Data Exposure Report
January 2017
Contents
Executive Summary 3
Data Exposure 4
Sensitive Information 4
Clear-Text Passwords 4
Directory Listings 5
Broken Pages 6
Hacking Attempts 7
Summary 7
Host Details 8
Appendix 10
About Hermetric 10
Disclaimer 10
Legal Notice 10
Executive Summary
The Data Exposure Report exposes potential data theft risks for your organization. It was generated by analyzing production traffic going to and from the organization's production web servers.
The report provides you with:
• Details on possible data exposure.
• Suggestions on how to mitigate the data exposure risks.
• Summary of general hacking attempts during the analysis period.
DATA EXPOSURE
Sensitive Information 3
Clear-Text Passwords 2
Directory Listings 3
Broken Pages 33
HACKING ATTEMPTS
Hacking Attempts 1602
Data Exposure
Sensitive Information
Explanation
Sensitive information is information that is typically regarded as confidential. Hackers who steal such information typically use it to its owner's detriment. Examples are Social Security numbers (SSNs) and Credit Card numbers (CCNs).
Details
Type: SSN, URL: http://math.major-u.edu/a_prof/grade_listing.html
Type: SSN, URL: http://bio.major-u.edu/discussion_board/help_desk.html
Type: CCN, URL: http://med.major-u.edu/self_help/billing.html
How to Mitigate
Best practice is to remove such information from the web servers. See OWASP on Sensitive Data Exposure.
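The report does not say how it recognizes SSNs and CCNs in served pages. The following is an added example, not Hermetric's code, showing one way to do that detection over response bodies: an SSN pattern that rejects structurally invalid area/group/serial values, and a card-number pattern confirmed with the Luhn check so that arbitrary digit runs are not reported. The page contents are constructed sample data.

```python
import re

# Constructed sample of served pages (URL -> response body); not real data.
# The card number is the well-known 4111... test number, the SSN is made up.
SAMPLE_PAGES = {
    "http://math.major-u.edu/a_prof/grade_listing.html":
        "<tr><td>Student 219-09-9999</td><td>A</td></tr>",
    "http://med.major-u.edu/self_help/billing.html":
        "<p>Card on file: 4111 1111 1111 1111</p>",
    "http://bio.major-u.edu/index.html":
        "<p>Order 1234-56-7890 shipped; ref 1234567812345678</p>",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_valid_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits):
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(pages):
    """Return (type, url) findings in the same shape as the report's Details section."""
    findings = []
    for url, body in pages.items():
        if any(is_valid_ssn(*m.groups()) for m in SSN_RE.finditer(body)):
            findings.append(("SSN", url))
        if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CCN_RE.finditer(body)):
            findings.append(("CCN", url))
    return findings
```

The bio page contains digit runs that look like identifiers but fail both checks, which is the false-positive case such a scanner has to handle.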
Clear-Text Passwords
Explanation
Clear-text passwords are passwords that are sent to the web servers without protection. A hacker with a sniffer will be able to collect these passwords and use them to log in with someone else's credentials.
Details
Host: library.major-u.edu, Domain: STAFF
Host: sports.major-u.edu, Domain: GUESTS
How to Mitigate
Best practice is to encrypt this traffic (require https and block http). See OWASP's Cheat Sheet.
Directory Listings
Explanation
Directory listings enable a web user to list all the files in a particular folder. This is typically achieved simply by removing the file name from the URL, and may cause unintended data to be disclosed.
Details
Host math.major-u.edu
Host med.major-u.edu
Host psych.major-u.edu
How to Mitigate
Best practice is to disable directory listings in the web server's configuration files.
Broken Pages
Explanation
Broken pages (500 Internal Server Error) are typically errors that are not handled well by the web application. A hacker may exploit such errors in order to gain knowledge about the application's internal structure, which in turn may be exploited in order to gain access to the server or to steal sensitive information.
Details
Host: lib.major-u.edu, Hits: 132
Host: music.major-u.edu, Hits: 42
Host: chemistry.major-u.edu, Hits: 13
How to Mitigate
Best practice is to fix such errors. This is typically aided by analyzing the web server's error logs.
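The Clear-Text Passwords, Directory Listings and Broken Pages findings above can all be derived from the same observed traffic. The following is an added example, not Hermetric's code, that assumes each request/response has been normalized into a dict (scheme, host, method, path, status, parsed form fields, response body) and produces the three Details lists from constructed sample records.

```python
from collections import Counter

# Constructed traffic records (assumed format: one dict per observed request/response).
# Real input would come from a network tap or reverse-proxy log, not from this sample.
SAMPLE_TRAFFIC = [
    {"scheme": "http", "host": "library.major-u.edu", "method": "POST", "path": "/login",
     "status": 302, "form": {"domain": "STAFF", "user": "alice", "password": "s3cret"}, "body": ""},
    {"scheme": "https", "host": "www.major-u.edu", "method": "POST", "path": "/login",
     "status": 302, "form": {"user": "bob", "password": "hunter2"}, "body": ""},
    {"scheme": "http", "host": "math.major-u.edu", "method": "GET", "path": "/a_prof/",
     "status": 200, "form": {}, "body": "<title>Index of /a_prof</title>"},
    {"scheme": "http", "host": "lib.major-u.edu", "method": "GET", "path": "/catalog?id=1",
     "status": 500, "form": {}, "body": "Internal Server Error"},
    {"scheme": "http", "host": "lib.major-u.edu", "method": "GET", "path": "/catalog?id=2",
     "status": 500, "form": {}, "body": "Internal Server Error"},
    {"scheme": "http", "host": "music.major-u.edu", "method": "GET", "path": "/events",
     "status": 500, "form": {}, "body": "Internal Server Error"},
]

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
# Signatures of server-generated listings (Apache mod_autoindex title, IIS directory browsing link)
LISTING_MARKERS = ("<title>Index of ", "[To Parent Directory]")


def clear_text_password_hosts(records):
    """Hosts that received a password field over plain http, with the login domain if the form had one."""
    hosts = {}
    for r in records:
        if (r["scheme"] == "http" and r["method"] == "POST"
                and PASSWORD_FIELDS & {k.lower() for k in r["form"]}):
            hosts.setdefault(r["host"], r["form"].get("domain", "-"))
    return hosts


def directory_listing_hosts(records):
    """Hosts that answered a directory URL (trailing slash) with a server-generated listing."""
    return sorted({r["host"] for r in records
                   if r["status"] == 200 and r["path"].endswith("/")
                   and any(m in r["body"] for m in LISTING_MARKERS)})


def broken_page_hits(records):
    """500 responses per host, most affected first, as in the Broken Pages table."""
    return Counter(r["host"] for r in records if r["status"] == 500).most_common()
```

The https login to www.major-u.edu is deliberately not reported: the password field is present, but the transport is protected, which is exactly the state the mitigation above aims for.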
Hacking Attempts
Summary
Most Targeted Hosts
HOST NAME COUNT
www.major-u.edu 712
physics.major-u.edu 304
economics.major-u.edu 272
sports.major-u.edu 234
library.major-u.edu 80
TOTAL -
Most Common Attacks
ATTACK TYPE COUNT
Injection 627
Cross-Site Scripting 626
Protocol Manipulation 136
Remote File Inclusion 130
Security Misconfiguration 83
TOTAL -
Host Details
ECONOMICS.MAJOR-U.EDU
ATTACK TYPE COUNT
Injection 124
Cross-Site Scripting 74
Remote File Inclusion 42
Protocol Manipulation 30
Security Misconfiguration 2
TOTAL -
LIBRARY.MAJOR-U.EDU
ATTACK TYPE COUNT
Injection 32
Cross-Site Scripting 32
Security Misconfiguration 13
Protocol Manipulation 2
Remote File Inclusion 1
TOTAL -
PHYSICS.MAJOR-U.EDU
ATTACK TYPE COUNT
Cross-Site Scripting 123
Injection 83
Security Misconfiguration 51
Protocol Manipulation 24
Remote File Inclusion 23
TOTAL -
SPORTS.MAJOR-U.EDU
ATTACK TYPE COUNT
Cross-Site Scripting 73
Injection 67
Remote File Inclusion 43
Protocol Manipulation 37
Security Misconfiguration 14
TOTAL -
WWW.MAJOR-U.EDU
ATTACK TYPE COUNT
Cross-Site Scripting 324
Injection 321
Protocol Manipulation 43
Remote File Inclusion 21
Security Misconfiguration 3
TOTAL -
Appendix
About Hermetric
Hermetric is a security services and consulting company. For more information, visit www.hermetric.com
Disclaimer
The Data Exposure Report was developed by Hermetric Software Services Ltd. as a practical tool for reducing an organization's risk of data theft. However, the developer of the Data Exposure Report does not provide an assurance or any legal warranty as to the ability of the Data Exposure Report to fully expose data theft risks. Hermetric Software Services Ltd. hereby disclaims any other warranty, expressed or implied, including, without limitation, any warranty of fitness of the Data Exposure Report for a particular purpose.
Legal Notice
The information contained in this document is proprietary and confidential information of Hermetric Software Services Ltd. Any unauthorized reproduction, use or disclosure of this material, or any part thereof, is strictly prohibited. This document and information is intended solely for the internal use of authorized Hermetric Software Services Ltd. customers, for the limited purposes set forth herein.