What IT Auditors Need to Know About Secure Shell. SSH Communications Security

Size: px
Start display at page:

Download "What IT Auditors Need to Know About Secure Shell. SSH Communications Security"

Transcription

1 What IT Auditors Need to Know About Secure Shell SSH Communications Security

2 Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources

3 What is Secure Shell? A cryptographic protocol for remote login, remote command execution, and securing file transfer. Available in open source and commercial implementations. Widely used on most systems (Unix, Linux, Mac, Windows, IBM Mainframes). It is client server application

4 Who Uses Secure Shell? Secure Shell is the tool of choice for privileged users and privileged processes: Systems administrators Contractors, IT Outsourcing Bulk file transfers Automated Processes

5 Popular Uses of Secure Shell Secure login to remote systems (replace Telnet) Secure file transfer (replace or secure FTP) Secure command execution on a remote host (replace rsh) Secure backup and copy Protocol and application tunneling (RDP) Widely used by system administrators Widely used in many automated machine to machine processes

6 Secure Shell in the Enterprise 82% OF RESPONDENTS SAID THEIR ORGANIZATION USES SECURE SHELL. 68% CONSIDER IT IMPORTANT OR CRITICAL TO THE BUSINESS

7 Replacement of legacy tools SSH replaces common connectivity and administration tools with their secure counterparts: FTP TELNET RCP SFTP SSH SCP Allows the use of variety of security algorithms and authentication methods: AES, 3DES, Blowfish etc. (variety of key sizes) Password, GSSAPI, PKI etc.

8 SSH authentication: The essentials 1) Server authentication: Server proves its identity to the client Network User (SSH Client) Host (SSH Server) 2) User authentication: Client proves user s identity to the server

9 Secure Shell Protocol Architecture The Secure Shell protocol consists of three layers: 3. SSH-CONNECT Multiplexes SSH tunnel into channels (IMAP, X11, sftp etc.) SSH-USERAUTH SSH-TRANS User authentication (passwords encrypted) Server authentication SSH client TCP/IP X11 IMAP. SSH server

10 Typical Uses for Automated Connections Automated file transfers Periodic Database Back-Ups Collecting Log Files Running system statistics/ health checks Executing remote commands, starting business processes

11 Secure Shell Security The Good: Provides confidentiality (encryption) for data transfers Enables secure systems administration Enables secure process automation (machine to machine) The Bad: Authentication keys can be an attack vector for both malicious insiders and external threats Can be used to obscure data theft Can enable other unauthorized activities

12 Secure Shell Authentication Keys A Key pair, consisting of a private and public key Private Key is an Identity Key. It validates identity of the person or process requesting login. Public Key is an Authorized Key. Establishes what level of access is granted to the holder(s) of the Private/Identity Key. Keys are used for automated processes Enables authentication for scheduled and automated file transfers and other tasks where user interaction is not possible. Interactive processes Private Public Keys are used for interactive connections Private key can be protected with a passphrase. Public

13 Generating and Adding Keys Generating a key produces two files: private key and public key To allow a connection, the source user s public key is copied to the destination user s authorized keys file on the destination server Access is allowed if the source user s home directory on the source host contains a private key that matches to a public key within the destination user s authorized keys file on the destination host Client (src_host) /home/<src_user>/.ssh Server (dest_host) /home/<dest_user>/.ssh priv pub Copy of Public Key pub 13

14 Identity Keys and Authorized Keys Identity (Private) Keys Identity keys reside on source systems (ssh clients) Identity keys are associated with a user only because they are stored in the user s home directory (or another accessible directory) Authorized (Public) Keys Authorized keys exist on destination systems (ssh servers) Define the Identity keys that are allowed to connect A user s authorized keys file contains all public keys that are allowed to connect as that user on a particular SSH server Authorized keys create a trust relationship: anyone who can provide the private key associated with a user s authorized public key is permitted to connect to the system as that user 14

15 Keys Create Trust Relationships One to One One to Many Many to Many Many to One

16 Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources

17 Uncontrolled Key Scenario Bob s office PC Production Server Bob is authorized to login as root to a production server. Bob creates an SSH key pair & adds public key as a root authorized key - provides an unaudited backdoor to bypass controls on root logins. Private key Public key Bob makes a copy of private key, installs it on his home computer. Connects from home. Bob shares his private key with Bill. Bill leaves the company, keeps the private key. Bob s home computer is hacked. Private key taken by an attacker. These risks could affect any SSH server, including mainframe systems.

18 Circumventing Jump Hosts User Logs In to Server Via Jump Host User Accesses Server & Uploads Public Key First Log In User Subsequent Log Ins User Bypasses the Jump Host and Internal Security Controls Via an SSH Key

19 Backdoors into Mainframes Mainframe z/os Data bases Transaction Processing TRUST TRUST S/370 USS TRUST MVS AS/400 Public key enables automated access for transaction processing into the IBM mainframe environment. Copy of public key moved to another user directory on USS Public key allows remote holder of the private key to login as the user on USS and access MVS, without going through RACF

20 Trust Can Propagate Lost or Stolen SSH key User

21 Abuse of Privileged Channels Malicious Insider Extracts Information Assets Through Encrypted Tunnel Information Assets? Malicious Insider Accesses Servers with Authorized Keys

22 Collapse of Separation of Duties Insiders can easily exploit poor key management controls to gain access to production, HA and back up servers What you think you have What you really have

23 Privileged Channel Risk Trusted insiders have the broadest access to the most critical data We hypothesize that many insider crimes go unreported because the organization is unaware of them, or because they decide for political reasons to handle it internally. Growing number of external business partners, services and other connections will expose critical services to new threats and attacks DATA BREACH INVESTIGATIONS REPORT A partner s lax security practices and poor governance often outside the victim s control or expertise are frequently catalysts in security incidents. -

24 The Threat is Real 24

25 The Costs are Huge

26 Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources

27 Compliance Demands Action Multiple Mandates for Secure Shell Controls ISO PCI-DSS COBIT SOX NIST HIPAA NERC FFIEC Secure Shell Has Impact Across All Domains

28 PCI Version 3 More Flexibility in implementation More Guidance on intent of requirements More Rigor in testing procedures Emphasis on Business as Usual (BAU) processes. From: Compliance as an annual event Companies fall out of compliance in between audits To: Compliance as Business as Usual Sound security practices always in effect

29 PCI Version 3 and Secure Shell Requirements pertaining to Secure Shell are pervasive across all domains PCI Requirements and Guidance focused on intent, not on technology Requirement The security mandate Intent The purpose of the mandate Guidance Where SSH Applies

30 PCI DSS 3.0 Structure Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Controls Regularly Monitor and Test Networks Maintain an Information Security Policy Install and maintain a firewall config Don t use vendor supplied defaults for passwords and security confiigs Protect Stored cardholder data Encrypt transmission of cardholder data Use and update AV software Develop and maintain secure applications and systems Restrict access to CD on need to know basis Assign a unique ID to each person with computer access Track and monitor all access to network and CD Regularly test security systems and processes Maintain a policy that addresses information security Secure Shell Has Impact Across All Domains of PCI DSS

31 From PCI Intent to Implementation There are 50 specific PCI requirements where Secure Shell has impact Requirement 6: Develop and Maintain Secure Systems and Applications Requirement 6.4: Follow change control processes and procedures for all changes to system components. Requirement 6.4.2: Separation of duties between development/test and production environments Testing Procedure 6.4.2: Observe processes and interview personnel to verify that separation of duties is in place between dev & prod. The intent of this requirement is to separate development and test functions from production functions. Scan servers and review logs to validate the same SSH keys not authorized to both dev and test Secure Shell keys used by dev must be removed before applications moved into production environments

32 Secure Shell Guidance PCI Controls Build and Maintain a Secure Network and Systems (1,2) Protect Cardholder Data (3,4) Maintain a Vulnerability Management Program (5,6) Implement Strong Access Control Measures (7,8,9) Regularly Monitor and Test Networks (10,11) Maintain an Information Security Policy (12) Secure Shell Guidance Document SSH data flows and trust relationships in and out of CDE. Establish configuration standards for SSH. Documented processes, controls and management of SSH user and host keys. Ensure only secure versions of SSH are deployed. Ensure best practices and change control for SSH use and deployment are in place. Remove keys when moving images from test to production. Review onboarding, offboarding and governance procedures over SSH authorized access to CDE for both interactive and automated use. Implement logging, monitoring and change detection mechanisms for SSH software and keys. Ensure SSH traffic scanned by IDS/IPS. The risk assessment process should consider the state of SSH key management and loss of defense in depth resulting from unmanaged SSH keys (e.g., risk of attack spread into disaster recovery systems and backup systems).

33 Current State Analysis

34 The Identity Governance Gap 20% of Identities Centralized directory services for standard end users 80% of Identities Little to no centralized management and activity monitoring over privileged users and machine based identities

35 Typical Enterprise Current State No visibility as to who has access to what Secure Shell servers No tools or methods to remove keys. Onboarding and off boarding issues No tools of methods to restrict or rotate the private keys Errors in manual key setups and maintenance

36 Security and Compliance Challenge Many organizations said that they are not monitoring & logging SSH activities Only 44% indicated that they have visibility into how many SSH keys are deployed in their environment, and what those authorizations are used for Based on real world experience, most organizations only have visibility into interactive user activities* (*Based on security audits performed by SSH Communications Security)

37 Circumventing Security In my day-to-day work, I have found that many users are frustrated by new security imperatives imposed by network managers. Although users understand the need for additional security, these restrictions cause significant bottlenecks to productivity. While these users are technically literate, network services setup and firewalls are not a normal part of their knowledgebase. This article describes the setup of a simple SSH client connecting to an AIX or Linux -based SSH server that allows a typical, technically literate individual the ability to set up, configure, and operate a flexible means of tunneling data and services over the SSH service. Users will benefit from having control of their own environment and the ability to adapt to their dayto-day needs. Administrators will benefit from reduced user requests to open ports and tighter control of their secure environments as a result.

38 Case Study: Top 5 Global Bank Over 20,000 servers on their network 1.5 million Secure Shell User Keys identified 10% or 150,000 User Keys were unknown AND ALSO HAD ROOT ACCESS No ability to monitor and enforce Secure Shell w user access Failed SOX & MAS Audit

39 Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources

40 What Auditors Need to Know The need to manage and control Secure Shell Use, configurations, and identities is pervasive across PCI DSS PCI DSS focuses on intent, not specific technologies. Auditors need understand the connection between PCI intent and how Secure Shell is used in PCI environments Customers want to comply to PCI and want better security Understand the Environment Identify Areas to Investigate Gather Information

41 Ask The Right Questions Do you use Secure Shell in your Card Holder Data Environment? Are there documented policies governing the deployment and use of Secure Shell? Do you have both interactive and automated accounts with Secure Shell access? Is Secure Shell allowed into and/or out of your network? Who has access and for what purposes? Do the configurations of sshd and authorized key files align with your policies? How do you track and manage Secure Shell software and configurations? How do you authenticate Secure Shell sessions? Do you use Secure Shell User Keys? How are the keys managed? Can users add their own keys? Do you regularly scan the environment for ssh keys? Ssh configs?

42 Focus Areas Scan the user key and ssh client server environment Review the sshd_config files Review sshd software versions Review authorized key file set ups Review firewall rules for where port 22 allowed Review network drives (NFS) set ups

43 SSH Communications Security Quick Facts: Inventors of the SSH protocol Listed: NASDAQ OMX Helsinki (SSH1V) 3,000 customers including 6 of the 10 largest US banks What We Do: Secure Shell Access Controls & Key Management Privileged Access Management Data-in-Transit Encryption SSH COMMUNICATIONS SECURITY IS THE MARKET LEADER IN DEVELOPING ADVANCED SECURITY SOLUTIONS TO MEET TODAY S BUSINESS, SECURITY AND COMPLIANCE REQUIREMENTS IN ENCRYPTED NETWORKS.

44 Resources From SSH Communications Management & Governance Products & Solutions Assessment Services Remediation Services White Papers Best Practices Guides and Videos Compliance Risk Mitigation Cost Control

45 Solution Portfolio Universal SSH Key Manager Enterprise Wide Identity and Access Management for Secure Shell. Discover, Monitor, Remediate and Manage SSH Keys and configurations CryptoAuditor Monitoring, Control and Content Awareness for Encrypted Networks Tectia SSH Secure Remote Administration, File Transfer and Application Connectivity MobileID Fast and Easy Two Factor Authentication Across the Enterprise

46 Links to Resources Or go to

47 Growing Awareness of the Problem

48 Thank You Jonathan Lewis Director of Product Marketing SSH Communications Security Lewis Bolla Regional Sales Manager SSH Communications Security

The Pitfalls of Encrypted Networks in Banking Operations Compliance Success in two industry cases

The Pitfalls of Encrypted Networks in Banking Operations Compliance Success in two industry cases The Pitfalls of Encrypted Networks in Banking Operations Compliance Success in two industry cases Elba Horta Regional Sales Manager, Southern Europe SSH Communica1ons Security elba.horta@ssh.com ENABLE,

More information

PREVENTING DATA LOSS THROUGH PRIVILEGED ACCESS CHANNELS

PREVENTING DATA LOSS THROUGH PRIVILEGED ACCESS CHANNELS A SECURITY Preventing AND Data Loss COMPLIANCE Through Privileged WHITE Access Channels PAPER PREVENTING DATA LOSS THROUGH PRIVILEGED ACCESS CHANNELS 1 TABLE OF CONTENTS: Introduction...3 The Privilege

More information

Secure Shell User Keys and Access Control in PCI-DSS Compliance Environments

Secure Shell User Keys and Access Control in PCI-DSS Compliance Environments A Secure Shell Key Management White Paper Secure Shell User Keys and Access Control in PCI-DSS Compliance Environments Emerging trends impacting PCI-DSS compliance requirements in secure shell deployments

More information

DMZ Gateways: Secret Weapons for Data Security

DMZ Gateways: Secret Weapons for Data Security A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security EXECUTIVE

More information

Crypto as Global Business

Crypto as Global Business Crypto as Global Business 2014 for Mika Lauhde Vice President, Government Relations and Business Development SSH Communications Security Working with Critical Government Infrastructures Member of ENISA

More information

Security issues in M2M envinronments when dealing with encrypted communication channels (such as SSH) Raoul Chiesa President, Security Brokers

Security issues in M2M envinronments when dealing with encrypted communication channels (such as SSH) Raoul Chiesa President, Security Brokers Security issues in M2M envinronments when dealing with encrypted communication channels (such as SSH) Raoul Chiesa President, Security Brokers Agenda Introductions The rise of machine-based identities

More information

TELE 301 Network Management. Lecture 16: Remote Terminal Services

TELE 301 Network Management. Lecture 16: Remote Terminal Services TELE 301 Network Management Lecture 16: Remote Terminal Services Haibo Zhang Computer Science, University of Otago TELE301 Lecture 16: Remote Terminal Services 1 Today s Focus Remote Terminal Services

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

An Overview of the Secure Shell (SSH)

An Overview of the Secure Shell (SSH) White Paper An Overview of the Secure Shell (SSH) 4848 tramway ridge dr. ne suite 101 albuquerque, nm 87111 505-332 -5700 www.vandyke.com Overview of Secure Shell... 2 Introduction to Secure Shell... 2

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

How Reflection Software Facilitates PCI DSS Compliance

How Reflection Software Facilitates PCI DSS Compliance Reflection How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance In 2004, the major credit

More information

CloudCheck Compliance Certification Program

CloudCheck Compliance Certification Program CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or

More information

Evolution from FTP to Secure File Transfer

Evolution from FTP to Secure File Transfer IPSWITCH FILE TRANSFER WHITE PAPER Evolution from FTP to Secure File Transfer www.ipswitchft.com Do you know where your organization s confidential and sensitive files were transferred today? Are you sure

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Directory and File Transfer Services. Chapter 7

Directory and File Transfer Services. Chapter 7 Directory and File Transfer Services Chapter 7 Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP over traditional authentication systems Identify major

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

DRAFT Standard Statement Encryption

DRAFT Standard Statement Encryption DRAFT Standard Statement Encryption Title: Encryption Standard Document Number: SS-70-006 Effective Date: x/x/2010 Published by: Department of Information Systems 1. Purpose Sensitive information held

More information

Closing Wireless Loopholes for PCI Compliance and Security

Closing Wireless Loopholes for PCI Compliance and Security Closing Wireless Loopholes for PCI Compliance and Security Personal information is under attack by hackers, and credit card information is among the most valuable. While enterprises have had years to develop

More information

Overcoming PCI Compliance Challenges

Overcoming PCI Compliance Challenges Overcoming PCI Compliance Challenges Randy Rosenbaum - Security Services Exec. Alert Logic, CPISM Brian Anderson - Product Manager, Security Services, SunGard AS www.sungardas.com Goal: Understand the

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks 4 Best Practices for Building PCI DSS Compliant Networks Cardholder data is a lucrative and tempting target for cyber criminals. Recent highly publicized accounts of hackers breaching trusted retailers

More information

Network Segmentation

Network Segmentation Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience IDENTITY & ACCESS Privileged Identity Management controlling access without compromising convenience Introduction According to a recent Ponemon Institute study, mistakes made by people Privilege abuse

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications Overview of Banking Application Security and PCI DSS Compliance for Banking Applications Thought Paper www.infosys.com/finacle Universal Banking Solution Systems Integration Consulting Business Process

More information

BANKING SECURITY and COMPLIANCE

BANKING SECURITY and COMPLIANCE BANKING SECURITY and COMPLIANCE Cashing In On Banking Security and Compliance With awareness of data breaches at an all-time high, banking institutions are working hard to implement policies and solutions

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity. Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July

More information

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems Page 1 of 5 Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems In July the Payment Card Industry Security Standards Council (PCI SSC) published

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

Windows Least Privilege Management and Beyond

Windows Least Privilege Management and Beyond CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

AlienVault for Regulatory Compliance

AlienVault for Regulatory Compliance AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have

More information

IT Compliance Volume II

IT Compliance Volume II The Essentials Series IT Compliance Volume II sponsored by by Rebecca Herold Addressing Web-Based Access and Authentication Challenges by Rebecca Herold, CISSP, CISM, CISA, FLMI February 2007 Incidents

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information

CSP & PCI DSS Compliance on HP NonStop systems

CSP & PCI DSS Compliance on HP NonStop systems CSP & PCI DSS Compliance on HP NonStop systems July 23, 2014 For more information about Computer Security Products Inc., contact us at: 200 Matheson Blvd. West Suite 200 Mississauga, Ontario, Canada L5R

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

Exam Questions SY0-401

Exam Questions SY0-401 Exam Questions SY0-401 CompTIA Security+ Certification http://www.2passeasy.com/dumps/sy0-401/ 1. A company has implemented PPTP as a VPN solution. Which of the following ports would need to be opened

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

The Comprehensive Guide to PCI Security Standards Compliance

The Comprehensive Guide to PCI Security Standards Compliance The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00 PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

DiamondStream Data Security Policy Summary

DiamondStream Data Security Policy Summary DiamondStream Data Security Policy Summary Overview This document describes DiamondStream s standard security policy for accessing and interacting with proprietary and third-party client data. This covers

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT

ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT IS THIS ebook RIGHT FOR ME? Not sure if this is the right ebook for you? Check the following qualifications to make

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices The Payment Card Industry (PCI) Data Security Standard (DSS) provides an actionable framework for developing a robust payment card data security process. The Payment Application Data Security Standard

More information

Enforcing PCI Data Security Standard Compliance

Enforcing PCI Data Security Standard Compliance Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The

More information

Securing Ship-to-Shore Data Flow

Securing Ship-to-Shore Data Flow Securing Ship-to-Shore Data Flow Background on Common File Transfer Methods Today corporations, government entities, and other organizations rely on Electronic File Transfers as an important part of their

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

Network Security Administrator

Network Security Administrator Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

More information

Database Security & Auditing

Database Security & Auditing Database Security & Auditing Jeff Paddock Manager, Enterprise Solutions September 17, 2009 1 Verizon 2009 Data Breach Investigations Report: 285 million records were compromised in 2008 2 Agenda The Threat

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Western Australian Auditor General s Report. Information Systems Audit Report

Western Australian Auditor General s Report. Information Systems Audit Report Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0 WHITE PAPER Automating Cloud Security Control and Compliance Enforcement for 3.0 How Enables Security and Compliance with the PCI Data Security Standard in a Private Cloud EXECUTIVE SUMMARY All merchants,

More information

Critical Security Controls

Critical Security Controls Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

Take Control of Identities & Data Loss. Vipul Kumra

Take Control of Identities & Data Loss. Vipul Kumra Take Control of Identities & Data Loss Vipul Kumra Security Risks - Results Whom you should fear the most when it comes to securing your environment? 4. 3. 2. 1. Hackers / script kiddies Insiders Ex-employees

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of

More information

Network/Cyber Security

Network/Cyber Security Network/Cyber Security SCAMPS Annual Meeting 2015 Joe Howland,VC3 Source: http://www.information-age.com/technology/security/123458891/how-7-year-old-girl-hacked-public-wi-fi-network-10-minutes Security

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage CERT Insider Threat Center April 2011 NOTICE: THIS TECHNICAL DATA IS PROVIDED PURSUANT TO GOVERNMENT CONTRACT

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

CorreLog Alignment to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

PCI Compliance 3.1. About Us

PCI Compliance 3.1. About Us PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance

More information

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566

More information

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM PCI Compliance PCI DSS v3.1 Dan Lobb CRISC Lisa Gable CISM Dan Lobb, CRISC o Introduction Dan has an MIS degree from the University of Central Florida. He began his career at Accenture and for the past

More information

How To Protect Your Data From Being Stolen

How To Protect Your Data From Being Stolen DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS

More information

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments

More information

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015. Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines

More information

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

PowerBroker for Windows

PowerBroker for Windows PowerBroker for Windows Desktop and Server Use Cases February 2014 1 Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 5 Sample Regulatory Requirements...

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information