corp web risks and concerns

Risk Management & Corporate Internet Efforts Thomas A. Powell [email protected] www.pint.com

Uploaded by: pint-inc

Posted on 19-Jun-2015


DESCRIPTION

Humorous discussion presenting some of the kinds of risks that face public-facing Web sites for corporations, ranging from hacking to legal to social media scares. The slides are illustrative in nature and the aim of the talk is awareness more than anything else.

TRANSCRIPT

2. Our Plan Today: Show some existing and emerging problems. Present some possible solutions. Illustrate all with examples and stories. Have a little fun so it is memorable, because if you don't remember much today you won't act, so let's get memorable.
3. Risk Management: Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
4. Translation: Avoid this. Instead, openly acknowledge what could happen and actively decide to address it (or not).
5. A Root Cause for Missing Many Risks? Who exactly owns the Web initiatives, and in turn the problems and risks they may face or create?
6. Everybody Does!
7. Mind the gaps! Diverse ownership often creates: duplicate (or unnecessary) expenditures, diversity problems, lots of gaps!
8. The Web Team Does!
9. BTW, The Web is the Real World. "Everything is different online, don't you know?" Psst... don't tell anyone.
10. Things We Do To Ourselves: Sometimes we make poor decisions about development, design, hosting, security, social, analytics.
11. Add To This Things Others Do To Us: Impose rules on us, try to hack us, try to trick us, try to crash us, say bad things about us. As well as any black swans of life we can't account for.
12. There Be Web Orcs! "I can SQL injectz you!"
13. And They Cause Troubles
14. Why - Ego / Defacement (Relax, Faked): This type of tagging is for cred.
15. Why - Hacktivism: All fun and games until LOIC is aimed at your site.
16. We're Not Targets!
17. Why - 4 Lulz: OK, so it isn't funny to you, but it is to them.
18. Nope, Never Happens: After hacking PBS.com they added this article for the Lulz.
19. Why - Spread Malware Germs: Put malware on your home page to infect others.
20. Why - ID Theft: You (or your users) are a commodity (at least your ID, IP or CC# is).
21. Come on, not us! If you get compromised, legally per California SB1386 you are supposed to disclose. 40 other states have similar laws. That could be a lot of trouble and $!
22. Why - Zombie Recruiting: Grow an army and then "Awake, my Zombie army, and attack!"
23. Really, for sure not us!
24. Why - For The $!
25. Yes - Bad people are real. Credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove. And they're in your country too.
26. Reaction - Build Walls
27. Man the defenses! No worry, IT put a firewall in place.
28. We're awake! ...and what exactly do you see?
29. Just another day on the Internetz
30. The Toolbox is Overflowing
31. Attacker Type #1: Stupid Bot Brigade - Charge! "../cmd.exe &1=1;drop table"
32. Attacker Type #2: "I'm just a lowly peasant HTTP request. May I pass?"
33. Hope Your Site Owner Thinks Like a Bouncer? "Yer not on the list. Come on in?!"
34. The weak-minded are easily tricked: "These are not the requests you are looking for."
35. 0-day to the Face! "To get our new signature files you need a valid support plan."
36. The Appearance of Security. The Intent Thief: "How quaint a club!"
37. Real Security Tradeoffs: This...
38. Security Tradeoffs: ...or this?
39. We want it all!
40. Don't Worry, We Use Open Source! It's open code to hackers too, and if widely used it becomes a big target.
41. Zoinks!
42. But everyone uses that: Indeed, that may be true. I also evaluate my hamburger quality the same way.
43. Evaluating By Looks
44. Custom Troubles. Reality: Site owners are often their own worst enemy. Excessive customization by non-security-minded devs. Now add in some third-party components with their own troubles for good fun. It's a 3rd Party Security Party!
45. Instead It's A Target-Rich Environment
46. You Must Trust No Inputs
47. Psst... your pants are down
48. Really... they're down
49. Psst... This isn't hidden
50. What's The Password? Keys to your Web Kingdom
51. No Try Limit = No Security Eventually*. No retry limits + no easy alerting = let a bot work on it.
52. Password Policy Time! Make your users have some strong password with letters, numbers, really long, etc. So they write it down then. Or they come up with one and use it everywhere... yes, absolutely everywhere.
53. They Hack There To Hack You Here: A user's security posture may be weaker on your other sites and...
54. Password Reuse + No Second Form = Fail. "Take this key and believe you are secure*"
55. Who's Watching? Enjoy your double cap, venti, packet-captured browser session!
56. Better SSL All Your Public WiFi Sessions: No SSL out in the open = grab-and-go access.
57. Always Easiest to Attack People! Name: Jim LaFleur. Occupation: Chief of Security. Organization: Dharma Initiative. Find Jim's name/email in your site comments, LinkedIn, Facebook, etc.
58. Spear Phishing: Executives are good targets. Often C-level executives are not that cyber savvy. Be quite concerned about any systems with electronic fund transfer access.
59. Rise of DoSing & Electronic Sit-Ins
60. This is Your Site on DoS
61. Just Throw Money At IT: Sure it helps, but there is no silver-bullet box, especially without a posture change.
62. Tech Just Can't Solve All, and tech issues may lead to real corporate trouble.
63. Accessibility Risks
64. Privacy Risks
65. IP Risks: Your content, site design, source, etc. is easily copied. It can be quite hard to find all occurrences of it. Recourse is tough, particularly if international.
66. BTW, Ever Look At What You Agreed To?
67. Delivery Really Matters
68. Speed Fail
69. Misinformation Risks
70. Vetting is for Losers!
71. Speed over Substance: "Most of what is written about in the tech world, both in blog form and old school media form, is bullshit. Most are stories written with little or no research done. They're written as quickly as possible. The faster the better." Right from the horse's mouth.
72. Advertising Risks
73. Click Fraud
74. GIGO Analytics: Are your analytics accurate? Are you watching them in real time or not? Are you trying to find answers from reports, or making reports to answer questions?
75. Did you know? When it comes to Web analytics*: JavaScript off = invisible (bad people, bots, etc. do this). Cookies off = big mess. Others can easily forge results.
76. Trust But Verify
77. Social Media Risks
78. Watch Out Engaging the Thoughts of Crowds... Mobs
79. Yeah, That's Not a Good Use of Social
80. What do you call this again?
81. GeoSocial Risks
82. Emergency Web Broadcast System
83. Just in case all that wasn't scary enough
84. Summary: Have you had a security audit of your Web properties? How hackable is your site? What disclosure issues may you have? How aware are you of your site performance and uptime? How aware are you of what Google's index says about you and your site?
85. Summary: What information are you or your vendors collecting? Is your privacy policy addressing it? Are you aware of privacy regulations in the markets you serve? Are you aware of accessibility concerns? Could you be a target?
86. Summary: Do you have a social media policy? Do you have a crisis communication plan? Are you actively watching your analytics? How actively are you monitoring social for stock issues, HR issues, customer issues?
87. Summary: If you spend ad dollars online, how do you track effectiveness? How do you track fraud? Do you have an inventory of the 3rd party scripts/services you use? What are the QoS, security and legal terms of these 3rd parties?
88. Summary: Are you disclosing information, both technical and not, that you should not? Error pages, source code, social media profiles, etc. What is the fail point of your site or Web application? Are you ready for a DoS attack?
89. Questions? Thomas A. Powell [email protected] http://www.pint.com Twitter: PINTSD
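Slides 31 through 35 describe the "stupid bot brigade" probing for ../cmd.exe and 1=1;drop table, and then the request that is encoded so "these are not the requests you are looking for". The following is an added example, not code from the talk or from PINT: a small log classifier that parses constructed Combined Log Format lines (the IPs, paths and user agents are made up for the example) and matches a few signatures against the decoded path. It decodes repeatedly so a double-encoded probe does not slip past, and the `decode=False` switch shows how the same probe is invisible to a matcher that looks only at the raw request line. The signature list is deliberately tiny; as slide 35 notes, a signature you do not have (a 0-day, or an encoding you did not think of) is one you will not match.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format (not from the talk or any real server).
# 203.0.113.0/24 is a documentation range; 203.0.113.9 plays the "stupid bot".
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jun/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2015:10:00:02 +0000] "GET /scripts/%252e%252e%252fwinnt/system32/cmd%252eexe?/c+dir HTTP/1.0" 404 312 "-" "-"
203.0.113.9 - - [19/Jun/2015:10:00:03 +0000] "GET /products.php?id=1%27%20or%201=1;drop%20table%20users-- HTTP/1.1" 200 9000 "-" "sqlmap/1.0"
203.0.113.12 - - [19/Jun/2015:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2015:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.7"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A handful of illustrative signatures for the probes the slides mention; a real
# ruleset is far larger and still only catches what it already knows about.
PATH_SIGNATURES = {
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
    "cmd_exec": re.compile(r"cmd\.exe|/bin/sh", re.I),
    "sqli": re.compile(r"('\s*or\s+1\s*=\s*1|drop\s+table|union\s+select)", re.I),
}
BOT_UA = re.compile(r"sqlmap|nikto|python-requests", re.I)


def normalize(path):
    """Percent-decode until the string stops changing (bounded), so that
    %252e%252e%252f -> %2e%2e%2f -> ../ cannot hide a probe from the matcher."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, decode=True):
    """Return the list of signature names that fire for one parsed log entry.
    decode=False reproduces the naive matcher that inspects the raw path only."""
    subject = normalize(entry["path"]) if decode else entry["path"]
    hits = [name for name, rx in PATH_SIGNATURES.items() if rx.search(subject)]
    if BOT_UA.search(entry["ua"]):
        hits.append("bot_ua")
    return hits


def scan_log(text, decode=True):
    """Yield (ip, raw path, hits) for every line that matches at least one signature."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry, decode)
        if hits:
            findings.append((entry["ip"], entry["path"], hits))
    return findings


def noisy_ips(findings, threshold=2):
    """IPs with at least `threshold` flagged requests: the ones worth alerting on."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, path)
    print("noisy:", noisy_ips(scan_log(SAMPLE_LOG)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the point to take away is the `decode=False` comparison, which is exactly the gap a filter that "thinks like a bouncer" but only reads the raw request line leaves open.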
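Slide 51 puts it as "no retry limits + no easy alerting = let a bot work on it", and slide 54 adds that a reused password with no second factor is the bot's best friend. The following is an added example, not code from the talk or from PINT: a login guard that counts failures per account and per source IP, locks the account after a small number of failures, and raises an alert once instead of staying silent. The thresholds, the guess list and the "real" password are made-up values for the example; `simulate_bot` runs the same constructed dictionary attack with and without the guard so the difference is visible.

```python
import time

# Example thresholds (assumed for the demo; the talk gives no numbers).
MAX_ATTEMPTS_PER_ACCOUNT = 5
MAX_ATTEMPTS_PER_IP = 20
LOCKOUT_SECONDS = 900  # 15 minutes

# Constructed bot wordlist and the account's (also constructed) real password.
GUESSES = ["123456", "password", "qwerty", "letmein",
           "welcome", "monkey", "dragon", "Summer2015"]
REAL_PASSWORD = "Summer2015"


class LoginGuard:
    """Per-account lockout plus per-IP throttling, with an alert callback.
    `clock` is injectable so the lockout expiry can be tested without sleeping."""

    def __init__(self, alert, clock=time.monotonic):
        self.alert = alert            # callable(str): page someone, write to SIEM, etc.
        self.clock = clock
        self.account_fail = {}        # user -> [failure timestamps]
        self.ip_fail = {}             # ip   -> [failure timestamps]
        self.locked_until = {}        # user -> timestamp
        self.alerted = set()          # users already alerted on (avoid alert storms)

    def _recent(self, bucket, key, window):
        now = self.clock()
        kept = [t for t in bucket.get(key, []) if now - t < window]
        bucket[key] = kept
        return kept

    def is_locked(self, user):
        return self.locked_until.get(user, 0) > self.clock()

    def attempt(self, user, ip, password_ok):
        """Outcome of one login attempt: 'ok', 'denied', 'locked' or 'throttled'.
        A locked account rejects even the correct password until the lockout expires."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"
        if len(self._recent(self.ip_fail, ip, LOCKOUT_SECONDS)) >= MAX_ATTEMPTS_PER_IP:
            return "throttled"
        if password_ok:
            self.account_fail.pop(user, None)
            return "ok"
        self.account_fail.setdefault(user, []).append(now)
        self.ip_fail.setdefault(ip, []).append(now)
        if len(self._recent(self.account_fail, user, LOCKOUT_SECONDS)) >= MAX_ATTEMPTS_PER_ACCOUNT:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            if user not in self.alerted:
                self.alert(f"lockout user={user} ip={ip} after {MAX_ATTEMPTS_PER_ACCOUNT} failures")
                self.alerted.add(user)
            return "locked"
        return "denied"


def simulate_bot(guard, user, ip, guesses, real_password):
    """Run a dictionary attack and tally the outcomes. guard=None models the
    site from slide 51: no retry limit, no alert, so the bot just keeps going."""
    outcomes = {}
    for guess in guesses:
        if guard is None:
            result = "ok" if guess == real_password else "denied"
        else:
            result = guard.attempt(user, ip, guess == real_password)
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes


if __name__ == "__main__":
    print("unguarded:", simulate_bot(None, "alice", "203.0.113.9", GUESSES, REAL_PASSWORD))
    alerts = []
    guard = LoginGuard(alerts.append)
    print("guarded:  ", simulate_bot(guard, "alice", "203.0.113.9", GUESSES, REAL_PASSWORD))
    print("alerts:   ", alerts)
```

Two caveats a practitioner would add. Account lockout is itself a denial-of-service lever (slide 59): anyone who knows a username can lock it, so many sites prefer a rising delay per attempt plus per-IP throttling and keep hard lockout for high-value accounts. And none of this helps when the password was stolen from another site (slide 53); only a second factor does, which is why the slide says "no second form = fail".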
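Slides 47 to 49 ("your pants are down", "this isn't hidden"), slides 55 and 56 (packet-captured sessions on open WiFi, no SSL), and the summary on slide 88 (error pages and source that disclose what they should not) all come down to checks you can run against your own responses. The following is an added example, not code from the talk or from PINT: a checker that takes an HTTP response (status, headers, body) and flags version banners, missing HSTS, session cookies without Secure/HttpOnly, and bodies that leak stack traces, database errors, developer comments or directory listings. The two sample responses are constructed for the example; the leaky one mimics a typical PHP error page, the hardened one what a deliberately bland error page looks like.

```python
import re

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "leaky_error_page": {
        "status": 500,
        "headers": {
            "Server": "Apache/2.2.15 (CentOS)",
            "X-Powered-By": "PHP/5.3.3",
            "Set-Cookie": "PHPSESSID=abc123; path=/",
        },
        "body": ("<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid "
                 "MySQL result resource in /var/www/html/products.php on line 42"),
    },
    "hardened_error_page": {
        "status": 500,
        "headers": {
            "Server": "nginx",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Set-Cookie": "sid=abc123; Path=/; Secure; HttpOnly",
        },
        "body": "<html><body>Something went wrong. Reference: 7f3a</body></html>",
    },
}

# "Product/1.2.3" style banners in Server or X-Powered-By.
VERSION_BANNER = re.compile(r"/\d+(\.\d+)+")

# Markers of internals leaking into a body; first match wins, one finding per body.
LEAK_MARKERS = [
    ("python traceback", re.compile(r"Traceback \(most recent call last\)")),
    ("java stack frame", re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)")),
    ("database error", re.compile(r"mysql_\w+\(\)|ORA-\d{5}|SQLSTATE\[", re.I)),
    ("source path / line number", re.compile(r"\bon line \d+\b")),
    ("developer comment", re.compile(r"<!--.*?(todo|password|fixme).*?-->", re.I | re.S)),
    ("directory listing", re.compile(r"<title>Index of /")),
]


def check_response(resp):
    """Return a list of human-readable findings for one response dict."""
    issues = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}

    for name in ("server", "x-powered-by"):
        if name in headers and VERSION_BANNER.search(headers[name]):
            issues.append(f"version banner in {name}: {headers[name]}")

    if "strict-transport-security" not in headers:
        issues.append("no HSTS header (session can be downgraded to plain HTTP on open WiFi)")

    cookie = headers.get("set-cookie", "")
    if cookie:
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            issues.append("cookie without Secure flag")
        if "httponly" not in flags:
            issues.append("cookie without HttpOnly flag")

    for label, rx in LEAK_MARKERS:
        if rx.search(resp["body"]):
            issues.append(f"body leaks internals: {label}")
            break
    return issues


def check_all(samples):
    """Name -> findings, for a batch of responses."""
    return {name: check_response(resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, issues in check_all(SAMPLES).items():
        print(name, "->", issues or "clean")
```

To use it for real, fetch your own 404 and 500 pages (request a path that does not exist, and one that triggers an application error) and feed status, headers and body into `check_response`; the findings map directly onto the "disclosing information you should not" question on slide 88.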