The document discusses cybersecurity risks and provides advice on how to protect against threats. It notes that 5 out of 6 advanced attacks target large companies, while 60% target small and medium businesses. The STRIDE model is described as a framework for categorizing different types of threats. Input validation, authentication, authorization, and applying defense in depth are recommended strategies. The document emphasizes that no software is 100% secure and the goal should be to minimize vulnerabilities and reduce the chances of successful attacks.

1. #‫نا‬‫ح‬‫ا‬_‫يف‬_‫خطر‬!
‫يقات‬‫ب‬‫تط‬‫ل‬‫ا‬ ‫مني‬‫تأ‬ ‫يف‬ ‫مقدمة‬
‫دعبس‬ ‫سامح‬

2. ‫هرس‬‫لف‬‫ا‬
o#‫احنا‬_‫يف‬_‫خطر‬!
o‫اق‬‫رت‬‫الاخ‬ ‫حيدث‬ ‫كيف‬(‫بسط‬‫م‬ ‫مثال‬)
o‫الهاكرز‬ ‫لغة‬..
o‫يه؟‬‫ا‬ ‫ننا‬‫م‬ ‫عاوزة‬ ‫دي‬ ‫الناس‬!!!STRIDE Model
o‫ا‬‫ري‬‫كث‬ ‫ميهنا‬‫تأ‬ ‫يف‬ ‫بتغلط‬ ‫الناس‬ ‫ليل‬‫ا‬ ‫احلاجات‬...Threats categories
o‫الصح‬ ‫امعل‬
o‫مين‬ ‫هتت‬ ‫ان‬‫أ‬...‫؟‬‫نبدأ‬ ‫ين‬‫أ‬ ‫من‬
o‫مه‬‫أ‬10‫ات‬‫ر‬‫ثغ‬OWASP top 10
o‫تفصيل‬‫ل‬‫اب‬ ‫ثغرة‬ ‫سهل‬‫أ‬ ‫و‬ ‫شهر‬‫أ‬ ‫و‬ ‫خطر‬‫أ‬...SQL Injection
o‫بعد‬ ‫ماذا‬...

3. #‫نا‬‫ح‬‫ا‬_‫يف‬_‫خطر‬
o‫نتك‬‫امي‬‫س‬ ‫ير‬‫ر‬‫تق‬ ‫ملخص‬Symantec‫نة‬‫س‬ ‫عن‬2014:
o5‫لك‬ ‫من‬6‫متقدمني‬ ‫قني‬‫رت‬‫خمل‬ ‫هدفا‬ ‫نت‬‫اك‬ ‫كبرية‬ ‫مؤسسات‬
o60%‫املتوسطة‬ ‫و‬ ‫الصغرية‬ ‫املؤسسات‬ ‫هتدف‬‫تس‬ ‫الهجامت‬ ‫من‬
o‫املدافعني‬ ‫من‬ ‫رسع‬‫أ‬ ‫قون‬‫رت‬‫اخمل‬:
o24‫لها‬ ‫حل‬ ‫جياد‬‫ا‬ ‫قبل‬ ‫تغاللها‬‫اس‬ ‫مت‬ ‫ثغرة‬Zero-day vulnerabilities
o‫ول‬‫أ‬5‫بعد‬ ‫هلم‬ ‫حلول‬ ‫جياد‬‫ا‬ ‫مت‬ ‫مهنم‬295‫يوم‬!!
o‫من‬ ‫كرث‬‫أ‬317‫ورت‬ُ‫ط‬ ‫يثة‬‫خب‬ ‫جمية‬‫ر‬‫ب‬ ‫مليون‬
‫املصدر‬:https://www.symantec.com/security_response/publications/threatreport.jsp

4. ‫اق؟‬‫رت‬‫الاخ‬ ‫حيدث‬ ‫يف‬‫ك‬(‫سط‬‫ب‬‫م‬ ‫ثال‬‫م‬)
.1‫الضعف‬ ‫نقاط‬ ‫عن‬ ‫البحث‬ ‫و‬ ‫املسح‬Survey and assess
.2‫علهيا‬ ‫الهجوم‬ ‫و‬ ‫الضعف‬ ‫نقاط‬ ‫تغالل‬‫اس‬Penetrate or Exploit
.3‫الصالحيات‬ ‫يع‬‫توس‬Escalate Privileges
.4‫الضحية‬ ‫از‬‫زت‬‫اب‬Maintain access
•‫بعد‬ ‫فامي‬ ‫ادلخول‬ ‫هيل‬‫تس‬:‫خلفية‬ ‫اب‬‫و‬‫ب‬‫أ‬ ‫فتح‬back-doors,‫ضعيف‬ ‫حساب‬ ‫تخدام‬‫اس‬
‫مني‬‫التأ‬,‫اق‬‫رت‬‫الاخ‬ ‫اثر‬‫أ‬ ‫مسح‬...
.5‫اخلدمة‬ ‫جحب‬Denial of Service
•‫احملروقة‬ ‫رض‬‫ال‬ ‫ياسة‬‫س‬...‫نيا‬‫دل‬‫ا‬ ‫يوقع‬ ‫فشل‬ ‫لو‬
•‫ذاهتا‬ ‫حد‬ ‫يف‬ ‫هدف‬

5. ‫هاكرز‬‫ل‬‫ا‬ ‫لغة‬..
 We have a valuable “asset” (A resource of value such as the
data in a database or on the file system, or a system resource)
that we want to protect.
 ... That asset has a weakness point (vulnerability)
 … that raise a “threat ‫تخوف‬ ”
 … that a “malicious ‫”خبيث‬ user can “penetrate ‫يخترق‬ or hack
‫يخترق‬ or attack‫يهاجم‬ or exploit‫يستغل‬ or compromise ‫يهدد‬,‫يضر‬
‫بـ‬ this vulnerability
 … and harm (cause bad things, like retrieve or damage) that
asset.
 … We need countermeasures ‫وقائية‬ ‫تدابير‬
 … to counter ‫نقاوم‬ or address ‫نعالج‬ this threat
 … and mitigate ‫آثار‬ ‫من‬ ‫تخفيف‬ this risk.

6. ‫يه؟‬‫ا‬ ‫نا‬‫من‬ ‫عاوزة‬ ‫دي‬ ‫ناس‬‫ل‬‫ا‬!!!STRIDE Model
•‫بيثة؟‬‫خل‬‫ا‬ ‫عامل‬‫ال‬ ‫هذه‬ ‫ملثل‬ ‫قني‬‫رت‬‫اخمل‬ ‫افع‬‫و‬‫د‬ ‫يه‬ ‫ما‬‫مايكروسوفت‬ ‫ل‬‫اسأ‬...
• STRIDE Model
• Spoofing ‫نتحال‬‫ا‬: use false identity (credentials, IP, …)
• Tampering ‫تالعب‬,‫تزوير‬ : unauthorized modification of data
• Repudiation ‫ناكر‬‫ا‬
• ‫ته‬‫ز‬‫جنا‬ ‫يف‬ ‫مييش‬ ‫و‬ ‫القتيل‬ ‫يقتل‬
• Information disclosure ‫عن‬ ‫فصاح‬‫ال‬/‫فشاء‬‫ا‬‫املعلومات‬
• ‫الفضاحي‬ ‫من‬ ‫كرت‬ ‫احي‬‫ر‬ ‫اي‬
• Denial of Service ‫جحب‬‫اخلدمة‬
• Elevation of privilege ‫الصالحيات‬ ‫يع‬‫توس‬
• ‫الطبيب‬ ‫الزعمي‬ ‫املشري‬ ‫يق‬‫ر‬‫الف‬...

7. ‫احلاجات‬‫ليل‬‫ا‬‫تغلط‬‫ب‬ ‫ناس‬‫ل‬‫ا‬‫ا‬‫ري‬‫ث‬‫ك‬ ‫ميهنا‬‫تأ‬ ‫يف‬...Threats categories
1. Input validation: How do you know that the input your application receives is
valid and safe?
2. Authentication: Who are you?
3. Authorization: What can you do?
4. Configuration management: How your application manage its settings?
5. Sensitive data: how your application handles any data that must be protected
either in memory, over the network or in persistent stores.
6. Session management: A session refers to a series of related interactions
between a user and your Web application.
7. Cryptography: Cryptography refers to how your application enforces
confidentiality (privacy) and integrity (tamper-proofing ‫تزويرها‬ ‫ميكن‬ ‫ل‬).
8. Parameter manipulation: Query string parameters; form fields; cookies; HTTP
headers
9. Exception management: When your application fails, Do you return friendly
error information to end users? Do you pass valuable exception information
back to the caller?
10. Auditing and logging: Who did what and when?

8. ‫الصح‬ ‫امعل‬...‫ت‬‫ل‬‫ا‬ ‫مني‬‫تأ‬‫ل‬ ‫نصاحئ‬‫ل‬‫ا‬ ‫مه‬‫أ‬‫يقات‬‫ب‬‫ط‬

9. 1-‫هدفك‬ ‫حدد‬
•‫من‬‫أ‬ ‫برانمج‬ ‫مفيش‬100%
•‫هو‬ ‫الهدف‬‫اقات‬‫رت‬‫الاخ‬ ‫مام‬‫أ‬ ‫يصمد‬ ‫لربانمج‬ ‫الوصول‬hack-resilient‫تقليل‬‫ب‬‫بقدر‬ ‫الضعف‬ ‫نقاط‬‫تطاع‬‫املس‬

10. 2-‫امرة‬‫ؤ‬‫امل‬ ‫ية‬‫ر‬‫نظ‬‫ب‬ ‫من‬‫أ‬
•If anything can go wrong, it will! – Murphy’s law
•‫منةل‬ ‫عدوك‬ ‫اكن‬ ‫ن‬‫ا‬,‫هل‬ ‫تمن‬ ‫فال‬
•‫الرحي‬ ‫منه‬ ‫كل‬ ‫ييجي‬ ‫ليل‬‫ا‬ ‫الباب‬,‫اسرتحي‬ ‫و‬ ‫سده‬

11. 3-‫الـ‬Firewall‫الـ‬ ‫و‬Encryption‫كفاية‬ ‫مش‬!!
• Apply defense in depth
• Application  ‫نا‬‫عيش‬ ‫لك‬‫أ‬
• Platform: OS, SQL Server, Runtime, IIS,…
• Infrastructure: Network, routers, ports, switches,
VMs, …
• ‫لكه‬ ‫عىل‬ ‫منفد‬ ‫لكه‬
• ‫بصديق‬ ‫تعن‬‫اس‬

12. 4-‫تصدقها‬ ‫حاجة‬ ‫كل‬ ‫يقول‬ ‫حد‬ ‫ي‬‫أ‬ ‫مش‬Input Validation
• Input is evil, unless proven otherwise
• Do not trust input including form fields, cookies, query strings, HTTP headers
• Do not rely on client-side validation
• Constrain, reject and sanitize input
• Validate for type, length, format and range

13. 5-Authentication & Authorization
•‫ل‬‫اسأ‬ ‫داميا‬...‫نمت‬‫أ‬ ‫من‬‫؟‬--Authentication
•‫ما‬ ‫حد‬ ‫مع‬ ‫تتلكمش‬ ‫ما‬‫فوش‬‫ر‬‫تع‬
•‫حاجة‬ ‫لك‬ ‫هلم‬ ‫تقول‬ ‫ينفع‬ ‫فهم‬‫ر‬‫تع‬ ‫ليل‬‫ا‬ ‫الناس‬ ‫لك‬ ‫مش‬--Authorization
•‫ابملظاهر‬ ‫تنخدعش‬ ‫ما‬
•EFG Hermes office boy!
•‫الناس‬ ‫للك‬ ‫البحري‬ ‫عىل‬ ‫نيا‬‫دل‬‫ا‬ ‫تفتحش‬ ‫ما‬role-based authorization

14. 6-‫احلاجة‬ ‫قدر‬ ‫عىل‬ ‫الصالحيات‬
• Use least privileged process, service, and user accounts

15. 7-‫وقعت‬ ‫لو‬...‫اقف‬‫و‬ ‫اقع‬Fail gracefully
• Never expose error details to end user.

16. 8-‫مصحصح‬ ‫يك‬‫خل‬
• Log errors and critical system events
• Analyze logs periodically

17. 9-‫العجل‬ ‫اع‬‫رت‬‫اخ‬ ‫يدش‬‫تع‬ ‫ما‬
• Use well-known security solutions
• Don’t use custom security solutions without test

18. 10-‫سكل‬‫ل‬‫ا‬ ‫ن‬ِّ‫م‬‫أ‬secure the wire
• Use encrypted communication channel (TLS/SSL, VPN)

19. 11-‫يكرمك‬ ‫هللا‬ ‫الصدر‬ ‫تحة‬‫ف‬ ‫بالش‬
o‫فكرة‬ ‫عىل‬...‫عداء‬‫أ‬ ‫ليك‬ ‫يكون‬ ‫رشط‬ ‫مش‬!

20. ‫نص‬‫و‬‫ب‬...‫سبب‬‫ل‬‫ا‬ ‫نت‬‫أ‬ ‫نك‬‫ا‬ ‫عرف‬ ‫حدش‬ ‫ما‬ ‫و‬ ‫بة‬‫ي‬‫مص‬ ‫حصل‬ ‫لو‬‫؟‬
•‫اتين‬ ‫تمي‬ ‫ي‬‫أ‬ ‫ف‬ ‫سها‬‫لب‬...‫مزحة‬

21. ‫مين‬ ‫هتت‬ ‫ان‬‫أ‬...‫؟‬‫بدأ‬‫ن‬ ‫ين‬‫أ‬ ‫من‬
o‫كثرية‬ ‫ات‬‫ر‬‫الثغ‬,‫ات‬‫ر‬‫الثغ‬ ‫مجيع‬ ‫تغطية‬ ‫ميكن‬ ‫ل‬ ‫و‬‫مه‬‫ابل‬ ‫البدء‬ ‫من‬ ‫لبد‬‫فاملهم‬
o‫مؤسسة‬ ‫حبسب‬SANS(‫ال‬ ‫رجال‬ ‫اعامتد‬ ‫و‬ ‫مين‬‫ال‬ ‫يب‬‫ر‬‫التد‬ ‫جمال‬ ‫يف‬ ‫شهرية‬ ‫رشكة‬‫من‬
‫مقي‬‫ر‬‫ال‬certifications)‫ير‬‫ر‬‫تق‬ ‫يف‬2015,‫من‬ ‫كرث‬‫أ‬ ‫ن‬‫فا‬60%‫عىل‬ ‫متد‬‫تع‬ ‫املؤسسات‬ ‫من‬
OWASP Top 10‫دلهيا‬ ‫اليت‬ ‫ات‬‫ر‬‫الثغ‬ ‫مني‬‫تأ‬ ‫يف‬

22. ‫مه‬‫أ‬10‫ات‬‫ر‬‫ثغ‬OWASP top 101. Injection: any data that will pass to a parser/interpreter is susceptible to this
threat, SQL, LDAP, XML, …
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS): inject script in web page
1. The most popular security flaw
4. Insecure Direct Object References: ability to access protected resources will id
in url without authorization
5. Security Misconfiguration: default settings are insecure, unused services, over-
privileged accounts, …
6. Sensitive Data Exposure: no or weak encryption
7. Missing Function Level Access Control: Anonymous users could access private
functions that aren’t protected by simply change the URL
8. Cross-Site Request Forgery (CSRF): use hijacked cookies to send forget ‫مزور‬
requests to the application
9. Using Components with Known Vulnerabilities: obsolete Adobe Flash version?
10. Unvalidated Redirects and Forwards: Attacker links to unvalidated redirect and
tricks victims into clicking it. Victims are more likely to click on it, since the
link is to a valid site. Attacker targets unsafe forward to bypass security checks.

23. ‫يل‬‫تفص‬‫ل‬‫اب‬ ‫ثغرة‬ ‫سهل‬‫أ‬ ‫و‬ ‫شهر‬‫أ‬ ‫و‬ ‫خطر‬‫أ‬...SQL Injection

24. ‫بعد؟‬ ‫ماذا‬
o‫الـ‬ ‫ثغرة‬ ‫قفل‬ ‫و‬ ‫امج‬‫رب‬‫ال‬ ‫حفص‬SQL Injection

25. ‫ال؟‬‫ؤ‬‫س‬ ‫نده‬‫ع‬ ‫حد‬

26. ‫يال‬‫ز‬‫ج‬ ‫ا‬‫ر‬‫شك‬...