What Makes a Good Security Architecture?
How many times have you heard some organisations state, "our policy is that anti-virus software is installed on all servers"? But why? What is the AV software actually doing? It is a good policy if the server is a mail server, or a file and print server, where the AV software has actually got a job to do. But why do you need AV software on a database server? "Ah well, to protect the server in case malicious software is loaded onto it." Well, AV software is not going to provide any protection against normal SQL traffic to the database server. And if the so-called protection is to protect against system administrators loading malicious software onto the server, first, system administrators should be checking any files before they load them onto the server, and second, any malicious system administrator will just turn off the AV software and then load the Trojan or whatever. The end result is that costs are increased, server performance is decreased, and there is no decrease in risk. An expensive policy, providing a false sense of security!

There are a number of principles that should be deployed in any security architecture. They include, in no particular order, the following, each of which is expanded below:

1. Use layered defences
2. Keep it simple stupid
3. Build-in maintainability
4. Segregation
5. Minimise the number of users
6. Default no trust
7. Expect the unexpected
8. Use assured products
9. Don't gold plate the solution
10. Enable the business
11. Deploy deterrents
12. Use barriers
13. Detect intrusions
14. React against intrusions

1. Use Layered Defences

Relying on a single defence is a risky strategy. If this defence should fail for whatever reason, then the system is vulnerable to attack. The design of castles used for millennia relied on multiple layers of defences. Deploying multiple security controls means that if one control fails, the other security controls will protect the system.
Thus a system that is protected by security controls A, B, C, D, E and F has six levels of protection; any one of them can potentially protect the system. This type of protection is often described as the onion security model.
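The onion model above, and the contrast with controls that must all hold at once, can be made precise by modelling the architecture as a tree of controls and enumerating every combination of failures. The following is an added example, not code from the original article; the failure probabilities are constructed illustrative values, and the Layered/Coupled node names are this example's own. It generalises the text's two six-control cases to any nesting of the two compositions.

```python
"""Model a security architecture as a tree of controls and compute how it fails.

Added example (not from the original article). Two compositions are modelled:
  Layered - the system is compromised only if EVERY control in the group fails
            (the "onion" / layered-defence model).
  Coupled - the system is compromised if ANY control in the group fails
            (controls that are all required at once, so each is a way to go wrong).
Failure probabilities are constructed illustrative values, not measurements.
"""
from __future__ import annotations
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Control:
    name: str
    p_fail: float  # constructed probability that this control fails on its own


@dataclass(frozen=True)
class Layered:
    parts: tuple  # compromised only if all parts are compromised


@dataclass(frozen=True)
class Coupled:
    parts: tuple  # compromised if any part is compromised


def controls_of(node) -> list[Control]:
    """Flatten the tree into its leaf controls, left to right."""
    if isinstance(node, Control):
        return [node]
    out: list[Control] = []
    for part in node.parts:
        out.extend(controls_of(part))
    return out


def compromised(node, failed: frozenset[str]) -> bool:
    """Is the system compromised given the set of failed control names?"""
    if isinstance(node, Control):
        return node.name in failed
    if isinstance(node, Layered):
        return all(compromised(p, failed) for p in node.parts)
    if isinstance(node, Coupled):
        return any(compromised(p, failed) for p in node.parts)
    raise TypeError(f"unknown node type {type(node).__name__}")


def p_compromise(node) -> float:
    """Exact probability of compromise assuming independent control failures,
    found by enumerating every failed/working combination of the controls."""
    ctrls = controls_of(node)
    total = 0.0
    for outcome in product([False, True], repeat=len(ctrls)):
        prob = 1.0
        failed = set()
        for ctrl, has_failed in zip(ctrls, outcome):
            prob *= ctrl.p_fail if has_failed else (1.0 - ctrl.p_fail)
            if has_failed:
                failed.add(ctrl.name)
        if compromised(node, frozenset(failed)):
            total += prob
    return total


def single_points_of_failure(node) -> list[str]:
    """Controls whose failure alone compromises the system: the 'ways to go wrong'."""
    return [c.name for c in controls_of(node) if compromised(node, frozenset({c.name}))]


if __name__ == "__main__":
    six = tuple(Control(name, 0.1) for name in "ABCDEF")
    for label, arch in (("layered", Layered(six)), ("coupled", Coupled(six))):
        print(f"{label}: P(compromise)={p_compromise(arch):.6f} "
              f"single points of failure={single_points_of_failure(arch)}")
```

With six controls that each fail independently one time in ten, the layered tree is compromised with probability 0.1^6 and has no single point of failure, whereas the coupled tree is compromised with probability 1 - 0.9^6 and every one of the six controls is a single point of failure. Mixed trees (a coupled pair inside a layer, for instance) are evaluated the same way, which is useful when reviewing a design where some controls genuinely depend on each other.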
2. Keep it Simple Stupid

How can complexity improve security? Any system that relies on security controls A and B and C and D and E and F has six ways to go wrong, compared with a system that relies on only one security control, which has only one way to go wrong. It is a lot easier to look after a single system than multiple systems. There is a world of difference between a system relying on security controls A and B and C, and a system relying on security controls D or E or F. The latter is called layered defences (see above), whereas the former is called coupling of security controls. Hence deploy the KISS principle, and keep any solution as simple as possible.

3. Build-in Maintainability

Maintainability should be built in at the design stage for any system. This means that the system is designed to be able to deploy patches rapidly, and that version upgrades are planned as part of the overall lifecycle. Where this has been forgotten, it can create huge risks for the business. In one particular case, the business was running a system on hardware which should be consigned to a museum, written in a computer language in which there are only a few people left with relevant skills, and they are rapidly approaching retirement. So what happens when there are no more spares left in the world? The business is playing Russian roulette every day, and unless they come up with a replacement system, it won't be a matter of if, but a question of when the catastrophe will happen.

Malware is now being released within days of a patch being released. Failure to deploy security patches rapidly puts your system at risk of being attacked. The PCI DSS requires that all security patches are deployed within one month of release. This really should be viewed as the minimum standard, with the aim of pushing out security patches a lot faster. The only way that this can be achieved is to design a system that meets this objective.
By using automated test scripts, a patch can be tested before being deployed into the live environment. Version upgrades and hardware refreshes should not come as a surprise. Hardware components fail with age. Software is only supported by vendors for a limited period, which means that after that period security patches are no longer released and the system is vulnerable to attack. Designing the system so that it has a fixed life of, say, five years before being upgraded will ensure that the risks to the system are being managed and not increasing with old age.

4. Segregation

Diversifying and not putting all your eggs in one basket is an excellent way to reduce risk, as Nobel Laureate Harry Markowitz proved in 1952 when he developed portfolio theory. Just as diversification reduces risk in portfolio theory, so dividing up a network can reduce risk. If one segment of the network comes under attack, then only that segment is affected, and the other segments continue to operate normally. A lot of businesses can continue to operate normally despite there being a disaster in one sector. Do you really want Internet users to gain access to your internal network? How to divide up the network will depend greatly on the size of the business and how the business is organised. Even small organisations should separate their external business systems from their internal systems. However, sub-dividing the network into too many small chunks will just add cost and complexity without increasing security.
The best advice for any organisation having to comply with PCI DSS is to segregate those systems that are covered by PCI DSS from those that are not. All the information systems of an organisation have different security requirements. Segregation ensures that different levels of security can be deployed, instead of trying to raise all systems up to the highest common denominator in terms of security.

5. Minimise the Number of Users

Reducing the number of people who can access the system reduces risk. This includes both authorised users and unauthorised users who just have access to the network. Assume that one person in a hundred is malicious, and one in ten of those malicious users has the capability to exploit the system. This means that if 1,000 people can access the system, at least one person will potentially successfully attack it. Obviously actual statistics will vary between organisations, but the principle is the same: the more people who have access to the system, the greater the risk. A system that can only be accessed by 10 people is a thousand times less likely to be attacked than a system that can be accessed by 10,000 people.

6. Default No Trust

Every fraudster's dream is that you will trust them; every burglar hopes that you think everyone is trustworthy and have left windows open and not fitted a burglar alarm. The film Catch Me If You Can showed how Frank Abagnale managed to abuse trust for many years before finally being caught. If you trust a person or another system not to attack your system, then you are relying on their security. In other words, risk has been transferred from that system or organisation to you. Do you really want to take on the risk of another organisation that is outside of your control? In a standard three-layered architecture of web server, application server and database server, security is greatly enhanced by each layer implementing its own security and not trusting the security of the other layers.
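One way to realise "each layer implements its own security" in the three-tier architecture just described, as an added example that is not code from the original article: the web tier parses the request, the application tier checks the field against an allowlist, and the database tier still uses a parameterised query and its own length check, so a defect in a tier above does not automatically expose the tier below. The customer table, account-number format and tier functions are constructed for this illustration.

```python
"""Three tiers that each validate for themselves (added example, not from the article).

Constructed scenario: a customer lookup by account number. Every tier treats its
caller as untrusted, so the database tier resists a malformed value even when the
application tier's check is bypassed.
"""
import re
import sqlite3

# Constructed account-number format: two upper-case letters followed by six digits.
ACCOUNT_RE = re.compile(r"[A-Z]{2}\d{6}")

# Constructed sample data.
SAMPLE_ROWS = [("AB123456", "Alice"), ("CD654321", "Bob")]


def open_db() -> sqlite3.Connection:
    """In-memory database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (account TEXT PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_ROWS)
    return conn


# --- database tier: does not trust its caller; parameterises every query ---
def db_find_customer(conn: sqlite3.Connection, account: str):
    if not isinstance(account, str) or len(account) > 16:
        raise ValueError("database tier rejected account value")
    row = conn.execute(
        "SELECT name FROM customer WHERE account = ?", (account,)
    ).fetchone()
    return row[0] if row else None


# --- application tier: allowlist validation before calling down ---
def app_lookup(conn: sqlite3.Connection, account: str):
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError("application tier rejected account format")
    return db_find_customer(conn, account)


# --- web tier: parses the request and trusts nothing about the client ---
def web_handle(conn: sqlite3.Connection, query_string: str) -> dict:
    params = dict(p.split("=", 1) for p in query_string.split("&") if "=" in p)
    account = params.get("account", "")
    try:
        name = app_lookup(conn, account)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    if name is None:
        return {"status": 404}
    return {"status": 200, "name": name}


if __name__ == "__main__":
    db = open_db()
    print(web_handle(db, "account=AB123456"))        # {'status': 200, 'name': 'Alice'}
    print(web_handle(db, "account=' OR '1'='1"))     # rejected by the application tier
    # Even if the application tier were bypassed, the database tier's parameterised
    # query treats the value as data, not SQL, and simply finds no such account.
    print(db_find_customer(db, "' OR '1'='1"))      # None
```

The point to take from the second and third calls is that removing the application tier's check changes the response but not the outcome at the database: the lower tier never relied on the upper one being correct, which is exactly the property the principle asks for.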
Validating all input at every layer is one example. It means that if there is a vulnerability in one layer, the other layers are not automatically vulnerable. Often a completely paranoid approach is not practical, and different degrees of trust have to be applied. This degree of trust should be based on how much control you can place on that other system. For example, as explained in ISO/IEC :2006, a simple three-layered trust approach could be deployed: low trust for external systems, medium trust for partners where there is a formal contract in place, and high trust for internal systems and users.

7. Expect the Unexpected

As Murphy's Law states, anything that can go wrong will go wrong. Information security is about mitigating the effects of hazards occurring. During the Second World War in Moscow, a distinguished professor of statistics suddenly turned up in a bomb shelter, having never frequented the bomb shelter before. When asked why he was there, he stated that in Moscow there are 7 million people and one elephant: "Last night they got the elephant." One can hardly assume that Moscow Zoo was the target of Nazi air attacks; even so, the improbable did occur. Before Australia was discovered, who would have thought that not all swans were white? See Taleb's book The Black Swan for other improbable events that occurred.
Don't assume that just because your system has not been attacked before, it won't be in the future. That is relying on the Law of Small Numbers, which is also known as the Gambler's Fallacy. Chances are that you don't have enough data to estimate the probability. If a risk can be avoided, then avoid it, and don't take the chance that it might not occur, however small the odds.

8. Use Assured Products

Don't assume that a product or system will provide the protection it claims. Get independent assurance that the security claims are valid. The easiest way to achieve this is, wherever possible, to use assured products, such as products certified under the Common Criteria scheme, or products with FIPS certification in the case of cryptographic products. Where it is not possible to use assured products, then use products that have been independently tested against some specification which specifically tests the security controls. Forget about those tests which test how easy it is to install the product, or how fancy the management controls are. They may make life easier for administrators, but they do not improve the security of the product. There are many products out there which claim to be secure but are unassured. For example, WinZip claims to be secure because it uses AES-256. However, there are published papers showing how to exploit weaknesses in WinZip, negating any supposed protection.

9. Don't Gold Plate the Solution

Don't gold plate the solution: every security control has to be justified as being cost effective in reducing the risk down to an acceptable level. It is often difficult, if not impossible, to properly quantify the effect a particular security control, or group of controls, has in reducing risk. However, despite the difficulties, security controls should only be deployed if they are adding value in reducing risk. Thus it is important to understand how the security controls work.
The objective is not to try to reduce risk to zero, but down to an acceptable level, dependent on the risk appetite and risk tolerance of the organisation. This inevitably means that more security controls could be deployed, but their extra cost cannot be justified by the business.

10. Enable the Business

Enable the business. Information security is not about preventing the business from doing its job, but about ensuring that the business can perform its function securely. Hence information security should be seen as an enabler, and not as an inhibitor. The question to always ask is "how can this be done securely?" It may be that the costs or restrictions are too high, but then that becomes a risk management decision. However, there is nearly always a solution to the problem, even if it does require some creative thinking. Shops are not designed to minimise shoplifting, but designed to maximise sales. In so doing, shops have to allow a certain amount of shoplifting. This does not mean that the problem is ignored, but rather that there is a balance between minimising stock shrinkage and maximising sales. Certain security controls are put in place to minimise stock shrinkage which have minimal impact on maximising sales.
11. Deploy Deterrents

Deterrents are an important set of security controls in the toolbox. They do not prevent an attacker, but deter an attacker from carrying out an attack. Deterrents are like warning notices. Examples of deterrents include employee contracts, partner agreements, operating procedures, warning notices (e.g. when you log in), and obfuscation. The job of deterrents is to state to a potential attacker that the amount of effort required to attack the system is not going to be worth the potential reward, or the risk of being caught. Ideally a deterrent should have a consequence if the warning is ignored. For example, an employment contract will state that if you attack the system, you risk losing your job with no compensation, and also risk civil and/or criminal action. If the potential reward is 500m, that is probably not much of a deterrent, but it is more than adequate if the reward is only 500. Deterrents should be used with other security controls, as they only deter and do not prevent or detect an attack. They are particularly useful when trust is involved, for example with employees, partners, service providers, etc.

12. Use Barriers

Barriers prevent attackers from gaining access to a system. There are five types of barriers: encryption in transit; encryption at rest; ID&A (identification and authentication); firewalls; and secure disposal. Barriers have a known strength, which is defined in terms of the amount of effort, or resources, required to compromise the barrier. Wherever possible, barriers should be used as the primary defence against attackers, in preference to any other form of security control.

13. Detect Intrusions

As Elson's Law states, "Anything that can go wrong already has, you're just not aware of it yet!" How do you know your system has not already been attacked and compromised, if you don't have the ability to detect it? Detection systems are analogous to burglar alarms.
The most useful detection controls are: automatic monitoring of log files; and HIDS (Host Intrusion Detection Systems).

14. React Against Intrusions

What is the point of having a burglar alarm if no one reacts to the alarm? Detection systems by themselves are of no value if no one is looking at the result. Therefore, all detection systems should react against a potential attack, such as by generating an alert which system operators can respond to. There are automatic reaction systems, such as anti-virus software, or NIPS (Network Intrusion Prevention Systems).

Author: Eur Ing Harry E. CLARKE, MSc, CEng, MBCS, CITP, CISSP, M.Inst.ISP
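Principles 13 and 14 together, automatic monitoring of log files that produces an alert an operator can act on, as an added example that is not part of the original article: the monitor reads SSH-style authentication log lines, counts failed logins per source address inside a sliding time window, and emits one alert per source when the threshold is crossed. The log lines are constructed samples (documentation address ranges, not real hosts), and the line format, threshold and window are assumptions of this example.

```python
"""Log-file monitoring with an alerting reaction (added example, not from the article).

Reads sshd-style auth log lines, tracks failed logins per source address in a
sliding window, and returns an alert record the first time a source crosses the
threshold. Sample lines below are constructed; format and thresholds are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: "<iso-timestamp> sshd[<pid>]: Failed|Accepted password for
# [invalid user ]<user> from <addr> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log: one source hammering root/admin, one legitimate login,
# and one source with two isolated failures far apart.
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd[101]: Failed password for invalid user admin from 192.0.2.10 port 5001
2024-01-01T10:00:03 sshd[102]: Failed password for invalid user admin from 192.0.2.10 port 5002
2024-01-01T10:00:05 sshd[103]: Failed password for root from 192.0.2.10 port 5003
2024-01-01T10:00:06 sshd[104]: Accepted password for alice from 198.51.100.7 port 6001
2024-01-01T10:00:08 sshd[105]: Failed password for root from 192.0.2.10 port 5004
2024-01-01T10:00:09 sshd[106]: Failed password for root from 192.0.2.10 port 5005
2024-01-01T10:05:00 sshd[107]: Failed password for bob from 203.0.113.9 port 7001
2024-01-01T10:30:00 sshd[108]: Failed password for bob from 203.0.113.9 port 7002
"""


class FailedLoginMonitor:
    """Sliding-window counter of failed logins per source address."""

    def __init__(self, threshold: int = 5, window_seconds: int = 60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures
        self.alerted = set()                # sources already reported (one alert each)

    def feed(self, line: str):
        """Consume one log line; return an alert dict when a source crosses the threshold."""
        m = LINE_RE.match(line)
        if not m or m["outcome"] != "Failed":
            return None  # unparseable or successful login: nothing to count
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        recent = self.failures[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures that have aged out of the window
        if len(recent) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            # The reaction: a record an operator or ticketing system can act on.
            return {
                "source": src,
                "failures": len(recent),
                "first": recent[0].isoformat(),
                "last": ts.isoformat(),
                "action": "notify-operators",
            }
        return None


def scan(text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Run the monitor over a whole log text and collect the alerts it raises."""
    mon = FailedLoginMonitor(threshold, window_seconds)
    return [alert for alert in (mon.feed(line) for line in text.splitlines()) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

With the defaults the sample produces exactly one alert, for 192.0.2.10 after its fifth failure in eight seconds; 203.0.113.9 never alerts because its two failures are 25 minutes apart, which is the behaviour a sliding window should give. Widening the window to an hour and lowering the threshold to two makes that second source alert as well, so the window and threshold are the tuning points that decide how noisy the reaction is.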
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationBanking Security using Honeypot
Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information
More informationManaging Vulnerabilities For PCI Compliance
Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF
More informationManaging internet security
Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further
More informationPCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
More informationUniversity of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template
University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative
More informationEnd-user Security Analytics Strengthens Protection with ArcSight
Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security
More information1. Thwart attacks on your network.
An IDPS can secure your enterprise, track regulatory compliance, enforce security policies and save money. 10 Reasons to Deploy an Intrusion Detection and Prevention System Intrusion Detection Systems
More informationINCREASING THE VALUE OF PENETRATION TESTING
PRESENTED BY BRETT MOORE APRIL 2008, AUCKLAND, NEW ZEALAND www.insomniasec.com Table of Contents 1. What is penetration testing... 3 2. Why carry out penetration testing... 4 3. Measuring the value of
More informationWelcome to the Protecting Your Identity. Training Module
Welcome to the Training Module 1 Introduction Does loss of control over your online identities bother you? 2 Objective By the end of this module, you will be able to: Identify the challenges in protecting
More informationSeven Things To Consider When Evaluating Privileged Account Security Solutions
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?
More informationExternal Supplier Control Requirements
External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration
More informationAnalyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
More informationNetwork Segmentation
Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or
More informationBest Practices Top 10: Keep your e-marketing safe from threats
Best Practices Top 10: Keep your e-marketing safe from threats Months of work on a marketing campaign can go down the drain in a matter of minutes thanks to an unforeseen vulnerability on your campaign
More informationThe Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:
Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction
More informationBSM for IT Governance, Risk and Compliance: NERC CIP
BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationPATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region
PATCH MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationUnified Threat Management, Managed Security, and the Cloud Services Model
Unified Threat Management, Managed Security, and the Cloud Services Model Kurtis E. Minder CISSP Global Account Manager - Service Provider Group Fortinet, Inc. Introduction Kurtis E. Minder, Technical
More informationPCI Compliance Updates
PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
More informationWhite Paper. To upgrade or consolidate - that is the question. Why not do both?
White Paper To upgrade or consolidate - that is the question. Why not do both? To upgrade or consolidate -that is the question. Why not do both? By Mark Jones, dsp You have virtualised your datacentre
More informationUsing Remote Desktop Clients
CYBER SECURITY OPERATIONS CENTRE December 2011 Using Remote Desktop Clients INTRODUCTION 1. Remote access solutions are increasingly being used to access sensitive or classified systems from homes and
More informationCloud Computing Governance & Security. Security Risks in the Cloud
Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud
More informationALERT LOGIC FOR HIPAA COMPLIANCE
SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare
More informationThe Small Business Heroes guide to taking card payments for retailers
The Small Business Heroes guide to taking card payments for retailers Every retailer wants to make more money, and one of the easiest ways to do this is to start taking card payments. No matter how small
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationPresented By: Bryan Miller CCIE, CISSP
Presented By: Bryan Miller CCIE, CISSP Speaker Introduction Risks Controls Why We Should Pen Test Why We Don t Pen Test Tools & Techniques Low Hanging Fruit Case Studies Copyright 2010 Syrinx Technologies
More informationPCI DSS Reporting WHITEPAPER
WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts
More informationTHE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005
THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005 13 DECEMBER 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation
More information