only control, and the database account the application connects with should have only the privileges it needs, so that a successful injection does less damage.
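To make the difference concrete, here is an added example (not code from the original article) against an in-memory SQLite database: a login check that concatenates user input into the query, the two classic payloads that defeat it, and the parameterized version that returns nothing for the same payloads. The table contents are constructed, and passwords are stored in clear only to keep the example short.

```python
"""SQL injection against a login check, and the fix.

Added example, not from the original article: an in-memory SQLite database,
a login function that concatenates user input into the query, the payloads
that defeat it, and the parameterized version that is immune to them."""
import sqlite3


def make_db():
    """Constructed sample table; clear-text passwords only to keep the example short."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "correct horse"), ("admin", "s3cret")])
    return con


def vulnerable_login(con, username, password):
    """Builds the SQL by string formatting: the attacker controls the query text."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(con, username, password):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against the same payloads and return who each one logs in."""
    con = make_db()
    results = {}
    # Payload 1: close the string literal, then comment out the password check.
    # Resulting query: ... WHERE username = 'admin' --' AND password = 'wrong'
    results["comment_out_vuln"] = vulnerable_login(con, "admin' --", "wrong")
    results["comment_out_safe"] = safe_login(con, "admin' --", "wrong")
    # Payload 2: a tautology in the password field makes the WHERE clause true for every row.
    # Resulting query: ... WHERE username = 'nobody' AND password = '' OR '1'='1'
    results["tautology_vuln"] = vulnerable_login(con, "nobody", "' OR '1'='1")
    results["tautology_safe"] = safe_login(con, "nobody", "' OR '1'='1")
    # The legitimate case still works with parameters.
    results["legit_safe"] = safe_login(con, "admin", "s3cret")
    return results


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name}: {who}")
```

Note that the vulnerable version never needed the real password: the first payload logs the attacker in as admin and the second as whichever user the database returns first. The parameterized version sends the same two strings to the database as plain values, so they are compared against the column and match nobody.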

6. DNS Poisoning

DNS poisoning targets the services that translate domain names to IPs. The goal is to send users to the attacker's IP when they request a website or service.

[Illustration: DNS poisoning]

DNS Poisoning is often used to steal data, spread false information or vandalize websites.

DNS poisoning can be limited by securing every resolver in the path: the authoritative and recursive (caching) DNS servers, and the local caches on host machines. A caching resolver should randomize its transaction IDs and source ports so forged replies are hard to guess, and should discard records that lie outside the bailiwick of the server that answered. There is also a cryptographic extension to DNS (DNSSEC) that provides origin authentication and integrity of DNS data, so a validating resolver rejects forged records outright.
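The bailiwick check is the piece most worth seeing in code. The following is an added example, not code from the original article: a toy resolver cache fed a constructed response in which the attacker's own authoritative server answers a query for its own name and slips a forged A record for an unrelated bank domain into the additional section. A cache that stores every record is poisoned; one that drops out-of-bailiwick records is not. The messages are plain Python objects standing in for DNS responses, and the zone is carried on the message for brevity; a real resolver knows it from the delegation it followed, not from the response.

```python
"""Cache poisoning via out-of-bailiwick records, and the check that stops it.

Added example, not from the original article. Plain objects stand in for DNS
messages; a real resolver also randomizes transaction ID and source port and,
with DNSSEC, validates signatures."""
from dataclasses import dataclass, field


@dataclass
class Record:
    name: str
    rtype: str
    data: str


@dataclass
class Response:
    # Zone the resolver was delegated to when it sent this query. A real resolver
    # derives this from the delegation it followed, never from the response itself.
    zone: str
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies under it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self, check_bailiwick):
        self.check_bailiwick = check_bailiwick
        self.store = {}

    def ingest(self, resp):
        """Cache the records in a response; with checking on, drop any the answering
        server has no authority over."""
        for rec in resp.answers + resp.additional:
            if self.check_bailiwick and not in_bailiwick(rec.name, resp.zone):
                continue
            self.store[(rec.name.lower(), rec.rtype)] = rec.data

    def lookup(self, name, rtype="A"):
        return self.store.get((name.lower(), rtype))


def poisoned_response():
    """Constructed: the attacker's authoritative server answers for its own name and
    glues a forged A record for the bank into the additional section."""
    return Response(
        zone="attacker.example",
        answers=[Record("www.attacker.example", "A", "203.0.113.10")],
        additional=[
            Record("ns1.attacker.example", "A", "203.0.113.11"),  # legitimate glue
            Record("www.bank.example", "A", "203.0.113.10"),      # the poison
        ],
    )


def bank_address_after_poisoning(check_bailiwick):
    """Where a client of this cache would be sent for www.bank.example."""
    cache = ResolverCache(check_bailiwick)
    cache.ingest(poisoned_response())
    return cache.lookup("www.bank.example")


def glue_kept(check_bailiwick):
    """The in-bailiwick glue record must survive the check."""
    cache = ResolverCache(check_bailiwick)
    cache.ingest(poisoned_response())
    return cache.lookup("ns1.attacker.example")


if __name__ == "__main__":
    print("naive cache sends bank users to:", bank_address_after_poisoning(False))
    print("checking cache sends bank users to:", bank_address_after_poisoning(True))
```

The bailiwick rule is a necessary hygiene check, not a complete defence: an attacker who can race the real reply with a forged one carrying the right transaction ID and port can still poison the name being queried, which is what DNSSEC validation closes off.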
