Survivability From a Sow's Ear: The Retrofit Security Requirement
Crispin Cowan and Calton Pu
Department of Computer Science and Engineering
Oregon Graduate Institute of Science & Technology
(crispin@cse.ogi.edu)

Abstract

This paper considers the survivability requirement for production operating systems that underlie typical information systems. Since economic incentives give competitive advantages to imperfect and therefore insecure software, it seems inevitable to consider retrofitting some form of security to existing systems. This approach has long been anathema in the security community. We outline the pragmatic alternative of retrofitting security to achieve information survivability.

1 Introduction: the Survivability Imperative

This paper makes the case for increasing operating system survivability by retrofitting a form of security to software systems that were not designed to be secure. A reader from the security community may consider this statement unorthodox. After examining the alternatives, we conclude that most other possibilities are even less likely to achieve the goal of widespread deployment of highly survivable information systems.

We consider operating system survivability to be a necessary building block of information survivability. Operating system survivability per se is not specific to any particular domain of information processing. Rather, it comprises cross-cutting issues that affect all domains of information survivability. If an application's host operating system fails to survive, then the application will also fail to survive. This paper pertains to issues involving the survivability of host operating systems, and by transitivity also the survivability of the information systems that run on them.

Broadly speaking, the survivability imperative is that the information infrastructure should survive attacks. While attacks can take many forms (including the dread "back hoe attack" :-) we consider only computer security attacks.

To achieve high survivability of the information infrastructure, many of the systems in that infrastructure must be able to survive security attacks. How then can host systems survive computer security attacks? The attacks must somehow be prevented from succeeding. Section 2 discusses the approach of using high security systems, which by dint of rigorous engineering, are not vulnerable to security attacks. Section 2 also discusses the costs of high security systems, which have the unfortunate effect of making them not economically viable. Section 3 discusses the alternative: retrofitting existing common systems, which are not secure and thus are vulnerable, with a semblance of security such that they can survive attack.

2 The Cost of Security: Too High to Pay

The traditional security approach applies a high degree of rigor to system design and implementation. This preserves system security by stopping all potential attacks, and consequently increases system survivability. A highly secure design provides for precise specification of who may access what, preventing an attacker from gaining unintended privileges by exploiting bugs in the access specifications. A highly secure implementation similarly prevents an attacker from gaining unintended privileges by exploiting bugs in the implementation, regardless of access specifications.

High security systems can survive security attacks because they contain few (if any) security vulnerabilities. But the rigor required to remove all or most of the vulnerabilities comes at a high price in terms of development and maintenance, which the commercial marketplace appears to be unwilling to pay. Most customers, and consequently most vendors, have chosen the low cost alternative where imperfection is tolerated, producing security weaknesses. Current production operating systems are becoming increasingly dominated by admittedly imperfect but low cost systems.

Decades of security research show that completely securing a system is difficult, requiring near perfection in the implementation. Ordinary system debugging is relatively simple, because it is only needed to the point where users are rarely troubled by bug manifestations. Security is different: if security bugs exist in the security perimeter and the attackers learn of the bugs, then the attackers can cause the bugs to manifest at will by deploying a security attack. Thus security requires not just making bug manifestation rare, but rather eliminating bugs from the security perimeter.

Debugging is often viewed as the most costly phase of software development. The last few remaining bugs are the most expensive to excise, because they are the most subtle to make manifest. Removing bugs can also introduce new bugs, making it even more difficult to render a system bug-free. Thus the goal of a bug-free security perimeter can be exceptionally difficult to achieve. The imperative to develop products on internet time further squeezes precious debugging time from the development cycle, making future products even less likely to be survivable.

Secure systems can be built if enough resources are brought to bear, and especially if security is a primary goal. However, the difficulties of securing a system slow down development efforts relative to those in which security is a lesser concern. The result is systems that are less optimized, less featureful, and later to market. The debugging process also needs to be repeated for each software maintenance cycle. Since modern operating systems are under constant development due to market pressure for new functionality, slowdown in each product cycle becomes fatal very quickly.

The result is that most vendors choose not to emphasize correctness. This is a rational decision, born not out of recklessness, but rather from a clear understanding of most customers' desires. Software customers appear to be insensitive to a tolerable degree of imperfection in their software, preferring new features over correctness. Consider the calls to Microsoft's support line [2, 10, 11]: most calls request help on how to do some particular task, 5% of calls request some new feature, and less than 1% of calls are to report bugs. Advertisements, where software vendors promote their products, compare features, and occasionally speed, but rarely correctness. Even ads for security products rarely mention correctness. In fact, the standard software disclaimer makes it clear that bugs should be expected by consumers.

Since correctness is hard to achieve, and seems to offer little competitive advantage in the marketplace, it seems unlikely that vendors will produce correct software in quantity, or for long periods of time. As long as feature lists, time-to-market, and a little bit of performance matter more to customers than correctness, systems with a tolerable number of bugs (as defined by the majority of consumers) will be a normal state of affairs. Such systems are unlikely to be highly survivable.

3 The Remaining Alternative: Post-hoc Security

Existing systems are buggy by choice, and therefore not secure and not survivable against attack. The main response to the survivability imperative is to retrofit some security features onto existing systems. Unfortunately, the security community has long known that it is not feasible to add security post hoc, because it requires reviewing the entire system with the degree of diligence that would have been required to secure the system in the first place. Furthermore, the finished product will have made irreversible design and implementation decisions that compromise security for expedience, making it more difficult to secure an existing system than to build it securely from the start.

We can ease the burden of retrofitting security onto existing systems by exploring the requirement differences between survivability and security. Security requires that the system preserves integrity, privacy, and continuation of service in the presence of attacks, i.e. attacks must be stopped completely. Survivability, in contrast, requires only that the system survive attacks to some degree, preserving integrity, privacy, and continuation of service to the maximum extent possible.

We propose a general approach to the problem of retrofitting survivability. We exclude surviving attacks to which the system is not vulnerable, because that is precisely the security problem.
Rather, we consider techniques to allow a system to survive an attack that exploits a vulnerability in the current system implementation. We call this security bug tolerance [5].

Security bug tolerance does not seek to identify and eliminate vulnerabilities. Rather, it seeks to minimize the degree of vulnerability implied by a security bug. Akin to classical fault tolerance, security bug tolerance minimizes exposure by replicating security checks within the system. An attacker may exploit a vulnerability resulting from a bug in the implementation, but because of additional security checks, the attacker does not gain much additional privilege, and likely trips an intrusion alert, preventing additional exploitation of vulnerabilities.

Wrappers [1, 12, 13] are a prominent form of security bug tolerance that adapts existing programs by making their vulnerabilities more difficult to exploit, enhancing their survivability. A wrapper is a program wrapped around a program suspected of having bugs. The wrapper filters input intended for the subject program, passing only the safe data to the subject program.

We have identified several other forms of security bug tolerance. They adapt an existing vulnerable program or system to make vulnerabilities more difficult to exploit, or to limit the potential damage in the event of a successful attack. We have classified these security bug tolerance techniques along two dimensions, as shown in Table 1: what is adapted, and how it is adapted. "What" is either the program's interface or its implementation, and "how" is either a permutation or a restriction of the adapted piece of software. The classification scheme is further developed elsewhere [5].

Our research has focused on interface and implementation restrictions. For instance, the StackGuard compiler [6, 4] is a tool for automatically installing implementation restrictions within the executable code of a program. These restrictions prevent the program from performing operations that are clearly not part of the program's intended behavior, such as changing the return address of a currently executing program, or altering a function pointer in a type-unsafe way. They can be thought of as specializations of the more general notion of type safety, which is also an implementation restriction. These restrictions are specialized to preserve performance and transparency for legacy programs written in C, which does not readily support type checking.

Table 1:

                Interface                 Implementation
Restrictions    Firewalls                 Array bounds checking [8, 9]
                Wrappers [1, 12, 13]      StackGuard [6]
Permutation     Deception Tool Kit [3]    Random code or data layout [7]

4 Summary

Creating systems secure enough to resist attack is sufficiently difficult and expensive that most customers choose not to purchase them. As a direct result, security is not a high priority for most vendors, and most systems in use in the information infrastructure are vulnerable to attack. To make the information infrastructure survivable, we must develop tools and techniques that can adapt existing vulnerable systems with a form of retrofit security that will make them able to resist attack.

References

[1] AUSCERT. overflow_wrapper.c - Wrap Programs to Prevent Command Line Argument Buffer Overrun Vulnerabilities. ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper, May
[2] Klaus Brunnstein. Mr. Bill Gates: MS Software Essentially Bug-free. comp.risks 17.43, October
[3] Fred Cohen. The Deception Toolkit. comp.risks 19.62, March. all.net/dtk.html.
[4] Crispin Cowan, Steve Beattie, Ryan Day, Calton Pu, and Perry Wagle. Protecting Systems from Stack Smashing Attacks with StackGuard. Submitted for review, June
[5] Crispin Cowan, Calton Pu, and Heather Hinton. Death, Taxes, and Imperfect Software: Surviving the Inevitable. In Proceedings of the New Security Paradigms Workshop, September. To appear.
[6] Crispin Cowan, Calton Pu, Dave Maier, Heather Hinton, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In 7th USENIX Security Conference, San Antonio, TX, January
[7] Stephanie Forrest, Anil Somayaji, and David H. Ackley. Building Diverse Computer Systems. In HotOS-VI, May
[8] Reed Hastings and Bob Joyce. Purify: Fast Detection of Memory Leaks and Access Errors. In Proceedings of the Winter USENIX Conference,
[9] Richard Jones and Paul Kelly. Bounds Checking for C. phjk/boundschecking.html, July
[10] Nathan Myers. FOCUS Magazine Interview with Bill Gates: Microsoft Code Has No Bugs.
[11] Unknown. Interview with Bill Gates. FOCUS, (43): , October
[12] Wietse Venema. TCP WRAPPER: Network Monitoring, Access Control, and Booby Traps. In Proceedings of the Third Usenix UNIX Security Symposium, pages 85-92, Baltimore, MD, September. ftp://ftp.win.tue.nl/pub/security/tcp_wrapper.ps.z.
[13] Joe Zbiciak. wrapper.c - Generic Wrapper to Prevent Exploitation of suid/sgid Programs. Bugtraq mailing list, May. im14u2c/wrapper/.
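
Added example (not code from the paper or from the wrappers cited as [1, 13]): a minimal wrapper of the kind Section 3 describes, which filters the command line and environment, raises an alert on rejection, and passes only safe data to the subject program. The path REAL_PROGRAM, the two length limits, the printable-ASCII rule for arguments and all function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <syslog.h>
#include <unistd.h>

#define REAL_PROGRAM "/usr/libexec/subject.real" /* hypothetical path of the wrapped binary */
#define MAX_ARG_LEN  256   /* assumed longest legitimate argument */
#define MAX_ENV_LEN  1024  /* assumed longest legitimate NAME=value entry */

extern char **environ;

enum verdict { ARG_OK = 0, ARG_TOO_LONG, ARG_NOT_PRINTABLE };

/* Classify one string. A string of exactly max_len bytes passes; one byte
 * more is rejected. With require_printable set, any byte outside 0x20..0x7e
 * (control characters, escape sequences, high-bit bytes) is rejected too. */
static enum verdict classify(const char *s, size_t max_len, int require_printable)
{
    for (size_t n = 0; s[n] != '\0'; n++) {
        unsigned char c = (unsigned char)s[n];
        if (n >= max_len)
            return ARG_TOO_LONG;
        if (require_printable && (c < 0x20 || c > 0x7e))
            return ARG_NOT_PRINTABLE;
    }
    return ARG_OK;
}

/* Scan a NULL-terminated vector (argv or environ). Returns the index of the
 * first rejected entry, or -1 if every entry passes. */
static int first_unsafe(char *const vec[], size_t max_len,
                        int require_printable, enum verdict *why)
{
    for (int i = 0; vec[i] != NULL; i++) {
        enum verdict v = classify(vec[i], max_len, require_printable);
        if (v != ARG_OK) {
            if (why != NULL)
                *why = v;
            return i;
        }
    }
    return -1;
}

/* Constructed sample vectors, usable with a small limit such as 16. */
char *const SAMPLE_OK[]   = { "prog", "-f", "report.txt", NULL };
char *const SAMPLE_LONG[] = { "prog", "-o",
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", NULL };
char *const SAMPLE_CTRL[] = { "prog", "name\033[2J", NULL };

int main(int argc, char *argv[])
{
    enum verdict why = ARG_OK;
    const char *where = "argv";
    int bad;

    (void)argc;
    /* Arguments must be short and printable; environment entries are only
     * length-checked because locale values may legitimately be non-ASCII. */
    bad = first_unsafe(argv, MAX_ARG_LEN, 1, &why);
    if (bad < 0) {
        where = "environ";
        bad = first_unsafe(environ, MAX_ENV_LEN, 0, &why);
    }
    if (bad >= 0) {
        /* The rejection doubles as the intrusion alert. */
        openlog("argwrap", LOG_PID, LOG_AUTH);
        syslog(LOG_ALERT, "refused %s[%d]: %s (uid %d)", where, bad,
               why == ARG_TOO_LONG ? "too long" : "non-printable byte",
               (int)getuid());
        closelog();
        return 1;
    }
    execv(REAL_PROGRAM, argv); /* only filtered input reaches the subject */
    perror("execv");
    return 127;
}
```

The wrapper is installed under the subject program's original name, with the original binary moved to REAL_PROGRAM, so callers need no change.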
More informationAn Integrated CyberSecurity Approach for HEP Grids. Workshop Report. http://hpcrd.lbl.gov/hepcybersecurity/
An Integrated CyberSecurity Approach for HEP Grids Workshop Report http://hpcrd.lbl.gov/hepcybersecurity/ 1. Introduction The CMS and ATLAS experiments at the Large Hadron Collider (LHC) being built at
More informationAn Attack Simulator for Systematically Testing Program-based Security Mechanisms
An Attack Simulator for Systematically Testing Program-based Security Mechanisms Ben Breech Computer and Info Sciences University of Delaware Newark, DE 19716 breech@cis.udel.edu Mike Tegtmeyer Army Research
More informationHoneyBOT User Guide A Windows based honeypot solution
HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3
More informationwww.pandasecurity.com 100% Malware-Free E-mail: A Guaranteed Approach
100% Malware-Free E-mail: A Guaranteed Approach 2 100% Malware-Free E-mail: A Guaranteed Approach Panda Security's Mail Filtering Managed Service Guarantees Clean E-mail Table of Contents Table of Contents...
More informationCS 392/681 - Computer Security. Module 16 Vulnerability Analysis
CS 392/681 - Computer Security Module 16 Vulnerability Analysis Course Policies and Logistics Homework 5 due tonight Homework 6 posted Read Chapter 23 11/13/2003 Module 16 - Vulnerability Analysis 2 Some
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion
More informationStar System. 2004 Deitel & Associates, Inc. All rights reserved.
Star System Apple Macintosh 1984 First commercial OS GUI Chapter 1 Introduction to Operating Systems Outline 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 Introduction What Is an Operating System?
More informationWHITEPAPER. Nessus Exploit Integration
Nessus Exploit Integration v2 Tenable Network Security has committed to providing context around vulnerabilities, and correlating them to other sources, such as available exploits. We currently pull information
More informationG/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy
For Public Use G/On Basic Best Practice Reference Guide Version 6 Make Connectivity Easy 2006 Giritech A/S. 1 G/On Basic Best Practices Reference Guide v.6 Table of Contents Scope...3 G/On Server Platform
More informationDeveloping Secure Software, assignment 1
Developing Secure Software, assignment 1 During development of software, faults and flaws are introduced either from the implementation or from the design of the software. During runtime these faults and
More informationTHE THREE ASPECTS OF SOFTWARE QUALITY: FUNCTIONAL, STRUCTURAL, AND PROCESS
David Chappell THE THREE ASPECTS OF SOFTWARE QUALITY: FUNCTIONAL, STRUCTURAL, AND PROCESS Sponsored by Microsoft Corporation Our world runs on software. Every business depends on it, every mobile phone
More informationHow To Detect A Buffer Overflow Vulnerability In Binary Code
Buffer Overflow Vulnerability Detection in the Binary Code Shehab Gamal El-Dien, Reda Salama, Ahmed Eshak shehab@ispofegypt.com, redasalama@hotmail.com, a_issac@sakhr.com Al-Azhar University, Faculty of
More informationStatic Checking of C Programs for Vulnerabilities. Aaron Brown
Static Checking of C Programs for Vulnerabilities Aaron Brown Problems 300% increase in reported software vulnerabilities SetUID programs Run with full access to the system Required to gain access to certain
More informationData on Kernel Failures and Security Incidents
Data on Kernel Failures and Security Incidents Ravishankar K. Iyer (W. Gu, Z. Kalbarczyk, G. Lyle, A. Sharma, L. Wang ) Center for Reliable and High-Performance Computing Coordinated Science Laboratory
More informationTop virtualization security risks and how to prevent them
E-Guide Top virtualization security risks and how to prevent them There are multiple attack avenues in virtual environments, but this tip highlights the most common threats that are likely to be experienced
More informationGoogle Apps Engine. G-Jacking AppEngine-based applications. Presented 30/05/2014. For HITB 2014 By Nicolas Collignon and Samir Megueddem
Google Apps Engine G-Jacking AppEngine-based applications Presented 30/05/2014 For HITB 2014 By Nicolas Collignon and Samir Megueddem Introduction to GAE G-Jacking The code The infrastructure The sandbox
More informationAssumption Busters Workshop - Cloud Computing
Assumption Busters Workshop - Cloud Computing Background: In 2011, the U.S. Federal Cyber Research Community conducted a series of four workshops designed to examine key assumptions that underlie current
More informationDAS, NAS or SAN: Choosing the Right Storage Technology for Your Organization
DAS, NAS or SAN: Choosing the Right Storage Technology for Your Organization New Drivers in Information Storage Data is unquestionably the lifeblood of today s digital organization. Storage solutions remain
More informationNetwork Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering
Network Security by David G. Messerschmitt Supplementary section for Understanding Networked Applications: A First Course, Morgan Kaufmann, 1999. Copyright notice: Permission is granted to copy and distribute
More informationIncident Response Team Responsibilities
Scope Any incidents that originate from, are directed towards, or transit Department of Earth and Planetary Sciences controlled computer or network resources will fall under the purview of this Incident
More informationCyberspace Security Issues and Challenges
Cyberspace Security Issues and Challenges Manu Malek, Ph.D. Department of Computer Science Stevens Institute of Technology mmalek@stevens.edu MSU Seminar, 10/06/03 M. Malek 1 Outline Security status Security
More informationBackground. How much does EMET cost? What is the license fee? EMET is freely available from Microsoft without material cost.
Microsoft s Enhanced Mitigation Experience Toolkit (EMET) is an enhancement to the Windows operating system that stops broad classes of malware from executing. EMET implements a set of anti-exploitation
More informationVisualizing Information Flow through C Programs
Visualizing Information Flow through C Programs Joe Hurd, Aaron Tomb and David Burke Galois, Inc. {joe,atomb,davidb}@galois.com Systems Software Verification Workshop 7 October 2010 Joe Hurd, Aaron Tomb
More informationFEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose
FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05 Cyber Risk Management Guidance Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk management.
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More information