NIST Guidelines for Secure Shell and What They Mean for Your Organization
Jacob O’Connor
As part of an ongoing effort to help organizations strengthen security, the National Institute of Standards and Technology (NIST) recently issued a set of potential guidelines for the use of Secure Shell (SSH) in automated access management. These draft guidelines are intended to provide organizations with a set of best practices to secure remote access that is established using SSH. The guidelines put forth recommendations regarding SSH key management, access control, session monitoring, auditing and more.

SSH: A refresher

SSH is a protocol used to enable secure access to remote systems. SSH relies on a pair of cryptographic keys to authenticate users and applications to root, administrative and other system accounts. Thanks to its ease of use and reliability, SSH has become frequently used by system administrators to access privileged accounts on remote machines, and it is commonly used in automated IT processes to secure application-to-application communications, such as file transfers and automated backups.

A secure yet vulnerable control

While the SSH protocol itself provides a secure communications channel, unmanaged SSH keys can introduce several vulnerabilities into an otherwise secure system. The greatest challenge associated with the SSH protocol is that there is no inherent way to see or manage the keys used for authentication. As a result, SSH keys are frequently created and distributed throughout an organization, but without any record, it is difficult to track and control their use. To compound this risk, the keys, which are completely out of the view and control of IT, never expire. Consequently, SSH keys can provide backdoor access for authorized and unauthorized users to critical systems, and IT security teams may never know.
A widespread risk throughout the enterprise

In a typical enterprise environment, there could be hundreds or even thousands of unsecured, unmanaged SSH keys used to authenticate to privileged administrative and root accounts. However, unlike privileged passwords, these keys are not typically part of any IT security plan. There is no way to monitor who has access to what, or even where the keys exist across an organization. As a result, basic security measures, such as the termination of unused accounts or the automatic rotation of account credentials, are not typically applied to SSH keys. Therefore, unhappy employees or malicious attackers can exploit these unsecured privileged credentials to gain widespread access to a multitude of systems and the sensitive data on these systems without ever being detected. According to a recent report by the Ponemon Institute, the majority of organizations today are neither securing nor managing SSH keys. Worse, as a result, fifty-one percent of organizations surveyed in the report have already experienced an SSH key-related compromise.[1]

[1] Ponemon 2014 SSH Security Vulnerability Report. Ponemon Institute.

CyberArk Software Ltd. cyberark.com
Security controls help to reduce risk

As noted in the abstract of the NIST guidelines, the effective management of SSH-based access requires proper provisioning, termination and monitoring processes. In its draft proposal, NIST has provided very specific guidelines on security controls for SSH-based access management. Some of the major areas that require controls include:

- Account management
- Access enforcement
- Least privilege
- Auditing and monitoring
- Risk assessment
- Identification and authentication

Through its proposed guidelines, NIST has begun encouraging organizations to start treating SSH keys like the privileged credentials they truly are. These proposed controls recognize the sensitivity of SSH keys and compel organizations to better secure and manage these keys. By following the proposed NIST guidelines, organizations can get a head start on becoming compliant, mitigate the risk of unauthorized access to critical systems, and better secure their sensitive data. The sections below look at each of the above categories and highlight how CyberArk solutions can help organizations implement these security controls.

NIST Control Area: Account Management
NIST Controls: AC-2 controls #d, #g, #j, #k
CyberArk Solutions: CyberArk SSH Key Manager, CyberArk Discovery and Audit

To prevent unauthorized users from accessing sensitive or regulated information, NIST recommends that organizations proactively secure, manage and monitor the use of SSH keys that provide access to privileged accounts. Proposed guidelines related to account management include:

- Ensure that users only have access to the SSH keys needed for their role.
- Track the usage of keys to gain an audit trail of who accessed what and when.
- Rotate shared SSH keys as soon as a user leaves the authorized group.
- Continuously ensure that SSH keys are compliant with organizational policy.
With CyberArk solutions, organizations can set policies to grant users access to SSH keys based on their existing role and access rights. Security teams can then track and audit the usage of the SSH keys to see exactly who accessed what and when. To ensure that these credentials do not remain static, policies can be configured to rotate SSH key pairs according to a master schedule or on demand when needed. The CyberArk Discovery and Audit tool can be run to locate SSH keys across the IT environment and easily pinpoint which keys are compliant with organizational policy and which require attention.
NIST Control Area: Access Enforcement
NIST Controls: AC-3, AC-3 control enhancement #3, AC-17
CyberArk Solutions: CyberArk SSH Key Manager, CyberArk Application Identity Manager

A critical security measure is the control of access to enterprise systems, whether they are servers, virtual machines, operating systems, databases or applications. Any compromise at any level could result in serious consequences. As a result, the NIST recommended best practices in this area include:

- Create and enforce approval policies for SSH key-based access.
- Prevent users from propagating access rights by installing new private keys.
- Lock down authorized keys files so that users are unable to install their public keys on unauthorized target systems.

CyberArk SSH Key Manager allows security personnel to grant access to SSH keys based on role. Organizations can define which credentials each user or user group is permitted to view or access. Organizations are then able to protect access to these credentials, as well as hide all unauthorized credentials from a user's view. Automated workflows can be configured to allow users to request one-time access to SSH keys with elevated privileges as needed for specific business reasons. Additionally, CyberArk Application Identity Manager enables organizations to remove locally stored SSH keys from applications and application servers and instead store them securely in a digital vault, thus preventing unauthorized users from compromising these keys and using them to propagate access across the environment. When used together, CyberArk SSH Key Manager and CyberArk Application Identity Manager can significantly reduce the risk of unauthorized access to private SSH keys. By securely storing private user and application SSH keys, organizations can control access to these keys, strengthen their security posture and become compliant with NIST recommendations.
NIST Control Area: Least Privilege
NIST Controls: AC-6, AC-6 control enhancement #2, #3, #4, #5, #7, #10
CyberArk Solutions: CyberArk Discovery and Audit, CyberArk SSH Key Manager, CyberArk On-Demand Privileges Manager

Privileged accounts are at the heart of most data breaches, so it's important to control SSH keys based on what type of access each user is granted. Privileges and access rights should be limited to only those required for a user's role or function to provide the highest degree of security. Therefore, in this area, NIST recommends the following:

- Continuously monitor the SSH key inventory and trust relationships between keys.
- Restrict what commands may be run with each SSH key.
- Only grant privileged SSH access if a task cannot be done using a non-privileged account.
- Prevent unauthorized users from accessing private keys that grant access to privileged accounts.
- Remove private SSH keys from local machines and frequently rotate key pairs.
- Lock down the authorized keys files to prevent users from adding their own public keys without approval.

CyberArk Discovery and Audit enables organizations to inventory SSH keys, trust relationships and orphan keys. For maximum effectiveness, the tool can be run at regular intervals to monitor the key inventory over time. Once discovered, the keys can be removed from local machines and centrally stored in the digital vault. SSH Key Manager enables organizations to restrict privileges at the key level and granularly control who has access to what keys, thus enforcing least privilege. Automated key rotation and distribution helps organizations streamline security processes, comply with requirements and improve their security postures, all without burdening the IT team. Additionally, CyberArk On-Demand Privileges Manager enables organizations to limit privileges at the individual account level while still allowing users to escalate privileges for specified business purposes in accordance with policy.
NIST Control Area: Auditing and Monitoring
NIST Controls: AU-E, SI-4, CM-3, CM-5
CyberArk Solutions: CyberArk SSH Key Manager, CyberArk Privileged Session Manager, CyberArk Privileged Threat Analytics

Continuous auditing of privileged account access helps organizations ensure that the processes for provisioning, lifecycle management and key termination are being followed and enforced. Similarly, ongoing monitoring of privileged user activity helps organizations detect unauthorized activities, commands or changes to critical systems. To effectively monitor and audit the use of both SSH keys and SSH session activity, NIST recommends that organizations:

- Track the use of SSH keys, including who used the private key and what target system was accessed with that key.
- Proactively prevent systems administrators from modifying SSH keys and files.
- Monitor for changes to authorized keys files and configuration files.
- Monitor SSH key-based authentication activity to ensure that connections only occur between trusted systems.

CyberArk SSH Key Manager works with CyberArk Privileged Session Manager to track the use of SSH keys and monitor user activity during SSH sessions. With these tools for monitoring and auditing, organizations can detect unauthorized SSH access, unauthorized changes to SSH key files and other unauthorized configuration changes. In addition, CyberArk Privileged Threat Analytics can monitor privileged account access to detect suspicious, anomalous SSH connections between systems. Combined, CyberArk technology provides a complete audit trail of SSH access, as well as detailed, searchable session audit logs that can accelerate forensics investigations.

NIST Control Area: Risk Assessment
NIST Controls: CA-2, RA-3
CyberArk Solutions: CyberArk Discovery and Audit

Security and risk assessments help organizations identify vulnerabilities and weaknesses that employees or attackers could exploit.
Environments that use SSH keys for authentication often have several linked systems that can all subsequently be compromised if an attacker were to compromise a single private key. To address this vulnerability, organizations should assess their environments, look for unnecessary relationships between systems, and take steps to better segregate their environment and reduce the risk of an SSH key compromise. To effectively understand an SSH environment and make a plan to mitigate risks, NIST recommends:

- Assess the entire IT environment to locate all SSH keys.
- Understand trust relationships between systems, and map how lateral movement could occur using compromised SSH keys.
- Determine which users, systems or applications have access to which keys.
- Make an actionable plan to remove unnecessary keys from users and systems.

CyberArk Discovery and Audit enables organizations to locate privileged accounts and SSH keys throughout the IT environment, gain insight into trust relationships between users and systems, and map which systems can be exploited by attackers to move laterally through the organization. Using this information, organizations can fully understand their privileged account vulnerabilities and create a clear plan to remediate risks and remove unnecessary access.
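The least-privilege recommendations above (restrict what commands may be run with each key, lock down authorized keys files) and the risk-assessment step of locating keys and understanding their trust relationships can both be checked on a host by reading its authorized_keys files. The following audit is an added example and not CyberArk's or NIST's code; it parses OpenSSH authorized_keys entries, records each key's fingerprint, options and owner comment, and flags entries that lack a forced command, a source-host restriction or disabled forwarding. The file contents and key blobs are constructed for illustration.

```python
"""Audit an OpenSSH authorized_keys file for least-privilege hygiene.
Added example, not CyberArk or NIST code: each key is inventoried with its SHA256
fingerprint, options and comment, then flagged when it lacks a forced command, a
source-host restriction or disabled forwarding/pty. The sample file is constructed."""
import base64
import hashlib
from dataclasses import dataclass, field

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Together these no-* options disable what the single 'restrict' option disables.
NO_OPTIONS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

@dataclass
class KeyEntry:
    line_no: int
    key_type: str
    fingerprint: str
    options: dict
    comment: str
    findings: list = field(default_factory=list)

def split_options(text: str) -> dict:
    """Split 'restrict,command="a,b",from="x"' into {name: value}; quoted values
    may contain commas (backslash-escaped quotes inside a value are not handled)."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
            continue
        in_quotes ^= ch == '"'
        buf.append(ch)
    if buf:
        parts.append("".join(buf))
    options = {}
    for part in parts:
        name, eq, value = part.partition("=")
        options[name.strip().lower()] = value.strip('"') if eq else None
    return options

def parse_line(line_no: int, line: str):
    """Parse one line into a KeyEntry; blank and comment lines return None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    i, in_quotes = 0, False          # option prefix ends at whitespace outside quotes
    while i < len(line):
        if line[i] == '"':
            in_quotes = not in_quotes
        elif line[i].isspace() and not in_quotes:
            break
        i += 1
    head, tail = line[:i], line[i:].strip()
    if head in KEY_TYPES:            # no options: the line starts with the key type
        options, fields = {}, line.split(None, 2)
    else:
        options, fields = split_options(head), tail.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"line {line_no}: not a recognised authorized_keys entry")
    comment = fields[2] if len(fields) == 3 else ""
    # OpenSSH-style SHA256 fingerprint: base64 of the digest with '=' padding stripped.
    digest = hashlib.sha256(base64.b64decode(fields[1], validate=True)).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return KeyEntry(line_no, fields[0], fingerprint, options, comment)

def assess(entry: KeyEntry) -> list:
    opts, findings = entry.options, []
    if "command" not in opts:
        findings.append("no command= option: key is not limited to a fixed command")
    if "from" not in opts:
        findings.append("no from= option: key is accepted from any source host")
    if "restrict" not in opts and not NO_OPTIONS <= set(opts):
        findings.append("forwarding/pty not disabled (no restrict or no-* options)")
    if not entry.comment:
        findings.append("no comment: key owner cannot be identified from the file")
    return findings

def audit_authorized_keys(text: str) -> list:
    entries = []
    for n, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(n, line)
        if entry is not None:
            entry.findings = assess(entry)
            entries.append(entry)
    return entries

def fake_blob(seed: bytes) -> str:
    """Constructed stand-in for a base64 ed25519 public-key blob (not a real key)."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + seed.ljust(32, b"\0")).decode()

# Constructed sample: one well-restricted automation key and three that need attention.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    f'restrict,command="/usr/local/bin/backup.sh",from="10.20.0.5" ssh-ed25519 {fake_blob(b"A")} backup@app01',
    f"ssh-ed25519 {fake_blob(b'B')} jdoe@laptop",
    f"no-port-forwarding,no-agent-forwarding ssh-ed25519 {fake_blob(b'C')} deploy@ci",
    f'from="192.0.2.0/24" ssh-ed25519 {fake_blob(b"D")}',
])
```

Run `audit_authorized_keys` over the authorized_keys files collected from each host and keep the fingerprints as the inventory; the findings list is the per-key remediation backlog.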
NIST Control Area: Identity and Authentication
NIST Controls: IA-2, IA-3, IA-5, IA-5 control enhancement #7, IA-8, PS-4, SC-23
CyberArk Solutions: CyberArk SSH Key Manager, CyberArk Application Identity Manager, CyberArk Enterprise Password Vault

To easily identify who is doing what, it's important to ensure that each user has a unique SSH key and that the SSH key cannot be shared with other users. In situations when it is not possible to distribute individual keys, organizations must limit which users have access to shared keys, control access to those keys, and monitor who is accessing the keys. Organizations must also be sure to rotate shared key pairs as soon as a user within an authorized user group leaves. Regardless of whether key pairs are used by individuals or shared within groups, it is important that organizations do not rely on static SSH keys for authentication. Instead, organizations should proactively rotate all key pairs to limit the risk of unauthorized access using SSH keys. Further, to ensure that organizations are cognizant of all the credentials used within their environments, NIST also highlights the importance of finding and removing hard-coded passwords used within applications and scripts, as these credentials can easily be accessed and used to propagate unauthorized access. To support the above goals, NIST recommends the following:

- Assign SSH keys on an individual user or system basis, and enforce policies that prohibit the sharing, copying, or moving of private keys.
- Ensure that shared SSH key pairs are rotated as soon as a user leaves the group.
- Proactively rotate all key pairs on a regular basis to eliminate static keys.
- Prohibit automated access that relies on hard-coded passwords.

CyberArk SSH Key Manager can tie both shared and non-shared SSH keys to individual user identities, allowing for the controlled management of private key information within the context of a corporate identity policy.
It is designed to securely store, rotate, and control access to SSH keys to prevent unauthorized access to privileged accounts. In addition, it can limit the lifetime of a key by automatically managing key rotation. This solution also integrates with Active Directory and other identity and access management solutions to ensure that keys are appropriately decommissioned in the event of an employee's termination. On the hard-coded credential side, CyberArk Application Identity Manager can remove embedded passwords and locally stored SSH keys that are used to facilitate automated application processes and securely store these privileged credentials in a digital vault. Using CyberArk Enterprise Password Vault or SSH Key Manager, organizations can secure, manage and rotate these credentials from a single platform in accordance with organizational policy.

Bringing a new level of security

By following the carefully detailed NIST guidelines and using CyberArk solutions, organizations can now bring SSH key security and management into their broader security plans. With these measures in place, no longer will unprotected SSH keys pose an underlying threat to critical systems and data. With CyberArk solutions, companies can discover and identify the thousands of SSH keys within their organizations, and then proactively secure, manage and control access to them. Monitoring and auditing, along with continual assessments, help to identify new vulnerabilities as they develop and ensure ongoing security. Using CyberArk solutions, organizations can build a comprehensive privileged account security strategy that equally secures, manages, and monitors privileged passwords and SSH keys, all from a single, unified platform. By using an integrated platform to secure all privileged accounts and credentials, organizations can address compliance requirements and strengthen their security postures while streamlining IT security processes.
About CyberArk

CyberArk is the trusted expert in privileged account security because of its track record of innovation and security expertise. CyberArk's Privileged Account Security solutions have been organically developed from the ground up, designed to meet the needs of even the largest, most complex organizations. CyberArk provides a comprehensive, tightly integrated, end-to-end solution that protects all privileged accounts, whether they are on-premises or in the cloud. In addition, the entire CyberArk suite of products is built on a single integrated platform, providing organizations with a high degree of flexibility, scalability, and usability. Companies can deploy a single infrastructure and expand the solution cost effectively as budgeting and funds allow. With CyberArk solutions, organizations can secure, manage, monitor and control access to all their privileged credentials, including both passwords and SSH keys, as well as gain the reporting capabilities necessary to prove compliance with audit requirements. CyberArk solutions enable organizations to strengthen their security postures while confidently addressing NIST guidelines for secure automated access. To learn more about CyberArk, visit cyberark.com.
This document contains information and ideas which are proprietary to Cyber-Ark Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of Cyber-Ark Software Ltd. All rights reserved.
More informationHow To Monitor Your Entire It Environment
Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................
More informationSECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD
SECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD www.wipro.com Table of Contents Executive Summary 03 Introduction 03 Challanges 04 Solution 05 Three Layered Approach to secure BYOD 06 Conclusion
More informationThe Essential Security Checklist. for Enterprise Endpoint Backup
The Essential Security Checklist for Enterprise Endpoint Backup IT administrators face considerable challenges protecting and securing valuable corporate data for today s mobile workforce, with users accessing
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationAdopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.
Security solutions To support your IT objectives Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services. Highlights Balance effective security with
More information10 Hidden IT Risks That Might Threaten Your Law Firm
(Plus 1 Fast Way to Find Them) Your law firm depends on intelligence. But can you count on your technology? You may not be in the intelligence technology business, but it s probably impossible to imagine
More informationdefending against advanced persistent threats: strategies for a new era of attacks agility made possible
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More informationHow To Manage A Privileged Account Management
Four Best Practices for Passing Privileged Account Audits October 2014 1 Table of Contents... 4 1. Discover All Privileged Accounts in Your Environment... 4 2. Remove Privileged Access / Implement Least
More informationTable of Contents. Application Vulnerability Trends Report 2013. Introduction. 99% of Tested Applications Have Vulnerabilities
Application Vulnerability Trends Report : 2013 Table of Contents 3 4 5 6 7 8 8 9 10 10 Introduction 99% of Tested Applications Have Vulnerabilities Cross Site Scripting Tops a Long List of Vulnerabilities
More informationFACT SHEET: Ransomware and HIPAA
FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000
More informationIntrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
More informationSTATE OF ARIZONA Department of Revenue
STATE OF ARIZONA Department of Revenue Douglas A. Ducey Governor September 25, 2015 David Raber Director Debra K. Davenport, CPA Auditor General Office of the Auditor General 2910 North 44 th Street, Suite
More informationBest Practices for PCI DSS V3.0 Network Security Compliance
Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with
More informationSecurity Control Standard
Department of the Interior Security Control Standard Security Assessment and Authorization January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior,
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
More informationWHITE PAPER. Managed Security. Five Reasons to Adopt a Managed Security Service
WHITE PAPER Managed Security Five Reasons to Adopt a Managed Security Service Introduction Cyber security presents many organizations with a painful dilemma. On the one hand, they re increasingly vulnerable
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationPrivileged Session Management Suite: Solution Overview
Privileged Session Management Suite: Solution Overview June 2012 z Table of Contents 1 The Challenges of Isolating, Controlling and Monitoring Privileged Sessions... 3 2 Cyber-Ark s Privileged Session
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationSecuring Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption
THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has
More informationIT ASSET MANAGEMENT Securing Assets for the Financial Services Sector
IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationDiscussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The
More informationEmbracing Microsoft Vista for Enhanced Network Security
Embracing Microsoft Vista for Enhanced Network Security Effective Implementation of Server & Domain Isolation Requires Complete Network Visibility throughout the OS Migration Process For questions on this
More informationIdentity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities
Identity and Access Management Integration with PowerBroker Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 4 BeyondTrust
More informationmodules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:
SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,
More informationPowerBroker for Windows
PowerBroker for Windows Desktop and Server Use Cases February 2014 1 Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 5 Sample Regulatory Requirements...
More informationCompliance Overview: FISMA / NIST SP800 53
Compliance Overview: FISMA / NIST SP800 53 FISMA / NIST SP800 53: Compliance Overview With Huntsman SIEM The US Federal Information Security Management Act (FISMA) is now a key element of the US Government
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationBest Practices for Information Security and IT Governance. A Management Perspective
Best Practices for Information Security and IT Governance A Management Perspective Best Practices for Information Security and IT Governance Strengthen Your Security Posture The leading information security
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationDIVISION OF INFORMATION SECURITY (DIS)
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new
More informationNIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich
NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007
More informationDEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target
More informationFull-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform
Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Solution Brief Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Finding
More informationGovernance and Control of Privileged Identities to Reduce Risk
WHITE PAPER SEPTEMBER 2014 Governance and Control of Privileged Identities to Reduce Risk Merritt Maxim CA Security Management 2 WHITE PAPER: PRIVILEGED IDENTITY GOVERNANCE Table of Contents Executive
More informationIMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE
IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle
More informationMitigating Risks and Monitoring Activity for Database Security
The Essentials Series: Role of Database Activity Monitoring in Database Security Mitigating Risks and Monitoring Activity for Database Security sponsored by by Dan Sullivan Mi tigating Risks and Monitoring
More informationThe CyberArk Privileged Account Security Solution. A complete solution to protect, monitor, detect and respond to privileged accounts
The CyberArk Privileged Account Security Solution A complete solution to protect, monitor, detect and respond to privileged accounts Table of Contents The Privileged Account a Real, Pervasive, Threat...3
More informationMiami University. Payment Card Data Security Policy
Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that
More informationFTP is Free, but Can You Really Afford It?
STERLING COMMERCE WHITE PAPER FTP is Free, but Can You Really Afford It? A closer look at the total cost of the operation of freeware FTP Introduction File Transfer Protocol (FTP) is a widely used data-movement
More information