A Study of Design Measure for Minimizing Security Vulnerability in Developing Virtualization Software

Size: px
Start display at page:

Download "A Study of Design Measure for Minimizing Security Vulnerability in Developing Virtualization Software"

Transcription

1 A Study of Design Measure for Minimizing Security Vulnerability in Developing Virtualization Software 1 Mi Young Park, *2 Yang Mi Lim 1, First Author Science and Technology Policy *2, Corresponding Author Duksung Women s University, Abstract As lots of users share IT resources as software, hardware, etc in cloud computing, the information security should be firstly solved. The solution of security vulnerability should be considered and built with the automatic diagnosis system prior to development of software, which can be efficiently completed through simulation of virtual test. This article catalogs vulnerabilities of security in realizing cloud computing virtualization technology according to priority and proposes a design process model for minimizing the security vulnerabilities for the construction of virtualization to practice the security vulnerabilities before software development using prioritized Security Use Case. 1. Introduction Keywords: Cloud Computing, Vulnerability, Vulnerability Scoring System Cloud computing and virtualization technology have merits of flexibility, efficiency and cost reduction as the user can utilize computing resources if necessary, which many companies are focusing on. Yet, for the realization of cloud computing technology, security problems should be solved together. Currently, security problems include malignant code and service availability infringement, information disclosure risk according to information ownership and administrative segregation, protocol vulnerability, zero day, legal and regulatory issues. In order to solve these problems, it is necessary to model security design process in software development process and go through a practice phase to minimize security vulnerability in virtualization establishment. Since software vulnerability occurs throughout the phases from an early phase of development, designing measures minimizing vulnerability at the early phase can reduce development cost and other costs and increase the reliability and security of the software [1]. Thus, this study checked and categorized it to develop the template of the security vulnerability of virtualization prior to software development and prepare security design documents based on the security requirements and produced a web-based checklist so as to make virtual practices before the development phase. This study analyzed the types and impacts of the vulnerability of the virtual machine for the template composition of the virtualization vulnerabilities, set the priority of the vulnerabilities and surveyed and organized detailed countermeasures by the degree of risk. These vulnerability priority data were designed and composed with the detailed items of the checklist so as to describe the detailed items and countermeasures and make virtual practices. 2. Relevant Research Cloud computing refers to a mode of providing the user with multiple data centers integrated with virtualization technology along with a variety of software, security and computing infrastructure on demand [2]. The thing that should be treated most importantly in the adoption of this cloud computing technology is to solve the vulnerabilities of software security. Software security vulnerabilities refer to security defects occurring due to the functional specifications of the software, design, error in the implementation of phase, booting, installation, or operational issues [3]. To solve these security defects, Cloud Security Alliance (CSA) defines seven threat factors [4,5,6]. Garthner's research proposes security guidelines for the cloud computing users [7, 8]. Nevertheless, with the security vulnerabilities, annual infringement level, diversity and the whole number of infringements are gradually increasing [9]. To solve these, attempts to design the software development process and standardize the security practice phase are increasing [10]. Until now, there is almost no standardized security practice about the overall software development. Kenneth and Gary reported the security practice for the reduction of International Journal of Advancements in Computing Technology(IJACT) Volume5, Number13, September

2 the security vulnerabilities though not the overall application practices of the software development phase as follows [11, 12]: Figure 1. Practices for the Reduction of the Security Vulnerabilities in the Software Development Phase 3. Security Vulnerability of Virtual Machine and Importance Analysis This chapter analyzed the types and impacts on the security vulnerabilities of virtual machines and researched the priority by the importance of the security vulnerabilities. These significances are used in cataloging the items on the checklist to be used in the design process of minimizing the security vulnerabilities of the virtualization to be described in Chapter 4 and used for the detailed items and countermeasures for the virtual practices. First of all, in providing the virtualization technology of cloud computing, all security vulnerabilities occurring in virtual machines in three kinds of VMware, Xen and VirtualBox were classified, and the results of damages that may occur accordingly were analyzed to measure the degree of risk. The classification of the types of vulnerability referred to Common Weakness Enumeration (CWE) [13]. Table 1 selected 20 types of security vulnerabilities occurring in the virtual machines such as VMware, Xen and Virtual Box most frequently used in companies and public institutions and researched the number of the vulnerabilities. Table 1. Analysis on the Types of Virtual Machine Vulnerabilities No. Vulnerability Type CWE VMware Xen VirtualBox 1 Permissions, Privileges, and Access Control CWE Buffer Errors CWE Resource Management Errors CWE Information Leak / Disclosure CWE Link Following CWE Sum Total Through Table 1, most frequently occurring security vulnerabilities were selected, and with these vulnerabilities, the result of the damages could be understood. These damage results were defined as the impact types due to the vulnerabilities and summarized like Table 2. Table 2. Impact Types by VM Vulnerabilities No. Vulnerability impact type based on CVE VMware Xen VirtualBox 1 Provides user account access Allows disruption of service Allows unauthorized disclosure of information Provides administrator access Allows disruption of service Unknown Allows unauthorized modification Provides unauthorized access Unknown Sum Total

3 Next, for the impacts due to the security vulnerabilities in Table 2, a valuation basis was set up to pick up the most dangerous items on rankings and the importance and priority were researched and analyzed like Table 3. Generally, in the software development process, if security vulnerabilities are found, they are reported in secret to the relevant software vendors or disclosed on the Internet. In addition, since the software vendors disclose the information about the vulnerabilities themselves and estimate the degree of risk of the vulnerabilities, the reliability of the written advice for security of each product will be reduced. This is because the calculation of the rating of the degree of risk of the security vulnerabilities has not been standardized, so a standardization policy is necessary preferentially. Thus, to secure the reliability of the calculation of the rating of the degree of risk, to set up the priority in the activity of minimizing the security vulnerabilities, the standardized policy for the degree of risk specialized in the virtualization environment was defined and to score the measurement standards of the degree of risk, open framework THE CVSS was used. Fig. 2 shows the frequently assessed items and the impact assessment items [14]. It shows that in these matrixes, the basic matrix score is delivered to the temporary matrix and the environmental matrix, and it is applied appropriately in the temporary matrix and the environmental matrix environments. Generally, in the basic and temporary matrixes, security vulnerability posting analysis is used by security solution and application companies, so that they have much more information than general users do, and accordingly, the basic matrix value is preferentially assessed and delivered to the temporary matrix and the environmental matrix. At this time, the environmental matrix is useful in assessing the security vulnerabilities of the environment fitting the user, and the preceding assessment score is reflected to receive the assessment. Table 3 describes the number of frequency according to the properties of CVSS and the relationship between the matrixes according to the properties of the impact types. Basic metrics frequency Figure 2. Emphasized Subset of Attributes from CVSS Table 3. Significance and Priority of Valuation Basis Valuation basis Significance Weight Priority Access Vector 3.1% 0.3% Access Complexity 2.6% 0.3% Authentication 40.5% 4.6% Basic metrics impact Confidentiality 20.8% 2.4% Integrity 15.5% 1.8% Availability 11.5% 1.3% Temporal Metrics frequency Utilizability tools & techniques Remediation level 6.0% 0.7% % 10.6% Report confidence 13.5% 6.5% Environmental Metrics Confidentiality requirement 64.4% 31.0%

4 impact Integrity requirement 7.2% 2.9% Availability requirement 15.3% 6.2% Collateral damage potential 25.0% 10.1% Workload scalability and reliability 52.4% 21.2% Priority-applied Security Design for Minimizing the Vulnerabilities of Virtualization This chapter describes the security design process including the priority-applied valuation basis checklist for the reduction of the security vulnerabilities in the software development phase based on the security vulnerability priority list of virtualization. The security design valuation basis is different from the general design valuation basis. The general design considers the module among the features, hours of work, procedures etc. except the security factor, so it is not proper for the security design assessment. Fig.3 is the model applying the result by the risk degree attribution using the security requirements and vulnerability list. Figure 3. The Proposed Design Model That Applies the Priority for Minimizing the Vulnerability of Virtualization The checklist testing web page for minimizing the security vulnerability of virtualization was established based on the security design model of Fig. 3. In order to design the checklist, the first page was composed for inputting the information of project for development and the information of the user who writes the relevant template. Secondly, the item for writing the misuse case which is relevant to the project was designed. Thirdly, the step for examining the input status of the case of using security by misuse case was composed. On this page, if many security use cases are inputted, then the priority input status should be examined. The priority input status as the detailed item is composed by referring the category of the virtual machine security vulnerability type analysis in Table 1, and the priority result of the upper and lower structure was examined by inputting weighting of security use case per each factor and the importance and priority assessment factor by the virtual machine vulnerability of Table 3. This content is a design section reflected by the security requirements, and the detailed scheme of the section is described in a picture. The range to test a point where this vulnerability is detected is determined on the basis of the guideline to solution in the configuration management application system based on the integrated information sharing DB. Figure 4. Steps of Design that reflects security requirements 391

5 The result shows the development of the project from the webpage which established the external review and the check list review in the process of test plans. The developed software tool should be passed through the process of practice based on the software simulation which examines the risk factor analysis and penetration state test finally after examining the result of the test. 5. Result This study developed a method of drawing out security requirements and the template according to that so as to prevent and mitigate the vulnerabilities of virtualization at an early phase of software development. The security requirements resolution method and template were developed for the prevention and mitigation of the initial vulnerability of virtualization. The security vulnerability type of virtualization technology was analyzed and the impact type was examined for the template composition. In addition, the priority was set by the importance and risk degree assessment about the security vulnerability for the upper and lower structural design of template contents, so the security vulnerability minimizing software development methodology reflecting the security requirements was suggested. The tool kit development for the security vulnerability minimizing can prepare countermeasure for the security vulnerabilities of virtualization in the cloud environment, and it can simulate the many security problems in the software development, so it is expected that it can save development cost and shorten the period of development. 6. References [1] Ministry of Information and Communication, Medium-and Long-term Information Protection Roadmap for Safe Implementation of u-korea, ICTD Report, Korea, [2] Myong Jun. Kim, Korea s Cloud Computing Strategy, IT21 Global Conference, [3] William A.Arbaugh, William L.Fithen, John McHugh, Windows of Vulnerability: A Case Study Analysis, IEEE Computer, vol. 33, pp , [4] CSA, Top Threats to Cloud Computing V1.0, Cloud Security Alliance, [5] Kichul Kim, Ok Heo, Seungjoo. Kim, A Security Evaluation Criteria for Korean Cloud Computing Service, Institute of Information Security and Cryptology, vol. 23, no. 2, pp.1-17, [6] Sunyoung Shin, Sukhyun Song, A Priority Study for Applying Public Cloud Services in Korea by Mapping the SRM with Overseas Cloud Services in the Public Sector, Internet and Information Security, vol.3, no. 3, pp.67-89, [7] Gartner, [8] J. Brodkin, Gartner: Seven Cloud Computing Security Risks, Network World, [9] Larry Bridwell, Computer Virus Prevalence Survey, ICSA Labs, [10] Honggun. Kim, The Software Security Standards for the Secure Realization of IT839 Strategy, Korea Information Security Agency, The 1st Distinguished Information Communication Standardization Paper Collection, pp , [11] Kenneth R. van Wyk, & Gary McGraw, Bridging the Gap between Software Development and Information Security, IEEE Security and Privacy, vol. 03, no. 5, pp.75-79, [12] Siv Hilde Houmb, Virginia N. L. Franqueira, Erlend A. Engum, Quantifying Security Risk Level from CVSS Estimates of Frequency and Impact, EEMCS, The Journal of Systems and Software, Elsevier, Vol.83 Issue 9, pp , [13] CWE, [14] Peter Mell, Karen A. Scarfone, Sasha Romanosky, A Complete Guide to the Common Vulnerability Scoring System, Version 2.0. Forum of Incident Response and Security Teams,

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise 1. Introduction Information security means protecting information

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

6. Exercise: Writing Security Advisories

6. Exercise: Writing Security Advisories CERT Exercises Toolset 49 49 6. Exercise: Writing Security Advisories Main Objective Targeted Audience Total Duration Time Schedule Frequency The objective of the exercise is to provide a practical overview

More information

SD Elements: A Tool for Secure Application Development Management

SD Elements: A Tool for Secure Application Development Management SD Elements: A Tool for Secure Application Development Management Golnaz Elahi 1, Tom Aratyn 2, Ramanan Sivaranjan 2, Rohit Sethi 2, and Eric Yu 3 1 Department of Computer Science, University of Toronto,

More information

A Review on Zero Day Attack Safety Using Different Scenarios

A Review on Zero Day Attack Safety Using Different Scenarios Available online www.ejaet.com European Journal of Advances in Engineering and Technology, 2015, 2(1): 30-34 Review Article ISSN: 2394-658X A Review on Zero Day Attack Safety Using Different Scenarios

More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

Software Vulnerability Assessment

Software Vulnerability Assessment Software Vulnerability Assessment Setup Guide Contents: About Software Vulnerability Assessment Setting Up and Running a Vulnerability Scan Manage Ongoing Vulnerability Scans Perform Regularly Scheduled

More information

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard State of Minnesota Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard Approval: Enterprise Security Office (ESO) Standard Version 1.00 Gopal Khanna

More information

Ensuring Cloud Security Using Cloud Control Matrix

Ensuring Cloud Security Using Cloud Control Matrix International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 9 (2013), pp. 933-938 International Research Publications House http://www. irphouse.com /ijict.htm Ensuring

More information

Q: What is CVSS? Q: Who developed CVSS?

Q: What is CVSS? Q: Who developed CVSS? CVSS FAQ Q: What is CVSS? Q: Who developed CVSS? Q: What does CVSS not do? Q: What is involved in CVSS? Q: What are the details of the Base Metrics? Q: What are the details of the Temporal Metrics? Q:

More information

CDM Vulnerability Management (VUL) Capability

CDM Vulnerability Management (VUL) Capability CDM Vulnerability Management (VUL) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Vulnerability Management Continuous Diagnostics and Mitigation

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

Security & Trust in the Cloud

Security & Trust in the Cloud Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer

More information

An ITIL Perspective for Storage Resource Management

An ITIL Perspective for Storage Resource Management An ITIL Perspective for Storage Resource Management BJ Klingenberg, IBM Greg Van Hise, IBM Abstract Providing an ITIL perspective to storage resource management supports the consistent integration of storage

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

A Secure System Development Framework for SaaS Applications in Cloud Computing

A Secure System Development Framework for SaaS Applications in Cloud Computing A Secure System Development Framework for SaaS Applications in Cloud Computing Eren TATAR, Emrah TOMUR AbstractThe adoption of cloud computing is ever increasing through its economical and operational

More information

Assessing and Managing Security Risk in IT Systems: a Technology-independent Approach. John McCumber Software Assurance Forum October 15, 2008

Assessing and Managing Security Risk in IT Systems: a Technology-independent Approach. John McCumber Software Assurance Forum October 15, 2008 Assessing and Managing Security Risk in IT Systems: a Technology-independent Approach John McCumber Software Assurance Forum October 15, 2008 IT Risk Assessment Find out the cause of this effect, Or rather

More information

Security Risk Assessment of TeamViewer Application

Security Risk Assessment of TeamViewer Application Security Risk Assessment of TeamViewer Application Stjepan Groš Faculty of Electrical and Computing Engineering University of Zagreb Unska bb, 10000 Zagreb, Croatia E-Mail: stjepan.gros@fer.hr Abstract.

More information

ISSECO Syllabus Public Version v1.0

ISSECO Syllabus Public Version v1.0 ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

UF Risk IT Assessment Guidelines

UF Risk IT Assessment Guidelines Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Intro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

Intro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe Intro to QualysGuard IT Risk & Asset Management Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe A Unified and Continuous View of ICT Security, Risks and Compliance

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 14 Risk Mitigation Objectives Explain how to control risk List the types of security policies Describe how awareness and training

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Modern Accounting Information System Security (AISS) Research Based on IT Technology

Modern Accounting Information System Security (AISS) Research Based on IT Technology , pp.163-170 http://dx.doi.org/10.14257/astl.2016. Modern Accounting Information System Security (AISS) Research Based on IT Technology Jiamin Fang and Liqing Shu Accounting Branch, Jilin Business and

More information

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University Cloud Computing: Opportunities, Challenges, and Solutions Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University What is cloud computing? What are some of the keywords? How many of you cannot

More information

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud

Cloud Security. DLT Solutions LLC June 2011. #DLTCloud Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures. Symantec Corporation TM Symantec Product Vulnerability Management Process Best Practices Roles & Responsibilities INSIDE Vulnerabilities versus Exposures Roles Contact and Process Information Threat Evaluation

More information

Security Control Standard

Security Control Standard Department of the Interior Security Control Standard Risk Assessment January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

Manage Vulnerabilities (VULN) Capability Data Sheet

Manage Vulnerabilities (VULN) Capability Data Sheet Manage Vulnerabilities (VULN) Capability Data Sheet Desired State: - Software products installed on all devices are free of known vulnerabilities 1 - The list of known vulnerabilities is up-to-date Desired

More information

Get Confidence in Mission Security with IV&V Information Assurance

Get Confidence in Mission Security with IV&V Information Assurance Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving

More information

A Comprehensive Study on Cloud Computing Standardization

A Comprehensive Study on Cloud Computing Standardization A Comprehensive Study on Cloud Computing Standardization Dr. Mukesh Chandra Negi Project Manager, Tech Mahindra Ltd, Noida, India ABSTRACT: Standard is a trust between standardization body, buyers and

More information

Data Loss Prevention Program

Data Loss Prevention Program Data Loss Prevention Program Safeguarding Intellectual Property Author: Powell Hamilton Senior Managing Consultant Foundstone Professional Services One of the major challenges for today s IT security professional

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

Research Article Decision Making for the Adoption of Cloud Computing for Sensor Data: From the Viewpoint of Industrial Security

Research Article Decision Making for the Adoption of Cloud Computing for Sensor Data: From the Viewpoint of Industrial Security International Distributed Sensor Networks Volume 2015, Article ID 581563, 5 pages http://dx.doi.org/10.1155/2015/581563 Research Article Decision Making for the Adoption of Cloud Computing for Sensor Data:

More information

The Bayesian Network Methodology for Industrial Control System with Digital Technology

The Bayesian Network Methodology for Industrial Control System with Digital Technology , pp.157-161 http://dx.doi.org/10.14257/astl.2013.42.37 The Bayesian Network Methodology for Industrial Control System with Digital Technology Jinsoo Shin 1, Hanseong Son 2, Soongohn Kim 2, and Gyunyoung

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11 Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2

More information

ISMS Implementation Guide

ISMS Implementation Guide atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013 2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information

Security Testing and Vulnerability Management Process. e-governance

Security Testing and Vulnerability Management Process. e-governance Security Testing and Vulnerability Management Process for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.

More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

2) Xen Hypervisor 3) UEC

2) Xen Hypervisor 3) UEC 5. Implementation Implementation of the trust model requires first preparing a test bed. It is a cloud computing environment that is required as the first step towards the implementation. Various tools

More information

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING 1. K.SURIYA Assistant professor Department of Computer Applications Dhanalakshmi Srinivasan College of Arts and Science for Womren Perambalur Mail: Surik.mca@gmail.com

More information

The Design of a Web Portal for IPTV System

The Design of a Web Portal for IPTV System The Design of a Web Portal for IPTV System Jaegeol Yim 1 and Gyeyoumg Lee 1 1 Dept. of Computer Engineering, Dongguk University at Gyeongju, Gyeongju, Gyeongbuk, Korea {yim, lky}@dongguk.ac.kr Abstract.

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Research on Situation and Key Issues of Smart Mobile Terminal Security

Research on Situation and Key Issues of Smart Mobile Terminal Security Research on Situation and Key Issues of Smart Mobile Terminal Security Hao-hao Song, Jun-bing Zhang, Lei Lu and Jian Gu Abstract As information technology continues to develop, smart mobile terminal has

More information

Vulnerability Management Policy

Vulnerability Management Policy April 13th, 2015 1.0 SUMMARY Vulnerability management is the processes and technologies that an organization utilizes to identify, assess, and remediate information technology (IT) vulnerabilities, weaknesses,

More information

Server Consolidation. Report to the Joint Legislative Oversight Committee on Information Technology

Server Consolidation. Report to the Joint Legislative Oversight Committee on Information Technology Server Consolidation Report to the Joint Legislative Oversight Committee on Information Technology Chris Estes State Chief Information Officer December 2013 This page left blank intentionally Contents

More information

Exam 1 - CSIS 3755 Information Assurance

Exam 1 - CSIS 3755 Information Assurance Name: Exam 1 - CSIS 3755 Information Assurance True/False Indicate whether the statement is true or false. 1. Antiquated or outdated infrastructure can lead to reliable and trustworthy systems. 2. Information

More information

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review

More information

Symantec's Continuous Monitoring Solution

Symantec's Continuous Monitoring Solution Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................

More information

A Survey on Security Issues and Security Schemes for Cloud and Multi-Cloud Computing

A Survey on Security Issues and Security Schemes for Cloud and Multi-Cloud Computing International Journal of Emerging Engineering Research and Technology Volume 3, Issue 5, May 2015, PP 1-7 ISSN 2349-4395 (Print) & ISSN 2349-4409 (Online) A Survey on Security Issues and Security Schemes

More information

TITLE III INFORMATION SECURITY

TITLE III INFORMATION SECURITY H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable

More information

HIPAA Compliance Evaluation Report

HIPAA Compliance Evaluation Report Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations

More information

VULNERABILITY MANAGEMENT

VULNERABILITY MANAGEMENT VULNERABILITY MANAGEMENT A White Paper Presented by: MindPoint Group, LLC 8078 Edinburgh Drive Springfield, VA 22153 (o) 703.636.2033 (f) 866.761.7457 www.mindpointgroup.com blog.mindpointgroup.com SBA

More information

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES... Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

STATE OF NEW JERSEY IT CIRCULAR

STATE OF NEW JERSEY IT CIRCULAR NJ Office of Information Technology P.O. Box 212 www.nj.gov/it/ps/ Chris Christie, Governor 300 River View E. Steven Emanuel, Chief Information Officer Trenton, NJ 08625-0212 STATE OF NEW JERSEY IT CIRCULAR

More information

74. Selecting Web Services with Security Compliances: A Managerial Perspective

74. Selecting Web Services with Security Compliances: A Managerial Perspective 74. Selecting Web Services with Security Compliances: A Managerial Perspective Khaled Md Khan Department of Computer Science and Engineering Qatar University k.khan@qu.edu.qa Abstract This paper proposes

More information

Enterprise Software Management Systems by Using Security Metrics

Enterprise Software Management Systems by Using Security Metrics Enterprise Software Management Systems by Using Security Metrics Bhanudas S. Panchabhai 1, A. N. Patil 2 1 Department of Computer Science, R. C. Patel Arts, Commerce and Science College, Shirpur, Maharashtra,

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

3 Web Services Threats, Vulnerabilities, and Countermeasures

3 Web Services Threats, Vulnerabilities, and Countermeasures 3 Web Services Threats, Vulnerabilities, and Countermeasures Securing a Web service requires us to protect, as far as possible, all of its basic components, shown in Figure 3.1, and their interactions

More information

ICS-SCADA testing and patching: Recommendations for Europe

ICS-SCADA testing and patching: Recommendations for Europe ICS-SCADA testing and patching: Recommendations for Europe Adrian Pauna adrian.pauna@enisa.europa.eu European Union Agency for Network and Information Security www.enisa.europa.eu Agenda ENISA previous

More information

SECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY

SECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY SECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

Security Threats on National Defense ICT based on IoT

Security Threats on National Defense ICT based on IoT , pp.94-98 http://dx.doi.org/10.14257/astl.205.97.16 Security Threats on National Defense ICT based on IoT Jin-Seok Yang 1, Ho-Jae Lee 1, Min-Woo Park 1 and Jung-ho Eom 2 1 Department of Computer Engineering,

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

About Effective Penetration Testing Methodology

About Effective Penetration Testing Methodology 보안공학연구논문지 (Journal of Security Engineering), 제 5권 제 5호 2008년 10월 About Effective Penetration Testing Methodology Byeong-Ho KANG 1) Abstract Penetration testing is one of the oldest methods for assessing

More information

5) Detailed description of problems/hypotheses you are planning to investigate.

5) Detailed description of problems/hypotheses you are planning to investigate. Cloud Computing/Cloud Storage Project Specification 1) List of team members. Krystal Carlton, Amir Koupaei, Cody Jenkins 2) The exact title of your project (it can be different than a corresponding project

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

A Multi-layer Tree Model for Enterprise Vulnerability Management

A Multi-layer Tree Model for Enterprise Vulnerability Management A Multi-layer Tree Model for Enterprise Vulnerability Management Bin Wu Southern Polytechnic State University Marietta, GA, USA bwu@spsu.edu Andy Ju An Wang Southern Polytechnic State University Marietta,

More information

A Design of Access Control Framework for User Identification Based on Personal Cloud

A Design of Access Control Framework for User Identification Based on Personal Cloud , pp.17-21 http://dx.doi.org/10.14257/astl.2014.49.04 A Design of Access Control Framework for User Identification Based on Personal Cloud Byung-Wook Jin and Keun-Wang Lee Department of Computer Science,

More information

ISAAC Risk Assessment Training

ISAAC Risk Assessment Training ISAAC Risk Assessment Training v2013 Information Technology Risk Management 1 Agenda Why Assess? Information Security Standards Risk Assessment Process Using ISAAC Information Technology Risk Management

More information

Improving Unstructured Data Governance. Ryan Jancaitis Product Management Symantec

Improving Unstructured Data Governance. Ryan Jancaitis Product Management Symantec Improving Unstructured Data Governance Ryan Jancaitis Product Management Symantec Agenda 1 2 3 4 Overview Data Management Data Protection and Compliance Summary Unstructured Information Growth Leads to

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Cloud Computing Dr. A. Askarunisa Professor and Head Vickram College of Engineering, Madurai, Tamilnadu, India N.Ganesh Sr.Lecturer Vickram College of Engineering, Madurai, Tamilnadu,

More information

A Software Security Assessment System Based On Analysis of

A Software Security Assessment System Based On Analysis of A Software Security Assessment System Based On Analysis of Vulnerabilities 1,2 Chenmeng Sui, 1 Yanzhao Liu, 2 Yun Liu, 1 China Information Technology Security Evaluation Center, Beijing,China,liuyz@itsec.gov.cn

More information

Security Model for VM in Cloud

Security Model for VM in Cloud Security Model for VM in Cloud 1 Venkataramana.Kanaparti, 2 Naveen Kumar R, 3 Rajani.S, 4 Padmavathamma M, 5 Anitha.C 1,2,3,5 Research Scholars, 4Research Supervisor 1,2,3,4,5 Dept. of Computer Science,

More information

McAfee Vulnerability Manager 7.0.2

McAfee Vulnerability Manager 7.0.2 McAfee Vulnerability Manager 7.0.2 The McAfee Vulnerability Manager 7.0.2 quarterly release adds features to the product without having to wait for the next major release. This technical note contains

More information

A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services

A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services Ronnie D. Caytiles and Byungjoo Park * Department of Multimedia Engineering, Hannam University

More information

DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1

DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1 DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1 Continuously Assess, Monitor, & Secure Your Information Supply Chain and Data Center Data Sheet: Security Management Is your organization able

More information

Strategies for assessing cloud security

Strategies for assessing cloud security IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary

More information

Web Application Security. Sajjad Pourali sajjad@securation.com CERT of Ferdowsi University of Mashhad

Web Application Security. Sajjad Pourali sajjad@securation.com CERT of Ferdowsi University of Mashhad Web Application Security Sajjad Pourali sajjad@securation.com CERT of Ferdowsi University of Mashhad Take away Why web application security is very important Understanding web application security How

More information

SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report 11-52 January 3, 2012

SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report 11-52 January 3, 2012 SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES Audit Report 11-52 January 3, 2012 Henry Mendoza, Chair Melinda Guzman, Vice Chair Margaret Fortune Steven M. Glazer William

More information

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent

More information

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

More information

SAFECode Security Development Lifecycle (SDL)

SAFECode Security Development Lifecycle (SDL) SAFECode Security Development Lifecycle (SDL) Michael Howard Microsoft Matthew Coles EMC 15th Semi-annual Software Assurance Forum, September 12-16, 2011 Agenda Introduction to SAFECode Security Training

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Review: McAfee Vulnerability Manager

Review: McAfee Vulnerability Manager Review: McAfee Vulnerability Manager S3KUR3, Inc. Communicating Complex Concepts in Simple Terms Tony Bradley, CISSP, Microsoft MVP September 2010 Threats and vulnerabilities are a way of life for IT admins.

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information