Difference between revisions of "Web Site Security"

From MgmtWiki
(Full Name and Context)
(Problems)
Line 10: Line 10:
  
 
==Problems==
 
==Problems==
 +
* After 20 years of web based attacks on users, protection is still dependent on the education of users, who are known to be gullible. This is the most recent report from the NSS<ref>NSSlabs, ''NSS Labs Announces Results of 2018 Web Browser Security Test.'' (2018-12-05) https://globenewswire.com/news-release/2018/12/05/1662619/0/en/NSS-Labs-Announces-Results-of-2018-Web-Browser-Security-Test.html</ref>
 +
<blockquote>Education is a key component of protection against SEM and phishing attacks. Users who are able to identify socially engineered attacks rely less on technology for protection against such attacks. NSS Labs recommends supplementing browser protection with user education to protect against attacks that bypass browser protections.</blockquote>
 +
 
==Solutions==
 
==Solutions==
 
* The [[Web Site]] exposes its name in a manner that allows the user to make a meaningful trust decision.
 
* The [[Web Site]] exposes its name in a manner that allows the user to make a meaningful trust decision.
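Review bot: the Problems bullet added in this hunk asserts that users are "known to be gullible", which the quoted NSS Labs passage does not say; the source only states that users who can identify socially engineered attacks rely less on technology for protection, so the lead sentence should be reworded to claim no more than the reference supports. The quoted passage also introduces the abbreviation SEM without expanding it anywhere on the page; expand it at first use.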

Revision as of 10:46, 8 December 2018

Full Title and Meme

For most people, a computer is first and foremost a communications device that talks to a collection of Web Sites, which the user must trust in order to have a meaningful experience.

Context

  • The day when a personal computer was for running applications for the user is long gone, never to return.
  • Today a personal computer depends on cloud-based services for nearly all of its functionality.
  • Web Site security is becoming widely known as Cyber-Security, probably because that sounds more important somehow.
  • This page will only consider the use of a trusted User Agent, typically a web browser from a well-known and trusted vendor.
  • For the case of the user allowing a Native App to be installed on their personal device, see the page Native App Security.

Problems

  • After 20 years of web-based attacks on users, protection still depends on the education of users, who are known to be gullible. The most recent report from NSS Labs[1] puts it this way:
    Education is a key component of protection against SEM and phishing attacks. Users who are able to identify socially engineered attacks rely less on technology for protection against such attacks. NSS Labs recommends supplementing browser protection with user education to protect against attacks that bypass browser protections.

Solutions

  • The Web Site exposes its name in a manner that allows the user to make a meaningful trust decision.
  • Most browsers include a feature that evaluates every file downloaded to the computer against a constantly updated set of filters hosted in the cloud.

References

  1. NSSlabs, NSS Labs Announces Results of 2018 Web Browser Security Test. (2018-12-05) https://globenewswire.com/news-release/2018/12/05/1662619/0/en/NSS-Labs-Announces-Results-of-2018-Web-Browser-Security-Test.html

Organizational Support

  1. The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of web site software.
  2. ISACs are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators.