IoT & SCADA Cyber Security Services

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "IoT & SCADA Cyber Security Services"

Transcription

1 IoT & SCADA Cyber Security Services RIOT SOLUTIONS PTY LTD P.O. Box 10087, Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 4, 60 Edward St, Brisbane, QLD 4000 T:

2 Table of Contents 1 Overview Offer of Professional Services Skills and Experience Services IoT Cyber Security Assessment ICS/SCADA Cyber Security Assessment Pricing Page 2 of 12

3 1 Overview RIoT Solutions offers a range of cyber security services to meet clients digital technology needs. Specifically, these relate to IoT (Internet of Things) technologies and SCADA (Supervisory Control and Data Acquisition) systems. As technology solutions are designed and implemented for IoT projects, there is a requirements for security assessments that are performed by an independent 3 rd party organisation specialising in cyber security, with an appropriately qualified resources. The purpose of this document is to outline the approach and proposed services that RIoT Solutions recommends, and to assist organisations in understanding the scope of the work and effort required to achieve the desired business outcomes. 1.1 Offer of Professional Services RIoT Solutions offers the following key cyber security services to enable organisations to attain the desired outcomes listed in the previous section. The services are packaged and available on a fixed-scope fee basis. Further aspects of each service are listed in section 2: Services IoT Systems Service Description Deliverables IoT Cyber Security Assessment (High-level) Review overall security against key IOT vulnerability categories in: OWASP IoT Top 10 Provide a report with: - Identified vulnerabilities, and the resulting risks - Prioritised list of recommendations for risk mitigations IoT Cyber Security Assessment (Detailed) IoT Security Vulnerability Testing Review overall security design and the elements of a Protection Architecture for IoT, utilising Cloud Security Alliance (CSA) reference: Security Guidance for Early Adopters of the IoT Perform vulnerability testing of the supporting infrastructure (devices, hosts, networks and services) of the target IoT solution Identify, and where safe to do so, exploit vulnerabilities to confirm risk Provide a report with: - Identified security architecture issues, vulnerabilities, and the resulting risks, plus rating against CSA s list of recommended security controls - Prioritised list of recommendations for addressing security architecture weaknesses Provide a report with: - Identified technical vulnerabilities, sample attack / exploitation steps, and the resulting risks - Identified effective security controls Page 3 of 12

4 exposure - Prioritised list of recommendations for risk mitigations Table 1: Professional Services Security Assessments of IoT Systems SCADA Systems Service Description Deliverables SCADA Cyber Security Operations Review SCADA Security Vulnerability Assessment Review the current state of SCADA cyber security operations against industry best practice guidelines: NIST Framework for Improving Critical Infrastructure Cybersecurity Perform an independent testing of nominated SCADA network segments Provide a report showing: - How management of cyber security risks compares to best practice - Recommendations for addressing any identified gaps Provide a report with: - Identified technical vulnerabilities - Sample attack / exploitation steps (if permitted), and the resulting risks - Identified effective security controls - Prioritised list of recommendations for risk mitigations Table 2: Professional Services Security Assessments of SCADA Systems Note: the services above do not constitute a finite, locked service scope offering this initial service range had been put together without the known aspects of the scale and complexity of the targeted IoT or SCADA systems. RIoT Solutions can customise the services, or add additional ones, depending on specific requirements. 1.2 Skills and Experience Our experience covers all areas of cyber security and risk assessments of critical infrastructure consisting of potentially fragile network-connected systems such as Real-Time SCADA and other devices deployed within healthcare, transportation and energy supply industries. We are one of the few organisations that offer resources with ICS/SCADA security specific training and certification RIoT Solutions consultants have attained the Certified SCADA Security Architect (CSSA) qualification, attended a diverse range of ICS security focused training courses and conferences in Europe and USA, and have provided critical infrastructure security assessment services to many Queensland organisations that operate and/or build critical infrastructure systems. Page 4 of 12

5 2 Services The proposed cyber security services are specifically tailored to the unique characteristics of IoT and ICS/SCADA solutions. Sections 2.1 and 2.2 detail the approach and methodologies of each service offering. 2.1 IoT Cyber Security Assessment Assuring the security of each component within an IoT system is imperative in order to prevent malicious actors from gaining unauthorised access to, or the ability to tamper with, systems and data that form the IoT solution. Since a typical IoT solution will introduce large quantities of new devices and/or embedded components throughout an organization, it is highly likely that this will lead to an increase of potential cyber security risks within the IoT solution s deployment, and where connected to enterprise or ICS/SCADA systems it might also introduce additional risks of the IoT solution being used as an attack vector into an organisation s other critical assets. RIoT Solutions offers the following levels of cyber security assessment services, to allow organisations to select the most appropriate option for a particular requirement and budgeted funds for each unique solution requiring a security review: High-level Assessment Detailed Assessment Security Vulnerability Testing High-level Assessment Service scope: Review overall security of the target IoT solution against list of the 10 key vulnerability categories specified in the OWASP Internet of Things Top 10 Project The Open Web Application Security Project (OWASP) is not-for-profit organisation focused on improving the security of software. Since 2003, it has been providing applications security testing and design guidance, and in 2014, OWASP compiled an IoT dedicated list: IoT Top 10. Whilst it is intended only as a high-level guidance for reviewing IoT security, it was designed to cover all attack surface areas, in order to get a good, high-level assessment of overall security. The IoT Top 10 categories are: Rank Title I-1 Insecure Web Interface I-2 Insufficient Authentication/Authorization I-3 Insecure Network Services I-4 Lack of Transport Encryption Page 5 of 12

6 I-5 Privacy Concerns I-6 Insecure Cloud Interface I-7 Insecure Mobile Interface I-8 Insufficient Security Configurability I-9 Insecure Software/Firmware I-10 Poor Physical Security Table 3: Top 10 IoT Vulnerabilities (OWASP 2014) Objectives: Evaluate the target IoT solution for security weaknesses, map the main attack surface areas for any IoT device, communication network and back-end systems, in order to provide guidance on how to avoid or mitigate vulnerabilities within each component. Key benefits: Improve security of systems designed and implemented Identify and remediate key security vulnerabilities before solutions go live Demonstrate to clients that technology solutions are designed and delivered with systems & data security in mind Allow organisations to design and deploy (or at least recommend) compensating controls where vulnerabilities cannot be patches or removed, especially given the fact that many IoT devices have very little or no in-built security features. Deliverables: Provide a detailed report, clearly documenting any vulnerabilities and resulting risks, and showing the remediation recommendations. The report will also highlight all areas where best practice recommendations are already being met. Constraints: A comprehensive testing against every single category. For example, extended testing of the Insecure Web Interface of a complex IoT data analytics platform could involve an in-depth testing against OWASP Top 10 for web application security such engagements usually take more than five days Detailed Assessment Service Scope: Review overall security design and applicable details of the target IoT solution against guidance for the secure implementation of IoT-based systems, specified in Cloud Security Alliance (CSA) Security Guidance for Early Adopters of the Internet of Things Page 6 of 12

7 The CSA is an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. It maintains Working Groups across 28 domains of Cloud Security. One of the groups is the Internet of Things Working Group that conducts research into best practices for securing IoT implementations. The Security Guidance for Early Adopters of the IoT outlines the current challenges to secure IoT deployments, and seeks to address them via suggested Recommended Security Controls, tailored to IoT-specific characteristics. The CSA key recommended security controls are: Analyse privacy impacts to stakeholders (e.g. data capture at points of collection, processing, transport and storage) Apply a Secure Systems Engineering approach to architecting and deploying a new IoT System (e.g. threat modelling, secure development, and secure supply chain) Implement layered security protections to defend IoT assets (at the Network, Application, Device, Physical and Human layers) Implement data protection best-practices to protect sensitive information (data identification, classification and security) Define lifecycle controls for IoT devices (plan, deploy, manage, monitor and detect, remediate) Define and implement an authentication/authorization framework for the organisation s IoT Deployments (the authentication method will depend on the constraints of the device) Define and implement a logging/audit framework for the organisation s IoT ecosystem (what events and metadata to log, and to where). CSA have tailored these controls to IoT-specific characteristics to allow early adopters of the IoT to mitigate many of the risks associated with this new technology. Objectives: Evaluate the target IoT solution for security architecture weaknesses, document resulting risks, and provide rating against CSA s list of recommended security controls. Provide guidance on how to avoid or mitigate vulnerabilities within each IoT architecture component. Key benefits: Improve security of systems designed and implemented Identify and remediate key security vulnerabilities and security architecture weaknesses before solutions go live Page 7 of 12

8 Demonstrate to clients that technology solutions are designed and delivered with systems & data security in mind Allow organisations to design and deploy (or at least recommend) compensating controls where vulnerabilities cannot be patches or removed. Deliverables: Provide a detailed report documenting the identified security architecture issues, vulnerabilities, the resulting risks, and rating against CSA s list of recommended security controls. Include a prioritised list of recommendations for addressing security architecture weaknesses. Constraints: As per the previously listed constraints for the High-level assessment service, extended review of all aspects of the IOT solution s application-layer, unless it is requested as an additional service focused on application security testing and design review Security Vulnerability Testing Service Scope: Perform an independent security testing of the supporting infrastructure (devices, hosts, networks and services) of the target IoT solution, in the context of an unauthenticated, anonymous user Where applicable, login with provided test user account with low privileges, to check for weak access restrictions to sensitive data, systems and management interfaces for authenticated users. Objectives: Identify and document any risks to the target IoT solution, posed by a potential attacker connected to any of the IoT solution components, and/or by an authenticated low-privilege user Provide guidance on how to avoid or mitigate vulnerabilities within each component. Key benefit: Identification and ensuing reduction of risks within designed and/or implemented IoT solution environment. Deliverables: Provide a detailed report documenting Identified technical vulnerabilities, sample attack / exploitation steps, and the resulting risks. Document any effective security controls where identified, and include a prioritised list of recommendations for risk mitigations. Page 8 of 12

9 Constraints: High-intensity automated vulnerability scanning and other aggressive testing methods (e.g. Denial of Service attacks, brute-force password guessing, etc.), due to potential impact on live environments. For any systems or components that are deemed too critical and potentially fragile, RIoT Solutions will work closely with the customer in order to come up with an alternative, safe testing approach, such as hands-off security review (e.g. an off-line review of system configuration files and documentation), or testing a spare system(s) in a LAB environment. 2.2 ICS/SCADA Cyber Security Assessment RIoT Solutions offers the following two types of cyber security assessment services, to allow organisations to select the most appropriate option for a particular requirement and budgeted funds for each unique SCADA environment requiring a security review: Cyber Security Operations Review Security Vulnerability Assessment. The Cyber Security Operations Review service utilises passive, off-line review methods for ascertaining the security posture of the target SCADA system, and such poses no risk to systems and data in production environments. The Security Vulnerability Assessment service includes testing activities that utilise network level connections to nominated (and approved) parts of the target SCADA system. Whilst RIoT Solutions takes appropriate precautions and our customised testing methodology takes inherent risks of testing time-critical systems operations of ICS/SCADA into consideration, some risks cannot be completely eliminated. Therefore, whenever possible, active cyber security testing should be performed on a backup or offline systems. If there are any components of the target SCADA system deemed critical and potentially fragile (e.g. a legacy system with known performance and/or stability issues), RIoT Solutions will work closely with customers in order to come up with an alternative, safe testing approach, such as hands-off security review (e.g. an off-line review of system configuration files and documentation), or testing a spare system in a LAB environment SCADA Cyber Security Operations Review Scope: Review the current state of the target SCADA systems cyber security operation against industry best practice guidelines RIoT Solutions proposes to utilise the following well established best practice framework that is appropriate for Industrial Control Systems / SCADA systems: NIST Framework for Improving Critical Infrastructure Cybersecurity Page 9 of 12

10 The National Institute of Standards and Technology (NIST) Framework is technology neutral and relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve resilience. The Framework is a risk-based approach to managing cybersecurity risk, and its core consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond and Recover. When considered together, these functions provide a high-level, strategic view of the lifecycle of an organization s management of cybersecurity risk. Objectives: Enable organisations to determine their current cyber security capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cyber security programs. Identify and prioritize actions for reducing cyber security risk, and align policy, business, and technological approaches to managing that risk. Key benefits: Enable organisations to apply the principles and best practices of risk management to improving the security and resilience of their Operation Technology network(s). Deliverables: Provide a detailed report outlining how management of cyber security risks within the target SCADA system compares to best practice (NIST guidelines), and include recommendations for addressing any identified gaps. Constraints: A detailed compliance type audit, as this would have high cost and time implications, whilst providing limited benefits SCADA Security Vulnerability Assessment Scope: Perform an independent testing of nominated SCADA network segments, in the context of an unauthenticated, anonymous user. All testing is conditional on approval of an agreed testing plan and applicable restrictions and precautions, if any testing targets are in production environments. Login with provided test user account with low privileges, to check for weak access restrictions to SCADA management and monitoring systems for authenticated users (privilege escalation, overly permissive access to internal resources, etc.) Page 10 of 12

11 Objectives: Identify and document any risks to the target SCADA system, posed by an authenticated low-privilege user, and by a potential attacker connected to the SCADA network and/or identified external network connection entry points. Key benefit: Identification and ensuing reduction of risks within a SCADA environment Verification of restrictions applicable to configuration of role-based security controls, for non-administrative and non-privileged user accounts on the SCADA network. Deliverables: Provide a detailed report documenting Identified technical vulnerabilities, and the resulting risks. Document any effective security controls where identified, and include a prioritised list of recommendations for risk mitigations. Where SCADA components vulnerability confirmation testing was permitted, document the steps an attacker might take. Regarding evidence, ensure the approach does not put the target system at risk (e.g. use screen shots of accessible system administration interfaces, but do not alter any settings and/or data). Constraints: High-intensity automated vulnerability scanning and other aggressive testing methods (e.g. exhaustive network port scans, Denial of Service attacks, brute-force password guessing, etc.) due to potential impact on live environments. Page 11 of 12

12 3 Pricing The proposed services are offered at a fixed price, and can be consumed individually in any order that fits the organisation s requirements. Due to the unknown scale and complexity of the IoT or SCADA targets, the assessment effort estimates are based on our previous work on small to medium size sites. For example, SCADA Vulnerability Testing of one Control Centre and network connected devices on few remote field sites (where travel to sites was not required) usually takes a minimum of 7 days IoT Systems Service IoT Cyber Security Assessment (High-level) $ 8,250 IoT Cyber Security Assessment (Detailed) $ 11,550 IoT Security Vulnerability Testing $ 8,250 Table 4: Investment IoT Cyber Security Services SCADA Systems Service SCADA Cyber Security Operations Review $ 8,250 SCADA Security Vulnerability Testing $ 11,550 Table 5: Investment SCADA Cyber Security Services Price (excl. GST) Price (excl. GST) Page 12 of 12

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice NERC Cyber Security Compliance Consulting Services HCL Governance, Risk & Compliance Practice Overview The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to

More information

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a

More information

Cyber Defense Operation Center (CDOC) Ensuring that Experts are allways watching

Cyber Defense Operation Center (CDOC) Ensuring that Experts are allways watching (CDOC) Ensuring that Experts are allways watching Data Sheet Introduction CyberHat CDOC is an intelligent security operation center; which combines cutting edge technologies and innovative processes ensuring

More information

Corporate Security Research and Assurance Services

Corporate Security Research and Assurance Services Corporate Security Research and Assurance Services We Keep Your Business In Business Obrela Security Industries mission is to provide Enterprise Information Security Intelligence and Risk Management Services

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Penetration Testing Services. Demonstrate Real-World Risk

Penetration Testing Services. Demonstrate Real-World Risk Penetration Testing Services Demonstrate Real-World Risk Penetration Testing Services The best way to know how intruders will actually approach your network is to simulate a real-world attack under controlled

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05 Cyber Risk Management Guidance Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk management.

More information

WEB APPLICATION SECURITY TESTING GUIDELINES

WEB APPLICATION SECURITY TESTING GUIDELINES WEB APPLICATION SECURITY TESTING GUIDELINES 1 These guidelines were developed to support the Web Application Security Standard. Please refer to this standard for additional information and/or clarification

More information

Adaptive Threat and Risk Framework for Securing IoT in Healthcare

Adaptive Threat and Risk Framework for Securing IoT in Healthcare Adaptive Threat and Risk Framework for Securing IoT in Healthcare Building Elements for Next Generation Security Operations AT&T Security Solutions 2015 AT&T Intellectual Property. All rights reserved.

More information

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec Introduction Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec More than 20 years of experience in cybersecurity specializing

More information

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity. Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July

More information

AN OVERVIEW OF VULNERABILITY SCANNERS

AN OVERVIEW OF VULNERABILITY SCANNERS AN OVERVIEW OF VULNERABILITY SCANNERS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole

More information

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments. Security solutions White paper Acquire a global view of your organization s security state: the importance of security assessments. April 2007 2 Contents 2 Overview 3 Why conduct security assessments?

More information

Certified Identity and Security Technologist (CIST) Overview & Curriculum

Certified Identity and Security Technologist (CIST) Overview & Curriculum Overview Identity management and security technologies are increasingly needed to address the growing needs of businesses to counter threats, meet requirements, and mitigate risks. According to recent

More information

UIIPA - Security Risk Management. June 2015

UIIPA - Security Risk Management. June 2015 UIIPA - Security Risk Management June 2015 1 Introduction Tim Hastings, Chief Information Security Officer State of Utah - Department of Technology Services Tim Hastings has more than 16 years of experience

More information

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's: Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services

More information

External Penetration Assessment and Database Access Review

External Penetration Assessment and Database Access Review External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

How to build a security assessment program. Dan Boucaut

How to build a security assessment program. Dan Boucaut How to build a security assessment program Dan Boucaut Agenda 1 Problem statement 2 Business case 3 How to avoid creating more problems Problem statement Security assessments are hard, costly and may take

More information

LOGIIC Remote Access. Final Public Report. June 2015 1 LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION

LOGIIC Remote Access. Final Public Report. June 2015 1 LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION LOGIIC Remote Access June 2015 Final Public Report Document Title LOGIIC Remote Monitoring Project Public Report Version Version 1.0 Primary Author A. McIntyre (SRI) Distribution Category LOGIIC Approved

More information

THE BLUENOSE SECURITY FRAMEWORK

THE BLUENOSE SECURITY FRAMEWORK THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program

More information

NIST Guidelines for Secure Shell and What They Mean for Your Organization

NIST Guidelines for Secure Shell and What They Mean for Your Organization NIST Guidelines for Secure Shell and What They Mean for Your Organization Table of Contents Introduction 3 SSH: A refresher 3 A secure yet vulnerable control 3 A widespread risk throughout the enterprise

More information

PATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

PATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region PATCH MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Top 20 Critical Security Controls

Top 20 Critical Security Controls Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need

More information

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75 Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.

More information

Internet of Things Security Companion to the CIS Critical Security Controls (Version 6)

Internet of Things Security Companion to the CIS Critical Security Controls (Version 6) Internet of Things Security Companion to the CIS Critical Security Controls (Version 6) October 2015 Internet of Things Security Companion to the CIS Critical Security Controls (Ver. 6) Introduction...

More information

Document ID. Cyber security for substation automation products and systems

Document ID. Cyber security for substation automation products and systems Document ID Cyber security for substation automation products and systems 2 Cyber security for substation automation systems by ABB ABB addresses all aspects of cyber security The electric power grid has

More information

R&D Security Training. Based on materials from OWASP

R&D Security Training. Based on materials from OWASP R&D Security Training Based on materials from OWASP Agenda Reasons for IT Security The web application security challenge 10 Most Critical Risks (OWASP Top 10) Security Development Lifecycle (SDL) Security

More information

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Enterprise Security Architecture

Enterprise Security Architecture Enterprise Architecture -driven security April 2012 Agenda Facilities and safety information Introduction Overview of the problem Introducing security architecture The SABSA approach A worked example architecture

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

G-Cloud IV Services Service Definition Accenture Cloud Security Services

G-Cloud IV Services Service Definition Accenture Cloud Security Services G-Cloud IV Services Service Definition Accenture Cloud Security Services 1 Table of contents 1. Scope of our services... 3 2. Approach... 3 3. Assets and tools... 4 4. Capabilities... 5 5. Expected Outcomes...

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

White Paper Strengthening Information Assurance in Healthcare

White Paper Strengthening Information Assurance in Healthcare White Paper Strengthening Information Assurance in Healthcare Date: April, 2011 Provided by: Concurrent Technologies Corporation (CTC) 100 CTC Drive Johnstown, PA 15904-1935 wwwctccom Business Point of

More information

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations

More information

How to ensure control and security when moving to SaaS/cloud applications

How to ensure control and security when moving to SaaS/cloud applications How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk

More information

Penetration testing systems since 1989

Penetration testing systems since 1989 Pantone 641C Pantone 377C Penetration testing systems since 1989 Enex TestLab offers fully independent, cost effective and flexible penetration testing services. Our prices are compelling just ask but

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks A look at multi-vendor access strategies Joel Langill TÜV FSEng ID-1772/09, CEH, CPT, CCNA Security Consultant / Staff

More information

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Adobe ColdFusion Secure Profile Web Application Penetration Test July 31, 2014 Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Chicago Dallas This document contains and constitutes the

More information

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing

More information

Four Top Emagined Security Services

Four Top Emagined Security Services Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security

More information

SCADA Security Training

SCADA Security Training SCADA Security Training 1-Day Course Outline Wellington, NZ 6 th November 2015 > Version 3.1 web: www.axenic.co.nz phone: +64 21 689998 page 1 of 6 Introduction Corporate Background Axenic Ltd Since 2009,

More information

Best Practices for Secure, Privacy, Preserving Mobile Networks: A NIST Perspective

Best Practices for Secure, Privacy, Preserving Mobile Networks: A NIST Perspective Best Practices for Secure, Privacy, Preserving Mobile Networks: A NIST Perspective Donna F. Dodson Chief Cybersecurity Advisor National Institute of Standards and Technology donna.dodson@nist.gov A Little

More information

EA-ISP-012-Network Management Policy

EA-ISP-012-Network Management Policy Technology & Information Services EA-ISP-012-Network Management Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 01/04/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref:

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Into the cybersecurity breach

Into the cybersecurity breach Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

More information

DoD Strategy for Defending Networks, Systems, and Data

DoD Strategy for Defending Networks, Systems, and Data DoD Strategy for Defending Networks, Systems, and Data November 13, 2013 Department DoDD of Defense Chief Information Officer DoD Strategy for Defending Networks, Systems, and Data Introduction In July

More information

Digital Pathways. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ. 0844 586 0040 intouch@digitalpathways.co.uk www.digpath.co.

Digital Pathways. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ. 0844 586 0040 intouch@digitalpathways.co.uk www.digpath.co. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ 0844 586 0040 intouch@digitalpathways.co.uk Security Services Menu has a full range of Security Services, some of which are also offered as a fully

More information

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis An analogue approach to a digital world What foundations is CDCAT built on?

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

IoT Potential Risks and Challenges

IoT Potential Risks and Challenges IoT Potential Risks and Challenges GRIFES / GITI / EPFL Alumni Conference, Lausanne, May 7 th, 2015 Stefan Schiller, HP ESP Fortify Solution Architect D/A/CH IoT Potential Risks and Challenges Agenda IDC

More information

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review The security threat landscape is constantly changing and it is important to periodically review a business

More information

Caretower s SIEM Managed Security Services

Caretower s SIEM Managed Security Services Caretower s SIEM Managed Security Services Enterprise Security Manager MSS -TRUE 24/7 Service I.T. Security Specialists Caretower s SIEM Managed Security Services 1 Challenges & Solution Challenges During

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool

ICBA Summary of FFIEC Cybersecurity Assessment Tool ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary

More information

23.9.2015. Kangas Cybersecurity strategy

23.9.2015. Kangas Cybersecurity strategy Kangas Cybersecurity strategy Vision of Kangas Smart Kangas Life and living at Kangas is convenient, easy and safe. Kangas is resource-wise and it is attractive place of work. Security and safety measures

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management

More information

Security aspects of e-tailing. Chapter 7

Security aspects of e-tailing. Chapter 7 Security aspects of e-tailing Chapter 7 1 Learning Objectives Understand the general concerns of customers concerning security Understand what e-tailers can do to address these concerns 2 Players in e-tailing

More information

Guideline on Vulnerability and Patch Management

Guideline on Vulnerability and Patch Management CMSGu2014-03 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Vulnerability and Patch Management National Computer Board

More information

Industrial Security Solutions

Industrial Security Solutions Industrial Security Solutions Building More Secure Environments From Enterprise to End Devices You have assets to protect. Control systems, networks and software can all help defend against security threats

More information

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber

More information

Certified Identity and Access Manager (CIAM) Overview & Curriculum

Certified Identity and Access Manager (CIAM) Overview & Curriculum Identity and access management (IAM) is the most important discipline of the information security field. It is the foundation of any information security program and one of the information security management

More information

IT Security Testing Services

IT Security Testing Services Context Information Security T +44 (0)207 537 7515 W www.contextis.com E gcloud@contextis.co.uk IT Security Testing Services Context Information Security Contents 1 Introduction to Context Information

More information

Cybersecurity Health Check At A Glance

Cybersecurity Health Check At A Glance This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not

More information

BEST PRACTICES RESEARCH

BEST PRACTICES RESEARCH 2013 Frost & Sullivan 1 We Accelerate Growth Market Leadership Award Vulnerability Management Global, 2013 Frost & Sullivan s Global Research Platform Frost & Sullivan is in its 50th year of business with

More information

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013 2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information

Facing Information Security Challenges

Facing Information Security Challenges AKTINA Event Information Security & Cloud Challenges March 17, 2016 Facing Information Security Challenges ISACA Cyprus Chapter Paschalis Pissarides CRISC, CISM, CISA Immediate Past President (2010-2014)

More information

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is

More information

Extreme Networks Security Analytics G2 Vulnerability Manager

Extreme Networks Security Analytics G2 Vulnerability Manager DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering

More information

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013 IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

NEC Managed Security Services

NEC Managed Security Services NEC Managed Security Services www.necam.com/managedsecurity How do you know your company is protected? Are you keeping up with emerging threats? Are security incident investigations holding you back? Is

More information

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief RSA Solution Brief RSA envision Platform Real-time Actionable Information, Streamlined Incident Handling, Effective Measures RSA Solution Brief The job of Operations, whether a large organization with

More information

NCCIC CYBER INCIDENT SCORING SYSTEM OVERVIEW

NCCIC CYBER INCIDENT SCORING SYSTEM OVERVIEW NCCIC CYBER INCIDENT SCORING SYSTEM OVERVIEW Many incident taxonomies and classification schemes provide excellent guidance within the scope of a single enterprise s security operations center (SOC). However,

More information

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education Before the U.S. House Oversight and Government Reform Committee Hearing on Agency Compliance with the Federal Information

More information

NERC CIP Version 3. Solution Brief. NERC CIP Version 3. EventTracker Enterprise v7.x. Publication Date: Aug 12, 2014

NERC CIP Version 3. Solution Brief. NERC CIP Version 3. EventTracker Enterprise v7.x. Publication Date: Aug 12, 2014 Publication Date: Aug 12, 2014 Solution Brief EventTracker Enterprise v7.x EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical solutions that

More information

Is your business prepared for Cyber Risks in 2016

Is your business prepared for Cyber Risks in 2016 Is your business prepared for Cyber Risks in 2016 The 2016 GSS Find out Security with the Assessment Excellus BCBS customers hurt by security breach Hackers Access 80 Mn Medical Records At Anthem Hackers

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division

More information

Strategic Plan On-Demand Services April 2, 2015

Strategic Plan On-Demand Services April 2, 2015 Strategic Plan On-Demand Services April 2, 2015 1 GDCS eliminates the fears and delays that accompany trying to run an organization in an unsecured environment, and ensures that our customers focus on

More information