An Approach To Web Application Threat Modeling
By Akash Shrivastava, April 2008 (Akash.InfoSec@gmail.com)
1. Overview

In the present internet computing environment, one form of security or another has become a requirement for all web applications. The importance of confidentiality, integrity and privacy is increasing day by day, and security has become vital in internet technology. To design a secure web application it is very important to analyze and model the potential threats. Threat modeling is a procedure for optimizing network, application and internet security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. [5]

A threat is a potential or actual undesirable event that may be malicious (such as a DoS attack) or incidental (such as information disclosure). Threat modeling is a planned activity for identifying and assessing application threats and vulnerabilities. Threat modeling is an ongoing process, so companies should develop and implement a framework for threat mitigation. The aim of this paper is to identify relevant threats and vulnerabilities in the web application and to build a security framework that helps in designing a secure web application.

2. Practical Utilities of Threat Modeling

There are various vulnerabilities present in web applications. Organizations should invest in addressing vulnerabilities according to their impact on the organization. A vulnerability that can be exploited is a threat to the organization's functions and assets. Threat modeling can be used to:

- Identify potential threats that can be exploited to launch a successful attack against the application and the organization's assets.
- Design the application to meet the security objectives.
- Help make key engineering decisions while prioritizing potential threats.
- Identify the vulnerabilities that are actually critical in the unique environment, such as the company network.
- Prioritize and reduce the risk of security issues arising during development and operations. [8]
3. Procedure of Web Application Threat Modeling

The major steps involved in threat modeling of a web application are listed below:

- Security objectives identification
- Assets identification
- Application walkthrough
- System modeling
- Threats identification
- Vulnerabilities identification
- Threat agent selection
- Threat history examination
- Prioritizing the assets and vulnerabilities
- Threat impact analysis

3.1 Security Objectives Identification:

Security objectives are goals and constraints related to the confidentiality, integrity and availability of customers' data and applications. Typical security objectives are:

- Protect customer account details and customer credit history; for example, prevent attackers from obtaining sensitive customer data, including passwords, profile information, financial history, customer credit card numbers, bank details or travel itineraries.
- Ensure the availability of the application at any time, i.e. meet Service-Level Agreements (SLAs) for application availability, or meet a compliance requirement or standard.
- Prevent unauthorized users from modifying information, especially financial information.
- Honor the guarantees the company makes to its customers about service availability and the confidentiality or integrity of their data, and thereby protect the company's online business credibility.
3.2 Assets Identification:

An asset is a resource of value, and what counts as valuable varies by perspective. To the business, an asset might be the availability of information, or the information itself, such as customer data. It is important to identify and create a list of assets; this involves considering every potential company asset and deciding whether or not it fits within the security perimeter. The following is a list of common sensitive assets [7]:

- Computers and laptops
- Routers and networking equipment
- Printers and fax machines
- Cameras, digital or analog, holding company-sensitive photographs
- Data: sales, customer information, employee information
- Company smartphones/PDAs
- VoIP phones, IP PBXs (the digital version of phone exchange boxes) and related servers
- VoIP or regular phone call recordings and records
- Logs of employees' daily schedules and activities
- Web pages, especially those that ask for customer details and those that are backed by web scripts that query a database
- Web server computers
- Security cameras
- Employee access cards
- Access points (i.e., any scanners that control room entry)

To an attacker, an asset could be the ability to misuse an application for unauthorized access to data or privileged operations.
3.3 Application Walkthrough:

In this step the web application is summarized in terms of what it does, its communication and security mechanisms, and so on. This step is all about acquiring the maximum possible information about the target application. The objective is to identify the application's key functionality, characteristics, roles, key usage scenarios, technologies and security mechanisms. This will help identify relevant threats during the Threats Identification phase. The following things need to be considered to create an application walkthrough:

- Gather details about the deployment topology, logical layers, key services, and communication ports and protocols.
- Identify the application's roles, i.e. who can do what within the application: higher-privileged groups of users, internal users and administrators, guest users and internet users, and web service or database roles.
- Identify the key usage scenarios of the application. What are its important features? What does it do? Typical scenarios would be: a user views and searches products and adds them to the shopping cart; a registered user logs in and places an order through the shopping cart. Identifying the functionality and usage of the application helps you understand how the application is intended to be used and how it can be misused.
- Identify and list the technologies and software that the application uses: for example the operating system type, the web server type and version, the database, and the development technology (.NET, C# or other). This not only helps to focus on technology-specific threats but also helps determine the correct and most appropriate mitigation techniques.
- Identify which security mechanisms are used by the application. Key points to consider when identifying the application's security mechanisms are, for example:
  - Input and data validation
  - Authentication and authorization mechanisms
  - Session management
  - Cryptographic techniques used
  - Auditing and logging
3.4 System Modeling:

At the start of the threat modeling process the security designer needs to understand the system thoroughly. With the help of the use cases and the architectural model, a system model for the application can be created. The more you know about the application, the easier it is to expose threats and discover vulnerabilities. This step involves breaking down the application to create a security profile. Decomposing the application involves understanding every component (website, web service or database) and its interconnections, defining usage scenarios, and identifying assumptions and dependencies (external or internal, such as Active Directory or the mail system). There are different techniques that can be used to model a computing system. The following points can be considered to create a model of the application or system:

- Identify the trust boundaries of the system, such as a perimeter firewall or the boundary between the web application and a third-party service.
- Draw the Data Flow Diagram (DFD) of the application. The DFD dissects the application into its functional components and indicates the flow of data into and out of the various system components, such as the user login method and the data flow between the web application, the database server and a third-party service or web service.
- Identify the entry points to the application, as they also serve as entry points for attacks: web requests through port 80 or port 443, login pages for internal and external users, admin pages, and so on.
- Identify exit points, as they can also be used as an attack vector: for example a search page, which writes back the client's search string together with the results, or an index page which displays product details.

What we need is a system model that reveals the essential characteristics of the system and helps in identifying threats which may arise from the specific application logic or technology used in the application. The more complete and detailed the model is, the more successful the other stages will be.
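As an added example (not code from the paper), the following Python script captures the paper's shopping-cart scenario as a small DFD: elements with a trust zone, flows between them, and two queries that pick out the boundary-crossing flows as entry and exit points. It then applies STRIDE-per-element, the mapping from DFD element type to threat class used in Microsoft's SDL threat modeling, to enumerate candidate threats for every element and every boundary-crossing flow; STRIDE is not part of the paper, and the element names, zones, ports and flows are constructed assumptions.

```python
from dataclasses import dataclass

# Element kinds of a data-flow diagram (DFD).
EXTERNAL, PROCESS, STORE, FLOW = "external entity", "process", "data store", "data flow"

# STRIDE-per-element mapping as used in Microsoft's SDL threat modeling.
# This mapping is an assumption of this example; the paper itself does not use STRIDE.
STRIDE_PER_ELEMENT = {EXTERNAL: "SR", PROCESS: "STRIDE", STORE: "TRID", FLOW: "TID"}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    zone: str  # trust zone; a flow between two different zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    protocol: str

    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone

    def label(self) -> str:
        return f"{self.src.name} -> {self.dst.name} [{self.protocol}: {self.data}]"


# Constructed model of the paper's shopping-cart scenario (hypothetical names, zones and ports).
customer = Element("Customer browser", EXTERNAL, "internet")
admin = Element("Administrator", EXTERNAL, "corporate LAN")
webapp = Element("Web application", PROCESS, "DMZ")
db = Element("Database server", STORE, "internal")
payment = Element("Payment web service", EXTERNAL, "third party")

FLOWS = [
    Flow(customer, webapp, "credentials, search terms, cart contents", "HTTPS/443"),
    Flow(webapp, customer, "product pages, order confirmation", "HTTPS/443"),
    Flow(admin, webapp, "admin page requests", "HTTPS/443"),
    Flow(webapp, db, "SQL queries", "TCP/1433"),
    Flow(db, webapp, "result sets", "TCP/1433"),
    Flow(webapp, payment, "card number, amount", "HTTPS/443"),
]


def entry_points(flows):
    """Flows that cross a trust boundary into a process: where attacker-controlled data arrives."""
    return [f for f in flows if f.crosses_boundary() and f.dst.kind == PROCESS]


def exit_points(flows):
    """Flows that leave a process across a trust boundary: where data can leak or be tampered with."""
    return [f for f in flows if f.crosses_boundary() and f.src.kind == PROCESS]


def stride_threats(flows):
    """Enumerate (target, threat class) candidates for every element and boundary-crossing flow."""
    elements = sorted({e for f in flows for e in (f.src, f.dst)}, key=lambda e: e.name)
    found = [(e.name, STRIDE_NAMES[c]) for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]
    for f in flows:
        if f.crosses_boundary():
            found.extend((f.label(), STRIDE_NAMES[c]) for c in STRIDE_PER_ELEMENT[FLOW])
    return found


if __name__ == "__main__":
    print("Entry points:")
    for f in entry_points(FLOWS):
        print("  ", f.label())
    print("Exit points:")
    for f in exit_points(FLOWS):
        print("  ", f.label())
    threats = stride_threats(FLOWS)
    print(f"{len(threats)} threat candidates to review, e.g.:")
    for target, threat in threats[:5]:
        print("  ", threat, "of", target)
```

The candidate list is deliberately generous (34 entries for this six-flow model); the point of the later prioritization step is to discard the ones that do not apply and rank the rest. Flows that stay inside one zone, such as a database backup job on the internal network, never appear as entry points, which is exactly why the trust zones must be recorded honestly.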
3.5 Threats Identification:

In this step the threats which may affect the system and compromise the assets are identified. Threat identification is the key to a secure system. Identifying threats consists of analyzing each entry and exit point and examining the application tier by tier, layer by layer and feature by feature. The following threats could affect the application:

- Dictionary-based brute force attacks.
- Network eavesdropping between the browser and the web server to capture client credentials.
- An attacker capturing cookies to take over a user's identity.
- SQL injection, which enables an attacker to make use of an input validation vulnerability to execute commands in the database and thereby access and/or modify data.
- Cross-site scripting through injecting script code.
- Information leakage.
- An attacker taking control of the web server, gaining unauthorized access to the database and running commands against it, or gaining unauthorized access to web server resources and static files.
- Discovery of the encryption keys used to encrypt sensitive data (including client credit card numbers) in the database.
3.6 Vulnerabilities Identification:

To identify weaknesses related to the threats, the layers of the application should be reviewed. Using vulnerability categories helps focus on those areas where mistakes are most often made. Common application vulnerabilities are:

- Authentication-related vulnerabilities, such as lack of password complexity enforcement or lack of password retry (lockout) logic.
- Unvalidated data and inputs. Is all input validated? How is it validated? Is it validated for type, length, format and range? What does good data look like? Where is it validated?
- Exception handling. What information is needed for troubleshooting? What information should be presented to the end user? An attacker may gain useful exception details when detailed error messages are returned to the end user or client.
- Weak encryption keys, or encryption keys used with the wrong algorithm.
- Revealing an administration function through the web application.
- Remote code execution vulnerabilities.
- SQL injection or cross-site scripting.
- Username enumeration.
- Parameter tampering.
- Authorization manipulation and user privilege escalation.
- Session and cookie handling weaknesses.
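The "unvalidated input" and "SQL injection" items above are two views of the same weakness. The following Python example, added here and not taken from the paper, shows a login check written three ways against an in-memory SQLite table: the vulnerable string-concatenation form, the parameterized form that fixes it, and a hardened form that additionally applies an allowlist answering "what does good data look like?". The table, the user row, the placeholder password hash and the attack string are constructed for the example.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")  # "what good data looks like": an allowlist


def is_valid_username(value) -> bool:
    """Allowlist check covering type, length, format and range in one expression."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def build_db() -> sqlite3.Connection:
    """In-memory users table with one constructed row (the hash value is a placeholder)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash) -> bool:
    """The flaw: untrusted input is concatenated into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password_hash) -> bool:
    """The fix: bound parameters are always data, never SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


def login_hardened(conn, username, password_hash) -> bool:
    """Defense in depth: reject malformed input before it reaches the database at all."""
    if not is_valid_username(username):
        return False
    return login_parameterized(conn, username, password_hash)


# Attacker input: closes the string literal and comments out the password check
# (SQLite, like most engines, treats "--" as a comment to end of line).
ATTACK_USERNAME = "alice' --"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:   ", login_vulnerable(conn, ATTACK_USERNAME, "wrong"))
    print("parameterized:", login_parameterized(conn, ATTACK_USERNAME, "wrong"))
    print("hardened:     ", login_hardened(conn, ATTACK_USERNAME, "wrong"))
```

Run it and the vulnerable function returns True for the attack string while the other two return False; the classic `' OR '1'='1` payload in both fields bypasses the vulnerable version the same way. Parameterization is the real fix; the allowlist is a second layer that also shrinks the input the database ever sees, which is what the "type, length, format and range" questions are asking for.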
3.7 Threat Agent Selection:

A threat agent is the person or event that has the ability to generate threats. In the above-mentioned scenario the main threat agents and events are:

- Insiders and users
- Hackers and crackers (hacker/cracker groups)
- Worms, Trojans and viruses
- Natural and environmental events (floods, fire, etc.)

3.8 Threat History Examination:

We now have a compiled list of current threats, but it is always better to also consider future threats which may arise. The first step towards predicting future threats is to examine the company's records and speak with long-time employees about past security threats the company has faced. Most threats repeat themselves, so by cataloging the company's past experiences and including the relevant threats in your threat list you will get a more complete picture of the company's vulnerabilities.

3.9 Prioritizing the Assets & Vulnerabilities:

We have now developed a complete list of all the assets and security threats that the company may face. It is important to consider that not every asset or threat has the same priority level. In this step we prioritize the assets and vulnerabilities in order to know the company's greatest security risks. The following steps should be taken to prioritize the assets and vulnerabilities:

- Develop a risk and probability calculation matrix.
- Calculate risk.
- Calculate probability.
- Calculate impact.

The implementation of a countermeasure depends on the criticality of the assets and vulnerabilities. There are various techniques available to prioritize threats and vulnerabilities. Microsoft's DREAD (Damage, Reproducibility, Exploitability, Affected Users, and Discoverability) model for prioritizing threats and vulnerabilities is one of the most popular methods.
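To make the DREAD ranking concrete, here is an added Python example (not from the paper) that scores the threats listed in section 3.5 and sorts them. It uses the 1-3 per-factor scale from Microsoft's patterns & practices web security guidance, where the five factors sum to 5-15 and 12-15 is High, 8-11 Medium and 5-7 Low; the individual ratings assigned to each threat are illustrative assumptions, not figures from the paper.

```python
from dataclasses import dataclass, astuple


@dataclass(frozen=True)
class Dread:
    """One DREAD rating. Each factor is scored 1 (low), 2 (medium) or 3 (high)."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject out-of-range factors so a typo cannot silently skew the ranking.
        for name, value in zip(self.__dataclass_fields__, astuple(self)):
            if value not in (1, 2, 3):
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    @property
    def score(self) -> int:
        return sum(astuple(self))  # 5..15

    @property
    def rating(self) -> str:
        # Bands from Microsoft's patterns & practices guidance (assumed here, not in the paper).
        if self.score >= 12:
            return "High"
        if self.score >= 8:
            return "Medium"
        return "Low"


def prioritize(threats):
    """Return (threat, score, rating) triples, highest risk first; ties broken by name."""
    return sorted(((name, d.score, d.rating) for name, d in threats.items()),
                  key=lambda row: (-row[1], row[0]))


# Constructed ratings for the threats of section 3.5 (illustrative numbers only).
SAMPLE_THREATS = {
    "SQL injection via the product search parameter": Dread(3, 3, 2, 3, 2),
    "Dictionary brute force against the login page": Dread(2, 3, 3, 1, 3),
    "Network eavesdropping of customer credentials": Dread(3, 2, 1, 3, 2),
    "Session cookie theft via cross-site scripting": Dread(2, 3, 2, 2, 1),
    "Information leakage through detailed error pages": Dread(1, 2, 3, 1, 2),
    "Discovery of the database encryption key": Dread(3, 1, 1, 2, 1),
}

if __name__ == "__main__":
    for name, score, rating in prioritize(SAMPLE_THREATS):
        print(f"{score:2d} {rating:6s} {name}")
```

Note how the ranking separates threats with the same damage: key discovery and eavesdropping both score damage 3, but low reproducibility and exploitability push key discovery to the bottom of the list, which is what the "calculate probability" step is meant to capture.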
3.10 Threat Impact Analysis:

The term impact is used to indicate the result of a threat reaching an asset. Threat impact can be categorized as follows:

- Minor: minor loss of a business asset, no change in the way business is conducted.
- Moderate: business disruption, moderate changes in the way of conducting business.
- Major: out of business unless countermeasures are deployed immediately.
- Catastrophic: out of business from the moment the threat is realized.

The impact of a threat may affect market share, business capital, users, the trust of stakeholders and business partners, and the company's reputation. The immediate outcome of a threat reaching an asset could be disclosure, modification, destruction, loss, interruption or unauthorized access.
4. Development of a Security Threat Response Plan:

In this step a primary response plan to each threat, based on the priority list of assets and vulnerabilities, should be developed. Although these security responses are not the only appropriate ways to deal with a security threat, they cover the vast majority of the threats the company faces. Apart from the primary response plan to the threats, the following implementations are required as part of the security strategy:

- Implementing network ACLs
- Implementing IDS/IPS
- Implementing IDM
- Backups
- Content filtering
- Implementing physical security
Conclusion:

Modeling the application is important for identifying the threats and vulnerabilities in the application which may affect the company's business. It provides an understanding of the company's assets and of the risk to the application, the assets and the overall business. We have discussed potential threats to the application and the requirements of the threat modeling process. The threat modeling process provides a security framework for securing the web application, and using the framework is helpful in identifying threats and vulnerabilities in the system. While creating and implementing a framework for web application security, two main points are considered critical:

1. The most common mistakes which developers make
2. The most effective improvements

Based on this study, it can be concluded that modeling the application for present and future threats and vulnerabilities can provide a high level of security to the company. Security policies are a very helpful practice in protecting networks from threats and vulnerabilities and in maintaining the confidentiality, integrity and availability of the system. Finally, being ever cautious and watchful will keep attackers at bay, so it is always better to keep a low profile against hackers, crackers and script kiddies in order to survive in today's technological environment.
References:

1. Understanding and Developing a Threat Assessment Model, Stilianos Vidalis and Andrew Blyth, University of Glamorgan.
2. J. D. Nosworthy, A Practical Risk Analysis Approach: Managing BCM Risk. Computers & Security (page numbers not preserved in the transcription).
3. Analyzing Threat Agents & Their Attributes, Dr. Stilianos Vidalis, Dr. Andrew Jones, University of Glamorgan.
4. Electronic Warfare Association Australia (URL not preserved in the transcription).
5. An Introduction to FAIR: The Factor Analysis of Information Risk (FAIR) Framework (URL not preserved in the transcription).
University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments Cntents: Purpse Applicability Plicy Statement Respnsibilities f a Merchant Department Prcess t Becme a Merchant Department
More informationBusiness Intelligence and DataWarehouse workshop
Business Intelligence and DataWarehuse wrkshp Benefits: Enables the Final year BE student/ Junir IT prfessinals t get a perfect blend f thery and practice n Business Intelligence and Data warehuse s as
More informationThe Acunetix Web Vulnerability Scanner
The Acunetix Web Vulnerability Scanner Website security is pssibly tday's mst verlked aspect f securing the enterprise and shuld be a pririty in any rganizatin. Increasingly, hackers are cncentrating their
More informationServ-U Distributed Architecture Guide
Serv-U Distributed Architecture Guide Hrizntal Scaling and Applicatin Tiering fr High Availability, Security, and Perfrmance Serv-U Distributed Architecture Guide v14.0.1.0 Page 1 f 16 Intrductin Serv-U
More informationPCI - Why You Need to be Compliant When Accepting Credit Card Payments. Agenda. Breaches in the Headlines. Breach Events & Commonalities
PCI - Why Yu Need t be Cmpliant When Accepting Credit Card Payments Tuesday, March 27, 2012 Agenda Breach Events & Cmmnalities Evlutin f PCI PCI Requirements Risks f Nn-cmpliance Industry Initiatives t
More informationA96 CALA Policy on the use of Computers in Accredited Laboratories Revision 1.5 August 4, 2015
A96 CALA Plicy n the use f Cmputers in Accredited Labratries Revisin 1.5 August 4, 2015 A96 CALA Plicy n the use f Cmputers in Accredited Labratries TABLE OF CONTENTS TABLE OF CONTENTS... 1 CALA POLICY
More informationBackupAssist SQL Add-on
WHITEPAPER BackupAssist Versin 6 www.backupassist.cm 2 Cntents 1. Requirements... 3 1.1 Remte SQL backup requirements:... 3 2. Intrductin... 4 3. SQL backups within BackupAssist... 5 3.1 Backing up system
More informationChristchurch Polytechnic Institute of Technology Access Control Security Standard
CPIT Crprate Services Divisin: ICT Christchurch Plytechnic Institute f Technlgy Access Cntrl Security Standard Crprate Plicies & Prcedures Sectin 1: General Administratin Dcument CPP121a Principles Infrmatin
More informationWhat is Software Risk Management? (And why should I care?)
What is Sftware Risk Management? (And why shuld I care?) Peter Kulik, KLCI, Inc. 1 st Editin, Octber 1996 Risks are schedule delays and cst verruns waiting t happen. As industry practices have imprved,
More informationData Protection Policy & Procedure
Data Prtectin Plicy & Prcedure Page 1 Prcnnect Marketing Data Prtectin Plicy V1.2 Data prtectin plicy Cntext and verview Key details Plicy prepared by: Adam Haycck Apprved by bard / management n: 01/01/2015
More informationChange Management Process
Change Management Prcess B1.10 Change Management Prcess 1. Intrductin This plicy utlines [Yur Cmpany] s apprach t managing change within the rganisatin. All changes in strategy, activities and prcesses
More informationDepartment of CSIT Organizes a 2-Day Skill Development Workshop On Basic Networking Tools and Concepts. On 14-15 March 2016
Department f CSIT Organizes a 2-Day Skill Develpment Wrkshp On Basic Netwrking Tls and Cncepts On 14-15 March 2016 In Jint Cllabratin With Skill Develpment Cell Guru Ghasidas Vishwavidyalaya, Bilaspur
More informationX7500 Series, X4500 Scanner Series MFPs: LDAP Address Book and Authentication Configuration and Basic Troubleshooting Tips
X7500 Series, X4500 Scanner Series MFPs: LDAP Address Bk and Authenticatin Cnfiguratin and Basic Trubleshting Tips Lexmark Internatinal 1 Prerequisite Infrm atin In rder t cnfigure a Lexmark MFP fr LDAP
More informationMaaS360 Cloud Extender
MaaS360 Clud Extender Installatin Guide Cpyright 2012 Fiberlink Cmmunicatins Crpratin. All rights reserved. Infrmatin in this dcument is subject t change withut ntice. The sftware described in this dcument
More informationRisk Management Policy AGL Energy Limited
Risk Management Plicy AGL Energy Limited AUGUST 2014 Table f Cntents 1. Abut this Dcument... 2 2. Plicy Statement... 2 3. Purpse... 2 4. AGL Risk Cntext... 3 5. Scpe... 3 6. Objectives... 3 7. Accuntabilities...
More informationLogMeIn Rescue Web SSO via SAML 2.0 Configuration Guide
LgMeIn Rescue Web SSO via SAML 2.0 LgMeIn Rescue Web SSO via SAML 2.0 Cnfiguratin Guide 02-19-2014 Cpyright 2015 LgMeIn, Inc. 1 LgMeIn Rescue Web SSO via SAML 2.0 Cntents 1 Intrductin... 3 1.1 Dcument
More informationThe Cost Benefits of the Cloud are More About Real Estate Than IT
y The Cst Benefits f the Clud are Mre Abut Real Estate Than IT #$#%&'()*( An Osterman Research Executive Brief Published December 2010 "#$#%&'()*( Osterman Research, Inc. P.O. Bx 1058 Black Diamnd, Washingtn
More informationFirewall/Proxy Server Settings to Access Hosted Environment. For Access Control Method (also known as access lists and usually used on routers)
Firewall/Prxy Server Settings t Access Hsted Envirnment Client firewall settings in mst cases depend n whether the firewall slutin uses a Stateful Inspectin prcess r ne that is cmmnly referred t as an
More informationIntel Hybrid Cloud Management Portal Update FAQ. Audience: Public
Intel Hybrid Clud Management Prtal Update FAQ Audience: Public Purpse: Prepare fr the launch f the Intel Hybrid Clud Platfrm multi-user/multi-tier update Versin: Final FAQs What s new in the Intel Hybrid
More informationDefining Sales Campaign Automation How e-mail, the Killer App, is best applied to marketing
Defining Sales Campaign Autmatin Hw e-mail, the Killer App, is best applied t marketing Summary: Cmpanies tday are steadily adpting strategies and technlgies t reach prspects, custmers, and partners thrugh
More informationResearch Report. Abstract: Security Management and Operations: Changes on the Horizon. July 2012
Research Reprt Abstract: Security Management and Operatins: Changes n the Hrizn By Jn Oltsik, Senir Principal Analyst With Kristine Ka and Jennifer Gahm July 2012 2012, The Enterprise Strategy Grup, Inc.
More informationDeployment Overview (Installation):
Cntents Deplyment Overview (Installatin):... 2 Installing Minr Updates:... 2 Dwnlading the installatin and latest update files:... 2 Installing the sftware:... 3 Uninstalling the sftware:... 3 Lgging int
More informationA. Early Case Assessment
Electrnic Discvery Reference Mdel Standards fr the identificatin f electrnically stred infrmatin in discvery http://www.edrm.net/resurces/standards/identificatin A. Early Case Assessment Once a triggering
More informationSMART Active Directory Migrator 9.0.2. Requirements
SMART Active Directry Migratr 9.0.2 January 2016 Table f Cntents... 3 SMART Active Directry Migratr Basic Installatin... 3 Wrkstatin and Member Server System... 5 Netwrking... 5 SSL Certificate... 6 Service
More informationService Request Form
New Prfessinal Services Order Frm Editable PDF Service Request Frm If yu have any questins while filling ut this frm, please cntact yur CDM, email Prfessinal Services at PS@swipeclck.cm, r call 888-223-3250
More informationFINRA Regulation Filing Application Batch Submissions
FINRA Regulatin Filing Applicatin Batch Submissins Cntents Descriptin... 2 Steps fr firms new t batch submissin... 2 Acquiring necessary FINRA accunts... 2 FTP Access t FINRA... 2 FTP Accunt n FINRA s
More informationIN-HOUSE OR OUTSOURCED BILLING
IN-HOUSE OR OUTSOURCED BILLING Medical billing is ne f the mst cmplicated aspects f running a medical practice. With thusands f pssible cdes fr diagnses and prcedures, and multiple payers, the ability
More informationPreparing to Deploy Reflection : A Guide for System Administrators. Version 14.1
Preparing t Deply Reflectin : A Guide fr System Administratrs Versin 14.1 Table f Cntents Table f Cntents... 2 Preparing t Deply Reflectin 14.1:... 3 A Guide fr System Administratrs... 3 Overview f the
More informationAnalytical Techniques created for the offline world can they yield benefits online?
Analytical Techniques created fr the ffline wrld can they yield benefits nline? Dr. Barry Leventhal BarryAnalytics Limited Transfrming Data Abut BarryAnalytics Advanced Analytics Cnsultancy funded in 2009
More informationSystems Load Testing Appendix
Systems Lad Testing Appendix 1 Overview As usage f the Blackbard Academic Suite grws and its availability requirements increase, many custmers lk t understand the capability f its infrastructure. As part
More informationMobile Workforce. Improving Productivity, Improving Profitability
Mbile Wrkfrce Imprving Prductivity, Imprving Prfitability White Paper The Business Challenge Between increasing peratinal cst, staff turnver, budget cnstraints and pressure t deliver prducts and services
More informationEnterprise Security Management CIS 259
Enterprise Security Management CIS 259 Prerequisites CIS 175 Descriptin This curse is designed t cver the managerial aspects f cmputer security and risk management fr enterprises. The student will attain
More informationResearch Report. Abstract: Data Center Networking Trends. January 2012. By Jon Oltsik With Bob Laliberte and Bill Lundell
Research Reprt Abstract: Data Center Netwrking Trends By Jn Oltsik With Bb Laliberte and Bill Lundell January 2012 2012 Enterprise Strategy Grup, Inc. All Rights Reserved. Intrductin Research Objective
More information