Webzurich - The State of Web Security in Switzerland

Post on 16-Apr-2017


BinaryEdge.io - Be Ready. Be Safe. Be Secure.

The State of Web Security in Switzerland

AGENDA

Who am I?

What do we do?

Switzerland and Cybersecurity

Headers

Dataleaks affecting Switzerland

Data exposed

WHO AM I?

Tiago Henriques

Tiago is the CEO and Data Necromancer at BinaryEdge; he gets to meddle in the intersection of data science and cybersecurity by providing his team with lovely problems that they solve on a daily basis.

WHAT DO WE DO?

Data collected per target (mind map on the slide):

Company registration: internal, external, phone, email, linked URLs
BGP / AS: whois, AS membership, AS peers, list of IPs, shared infrastructure, co-hosted sites
Contact: geolocation, office locations, social networks, phone
Scans: portscan, DNS, torrents (peers, torrent name), screenshots, web (http, https), services, users, apps, files, banners, image classifier, vulnerabilities
Remote access: VNC, RDP
Files, people, social

200 ports scanned per month
> 120 million IPs with services
> 1.5 billion events generated per month

DATA POINTS

Metadata
Photos: family & friends
Behaviour: likes, topics, search
News, forums, sub-reddits
Domains: AXFR, MX records
Webserver: framework, headers, cookies
Certificate: configuration, authorities, entities
OCR
SW, IP address, URL address
SMB

WHAT DO WE DO?

balgan@DESKTOP-PAGM894 /cygdrive/d/270m domains/cctld_lists$ head ch.csv
google.ch
uploadable.ch
eztv.ch
projectfreetv.ch
blick.ch
ricardo.ch
watchseries-online.ch
20min.ch
cokeandpopcorn.ch
bluewin.ch

balgan@DESKTOP-PAGM894 /cygdrive/d/270m domains/cctld_lists$ cat ch.csv | wc -l
1533995

SWITZERLAND AND CYBERSECURITY

INSURANCE, BANKING, PHARMA

SWITZERLAND AND CYBERSECURITY

Source: https://securityheaders.io

SERVER

STRICT-TRANSPORT-SECURITY

X-FRAME-OPTIONS

X-CONTENT-TYPE-OPTIONS

X-XSS-PROTECTION

CONTENT-SECURITY-POLICY

PUBLIC-KEY-PINS

This Server header seems to advertise the software being run on the server, but you can remove or change this value.

HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.

X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.

X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is “X-Content-Type-Options: nosniff”.

X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is “X-XSS-Protection: 1; mode=block”.

Content-Security-Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event that a certificate authority is compromised.
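The kind of check that produces the "has security header / doesn't have security header / invalid configuration" matrices later in the deck, written out as an added example. This is not BinaryEdge's scanner and the talk does not show its rules; the two raw HTTP responses are constructed for the example rather than captured from any site named here, the pin values are placeholders, and the validity rules are one reading of each header's grammar: HSTS needs a positive max-age (RFC 6797), HPKP needs a backup pin plus a max-age (RFC 7469), X-Content-Type-Options accepts only nosniff, X-Frame-Options accepts DENY, SAMEORIGIN or ALLOW-FROM, X-XSS-Protection must be 0, 1, 1; mode=block or 1; report=..., and an enforced CSP that would still run inline script is marked weak while a report-only-only deployment is counted separately (the talk's chart counts "report + enforced" together). X-XSS-Protection and HPKP have since been dropped by browsers; they are kept here only to match the six columns on the slides.

```python
"""Classify the six security headers scored on the slides.  Added example, not
BinaryEdge code or the scanner behind the talk's numbers: the sample responses
are constructed and the rules are one reading of each header's grammar."""
import re

PIN_A, PIN_B = "A" * 43 + "=", "B" * 43 + "="   # placeholder pins, not real keys

# Constructed responses, not captured from any site named in the talk.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-d2VsbA'\r\n"
    f'Public-Key-Pins: pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; max-age=5184000\r\n'
    "\r\n<html></html>"
).encode()

BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: includeSubDomains\r\n"        # no max-age
    "X-Frame-Options: ALLOWALL\r\n"                           # not a defined value
    "X-Content-Type-Options: nosniff!\r\n"                    # stray character
    "Content-Security-Policy-Report-Only: default-src *\r\n"  # reporting, not enforcing
    f'Public-Key-Pins: pin-sha256="{PIN_A}"; max-age=5184000\r\n'  # no backup pin
    "\r\n"
).encode()

def parse_headers(raw: bytes) -> dict[str, list[str]]:
    """Raw HTTP/1.x response -> {lower-cased name: [values in order]}.  Repeats are
    kept: browsers honour only the first HSTS/HPKP value but enforce every CSP sent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def _hsts_ok(v: str) -> bool:                    # RFC 6797: max-age is mandatory
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?', v, re.I)
    return m is not None and int(m.group(1)) > 0

def _hpkp_ok(v: str) -> bool:                    # RFC 7469: backup pin and max-age
    pins = re.findall(r'pin-sha256\s*=\s*"([A-Za-z0-9+/=]+)"', v, re.I)
    return len(set(pins)) >= 2 and re.search(r"max-age\s*=\s*\d+", v, re.I) is not None

RULES = {                                        # header -> is the value a valid configuration?
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")
                                 or v.strip().upper().startswith("ALLOW-FROM "),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-xss-protection": lambda v: re.fullmatch(r"0|1(\s*;\s*(mode=block|report=\S+))?", v.strip(), re.I) is not None,
    "public-key-pins": _hpkp_ok,
}

def parse_csp(policy: str) -> dict[str, list[str]]:
    """'default-src a; script-src b c' -> {directive: [sources]}; a repeated
    directive is ignored after its first occurrence, as browsers do."""
    out: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out

def csp_allows_inline_script(policy: str) -> bool:
    """True when the policy still runs inline <script>: scripts are unconstrained, or
    'unsafe-inline' is present with no nonce/hash (which makes CSP2 browsers ignore it)."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    return "'unsafe-inline'" in lowered and not strict

def classify(raw: bytes) -> dict[str, str]:
    """ok / missing / invalid per header; CSP may also be report-only or weak."""
    h = parse_headers(raw)
    result = {}
    for name, rule in RULES.items():
        if name not in h:
            result[name] = "missing"
        else:                                    # browsers act on the first instance
            result[name] = "ok" if rule(h[name][0]) else "invalid"
    if "content-security-policy" in h:           # weak only if every enforced policy allows inline
        weak = all(csp_allows_inline_script(p) for p in h["content-security-policy"])
        result["content-security-policy"] = "weak" if weak else "ok"
    elif "content-security-policy-report-only" in h:
        result["content-security-policy"] = "report-only"
    else:
        result["content-security-policy"] = "missing"
    return result

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, classify(raw))
```

Run it to see the constructed good response score ok on all six columns and the bad one come back as invalid HSTS, X-Frame-Options, X-Content-Type-Options and HPKP, a missing X-XSS-Protection and a report-only CSP. Feeding it the output of a real fetch is a matter of handing parse_headers the raw response bytes; the classification itself never touches the network.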

HEADERS

Most Common Server Headers (top 20): bar chart on the slide; the server names and counts are not recoverable from the extracted text.

HEADERS

Most Common Security Headers in Switzerland (bar chart, number of sites sending each header):
Headers plotted: Strict-Transport-Security, X-XSS-Protection, Content-Security-Policy (report-only + enforced), Public-Key-Pins (report-only + enforced), X-Content-Type-Options, X-Frame-Options
Bar values as extracted: 32,687; 31,552; 20,220; 16,444; 1,282; 210 (the extraction does not preserve which bar carries which value)

HEADERS

BANKS - WEBSITES

Matrix on the slide: rows UBS.COM, CREDIT-SUISSE.COM, JULIUSBAER.COM, POSTFINANCE.CH, BANKCOOP.CH, FALCONPB.COM, RAIFFEISEN.CH; columns X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, Public-Key-Pins, X-XSS-Protection. Legend: has security header / doesn't have security header. The per-cell values are colour-coded on the slide and are not recoverable from the extracted text.

HEADERS

BANKS - E-BANKING

Same matrix (same seven banks, same six headers, same legend) for the e-banking portals; the per-cell values are again not recoverable from the extracted text.

THIS IS HARD TO DO RIGHT!

HEADERS

https://www.troyhunt.com/how-chromes-buggy-content-security-policy-implementation-cost-me-money/

HEADERS

CANTONAL BANKS CYBER COMPETITION - E-BANKING

Matrix on the slide: rows ZÜRCHER (ZKB.CH), VAUDOISE (BCV.CH), BASLER (BKB.CH), LUZERNER (LUKB.CH), ST.GALLER (SGKB.CH), BERNER (BEKB.CH); columns X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, Public-Key-Pins, X-XSS-Protection. Legend: has security header / doesn't have security header (per-cell values not recoverable from the extracted text).

HEADERS

INSURANCE COMPANIES

Matrix over two slides: rows ZURICH FINANCIAL SERVICES, SWISS RE, WINTERTHUR GROUP, SWISS LIFE, BALOISE, HELVETIA PATRIA, then SUVA, GROUPE ALLIANZ (SUISSE), LA MOBILIERE, VAUDOISE ASSURANCES; columns X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, Public-Key-Pins, X-XSS-Protection. Legend: has security header / doesn't have security header / invalid configuration (per-cell values not recoverable from the extracted text).

PHARMACEUTICAL/CHEMICAL COMPANIES

Matrix on the slide: rows NOVARTIS, ROCHE, SYNGENTA, CLARIANT, CIBA; columns X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, Public-Key-Pins, X-XSS-Protection. Legend: has security header / doesn't have security header (per-cell values not recoverable from the extracted text).

HEADERS

130 DOCTOR WEBSITES (aerzte-zh.ch/)

Bar chart on the slide: headers X-Frame-Options, X-XSS-Protection, Strict-Transport-Security, Content-Security-Policy, Public-Key-Pins, X-Content-Type-Options; bar values as extracted: 87, 33, 3, 0 (the extraction does not preserve which bar carries which value, and only four distinct values survive for the six headers).

DATA LEAKS

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

DATA LEAKS AFFECTING SWITZERLAND - BANKS

UBS: 26,763
Credit Suisse: 14,262
Julius Bär: 765
Zürcher Kantonalbank: 505
Raiffeisen: 442
Banque Cantonale Vaudoise: 375
PostFinance: 352
Falcon Private Bank: 64
St. Galler Kantonalbank: 56
Luzerner Kantonalbank: 50
Berner Kantonalbank: 47
Basler Kantonalbank: 41
Bank Coop: 31

DATA LEAKS AFFECTING SWITZERLAND

INSURANCE COMPANIES

Zurich Financial Services: 2,753
Swiss Re: 2,883
Winterthur Group: 554
Swiss Life: 507
Baloise: 414
Helvetia Patria: 239
Suva: 230
Groupe Allianz (Suisse): 6
La Mobiliere: 0
Vaudoise Assurances: 228

DATA LEAKS AFFECTING SWITZERLAND

PHARMACEUTICAL/CHEMICAL COMPANIES

Novartis: 19,872
Roche: 17,708
Syngenta: 6,409
Clariant: 0
Ciba: 676

DATA EXPOSED

Big Data Technologies: changes in the amount of data exposed on the internet (MongoDB, Memcached, Redis) at three snapshots, Aug 2015, Jan 2016 and July 2016. Values as extracted from the chart: 2 TB, 644.3 TB, 724.7 TB, 627.7 TB, 13.2 TB, 11.3 TB, 710.9 TB, 12.0 TB, 598.7 TB, 27.5 TB, 1.5 TB, 1.8 TB, 619.8 TB (the extraction does not preserve which technology and date each value belongs to).

BE READY. BE SAFE. BE SECURE.

www.binaryedge.io
