Regulatory Compliance and Least Privilege Security
|
|
- Egbert Harrell
- 8 years ago
- Views:
Transcription
1 Regulatory Compliance and Least Privilege Security Page 1 of 11
2 Contents Regulatory Compliance and Least Privilege Security 3 Whitepaper 4 About the author 4 Introduction 4 Risks associated with administrative access 6 Least privilege security 7 Privilege Guard Overview 7 Privilege Guard Benefits 8 Mapping regulatory compliance requirements 8 to least privilege security Payment Card Industry Data Security Standard 8 (PCI DSS) v 1.2 Government Connect (United Kingdom) 8 Implementing Least Privileged Security for 8 regulatory compliance Application Control 8 Avecto Privilege Guard 8 Conclusion 8 About Avecto 9 Page 2 of 11
3 This whitepaper discusses the concept of least privilege security for personal computers, why it s needed to meet requirements set out by regulatory bodies and how to overcome problems in its implementation. Regulatory Compliance and Least Privilege Security Whitepaper As the requirement to comply with industry and government regulations, such as PCI DSS and Government Connect (or FDDC in the States), becomes more established; securing data as it passes through personal computer systems is crucial to satisfy auditors, and ensure that security breaches don t result in expensive data loss. Russell Smith It s common practice for employees to log in to Windows PCs with administrative privileges to carry out everyday tasks, dramatically increasing the risk that malware, such as viruses and key loggers that steal passwords and sensitive information, can install without the user s knowledge. While it s often considered that antivirus software and firewalls provide enough protection to block malware on PCs, these solutions are regularly thwarted and are only effective if part of a defense-in-depth security strategy. This whitepaper discusses the concept of least privilege security for personal computers, why it s needed to meet requirements set out by regulatory bodies and how to overcome problems in its implementation. Author Russell Smith Dip HE, MCSE, MCP About the author Russell Smith is author of Least Privilege Security for Windows 7, Vista and XP published by PACKT, Contributing Editor for Microsoft Best Practices at CDW s Biztech Magazine and a regular contributor to leading industry journal Windows IT Professional. Russell holds a Dip HE from the University of London and is a Microsoft Certified Systems Engineer (MCSE). With over 10 years experience securing and managing Windows Server systems for Fortune Global 500 companies and SMEs, Russell is also an experienced trainer. You can contact Russell at rms@russell-smith.net. Page 3 of 11
4 Introduction When an employee logs in to a PC with administrative privileges, they can change system-wide settings that affect all users of the device and block management software, antivirus and policy settings. Russell Smith FDDC, PCI DSS, Government Connect, SOX and HIPAA are primarily intended to protect sensitive information from unauthorized access, uphold data integrity and prevent data leakage. A lot of attention is focused on securing assets in the data center; ensuring employees only have access to necessary files and server resources. In scenarios where terminal applications are deployed and data is never transferred from server to client, the risk of sensitive information being compromised is reduced. Many server applications require the transfer of data to client operating systems, whether installed on physical devices or as part of a Virtual Desktop Infrastructure (VDI). This enables offline access in the case of notebook computers or improves performance by utilizing the processing power of the client device. To comply with data protection mandates, it s essential to ensure that sensitive information stored on client devices cannot be compromised or accessed by unauthorized users. Risks associated with administrative access Organizations shouldn t rely on users to make decisions about PC security that can affect sensitive data and weaken the resilience of a network. Most users are neither qualified to make calls on PC security nor concerned about the wider implications a bad security choice may have on the company. PCs are an important part of information systems, and security decisions should be made by system administrators or dedicated security teams. When an employee logs in to a PC with administrative privileges, they can change system-wide settings that affect all users of the device and block management software, antivirus and policy settings configured by the IT department designed to protect the machine. Employees with administrative privileges can access the local data of other users of the PC, unless it is encrypted. The risk of critical Windows vulnerabilities being exploited is significantly increased if users log in with administrative accounts, removing an important layer of defense while updates are being tested for deployment. Programs that run on users desktops, started intentionally or not, do so with the same privileges as the logged in user. If the account has administrative privileges, malware has full access to data stored on the PC and the ability to modify the operating system for the purposes of disrupting normal operation (denial of service), attack other PCs and servers on the network or Page 4 of 11
5 steal information. Malware can run automatically without a user s knowledge, via Internet browser or other application exploits, and is often downloaded or started accidentally from removable media, such as CDs or USB drives. One infected PC can be enough to disrupt service for all devices connected to a network, and at worst, compromise servers and other PCs. Corporate Network Server Office worker 1 Malware evades antivirus and exploits user s privileges to infect PC. Corporate Firewall Internet Sensitive Documents Application Data Home 2 Sensitive server data is transferred to an internet bot without the user s knowledge. Antivirus Software Internet bot captures data as malware calls home. Home worker Network Traffic Passwords 1 2 Malware evades antivirus and exploits user s privileges to infect notebook. Data caches from the company server is transferred to an internet bot without the user s knowledge. Least privilege security Least privilege security is the act of granting users only the rights necessary to carry out their job. Least privileged user accounts, sometimes abbreviated to LUA or standard user account, help to mitigate the risks associated with administrative accounts, which are intended for use in scenarios where changes to critical system configuration need to be made. The use of LUAs not only decreases the risk of data loss and unauthorized access, but improves productivity and reduces costs through better manageability. While the Principle of Least Privilege Security has always been implemented in Unix-based operating systems, and to a certain extent on Windows Servers, early versions of Windows for home PCs didn t include any concept of security, and the absence of a built-in SU command (Switch User) in Windows NT, which allows users to conveniently change from one user account to another, meant that programmers adopted bad practice and developed applications that required administrative privileges to run. Page 5 of 11
6 More recent versions of Windows (Vista and Windows 7), include a set of technologies under the umbrella of User Account Control (UAC), and are designed to encourage the adoption of applications that work without the need for administrative privileges. The first user account created in Vista and Windows 7 is a Protected Administrator (PA). PAs run with standard user privileges unless consent is explicitly given by the user to grant a process administrative access to the system. The default UAC setting in Windows 7 allows certain built-in processes to silently elevate to administrative privileges without requiring consent. This functionality was added to appease complaints that UAC prompts appeared too frequently in Windows Vista. Protected Administrator accounts provide home users and small businesses with many of the benefits of true standard user accounts that in the past were only found in organizations with managed IT infrastructures. UAC is a user-driven technology and doesn t provide organizations with any means of dynamically assigning privileges to standard users without giving employees access to an administrator account. Mapping regulatory compliance requirements to least privilege security The most commonly implemented regulations can be divided into two categories: those that explicitly demand the use of least privilege security on PCs (PCI DSS, FDCC and Government Connect) and those that suggest it (SOX and HIPAA). In the latter case, auditors interpret the regulations as to require least privilege. Payment Card Industry Data Security Standard (PCI DSS) v 1.2 The current version of PCI DSS, for businesses that process or store credit card data, contains a directive in Requirement 7: Restrict access to cardholder data by business need to know that specifically requires the use of least privilege user accounts: Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities Assignment of privileges to individuals based on job classification and function. Federal Desktop Core Configuration (FDCC) Page 6 of 11
7 The US government s FDCC mandate states that federal employees must log in to PCs with standard user privileges. Government Connect (United Kingdom) The US government s FDCC mandate states that federal employees must log in to PCs with standard user privileges. Russell Smith Government Connect is a scheme that provides local authorities in the UK with secure and accredited connections to central government and other local authority networks via the Government Connect Secure Extranet (GCSX). The GCSX Connect Code of Connection (CoCo) is a list of security controls and is a mandatory requirement for connection to GCSX. CoCo is reassessed annually. 4.2 Configuration: The execution of unauthorized software is prevented. 4.3 Configuration: Organizations have in place a configuration control process which prevents unauthorized changes to the standard build of network devices and hosts (this includes both clients and servers) Protective Monitoring: Audit logs recording user activities, exceptions and information security events are available to be produced to assist in investigations and access control monitoring Web Enabled Applications: The web browser and other web-enabled applications, such as media players do not run in the context of a privileged user. Controls 4.2, 4.3 and 18.1 are impossible to enforce if users log in with administrative privileges. Additionally, if control 13.2 is fulfilled using the Windows Event Log, users with administrative rights could delete audit logs, wiping out evidence that might be used in investigations and monitoring. Sarbanes Oxley (SOX) and Health Insurance Portability and Accountability Act (HIPAA) Due to the high-level nature of the SOX and HIPAA directives, COBIT (Control Objectives for Information and Related Technology) is generally used as the standard by which the technical aspects of the regulations are audited. DS 5.3 Identity Management - Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. DS 5.4 User Account Management - Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges. Page 7 of 11
8 DS 5.7 Protection of Security Technology - Make security-related technology resistant to tampering. DS 5.9 Malicious Software Prevention, Detection and Correction - Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam). Least privilege security can be used to achieve compliance of these four Deliver and Support (DS) controls. DS 5.3 talks about business needs, which rarely require users to have administrative access to PCs. DS 5.7 covers security-related technology, which includes antivirus software and event logs on PCs that can be tampered with if users have administrative privileges. Lastly, least privilege is an effective preventative measure that protects against malware. Implementing Least Privileged Security for regulatory compliance UAC in Vista and Windows 7 includes many improvements that make it easier to work without administrative privileges and helps overcome many of the problems faced when removing administrative privileges. Microsoft also has a free tool called the Application Compatibility Toolkit (ACT) that can be used to deploy fixes for applications not compatible with LUA. Though removing administrative privileges from users accounts is simple from a technical perspective, it can result in a series of problems: Applications that no longer start or don t function correctly. Users no longer able to install approved programs without intervention from the helpdesk. Users may not be able to install ActiveX controls or other internet browser plugins. Common configuration tasks, such as changing the time zone, may be blocked. Patches and updates must be provisioned using a software distribution system such as Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM). Devices that don t have drivers available on Windows Update or are not pre-staged by system administrators cannot be installed by standard users. Helpdesk staff may need additional training to support PCs where users log in with standard user accounts. Despite the enhancements brought by UAC, Windows XP is still widely deployed and was not designed with least privilege security in mind. UAC doesn t provide the flexibility and Page 8 of 11
9 agility required by many organizations to quickly respond to changing demands or afford practical working environments for anything more than basic scenarios. Application control Beyond removing administrative privileges from users, application whitelists determine which programs users are permitted to run. Applications not included on a whitelist are blocked. This greatly reduces the risk of malware or unauthorized programs running in the context of the user s account. The ability to whitelist approved applications is important, as traditional antivirus solutions prove less effective and malware evolves to target users without administrative privileges. Windows XP Professional and Vista (Business, Enterprise and Ultimate editions only) include Software Restriction Policies (SRP) that can block or allow programs identified by criteria such as file path or digital certificate. Windows 7 Professional (logging only), Enterprise and Ultimate editions have AppLocker, the replacement for SRP, and gives system administrators more control in the hope that the technology will see better uptake. Avecto Privilege Guard Privilege Guard enables standard users to run applications or processes with additional privileges as determined by a system administrator. Unlike UAC, onscreen prompts can be suppressed or customized, and a secondary account is not required. A client-side component, implemented as a user-mode service, and server-based Group Policy settings are used to assign processes extra privileges on-the-fly based on multiple criteria. System administrators can remove administrative rights from user accounts with confidence in the knowledge that should additional privileges be required, Privilege Guard provides the functionality to quickly and easily elevate privileges for specific processes by modifying the security token for the given process only. System administrators can control privileges assigned to the following objects: Executables Control Panel Applets Management Console (MMC) snap-ins Windows Installer Packages (.msi files) Windows Scripting Host (WSH), PowerShell scripts and batch (.bat) files Registry Editor (.reg) files ActiveX controls (matched by URL or CLSID) Page 9 of 11
10 Privilege Guard also provides system administrators with Application Templates that allow Windows functions to be quickly located and granted additional privileges as required. For example, you can give notebook users additional flexibility by allowing them to configure Clear Type using the built-in tuner or manage settings for offline files. With the help of Privilege Guard, system administrators can avoid many of the common issues involved when implementing least privilege security, ensuring that: Line-of-business applications continue to work correctly. Users can change configuration required for everyday tasks. ActiveX controls and approved software can be installed without helpdesk intervention Device Manager can be run to install device drivers. Notebook users can modify the time zone in Windows XP. System administrators can customize messages users see when a Privilege Guard policy is activated, optionally requiring the user to specify a reason for launching the process and/ or provide their password. Privilege Guard policy use is also recorded in the Windows Event Log as standard. Privilege Guard provides enterprises with a uniform system for application control across PCs running Windows XP and later, allowing administrators to define program whitelists from a central location. Conclusion Least privilege security is a critical component in any regulatory compliance project. Microsoft s efforts to reduce the reliance on administrative privileges and improve application compatibility with standard user accounts with User Account Control has been successful, put pain points still persist for organizations looking to remain flexible but remove administrative privileges from users. Restricting users privileges is an effective means of protecting PCs against malware, unwanted changes to standard system images and curbing software piracy. Efficiency gains and a reduction in helpdesk calls also help reduce IT costs and make organizations more competitive. Additional technologies compliment Microsoft s free tools to provide users with secure but flexible systems and help organizations achieve compliance without limiting productivity or the ability to respond quickly to changing business needs. Page 10 of 11
11 About Avecto Avecto is a pioneer in least privilege management, helping organizations to deploy secure and compliant desktops and servers. With its innovative Privilege Guard technology, organizations can now empower all Windows based desktop and server users with the privileges they require to perform their roles, without compromising the integrity and security of their systems. Customers of all sizes rely on Avecto to reduce operating expenses and strengthen security across their Windows based environments. Our mission is to enable our customers to lower operating costs and improve system security by implementing least privilege. Avecto is building a worldwide channel of partners and system integrators and is headquartered in Manchester, UK. For more information, visit Hobart House, 3 Oakwater Avenue, Cheadle Royal Business Park, Cheadle SK8 3SR United Kingdom T +44 (0) E Page 11 of 11
Regulatory Compliance and Least Privilege Security
Regulatory Compliance and Least Privilege Security Whitepaper As the requirement to comply with industry and government regulations, such as PCI DSS and Government Connect (or FDDC in the States), becomes
More informationCompliance series Guide to meeting requirements of USGCB
Compliance series Guide to meeting requirements of USGCB avecto.com Contents Introduction to USGCB 2 > From FDCC to USGCB 3 > USGCB settings and standard user accounts 3 > Application compatibility 4 >
More informationApplying the Principle of Least Privilege to Windows 7
1 Applying the Principle of Least Privilege to Windows 7 2 Copyright Notice The information contained in this document ( the Material ) is believed to be accurate at the time of printing, but no representation
More informationMCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features
MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security
More informationPCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
More informationLeast Privilege in the Data Center
Least Privilege in the Data Center avecto.com avecto.com 1 Introduction Removing excess administrator privileges is considered to be one of the most essential risk mitigation strategies for organizations
More informationViewfinity Privilege Management Integration with Microsoft System Center Configuration Manager. By Dwain Kinghorn
4 0 0 T o t t e n P o n d R o a d W a l t h a m, M A 0 2 4 5 1 7 8 1. 8 1 0. 4 3 2 0 w w w. v i e w f i n i t y. c o m Viewfinity Privilege Management Integration with Microsoft System Center Configuration
More informationRunning A Fully Controlled Windows Desktop Environment with Application Whitelisting
Running A Fully Controlled Windows Desktop Environment with Application Whitelisting By: Brien M. Posey, Microsoft MVP Published: June 2008 About the Author: Brien M. Posey, MCSE, is a Microsoft Most Valuable
More informationDid you know your security solution can help with PCI compliance too?
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
More informationChapter 1: Your relationship with risk
ebook C-level guide to defense in depth Chapter 1: Your relationship with risk Russell Smith, Windows Security Expert Contents Synopsis 3 About the author 4 Your relationship with risk 5 The psychology
More informationChapter 2: The hidden flaws in Windows
ebook C-level guide to defense in depth Chapter 2: The hidden flaws in Windows Sami Laiho, MVP Windows Expert Contents Synopsis 3 About the author 4 The hidden flaws in Windows 5 Getting rid of administrative
More informationIntroduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
More informationImplementing Windows Security with Group Policy by Derek Melber MCSE, MVP
1 Implementing Windows Security with Group Policy by Derek Melber MCSE, MVP 2 Copyright Notice The information contained in this document ( the Material ) is believed to be accurate at the time of printing,
More informationHow to use Alertsec to Enable SOX Compliance for Your Customers
How to use Alertsec to Enable SOX Compliance for Your Customers Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints Contents Executive Summary...
More informationHow to Use Windows Firewall With User Account Control (UAC)
Keeping Windows 8.1 safe and secure 14 IN THIS CHAPTER, YOU WILL LEARN HOW TO Work with the User Account Control. Use Windows Firewall. Use Windows Defender. Enhance the security of your passwords. Security
More informationThe Education Fellowship Finance Centralisation IT Security Strategy
The Education Fellowship Finance Centralisation IT Security Strategy Introduction This strategy outlines the security systems in place to optimise, manage and protect The Education Fellowship data and
More informationCloudCheck Compliance Certification Program
CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or
More informationSecurity and Compliance. Robert Nottoli Principal Technology Specialist Microsoft Corporation robnotto@microsoft.com
Security and Compliance Robert Nottoli Principal Technology Specialist Microsoft Corporation robnotto@microsoft.com DISCLAIMER FOR DOCUMENTATION REGARDING PRE-RELEASED SOFTWARE This document supports a
More informationWindows Phone 8 Security Overview
Windows Phone 8 Security Overview This white paper is part of a series of technical papers designed to help IT professionals evaluate Windows Phone 8 and understand how it can play a role in their organizations.
More informationMANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationA Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationOctober 2014. Application Control: The PowerBroker for Windows Difference
Application Control: The PowerBroker for Windows Difference October 2014 1 Table of Contents Introduction... 4 The Default-Deny Approach to Application Control... 4 Application Control s Dependence on
More informationWindows Least Privilege Management and Beyond
CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationBest Practices for DanPac Express Cyber Security
March 2015 - Page 1 Best Practices for This whitepaper describes best practices that will help you maintain a cyber-secure DanPac Express system. www.daniel.com March 2015 - Page 2 Table of Content 1 Introduction
More informationSystem Security Policy Management: Advanced Audit Tasks
System Security Policy Management: Advanced Audit Tasks White Paper October 6, 2005 2005 Altiris Inc. All rights reserved. ABOUT ALTIRIS Altiris, Inc. is a pioneer of IT lifecycle management software that
More informationTop Five Ways to Protect Your Network. A MainNerve Whitepaper
A MainNerve Whitepaper Overview The data security challenges within the business world have never been as challenging as they are today. Not only must organizations providers comply with stringent State
More informationWindows 7. Qing Liu Qing.Liu@chi.frb.org Michael Stevens Michael.Stevens@chi.frb.org
Windows 7 Qing Liu Qing.Liu@chi.frb.org Michael Stevens Michael.Stevens@chi.frb.org 1 Overview 1. Financial Institution s Preliminary Steps 2. User Interface 3. Data Protection 4. User and Group Changes
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationHow To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationIntegrated Threat & Security Management.
Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate
More informationAlienVault for Regulatory Compliance
AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have
More informationCompliance series Guide to the NIST Cybersecurity Framework
Compliance series Guide to the NIST Cybersecurity Framework avecto.com In this paper, Avecto looks at the role least privilege security and application control play in the National Institute of Standards
More informationSeven for 7: Best practices for implementing Windows 7
Seven for 7: Best practices for implementing Windows 7 The early reports are in, and it s clear that Microsoft s Windows 7 is off to a fast start thanks in part to Microsoft s liberal Windows 7 beta program
More informationPCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00
PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)
More informationEnd-user Security Analytics Strengthens Protection with ArcSight
Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security
More informationDriveLock and Windows 7
Why alone is not enough CenterTools Software GmbH 2011 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
More informationUsing WMI Scripts with BitDefender Client Security
Using WMI Scripts with BitDefender Client Security Whitepaper Copyright 2009 BitDefender; Table of Contents 1. Introduction... 3 2. Key Benefits... 4 3. Available WMI Script Templates... 5 4. Operation...
More informationTrend Micro OfficeScan 11.0. Best Practice Guide for Malware
Trend Micro OfficeScan 11.0 Best Practice Guide for Malware Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned
More informationAre You in Control? MaaS360 Control Service. Services > Overview MaaS360 Control Overview
Services > Overview MaaS360 Control Overview Control Over Endpoints Ensure that patches and security software on laptops and distributed PCs are always up to date. Restart applications automatically. Block
More informationNeed to be PCI DSS compliant and reduce the risk of fraud?
Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationWEB SECURITY. Oriana Kondakciu 0054118 Software Engineering 4C03 Project
WEB SECURITY Oriana Kondakciu 0054118 Software Engineering 4C03 Project The Internet is a collection of networks, in which the web servers construct autonomous systems. The data routing infrastructure
More informationSecureAge SecureDs Data Breach Prevention Solution
SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationCountermeasures against Spyware
(2) Countermeasures against Spyware Are you sure your computer is not infected with Spyware? Information-technology Promotion Agency IT Security Center http://www.ipa.go.jp/security/ 1. What is a Spyware?
More informationDevice Hardening, Vulnerability Remediation and Mitigation for Security Compliance
Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationHow To Secure Your System From Cyber Attacks
TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital
More informationInsightCloud. www.insightcloud.com. Hosted Desktop Service. What is InsightCloud? What is SaaS? What are the benefits of SaaS?
What is InsightCloud? InsightCloud is a web portal enabling Insight customers to purchase and provision a wide range of Cloud services in a straightforward and convenient manner. What is SaaS? Software
More informationStep-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses
Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses 2004 Microsoft Corporation. All rights reserved. This document is for informational purposes only.
More informationSpyware. Michael Glenn Technology Management Michael.Glenn@Qwest.com. 2004 Qwest Communications International Inc.
Spyware Michael Glenn Technology Management Michael.Glenn@Qwest.com Agenda Security Fundamentals Current Issues Spyware Definitions Overlaps of Threats Best Practices What Service Providers are Doing References
More informationWHITEPAPER. Compliance: what it means for databases
WHITEPAPER Compliance: what it means for databases Introduction Compliance is the general term used to describe the efforts made by many (typically larger) organizations to meet regulatory standards. In
More informationPCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core
PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566
More informationPCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core
PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationMicrosoft Corporation. Status: Preliminary documentation
Microsoft Corporation Status: Preliminary documentation Beta content: This guide is currently in beta form. The AppLocker team greatly appreciates you reviewing the document and looks forward to receiving
More informationLectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003
Lectures 9 Advanced Operating Systems Fundamental Security Computer Systems Administration TE2003 Lecture overview At the end of lecture 9 students can identify, describe and discuss: Main factors while
More informationManaging Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform
Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World
More informationWindows 7, Enterprise Desktop Support Technician
Windows 7, Enterprise Desktop Support Technician Course Number: 70-685 Certification Exam This course is preparation for the Microsoft Certified IT Professional (MCITP) Exam, Exam 70-685: Pro: Windows
More informationSecure Remote Control Security Features for Enterprise Remote Access and Control
Secure Remote Control Security Features for Enterprise Remote Access and Control Good communication is vital to any company, large or small. Many departments within companies are utilizing different platforms
More information1. Thwart attacks on your network.
An IDPS can secure your enterprise, track regulatory compliance, enforce security policies and save money. 10 Reasons to Deploy an Intrusion Detection and Prevention System Intrusion Detection Systems
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationK7 Business Lite User Manual
K7 Business Lite User Manual About the Admin Console The Admin Console is a centralized web-based management console. The web console is accessible through any modern web browser from any computer on the
More informationPreparing Your Personal Computer to Connect to the VPN
Preparing Your Personal Computer to Connect to the VPN (Protecting Your Personal Computer Running Windows) Using the VPN to connect your computer to the campus network is the same as bringing your computer
More information70-685: Enterprise Desktop Support Technician
70-685: Enterprise Desktop Support Technician Course Introduction Course Introduction Chapter 01 - Identifying Cause and Resolving Desktop Application Issues Identifying Cause and Resolving Desktop Application
More informationComplementing Vaulting Technologies in the Data Center
Complementing Vaulting Technologies in the Data Center avecto.com Contents Introduction 2 The traditional method of vaulting technologies 3 Limitations of the PIM approach to server security 4 The Solution:
More informationLaws, regulations and compliance: Top tips for keeping your data under your control
Laws, regulations and compliance: Top tips for keeping your data under your control The challenge of complying with a growing number of frequently changing government, industry and internal regulations
More informationVirtualization Impact on Compliance and Audit
2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance
More informationAvecto Privilege Guard Empowers Intouch Employees While Safeguarding Security.
I N T O U C H S O L U T I O N S Avecto Case Study Avecto Privilege Guard Empowers Intouch Employees While Safeguarding Security. Boosts productivity and enables employees to focus on their work Enhances
More informationProtecting personally identifiable information: What data is at risk and what you can do about it
Protecting personally identifiable information: What data is at risk and what you can do about it Virtually every organization acquires, uses and stores personally identifiable information (PII). Most
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationInspection of Encrypted HTTPS Traffic
Technical Note Inspection of Encrypted HTTPS Traffic StoneGate version 5.0 SSL/TLS Inspection T e c h n i c a l N o t e I n s p e c t i o n o f E n c r y p t e d H T T P S T r a f f i c 1 Table of Contents
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationAVeS Cloud Security powered by SYMANTEC TM
Protecting your business from online threats should be simple, yet powerful and effective. A solution that secures your laptops, desktops, and servers without slowing down your systems and distracting
More informationNew Zealand National Cyber Security Centre
Unclassified New Zealand National Cyber Security Centre Application Whitelisting With Microsoft Applocker June 2012 V1.0.5 Application Whitelisting with Microsoft Applocker Cyber Security Plan As outlined
More informationDocument ID. Cyber security for substation automation products and systems
Document ID Cyber security for substation automation products and systems 2 Cyber security for substation automation systems by ABB ABB addresses all aspects of cyber security The electric power grid has
More informationBest Practices for PC Lockdown and Control Policies. By Dwain Kinghorn
4 0 0 T o t t e n P o n d R o a d W a l t h a m, M A 0 2 4 5 1 7 8 1. 8 1 0. 4 3 2 0 w w w. v i e w f i n i t y. c o m Best Practices for PC Lockdown and Control Policies By Dwain Kinghorn TABLE OF CONTENTS
More informationCourse overview. CompTIA A+ Certification (Exam 220 902) Official Study Guide (G188eng verdraft)
Overview This 5-day course is intended for those wishing to qualify with. A+ is a foundation-level certification designed for IT professionals with around 1 year's experience whose job role is focused
More informationRemote Vendor Monitoring
` Remote Vendor Monitoring How to Record All Remote Access (via SSL VPN Gateway Sessions) An ObserveIT Whitepaper Daniel Petri March 2008 Copyright 2008 ObserveIT Ltd. 2 Table of Contents Executive Summary...
More informationStudent Tech Security Training. ITS Security Office
Student Tech Security Training ITS Security Office ITS Security Office Total Security is an illusion security will always be slightly broken. Find strategies for living with it. Monitor our Network with
More informationTop five strategies for combating modern threats Is anti-virus dead?
Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.
More informationThe True Story of Data-At-Rest Encryption & the Cloud
The True Story of Data-At-Rest Encryption & the Cloud by Karen Scarfone Principal Consultant Scarfone Cybersecurity Sponsored by www.firehost.com (US) +1 844 682 2859 (UK) +44 800 500 3167 twitter.com/firehost
More informationHow SUSE Manager Can Help You Achieve Regulatory Compliance
White Paper Server How SUSE Manager Can Help You Achieve Regulatory Compliance Table of Contents page Why You Need a Compliance Program... 2 Compliance Standards: SOX, HIPAA and PCI... 2 What IT Is Concerned
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationFor Businesses with more than 25 seats. www.eset.com
For Businesses with more than 25 seats www.eset.com ESET Endpoint Protection Standard Whether your business is just starting or Simple and Straightforward established, there are a few things you expect
More informationSecurity Survey 2009: Privileged User Management It s Time to Take Control Frequently Asked Questions and Background
Security Survey 2009: Privileged User Management It s Time to Take Control Frequently Asked Questions and Background What is a privileged user? A privileged user is an individual who, by virtue of function,
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationTowards a Comprehensive Internet Security Strategy for SMEs
Internet Security Strategy for SMEs Small and medium-sized enterprises (SMEs) need a comprehensive Internet security strategy to be able to protect themselves from myriad web-based threats. Defining and
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationBYOD Guidance: BlackBerry Secure Work Space
GOV.UK Guidance BYOD Guidance: BlackBerry Secure Work Space Published 17 February 2015 Contents 1. About this guidance 2. Summary of key risks 3. Secure Work Space components 4. Technical assessment 5.
More informationAvoiding the Top 5 Vulnerability Management Mistakes
WHITE PAPER Avoiding the Top 5 Vulnerability Management Mistakes The New Rules of Vulnerability Management Table of Contents Introduction 3 We ve entered an unprecedented era 3 Mistake 1: Disjointed Vulnerability
More informationSmartDraw Installation Guide
SmartDraw Installation Guide System Requirements Your computer must meet these requirements in order to run SmartDraw: Windows Vista, XP or 2000 256MB RAM 3GB free hard disk space Installation Options
More informationEndpoint Security Management
Endpoint Security Management LANDESK SOLUTION BRIEF Protect against security threats, malicious attacks and configuration vulnerabilities through strong endpoint security control and maintenance. Protect
More information