SANS Technology Institute Group Discussion/Written Project. GIAC Enterprises Downadup Incident. 3/1/2009 Tim Proffitt Seth Misenar John Jarocki
Table of Contents
- Executive Summary
- Introduction
- Detection Techniques
- Detection Testing Results and Certainty
- Top Three Recommendations
- Conclusion
- References
- GIAC Enterprises Project Plan
Executive Summary

The malware of 2009 is not the viruses of 10 years ago, where the threat was a rebooting computer or a corrupted hard drive. Malware of the present is designed to steal your information assets, take control of your infrastructure, join a botnet, or carry out a host of other criminal activities. On April 8, 2008, Symantec Corp. reported in its semiannual report on the state of security that its malware tally had topped 1 million for the first time in the second half of 2007, as the number of new malicious code threats skyrocketed. Of the 1.1 million code threats that Symantec has detected since it began writing signatures more than a quarter-century ago, 711,912 were discovered in 2007; 499,811 were picked up in the last six months of the year alone. Nearly two-thirds of all the threats that Symantec has ever uncovered have been found since 2007 (Turner, 2008). The trend in these statistics makes it difficult to believe that traditional antivirus solutions will be sufficient to mitigate malware variants. This should be an alarming statistic for GIAC Enterprises or any organization with information to protect.

GIAC Enterprises has provided a secure web application and backend database infrastructure for the workforce to submit and process intellectual property. Although this does provide a layer of defense, it does not protect GIAC Enterprises from all attack vectors. One such attack vector, which is the focus of this report, is malware.

Contained within this report, we are recommending several solutions for GIAC Enterprises to utilize to protect its information systems. First, the report outlines the various techniques and tools utilized for detection of Downadup malware. Second, as requested, the tiger team has identified three recommendations for the prevention of malware at GIAC Enterprises. Additionally, several general malware prevention solutions are documented for future initiatives as GIAC Enterprises experiences success and growth.
Introduction

GIAC Enterprises has tasked our group with developing an approach for dealing with malware. In particular, GIAC is concerned with determining: whether they are currently infected with Downadup (a.k.a. Conficker); three recommended techniques that could be employed to prevent future malware infections; and a project plan associated with the implementation of these recommendations. While detection and prevention of malware is not an exact science, some basic measures can certainly be employed to mitigate the threat of initial infection and propagation.

Detection Techniques

The Downadup worm and its variants (Downadup.A, Downadup.B, Downadup.B++) have been highly successful at infecting large numbers of hosts due to a combination of both old and new techniques of propagation, survivability, and self-updating. Some of the specific features that enabled Downadup's growth include (Porras, Saidi, Yegneswaran, 2009):
1. Remote exploitation of a fairly recent RPC-DCOM vulnerability (MS08-067) and then patching that exploit in memory (netapi32.dll).
2. Injection of the worm into a critical system process (services.exe).
3. Detection of attempts to remotely exploit a Downadup-patched system, and use of this as a peer-to-peer update communication channel.
4. Multiple propagation methods, including direct remote exploitation of the MS vulnerability, propagation via NetBIOS shares (using brute-force password attempts), and creation of autorun.inf files to infect via attached USB devices or other removable media.
5. Manipulation of Universal Plug and Play (UPnP) to modify the local Internet gateway so that remote computers can connect to the locally installed HTTP server.
6. Patching of DNS APIs in memory to monitor and prevent access to security software update sites.
7. Authentication of new worm code updates through the use of digital signatures.

Although these variants have been successful, an organization patched for MS08-067, using strong passwords, with firewalls that do not allow inbound connections or self-modification via UPnP, and with Windows AutoRun disabled should have minimal risk of Downadup infection. Although we cannot be 100% sure there has not been an infection, we can recommend some techniques for detecting infected hosts and preventing future infections. At the request of the CIO, the team implemented several techniques to attempt to detect the presence of Downadup-infected hosts.

Tasks Executed:
- Ran a full virus scan of GIAC Enterprises systems using the existing antivirus solution. This scan was run overnight to minimize impact to workers processing fortune cookie sayings.
- Searched for scheduled tasks of the form "rundll32.exe.*" (W32.Downadup.B, 2008), using the list of GIAC systems to inspect in hosts.txt:
  wmic /node:@hosts.txt job where (command like "rundll32.exe%") list /format:csv
- Checked for systems that were vulnerable because they did not have the Microsoft patch installed (Microsoft Security Bulletin MS08-067, 2008). The following wmic command creates a report of all hosts that have the Windows XP version of the patch applied (KB958644):
  wmic /node:@hosts.txt qfe where hotfixid="kb958644" list brief /format:htable > "ms xp.html"
- Checked for disabled services (Error Reporting Service, BITS, Automatic Updates, Windows Defender):
  wmic /node:@hosts.txt service where (name="ersvc" OR name="bits" OR name="wuauserv" OR name="windefend") get name, state /format:htable > services.html
- Looked for increased network congestion via network monitoring tools (netflow, firewalls).
- Checked for failed logins, account lockouts, and lockout resets in Windows Domain Controller event logs.
- Checked whether System Restore points have been disabled. On a system where they are enabled, one or more restore points will be listed by the following command; otherwise the string "No Instance(s) Available." is printed (zeraphis, 2005):
  wmic /namespace:\\root\default path SystemRestore get | find "No Instance"
- Deployed IDS signatures for detection of Downadup as well as other known malware signatures.
- Reviewed firewall logs for evidence of outbound propagation traffic or attempts to open ports via UPnP.

Detection Testing Results and Certainty

The results of our testing did not indicate the presence of Downadup infection, propagation, or post-infection communication at GIAC Enterprises. Although this is excellent news, we cannot state with 100% certainty that an infection has not occurred, because of the built-in fallibility of each test coupled with the base-rate fallacy (Axelsson, 2000). This is a phenomenon of Bayesian statistics: the true positive rate of any detection technique is built from a combination of two factors:
1. The likelihood of an occurrence in the general population (in this case, what percentage of hosts connected to the Internet, directly or indirectly, are infected with Downadup), and
2. The accuracy of the particular test itself. For example, if a service that we test for could be disabled for reasons other than Downadup, then our test does not have high fidelity.

Although calculating the true detection rate of our tests is outside the scope of this assignment, we accept that 100% accuracy is not possible, nor is it required to allow us to state with reasonable certainty that GIAC Enterprises has not been infected with Downadup.

Finally, we should note that this investigation was prompted by a notification to the GIAC Enterprises CIO from a peer who received an e-mail, apparently from the CIO, that was marked as infected with Downadup. We obtained a sample of this e-mail, including full header information. Our review of the headers showed that this was spam, spoofed to appear to come from our CIO's account. Additionally, the currently known Downadup worm variants have multiple propagation vectors, but none of them include transmission via e-mail (Porras, et al., 2009).
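The base-rate effect described above can be made concrete with Bayes' rule. The figures below are assumed for illustration and are added here, not taken from the report: a 1% infection base rate, a check (say, a watched service found disabled) that fires on 95% of infected hosts, and a 5% chance that the service is disabled for reasons other than Downadup.

Let $I$ denote "host is infected" and $A$ denote "the check fires", with $P(I)=0.01$, $P(A \mid I)=0.95$ and $P(A \mid \neg I)=0.05$. The probability that a host which raised the alarm is actually infected is

$$P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)} = \frac{0.95 \times 0.01}{0.95 \times 0.01 + 0.05 \times 0.99} = \frac{0.0095}{0.0590} \approx 0.16$$

so only about one alarm in six is a true infection, because the low base rate dominates the check's own accuracy. The negative results the report relies on are far more informative under the same assumptions:

$$P(\neg I \mid \neg A) = \frac{P(\neg A \mid \neg I)\,P(\neg I)}{P(\neg A \mid \neg I)\,P(\neg I) + P(\neg A \mid I)\,P(I)} = \frac{0.95 \times 0.99}{0.95 \times 0.99 + 0.05 \times 0.01} = \frac{0.9405}{0.9410} \approx 0.9995$$

A host that passes the check is therefore very likely clean, which is why a set of imperfect tests that all come back negative still supports a statement of reasonable, though not absolute, certainty.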
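The wmic sweeps in the task list above each produce one CSV when run with /format:csv. The script below is an added example, not part of the original report: it triages that output across the hosts listed in hosts.txt, using constructed sample output embedded inline, and relies only on the Node, HotFixID, Name and State columns. A host absent from the qfe output is reported as unpatched only if it answered the services query; a host absent from both is flagged as unreachable rather than silently counted as clean.

```python
"""Triage of wmic /format:csv output from the Downadup detection sweep.

Added example, not part of the original report. The two CSV samples below are
constructed to look like the output of the qfe and service queries run against
hosts.txt; only the Node, HotFixID, Name and State columns are relied upon.
"""
import csv
import io

# Host list as it would appear in hosts.txt (constructed).
HOSTS = ["WS01", "WS02", "WS03", "SRV01"]

# Constructed sample of:
#   wmic /node:@hosts.txt qfe where hotfixid="kb958644" list brief /format:csv
# wmic prefixes CSV output with a blank line, and a host that has no matching
# hotfix contributes no row at all ("No Instance(s) Available." is printed
# separately), so absence of a row is the signal, not a column value.
QFE_CSV = """
Node,Description,HotFixID,InstalledOn
WS01,Security Update,KB958644,10/24/2008
SRV01,Security Update,KB958644,10/25/2008
"""

# Constructed sample of:
#   wmic /node:@hosts.txt service where (name="ersvc" OR name="bits"
#        OR name="wuauserv" OR name="windefend") get name, state /format:csv
# SRV01 has no Windows Defender service installed, so it returns no row for it;
# that is normal and is not treated as a finding.
SERVICES_CSV = """
Node,Name,State
WS01,BITS,Running
WS01,ERSvc,Running
WS01,wuauserv,Running
WS01,WinDefend,Running
WS02,BITS,Stopped
WS02,ERSvc,Stopped
WS02,wuauserv,Stopped
WS02,WinDefend,Running
SRV01,BITS,Running
SRV01,ERSvc,Running
SRV01,wuauserv,Running
"""


def parse_wmic_csv(text):
    """Parse wmic /format:csv output into a list of row dicts.

    Skips the leading blank line wmic emits. When reading a redirected file
    instead of a string, open it with encoding="utf-16", which is what wmic
    writes when its output is redirected to a file.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def hosts_with_hotfix(qfe_rows, hotfix):
    """Nodes that returned a row for the requested hotfix (case-insensitive)."""
    return {r["Node"] for r in qfe_rows if r["HotFixID"].upper() == hotfix.upper()}


def stopped_services(service_rows):
    """Map node -> sorted names of watched services whose state is not Running."""
    out = {}
    for r in service_rows:
        if r["State"].strip().lower() != "running":
            out.setdefault(r["Node"], []).append(r["Name"])
    return {node: sorted(names) for node, names in out.items()}


def triage(hosts, qfe_csv, services_csv, hotfix="KB958644"):
    """Return {host: [finding, ...]} for every host in the sweep list.

    A host missing from the qfe output is reported as unpatched only if it
    answered the service query; if it answered neither, it is reported as
    unreachable so it can be rechecked rather than silently counted as clean.
    """
    patched = hosts_with_hotfix(parse_wmic_csv(qfe_csv), hotfix)
    svc_rows = parse_wmic_csv(services_csv)
    answered = {r["Node"] for r in svc_rows}
    stopped = stopped_services(svc_rows)
    report = {}
    for host in hosts:
        findings = []
        if host not in patched and host not in answered:
            findings.append("unreachable: no WMI response, recheck manually")
        elif host not in patched:
            findings.append(f"missing {hotfix}")
        for name in stopped.get(host, []):
            findings.append(f"service not running: {name}")
        report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in triage(HOSTS, QFE_CSV, SERVICES_CSV).items():
        print(f"{host}: {'; '.join(findings) if findings else 'no findings'}")
```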
Prevention Techniques

Because attackers are able to craft malicious code capable of bypassing antivirus detection more easily and effectively than before, and because targeted attacks are increasingly impacting small to medium enterprises such as GIAC Enterprises, it is imperative that additional malware prevention techniques be employed by GIAC Enterprises. While Conficker/Downadup serves as an especially salient example of such malware, the prevention techniques outlined below are more widely applicable than to simply one such piece of malicious code. The goal of this phase is to provide recommendations for such preventative techniques and technologies. Though GIAC Enterprises has asked for three recommendations, we thought it prudent to highlight additional methods that could be employed should management determine that more or fewer resources can be dedicated to this project. However, the three most highly recommended prevention techniques are enumerated first. Also, we would be remiss not to mention that though preventing infection is a most laudable goal, building an infrastructure that supports and provides a facility for detection of malware infection is considerably more important: "prevention is ideal, but detection is a must" (Cole, p. 15, 2001).
Top Three Recommendations

Patch Management - Employ a third-party patch management tool and associated process for ensuring the prompt deployment of patches for applications installed throughout the enterprise. Although tools such as the free Windows Software Update Services (WSUS) from Microsoft are increasingly common in small to medium enterprises such as GIAC, simply focusing on Microsoft patches is no longer sufficient. In part due to our facility for blocking infiltration via the perimeter, attackers are trending toward a focus on client-side applications (Turner, 2008). In addition, although 0-day exploits are getting more press in recent years, the fact remains that the overwhelming majority of exploitations target a known vulnerability for which there is a patch. GIAC Enterprises should evaluate third-party patch management solutions that are capable of timely distribution of patches for applications used throughout the environment, which could help prevent malware infections that exploit known vulnerabilities.

Secure Baseline Configurations - Standardize on hardened baseline configurations derived from industry best practices. Although all systems and applications should have a secure baseline configuration that is consistently used throughout the enterprise, the most important items to address initially would be base secure desktop and server configurations. Certainly hardened database, network gear, mail, and web server specific configurations are important, but ensuring that the basic desktop and server configurations represent sound starting points is key. A hardened baseline configuration can greatly reduce the security exposure to malware infection by limiting the potential vulnerability touch points.
Security Awareness Training/Acceptable Use Policy - Provide continuously updated security awareness training to all members of the GIAC Enterprises workforce, and ensure our Acceptable Use Policy (AUP) is strict enough to preclude actions commonly associated with malware infection. Most organizations do a poor job of providing awareness of security issues to their workforce. End users serve not only as a common attack vector but, if properly trained and empowered, can also serve as members of the security team. A more knowledgeable workforce can serve as a first line of detection of security incidents. Well-intentioned users, if properly trained, are also less likely to engage in behaviors that might lead to malware infection. In addition to the base security awareness training, GIAC Enterprises should also have a clear Acceptable Use Policy that makes obvious what actions are expected and prohibited.

Additional Recommendations

Egress Filtering - Where possible, and certainly at the network perimeter, employ egress filtering that allows only business-necessary traffic/ports to leave the organization. Strict filtering of outbound traffic serves as a basic implementation of the Defense in Depth principle of least privilege. In addition to the obvious benefit of not acting as an agent of propagation for spreading a malware infection beyond enterprise boundaries, egress filtering can also limit the abilities of the malware itself by preventing the malicious code from receiving updated instructions or software from an external entity. Allowing only outbound traffic that is necessary for business purposes, while easy to understand, can be extremely difficult to implement for enterprises that lack a sufficient understanding of what constitutes business-necessary access.
Network Access Control (NAC)/Network Access Protection (NAP) - Employ a NAC/NAP solution that is capable of ensuring that a node meets defined minimum security standards before allowing network access. Enterprises typically have less robust security when facing an attacker or malware infection sourced from the internal network. Sales persons, contractors, mobile employees, VPN connections, and partner networks can all serve as sources of malware propagation or attack. Although the details and functionality certainly vary across vendors, NAC/NAP typically provides a facility by which some level of scrutiny can be placed on the security of an endpoint device before allowing it access to the internal network. Possible functionality includes: determining if OS patches are up to date; determining if the latest antivirus signatures are installed; running a lightweight vulnerability scan against the host; checking for backdoor ports; determining if it is a known corporate asset; and checking for specific services. Some of this functionality is dependent upon the ability to authenticate to the endpoint system, which precludes a detailed posture assessment of external entities. NAC/NAP can prevent malware infections by potentially denying network access to an infected agent.

Internal Network Security - Provide security segmentation via internal firewalls or VLAN-based Access Control Lists (ACLs). Most organizations employ a Uniform Protection approach to Defense in Depth, which is particularly vulnerable to an internal attack (Cole, Fossen, Northcutt, Wright, p. 25, 2008). Internal firewalls can be employed to limit internal network traffic to only that which is business necessary. Due to the cost of acquiring and managing internal firewalls, switch-based VLAN Access Control Lists could be leveraged instead to limit network traffic. When designing this solution, attention should be paid to zones of security and trust. Adopting this approach to internal network security could help to limit the spread of a malware infection to a particular network segment should any attached endpoint become infected.

Company Managed Equipment - If 1099 workers are, or become, a considerable threat vector, then company-managed equipment could be deployed to ensure consistent security configurations and controls are employed uniformly. Greater control over contractor equipment can help to prevent infection on the systems used by the contractor, as well as the possibility of infections of internal systems being sourced from contractor equipment.

Intrusion Prevention Systems (IPS) - Employ an Intrusion Prevention System in blocking mode capable of selectively preventing malware propagation over the network. If not already in place, an IPS could help to prevent malware infections that are occurring via the network. The ability of an IPS to mitigate this risk is entirely dependent upon network placement and the vector being used for exploitation.

Limit Administrative Privileges - Highly privileged accounts should be limited to those that absolutely require administrative rights for normal operational activities. Although limiting administrative privileges can be considered a component of an overall secure baseline configuration strategy, it is important enough to warrant a separate line item. Quite often the exploitation of a vulnerability only provides the attacker with the privileges of the user that started the exploited process. With greater attention being paid to client applications, limiting administrative privileges is of even greater importance.
Conclusion

GIAC Enterprises tasked our group with developing an approach for dealing with malware. Of particular import to GIAC was the initial determination of whether or not GIAC systems had been compromised by Downadup. We first highlighted numerous no-cost detection techniques, all of which yielded no evidence of compromise. Indeed, the only suggestion of compromise via Downadup was from an e-mail message that was supposedly sent from GIAC Enterprises' CIO. Although we cannot state with absolute certainty that GIAC is without infection, it is our opinion that Downadup infection is very unlikely.

An additional component of this project was developing three recommendations for GIAC to prevent future malware infections. In order to bolster GIAC's ability to prevent infection via malware, we suggest: a more systematic patch management solution and process; developing secure baseline configurations for GIAC systems and applications; and updating and delivering security awareness training and an acceptable use policy. A project plan for the implementation of these three approaches has been included as Appendix A. Beyond the top three recommendations, we have also provided additional approaches that could be leveraged by GIAC for the prevention of general malware infections.

In conclusion, while we found no evidence of infection via Downadup, this scare, while unfounded, can be used as a stimulus to update GIAC's security infrastructure to prevent infections in the future.
References

- Axelsson, S. (2000). The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security (TISSEC), 3.
- Cole, E. (2001). Hackers Beware: The Ultimate Guide to Network Security. Indianapolis, IN: SAMS Publishing.
- Cole, E., Fossen, J., Northcutt, S., Wright, J. (2008, October). Security 401: Security Essentials Bootcamp. Bethesda, MD: SANS Institute.
- Microsoft Security Bulletin MS08-067 (2008, October 23). Critical Vulnerability in Server Service Could Allow Remote Code Execution (KB958644). Retrieved February 28, 2009, from Microsoft web site.
- Porras, P., Saidi, H., Yegneswaran, V. (2009, February 21). An Analysis of Conficker's Logic and Rendezvous Points. Retrieved February 28, 2009, from SRI International web site.
- Salusky, W. (2009, January 12). Downadup / Conficker - MS exploit and Windows domain account lockout. Retrieved February 28, 2009, from SANS ISC web site.
- Turner, D. (Ed.) (2008, April). Symantec Global Internet Security Threat Report. Symantec Internet Security Threat Report, XIII.
- W32.Downadup.B (2008, December 31). Retrieved March 1, 2009, from Symantec Security Response web site.
- zeraphis (2005, July). Sysprep changes settings (WLAN for instance). Retrieved March 1, 2009, from PC Review web site.
GIAC Enterprises Project Plan

Sponsor: GIAC CIO

Scope: This project will implement the top three recommendations proposed by the tiger team to prevent malware such as, but not limited to, Downadup while still allowing the growth of the business.

1) Phase: Patch Management Process
Start date: 3/1/2009
End date: 5/1/2009
Tasks:
- Research patch management solutions according to scope
- Craft patch management policies and procedures
- Beta test chosen solution in GIAC environment
- Purchase solution
- Deploy solution
- Implement patch management life cycle
Milestones:
- Purchase solution
- Deployed solution
Resources:
- System Administrators for implementation
- CIO or IT director for policy creation
- Finance for purchasing

2) Phase: Implement Hardening Templates
Start date: 4/1/2009
End date: 6/1/2009
Tasks:
- Obtain / craft hardening guides and templates
- Craft security policies / standards for hardening systems
- Perform gap analysis
- Identify exceptions
- Implement security configuration changes to systems
- Audit systems for compliance with templates
- Remediate
Milestones:
- Gap analysis
- Audit for compliance
Resources:
- SME or Security staff
- System Administrators for implementation
- CIO or IT director for policy creation

3) Phase: Implement Security and Awareness Training with AUP
Start date: 5/1/2009
End date: 6/1/2009
Tasks:
- Purchase / craft security and awareness training materials
- Craft security policies around attendance and recurrence
- Define mechanisms of communication / presentation
- Present the training
- Audit for complete attendance
Milestones:
- Obtain complete training materials
- Present training to users
Resources:
- Security Staff for curriculum
- Company trainers if available
- CIO or IT director for policy creation
Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim
More informationConcierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationArchitecture Overview
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
More informationSpam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning
Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning Lee Zelyck Network Administrator Regina Public Library Malware, Spyware, Trojans
More informationMalware Protection II White Paper Windows 7
Malware Protection II White Paper Windows 7 Rohde & Schwarz recognizes the potential risk of computer virus infection when connecting Windows -based test instrumentation to other computers via local area
More informationAnatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow
Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow Agenda Background & Threat landscape Breach: A Case Study Incident Response Best Practices Lessons Learned
More informationINTRODUCTION TO FIREWALL SECURITY
INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ
More informationSpecific recommendations
Background OpenSSL is an open source project which provides a Secure Socket Layer (SSL) V2/V3 and Transport Layer Security (TLS) V1 implementation along with a general purpose cryptographic library. It
More informationUsing Tofino to control the spread of Stuxnet Malware
technical datasheet Application Note Using Tofino to control the spread of Stuxnet Malware This application note describes how to use the Tofino Industrial Security Solution to prevent the spread of the
More informationSeven Strategies to Defend ICSs
INTRODUCTION Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it s not a matter of if an intrusion will take
More informationABB s approach concerning IS Security for Automation Systems
ABB s approach concerning IS Security for Automation Systems Copyright 2006 ABB. All rights reserved. Stefan Kubik stefan.kubik@de.abb.com The problem Most manufacturing facilities are more connected (and
More informationBlack Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!
Sample Penetration Testing Report Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$%&'#)*)&'+,-./0.-121.030045.5675895.467:;83-/;0383; th, yyyy A&0#0+4*M:+:#&*#0%+C:,#0+4N:
More informationSociety for Information Management
Society for Information Management The Projected Top 5 Security Issues of 2010 Steve Erdman CSO and Staff Security Consultant of SecureState Network +, MCP Precursor 2009 has been a difficult year in Information
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationHow To Prevent Hacker Attacks With Network Behavior Analysis
E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal
More information2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.
2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program. Entry Name HFA Submission Contact Phone Email Qualified Entries must be received by
More informationEndpoint Security: Moving Beyond AV
Endpoint Security: Moving Beyond AV An Ogren Group Special Report July 2009 Introduction Application whitelisting is emerging as the security technology that gives IT a true defense-in-depth capability,
More information24/7 Visibility into Advanced Malware on Networks and Endpoints
WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction
More informationAchieving PCI Compliance Using F5 Products
Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity
More informationSAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)
SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview
More informationAll Information is derived from Mandiant consulting in a non-classified environment.
Disclaimer: All Information is derived from Mandiant consulting in a non-classified environment. Case Studies are representative of industry trends and have been derived from multiple client engagements.
More informationWhy The Security You Bought Yesterday, Won t Save You Today
9th Annual Courts and Local Government Technology Conference Why The Security You Bought Yesterday, Won t Save You Today Ian Robertson Director of Information Security Michael Gough Sr. Risk Analyst About
More informationSpyware. Michael Glenn Technology Management Michael.Glenn@Qwest.com. 2004 Qwest Communications International Inc.
Spyware Michael Glenn Technology Management Michael.Glenn@Qwest.com Agenda Security Fundamentals Current Issues Spyware Definitions Overlaps of Threats Best Practices What Service Providers are Doing References
More informationMedical Device Security Health Group Digital Output
Medical Device Security Health Group Digital Output Security Assessment Report for the Kodak Color Medical Imager 1000 (CMI-1000) Software Version 1.1 Part Number 1G0434 Revision 2.0 June 21, 2005 CMI-1000
More informationThe Leading Provider of Endpoint Security Solutions
The Leading Provider of Endpoint Security Solutions Innovative Policies to Defend Against Next-Generation Threats Conrad Herrmann CTO and Co-Founder Zone Labs, Inc. Network Security Is an Uphill Battle
More informationFighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
More informationTop Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009
Top Five Data Security Trends Impacting Franchise Operators Payment System Risk September 29, 2009 Top Five Data Security Trends Agenda Data Security Environment Compromise Overview and Attack Methods
More informationNew possibilities in latest OfficeScan and OfficeScan plug-in architecture
New possibilities in latest OfficeScan and OfficeScan plug-in architecture Märt Erik AS Stallion Agenda New in OfficeScan 10.5 OfficeScan plug-ins» More Active Directory support» New automated client grouping
More information5 Steps to Advanced Threat Protection
5 Steps to Advanced Threat Protection Agenda Endpoint Protection Gap Profile of Advanced Threats Consensus Audit Guidelines 5 Steps to Advanced Threat Protection Resources 20 Years of Chasing Malicious
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationMCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features
MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationInnovative Defense Strategies for Securing SCADA & Control Systems
1201 Louisiana Street Suite 400 Houston, Texas 77002 Phone: 877.302.DATA Fax: 800.864.6249 Email: info@plantdata.com Innovative Defense Strategies for Securing SCADA & Control Systems By: Jonathan Pollet
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationDeploying Firewalls Throughout Your Organization
Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense
More informationThe Fundamental Failures of End-Point Security. Stefan Frei Research Analyst Director sfrei@secunia.com
The Fundamental Failures of End-Point Security Stefan Frei Research Analyst Director sfrei@secunia.com Agenda The Changing Threat Environment Malware Tools & Services Why Cybercriminals Need No 0-Days
More informationEmerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA
Emerging Network Security Threats and what they mean for internal auditors December 11, 2013 John Gagne, CISSP, CISA 0 Objectives Emerging Risks Distributed Denial of Service (DDoS) Attacks Social Engineering
More informationDriving Company Security is Challenging. Centralized Management Makes it Simple.
Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary
More informationFranchise Data Compromise Trends and Cardholder. December, 2010
Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee
More informationDon t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure
Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Security studies back up this fact: It takes less than 20
More informationCybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix
Cybercrime myths, challenges and how to protect our business Vladimir Kantchev Managing Partner Service Centrix Agenda Cybercrime today Sources and destinations of the attacks Breach techniques How to
More informationSonicWALL PCI 1.1 Implementation Guide
Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard
More informationInfinity Acute Care System monitoring system
Infinity Acute Care System monitoring system Workstation security in a networked architecture Introduction The benefits of networked medical devices for healthcare facilities are compelling. However, the
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details
Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription
More informationCourse: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems
Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding
More informationPayment Card Industry Self-Assessment Questionnaire
How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationSygate Secure Enterprise and Alcatel
Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and
More informationTop 20 Critical Security Controls
Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need
More informationMITIGATING LARGE MERCHANT DATA BREACHES
MITIGATING LARGE MERCHANT DATA BREACHES Tia D. Ilori Ed Verdurmen January 2014 1 DISCLAIMER The information or recommendations contained herein are provided "AS IS" and intended for informational purposes
More informationCisco Virtualization Experience Infrastructure: Secure the Virtual Desktop
White Paper Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop What You Will Learn Cisco Virtualization Experience Infrastructure (VXI) delivers a service-optimized desktop virtualization
More informationManaged Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?
Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security
More information