HKBU IS WEEK – PROTECT YOUR WEBSITE AGAINST HACKING

Dr. Ricci IEONG, CISSP, CISA, CISM, CEH, CCSK, CCSP, CCFP, ACE, GPEN, GIAC Advisory Board, ISSAP, ISSMP, ISO 27001 LA, STAR Auditor
Principal Consultant, eWalker Consulting (HK) Ltd

Agenda
• World of Web Applications
• Threats to the World
• Common Web Security Attacks
• OWASP Top 10 Attacks
• Web Security Best Practices

Web Applications in a University
• Web information environment
• Mobile information environment
• eLearning platforms (Moodle and Blackboard)
• Student records and registration systems
• University e-Library system
• Email system
• Web and file sharing servers
• Assignment collection system
• Research supporting systems
• Student-managed systems
• …

Characteristics of a Hacker-like Environment
• Openness
• Massive number of computers across the network
• No monitoring
• Fast Internet connections
• Available 24x7

World's Biggest Data Breaches (Jan 2017)
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Attacks from Web Applications Vary
[Figure: threat action categories over time, by percent of breaches and percent of records; 2014 breaches, n=1598]
Source: Verizon "2014 Data Breach Investigations Report" and "2015 Data Breach Investigations Report"

Web Threat Information from the Symantec Internet Security Threat Report, Vol. 20 (2015)
• Apart from seasonal web attacks, 6 of the top 10 vulnerabilities found were SSL/TLS-related
• The others included:
• PHP information disclosure vulnerability
• XSS attack
• NB: figures are for year 2014

Top 5 Zero-Day Vulnerabilities

Recently Published or Announced Vulnerabilities (2016, from McAfee)

Security Trend in HK (2016 Q4)