The Top Ten Cybersecurity Threats of 2008
1. The Top Ten Cybersecurity Threats of 2008
Tim Bass, CISSP
Chapter Leader, OWASP Thailand
[email_address], +66832975101

2. AMCHAM – OWASP Thailand Agenda
- First, A Brief Overview of OWASP
- Second, AMCHAM ICT Presentation: Top Ten Cybersecurity Threats of 2008
- Open Discussion about Threats
- Third, OWASP Meeting after AMCHAM ICT

3. OWASP – Open Web Application Security Project
US 501(c)3, open source non-profit charitable foundation dedicated to enabling organizations so they can develop, maintain, and acquire software they can trust. OWASP does not endorse commercial products or services.
Making Security Visible, through…
- Documentation: Top Ten, Dev. Guide, Design Guide, Testing Guide, …
- Tools: WebGoat, WebScarab, Site Generator, Report Generator, ESAPI, CSRF Guard, CSRF Tester, Stinger, Pantera, …
- Working Groups: Browser Security, Industry Sectors, Access Control (XACML), Education, Mobile Phone Security, Preventive Security, OWASP SDL, OWASP Governance, RIA Security
- Community and Awareness: Local Chapters, Conferences, Tutorials, Mailing Lists

4. What Is Unique about OWASP?
Everything we do in OWASP is free and open…
OWASP Principles:
- All OWASP products are free and open
- Application security knowledge should be freely available
- OWASP encourages awareness, discussion, and best practices
- Making security visible is key to changing the software market
- OWASP does not recommend any commercial products or services
- OWASP will not discuss/disclose 0-day exploits
8. OWASP Membership
- Members have the ability to allocate their membership fees to projects, working groups or chapters they are interested in
- Members will have the ability to vote on specific OWASP governance issues (Tom to figure this out)
- Membership makes a public statement of support to OWASP
- Very important: there is no ‘member-only content’. Apart from the (under construction) OWASP Member packs, there is NOTHING that a member gets that a non-member doesn’t already have (i.e. all OWASP materials and participation are available to everybody, members and non-members)
9. OWASP Main Site Traffic
[Chart: worldwide users; most new visitors per week]

13. OWASP Knowledge Base
- 3,913 total articles
- 427 presentations
- 200 updates per day
- 179 mailing lists
- 180 blogs monitored
- 31 doc projects
- 19 deface attempts
- 12 grants

14. OWASP Body of Knowledge
- Core Application Security Knowledge Base: Principles, Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
- Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
- Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
- Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
- Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
- AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security
- Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
OWASP Foundation 501c3; OWASP Community Platform (wiki, forums, mailing lists); Projects; Chapters; AppSec Conferences
16. OWASP Board
OWASP Board members:
- Jeff Williams: Chair, Wiki, Management
- Dave Wichers: Conferences, Financials
- Tom Brennan: OWASP Governance
- Sebastien Deleersnyder: OWASP Chapters and Projects
- Dinis Cruz: Firehose of Ideas and Money spender
OWASP Board ‘power’: OWASP Financials (where the money goes), leadership assignment, conference locations, WIKI home page, bank account details :)
The rest is ‘soft power’, i.e. we have it until we screw up
17. Finances and Grants
Costs:
- OWASP employees
- Conference costs
- OWASP Admin
- Grants
All membership fees are used to fund grants
Revenue source: Conferences
Revenue source: Members

18. AMCHAM – OWASP Thailand Agenda
- First, A Brief Overview of OWASP
- Second, AMCHAM ICT Presentation: Top Ten Cybersecurity Threats of 2008
- Open Discussion about Threats
- Third, OWASP Meeting after AMCHAM ICT

19. Components of Cybersecurity Risk
[Diagram: Threat, Vulnerability, Impact (Criticality); the region where all three overlap is Maximum Risk]
Risk is the Intersection of Threat, Vulnerability & Impact
20. The Top Ten Cybersecurity Threats for 2008
Background
Many organizations publish “threat lists”, but these lists are confusing, generally mixing vulnerabilities and threats. Because of this confusion, and motivated by a CISSP colleague at ACIS Professional Center, Thailand, I decided to create a “pure” cybersecurity threat list.
Note: OWASP maintains a top ten web vulnerabilities project: http://www.owasp.org/index.php/OWASP_Top_Ten_Project
The Top Ten Cybersecurity Threats (this presentation), http://www.thecepblog.com/2008/01/05/the-top-ten-cybersecurity-threats-for-2008/, is unrelated to the OWASP vulnerabilities list.

21. The Top Ten Cybersecurity Threats for 2008
Collaboration
- Developed the cybersecurity threat list by seeking comments from peer IT security professionals on the vast CISSP mailing list.
- Also published the list in the LinkedIn network, seeking comments from peer IT security professionals on LinkedIn.
- Published all the comments openly using Google Docs and responded to all comments.
- The entire collaboration process took two months (started Nov 9th, published final Jan 5th).
22. The Top Ten Cybersecurity Threats for 2008 Here are the results. (a very good example of collaborative social networking, btw)
23. The Top Ten Cybersecurity Threats for 2008
1. On-line masquerading to abuse, attack, blackmail, bully, extort, or molest others.
2. Criminal fraud by password and identity theft via phishing, spyware, malware and theft of hardware.
3. Criminal use of botnets and botnet-like technologies for economic gain, for example email spam and denial of service attacks.
4. Cyberterrorism, bullying, vandalism and other forms of electronic violence and malfeasance.
5. Subversion of democratic political processes.
6. Criminal manipulation and subversion of financial markets.
7. Spying and theft of data by governments, industry, terrorists and other criminals.
8. Denial-of-service attacks by criminals and terrorists.
9. Sabotage, theft and other attacks by disgruntled employees and insiders.
10. Natural disasters, accidents or errors without malicious intent.

24. AMCHAM – OWASP Thailand Agenda
- First, A Brief Overview of OWASP
- Second, AMCHAM ICT Presentation: Top Ten Cybersecurity Threats of 2008
- Open Discussion about Threats
- Third, OWASP Meeting after AMCHAM ICT