Vulnerability, Attack, Defense Split Tunneling Cross-Site Request Forgery And You Mary Henthorn OIT...

Post on 14-Dec-2015


Vulnerability, Attack, Defense

Split Tunneling

Cross-Site Request Forgery

And You

Mary Henthorn

OIT Senior Technology Analyst

February 8, 2007

Thoughts for Today

The Vulnerability Split Tunneling

An Attack Cross-Site Request Forgery

The Defense You!

Split Tunneling Vulnerability

What?

When?

Why?

Virtual Private Network

Secure path between server and client, usually described as a tunnel

Split Tunnel

Connection to an outside system alongside the VPN connection

Can use the client as an agent to deliver a payload

Split Tunnels Happen

Client device connects to:

Internet

Network application

Local devices

Local network
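A client is split tunneling whenever its routing table sends some traffic around the VPN while the tunnel is up. The check below is an added example, not part of the original slides: it parses Linux `ip route` output and answers, by longest-prefix match, whether Internet-bound traffic leaves through the VPN interface and which destinations bypass it. The interface name `tun0`, the TEST-NET probe addresses and both routing-table samples are constructed assumptions for the example.

```python
import ipaddress

# Assumed VPN interface name; real clients use tun0, ppp0, utun*, etc.
VPN_IFACE = "tun0"

# Constructed sample of `ip route` output from a split-tunnel client:
# only the corporate 10.0.0.0/8 goes through tun0, everything else via eth0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""

# Constructed sample from the same client in full-tunnel mode. Instead of
# replacing the default route, the client adds two /1 routes that together
# cover all of IPv4 and beat "default" on longest-prefix match; a host route
# to the VPN server itself (203.0.113.5) must stay outside the tunnel.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.5 via 192.168.1.1 dev eth0
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def outgoing_interface(routes, addr):
    """Longest-prefix match: which interface carries traffic to addr?"""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

# TEST-NET addresses stand in for "some arbitrary Internet host".
INTERNET_PROBES = ("203.0.113.10", "198.51.100.7", "192.0.2.33")

def is_split_tunnel(routes, vpn_iface=VPN_IFACE):
    """True if any Internet-bound probe leaves the host outside the VPN."""
    return any(outgoing_interface(routes, p) != vpn_iface for p in INTERNET_PROBES)

def bypass_routes(routes, vpn_iface=VPN_IFACE):
    """Destinations reachable without traversing the VPN (sorted as strings)."""
    return sorted(str(net) for net, dev in routes if dev != vpn_iface)

if __name__ == "__main__":
    for label, text in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        r = parse_routes(text)
        print(label, "split tunnel:", is_split_tunnel(r), "bypass:", bypass_routes(r))
```

Note that even the full-tunnel table keeps the local LAN (192.168.1.0/24) reachable directly, which is the "local devices" and "local network" case on this slide: a client sitting on a hostile LAN is still exposed to it, so "no split tunneling" is a statement about Internet-bound traffic, not complete isolation.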

Why Have Split Tunnels?

Performance

Bandwidth conservation

Multi-tasking habits

Access to local network

Access to printers

Internet Connection Sharing (ICS)

VPN as a Band-Aid

An Attack

VPN as a Band-Aid: doesn’t completely isolate sessions

Cross-Site Request Forgery

Can defeat VPN

Facilitated by split tunneling

Facilitated by XSS vulnerabilities

Can be delivered by worms

Can be delivered by botnets

Fast, resilient

Complexity depends on target application

CSRF by Any Other Name

CSRF

XSRF

Injection, code injection

Session riding

Hostile linking

CSRF – pronounced “sea surf”

One click attack

Confused deputy attack

CSRF

Attacker tricks client (agent) into sending the malicious request

CSRF Attack

Study target application

Forge the attack

Make attack available to agent

Let agent deliver attack

“Veni, vidi, vici.” – Samy

Code that Picks the Lock

<img src="https://www.books.com/clickbuy?book=BookID&quantity=100">

You! Good Network Defender!

Educate users

Apply security patches and updates

Use anti-virus protection

Use firewalls

Keep browser security high

Develop safe applications

Alternate access to services
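The slide's `<img>` tag works because the browser attaches the victim's session cookie to any request it makes, and a split-tunnel client will happily carry that forged request through the VPN to the application: the request really does come from the trusted client, so nothing at the network layer can tell it apart. "Develop safe applications" is the control that can. The following is an added example, not code from the slides: a minimal `clickbuy` handler that trusts the cookie alone, beside the same handler hardened with a POST-only rule, an Origin/Referer check and a session-bound synchronizer token. The session store, the `Request` class and `https://evil.example` are constructed for the example; `https://www.books.com` is the host from the slide's URL.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://www.books.com"   # host from the slide's <img> example

# Constructed in-memory session store: cookie value -> session state.
SESSIONS = {}

def new_session(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "orders": []}
    return sid

@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)    # query string or form body
    headers: dict = field(default_factory=dict)

def session_for(req):
    return SESSIONS.get(req.cookies.get("session"))

def clickbuy_vulnerable(req):
    """Honours any request with a valid session cookie: GET, no token, any origin."""
    sess = session_for(req)
    if sess is None or req.path != "/clickbuy":
        return 403, "not logged in"
    sess["orders"].append((req.params["book"], int(req.params["quantity"])))
    return 200, "ordered"

def same_origin(req):
    """Origin (or, failing that, Referer) must be exactly our site or a path under it."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")

def clickbuy_hardened(req):
    sess = session_for(req)
    if sess is None or req.path != "/clickbuy":
        return 403, "not logged in"
    # 1. State changes only on POST, so a bare <img> or <a> cannot trigger them.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. Cross-site forms (auto-submitted by script) are caught by the origin check.
    if not same_origin(req):
        return 403, "cross-site request"
    # 3. Synchronizer token: bound to the session, unknown to the attacker's page,
    #    compared in constant time so the check itself leaks nothing.
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "bad csrf token"
    sess["orders"].append((req.params["book"], int(req.params["quantity"])))
    return 200, "ordered"

def forged_img_request(sid):
    """What the browser sends when it renders the slide's <img> on a hostile page."""
    return Request(
        method="GET", path="/clickbuy",
        cookies={"session": sid},             # browser attaches the victim's cookie
        params={"book": "BookID", "quantity": "100"},
        headers={"Referer": "https://evil.example/"},
    )

def forged_post_request(sid):
    """Same attack via an auto-submitted <form method=POST> on the hostile page."""
    req = forged_img_request(sid)
    req.method = "POST"
    return req

def legitimate_request(sid):
    return Request(
        method="POST", path="/clickbuy",
        cookies={"session": sid},
        params={"book": "BookID", "quantity": "1", "csrf_token": SESSIONS[sid]["csrf"]},
        headers={"Origin": SITE_ORIGIN},
    )

def demo():
    """Run each request against both handlers; returns status codes and resulting orders."""
    sid = new_session("alice")
    results = {
        "vuln_forged_img": clickbuy_vulnerable(forged_img_request(sid))[0],
        "hard_forged_img": clickbuy_hardened(forged_img_request(sid))[0],
        "hard_forged_post": clickbuy_hardened(forged_post_request(sid))[0],
        "hard_legit": clickbuy_hardened(legitimate_request(sid))[0],
    }
    results["orders"] = list(SESSIONS[sid]["orders"])
    return results

if __name__ == "__main__":
    print(demo())
```

The three checks are deliberately layered in the spirit of the "Defense-in-Breadth" slides: an origin header can be absent or stripped by some proxies, and a token alone is only as good as the XSS-free-ness of the site that embeds it, so none of them is 100% on its own.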

Best Defense No Split Tunneling

Cisco

Nortel

Citrix

UC Davis

Thomas Shinder – ISA Server

Thomas Berger – Univ. of Salzburg

Defense-in-Breadth

Defense-in-Depth as implemented: on or off

Expect 100%

Even 90% can be costly

Synergistic Security

Multiple complementary controls

Each < 100%

Combination increases security

Split-Tunneling, Good Practice

Educate users

Client security

Firewalls

Risk vs. cost

Multiple solutions

Vulnerabilities = Attacks