OTM Security in an Evolving Threat Landscape. Anoop Jangamakote Ryan Haney
Table of Contents
1. What is Information Security? Why is it important?
2. Introduction to OTM Security
3. OTM Threat Modeling
4. Secure Infrastructure
5. Functional Security
6. OTM Security Resources
7. Open Discussion / Q&A
What is Information Security?
Protection of information against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
Information Security is a combination of security requirements and goals, business processes, technical controls, policies, and procedures.
Shorter and easier: information security is about making sure information is available when it's needed, to only the right people, and being able to verify the availability of and access to information.
Why is Security Important?
Organizations breached in 2014:
- Neiman Marcus
- White Lodging
- Sally Beauty
- Michaels
- 11 different casinos
- State of New York
- PF Changs
- Albertsons and Super Valu
- Community Health Systems
- UPS
- Dairy Queen
- Goodwill
- Home Depot
- Jimmy John's
- JP Morgan Chase
- Sourcebooks
- Kmart
- Staples
- Bebe
- Sony
Why is Security Important?
- These are only the Forbes Top 20 information security breaches of 2014
- McAfee estimates the total global cost of cyber and information security breaches to date at between $375 and $575 billion
- Security breaches not only cost money directly, but they can reduce innovation, damage brand reputation, and threaten future business prospects
OTM Security: What in OTM is valuable to an attacker?
- OTM typically does not contain the data that represents the highest risk or highest value to most attackers, such as PII and credit card data
- OTM may contain significant confidential and/or proprietary information that is valuable to an attacker for corporate espionage or for revenge/embarrassment
- Access to OTM may give an attacker a path into another system holding higher-value data: OTM integrates with JDE/PeopleSoft, SAP, and other business software packages that do contain high volumes of PII or other valuable data
- Understanding and evaluating the threats to OTM is an important step in securing OTM
OTM Threat Model
1. Identify Assets: corporate data, financial data, PII, operational intelligence, business processes
2. Architecture Overview: diagram and document OTM's physical and logical architecture in your environment
3. Deconstruct the Application: break the architecture areas from step 2 into security zones such as public/DMZ, internal only, and secure/protected
4. Identify the Threats: identify the possible threats to each security zone by analyzing the goals of the potential attacker, the attacker's potential knowledge of your system, and potential vulnerabilities
5. Document the Threats: create a threat assessment document for the threats identified; it should include the threat methodology, the threat risk (based on likelihood and impact), and corrective actions
6. Rate the Threats: classify each threat according to your corporate information security policy, typically high, medium, and low, with a corresponding priority given to each level of threat
Identify the Asset: rate information
- Confidential/proprietary data
- Integral to OTM functionality
- May represent valuable data for corporate espionage
- Compromise of rate data can have a broad impact on business operations, not just for the OTM system owner but also for its vendors (carriers)

Architecture Overview (diagram): web tier, application tier, database tier, placed in three security zones: Public / DMZ (web tier), Internal (application tier), Secure / Protected (database tier)
Identify the Threats
Public / DMZ:
- Brute force access to the OTM front-end
- Social engineering attack on OTM users to obtain login information or rate data directly
- Common web vulnerabilities (SQL injection, XSS)
- Compromised integration points / external systems
- Unknown threats
Internal:
- Application-layer web service exposure
- Server level access
- Log files
- OTM Java / Python tools
- Unknown threats
Protected:
- Social engineering attacks on DBAs and other high-privileged administrators (HPAs)
- OAQ
- Compromise of HPA computers
- Unknown threats
OTM Threat Model, applied to the rate-information asset
1. Identify Assets: privileged information, rate information
2. Architecture Overview: web tier, application tier, database tier
3. Deconstruct the Application: web tier is public/DMZ, application tier is internal, database tier is secure
4. Identify the Threats: create a list or matrix of threats to each tier
5. Document the Threats: create a threat document that addresses the risk of each threat, where risk is a value assigned based on the likelihood and consequences of a breach; include mitigation steps where any exist, whether technical or process based
6. Rate the Threats
Document the Threats: Risk = Probability x Impact

                        Business Impact
  Probability      Low         Medium      High
  Certain          High        Extreme     Extreme
  Possible         Moderate    High        Extreme
  Unlikely         Low         Moderate    High
Document the Threats: brute force access to the OTM front-end
Risk analysis: probability is Possible, impact is Medium, so overall risk is High
Mitigation:
- Implement strong OTM password policies (low cost, easy to implement)
- Monitor OTM logs for brute force attempts (low cost, easy to implement)
- Use SSO for strong access control at a business level (moderate cost, more difficult to implement)
Rate the Threats
- Compare each threat to the others faced by the root asset, and to the others in the same asset and threat tier
- Rank the threats according to risk, then evaluate mitigation strategies according to cost and benefit
- Threat modeling as part of project planning is particularly valuable, because mitigation strategies can be baked into the solution as it is developed
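The matrix and the ranking step above, carried through in code. This is an added example, not part of the original presentation: the probability and impact labels and the matrix cells are transcribed from the slides, the numeric ordering used to sort risk levels is our own, and the probability/impact assignments for every threat other than the brute-force case are constructed for illustration.

```python
"""Risk = Probability x Impact, using the slide's 3x3 matrix, then rank the threats (step 6)."""
from dataclasses import dataclass

# Matrix transcribed from the slide: rows are probability, columns are business impact.
RISK_MATRIX = {
    "Certain":  {"Low": "High",     "Medium": "Extreme",  "High": "Extreme"},
    "Possible": {"Low": "Moderate", "Medium": "High",     "High": "Extreme"},
    "Unlikely": {"Low": "Low",      "Medium": "Moderate", "High": "High"},
}

# Ordinal ordering for ranking. The labels are the slide's; the numbers are an assumption.
RISK_ORDER = {"Low": 1, "Moderate": 2, "High": 3, "Extreme": 4}


@dataclass(frozen=True)
class Threat:
    name: str
    zone: str          # Public/DMZ, Internal or Protected
    probability: str   # Certain, Possible or Unlikely
    impact: str        # Low, Medium or High


def rate(probability, impact):
    """Look up the overall risk for one threat; reject labels that are not in the matrix."""
    try:
        return RISK_MATRIX[probability][impact]
    except KeyError as err:
        raise ValueError(f"unknown probability/impact label: {err}") from None


def rank(threats):
    """Return (threat, risk) pairs, highest risk first; ties are broken by name for determinism."""
    rated = [(t, rate(t.probability, t.impact)) for t in threats]
    return sorted(rated, key=lambda pair: (-RISK_ORDER[pair[1]], pair[0].name))


# Threats taken from the "Identify the Threats" slide. Only the brute-force row carries the
# ratings given on the slide; the other probability/impact values are constructed.
THREATS = [
    Threat("Brute force access to OTM front-end", "Public/DMZ", "Possible", "Medium"),
    Threat("SQL injection / XSS in web tier", "Public/DMZ", "Possible", "High"),
    Threat("Unprotected app-tier web services", "Internal", "Unlikely", "High"),
    Threat("Passwords in WebLogic console log", "Internal", "Possible", "High"),
    Threat("Social engineering of DBAs", "Protected", "Unlikely", "High"),
]

if __name__ == "__main__":
    for threat, risk in rank(THREATS):
        print(f"{risk:8} {threat.zone:11} {threat.name}")
```

The ranked list is the input to the cost/benefit comparison of mitigations: two threats rated Extreme are handled before anything rated High, whichever tier they sit in.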
Security Infrastructure: Encryption
Data in flight:
- HTTPS/TLS is supported and recommended between end-users and the OTM web tier
- The HTTPS certificate may be installed directly on Oracle HTTP Server (OHS), or TLS may be offloaded to a load balancer; if it is offloaded, the segment between the load balancer and OHS is cleartext unless it is re-encrypted
- In-flight data between OHS and Tomcat is unencrypted, but typically only transits localhost
- In-flight data between Tomcat and WebLogic uses the T3 protocol, which is unencrypted by default; encrypted T3 may be implemented
- In-flight JDBC data is also unencrypted by default, but may be encrypted using the Oracle standard JDBC driver
Data at rest:
- Oracle Transparent Data Encryption (TDE) may be used on the database
- Windows and Linux both offer disk encryption
- Both Oracle TDE and Windows/Linux disk encryption have extremely low overhead on modern CPUs with the AES-NI instruction set
- Most modern SAN storage systems offer transparent encryption at the block or file level
- Encryption at rest protects against loss or theft of the storage media; it does not limit what an authenticated database user can read, which is why database access control (next slides) still matters
Security Infrastructure: Access
- Many different access points and levels to consider: OTM web access, server level access, database access, and access to different levels of data, different OTM servlets, and logs
- OTM web access can use the default OTM authentication or SSO; OTM SSO supports LDAP and Oracle Access Manager
- Either authentication method still requires users to be assigned to domains
- Important! Each new domain is created with a default user <DOMAIN>.ADMIN with the password CHANGEME; change it as soon as the domain is created
- There are many default OTM users on an initial installation; some can be removed, others cannot
- System and guest accounts are required for operation and should be created with unique and secure passwords when installing OTM. Older OTM versions used CHANGEME as the default, so installations running 6.2 and older should double check these accounts and change the passwords immediately
- Server level access can also be tied in to SSO, via Active Directory accounts or via LDAP on Unix systems
- OTM log data may contain sensitive information, such as the system password in the WebLogic console log; carefully consider the permissions on the OTM log directories
Security Infrastructure: Access (database)
- Database access is one of the most important considerations for system security
- Consider limiting and locking down access to the OTM out-of-box schemas (GLOGOWNER, REPORTOWNER, etc.) and instead creating custom schemas with the least necessary privileges. This not only increases security, but decreases the likelihood of system instability and problems during upgrades
- The number of users and administrators with database access should generally decrease the closer one gets to production
- Database auditing may be used to audit successful and/or unsuccessful statement executions (either once per user session or each time), activities of all users, activities of a specific user, actions involving a specific database object, actions involving a specific type of SQL statement, actions involving the invocation of a specific privilege, and fine-grained auditing where the granularity is highly customizable
- Database auditing can have a significant performance impact, so implement a strategy that captures the needed information without burdening the system
- Writing the audit trail to an operating system file rather than to the database audit trail table can improve audit performance
Security Infrastructure: Access (servlets)
- OTM servlets can be extremely powerful and represent a significant risk to the system's data and stability
- Access can be limited by ACL, or the servlet can be removed at the OTM web tier by commenting it out in the OTM web.xml
- The SQL, Event Diagnostics, and Process servlets are examples that OTM administrators may want to remove or restrict on externally facing web servers
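A small audit of the web.xml approach described above, added here as an example; it is not OTM's code or configuration. It parses the standard Java EE deployment descriptor format (servlet and servlet-mapping elements) and reports high-risk servlets that are still both defined and mapped, plus mappings left behind after a definition was commented out. The servlet names, classes and URL patterns in the sample descriptor are constructed placeholders standing in for the SQL, Event Diagnostics and Process servlets named on the slide; the real OTM identifiers are not reproduced here.

```python
"""Audit an OTM web tier's web.xml for high-risk servlets that are still deployed."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the namespace prefix so the code works whether or not <web-app> declares xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(parent, name):
    """Text of the first direct child element called `name`, or None."""
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _parse(web_xml):
    """Return (defined servlet names, {servlet-name: [url-patterns]}).

    Commented-out <servlet> / <servlet-mapping> blocks are invisible to the XML parser,
    which is exactly why commenting them out in web.xml removes the servlet."""
    root = ET.fromstring(web_xml)
    defined, mappings = set(), {}
    for el in root:
        kind = _local(el.tag)
        if kind == "servlet":
            defined.add(_child_text(el, "servlet-name"))
        elif kind == "servlet-mapping":
            name = _child_text(el, "servlet-name")
            mappings.setdefault(name, []).append(_child_text(el, "url-pattern"))
    return defined, mappings


def exposed_servlets(web_xml, high_risk):
    """High-risk servlets that are both defined and mapped, i.e. still reachable over HTTP."""
    defined, mappings = _parse(web_xml)
    return {n: sorted(p) for n, p in mappings.items() if n in high_risk and n in defined}


def dangling_mappings(web_xml):
    """Mappings whose <servlet> was removed but whose <servlet-mapping> was left behind.

    Nothing is exposed by these, but the container will reject the descriptor, so a
    half-done edit shows up here rather than as a failed deployment."""
    defined, mappings = _parse(web_xml)
    return {n: sorted(p) for n, p in mappings.items() if n not in defined}


# Placeholder names for the SQL, Event Diagnostics and Process servlets named on the slide.
HIGH_RISK = {"SqlServlet", "EventDiagServlet", "ProcessServlet"}

# Constructed descriptor: SqlServlet still live, ProcessServlet fully commented out,
# EventDiagServlet half-removed (definition commented out, mapping left in place).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>example.LoginServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>SqlServlet</servlet-name>
    <servlet-class>example.SqlServlet</servlet-class>
  </servlet>
  <!--
  <servlet>
    <servlet-name>ProcessServlet</servlet-name>
    <servlet-class>example.ProcessServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>EventDiagServlet</servlet-name>
    <servlet-class>example.EventDiagServlet</servlet-class>
  </servlet>
  -->
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/login</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>SqlServlet</servlet-name>
    <url-pattern>/sql/*</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping>
    <servlet-name>ProcessServlet</servlet-name>
    <url-pattern>/process/*</url-pattern>
  </servlet-mapping>
  -->
  <servlet-mapping>
    <servlet-name>EventDiagServlet</servlet-name>
    <url-pattern>/eventdiag/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == "__main__":
    print("exposed:", exposed_servlets(SAMPLE_WEB_XML, HIGH_RISK))
    print("dangling:", dangling_mappings(SAMPLE_WEB_XML))
```

Run it against the web.xml of each externally facing OHS/Tomcat instance after a hardening change: an empty "exposed" result and an empty "dangling" result together mean the servlet is gone and the descriptor is still valid.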
Enabling Security - Functionally (overview diagram): Account Policy, User Role, User, Role Grants, User Grants, Level Grants, Access Control List, VPD, Manage User Access
Account Policies
An Account Policy controls user login and password security attributes such as:
- User password expiration period
- Warning period to alert a user that their password is about to expire
- History of used passwords that cannot be re-used until recycled
- Number of invalid login attempts allowed, and a lockout duration when a user exceeds the maximum
- Number of days a login may be dormant before the user account expires
- Login history, to keep track of when a user logs in or attempts to log in to Oracle Transportation Management
- Rules that define the content of a password (for example, the minimum number of characters, alpha/numeric/mixed characters, etc.)
Some examples of password rules, written as regular expressions:
- [a-zA-Z0-9]$ : the last character of the password must NOT be a special character
- ^.{7,10}$ : the password must be at least 7 and at most 10 characters long
- [0-9] (or [[:digit:]]) : the password must contain at least one number
- [^a-zA-Z0-9] : the password must contain at least one special character
- [a-zA-Z] (or [[:alpha:]]) : the password must contain at least one alphabetic character
Note the double brackets: a POSIX class such as [:digit:] is only a class inside a bracket expression, as [[:digit:]]. Written on its own as [:digit:], the rule is a plain set of the characters : d i g t, so it is satisfied by "digit" and not by "7". Test every rule against a password that should fail it before enabling the policy.
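The password rules above checked against sample passwords, as an added example (not OTM's own implementation). It evaluates the rules with Python's re module; OTM's own regular-expression engine is an assumption not confirmed by the slides, so the exact behaviour of a malformed rule may differ there, but the pitfall shown (an unbracketed POSIX class degrading into a set of literal characters) is the same one GNU grep rejects outright. The two sample passwords are constructed.

```python
"""Check candidate passwords against the slide's account-policy rules (Python re semantics)."""
import re

# Rules as written on the slide (a-zA-Z case restored). A compliant password matches all of them.
# "[:digit:]" and "[:alpha:]" are NOT character classes here: without the outer brackets they
# are plain sets of the literal characters : d i g t and : a l p h.
SLIDE_RULES = {
    "last char not special": r"[a-zA-Z0-9]$",
    "7 to 10 chars":         r"^.{7,10}$",
    "has a digit":           r"[:digit:]",
    "has a special char":    r"[^a-zA-Z0-9]",
    "has a letter":          r"[:alpha:]",
}

# Same intent, with the two class rules rewritten so they mean what the slide says they mean.
CORRECTED_RULES = {
    **SLIDE_RULES,
    "has a digit":  r"[0-9]",
    "has a letter": r"[a-zA-Z]",
}


def failing_rules(password, rules):
    """Names of the rules the password does not satisfy (an empty list means compliant)."""
    return [name for name, pattern in rules.items() if not re.search(pattern, password)]


def is_compliant(password, rules=CORRECTED_RULES):
    return not failing_rules(password, rules)


if __name__ == "__main__":
    # Constructed samples: "pilot-digs" has no digit yet passes the slide's rules;
    # "Secur3#pw" is a reasonable password yet fails the slide's "has a digit" rule.
    for pw in ("pilot-digs", "Secur3#pw"):
        print(pw, "slide:", failing_rules(pw, SLIDE_RULES),
              "corrected:", failing_rules(pw, CORRECTED_RULES))
```

The interesting output is the disagreement between the two rule sets on the same password: a rule that accepts "pilot-digs" as containing a digit is enforcing nothing, and a policy that rejects "Secur3#pw" pushes users toward passwords that happen to contain the letters d, i, g or t.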
User / User Role Security
User Roles control:
- Data security (ability to view, edit, and delete)
- Functional security (ability to execute actions)
Related controls: Access Control List, VPD, Role Grants, User Grants, User Role, User Preferences
Access Control List
- A collection of servlets
- Grants a user or user role the ability to view/edit the pages in the list
- Restricts access points
- Example: SqlServlet, which allows select/update/delete against the database
Virtual Private Database (VPD)
- Used when you need to filter data based on a User or User Role
- Provides an additional layer of security on specific tables and/or columns
- Example: the business has multiple 3PL service providers who need to use the same role but must have access only to their own data
User Role / User / Level Grants
- Enable a role to have access to multiple other roles
- Enable a user to have access to multiple roles
- Defining a clear plan and process for designing the proper access to roles, for user roles and for users, helps ensure data is not compromised
Manage Access Effectively: Functional Access, Page Access, Menu Access
Think out of the box to secure: use other OTM functions to enable a more secure environment
- Define and refine the User Menu based on User/Role
- Define and refine User Actions based on User/Role
- Control actions on data using Action Checks
- Show only the required data by leveraging Manager Layouts and Screen Sets
- Be a step ahead: use Field Screen Sets whenever necessary
OTM Security Resources
- The OTM Security Guide is an excellent resource for OTM-specific recommendations
- Oracle publishes security alerts; enter your e-mail address when installing OTM and associated Oracle products to receive them
- The U.S. Computer Emergency Readiness Team (US-CERT) mailing lists send vulnerability alerts and digests
- The National Vulnerability Database (NVD) provides tools to search for vulnerable versions of OTM and related software
Open Discussion / Q&A
Application Vulnerability Trends Report : 2013 Table of Contents 3 4 5 6 7 8 8 9 10 10 Introduction 99% of Tested Applications Have Vulnerabilities Cross Site Scripting Tops a Long List of Vulnerabilities
More informationPCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker
PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS
More informationTechnical Findings Sample Report
Technical Findings Sample Report A B C C o m p a n y S a m p l e S e c u r i t y A s s e s s m e n t 2 5 0 S c i e n t i f i c D r i v e S u i t e 3 0 0 N o r c r o s s G A 3 0 0 9 2 P h o n e N u m b
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationTeleran PCI Customer Case Study
Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data
More informationwww.novell.com/documentation Administration Guide Novell Filr 1.0.1 May 2014
www.novell.com/documentation Administration Guide Novell Filr 1.0.1 May 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,
More informationPCI DSS Reporting WHITEPAPER
WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts
More informationLockoutGuard v1.2 Documentation
LockoutGuard v1.2 Documentation (The following graphics are screen shots from Microsoft ISA Server and Threat Management Gateway which are the property of Microsoft Corp. and are included here for instructive
More informationWeb Security School Final Exam
Web Security School Final Exam By Michael Cobb 1.) Which of the following services is not required to run a Windows server solely configured to run IIS and publish a Web site on the Internet? a. IIS Admin
More informationPrivileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery
Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account
More information1 Attack Top Attackers Report, Top Targets Report, Top Protocol Used by Attack Report, Top Attacks Report, Top Internal Attackers Report, Top External Attackers Report, Top Internal Targets Report, Top
More informationArchitecture Guidelines Application Security
Executive Summary These guidelines describe best practice for application security for 2 or 3 tier web-based applications. It covers the use of common security mechanisms including Authentication, Authorisation
More informationAchieving PCI Compliance: How Red Hat Can Help. Akash Chandrashekar, RHCE. Red Hat Daniel Kinon, RHCE. Choice Hotels Intl.
Achieving PCI Compliance: How Red Hat Can Help Akash Chandrashekar, RHCE. Red Hat Daniel Kinon, RHCE. Choice Hotels Intl. Agenda Understanding Compliance Security Features within Red Hat Backporting Choice
More informationDepartment of Finance Department of Purchasing and Supply Management Fixed Assets System Audit Final Report
Department of Finance Department of Purchasing and Supply Management Fixed Assets System Audit Final Report November 2006 promoting efficient & effective local government Executive Summary The Department
More informationCompliance Guide: PCI DSS
Compliance Guide: PCI DSS PCI DSS Compliance Compliance mapping using Huntsman INTRODUCTION The Payment Card Industry Data Security Standard (PCI DSS) was developed with industry support by the PCI Security
More informationObtaining Value from Your Database Activity Monitoring (DAM) Solution
Obtaining Value from Your Database Activity Monitoring (DAM) Solution September 23, 2015 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy Corporation
More informationTransparent Data Encryption: New Technologies and Best Practices for Database Encryption
Sponsored by Oracle : New Technologies and Best Practices for Database Encryption A SANS Whitepaper April 2010 Written by Tanya Baccam, SANS senior instructor and course author for SEC509: Oracle Database
More informationwww.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing
More informationVIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso
VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia.
More informationAddressing Cyber Security in Oracle Utilities Applications
Addressing Cyber Security in Oracle Utilities Applications Anthony Shorten Principal Product Manager Oracle Utilities Global Business Unit Sept, 2014 Safe Harbor Statement The following is intended to
More informationUnderstanding and Selecting the Right Secure File Transfer Solution for your Organization
Secure File Transfer Understanding and Selecting the Right Secure File Transfer Solution for your Organization w w w. b i s c o m. c o m 321 Billerica Road, Chelmsford, MA phone: 978-250-1800 email: sales@biscom.com
More informationIn this topic we will cover the security functionality provided with SAP Business One.
In this topic we will cover the security functionality provided with SAP Business One. 1 After completing this topic, you will be able to: Describe the security functions provided by the System Landscape
More informationSoftware Architecture Document
Software Architecture Document Project Management Cell 1.0 1 of 16 Abstract: This is a software architecture document for Project Management(PM ) cell. It identifies and explains important architectural
More informationOracle Database Security. Nathan Aaron ICTN 4040 Spring 2006
Oracle Database Security Nathan Aaron ICTN 4040 Spring 2006 Introduction It is important to understand the concepts of a database before one can grasp database security. A generic database definition is
More informationOracleAS Identity Management Solving Real World Problems
OracleAS Identity Management Solving Real World Problems Web applications are great... Inexpensive development Rapid deployment Access from anywhere BUT. but they can be an administrative and usability
More informationVormetric Encryption Architecture Overview
Vormetric Encryption Architecture Overview Protecting Enterprise Data at Rest with Encryption, Access Controls and Auditing Vormetric, Inc. 2545 N. 1st Street, San Jose, CA 95131 United States: 888.267.3732
More information8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year
Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 80% of compromised systems were card present or in-person transactions
More informationSelecting the Right Active Directory Security Reports for Your Business
Selecting the Right Active Directory Security Reports for Your Business Avril Salter 1. 8 0 0. 8 1 3. 6 4 1 5 w w w. s c r i p t l o g i c. c o m / s m b I T 2011 ScriptLogic Corporation ALL RIGHTS RESERVED.
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationWeb Plus Security Features and Recommendations
Web Plus Security Features and Recommendations (Based on Web Plus Version 3.x) Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division of
More informationSystem Security Policy Management: Advanced Audit Tasks
System Security Policy Management: Advanced Audit Tasks White Paper October 6, 2005 2005 Altiris Inc. All rights reserved. ABOUT ALTIRIS Altiris, Inc. is a pioneer of IT lifecycle management software that
More informationPA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing
for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks
More information