MobileSecure, Inc. Windows CE Hardening Black Hat 2003 (slide transcription)
Slide 1: MobileSecure, Inc. Windows CE Hardening, Black Hat 2003
Copyright 2002 Mobile Secure, Inc. All Rights Reserved

Slide 2: Your Speaker
- Josh Daymont is the CTO at MobileSecure, Inc.
- Security research resulted in a number of published advisories
- A leading Windows CE security expert
- Co-created the ISS X-Force

Slide 3: Agenda
- Overview of Windows CE security: assets, threats, and vulnerabilities
- Uses for Windows CE: security in different environments
- Building a secure WinCE OS
- Introduction to hardening PocketPC 2002
- Q&A

Slide 4: Overview: The Assets
- Privileged access to the device
- Routine access to the device
- Device data
- Network resources
- Peripherals such as a cellphone, modem, industrial tool, or Bluetooth device

Slide 5: Overview: The Threats
- Worms
- Malicious groups or individuals
- Viruses
- Spammers

Slide 6: The Vulnerabilities
- Includes the existing vulnerability types:
  - Malformed packet attacks
  - Buffer overflows and format string attacks
  - Resource consumption and DoS
  - Web application and browser attacks
  - Authentication spoofing and session hijacking
  - Traditional wireless attacks: interception, jamming

Slide 7: The Vulnerabilities
- Windows CE introduces new attacks:
  - Flash attacks
  - Reset attacks and other hardware-specific problems
  - Lack of a security subsystem enables universal user spoofing
  - Kernel privilege escalation
  - Personal area network (PAN) vulnerabilities
  - Telephony attacks (SMS, GPRS)

Slide 8: Uses for Windows CE
- PDAs
- Smartphones
- Home appliances (washer/dryer etc.)
- Ultra small servers
- Surveillance equipment
- Automobile control systems

Slide 9: Security Requirements: PDAs & Smartphones
- Additional requirements include security for attached telephony hardware
- Bluetooth services must have passwords
- Disable infrared file transmission
- Only synchronize your device with a trusted desktop
- Use network security software if possible
- VPNs are important for mobile devices

Slide 10: Servers
- Windows CE supports a number of server applications: IIS for CE, SQL Server for CE 2.0
- A resident intrusion prevention system is a must

Slide 11: IIS for CE
- Basic Authentication allows multiple users but only one global password, and the credentials travel base64-encoded, effectively in the clear. Do not use Basic Authentication.
- NTLM Authentication allows domain passwords. Perform domain authentication only over a VPN.

Slide 12: Building a Secure WinCE OS
- WinCE is built using Platform Builder from Microsoft
- Several CE components should be examined carefully by CE OEM customers: ActiveSync, Internet browser, Bluetooth and IrDA, the trusted environment

Slide 13: Building a Secure WinCE OS: Components continued
- TCP/IP, filesystems, MSMQ, IIS, SNMP, SQL Server, FTPd and Telnetd

Slide 14: Building a Secure WinCE OS: ActiveSync
- ActiveSync is used to automatically transfer files from a device to a server, over a direct physical link or over the Internet
- No confidentiality of transferred data
- Authentication depends on the screen-lock password, which can be brute forced
- Man-in-the-middle attack possible

Slide 15: Building a Secure WinCE OS: Browser
- Use PIE (Pocket Internet Explorer) rather than traditional IE; PIE's reduced functionality limits exposure to new vulnerabilities
- Consider removing VBScript
- Keep browser-enabled ActiveX controls to an absolute minimum

Slide 16: Building a Secure WinCE OS: Bluetooth & IrDA
- Both modules rely on OBEX
- Always turn off automatic receives
- Ensure Bluetooth uses passwords; Bluetooth passwords may not hold out against a determined attacker
- IrDA has no native authentication

Slide 17: Building a Secure WinCE OS: Trusted Environment
- The trusted environment lets the WinCE kernel restrict which code is allowed to run, based on an OEM-supplied function
- The trusted environment can be circumvented if not implemented correctly
- Its key weakness is that user code can execute within the context of the kernel
- For now, always assume anything running in user mode has complete access to kernel memory
- Disable Full Kernel Mode!

Slide 18: Building a Secure WinCE OS: TCP/IP
- Be sure to disable IP routing by default
- Decide which networks the device will communicate over: cellular/GPRS and PPP; WiFi (802.11) and Ethernet (802.3)
- Force as much encryption as possible

Slide 19: Building a Secure WinCE OS: Filesystems
- Consider adding rudimentary file ACLs to your OS if needed, keyed on the accessing application rather than a user (WinCE has no security subsystem to identify users)
- Consider adding encryption here; the alternative is a third-party application

Slide 20: Building a Secure WinCE OS: MSMQ
- The MSMQ management ISAPI extension should be disabled on devices with IIS; be very careful about leaving it in
- MSMQ is a large, heavyweight system of the type that typically breeds vulnerabilities
- Ask yourself whether you really need MSMQ on a particular device

Slide 21: Building a Secure WinCE OS: IIS
- WinCE typically uses IIS for remote administration or status display
- This can be dangerous, especially because WinCE lacks many native security features that IIS traditionally relies on
- WinCE may operate over hostile wireless networks that give increased opportunities for sniffing and man-in-the-middle attacks
- IIS should operate only over SSL for almost all applications

Slide 22: Building a Secure WinCE OS: IIS
- Avoid NTLM authentication over wireless
- With Basic authentication everyone has the same password!
- Make virtual directory access controls as restrictive as possible
- Treat IIS usernames as though they were passwords; never store a username outside the registry
- Restrict non-administrator usernames to view only, with no scripting

Slide 23: Building a Secure WinCE OS: IIS
- IIS access controls protect only requests served through IIS; the underlying files themselves are unprotected
- Other ways to reach the files: physical access, faulty server-side code

Slide 24: Building a Secure WinCE OS: SNMP
- Best practice: never use SNMP
- If you must:
  - Use very hard to guess community names (they travel in the clear in SNMPv1/v2c, so this protects only against guessing, not against a sniffer on the same wireless network)
  - Try never to give anyone write access
  - Turn authentication traps on
  - Always use the PermittedManagers registry setting
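The IIS and SNMP advice on the last few slides is all registry configuration, so it can be audited from a registry export before a device ships. The following is an added example, not code from the deck or from Microsoft: it parses a .reg-style export and flags each setting the slides warn about. The key paths and value names are assumptions: the SNMP ones follow the Windows NT agent layout (ValidCommunities with 8 and 16 meaning READ WRITE and READ CREATE, PermittedManagers, EnableAuthenticationTraps), and the HTTPD ones (HKLM\COMM\HTTPD with IsEnabled, Basic, NTLM and AdminUsers, plus the per-vroot "a" authentication level) are as recalled from Platform Builder; verify both against the documentation for your CE version. The registry dump is constructed.

```python
"""Audit a Windows CE registry export for the SNMP and HTTPD (IIS for CE)
settings the slides warn about.  Added example, not code from the deck."""
import re

# Constructed sample export in .reg syntax.  Key paths and value names are the
# assumptions stated in the lead-in (NT-style SNMP agent layout, HKLM\COMM\HTTPD).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters]
"EnableAuthenticationTraps"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000004
"private"=dword:00000008

[HKEY_LOCAL_MACHINE\COMM\HTTPD]
"IsEnabled"=dword:00000001
"Basic"=dword:00000001
"NTLM"=dword:00000001
"AdminUsers"="admin"

[HKEY_LOCAL_MACHINE\COMM\HTTPD\VROOTS\/]
@="\\Windows\\www\\wwwpub"
"a"=dword:00000000
"""

SNMP = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SNMP\PARAMETERS"
HTTPD = r"HKEY_LOCAL_MACHINE\COMM\HTTPD"
DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_WRITE_LEVELS = {8, 16}   # READ WRITE / READ CREATE in the NT agent encoding (assumed for CE)
VALUE_RE = re.compile(r'^(@|"([^"]*)")=(.*)$')


def parse_reg(text):
    """Return {KEY_PATH: {value_name: value}}.  Key paths are upper-cased and
    value names lower-cased (the registry is case-insensitive); dword values
    become ints, strings lose their quotes and the .reg backslash escaping."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(2).lower()
        raw = m.group(3)
        if raw.lower().startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        else:
            keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys


def audit(keys):
    """Apply the slides' SNMP and IIS checks; returns a list of finding strings."""
    findings = []
    snmp = keys.get(SNMP)
    if snmp is not None:                       # SNMP agent is configured at all
        if snmp.get("enableauthenticationtraps", 0) != 1:
            findings.append("SNMP: authentication traps are off")
        if not keys.get(SNMP + r"\PERMITTEDMANAGERS"):
            findings.append("SNMP: PermittedManagers is empty, any host may talk to the agent")
        for name, level in keys.get(SNMP + r"\VALIDCOMMUNITIES", {}).items():
            if name in DEFAULT_COMMUNITIES:
                findings.append(f"SNMP: default community name {name!r}")
            if level in SNMP_WRITE_LEVELS:
                findings.append(f"SNMP: community {name!r} has write access")
    httpd = keys.get(HTTPD)
    if httpd is not None and httpd.get("isenabled") == 1:
        if httpd.get("basic") == 1:
            findings.append("HTTPD: Basic authentication enabled (one shared password, sent in the clear)")
        if httpd.get("ntlm") == 1:
            findings.append("HTTPD: NTLM enabled, allow it only over a VPN, never over wireless")
        for path, values in keys.items():
            if path.startswith(HTTPD + "\\VROOTS\\") and values.get("a", 0) == 0:
                findings.append(f"HTTPD: vroot {values.get('@')!r} requires no authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run it against a real export taken from the device (or the Platform Builder .reg files that seed it) rather than the constructed sample; a device with no SNMP Parameters key at all produces no SNMP findings, which is the outcome the slide's first bullet recommends.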
Slide 25: Building a Secure WinCE OS: SQL Server
- SQL Server for CE has no network logins; it can use replication or Remote Data Access (RDA), and is almost always used with IIS
- SQL injection still applies
- Consider the sensitivity of the data stored: is the device physically secure?
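"SQL injection still applies" because the absence of network logins says nothing about what the device-side code behind IIS does with request parameters. The following added example (not from the deck) shows the vulnerable query beside its parameterised form. It uses Python's sqlite3 as a stand-in for SQL Server for CE so that it runs anywhere; the table, rows and payload are constructed.

```python
"""SQL injection in a device-side query exposed through IIS for CE.
Added example: sqlite3 stands in for SQL Server for CE so it runs anywhere;
the table and rows are constructed."""
import sqlite3


def make_db():
    """Constructed sample data: sensor readings owned by two groups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (sensor TEXT, owner TEXT, value REAL)")
    conn.executemany(
        "INSERT INTO readings VALUES (?, ?, ?)",
        [("pump-1", "ops", 13.2), ("pump-2", "ops", 9.7), ("hvac-3", "facilities", 21.0)],
    )
    return conn


def readings_unsafe(conn, owner):
    """The pattern the slide warns about: a request parameter pasted into SQL.
    The caller's input can close the quote and rewrite the WHERE clause."""
    sql = "SELECT sensor, value FROM readings WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def readings_safe(conn, owner):
    """Hardened form: the value travels as a bound parameter and can never
    change the statement's structure."""
    sql = "SELECT sensor, value FROM readings WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo(payload="nobody' OR '1'='1"):
    """Same payload through both forms: the unsafe query returns every row,
    the safe one returns nothing because no owner is literally that string."""
    conn = make_db()
    return {
        "legit": readings_unsafe(conn, "ops"),
        "unsafe_with_payload": readings_unsafe(conn, payload),
        "safe_with_payload": readings_safe(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same split applies to whatever data-access layer the OEM ships (ADOCE, OLE DB, or RDA pushed through IIS): the fix is binding parameters, not filtering quotes, and it has to be applied on the device, since the IIS access controls on the earlier slides only decide who may reach the page, not what the page's SQL does.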
Slide 26: Building a Secure WinCE OS: FTPd & Telnetd
- Never use FTPd if you need security; implement something yourself instead
- FTPd authentication options are similar to IIS, except with no encryption
- Limited file security for anonymous logins; anonymous access should always be disabled anyway

Slide 27: Building a Secure WinCE OS: FTPd & Telnetd
- Telnetd provides less security than FTPd: no encryption, similar authentication, no access controls, no chrooting

Slide 28: Building a Secure WinCE OS: Summary
- Microsoft has delegated responsibility for WinCE security to the OEM customer
- OEMs must include security professionals in the OS design and implementation process
- Most OEMs seem to be skipping security within CE as of today
- It is impossible to build a secure WinCE OS out of the box

Slide 29: How to Harden CE
- For Windows CE users who license a production copy of CE from an OEM customer
- How to harden depends significantly on what the OEM has provided
- This section is geared primarily towards PocketPC 2002

Slide 30: How to Harden CE: General
- NEVER use ActiveSync over an unencrypted network
- Do not accept beamed documents (Start -> Settings -> Connections -> Beam)
- Use a VPN whenever possible
- Enable the PIN for any cellular telephone (Start -> Settings -> Personal -> Phone)
- Make regular backups; if you don't have backup software pre-installed you can purchase a solution for $10

Slide 31: How to Harden CE: Authentication
- Require a logon password (Start -> Settings -> Password)
- Change the prompt period from 1 hour to around 5 minutes
- The password will then be required for synchronization
- Use improved password protection, such as a PocketPC security solution like MobileGuard, whenever possible
- Beware: check the device lockout period
- The password is stored in a registry key as a hash
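Two slides above make the same point from different sides: ActiveSync authentication rests on the screen-lock password, which "can be brute forced", and that password sits in the registry as a hash, so the lockout period only matters while the attacker is forced to guess through the lock screen. The following added example (not from the deck) models both attacks. The hash construction (salted SHA-1), the PIN, and the lockout parameters are illustrative assumptions, not the PocketPC 2002 scheme.

```python
"""Offline versus online guessing of a PocketPC screen-lock secret.
Added example: the hash (salted SHA-1), the PIN and the lockout parameters
are illustrative assumptions, not the PocketPC 2002 scheme."""
import hashlib
import itertools
import string

SALT = b"constructed-salt"          # assumed; the page describes no salt


def secret_hash(secret: str) -> bytes:
    """Assumed form of the hash stored in the registry."""
    return hashlib.sha1(SALT + secret.encode()).digest()


def crack_offline(target: bytes, alphabet: str, length: int):
    """Offline attack: the registry hash has been read (ActiveSync, physical
    access), so the lock screen and its lockout never come into play.
    Returns (secret, guesses) or (None, keyspace) if nothing matched."""
    for n, tup in enumerate(itertools.product(alphabet, repeat=length), 1):
        candidate = "".join(tup)
        if secret_hash(candidate) == target:
            return candidate, n
    return None, len(alphabet) ** length


def online_worst_case_seconds(alphabet, length, tries_before_lockout,
                              lockout_seconds, seconds_per_try=1.0):
    """Online attack through the lock screen: after every `tries_before_lockout`
    wrong guesses the device locks for `lockout_seconds`.  Worst case is the
    whole keyspace; only the lockout makes the numbers grow."""
    keyspace = len(alphabet) ** length
    lockouts = (keyspace - 1) // tries_before_lockout
    return keyspace * seconds_per_try + lockouts * lockout_seconds


def compare(pin="4821", tries_before_lockout=5, lockout_seconds=60.0):
    """Four-digit PIN versus an 8-character alphanumeric password, offline and online."""
    found, guesses = crack_offline(secret_hash(pin), string.digits, 4)
    alnum = string.ascii_letters + string.digits
    return {
        "offline_pin": found,
        "offline_guesses": guesses,
        "online_pin_hours": online_worst_case_seconds(
            string.digits, 4, tries_before_lockout, lockout_seconds) / 3600,
        "online_password_years": online_worst_case_seconds(
            alnum, 8, tries_before_lockout, lockout_seconds) / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The offline run recovers the PIN in a few thousand hash computations regardless of the lockout setting, which is why the slides pair "check the device lockout period" with "only synchronize with a trusted desktop" and the stronger password schemes: the lockout bounds online guessing, but nothing short of a larger keyspace helps once the hash has left the device.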
Slide 32: How to Harden CE: Authentication
- PPP passwords used on the device are stored in plaintext registry entries; consider the risks before storing Internet passwords

Slide 33: Exploit Example
- IE exploit
- Sample backdoors

Slide 34: Summary & Conclusions
- Windows CE is a useful and feature-rich solution for embedded or mobile devices
- Security is still a concern, but the problem can be solved
- Pay special attention to the environment in which the device will be operated
- The material discussed in this presentation can be covered in detail through a MobileSecure consulting engagement

Slide 35: Q&A
More informationHACKING RELOADED. Hacken IS simple! Christian H. Gresser cgresser@nesec.de
HACKING RELOADED Hacken IS simple! Christian H. Gresser cgresser@nesec.de Agenda About NESEC IT-Security and control Systems Hacking is easy A short example where we currently are Possible solutions IT-security
More informationFundamentals of Network Security - Theory and Practice-
Fundamentals of Network Security - Theory and Practice- Program: Day 1... 1 1. General Security Concepts... 1 2. Identifying Potential Risks... 1 Day 2... 2 3. Infrastructure and Connectivity... 2 4. Monitoring
More informationHacking Database for Owning your Data
Hacking Database for Owning your Data 1 Introduction By Abdulaziz Alrasheed & Xiuwei Yi Stealing data is becoming a major threat. In 2012 alone, 500 fortune companies were compromised causing lots of money
More informationSSL VPN Technology White Paper
SSL VPN Technology White Paper Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its implementation and
More informationSummary of the SEED Labs For Authors and Publishers
SEED Document 1 Summary of the SEED Labs For Authors and Publishers Wenliang Du, Syracuse University To help authors reference our SEED labs in their textbooks, we have created this document, which provides
More informationBlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Administration Guide
BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Administration Guide Published: 2010-06-16 SWDT487521-1041691-0616023638-001 Contents 1 Overview: BlackBerry Enterprise
More informationEnterprise Mobility Report 10/2014. Creation date: 31.10.2014. Vlastimil Turzík, Edward Plch
10/2014 Creation date: 31.10.2014 Author: Vlastimil Turzík, Edward Plch Content Content... 2 Introduction... 4 Interesting Articles... 4 95% of companies challenged by BYOD security... 4 ios... 4 Vulnerability...
More informationGO!Enterprise MDM Device Application User Guide Installation and Configuration for Android
GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android GO!Enterprise MDM for Android, Version 3.x GO!Enterprise MDM for Android 1 Table of Contents GO!Enterprise MDM
More informationDATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0
DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS
More informationSSL VPN Evaluation Guide. Criteria for Choosing the Right SSL VPN
Evaluation Guide SSL VPN Evaluation Guide Criteria for Choosing the Right SSL VPN May 2011 SSL VPN Evaluation Guide Access. Security. Delivery. Introduction Remote connectivity is crucial for enterprise
More informationCheck list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationNetwork Defense Specialist. Course Title: Network Defense Specialist: Securing and Troubleshooting Network Operating Systems
Course Title: Network Defense Specialist: Securing and Troubleshooting Network Operating Systems Page 1 of 12 Course Description The Network Defense Series from EC-Council Press is comprised of 5 books
More informationThreats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1
Threats and Attacks Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to:
More informationClick Studios. Passwordstate. Installation Instructions
Passwordstate Installation Instructions This document and the information controlled therein is the property of Click Studios. It must not be reproduced in whole/part, or otherwise disclosed, without prior
More informationFigure 9-1: General Application Security Issues. Application Security: Electronic Commerce and E-Mail. Chapter 9
Figure 9-1: General Application Application Security: Electronic Commerce and E-Mail Chapter 9 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Executing Commands with the Privileges
More information