What Makes a Good Security Architecture?

Size: px
Start display at page:

Download "What Makes a Good Security Architecture?"

Transcription

1 What Makes a Good Security Architecture? What makes a good security architecture? How many times have you heard some organisations state, our policy is that anti-virus software is installed on all servers. But why? What is the AV software actually doing? It is a good policy if the server is a mail server, or a file and print server, where the AV software has actually got a job to do. But why do you need AV software on a database server? Ah well, to protect the server in case malicious software is loaded onto it. Well AV software is not going to provide any protection against normal SQL traffic to the database server. And if the so called protection is to protect against system administrators loading malicious software onto the server, first system administrators should be checking any files before they load it onto the server. And second, any malicious system administrator will just turn off the AV software and then load the Trojan or whatever. The end result is costs are increased, server performance is decreased, and no decrease in risk. An expensive policy, providing a false sense of security! There are a number of principles that should be deployed in any security architecture, which include in no particular order, and are expanded below: 1. Use layered defences 2. Keep it simple stupid 3. Build-in maintainability 4. Segregation 5. Minimise the number of users 6. Default no trust 7. Expect the unexpected 8. Use assured products 9. Don t gold plate the solution 10. Enable the business 11. Deploy deterrents 12. Use barriers 13. Detect intrusions 14. React against intrusions 1. Use Layered Defences Relying on a single defence is a risky strategy. If this defence should fail for whatever reason, then the system is vulnerable to attack. The design of castles used for millennium relied on multiple layers of defences. Deploying multiple security controls means that if one control fails, the other security controls will protect the system. Thus a system that is protected by security controls A, B, C, D, E and F has six levels of protection, either one of them can potentially protect the system. This type of protection is often described as the onion security model. Page 1 of 5

2 2. Keep it Simple Stupid How can complexity improve security? Any system that relies on security controls of A and B and C and D and E and F has six ways to go wrong, against a system that only replies on one security control, which has only one way to go wrong. It is lot easier to look after a single system than multiple systems. There is a world of difference between a system relying on security controls A and B and C, and a system relying on security controls of D or E or F. The latter is called layered defences (see above), whereas the former is called coupling of security controls. Hence deploy the KISS principle, and keep any solution simple as far as possible. 3. Build-in Maintainability Maintainability should be built in at the design stage for any system. This means that the system is designed to be able to rapidly deploy patches, and version upgrades are planned as part of the overall lifecycle. Where this has been forgotten, this can create huge risks for the business. In one particular case, the business were running a system on hardware which should be consigned to a museum, written in a computer language where there are only a few people left with relevant skills, and they are rapidly approaching retirement. So what happens when there are no more spares left in the world? The business are playing Russian roulette every day, and unless they come up with a replacement system, it won t be a matter of if, but a question of when the catastrophe will happen. Malware is now been released within days of a patch been released. Failure to rapidly deploy the security patches puts at risk your system from being attacked. The PCI DSS requires that all security patches are deployed within one month of release. This really should be viewed as the minimum standard, with the aim to push out security patches a lot faster. The only way that this can be achieved is to design a system that meets this objective. By using automated test scripts, the patch can be tested before being deployed into the live environment. Version upgrades, hardware refreshes should not come as a surprise. Hardware components fail with age. Software is only supported by vendors for a limited period. Which means that after that period, security patches are no longer released and the system is vulnerable to attack. Designing the system so that it has a fixed life of say five years before being upgraded, will ensure that the risks to the system are being managed and not increasing with old age. 4. Segregation Diversifying and not putting all your eggs in one basket is an excellent way to reduce risk as Nobel Laureate Harry Markowitz proved in 1952, when he developed portfolio theory. Just as diversification reduces risk in portfolio theory, so dividing up a network can reduce risk. If one segment of the network comes under attack, then only that segment is affected, and the other segments continue to operate normally. A lot of business can continue to operate normally, despite their being a disaster in one sector. Do you really want Internet users to gain access to your internal network? How to divide up the network will depend greatly on the size of the business, and how the business is organised. Even small organisations should separate their external business systems from their internal systems. However, sub-dividing the network into too many small chunks will just add cost and complexity without increasing security. Page 2 of 5

3 The best advice for any organisation having to comply with PCI DSS is to segregate those systems that are covered by PCI DSS and those that are not. All the information systems of an organisation have different security requirements. Segregation ensures that different levels of security can be deployed, instead of trying to raise all systems up to the highest common denominator in terms of security. 5. Minimise the Number of Users Reducing the number of people who can access the system reduces risk. This includes both authorised users and unauthorised users who just have access to the network. Assume that one person in a hundred is malicious, and one in ten of those malicious users has the capability to exploit the system. Then this means that if 1,000 people can access the system, at least one person will potentially successfully attack the system. Obviously actual statistics will vary between organisations, but the principle is the same, the more people who have access to the system, the greater the risk. A system that can only be accessed by 10 people is thousand times less likely to be attacked, than a system that can be accessed by 10,000 people. 6. Default No Trust Every fraudsters dream is that you will trust them; every burglar hopes that you think everyone is trustworthy and have left windows open and not fitted a burglar alarm. The film Catch Me If You Can proved how Frank Abagnale had managed to abuse trust for many years before finally being caught. If you trust a person or another system not to attack your system, then you are relying on their security. In other words, risk has been transferred from that system or organisation to you. Do you really want to take on the risk of another organisation that is outside of your control? In a standard three layered architecture of web server, application server, database server, security is greatly enhanced by each layer implementing its own security, and not trusting the security of the other layers. For example, validating all input. This means that if a vulnerability in one layer, all the other layers are not automatically vulnerable. Often a completely paranoid approach is not practical, and different degrees of trust have to be applied. This degree of trust should be based on how much control you can place on that other system. For example as explained in ISO/IEC :2006, a simple three layered trust approach could be deployed of low trust for external systems, medium trust for partners where there is a formal contract in place, and high trust for internal systems and users. 7. Expect the Unexpected As Murphy s Law states, anything that can go wrong will go wrong Information security is about mitigating the effects of hazards occurring. During the Second World War in Moscow, a distinguished professor of statistics in suddenly turned up in a bomb shelter, having never frequented the bomb shelter before. When asked why he was there, he stated that in Moscow there are 7 million people and one elephant. Last night they got the elephant. One can hardly assume that Moscow zoo was the target of Nazi air attacks, even so the improbable did occur. Before Australia was discovered, who would have thought that all swans were not white? See Taleb s book on The Black Swan for other improbable events that occurred. Page 3 of 5

4 Don t assume that just because your system has not being attacked before, it doesn t mean that it won t in the future. That is relying on the Law of Small Numbers, which is also known as the Gamblers Fallacy. Chances are that you don t have enough data to estimate the probability. If a risk can be avoided, then avoid it and don t take the chance that it might not occur, however small the odds. 8. Use Assured Products Don t assume that a product or system will provide the protection it claims. Get independent assurance that the security claims are valid. The easiest way to achieve this is wherever possible to use assured products such as products certified under the Common Criteria scheme, or have FIPS certification for cryptographic products. Where it is not possible to use assured products, then use products that have been independently tested against some specification which specially tests the security controls. Forget about those tests which test how easy is it to install the product, or how fancy the management controls are. They may make life easier for administrators, but they do not improve the security of the product. There are many products out there which claim to be secure but are unassured. For example, WinZip claims to be secure because it uses AES-256. However, there are published papers showing how to exploit weaknesses in the WinZip, negating any supposed protection. 9. Don t Gold Plate the Solution Don t gold plate the solution, every security control has to be justified that it is cost effective in reducing the risk down to an acceptable level. It is often difficult, if not impossible, to properly quantify the effect a particular security control, or group of controls, has in reducing risk. However, despite the difficulties, security controls should only be deployed if they adding value in reducing risk. Thus it is important to understand how the security controls work. The objective is not to try and reduce risk to zero, but down to an acceptable level, dependent on the risk appetite of the organisation and the risk tolerance. This inevitably means that more security controls could be deployed, but their extra cost cannot be justified by the business. 10. Enable the Business Enable the business. Information security is not about preventing the business from doing their job, but ensuring that the business can perform their function securely. Hence information security should be seen as an enabler, and not as an inhibitor. The question to always ask is how can this be done securely? It maybe that the costs or restrictions are too high, but then that becomes a risk management decision. However, there is nearly always a solution to the problem, even if it does require some creative thinking. Shops are not designed to minimise shop lifting, but designed to maximise sales. In so doing, shops have to allow a certain amount of shop lifting. This does not mean that the problem is ignored, but rather there is a balance between minimising stock shrinkage and maximising sales. Certain security controls are put in place to minimise stock shrinkage, which have minimal impact on maximising sales. Page 4 of 5

5 11. Deploy Deterrents Deterrents are an important set of security controls in the toolbox. They do not prevent an attacker, but deter an attacker from carrying out an attack. Deterrents are like warning notices. Examples of deterrents include employee contracts, partner agreements, operating procedures, warning notices (e.g. when you login), obfuscation. The job of deterrents is to state to a potential attacker that the amount of effort required to attack the system is going to not worth the potential reward, or the risk of being caught. Ideally a deterrent should have a consequence if the warning is ignored. For example, an employment contract will state that if you attack the system, you risk losing your job with no compensation, and also risk civil and/or criminal action. If the potential reward is 500m probably not much of a deterrent, but more than adequate if the reward is only 500. Deterrents should be used with other security controls, as they only deter and do not prevent or detect an attack. They are particularly useful when trust is involved, for example with employees, partners, service providers, etc. 12. Use Barriers Barriers prevent attackers from gaining access to a system. There are five types of barriers: encryption in transit; encryption at rest; ID&A (identification and authentication); firewalls; and secure disposal. Barriers have a known strength, which is defined in the amount of effort, or resources, required to compromise the barrier. Wherever possible, barriers should be used as the primary defence against attackers in preference to any other form of security control. 13. Detect Intrusions As Elson's Law states Anything that can go wrong already has, you're just not aware of it yet! How do you know your system has not already been attacked and compromised, if you don t have the ability to detect it? Detection systems are analogous to burglar alarms. The most useful detection controls are: automatic monitoring of log files; and HIDS (Host Intrusion Detection Systems). 14. React Against Intrusions What is the point of having a burglar alarm if no one reacts to the alarm? Detection systems by themselves are of no value if no one is looking at the result. Therefore, all detection systems should be reacting against a potential attack, such as generating an alert which system operators can respond to. There are automatic reaction systems, such as anti-virus software, or NIPS (Network Intrusion Systems). Author Eur Ing Harry E. CLARKE, MSc, CEng, MBCS, CITP, CISSP, M.Inst.ISP Page 5 of 5

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access

More information

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations

More information

Specific recommendations

Specific recommendations Background OpenSSL is an open source project which provides a Secure Socket Layer (SSL) V2/V3 and Transport Layer Security (TLS) V1 implementation along with a general purpose cryptographic library. It

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

How to complete the Secure Internet Site Declaration (SISD) form

How to complete the Secure Internet Site Declaration (SISD) form 1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,

More information

Need to be PCI DSS compliant and reduce the risk of fraud?

Need to be PCI DSS compliant and reduce the risk of fraud? Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Ensuring security the last barrier to Cloud adoption

Ensuring security the last barrier to Cloud adoption Ensuring security the last barrier to Cloud adoption Publication date: March 2011 Ensuring security the last barrier to Cloud adoption Cloud computing has powerful attractions for the organisation. It

More information

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult

More information

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science A Seminar report On Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science SUBMITTED TO: www.studymafia.org SUBMITTED BY: www.studymafia.org

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

The Education Fellowship Finance Centralisation IT Security Strategy

The Education Fellowship Finance Centralisation IT Security Strategy The Education Fellowship Finance Centralisation IT Security Strategy Introduction This strategy outlines the security systems in place to optimise, manage and protect The Education Fellowship data and

More information

AN OVERVIEW OF VULNERABILITY SCANNERS

AN OVERVIEW OF VULNERABILITY SCANNERS AN OVERVIEW OF VULNERABILITY SCANNERS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole

More information

Overcoming PCI Compliance Challenges

Overcoming PCI Compliance Challenges Overcoming PCI Compliance Challenges Randy Rosenbaum - Security Services Exec. Alert Logic, CPISM Brian Anderson - Product Manager, Security Services, SunGard AS www.sungardas.com Goal: Understand the

More information

U06 IT Infrastructure Policy

U06 IT Infrastructure Policy Dartmoor National Park Authority U06 IT Infrastructure Policy June 2010 This document is copyright to Dartmoor National Park Authority and should not be used or adapted for any purpose without the agreement

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data

More information

Compliance Guide: PCI DSS

Compliance Guide: PCI DSS Compliance Guide: PCI DSS PCI DSS Compliance Compliance mapping using Huntsman INTRODUCTION The Payment Card Industry Data Security Standard (PCI DSS) was developed with industry support by the PCI Security

More information

PCI Compliance for Healthcare

PCI Compliance for Healthcare PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc. Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Web Application Security

Web Application Security Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4

More information

The Influence of Software Vulnerabilities on Business Risks 1

The Influence of Software Vulnerabilities on Business Risks 1 The Influence of Software Vulnerabilities on Business Risks 1 Four sources of risk relevant for evaluating the influence of software vulnerabilities on business risks Authors Hilbrand Kramer, MSc (Royal

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two

More information

WHITE PAPER. Running. Windows Server 2003. in a Post-Support World. By Nick Cavalancia

WHITE PAPER. Running. Windows Server 2003. in a Post-Support World. By Nick Cavalancia Running Windows Server 2003 in a Post-Support World By Nick Cavalancia TABLE OF CONTENTS Introduction 1 The Challenge of Staying on Windows Server 2003 2 Building a Vulnerability Mitigation Strategy 4

More information

Caretower s SIEM Managed Security Services

Caretower s SIEM Managed Security Services Caretower s SIEM Managed Security Services Enterprise Security Manager MSS -TRUE 24/7 Service I.T. Security Specialists Caretower s SIEM Managed Security Services 1 Challenges & Solution Challenges During

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding

More information

SecurityMetrics Vision whitepaper

SecurityMetrics Vision whitepaper SecurityMetrics Vision whitepaper 1 SecurityMetrics Vision: Network Threat Sensor for Small Businesses Small Businesses at Risk for Data Theft Small businesses are the primary target for card data theft,

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

MAXIMUM PROTECTION, MINIMUM DOWNTIME

MAXIMUM PROTECTION, MINIMUM DOWNTIME MANAGED SERVICES MAXIMUM PROTECTION, MINIMUM DOWNTIME Get peace of mind with proactive IT support Designed to protect your business, save you money and give you peace of mind, Talon Managed Services is

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

Integrating Security into Your Corporate Infrastructure

Integrating Security into Your Corporate Infrastructure Integrating Security into Your Corporate Infrastructure December 13, 2001 Matthew K. Miller, CISSP, GIAC Manager, Security Services RedSiren Technologies 1 Who is RedSiren? We are a MSSP Managed Security

More information

Security. CLOUD VIDEO CONFERENCING AND CALLING Whitepaper. October 2015. Page 1 of 9

Security. CLOUD VIDEO CONFERENCING AND CALLING Whitepaper. October 2015. Page 1 of 9 Security CLOUD VIDEO CONFERENCING AND CALLING Whitepaper October 2015 Page 1 of 9 Contents Introduction...3 Security risks when endpoints are placed outside of firewalls...3 StarLeaf removes the risk with

More information

Host/Platform Security. Module 11

Host/Platform Security. Module 11 Host/Platform Security Module 11 Why is Host/Platform Security Necessary? Firewalls are not enough All access paths to host may not be firewall protected Permitted traffic may be malicious Outbound traffic

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Lot 1 Service Specification MANAGED SECURITY SERVICES

Lot 1 Service Specification MANAGED SECURITY SERVICES Lot 1 Service Specification MANAGED SECURITY SERVICES Fujitsu Services Limited, 2013 OVERVIEW OF FUJITSU MANAGED SECURITY SERVICES Fujitsu delivers a comprehensive range of information security services

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

InsightCloud. www.insightcloud.com. Hosted Desktop Service. What is InsightCloud? What is SaaS? What are the benefits of SaaS?

InsightCloud. www.insightcloud.com. Hosted Desktop Service. What is InsightCloud? What is SaaS? What are the benefits of SaaS? What is InsightCloud? InsightCloud is a web portal enabling Insight customers to purchase and provision a wide range of Cloud services in a straightforward and convenient manner. What is SaaS? Software

More information

Firewalls and Network Defence

Firewalls and Network Defence Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS

THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS Learn more about Symantec security here OVERVIEW Data and communication protection isn t a problem limited to large enterprises. Small and

More information

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007 Security Testing: The Easiest Part of PCI Certification Core Security Technologies September 6, 2007 Agenda Agenda The PCI Standard: Security Basics and Compliance Challenges Compliance + Validation =

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions Managed Security Managed Security MANAGED SECURITY SOLUTIONS I would highly recommend for your company s network review... were by far the best company IT Manager, Credit Management Agency Presenting IT

More information

EA-ISP-012-Network Management Policy

EA-ISP-012-Network Management Policy Technology & Information Services EA-ISP-012-Network Management Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 01/04/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref:

More information

Is Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting

Is Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Is Your IT Environment Secure? November 18, 2015 Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Clark Schaefer Consulting Serving elite and emerging companies with practical solutions

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

SERENA SOFTWARE Serena Service Manager Security

SERENA SOFTWARE Serena Service Manager Security SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand

More information

safe and sound processing online card payments securely

safe and sound processing online card payments securely safe and sound processing online card payments securely Executive summary The following information and guidance is intended to provide key payment security advice to new or existing merchants who trade

More information

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations

More information

Website Security: A good practice guide

Website Security: A good practice guide Authors: Computer Security Technology Ltd (CSTL) is a London based independent IT security specialist with over 15 years of experience. CSTL supply solutions, services, and advice to safeguard business

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Teradata and Protegrity High-Value Protection for High-Value Data

Teradata and Protegrity High-Value Protection for High-Value Data Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? Contents Introduction.... 3 What Types of Network Security Services are Available?... 4 Penetration Testing and Vulnerability Assessment... 4 Cyber

More information

Best Practices Top 10: Keep your e-marketing safe from threats

Best Practices Top 10: Keep your e-marketing safe from threats Best Practices Top 10: Keep your e-marketing safe from threats Months of work on a marketing campaign can go down the drain in a matter of minutes thanks to an unforeseen vulnerability on your campaign

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Reducing Application Vulnerabilities by Security Engineering

Reducing Application Vulnerabilities by Security Engineering Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Guidelines for Web applications protection with dedicated Web Application Firewall

Guidelines for Web applications protection with dedicated Web Application Firewall Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

Managing Vulnerabilities For PCI Compliance

Managing Vulnerabilities For PCI Compliance Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

Multi-factor authentication

Multi-factor authentication CYBER SECURITY OPERATIONS CENTRE (UPDATED) 201 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

INCREASING THE VALUE OF PENETRATION TESTING

INCREASING THE VALUE OF PENETRATION TESTING PRESENTED BY BRETT MOORE APRIL 2008, AUCKLAND, NEW ZEALAND www.insomniasec.com Table of Contents 1. What is penetration testing... 3 2. Why carry out penetration testing... 4 3. Measuring the value of

More information

Welcome to the Protecting Your Identity. Training Module

Welcome to the Protecting Your Identity. Training Module Welcome to the Training Module 1 Introduction Does loss of control over your online identities bother you? 2 Objective By the end of this module, you will be able to: Identify the challenges in protecting

More information

1. Thwart attacks on your network.

1. Thwart attacks on your network. An IDPS can secure your enterprise, track regulatory compliance, enforce security policies and save money. 10 Reasons to Deploy an Intrusion Detection and Prevention System Intrusion Detection Systems

More information

Network Segmentation

Network Segmentation Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

Unified Threat Management, Managed Security, and the Cloud Services Model

Unified Threat Management, Managed Security, and the Cloud Services Model Unified Threat Management, Managed Security, and the Cloud Services Model Kurtis E. Minder CISSP Global Account Manager - Service Provider Group Fortinet, Inc. Introduction Kurtis E. Minder, Technical

More information

ALERT LOGIC FOR HIPAA COMPLIANCE

ALERT LOGIC FOR HIPAA COMPLIANCE SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare

More information

Cybernetic Global Intelligence. Service Information Package

Cybernetic Global Intelligence. Service Information Package Cybernetic Global Intelligence Service Information Package / 2015 Content Who we are Our mission Message from the CEO Our services 01 02 02 03 Managed Security Services Penetration Testing Security Audit

More information

The Small Business Heroes guide to taking card payments for retailers

The Small Business Heroes guide to taking card payments for retailers The Small Business Heroes guide to taking card payments for retailers Every retailer wants to make more money, and one of the easiest ways to do this is to start taking card payments. No matter how small

More information

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention Whitepaper The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention May 2007 Copyright Sentrigo Ltd. 2007, All Rights Reserved The Challenge: Securing the Database Much of the effort

More information

Using Remote Desktop Clients

Using Remote Desktop Clients CYBER SECURITY OPERATIONS CENTRE December 2011 Using Remote Desktop Clients INTRODUCTION 1. Remote access solutions are increasingly being used to access sensitive or classified systems from homes and

More information

Presented By: Bryan Miller CCIE, CISSP

Presented By: Bryan Miller CCIE, CISSP Presented By: Bryan Miller CCIE, CISSP Speaker Introduction Risks Controls Why We Should Pen Test Why We Don t Pen Test Tools & Techniques Low Hanging Fruit Case Studies Copyright 2010 Syrinx Technologies

More information