Which of the following will protect your Web site from attack: network perimeter firewalls, encryption, antivirus, or multi-factor authentication?
None of the above, says one Web security researcher.
That leaves it up to Microsoft, Mozilla, and all of the foremost makers of Web browsers to protect cyber space from a litany of emerging Web-based attacks including cross-site scripting, cross-site request forgeries, and browser port scanning.
What's worse, poor Web site security can lead to browser infections, which can lead to malicious software installing itself on a user's computer and attacking corporate systems from the inside. "Intranet hacks are happening already," Jeremiah Grossman, founder and chief technology officer of Web application security firm WhiteHat Security, told InformationWeek.
Grossman and Robert Hansen, CEO of security consulting firm SecTheory, described how it works during a presentation at last week's Black Hat USA 2007 conference in Las Vegas. It starts when a user visits any Web page -- a blog, social networking site, etc. -- that either has been designed to distribute malware or is a legitimate site infected with malware. Once that malware infects and takes control of the browser running on the user's PC, the browser can be instructed to hand over its network address translation ID, which is designed to keep internal network addresses hidden from the outside world. Once this is done, the attacker has been handed the information needed to peruse network addresses located inside the local network.
One of the problems with securing Web sites is that the building and securing of Web sites is treated as two separate processes. "The security guys have no control over the Web site," Grossman said. "The developers do, and they don't work for security."
While Microsoft and Mozilla have made strides in improving the security of Internet Explorer and Firefox, respectively, it's incumbent upon them to ensure that their browsers can figh toff new threats.
[Interop ITX 2017] State Of DevOps ReportThe DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.