Look Ma No Hands: Automating Security the RightScale way
Patrick McClory, Solutions Architect, RightScale
Slide 2: Biggest real risks to data in the cloud?

The same things as when your data were not in the cloud:
- Poor application security, leading to injection
- Poor system configuration, leading to system compromise
- Poor application configuration, leading to application compromise
- Poor user habits, leading to compromised credentials that are then used to access data
(Source: 2012 Verizon Data Breach Report)
Slide 3: Industry Group Breakdown (chart from the 2012 Verizon Data Breach Report)

Slide 4: Reasons for Malicious Activity (chart from the 2012 Verizon Data Breach Report)

Slide 5: Top 10 Threats (chart from the 2012 Verizon Data Breach Report)
Slide 6: (quoted from the Verizon Data Breach Report)

"Creating a list of solid recommendations gets progressively more difficult every year we publish this report. Think about it; our findings shift and evolve over time but rarely are they completely new or unexpected. Why would it be any different for recommendations based on those findings? Sure, we could wing it and prattle off a lengthy list of to-dos to meet a quota, but we figure you can get that elsewhere."
Slide 7: (chart from the 2012 Verizon Data Breach Report)
Slide 8: Common data exposure vectors in the cloud

Data is typically exposed in one of three states:
- In transit
- At rest
- In process
Slide 9: We must protect data in transit

Why?
- You do not want the bad guys to see or modify your data
- You can't guarantee the path your data will take (figure: map of Internet traffic)
- You may have regulatory or contractual requirements to do so

Risks:
- Sniffing along the path
- Modification of existing data
- Injection of new data

Common solutions:
- Application transport encryption (SSL/TLS; in practice TLS, since SSL is deprecated)
- VPN (SSL/TLS, IPsec, PPTP, L2TP; note that PPTP's MS-CHAPv2 authentication is known to be breakable, so prefer IPsec or a TLS-based VPN)
- Application-level data encryption (custom)
Slide 10: We must protect data at rest

Why? Same as before: you do not want unauthorized
- Disclosure
- Modification
- Injection

Risks:
- Intrusion into the instance/guest exposes data on its filesystem
- Cloud provider access to block and ephemeral storage (e.g., EBS volumes, instance disks)
- Cloud provider access to object storage (e.g., S3, Swift, CloudFiles)

Common solutions:
- Protection offered by the running operating system (access control lists)
- Encryption (and key management: a key stored beside the data it protects gives you nothing against whoever already has the instance)
- SLA and policies/processes of the cloud provider
Slide 11: We must protect data in process

Why? Same as before: you do not want unauthorized disclosure, modification or injection.

Risks:
- Data is in the clear in the memory of the instance
- Privileged users on the system can read memory
- The hypervisor has access to instance memory

Common solutions:
- Protect the system that is processing the data
- Protect the hypervisor running the instance
- Limit administrative users
Slide 12: Philosophy and musings

- Let's take "cloud" out of it for a moment
- Just Good Enough Security: figure out what "secure" is for you
- "Best practice" is a red herring; "standard practice" is something to consider
Slide 13: (chart from the 2012 Verizon Data Breach Report)
Slide 14: What is security automation?

"When I use a word, it means just what I choose it to mean, neither more nor less." (Humpty Dumpty)

So for our purposes today, automating security is about:
- Building instances that meet your definition of security
- Identifying vulnerabilities on running instances
- Patching those vulnerabilities
Slide 15: Some compliance references

Baseline requirements:
- HIPAA: 45 CFR (a)(4)*
- ISO 27001: A , A
- PCI: 6.4
- NIST SP 800-53: CM-2, SA-2, SA-4

Vulnerability and patch management:
- HIPAA: 45 CFR (a)(1)(i)(ii)(a) & (B), (5)(i)(ii)(B)
- ISO 27001: A , A , A
- PCI: 2.2, 6.1, 6.2, 6.3.2, 6.4.5, 6.5.x, 6.6, 11.2
- NIST SP 800-53: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5
Slide 16: Building instances that are secure

Starts with application design: you need to know what the systems will do, so you can build them accordingly. Think about:
- What are the requirements for data in transit?
- What are the requirements for data at rest?
- What are the requirements for data in process?
- What services will be exposed to untrusted parties?
- What services will be exposed to trusted parties?
- What services are only used internally?
Slide 17: More on how design affects OpSec

Requirements for data in transit:
- How do you handle the key material for SSL/TLS or data encryption? Store it on the filesystem, or only in memory?

Requirements for data at rest:
- Do you need at-rest protection at runtime, or only offline?
- If the data is in a database, will/can you use the database's own security features, or do you have to do it in the application?
- If at the application layer, how do you manage keys?

Requirements for data in process:
- Do you have to protect the data in memory/in process? This requires some heavy lifting and technology choices
Slide 18: More on how design affects OpSec (cont'd)

- Services exposed to untrusted parties will require diligence in patching and vulnerability management
- Services exposed to trusted parties: likely less aggressive vulnerability management; monitoring: trust, but verify?
- Services only used internally: in reality will require less diligence (keeping in mind that once an attacker has a foothold on one instance, "internal" is the network they are scanning from)
Slide 19: What you should have out of design

- Which services/applications will run on which instances
- OS types
- Applications to be used
- Network and application flows: ports, protocols and directions
- Roles that are required
Slide 20: Where RightScale shines

RightScale can be used to ensure that poor system and application configurations are not what cause you to lose your data. Use RightScale to:
- Require data to be transmitted securely
- Require data to be stored securely
- Ensure systems are appropriately patched and configured to minimize exposure

The core technologies are:
- RightImages
- ServerTemplates
- RightScripts
- Repos and mirrors

Security motto: build it secure, keep it secure!
Slide 21: Hierarchy of assets

ServerTemplate (e.g., Application Server for IIS, Database Manager for MySQL)
- RightScripts and operational assets belong to this object
- Contains one or many MultiCloud Images

MultiCloud Image (e.g., Windows 2008 R2 with IIS 7.5, CentOS 6)
- Encapsulates many machine images of like configuration
- Provides a consistent experience across multiple cloud vendors
- Contains one or many images/machine images

Image (e.g., Amazon AMI, Azure VHD)
- Lowest level of object; represents one machine configuration in one cloud
- Occasionally, cloud-specific idiosyncrasies are managed at this level
Slide 22: Build it secure

What:
- Use trusted images
- Known configurations
- Script the install and configuration
- Trusted repository

How:
- Start with MultiCloud Images
- Build with ServerTemplates
- Modify with RightScripts
- Build from frozen repos
Slide 23: Step 1: Standard images

- RightImages are the only ones we can vouch for
- Amazon has tons of available images, but we can't vouch for them
- Any RightScale publisher would be a good choice
- An ISV-based image is likely OK, but we typically do not vet them
- Work with professional services for specific cases/needs
- In reality, you should start with ServerTemplates (next), as they will have selected vetted images already
Slide 24: Step 2: ServerTemplates

- Dynamic configuration
- Abstract role and behavior from cloud infrastructure
- Predictable deployment
- Cloud agnostic / portable
- "Object-oriented programming for sysadmins"
Slide 25: Step 2: ServerTemplates (cont'd)

(figure: two approaches side by side)

Configuring servers through bundling images: every variant becomes its own full image, e.g. Custom MySQL (CentOS 5.2), Custom MySQL (CentOS 5.4), MySQL (CentOS 5.4), MySQL (Ubuntu 8.10), MySQL (Ubuntu 8.10) 64bit, Frontend Apache 1.3 (Ubuntu 8.10), Frontend Apache 2.0 (Ubuntu 9.10) - patched, CMS v1.0 (CentOS 5.4), CMS v1.1 (CentOS 5.4), My ASP appserver (Windows 2008), My ASP.net (Windows 2008) security update 1, My ASP.net (Windows 2008) security update 8, SharePoint v4 (Windows 2003) 32bit, SharePoint v4 (Windows 2003) 64bit, SharePoint v4.5 (Windows 2003) 64bit.

Configuring servers with ServerTemplates: very few, basic base images (MultiCloudImages such as CentOS 5.2, CentOS 5.4, Ubuntu 8.10, Ubuntu 9.10, Win 2003, Win 2007) plus a set of configuration directives that install and configure the software on top of the base image as a boot sequence, e.g.:
- Set up DNS and IPs
- Restore the last backup
- Configure software
- Install MySQL server
- Install monitoring
Slide 26: ServerTemplates vs. bundled images

An integrated approach that puts together all the parts needed to architect single- and multi-server deployments.
Slide 27: Step 2.x: RightScripts

- A RightScript is a mechanism to configure instances at boot time and to run additional scripts during the lifetime of an instance
- A RightScript is an executable piece of code that can be run on a server
- A RightScript consists of:
  - A script (typically written in Bash, Ruby, Perl or PowerShell, and now Chef recipes)
  - A set of attachments that are downloaded from a storage location (e.g., S3)
  - A set of packages that are installed using the system's package manager
  - A set of input parameters that must be passed into the script
- (diagram: ServerTemplates carry scripts or recipes; on the instance they are found under /var/cache/rightscale/)
Slide 28: Important tangent: logging and auditing

- Use ServerTemplates and RightScripts to integrate your logs into your enterprise SIEM
- Or look to ISVs or a third-party SaaS SEM aggregator
- Not for the faint of heart!
Slide 29: Step 3: Identifying vulnerabilities

Out of scope of the RightScale core platform; you can roll your own or use ISVs to help with this.

Activities:
- Port and service scans: validate that the implementation meets the design. Nmap, or typically included in vulnerability scans
- Vulnerability scans. SaaS services: CloudPassage*, SAINT, Rapid7, Qualys, Nessus. Build your own: SAINT, Rapid7, Qualys, Nessus, OpenVAS
- Application testing. SaaS services are a good start: WhiteHat, Veracode, HP. Manual testing is a must*: WhiteHat, SystemExperts, Matasano, Aspect

* Breaks the "automating" part of the talk
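Automating the "validate implementation meets design" check from this slide, as an added example that is not part of the original talk: a small POSIX shell script that reads nmap's grepable output and diffs it against the port/protocol list that design produced (slide 19), so an unexpected listener fails the job instead of waiting for a human to read the scan. The scan output, the design allowlist format and the "frontend" role name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the talk: check a port scan against the design's
# port/protocol list so "validate implementation meets design" can run unattended.
# Reads nmap grepable output (nmap -oG -); the sample below is constructed.

# Constructed sample of `nmap -oG - -sS -sU web01` for a front-end web server.
# Real output separates fields with tabs; spaces are used here so the sample survives copy/paste.
SCAN_OUTPUT='# Nmap scan initiated (constructed sample)
Host: 10.0.1.15 (web01) Status: Up
Host: 10.0.1.15 (web01) Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 123/open|filtered/udp//ntp/// Ignored State: closed (1995)
# Nmap done'

# What design said a "frontend" role may listen on: one port/proto per line (assumed format).
DESIGN_FRONTEND='22/tcp
80/tcp
443/tcp'

# open_ports: read grepable output on stdin, print each definitely-open "port/proto".
# "open|filtered" (UDP guesswork) and closed ports are ignored.
open_ports() {
    sed -n 's/^Host: .*Ports: //p' \
        | tr ',' '\n' \
        | sed 's/^ *//' \
        | awk -F/ '$2 == "open" { print $1 "/" $3 }' \
        | LC_ALL=C sort -u
}

# unexpected_ports <allowlist>: open ports the design did not call for (scan on stdin).
unexpected_ports() {
    allow=$(printf '%s\n' "$1" | LC_ALL=C sort -u)
    open_ports | while IFS= read -r p; do
        printf '%s\n' "$allow" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# missing_ports <allowlist>: ports the design requires that were not seen open (scan on stdin).
# A missing port usually means the service is down, which monitoring should also catch.
missing_ports() {
    found=$(open_ports)
    printf '%s\n' "$1" | LC_ALL=C sort -u | while IFS= read -r p; do
        printf '%s\n' "$found" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# check_host: gate for a post-boot RightScript-style job; non-zero if anything extra listens.
check_host() {
    extra=$(printf '%s\n' "$SCAN_OUTPUT" | unexpected_ports "$DESIGN_FRONTEND")
    if [ -n "$extra" ]; then
        printf 'FAIL: listeners not in design: %s\n' "$(printf '%s' "$extra" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "OK: open ports match design"
}

# With the constructed scan the gate fails: MySQL is listening on a front end.
check_host || echo "check_host returned $? (the MySQL listener on a front end is the finding)"
```

On a real instance the scan would be piped in live (`nmap -oG - -sS target | unexpected_ports "$DESIGN_FRONTEND"`) and the allowlist would come from the design record for the server's role; the functions only know port/protocol, so direction (the third item on slide 19) still has to be checked against the firewall rules separately.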
Slide 30: Step 4: Patching

What:
- Update the operating system
- Update the applications
- Validate the configuration

How:
- You can use the same mechanism as in your enterprise, or
- Use operational RightScripts to do it for you, or
- Use a partner ISV that specializes in that service
Slide 31: Patching

Input from vulnerability management should drive this. Apply the security updates:
- Option 1: Apply to staging systems and run all your regression tests, then roll out
- Option 2: Apply directly to production systems after a cooling-off period
- Option 3: Apply to a canary production system, wait 24 hours, then apply en masse
- Option 4: Apply directly to production systems as soon as they are released

A couple of points:
- Security patches are typically well tested before release. This applies well to Ubuntu, Windows and RHEL; not so well to CentOS
- Upgrading the kernel is a bit touchier; pvgrub is your friend (it lets the guest boot the kernel on its own filesystem, so the patched kernel actually takes effect on reboot)
Slide 32: Ubuntu security patching

Ubuntu supports a security-specific repo. Use RightScripts attached to ServerTemplates that point the security repo at "latest".

Change the repo to point to latest:
    sed -i "s%ubuntu_daily/.* $(lsb_release -cs)-security%ubuntu_daily/latest $(lsb_release -cs)-security%" /etc/apt/sources.list.d/rightscale.sources.list

Update the package list:
    apt-get update

Apply the updates. Pin what you don't want to upgrade in /etc/apt/preferences.d/00rightscale, then upgrade what you do:
    apt-get upgrade

You need to decide if you want global updates or specific packages.
Slide 33: CentOS security patching

CentOS does not have a security-specific repo. Our CentOS /major repo now mirrors the current /5.x (i.e. latest) repo on that day.

Update the repo files in /etc/yum.repos.d to point at the /major version:
    # Change /major.minor format repo URLs to /major format
    sed -ri 's%centos/5\.[0-9]%centos/5%' /etc/yum.repos.d/centos-*.repo
    # Point the archive at latest ...
    sed -ri 's%archive/[0-9]*%archive/latest%' /etc/yum.repos.d/centos-*.repo
    # ... or at a frozen date (the date is yours to supply; the FROZEN_DATE variable name is assumed)
    sed -ri "s%archive/([0-9]*|latest)%archive/${FROZEN_DATE}%g" /etc/yum.repos.d/centos-*.repo

Check what would change:
    yum check-update | grep updates

Apply the updates (to specific packages):
    yum update <package> [<package> ...]
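The repo rewrites on the Ubuntu and CentOS slides above, as one added example that is not from the talk: POSIX shell functions that do the rewriting against constructed copies of the repo files, so the logic can be tested offline before it is attached to a ServerTemplate, plus the pin-file and live-update steps around it. The mirror host, the file contents, the snapshot parameter and the FROZEN_DATE variable are assumptions; the file paths and the URL layout (ubuntu_daily/<date> <codename>-security, centos/5.x/.../archive/<date>) follow the slides.

```shell
#!/bin/sh
# Added example, not from the talk: the repo-rewriting step of a patching RightScript for
# both slides (Ubuntu security suite -> latest; CentOS /major.minor -> /major and archive
# date), run against constructed copies of the repo files so it can be exercised offline.
# Mirror host, file contents and the FROZEN_DATE/snapshot parameter are assumptions.

WORK=${WORK:-$(mktemp -d)}

# Constructed stand-in for /etc/apt/sources.list.d/rightscale.sources.list on an Ubuntu
# "precise" image frozen at a daily snapshot.
setup_apt_fixture() {
    mkdir -p "$WORK/apt/sources.list.d" "$WORK/apt/preferences.d"
    cat > "$WORK/apt/sources.list.d/rightscale.sources.list" <<'EOF'
deb http://mirror.example.com/ubuntu_daily/20120301 precise main restricted universe multiverse
deb http://mirror.example.com/ubuntu_daily/20120301 precise-updates main restricted universe multiverse
deb http://mirror.example.com/ubuntu_daily/20120301 precise-security main restricted universe multiverse
EOF
}

# point_security_repo_at_latest <codename> <sources-file>
# Only the <codename>-security suite moves to the rolling "latest" snapshot; main and
# -updates stay frozen, so a patch run pulls security fixes and nothing else. Idempotent.
point_security_repo_at_latest() {
    codename=$1; file=$2
    sed -i "s%ubuntu_daily/[0-9a-z]* ${codename}-security%ubuntu_daily/latest ${codename}-security%" "$file"
}

# pin_package <name> <preferences-file>: keep apt-get upgrade from touching <name>
# (a negative pin priority forbids installing any other version of the package).
pin_package() {
    printf 'Package: %s\nPin: release *\nPin-Priority: -1\n\n' "$1" >> "$2"
}

# Constructed stand-in for /etc/yum.repos.d/centos-base.repo on a CentOS 5.6 image.
setup_yum_fixture() {
    mkdir -p "$WORK/yum.repos.d"
    cat > "$WORK/yum.repos.d/centos-base.repo" <<'EOF'
[base]
name=CentOS-5.6 - Base
baseurl=http://mirror.example.com/centos/5.6/os/x86_64/archive/20120301/
gpgcheck=1
EOF
}

# point_yum_repos <repo-dir> [snapshot]: rewrite /5.x to /5 and the archive date to
# "latest" (default) or to a frozen YYYYMMDD snapshot; idempotent, so it can run every boot.
point_yum_repos() {
    dir=$1; snapshot=${2:-latest}
    for f in "$dir"/centos-*.repo; do
        sed -E -i 's%centos/5\.[0-9]+%centos/5%' "$f"
        sed -E -i "s%archive/([0-9]+|latest)%archive/${snapshot}%g" "$f"
    done
}

# Helpers used to inspect the result.
security_suite_url() { awk '$3 ~ /-security$/ { print $2 }' "$1"; }
frozen_suite_url()   { awk '$3 == "precise" { print $2 }' "$1"; }
baseurl_of()         { sed -n 's/^baseurl=//p' "$1"; }

# The live steps, to be run as root on a real instance (not exercised offline).
apply_ubuntu_security_updates() {
    point_security_repo_at_latest "$(lsb_release -cs)" /etc/apt/sources.list.d/rightscale.sources.list
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get -y upgrade   # honours the pins in preferences.d
}
apply_centos_updates() {
    point_yum_repos /etc/yum.repos.d "${FROZEN_DATE:-latest}"
    yum check-update | grep updates                      # review first ...
    [ $# -gt 0 ] && yum -y update "$@"                   # ... then update only the named packages
}
```

Running the fixture functions and then the rewrite functions against `$WORK` shows what the sed expressions actually do to each line before they are trusted with the real files; the same functions are then called with the real paths from the `apply_*` wrappers on the instance.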
Slide 34: Security ISVs to consider (alphabetical)

- Centrify: account controls, integration with Active Directory
- CloudPassage: vulnerability management, security event monitoring, firewall management
- Trend Micro: secure data at rest
Slide 35: Recap

- Design it properly
- Build it to spec with RightImages, ServerTemplates and RightScripts
- Validate configurations and identify vulnerabilities with tools
- Monitor with appropriate tools
- Patch systems
- ISVs are your friend!
Slide 36: Crystal ball

Things that will help in the automation category:
- NIST Security Content Automation Protocol (SCAP), which bundles:
  - Common Configuration Enumeration (CCE)
  - Common Platform Enumeration (CPE)
  - Common Vulnerabilities and Exposures (CVE)
  - Common Vulnerability Scoring System (CVSS)
  - Open Vulnerability and Assessment Language (OVAL)
  - Extensible Configuration Checklist Description Format (XCCDF)
- CloudAudit (Cloud Security Alliance): policy and attestation
Slide 37: My info

- patrick@rightscale.com
- Skype: patrick.mcclory.rs
- Twitter: patrickatrs
- LinkedIn: Patrick McClory
Slide 38: Questions? Comments?
More informationCreated By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee
Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server
More informationASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT
INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA AND PACIFIC OFFICE ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT DRAFT Second Edition June 2010 3.4H - 1 TABLE OF CONTENTS 1.
More informationREDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance
REDSEAL NETWORKS SOLUTION BRIEF Proactive Network Intelligence Solutions For PCI DSS Compliance Overview PCI DSS has become a global requirement for all entities handling cardholder data. A company processing,
More informationHow To Test For Security On A Network Without Being Hacked
A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few
More informationTHE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS
THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two
More informationwithout the fixed perimeters of legacy security.
TECHNICAL BRIEF The Halo cloud security platform was purpose-built to provide your organization with the critical protection, visibility and control needed to assure cloud security without the fixed perimeters
More informationSecurity Issues in Cloud Computing
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
More informationAWS Security. Security is Job Zero! CJ Moses Deputy Chief Information Security Officer. AWS Gov Cloud Summit II
AWS Security CJ Moses Deputy Chief Information Security Officer Security is Job Zero! Overview Security Resources Certifications Physical Security Network security Geo-diversity and Fault Tolerance GovCloud
More informationNETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015
NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X
More informationInformation Security Office
Information Security Office SAMPLE Risk Assessment and Compliance Report Restricted Information (RI). Submitted to: SAMPLE CISO CIO CTO Submitted: SAMPLE DATE Prepared by: SAMPLE Appendices attached: Appendix
More informationWEB APPLICATION VULNERABILITY STATISTICS (2013)
WEB APPLICATION VULNERABILITY STATISTICS (2013) Page 1 CONTENTS Contents 2 1. Introduction 3 2. Research Methodology 4 3. Summary 5 4. Participant Portrait 6 5. Vulnerability Statistics 7 5.1. The most
More informationCloud and Data Center Security
solution brief Trend Micro Cloud and Data Center Security Secure virtual, cloud, physical, and hybrid environments easily and effectively introduction As you take advantage of the operational and economic
More informationSCAP for VoIP Automating Configuration Compliance. 6 th Annual IT Security Automation Conference
SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference Presentation Overview 1. The Business Challenge 2. Securing Voice over IP Networks 3. The ISA VoIP Security
More informationMcAfee Public Cloud Server Security Suite
Installation Guide McAfee Public Cloud Server Security Suite For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766,
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationHigh-Availability in the Cloud Architectural Best Practices
1 High-Availability in the Cloud Architectural Best Practices Josh Fraser, VP Business Development, RightScale Brian Adler, Sr. Professional Services Architect 2 # RightScale World s #1 cloud management
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationManaging Cloud Computing Risk
Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationXerox Mobile Print Cloud
September 2012 702P00860 Xerox Mobile Print Cloud Information Assurance Disclosure 2012 Xerox Corporation. All rights reserved. Xerox and Xerox and Design are trademarks of Xerox Corporation in the United
More informationCloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs
Cloud Computing In a Post Snowden World Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs Guy Wiggins Director of Practice Management Kelley Drye & Warren
More informationFrom Rivals to BFF: WAF & VA Unite OWASP 07.23.2009. The OWASP Foundation http://www.owasp.org
From Rivals to BFF: WAF & VA Unite 07.23.2009 Brian Contos, Chief Security Strategist Imperva Inc. brian.contos@imperva.com +1 (650) 832.6054 Copyright The Foundation Permission is granted to copy, distribute
More informationPierianDx - Clinical Genomicist Workstation Software as a Service FAQ s
PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s Network Security Please describe the preferred connection method(s) between the PierianDx network and a healthcare organization s
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More information