Web Security Illustrated
posted by John Spacey, March 05, 2013
Illustrations of 6 common web security attacks:
1. Distributed Denial of Service (DDoS)
A DDoS attack seeks to bring a website down by flooding it with requests.
DDoS attackers use an array of strategies to paralyse a website. It is common for attackers to:
- tie up network resources such as connections or bandwidth
- tie up server resources such as cpu and memory
- use a zombie army of devices that have been taken over by malware
- focus on layer 4 or layer 7
- exploit vulnerabilities in network equipment
- exploit vulnerabilities in server software and web applications
- use spoofed IPs
- make expensive requests (large files, complex queries, etc.) and then ignore the responses
Defences for DDoS include network equipment, specialized hardware and best practices for application development and deployment.
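The "best practices for application development" defence above includes spotting a client that is making many, or many expensive, requests and rate-limiting it. The following is an added example, not code from the original article: it parses constructed access-log lines (the IP addresses, paths and timestamps are made up), weights each request by a hypothetical per-path cost so that expensive queries count more than static pages, and flags any client whose summed cost inside a sliding window exceeds a budget.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines in Apache common-log format; not real traffic.
# 203.0.113.9 hammers an expensive search endpoint, 198.51.100.4 browses normally.
SAMPLE_LOG = """\
203.0.113.9 - - [05/Mar/2013:10:00:00 +0000] "GET /search?q=a HTTP/1.1" 200 5120
203.0.113.9 - - [05/Mar/2013:10:00:00 +0000] "GET /search?q=b HTTP/1.1" 200 5120
203.0.113.9 - - [05/Mar/2013:10:00:01 +0000] "GET /search?q=c HTTP/1.1" 200 5120
198.51.100.4 - - [05/Mar/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.9 - - [05/Mar/2013:10:00:01 +0000] "GET /search?q=d HTTP/1.1" 200 5120
203.0.113.9 - - [05/Mar/2013:10:00:02 +0000] "GET /search?q=e HTTP/1.1" 200 5120
203.0.113.9 - - [05/Mar/2013:10:00:02 +0000] "GET /search?q=f HTTP/1.1" 200 5120
198.51.100.4 - - [05/Mar/2013:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 1024
203.0.113.9 - - [05/Mar/2013:10:00:45 +0000] "GET /search?q=g HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# Hypothetical per-path cost weights: a search costs the server more than a static page.
REQUEST_COST = {"/search": 5}


def parse_line(line):
    """Return (client_ip, timestamp, request_line) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def request_cost(request_line):
    """Weight a request by the path prefix it hits; unknown paths cost 1."""
    parts = request_line.split()
    path = parts[1] if len(parts) > 1 else ""
    for prefix, cost in REQUEST_COST.items():
        if path.startswith(prefix):
            return cost
    return 1


def find_flooding_ips(lines, window_seconds=10, budget=20):
    """Sliding-window cost budget per client IP.

    Returns {ip: peak_cost} for every IP whose summed request cost inside any
    `window_seconds` window exceeds `budget`. Lines are assumed to be in time
    order, as an access log normally is.
    """
    windows = defaultdict(deque)   # ip -> deque of (timestamp, cost)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req = parsed
        q = windows[ip]
        q.append((ts, request_cost(req)))
        # Drop entries that have aged out of the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        total = sum(cost for _, cost in q)
        if total > budget:
            offenders[ip] = max(offenders.get(ip, 0), total)
    return offenders


if __name__ == "__main__":
    for ip, peak in find_flooding_ips(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: peak cost {peak} in a 10 s window, candidate for rate limiting")
```

In production the same logic would run in a reverse proxy or WAF and feed a temporary block list; the point here is that a per-client budget catches both "many cheap requests" and "a few expensive ones", which a plain request counter does not.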
2. Social Engineering
Hacking is a lot of work — in many cases it is easier for an attacker to just call up and ask for information.
In one 2003 information security study — 90% of office workers were willing to give up their password for a cheap pen.
Social Engineering starts with a pretext: a lie to gain the user's trust. It often ends with the user divulging sensitive information.
Example: An attacker calls a list of users claiming to be tech support. Some users will have a problem with their computers and be happy to divulge passwords or type in commands.
The best defence for social engineering is user awareness and training.
3. Man in the Middle
A form of electronic eavesdropping — two victims think they are talking to each other but both are actually talking to an attacker.
Man in the middle attacks are often used to:
- steal sensitive information from both victims
- execute fraudulent transactions
- inject advertisements and spam
Secure cryptography and strong authentication can prevent most man in the middle attacks.
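The "strong authentication" half of that defence means every message carries something only the legitimate parties can produce, so a relaying party cannot alter or replay it unnoticed. The following is an added example, not code from the original article: two parties share a constructed key out of band, the sender binds each payload to a counter and an HMAC-SHA256 tag, and the receiver rejects any copy whose tag no longer verifies or whose counter has already been seen. A real deployment would use TLS, which adds confidentiality and certificate-based key agreement on top of this idea.

```python
import hashlib
import hmac


def make_message(key, counter, payload):
    """Sender side: bind the payload to a monotonically increasing counter and
    authenticate both with HMAC-SHA256 under the shared key."""
    body = f"{counter}:{payload}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify_message(key, wire, last_counter):
    """Receiver side: return (counter, payload) if the tag verifies and the
    counter is fresh, otherwise None. A relayed-and-modified or replayed
    message fails here even though it arrived over the expected channel."""
    body, sep, tag = wire.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    counter_str, _, payload = body.decode().partition(":")
    try:
        counter = int(counter_str)
    except ValueError:
        return None
    if counter <= last_counter:
        return None   # replay of an already-accepted message
    return counter, payload


def tampered_copy(wire, old, new):
    """Model the relaying party from the article: forward the bytes after
    substituting text. Without the key it cannot produce a matching tag."""
    return wire.replace(old, new)


if __name__ == "__main__":
    KEY = b"constructed-shared-key"          # agreed out of band in this example
    wire = make_message(KEY, 1, "transfer 10 to alice")
    print("genuine :", verify_message(KEY, wire, 0))
    print("modified:", verify_message(KEY, tampered_copy(wire, b"alice", b"mallory"), 0))
    print("replayed:", verify_message(KEY, wire, 1))
```

The counter matters as much as the tag: an intermediary that cannot forge a message can still resend a genuine one later, so the receiver must remember the last counter it accepted.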
4. Phishing
Phishing attempts to steal sensitive data by masquerading as a trustworthy website.
The best defence for phishing is user education and tools to warn users of phishing websites. Fighting other attacks such as spam, malware and DNS poisoning is also key.
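One building block of the "tools to warn users" mentioned above is a look-alike check: does the hostname in a link resemble a domain the organisation trusts without being that domain? The following is an added example, not code from the original article. The allow-list (`example.com`, `examplebank.com`) and the homoglyph table are constructed, and the registrable-domain rule is a deliberate simplification (last two labels, no public suffix list). It decodes punycode labels, folds common look-alike characters to their Latin reading, and then compares against the allow-list exactly, as a subdomain, as an embedded brand and by edit distance.

```python
import unicodedata

# Constructed allow-list of domains the organisation considers trusted.
TRUSTED = {"example.com", "examplebank.com"}

# Characters commonly substituted for Latin letters; the escapes are Cyrillic а, е, о, р, с.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def skeleton(host):
    """Reduce a hostname to the Latin string a person would read it as."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")   # xn-- labels -> Unicode
    except UnicodeError:
        pass                                          # already Unicode, leave as-is
    host = unicodedata.normalize("NFKC", host)
    for lookalike, plain in HOMOGLYPHS.items():
        host = host.replace(lookalike, plain)
    return host


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    # Simplification: treat the last two labels as the registrable domain.
    # A real tool would consult the public suffix list (co.uk and similar).
    return ".".join(host.split(".")[-2:])


def phishing_verdict(host):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'."""
    raw = host.lower().rstrip(".")
    if raw in TRUSTED or registrable(raw) in TRUSTED:
        return "ok", "allow-listed domain or one of its subdomains"
    h = skeleton(raw)
    reg = registrable(h)
    for brand in sorted(TRUSTED):
        if h == brand or reg == brand:
            return "suspicious", f"{host} reads like {brand} but is a different domain"
        if brand in h:
            return "suspicious", f"{brand} appears inside {host}, whose registrable domain is {reg}"
        if edit_distance(reg, brand) <= 1:
            return "suspicious", f"{reg} is within one edit of {brand}"
    return "unknown", "no resemblance to an allow-listed domain"


if __name__ == "__main__":
    for h in ["www.example.com", "examp1e.com", "example.com.login-verify.net",
              "exarnple.com", "exampl.com", "wikipedia.org"]:
        print(f"{h:32} {phishing_verdict(h)}")
```

A verdict of "unknown" is not a clean bill of health; it only says the name does not imitate something on the list, which is why such checks are paired with reputation feeds and user education rather than used alone.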
5. SQL Injection
SQL injection is an attack that hides database commands in user input. Attackers submit combinations of special characters and SQL specially designed to trick a website into executing database commands.
SQL Injection can be avoided with properly implemented user input validation or escaping.
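To make the defect and the fix concrete, here is an added example that is not code from the original article. It builds a constructed in-memory SQLite table (the user names and passwords are made up, and storing passwords in clear is a shortcut to keep the example short), shows a login query assembled by string concatenation, where a quote character in the input changes the meaning of the statement, and next to it the same query written with bound parameters plus an allow-list validator for the username field.

```python
import re
import sqlite3

# Allow-list pattern for what a username is permitted to contain.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Constructed in-memory table. Passwords are stored in clear here only to
    keep the example short; a real application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string interpolation, so quote characters in
    the input become part of the SQL grammar instead of data."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so the input can never change the statement's structure."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def is_valid_username(name):
    """Allow-list validation as a second layer: reject anything outside the
    character set a username is supposed to contain."""
    return bool(USERNAME_RE.match(name))


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"   # a classic quote-breaking input
    print("vulnerable, correct password:", login_vulnerable(conn, "alice", "s3cret"))
    print("vulnerable, crafted password:", login_vulnerable(conn, "alice", crafted))
    print("parameterised, crafted password:", login_safe(conn, "alice", crafted))
    print("username allowed:", is_valid_username("alice"), is_valid_username("alice'--"))
```

Escaping the input by hand works only if every code path remembers to do it and does it correctly for the target database; binding parameters removes the problem instead of patching around it, and the validator narrows what reaches the database at all.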
6. DNS Poisoning
DNS poisoning targets the services that translate domain names to IPs. The goal is to send users to the attacker's IP when they request a website or service.
DNS Poisoning is often used to steal data, spread false information or vandalize websites.
DNS Poisoning can be prevented by ensuring the security of root and cache DNS servers and local caches on host machines. There is also a cryptographic extension to DNS (DNSSEC) that provides origin authentication of DNS data.
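"Ensuring the security of cache DNS servers" rests on a few checks a resolver makes before it believes a reply. The following is an added example, not code from the original article and not a real DNS implementation: `StubResolver`, `Query` and `Response` are constructed stand-ins for the wire format. It shows a randomised transaction ID and source port that a reply must match, a check that the reply answers the question actually asked, discarding of a second copy once a query is satisfied, and a strict bailiwick rule that caches only the record for the name that was queried. DNSSEC, as the article notes, adds origin authentication on top of these checks.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Query:
    txid: int        # 16-bit transaction ID, randomised per query
    src_port: int    # randomised source port, the second value a forged reply must match
    qname: str


@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    records: dict    # name -> IP; simplified stand-in for the answer and additional sections


class StubResolver:
    """Constructed model of the checks a resolver makes before it caches a reply."""

    def __init__(self):
        self.pending = {}   # (txid, src_port) -> Query still waiting for an answer
        self.cache = {}     # name -> IP

    def send_query(self, qname):
        q = Query(txid=secrets.randbelow(1 << 16),
                  src_port=1024 + secrets.randbelow(65536 - 1024),
                  qname=qname.lower())
        self.pending[(q.txid, q.src_port)] = q
        return q

    def receive(self, resp):
        """Return the list of names cached from this reply; [] means it was dropped."""
        q = self.pending.get((resp.txid, resp.dst_port))
        if q is None or q.qname != resp.qname.lower():
            return []            # no matching outstanding query: ignore the reply
        del self.pending[(resp.txid, resp.dst_port)]   # later copies are rejected
        accepted = []
        for name, ip in resp.records.items():
            # Bailiwick rule, strict form: only keep the record for the name asked.
            if name.lower() == q.qname:
                self.cache[name.lower()] = ip
                accepted.append(name.lower())
        return accepted


if __name__ == "__main__":
    r = StubResolver()
    q = r.send_query("www.example.com")
    reply = Response(q.txid, q.src_port, "www.example.com",
                     {"www.example.com": "192.0.2.10", "www.example.org": "203.0.113.5"})
    print("cached from matching reply:", r.receive(reply))
    print("cache contents:", r.cache)
    print("second copy of the same reply:", r.receive(reply))
```

The out-of-bailiwick record for `www.example.org` is discarded even though the reply itself was genuine: a resolver that cached extra records it never asked about would let one answer overwrite unrelated names.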