PROTECTING SYSTEMS AND DATA PASSWORD ADVICE

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "PROTECTING SYSTEMS AND DATA PASSWORD ADVICE"

Transcription

1 PROTECTING SYSTEMS AND DATA PASSWORD ADVICE DECEMBER 2012 Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential and including, but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using, the information contained in this document or its references. You should make your own judgement as regards use of this document and seek independent professional advice on your particular circumstances. 1

2 Contents Introduction..3 Passwords Areas for attention Origin of the advice given in this document CPNI advice.4 Non-administrator account - specific advice Administrator account - specific advice Password strength Lockout configuration Password storage Hardware Remote connection Testing and automation Third parties Monitoring of accounts for anomalous usage Security skills and awareness Further guidance 7 2

3 Introduction Passwords A password is a string of characters used in combination with other information to identify an individual. Password protection is used to prevent unauthorised access to systems and/or material. Areas for attention There are techniques which attackers can use to determine or to discover password data. Approaches include cracking or guessing of passwords, interception during transmission and conducting a search throughout an IT infrastructure for stored password information. Many of these techniques can be applied by automated tools. Focusing on the following areas will make it more difficult for an attacker to establish and make use of passwords. Default passwords Weak passwords Password composition Password re-use and password sharing Storage of passwords Transmission of passwords Measures to protect administrator-level accounts need extra consideration. An attacker will seek escalated privileges through the compromise of these accounts. It is important that robust measures are in place to protect administrator-level accounts. Origin of the advice given in this document CPNI is participating in an international government-industry effort to promote the Top 20 Critical Security Controls for Effective Cyber Defence, published by SANS (see Further Guidance section document 3). Within the 20 controls (and sub-controls) there are measures relating to the use of passwords. CPNI have undertaken work to pull-together the password-related content within Version 4 of the Consensus Audit Guidelines (CAG4) document. The following notation is used in this document to reference advice given within the Critical Security Controls: [CSC XX-YY] where XX is the control number (1-20) and YY is the sub-control (00 indicates advice outside of the sub-control list, but within the control text). In addition, to ensure that a balanced view is provided, CPNI have captured some additional comments covering both conventional and new thinking in the area. This password advice document is intended to be an evolving document that seeks to reflect new thinking and different views on the topic. t is anticipated that this short reference document will be updated periodically. 3

4 CPNI advice Non-administrator account - specific advice Non-administrator accounts should have strong passwords that contain letters, numbers and special characters [CSC 16-08]. Non-administrator accounts should be configured to require password changes every 90 days [CSC 16-08]. Non-administrator accounts should have passwords that have a minimal age of 1 day [CSC 16-08]. Non-administrator accounts should not permit the re-use of the previous 15 passwords [CSC 16-08]. Administrator account - specific advice Administrator accounts must have strong passwords that are complex containing letters, numbers and special characters intermixed with no dictionary words present [CSC 12-02]. Administrator accounts must be configured to require regular password changes on a frequent interval tied to the complexity of the password. Interval should not exceed 90 days [CSC & 12-05]. Administrator accounts must not permit re-use of the previous 15 passwords. Re-use must not be permitted within a certain timeframe [CSC 12-09]. Administrator accounts must not be shared or even occasionally used by anyone other than the account holder [CSC 12-08]. Administrators must establish different passwords for their administrator and nonadministrator accounts [CSC 12-08]. All administrative access, including domain administrative access, should use two-factor authentication [CSC 12-12]. Password strength Complexity and length are important in preventing passwords being cracked or guessed. Recommendations for password complexity are provided above for non-administrator and administrator accounts. 4

5 It is recommended that organisations insist on the use of strong passwords for all accounts. Strong passwords should be of sufficient length to increase the difficulty it takes to crack the password [CSC 12-02]. Techniques for the generation of strong passwords are covered by documents listed within the Further Guidance section document 1 (section 3.2.4) and also in document 2. Some organisations are abandoning the practice of changing passwords at regular intervals, taking the view that changing encourages the storage of passwords by less secure means (e.g. hardcopy). Emphasis is placed instead on the use of strong passwords. However, strong passwords can be more difficult to remember, leading to increased requests for reset and the temptation to use the same password across multiple systems. Pass phrases containing multiple dictionary words along with special characters can be easier to remember, but can only be considered acceptable if they are of a reasonable length [CSC 12-02]. Lockout configuration Account lockout should be used and configured such that after a set number of failed login attempts the account is locked for a standard period of time [CSC 16-09]. Disabling an account is a denial of service. An exponentially increasing delay after each failed authentication attempt could also be considered (also known as exponential back-off). Systems should automatically create a report on a daily basis that includes a list of lockedout and disabled accounts [CSC 16-03]. Password storage Passwords must not be stored as clear text. Passwords for all systems should be stored in a hashed format, produced using an established cryptographic hashing function [CSC 12-06]. An iterated hashing function should be used. The hashed representation of a password should be produced using a salt. A unique salt should be used for each account, and should be changed when the password is changed. Salt values should be held separately from the hashed values. Files containing encrypted or hashed passwords required for systems to authenticate users should be readable only with super-user privileges [CSC 12-06]. Hardware Before deploying any new devices in a networked environment, organisations should change all default user IDs and passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value [CSC & 12-04]. 5

6 Network devices should be managed using true two-factor authentication and encrypted sessions [CSC 10-05]. Where sensitive data is held on a laptop or other portable device, the use of measures such as BIOS passwords and disk encryption should be considered. Remote Connection Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication [CSC 13-07]. Testing and automation For all types of account, checks should be in place to ensure that chosen passwords meet the requirements in terms of complexity and originality. Built-in operating system features can enforce this [CSC 12-00]. Password composition and entropy should be tested, preferably when the password is set or changed by the account user. Weak scores should result in the proposed password being rejected. Software tools are available to do this. Testing must be conducted periodically to ensure that the password policy is enforced. This can be achieved by creating a temporary, disabled, limited privilege test account on 10 different systems and then attempting to change the password on the account to a value that does not meet the organisation s password policy. Temporary test accounts should be established in a number of different, randomly-selected systems across an organisation s IT infrastructure [CSC 12-00]. An automated process should be established to periodically search for clear text s and documents containing the word password, as well as other likely indicators of password information, in the filename or body [CSC 20-05]. Systems should automatically create a report on a daily basis that includes a list of accounts with passwords that exceed the maximum password age and accounts with passwords that never expire. This list should be sent to the associated systems administrator in a secure fashion [CSC 16-03]. Third parties Where services are outsourced, instructions should be provided that clearly describe the measures which must be taken (and those which should be taken) by a third party to protect credentials which allow access to systems or data relating to the issuing organisation [CSC 12-14]. 6

7 Where a third party uses passwords to restrict access to systems or data relating to the issuing organisation, the third party should be accountable for the use of the passwords. This should form part of the contractual agreement [CSC 12-14]. Monitoring of accounts for anomalous usage In addition to good security measures directly relating to passwords, organisations must monitor user accounts. Failed login attempts should be always be logged. Attempts to access deactivated accounts should be captured, as should the use of credentials from new devices. User profiles should be constructed using information relating to typical account usage such as time-of-day access and typical duration [12-10]. Timely alerting must be established for serious anomalies and daily reporting should also be configured. In addition, configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators group [12-11]. Security Skills and Awareness Some end-users will be fooled via social engineering scams in which they are tricked into providing passwords. Understand technical skills gaps within the workforce and fill these gaps through policy, training and awareness [CSC 09-00]. Further guidance 1. Guide to Enterprise Password Management, Recommendations of the National Institute of Standards and Technology. Scarfone K., Souppaya M., NIST Special Publication , April 2009, source: [correct as of August 2012]. 2. Electronic Authentication Guideline, Recommendations of the National Institute of Standards and Technology. Burr, W.E., Dodson, D.F., Polk, W.T., NIST Special Publication Version 1.0.2, April 2006, source: [correct as of September 2012]. This document has been written to be consistent with: 3. Top 20 Critical Controls for Effective Cyber Defense, Version 4. Published by The SANS Institute, October 2012, source: [correct as of November 2012]. End of document 7

SANS Institute First Five Quick Wins

SANS Institute First Five Quick Wins #1 QUICK WIN- APPLICATION WHITELISTING SANS Critical Controls: #2: Inventory of Authorized and Unauthorized Software 1) Deploy application whitelisting technology that allows systems to run software only

More information

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access

More information

The City of New York

The City of New York The Policy All passwords and personal identification numbers (PINs) used to protect City of New York systems shall be appropriately configured, periodically changed, and issued for individual use. Scope

More information

SPEAR PHISHING UNDERSTANDING THE THREAT

SPEAR PHISHING UNDERSTANDING THE THREAT SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business

More information

Simplifying Your Approach. Password Guidance

Simplifying Your Approach. Password Guidance Simplifying Your Approach Password Guidance Page 2 Password Guidance Simplifying Your Approach Contents Foreword... 3 Introduction: the problems with passwords... 4 Tip 1: Change all default passwords...

More information

Guideline on Access Control

Guideline on Access Control CMSGu2011-08 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Access Control National Computer Board Mauritius Version 1.0

More information

idata Improving Defences Against Targeted Attack

idata Improving Defences Against Targeted Attack idata Improving Defences Against Targeted Attack Summary JULY 2014 Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does

More information

CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS

CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Cyber Security Assessments of Industrial Control Systems Good Practice

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

BYOD Guidance: Architectural Approaches

BYOD Guidance: Architectural Approaches GOV.UK Guidance BYOD Guidance: Architectural Approaches Published Contents 1. Service separation 2. Scenario 1: Exposing internal web applications 3. Scenario 2: Exposing email, calendar and contacts This

More information

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre

More information

Implementation Guide

Implementation Guide Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein

More information

CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH

CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH March 2016 Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer,

More information

e-governance Password Management Guidelines Draft 0.1

e-governance Password Management Guidelines Draft 0.1 e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Top 20 Critical Security Controls

Top 20 Critical Security Controls Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need

More information

Musina Local Municipality. Information and Communication Technology User Account Management Policy -Draft-

Musina Local Municipality. Information and Communication Technology User Account Management Policy -Draft- Musina Local Municipality Information and Communication Technology User Account Management Policy -Draft- Version Control Version Date Author(s) Details V1.0 June2013 Perry Eccleston Draft Policy Page

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

CAPITAL UNIVERSITY PASSWORD POLICY

CAPITAL UNIVERSITY PASSWORD POLICY 1.0 Overview Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Capital University's

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

ICT USER ACCOUNT MANAGEMENT POLICY

ICT USER ACCOUNT MANAGEMENT POLICY ICT USER ACCOUNT MANAGEMENT POLICY Version Control Version Date Author(s) Details 1.1 23/03/2015 Yaw New Policy ICT User Account Management Policy 2 Contents 1. Preamble... 4 2. Terms and definitions...

More information

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused. DRAFT 6.1 Information Systems Passwords OVERVIEW Passwords are an important aspect of information security. They are the front line of protection for user accounts. A poorly chosen password may result

More information

Cal State Fullerton Account and Password Guidelines

Cal State Fullerton Account and Password Guidelines Cal State Fullerton Account and Password Guidelines Purpose The purpose of this guideline is to establish a standard for account use and creation of strong passwords which adheres to CSU policy and conforms

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

OPEN DATA: ADOPTING A SECURITY-MINDED APPROACH

OPEN DATA: ADOPTING A SECURITY-MINDED APPROACH OFFICIAL OPEN DATA: ADOPTING A SECURITY-MINDED APPROACH November 2015 Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

FIREWALLS VIEWPOINT 02/2006

FIREWALLS VIEWPOINT 02/2006 FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005 THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005 13 DECEMBER 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation

More information

Use of tablet devices in NHS environments: Good Practice Guideline

Use of tablet devices in NHS environments: Good Practice Guideline Use of Tablet Devices in NHS environments: Good Practice Guidelines Programme NPFIT Document Record ID Key Sub-Prog / Project Technology Office Prog. Director Chris Wilber Status APPROVED Owner James Wood

More information

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

Procedure Title: TennDent HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary

More information

Vice President of Information

Vice President of Information Name of Policy: Password security policy 1 Policy Number: Approving Officer: Responsible Agent: Technology Scope: 3 3364-65-07 President all University campuses New policy proposal Major revision of existing

More information

Compliance Guide: PCI DSS

Compliance Guide: PCI DSS Compliance Guide: PCI DSS PCI DSS Compliance Compliance mapping using Huntsman INTRODUCTION The Payment Card Industry Data Security Standard (PCI DSS) was developed with industry support by the PCI Security

More information

FAQs about PAS 1192-5, A Specification for securityminded building information modelling, digital built environments and smart asset management

FAQs about PAS 1192-5, A Specification for securityminded building information modelling, digital built environments and smart asset management FAQs about PAS 1192-5, A Specification for securityminded building information modelling, digital built environments and smart asset management May 2015 Disclaimer Reference to any specific commercial

More information

Catapult PCI Compliance

Catapult PCI Compliance Catapult PCI Compliance Table of Contents Catapult PCI Compliance...1 Table of Contents...1 Overview Catapult (PCI)...2 Support and Contact Information...2 Dealer Support...2 End User Support...2 Catapult

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

RSA SecurID Software Token Security Best Practices Guide

RSA SecurID Software Token Security Best Practices Guide RSA SecurID Software Token Security Best Practices Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA, the RSA

More information

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

Account Management Standards

Account Management Standards Account Management Standards Overview These standards are intended to guide the establishment of effective account management procedures that promote the security and integrity of University information

More information

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance

More information

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing

More information

PASSWORD MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

PASSWORD MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region PASSWORD MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Audit and Management Advisory Services Computer Environment Internal Control Questionnaire

Audit and Management Advisory Services Computer Environment Internal Control Questionnaire Audit and Management Advisory Services Computer Environment Internal Control Questionnaire Date: Completed By: Name: Department: Position: Phone: Email Address: Section 1: Security Education and Awareness

More information

SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support

SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support Desktop Support and Data Breaches: The Unknown Dangers Bryan Hood Senior Solutions Engineer, Bomgar bhood@bomgar.com Session Description

More information

Section 12 MUST BE COMPLETED BY: 4/22

Section 12 MUST BE COMPLETED BY: 4/22 Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege

More information

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/ Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

Portal Administration. Administrator Guide

Portal Administration. Administrator Guide Portal Administration Administrator Guide Portal Administration Guide Documentation version: 1.0 Legal Notice Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec

More information

Network Security Policy

Network Security Policy KILMARNOCK COLLEGE Network Security Policy Policy Number: KC/QM/048 Date of First Issue: October 2009 Revision Number: 3 Date of Last Review: October 2011 Date of Approval \ Issue May 2012 Responsibility

More information

Web Plus Security Features and Recommendations

Web Plus Security Features and Recommendations Web Plus Security Features and Recommendations (Based on Web Plus Version 3.x) Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division of

More information

Password regulations for Karolinska Institutet

Password regulations for Karolinska Institutet Password regulations for Karolinska Institutet Dnr 1-213/2015 Version 2.0 Applicable from 2015-05-18 Password regulations for Karolinska Institutet - Summary Purpose The main purpose of these regulations

More information

BlackBerry 10.3 Work and Personal Corporate

BlackBerry 10.3 Work and Personal Corporate GOV.UK Guidance BlackBerry 10.3 Work and Personal Corporate Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations

Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations Defense Security Service Office of the Designated Approving Authority Standardization of Baseline Technical Security Configurations March 2009 Version 2.2 This page intentionally left blank. 2 1. Introduction...4

More information

Windows Operating Systems. Basic Security

Windows Operating Systems. Basic Security Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System

More information

Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation Nokia E61 Nokia E61 Legal Notice Copyright Nokia 2006. All rights reserved. Reproduction, transfer, distribution or storage

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

Information Technology Services Standards

Information Technology Services Standards Owner: IT Security and Page 1 of 10 Table of Contents 1 Purpose... 2 2 Entities Affected by this Standard... 2 3 Definitions... 2 4 Standards... 3 4.1 General... 3 4.2 Password Construction... 4 4.2.1

More information

Using Remote Desktop Clients

Using Remote Desktop Clients CYBER SECURITY OPERATIONS CENTRE December 2011 Using Remote Desktop Clients INTRODUCTION 1. Remote access solutions are increasingly being used to access sensitive or classified systems from homes and

More information

Service Accounts A Secant Standards White Paper

Service Accounts A Secant Standards White Paper Service Accounts A Secant Standards White Paper Publication No.:101 Version: 11/28/11 ABOUT STANDARDS Secant is pleased to publicly release several key technology standards for reference by our clients

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

Configuring Facebook for a More Secure Social Networking Experience

Configuring Facebook for a More Secure Social Networking Experience CPF 00009-15-CID361-9H-Facebook* 10 November 2015 Configuring Facebook for a More Secure Social Networking Experience Settings Settings are available under the Facebook Configuration Arrow. General Settings

More information

Security Guide for the BD Remote Instrument Support Solution BD Biosciences workstations

Security Guide for the BD Remote Instrument Support Solution BD Biosciences workstations Security Guide for the BD Remote Instrument Support Solution BD Biosciences workstations 11/2010 This document includes the following topics: About this guide (page 2) TeamViewer remote desktop support

More information

AlienVault for Regulatory Compliance

AlienVault for Regulatory Compliance AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 10 Authentication and Account Management Objectives Describe the three types of authentication credentials Explain what single sign-on

More information

Global ediscovery Client Data Security. Managed technology for the global legal profession

Global ediscovery Client Data Security. Managed technology for the global legal profession Global ediscovery Client Data Security Managed technology for the global legal profession Epiq Systems is a global leader in providing fully integrated technology products and services for ediscovery and

More information

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University Module II. Internet Security Chapter 7 Intrusion Detection Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 7.1 Threats to Computer System 7.2 Process of Intrusions

More information

Adobe Systems Software Ireland Ltd

Adobe Systems Software Ireland Ltd Adobe Systems Software Ireland Ltd Own motion investigation report 13/00007 Timothy Pilgrim, Australian Privacy Commissioner Contents Overview... 2 Background... 3 Relevant provisions of the Privacy Act...

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Use QNAP NAS for Backup

Use QNAP NAS for Backup Use QNAP NAS for Backup BACKUP EXEC 12.5 WITH QNAP NAS Copyright 2010. QNAP Systems, Inc. All Rights Reserved. V1.0 Document revision history: Date Version Changes Apr 2010 1.0 Initial release Note: Information

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3

FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3 FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

BlackBerry 10.3 Work Space Only

BlackBerry 10.3 Work Space Only GOV.UK Guidance BlackBerry 10.3 Work Space Only Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network architecture

More information

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update Pension Benefit Guaranty Corporation Office of Inspector General Evaluation Report Penetration Testing 2001 - An Update August 28, 2001 2001-18/23148-2 Penetration Testing 2001 An Update Evaluation Report

More information

Automating Compliance Reporting for PCI Data Security Standard version 1.1

Automating Compliance Reporting for PCI Data Security Standard version 1.1 PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security

More information

Common Cyber Threats. Common cyber threats include:

Common Cyber Threats. Common cyber threats include: Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...

More information

Authentication Solutions Buyer's Guide

Authentication Solutions Buyer's Guide WHITE PAPER: AUTHENTICATION SOLUTIONS BUYER'S GUIDE........................................ Authentication Solutions Buyer's Guide Who should read this paper Individuals who would like more details regarding

More information

New Systems and Services Security Guidance

New Systems and Services Security Guidance New Systems and Services Security Guidance Version Version Number Date Author Type of modification / Notes 0.1 29/05/2012 Donna Waymouth First draft 0.2 21/06/2012 Donna Waymouth Update re certificates

More information

State of Vermont. User Password Policy and Guidelines

State of Vermont. User Password Policy and Guidelines State of Vermont User Password Policy and Guidelines Date of Rewrite Approval: 10/2009 Originally Approved: 4/08/2005 Approved by: Neale F. Lunderville Policy Number: fib lleul~ 1.0 Introduction... 3 1.1

More information

VMware vcloud Air SOC 1 Control Matrix

VMware vcloud Air SOC 1 Control Matrix SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT

CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION AP 3721 COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT 1.0 Purpose The purpose of this procedure is to establish a standard for the administration

More information

Cyber Exploits: Improving Defenses Against Penetration Attempts

Cyber Exploits: Improving Defenses Against Penetration Attempts Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How

More information