NERC CIP Ports & Services. Part 2: Complying With NERC CIP Documentation Requirements
NERC CIP Ports & Services
Part 2: Complying With NERC CIP Documentation Requirements
White Paper
FoxGuard Solutions, Inc.
November 2014
Defining Ports And Services

In part 2 of our Ports and Services white paper we discuss the NERC CIP definition of the term "ports and services" and how to comply with NERC CIP documentation requirements. For a review of what ports and services are, refer to the NERC CIP Ports and Services White Paper Part 1: The Apartment Building Analogy.

What Ports And Services Means To NERC CIP

Forget what you may already know about ports and services. What we are interested in is the definition of the term as it applies to NERC CIP compliance, and more specifically how the term is used for audit. The term "ports and services" is subtly different in common IT usage than in the OT environment. A clear understanding of these differences, in accordance with NERC CIP, will make the process of being compliant much easier.

The Guidelines and Technical Basis from NERC CIP-007-5 clears away a lot of possible confusion. The Guideline states that the SDT "intends for the entity to know what network accessible ports and associated services are accessible on their assets." [1] This NERC CIP clarification limits the ports in scope to listening ports and their respective services. Other ports in use can vary wildly, and while their use may have some bearing on security, their operation is better covered by an Intrusion Detection System (IDS) and is not within the spirit of this particular requirement.

The Importance Of Listening Ports

One of the difficulties in addressing ports and services requirements arises when common, less specific IT definitions are applied, which causes confusion. These IT-style definitions dilute the effectiveness of the requirement by diverting resources to documenting and managing network connections that do not have anywhere near the cost/benefit ratio of listening ports and their associated services.

The term "listening" is very specific and can be used to identify which ports the NERC CIP requirement refers to. The requirement states that the entity should know whether the ports "are needed for that Cyber Asset's function" and disable or restrict access to all other ports. [2]

[1] As of the time of writing this document is available here. %20System%20Security%20Management&jurisdiction=null
[2] See NERC CIP under Guidelines and Technical Basis, Requirement R1 (page 51).
While there is much debate about security versus compliance, this compliance requirement, while not all-encompassing by any means, is a relatively affordable and effective security measure. Services that cannot be executed provide little opportunity for exploit. It doesn't address exploitation of the services you actually use, and it isn't effective if the computer system is already compromised, but it can be very effective in preventing a compromise.

The NERC CIP R1.1 requirement is about attack surface area, as stated in the Guidelines and Technical Basis section. It does not verify that the service running on a port hasn't been modified (there is no file hash check requirement), but that is not the purpose of this requirement. It's not about forensics of compromised computers.

Other Connection Types

Established connections are very different from listening ports. They do not play a role in initial attack surface area and should be removed when creating ports and services documentation. While documentation for established connections is not required, if producing such documentation becomes necessary, it already exists: it should be available either for the listening port on the local computer or for the listening port on the other end of the connection. That is, the listening machine should have the documentation describing the reason that a listening port was available to establish the connection. The same reasoning applies to other states such as CLOSE_WAIT and TIME_WAIT. This requirement does not apply to any non-listening TCP ports. Otherwise, you would have to document every possible listening port on every device in the plant associated with every ephemeral port on the current device. Even if this were possible in practice, it is not useful when discussing attack surface area.

As we have seen, the requirement clearly isn't about forensics of compromised computers, as there is no mention of verifying that the associated services haven't had their executables modified.

Only Done Once

The core security value of this NERC CIP requirement, shutting down any unnecessary ports, only needs to be realized once. [3] At this point, hopefully many of your devices already have this done by the vendor before they arrive at your site. Any remaining ports and associated services needed for operation must be documented.

[3] NERC CIP R1.1
So what is left to do? Monitoring devices, to make sure ports aren't added any time a relevant change is made to the system. That is the only time it should be necessary to document additional listening ports and services. The checks and verification may happen more frequently, [4] but the actual documentation of the port and service reasoning is only done once, at the beginning or when a service is added.

Listening Later

Services that are not currently listening but may be listening at other times must also be documented. Any service expected to run at any time on a computer must be documented. This means that using a scan of a running computer to develop a documentation baseline can lead to problems and inaccurate reporting. For example, a port that listens only on Wednesdays (say, during backup) would not be included in ports and services documentation built from the listening ports captured on a Monday. In that case, your NERC CIP ports and services audit may show this port open but undocumented, resulting in a compliance issue. The more likely reason that a new listening port appears is that you installed additional software on the computer in question. Installing antivirus software, for instance, may create additional listening ports and associated services, requiring additional ports and services documentation.

Documenting RPC Ports And Services

Remote Procedure Call (RPC) ports can change each time a computer is rebooted. This requires a little careful documentation and is another reason why a scan of a running machine can be misleading. While RPC port numbers can change whenever the computer reboots, they will only appear in the RPC range. You can use the following commands to find out which ports are in the RPC range:

    netsh int ipv4 show dynamicport tcp
    netsh int ipv4 show dynamicport udp

(Be aware that for this paper we are not addressing IPv6 specifically, though the techniques are very similar.) When you document RPC ports and services, instead of documenting the actual port number, document that it is an RPC service and the range of ports where it may appear. You would collect this information from the netsh commands issued on a command line.

[4] NERC CIP R2.1: Monitor at least once every 35 calendar days; document and investigate detected unauthorized changes.

How To Be Compliant

Now that we understand the NERC CIP definition of ports and services, the compliance process is simpler. Begin by asking your vendors for ports and services documentation. Scanning a machine should not reveal any additional ports; fewer ports are generally not an issue, assuming that the service is only active intermittently. You do not want to document ports that are never actually used on the system. A summary of Microsoft Windows ports and services can be found on Microsoft's website. Your computer will likely have several other ports and services from additional vendors' software. The goal is to document and verify listening ports and their associated services, and to document their required function or disable/restrict access to them. The process must then be repeated for UDP ports.

The Windows 7 Approach

Let's look at the ports that happen to be open at the moment, remembering that the final documentation must include any port that could be open at any time.

    netstat -oan

Depending on the function of the computer, there may be between 50 and 500 line items or more, most of which are not relevant to us. Use the following command to find only TCP listening ports (the output of netstat is piped into find, which requires the search string in quotes):

    netstat -oan | find "LISTEN"

Once you have run the command above, let's take a moment to interpret the column data. To save you a lot of unnecessary hardship, begin by reviewing the fourth column of the netstat output first. The fourth column (State) is what distinguishes listening ports from connections to other computers. As we are not interested in the non-listening ports, remove everything that does not have LISTENING in this column. Anything else is not a listening TCP port.

Next, divide the second column (Local Address) into two sections: those that begin with the local loopback address and those that begin with anything else. Throw away any port numbers that begin with the loopback address. Ports bound to the loopback address accept connections only from the local machine itself. The only way these ports could be used to attack the machine is if the machine is already compromised. If you would like to be more conservative with the compliance process, keep these ports and document them as well. There should only be a small number of them.

Let's assume that you are not using IPv6 on your network. If ipconfig does not show any IPv6 address, they should be unreachable. To completely disable IPv6, follow the Microsoft Knowledge Base article. Unfortunately, some IPv6 items will still appear in the netstat reports even after IPv6 has been disabled.

Like the fourth column, the third column should also be ignored. The third column is the Foreign Address, and for listening ports it is most likely all :0. The fifth column is where you find the Process Identification Number (PID). These are the "services" of the NERC CIP ports and services requirement.

Services

You will also need to identify the service associated with the port for your NERC CIP documentation. To find the associated service in Windows 7, use the following command:

    netstat -boan

The output from this command is very similar to that of netstat -oan, except that after every listening port, on lines by themselves, the service name and associated executable may be listed. Once you have completed this process, you must go back and perform the same steps for all UDP ports, as there is no concept of listening for UDP connections. The term "listening" is specific to TCP-style connections.

Difficulties

There are some difficulties in mapping services to ports for compliance documentation. In particular, netstat -boan will return "Cannot obtain ownership information" instead of the service and process name in some instances. This commonly happens for PID 4, SYSTEM. Use the following command to look up additional information about a particular PID (in this example PID 4):

    tasklist /FI "PID eq 4"

In some cases the same process (executable) is used to provide different services, for example inetinfo.exe on Windows XP, and the service associated with the port isn't listed in the netstat -boan report. In those cases the tasklist command can provide additional information about which services that process provides, so that you can document the operational purpose for having the port open:

    tasklist /SVC

This command lists all of the services associated with each process so that you can select the appropriate match. The difficulty here is that netstat provides all the listening ports and process PIDs, and tasklist provides the list of services that a process provides, but there is no direct mapping between which service is provided on which port (for processes/PIDs/executables that provide multiple services). Vendor documentation and configuration information for the particular software in question may be necessary to resolve this.

For computers that have multiple IP interfaces (physical or logical), take care to document on which interface the port and associated service should appear. It is not uncommon for different services to be provided on different interfaces.

Operational Purpose

Now that you have a list of ports and their associated services, you must define the operational purpose for having each port and service listening. This is the reason the port and service is used at your location. For example, if you have documented that inetinfo.exe has an HTTP (web) server open on port 80 on the first Ethernet interface of your computer, the operational purpose might be "The data historian function of this computer is operated using this HTTP (web) interface." This is why you must identify the service associated with the port number: the port number alone does not provide sufficient information to document your operational purpose.
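The netstat and netsh steps above can be turned into a repeatable inventory that is diffed against the documentation baseline on each periodic check. The following Python script is an added example, not code from the FoxGuard paper: it parses constructed netstat -oan and netsh dynamicport output, keeps TCP LISTENING sockets and all bound UDP sockets, drops loopback-only ports, folds RPC-range ports into a single range entry as the paper recommends, and reports any listener missing from a hypothetical BASELINE (the sample output, PIDs and documented purposes are all assumptions).

```python
"""Build a listening-port inventory from Windows netstat/netsh output and
compare it with the ports-and-services documentation baseline.

The sample output below is constructed, not captured from a real host, and
the BASELINE purposes are hypothetical placeholders for an entity's own
documentation.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of `netstat -oan` output (columns: Proto, Local Address,
# Foreign Address, State, PID; UDP lines carry no State column).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       2204
  TCP    10.1.2.3:49201         10.1.2.50:445          ESTABLISHED     4
  TCP    10.1.2.3:49222         10.1.2.9:80            TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       764
  TCP    [::1]:53               [::]:0                 LISTENING       1400
  UDP    0.0.0.0:123            *:*                                    1016
  UDP    127.0.0.1:1900         *:*                                    3020
"""

# Constructed excerpt of `netsh int ipv4 show dynamicport tcp` output.
NETSH_SAMPLE = """
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
"""

# Hypothetical baseline: (protocol, port or RPC range) -> documented purpose.
BASELINE = {
    ("TCP", "80"): "Data historian web interface (inetinfo.exe), first Ethernet interface",
    ("TCP", "135"): "RPC endpoint mapper",
    ("TCP", "RPC 49152-65535"): "RPC services; documented by range, port changes per reboot",
    ("UDP", "123"): "NTP time synchronisation",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


def rpc_range(netsh_output):
    """Return (first, last) port of the dynamic range reported by netsh."""
    start = int(re.search(r"Start Port\s*:\s*(\d+)", netsh_output).group(1))
    count = int(re.search(r"Number of Ports\s*:\s*(\d+)", netsh_output).group(1))
    return start, start + count - 1


def is_loopback(addr):
    """Loopback-bound ports are reachable only from the machine itself."""
    return addr.startswith("127.") or addr == "[::1]"


def parse_listeners(netstat_output, keep_loopback=False):
    """Keep TCP sockets in LISTENING state and every bound UDP socket (UDP has
    no state); drop ESTABLISHED/TIME_WAIT/etc. and, by default, loopback ports."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # blank lines and the column header
        proto, local, pid = fields[0], fields[1], int(fields[-1])
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        addr, port = local.rsplit(":", 1)  # works for IPv4 and bracketed IPv6
        if is_loopback(addr) and not keep_loopback:
            continue
        listeners.append(Listener(proto, addr, int(port), pid))
    return listeners


def document_key(listener, rpc):
    """RPC-range ports are documented as the range, everything else by number."""
    lo, hi = rpc
    if listener.proto == "TCP" and lo <= listener.port <= hi:
        return (listener.proto, f"RPC {lo}-{hi}")
    return (listener.proto, str(listener.port))


def audit(netstat_output, netsh_output, baseline):
    """Return (proto, port-or-range, pid) for every listener absent from the
    baseline; a non-empty result means new documentation, or disabling the
    service, is required before the next check."""
    rpc = rpc_range(netsh_output)
    undocumented = []
    for item in parse_listeners(netstat_output):
        key = document_key(item, rpc)
        if key not in baseline:
            undocumented.append((key[0], key[1], item.pid))
    return undocumented


if __name__ == "__main__":
    for finding in audit(NETSTAT_SAMPLE, NETSH_SAMPLE, BASELINE):
        print("UNDOCUMENTED listener:", finding)
```

On a real host, capture the two command outputs to files and pass their contents in; loopback ports can be included with keep_loopback=True if you choose the more conservative documentation approach.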
Verifying Ports

For compliance, make sure you have documented all the required ports and services, or have shut them down. Remember to look at the ports and services requirement documentation from your vendor and to properly document the ports that might not currently be listening but could arise in specific circumstances. This process should be repeated after every significant change; [6] if there is a new port or service afterward, it must be documented. You are also required to monitor at least once every 35 calendar days [7] for changes to your listening ports (CIP R2.1).

Firewall As Mitigation

A host-based firewall rule which restricts access to a running service is the same as shutting down that service. The Guidelines and Technical Basis section of NERC CIP section 1.1 states that the SDT intends that the control be on the device itself, or positioned in a non-bypassable manner. The guideline goes on to state that using other external firewalls does not substitute for this requirement. If a host-based firewall is used as your mitigation for an open port, be sure to document it.

Not For Detecting A Malware Infection

Ports and services requirements in CIP are not intended to describe forensic investigations after a successful attack. These requirements focus on preparation and defense before an attack. The NERC CIP ports and services requirements shouldn't be construed as an attempt to discover and recover from malware. These requirements do not ask the user to verify that the process or executable associated with a port and service has not been secretly (maliciously) modified. That would require some type of validation of a hash of the software that opened the port.

[6] I'm using the NERC CIP term here just to make suggestions for when to check for changes. "A significant change shall, at a minimum, include implementation of security patches, cumulative service packs, vendor releases, and version upgrades of operating systems, applications, database platforms, or other third-party software or firmware."
[7] "The SDT's intent of R2 is to require automated monitoring of the BES Cyber System. However, the SDT understands that there may be some Cyber Assets where automated monitoring may not be possible."
Also keep in mind that a successful rootkit-style attack will frequently hide open ports and services from the operating system itself. A netstat command will not show the malicious port as open. This also falls under a forensic investigation, which is not part of the NERC CIP requirements. Malware may also hide an executable, so even if you attempted to verify a service program, the executable presented on disk may not be the same as the one executing under its name in memory. Disabling ports and services has great value for preventing infections by malware, but the NERC CIP ports and services requirements shouldn't be construed as an attempt to discover and recover from a previous malware infection.

DNS (On Windows)

A DNS server is expected to open ports 53 UDP and 53 TCP. The Windows DNS server also seems to open port 53 UDP and 53 TCP on the local loopback address, both IPv4 and [::1] (IPv6). Theoretically, these ports can only accept requests from the same computer, so they shouldn't be an issue, but additional documentation might be prudent for compliance purposes. Some versions of DNS on Windows will open a lot of additional UDP listening ports. DNS.exe on Windows Server 2008 R2 with security update MS08-037 will allocate by default 2,501 random UDP listening ports as a precaution against DNS spoofing attacks. [8] It also opens 2,501 IPv6 UDP ports. The ports used by Microsoft DNS are not sufficiently documented by Microsoft. These open ports can change each time the service is restarted and are not necessarily contiguous. While these are not RPC ports, the concept is similar, and it is a known and documented action of the DNS server. These ports and port ranges must be identified and documented to cover the specified number of open DNS ports in this range. The DNS server also opens one RPC TCP listening port on IPv4 and one on IPv6 for DNS management; these two can be documented as regular RPC ports and services.

[8] Configuring the Socket Pool, Microsoft Windows
This has been a technical overview of some of the tools and techniques useful when preparing for a NERC CIP audit that includes logically network accessible ports. We have covered ways to reduce the workload involved by carefully reviewing the requirements, and items to watch for in proper documentation.

About FoxGuard Solutions

FoxGuard Solutions develops innovative programs and services to improve the cybersecurity and compliance posture of industrial control systems in critical infrastructure markets. To reduce the likelihood of system downtime related to cyber incidents, FoxGuard provides assistance with patch validation and distribution, software updating, and system hardening for control system devices. Additionally, FoxGuard offers research and development services, engineering services, and field implementation services to support these programs.

Author

Monta Elkins, Security Architect at FoxGuard Solutions. Monta joined the FoxGuard team in A security researcher and consultant, he was formerly Security Architect for Rackspace and the first ISO for Radford University. He is the author and instructor of the "Defense against Dark Arts" hands-on hacker tools and technique classes.

Contact Information

To learn more about ports and services auditing, contact a FoxGuard Solutions representative: requestinfo@foxguardsolutions.com
More informationKaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com
Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two
More informationISP Best Practices. Addressing a DDoS Attack on a Host. Hervey Allen Network Startup Resource Center
ISP Best Practices Addressing a DDoS Attack on a Host Hervey Allen Network Startup Resource Center June 28, 2010 PacNOG 7 Conference Pago Pago, American Samoa Distributed Denial of Service Attack Summary
More informationLogRhythm and NERC CIP Compliance
LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate
More informationGE Measurement & Control. Cyber Security for Industrial Controls
GE Measurement & Control Cyber Security for Industrial Controls Contents Overview...3 Cyber Asset Protection (CAP) Software Update Subscription....4 SecurityST Solution Options...5 Centralized Account
More informationWhy Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.
Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks
More informationThe Real State of WiFi Security in the Connected Home August 25, 2015
The Real State of WiFi Security in the Connected Home August 25, 2015 1 Abstract Analyzing real-world data can teach us about the state of security in the connected home. RouterCheck, a tool for testing
More informationAutoDownload: SQL Server and Network Trouble Shooting
AutoDownload: SQL Server and Network Trouble Shooting AutoDownload uses Microsoft s SQL Server database software. Since 2005 when AutoDownload was first released Microsoft have also released new versions
More informationCritical Security Controls
Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security
More informationUnderstanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them
Lab Exercises Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Review Questions 1) In class, we made the distinction between a front-door attack and
More informationGE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance
GE Oil & Gas Cyber Security for NERC CIP Versions 5 & 6 Compliance Cyber Security for NERC CIP Versions 5 & 6 Compliance 2 Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security
More informationINDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION
INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer
More informationUnderstanding and evaluating risk to information assets in your software projects
Understanding and evaluating risk to information assets in your software projects ugh.. what a mouthful Dana Epp Windows Security MVP Who am I? Microsoft Windows Security MVP Information Security Professional
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationIncident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com
Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices
More informationGE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems
GE Measurement & Control Top 10 Cyber Vulnerabilities for Control Systems GE Proprietary Information: This document contains proprietary information of the General Electric Company and may not be used
More informationTHE WINDOWS AZURE PROGRAMMING MODEL
THE WINDOWS AZURE PROGRAMMING MODEL DAVID CHAPPELL OCTOBER 2010 SPONSORED BY MICROSOFT CORPORATION CONTENTS Why Create a New Programming Model?... 3 The Three Rules of the Windows Azure Programming Model...
More informationSAFEGUARDING YOUR HOMEOWNERS ASSOCIATION AND COMMON AREAS
SAFEGUARDING YOUR HOMEOWNERS ASSOCIATION AND COMMON AREAS March 2011 www.cybersecurityguy.com 1 2 SAFEGUARDING YOUR HOMEOWNER'S ASSOCIATION AND COMMON AREAS Many Homeowner Associations provide security
More informationNorth American Electric Reliability Corporation (NERC) Cyber Security Standard
North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation
More informationFirewalls Overview and Best Practices. White Paper
Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not
More informationWindows Operating Systems. Basic Security
Windows Operating Systems Basic Security Objectives Explain Windows Operating System (OS) common configurations Recognize OS related threats Apply major steps in securing the OS Windows Operating System
More information8 Steps for Network Security Protection
8 Steps for Network Security Protection cognoscape.com 8 Steps for Network Security Protection Many small and medium sized businesses make the mistake of thinking they won t be the target of hackers because
More informationBest Practices for Cyber Security Testing. Tyson Jarrett Compliance Risk Analyst, Cyber Security
Best Practices for Cyber Security Testing Tyson Jarrett Compliance Risk Analyst, Cyber Security 2 About Me Master s Degree Information Systems Cyber Security Reviewed 1562 CIP CMEP items CIP Analyst 4
More informationDevice Hardening, Vulnerability Remediation and Mitigation for Security Compliance
Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies
More informationWhite Paper. The Ten Features Your Web Application Monitoring Software Must Have. Executive Summary
White Paper The Ten Features Your Web Application Monitoring Software Must Have Executive Summary It s hard to find an important business application that doesn t have a web-based version available and
More informationSecurity Auditing in a Virtual Environment
Security Auditing in a Virtual Environment Security auditing considerations within a Virtual Environment Increasing and widespread use of the virtual platform can be seen as a direct response by enterprises
More information8 Steps For Network Security Protection
8 Steps For Network Security Protection 8 Steps For Network Security Protection Many small and medium sized businesses make the mistake of thinking they won t be the target of hackers because of their
More informationComputer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
More informationInformation Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100
Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100 Course Description: Introduction to Cybersecurity is designed to provide students the basic concepts and terminology
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationOlav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015 CASE: Implementation of Cyber Security for Yara Glomfjord
Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, 28.09.2015 CASE: Implementation of Cyber Security for Yara Glomfjord Implementation of Cyber Security for Yara Glomfjord Speaker profile Olav Mo ABB
More informationRecommended Practice Case Study: Cross-Site Scripting. February 2007
Recommended Practice Case Study: Cross-Site Scripting February 2007 iii ACKNOWLEDGEMENT This document was developed for the U.S. Department of Homeland Security to provide guidance for control system cyber
More informationThe first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.
CIPS Overview Introduction The reliability of the energy grid depends not only on physical assets, but cyber assets. The North American Electric Reliability Corporation (NERC) realized that, along with
More informationAnalyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
More informationComprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware
More informationBSM for IT Governance, Risk and Compliance: NERC CIP
BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................
More informationIntroduction to Operating Systems
Introduction to Operating Systems It is important that you familiarize yourself with Windows and Linux in preparation for this course. The exercises in this book assume a basic knowledge of both of these
More informationDesktop Security. Overview and Technology Guidance. Michael Ramsey Network Specialist, NC DPI
Desktop Security Overview and Technology Guidance Michael Ramsey Network Specialist, NC DPI Desktop Security Best practices for both the technical type and the typical user Defensive Layering Top Vulnerabilities
More informationDescription: Objective: Attending students will learn:
Course: Introduction to Cyber Security Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: In 2014 the world has continued to watch as breach after breach results in millions of
More informationMedical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.
Medical Device Security Health Imaging Digital Capture Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0 Page 1 of 9 Table of Contents Table of Contents... 2 Executive Summary...
More informationWhy The Security You Bought Yesterday, Won t Save You Today
9th Annual Courts and Local Government Technology Conference Why The Security You Bought Yesterday, Won t Save You Today Ian Robertson Director of Information Security Michael Gough Sr. Risk Analyst About
More informationKEY STEPS FOLLOWING A DATA BREACH
KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,
More informationRL Solutions Hosting Service Level Agreement
RL Solutions Hosting Service Level Agreement April 2012 Table of Contents I. Context and Scope... 1 II. Defined Terms... 1 III. RL Solutions Responsibilities... 2 IV. Client Responsibilities... 4 V. The
More informationHands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities
Objectives After reading this chapter and completing the exercises, you will be able to: Describe vulnerabilities of Windows and Linux operating systems Identify specific vulnerabilities and explain ways
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationNetwork Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from www.chrissanders.org
1.pcap - File download Network Security: Workshop Dr. Anat Bremler-Barr Assignment #2 Analyze dump files Solution Taken from www.chrissanders.org Downloading a file is a pretty basic function when described
More informationMalicious Software Prevention for NERC CIP-007 Compliance: Protective Controls for Operating Systems and Supporting Applications
Malicious Software Prevention for NERC CIP-007 Compliance: Protective Controls for Operating Systems and Supporting Applications Matthew E. Luallen, Founder, Cybati / Past Co- Founder of Encari Paul J.
More informationCyber Protection for Building Automation and Energy Management Systems
Cyber Protection for Building Automation and Energy Management Systems IT and Network Operations Managers Perspective PROTECT YOUR INVESTMENT Reinforcing the Integrity of Enterprise Networks The intersection
More information