Introduction to IT Security


1 Introduction to IT Security
Marek Rychly
Strathmore University & Brno University of Technology, Faculty of Information Technology
Enterprise Security, 30 November 2015
Marek Rychly ES, 30 November / 36

2 Outline
1 Course Content: Lectures, Assessments, Projects; Evaluation; Background on the Course
2 and 3: (section titles not preserved in the transcription)

3 Lectures
1 Introduction to IT Security (security terms/glossary, architecture, incidents, models)
2 Identity Management and Access Control (authentication and authorization, discretionary/mandatory access control, roles)
3 Database Application Security Models and Policies (security models for client-server and web applications; system, data and user security policies)
4 Virtual Private Database, Security in Statistical Databases (security by views/triggers, application context, securing aggregation queries)
5 Database Security Issues and Features (transparent data encryption, inference/polyinstantiation)
6 Application Security (SQL injection and other issues)
7 Database Auditing (data selection, manipulation, and control audits)

4 Core Reading Materials
Hassan Afyouni. Database Security and Auditing: Protecting Data Integrity and Accessibility. Cengage Learning.
Ron Ben Natan. Implementing Database Security and Auditing. Elsevier Digital Press.

5 Evaluation
20% assignment (submitted by the end of 2015)
40% project (submitted by the end of the study week, 26 February 2016)
40% final exam (in the exam week, 29 February to 4 March 2016)

6 Assignment (20%)
1 Select one relational database management system (RDBMS) other than Oracle Database (see Comparison of relational database management systems at Wikipedia).
2 For the selected RDBMS, study the documentation of its database security features and possible configurations.
3 Provide a summary (1) of the database security features and configurations of the selected RDBMS that correspond to the topics of the first three lectures of this course (identity management, access control, supported security models and policies).
(1) Any external sources you use in your text must be properly cited.

7 Project (40%)
1 Describe the goals and objectives of database security in a sample company (a made-up company that needs to manage confidential data).
2 Design an identity management, secure data storage and access control solution for the company (security model, policies, user management, roles, profiles, rights, etc.).
3 Design auditing plans to support database security in the company (entities, actions, and users to audit; audit trail storage).
4 Provide SQL scripts implementing the above security measures in a local instance of Oracle RDBMS (create profiles, roles, users, tables and views in a virtual private database of encrypted data, audit functionality, etc.).

8 Prior Knowledge and Skills
The course does not require any prior knowledge or skills except those covered by the ADES course. However, the following may help you to understand the lectures:
1 operating system design principles (process and memory management, authentication and authorization, etc.)
2 basics of computer networking (IP networks, protocols, etc.)
3 general awareness of current IT security news (common vulnerabilities and exposures, security patches, etc.)
4 ability to use Oracle Database and (PL/)SQL (schema, system catalogue, access management, etc.)

9 Database Security
Definition (Database security): the mechanisms that protect the database against intentional or accidental threats.
Definition (Threat): any situation or event, whether intentional or accidental, that may adversely affect a system and consequently the organization.
1 A database represents an essential corporate resource (it should be properly secured using appropriate controls).
2 Securing the database includes controlling physical, personal and organizational security (i.e., securing the products/components, people and processes in the organization).

10 Fundamental Questions for Information Security
- What are you trying to protect or maintain? (the important assets to protect)
- What are your business objectives, and what do you need to accomplish and support those objectives? (the technologies or solutions required to support the business)
- Are your objectives compatible with your security architecture?
- What risks are associated with inadequate security? What are the implications of not implementing security?
- Will you introduce new risks not covered by the current security? How do you reduce those risks?
- What is your tolerance for risk?
(inspired by Overview of Network Security, Cisco)

11 Information Security Conceptual Architecture (figure; adopted from Information Security: A Conceptual Architecture Approach, Oracle)

12 Confidentiality, Integrity, Availability (CIA) and Non-repudiation
Protecting information systems from loss of:
- Confidentiality: ensure that information is not made available or disclosed to unauthorized entities, individuals or processes.
- Integrity: protect the accuracy and completeness of information.
- Availability: keep information accessible and usable when an authorized entity demands access.
- Non-repudiation: provide undeniable proof that an alleged event or action actually happened, or was carried out by a particular entity, at a particular origin.
(adopted from ISO IEC Translated into Plain English, Praxiom Research Group Limited)

13 Defence in Depth (aka Castle/Onion Approach)
- multiple layers of security controls (defence), placed throughout an IT system from its public interface to its internal data storage
- compromising an outer layer does not cause significant damage (there is no such thing as a perfect security layer, method, or product)
- the layers buy an organization time to detect and respond to an attack
(adopted from Defense in Depth: Best Practices for Securing a Teradata Data Warehouse)

14 Authentication, Authorization and Accounting (AAA)
- Authentication is the verification of a user's credentials (a way to restrict future actions to specific users holding valid credentials). It can challenge the user for something they know (a password), something they have (a token), or something they are (biometrics).
- Authorization is the verification that an action is allowed (it determines which resources and operations the user is entitled to use and how; it must occur after the successful authentication of the user).
- Accounting is the process of keeping track of the user's activity (for auditing, billing, cost allocation, trend analysis, capacity planning, etc.).

15 Vulnerability Assessment and Patch Management
- Vulnerability assessment (VA) tools make an inventory, audit, and compare the systems in use against known flaws and vulnerabilities:
  Vulnerability Notes Database, Carnegie Mellon University (CERT);
  Common Vulnerabilities and Exposures (CVE), NVD (US);
  Open Sourced Vulnerability Database, Open Security Foundation.
- Patch management (PM) applies critical patch updates correcting vulnerabilities (e.g., Critical Patch Updates, Security Alerts and Third Party Bulletin by Oracle).
- Hardening reduces the vulnerability surface of a system (a single-function lightweight system is more secure than a multi-purpose one):
  by disabling unnecessary services and closing network ports;
  by removing unnecessary software, modules, etc.;
  by locking unused user names or logins;
  by using well-established secure configurations and frameworks (PIE, PaX, SELinux, isa_harden Windows Server Policy, etc.).
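The hardening bullets above, applied to the DBMS itself as a checklist a DBA can run against an Oracle 11g instance. This is an added example written for this page; it is not part of the lecture slides and not an Oracle-supplied script. The allow-list of open accounts (SYS, SYSTEM, HR_APP), the unused SCOTT demo schema and the list of PUBLIC-granted packages are assumptions for the course scenario.

```sql
-- Added example: hardening checks for an Oracle 11g instance, run as a DBA.
-- Assumptions: SYS, SYSTEM and HR_APP are the only accounts that should stay
-- open, and the SCOTT demo schema is not used by anything.

-- 1. Vulnerability check: accounts still using a vendor default password.
--    DBA_USERS_WITH_DEFPWD exists from 11g; every row returned is a finding.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Unused logins: list open accounts outside the allow-list, then lock them.
--    Lock and expire rather than drop, so objects in the schema keep working
--    and the decision can be reverted.
SELECT username, account_status, created
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND username NOT IN ('SYS', 'SYSTEM', 'HR_APP');   -- allow-list (assumption)

ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- 3. Unnecessary modules: packages granted to PUBLIC that let any database
--    user reach the file system or the network (a classic pivot after a
--    SQL injection). Report them, revoke, and re-grant only to schemas that need them.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'DBMS_JAVA');

REVOKE EXECUTE ON utl_file FROM PUBLIC;
REVOKE EXECUTE ON utl_http FROM PUBLIC;
REVOKE EXECUTE ON utl_tcp  FROM PUBLIC;
REVOKE EXECUTE ON utl_smtp FROM PUBLIC;
-- GRANT EXECUTE ON utl_http TO hr_app;   -- only if the application really needs it

-- 4. Unnecessary services / open ports: Express Edition listens on an embedded
--    HTTP port (APEX); port 0 switches it off. Confirm afterwards with: lsnrctl status
BEGIN
  DBMS_XDB.SETHTTPPORT(0);
END;
/

-- 5. Record the security-relevant parameters as a baseline, so the next run shows drift.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'o7_dictionary_accessibility',
                'remote_os_authent', 'sec_case_sensitive_logon')
 ORDER BY name;
```

Revoking from PUBLIC can break Oracle-supplied or third-party code that silently relied on the grant, so run step 3 on the XE or VM instance first and re-grant per schema. Restricting which hosts may even reach the listener is done outside SQL, in sqlnet.ora (TCP.VALIDNODE_CHECKING = yes with TCP.INVITED_NODES listing the application hosts).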

16 Intrusion Detection and Prevention Systems (IDPS)
- IDPS address threats within the perimeter and on the internal network (they identify and log malicious activity, attempt to block/stop it, and report it).
- Firewalls provide a first, but not perfect, layer of defence (IPS): they usually work as packet filters and are shallow in terms of what they look at.
- Network-based and host-based intrusion detection systems (to detect an attack on the network and on individual hosts):
  by detection of statistical anomalies (anomaly-based);
  by matching activity against signatures of known attacks (signature-based);
  by running honeypots to attract possible attackers (a honeypot appears to be a legitimate system but is actually isolated and monitored).

17 Information Security Auditing and Monitoring
Auditing is one of the most important security techniques (no security without audit; no need to audit without the need for security).
(figure; adopted from IBM Guardium)

18 Defect, Vulnerability, Threat, Attack, ...
- a vulnerability is a defect that can be exploited for an attack
- an attack is composed of multiple steps along an attack vector
- an attack is feasible when a threat can traverse a (trust) boundary by interacting with an attack surface that possesses a vulnerability
- the attack results in an exploit that has a negative impact on business objectives involving business assets
- risk is defined by the probability of the exploitation and its resulting impact
(adopted from John Steven: Threat Modeling Vocabulary, Cigital)

19 Attack: Tool, Vulnerability, Action, Target, Result (figure; adopted from A Common Language for Computer Security Incidents)

20 Attack as Security Incident (figure; adopted from A Common Language for Computer Security Incidents)

21 Database security has to be enforced on all levels (people, applications, network, operating system, DBMS, data files, data).
- Data requires the highest level of protection (it should sit in the core layer, protected by the defence-in-depth approach).
- All layers (security access points) should be secured.
(adopted from Afyouni, H.: Database Security and Auditing, Protecting Data Integrity and Accessibility)

22 Database Security Methodology (figure; adopted from Afyouni, H.: Database Security and Auditing, Protecting Data Integrity and Accessibility)

23 Database Security Model (figure; adopted from Afyouni, H.: Database Security and Auditing, Protecting Data Integrity and Accessibility)

24 Database Security Model: Authentication
- Choose an appropriate (strong) authentication option: by a password (stored in the database server only as a one-way hash, not in recoverable form); by a token held by the user, including PKI; or by a third-party service, e.g., Kerberos, LDAP, the operating system, etc.
- Understand who gets system administration privileges (privileges may be defined outside the database server, e.g., at the operating system level, so each OS administrator may easily act as a database administrator).
- Choose, promote and verify the use of strong passwords (mixed-case letters, numbers, punctuation marks, minimal length, no dictionary words, a different password for each account/service, etc.).
- Implement account lockout after failed login attempts (forever or for a particular period, increasing delays between the failed attempts, etc.; lock the source of an attack rather than the attacked account, to prevent a denial-of-service attack).
- Create and enforce password profiles (to define password lifetime, reuse, lockout, verification function, etc.).
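The last three bullets (strong passwords, lockout, password profiles) map directly onto an Oracle password profile. The following is an added example for this page, not code from the slides: the user HR_APP, the constructed password and every limit are assumptions chosen for the course scenario; VERIFY_FUNCTION_11G is the sample complexity checker that Oracle's own utlpwdmg.sql creates on 11g.

```sql
-- Added example: an Oracle 11g password profile implementing the slide's
-- authentication controls. Run as a DBA. HR_APP and all limits are assumptions.

-- Oracle's sample complexity check (minimum length, mix of character classes,
-- user name not contained in the password, difference from the previous one).
-- utlpwdmg.sql ships with the database and creates VERIFY_FUNCTION_11G.
@?/rdbms/admin/utlpwdmg.sql

CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5              -- lock after 5 consecutive failures
  PASSWORD_LOCK_TIME       1/24           -- ... for one hour (unit is days), not forever
  PASSWORD_LIFE_TIME       90             -- days before a password must be changed
  PASSWORD_GRACE_TIME      7              -- days of warnings before expiry blocks the login
  PASSWORD_REUSE_TIME      365            -- an old password may not come back within a year
  PASSWORD_REUSE_MAX       10             -- ... nor before 10 other passwords were used
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

-- Attach the profile to a new application account (constructed password),
-- forcing a change at first login, or to an existing one.
CREATE USER hr_app IDENTIFIED BY "Ch4nge-Me-On-First-Login"
  PROFILE app_users PASSWORD EXPIRE;
GRANT CREATE SESSION TO hr_app;
ALTER USER hr_app PROFILE app_users;

-- Check what is actually enforced (a limit of DEFAULT inherits from the DEFAULT profile).
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USERS' AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- Operations: who is locked out, and since when. A burst of lockouts across many
-- accounts from one host is the denial of service the slide warns about.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE account_status LIKE 'LOCKED%'
 ORDER BY lock_date DESC;

ALTER USER hr_app ACCOUNT UNLOCK;
```

Oracle's lockout is per account, so it cannot "lock the source" as the slide recommends; keeping PASSWORD_LOCK_TIME bounded limits the damage an attacker can do by deliberately exhausting FAILED_LOGIN_ATTEMPTS, and source-based blocking has to come from the listener's node validation (TCP.VALIDNODE_CHECKING / TCP.INVITED_NODES in sqlnet.ora) or a host firewall. The verification-function hook accepts any PL/SQL function with the signature (username, password, old_password) returning BOOLEAN, so the organization's own rules can replace the sample one.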

25 Password Strength (figure; credit: xkcd.com, R. Munroe)

26 Database Security Model: Authorization
Three dimensions: the authorization of a particular subject to perform a particular action on a particular object.
- the subject: a user, or a group of users (a role)
- the action: an authorization type (read, update, create, etc.)
- the authorization object: a single object, a group of objects, or an entire database
Choose an appropriate access control model (ACM):
- Mandatory Access Control (MAC): subjects and objects are labelled (Biba: read up and write down; Bell-LaPadula: write up and read down)
- Role-Based Access Control (RBAC): subjects are authorized through roles (a role is a position an individual fills in an organization)
- Discretionary Access Control (DAC): the owner of an object can grant other users access to it at his/her own discretion
- Rule-Based Access Control (RBAC or RB-RBAC): roles are assigned to users dynamically, based on particular criteria, e.g., to allow access to objects only during certain hours of the day
Control the usage of the ACM by security policies and procedures (who can control, and who must approve, the access control settings).
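The three dimensions and three of the models on this slide (RBAC, DAC, rule-based) expressed as an Oracle script. This is an added example for this page, not code from the slides: the table HR.SALARIES, the roles, the users, the constructed passwords and the 08:00 to 17:59 business hours are assumptions for the course scenario.

```sql
-- Added example: RBAC, DAC and a rule-based restriction on Oracle. Run as SYS
-- (the logon trigger needs SELECT on DBA_ROLE_PRIVS). All names are assumptions.

-- Object: a sensitive table owned by the application schema.
CREATE TABLE hr.salaries (
  emp_id  NUMBER        PRIMARY KEY,
  dept_id NUMBER        NOT NULL,
  salary  NUMBER(10,2)  NOT NULL
);

-- Subjects: roles named after positions in the organization, not after people (RBAC).
CREATE ROLE payroll_clerk;
CREATE ROLE payroll_auditor;

-- Actions: the least privilege each position needs. The clerk may change
-- only the salary column; nobody gets DELETE.
GRANT SELECT ON hr.salaries TO payroll_auditor;
GRANT SELECT, UPDATE (salary) ON hr.salaries TO payroll_clerk;

-- Users receive a role plus the right to connect, never table privileges directly.
CREATE USER alice IDENTIFIED BY "Clerk-2015-pw";    -- constructed passwords
CREATE USER bob   IDENTIFIED BY "Audit-2015-pw";
GRANT CREATE SESSION, payroll_clerk   TO alice;
GRANT CREATE SESSION, payroll_auditor TO bob;

-- DAC: the owner (HR) grants at its discretion. WITH GRANT OPTION would let the
-- grantee re-grant to anyone, which the policy should reserve for approved cases;
-- it is deliberately not used here.
-- GRANT SELECT ON hr.salaries TO bob WITH GRANT OPTION;   -- discouraged

-- Rule-based element: holders of PAYROLL_CLERK may connect during business hours
-- only. Users with ADMINISTER DATABASE TRIGGER (DBAs) still get in if it raises.
CREATE OR REPLACE TRIGGER business_hours_only
AFTER LOGON ON DATABASE
DECLARE
  v_clerk NUMBER;
BEGIN
  SELECT COUNT(*) INTO v_clerk
    FROM dba_role_privs
   WHERE grantee = USER AND granted_role = 'PAYROLL_CLERK';
  IF v_clerk > 0 AND TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) NOT BETWEEN 8 AND 17 THEN
    RAISE_APPLICATION_ERROR(-20001, 'payroll access is allowed 08:00-17:59 only');
  END IF;
END;
/

-- Verification before sign-off: the effective matrix for the object, resolved
-- through roles. Column-level grants live in DBA_COL_PRIVS, not DBA_TAB_PRIVS.
SELECT rp.grantee AS user_name, tp.privilege, NULL AS column_name
  FROM dba_tab_privs tp
  JOIN dba_role_privs rp ON rp.granted_role = tp.grantee
 WHERE tp.owner = 'HR' AND tp.table_name = 'SALARIES'
UNION ALL
SELECT rp.grantee, cp.privilege, cp.column_name
  FROM dba_col_privs cp
  JOIN dba_role_privs rp ON rp.granted_role = cp.grantee
 WHERE cp.owner = 'HR' AND cp.table_name = 'SALARIES'
 ORDER BY 1, 2;
```

The verification query is the part that gets skipped most often: it answers "who can do what to this table" from the data dictionary rather than from the script you think you ran, which is what an auditor (and the course project) will ask for.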

27 Database Security Model: Encryption
- All passwords stored in a database must be protected (a one-way hash is preferred to encryption: the plaintext passwords cannot then be recovered even if the stored values are stolen).
- Other data with critical confidentiality should also be encrypted:
  encrypted at the application level and then stored in the database (can be processed by the application/database client and its users, but cannot be indexed or processed at the database level by the DBMS);
  encrypted at the database level and then stored in the database files (can be processed by the DBMS and authorized users, while protected from unauthorized access at the operating system level);
  encrypted at the operating system level only (can be read by an attacker who breaks into the operating system hosting the DBMS, directly, without access to the database).
- A DBMS should support transparent data encryption (TDE) to encrypt data at the database level.
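The first and the "encrypted at the database level" bullets, in Oracle terms: salted one-way hashes for application passwords, and TDE for a confidential column. This is an added example for this page, not code from the slides. HR.APP_USERS, HR.CUSTOMERS, the constructed password and the wallet password are assumptions; DBMS_CRYPTO.HASH_SH256 is available from Oracle 12c (11g's DBMS_CRYPTO offers only MD5 and SHA-1), and TDE needs the Advanced Security option, which Express Edition does not include.

```sql
-- Added example: password hashing and column-level TDE on Oracle. Run as a DBA;
-- HR needs "GRANT EXECUTE ON dbms_crypto TO hr". All names are assumptions.

-- (a) Application passwords: keep only a per-user random salt and a one-way hash.
CREATE TABLE hr.app_users (
  username VARCHAR2(30) PRIMARY KEY,
  salt     RAW(16)      NOT NULL,
  pw_hash  RAW(32)      NOT NULL      -- SHA-256 digest of salt || password
);

CREATE OR REPLACE FUNCTION hr.pw_digest(p_password IN VARCHAR2, p_salt IN RAW)
  RETURN RAW IS
BEGIN
  RETURN DBMS_CRYPTO.HASH(
           UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
           DBMS_CRYPTO.HASH_SH256);
END;
/

-- Registration: a fresh salt per user, generated once in PL/SQL so the value
-- that is stored is the value that was hashed (constructed password).
DECLARE
  v_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
BEGIN
  INSERT INTO hr.app_users (username, salt, pw_hash)
  VALUES ('alice', v_salt, hr.pw_digest('correct horse battery staple', v_salt));
END;
/

-- Login check: recompute and compare; 1 for a match, 0 otherwise. No plaintext
-- is stored, so a dump of HR.APP_USERS yields salts and digests, not passwords.
CREATE OR REPLACE FUNCTION hr.check_password(p_user IN VARCHAR2, p_password IN VARCHAR2)
  RETURN NUMBER IS
  v_ok NUMBER;
BEGIN
  SELECT COUNT(*) INTO v_ok
    FROM hr.app_users
   WHERE username = p_user
     AND pw_hash  = hr.pw_digest(p_password, salt);
  RETURN v_ok;
END;
/

-- (b) A confidential column encrypted by the DBMS (TDE). Authorized SQL sees
--     plaintext; data files, backups and anyone reading them at OS level see
--     ciphertext. One-time setup (11g syntax), with ENCRYPTION_WALLET_LOCATION
--     configured in sqlnet.ora first:
--     ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password";
CREATE TABLE hr.customers (
  cust_id NUMBER        PRIMARY KEY,
  name    VARCHAR2(100),
  card_no VARCHAR2(19)  ENCRYPT USING 'AES256'   -- salted by default; NO SALT only if indexed
);

-- Evidence for an auditor: the column is recorded as encrypted in the dictionary.
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'HR';
```

A single SHA-256 satisfies the slide's "one-way" requirement but is fast, so offline guessing against a stolen table stays cheap; a deliberately slow key-derivation function (PBKDF2, bcrypt, scrypt) computed in the application tier is the stronger choice, and on the course's 11g XE it is the only one. TDE, conversely, defends against the operating-system-level reader of the third bullet, not against a query injected through an application that legitimately connects as HR.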

28 Data Redaction and Data Encryption (figures; adopted from Oracle Advanced Security and from Transparent Data Encryption, Oracle)

29 Database Security Model: Audit
Record audit trails for particular user activities:
- received queries (i.e., SELECT statements);
- Data Manipulation and Data Definition Language statements (DML and DDL, i.e., INSERT, UPDATE, DELETE, CREATE, ALTER, and DROP statements);
- Data Control Language statements (DCL, i.e., GRANT and REVOKE statements);
- database events (e.g., login, logout, checkpoint, etc.);
- errors that occurred (especially security errors, such as a bad login or insufficient privilege).
A DBMS must enable an administrator to set up and configure auditing:
- by setting TRIGGERs on audited entities (e.g., tables, or their particular columns and rows);
- by an integrated audit framework (e.g., Oracle's AUDIT command and the DBA_AUDIT_* system views).
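Both mechanisms from the slide, covering every activity class listed above, on Oracle 11g standard auditing. This is an added example for this page, not code from the slides; HR.SALARIES, the audit table and the 24-hour review window are assumptions for the course scenario.

```sql
-- Added example: integrated auditing plus a trigger-based trail on Oracle 11g.
-- Run as a DBA. HR.SALARIES and HR.SALARIES_AUDIT are assumptions.

-- 1. Integrated framework. AUDIT_TRAIL is static: set it, then restart the
--    instance. DB,EXTENDED keeps the trail in SYS.AUD$ and also records the
--    SQL text and bind values of audited statements.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- SYSDBA actions to OS/syslog
-- SHUTDOWN IMMEDIATE; STARTUP;

-- Database events: every login and logoff, successful or not.
AUDIT SESSION;
-- DCL and privilege administration: GRANT/REVOKE of system privileges and
-- roles, plus CREATE/ALTER/DROP of users, roles and profiles.
AUDIT SYSTEM GRANT, ROLE, USER, PROFILE;
-- Queries and DML on the sensitive table, one record per statement, and
-- GRANT/REVOKE of object privileges on it.
AUDIT SELECT, INSERT, UPDATE, DELETE, GRANT ON hr.salaries BY ACCESS;
-- DDL on tables (CREATE/DROP/TRUNCATE TABLE) by anyone.
AUDIT TABLE;

-- Security errors: failed logins (ORA-01017) in the last 24 hours.
SELECT timestamp, username, userhost, os_username, returncode
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

-- Who ran what against the salaries table (SQL_TEXT is filled with EXTENDED).
SELECT timestamp, username, action_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'SALARIES'
 ORDER BY timestamp DESC;

-- 2. Trigger-based trail for value-level detail: the built-in trail records
--    "UPDATE by ALICE"; a row trigger also keeps the old and new salary.
CREATE TABLE hr.salaries_audit (
  changed_at TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
  changed_by VARCHAR2(30)  DEFAULT USER         NOT NULL,
  os_user    VARCHAR2(128),
  emp_id     NUMBER        NOT NULL,
  old_salary NUMBER(10,2),
  new_salary NUMBER(10,2)
);

CREATE OR REPLACE TRIGGER hr.salaries_aud_trg
AFTER UPDATE OF salary ON hr.salaries
FOR EACH ROW
BEGIN
  INSERT INTO hr.salaries_audit (os_user, emp_id, old_salary, new_salary)
  VALUES (SYS_CONTEXT('USERENV', 'OS_USER'), :OLD.emp_id, :OLD.salary, :NEW.salary);
END;
/
-- Keep HR.SALARIES_AUDIT append-only: grant SELECT to an auditor role and never
-- UPDATE or DELETE to application users.
```

With AUDIT_TRAIL = DB the records sit in SYS.AUD$ inside the same database, so a DBA can delete them; for the non-repudiation the CIA slide asks for, write the trail to OS or XML files with restrictive permissions, or ship it to a separate audit store, and retire old records only through a scheduled DBMS_AUDIT_MGMT purge rather than ad-hoc deletes.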

30 Components of Database Audit Environment (figure; adopted from Afyouni, H.: Database Security and Auditing, Protecting Data Integrity and Accessibility)

31 The security concepts will be demonstrated on Oracle DBMS (an enterprise-level object-relational database management system).
- You can download and install Oracle Database 11g Express Edition.
- Or you can download and run the Oracle Enterprise Data Quality VM in VirtualBox.
In both cases, you can connect to and manage databases by means of the Oracle SQL Developer tool.

32 Summary
- Database security is a part of [...].
- Confidentiality, integrity, availability, and non-repudiation.
- Authentication, authorization, and accounting/auditing.
- Defect, vulnerability, threat, attack, incident, ...
In the next lecture: Identity Management and Access Control (authentication and authorization, discretionary/mandatory access control, roles).

33 Thanks
Thank you for your attention!
Marek Rychly


More information

W H IT E P A P E R. Salesforce CRM Security Audit Guide

W H IT E P A P E R. Salesforce CRM Security Audit Guide W HITEPAPER Salesforce CRM Security Audit Guide Contents Introduction...1 Background...1 Security and Compliance Related Settings...1 Password Settings... 2 Audit and Recommendation... 2 Session Settings...

More information

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0 EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single

More information

Database Security & Auditing

Database Security & Auditing Database Security & Auditing Jeff Paddock Manager, Enterprise Solutions September 17, 2009 1 Verizon 2009 Data Breach Investigations Report: 285 million records were compromised in 2008 2 Agenda The Threat

More information

Securing the Data Center

Securing the Data Center Security Securing the Data Center Part I Data Center Security Model Yohay, Shachaf, Spring 2015 Intelligence Business Grid Computing Compute Cloud Computing Networks Storage Information provided in these

More information

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Copyright 2013, Oracle and/or its affiliates. All rights reserved. 1 Security Inside-Out with Oracle Database 12c Denise Mallin, CISSP Oracle Enterprise Architect - Security The following is intended to outline our general product direction. It is intended for information

More information

How To Secure A Database From A Leaky, Unsecured, And Unpatched Server

How To Secure A Database From A Leaky, Unsecured, And Unpatched Server InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions Agenda Any questions unresolved? The Guardium Architecture Integration with Existing Infrastructure Summary Any questions

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

Securing Data in Oracle Database 12c

Securing Data in Oracle Database 12c Securing Data in Oracle Database 12c Thomas Kyte http://asktom.oracle.com/ Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Security + Certification (ITSY 1076) Syllabus

Security + Certification (ITSY 1076) Syllabus Security + Certification (ITSY 1076) Syllabus Course: ITSY 1076 Security+ 40 hours Course Description: This course is targeted toward an Information Technology (IT) professional who has networking and

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Guidelines for Website Security and Security Counter Measures for e-e Governance Project and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online

More information

Comprehensive Approach to Database Security

Comprehensive Approach to Database Security Comprehensive Approach to Database Security asota@hotmail.com NYOUG 2008 1 What will I discuss today Identify Threats, Vulnerabilities and Risk to Databases Analyze the drivers for Database Security Identify

More information

Designing Security for Microsoft SQL Server 2005

Designing Security for Microsoft SQL Server 2005 Designing Security for Microsoft SQL Server 2005 Course 2787 Two Days Hands-On, Instructor-Led Introduction This two-day instructor-led course enables database administrators who work with enterprise environments

More information

Stephen Coty Director, Threat Research

Stephen Coty Director, Threat Research Emerging threats facing Cloud Computing Stephen Coty Director, Threat Research Cloud Environments 101 Cloud Adoption is Gaining Momentum Cloud market revenue will increase at a 36% annual rate Analyst

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

Oracle Database 11g: Security Release 2

Oracle Database 11g: Security Release 2 Oracle University Contact Us: 1.800.529.0165 Oracle Database 11g: Security Release 2 Duration: 5 Days What you will learn In this course, you'll learn how to use Oracle Database features to meet the security,

More information

How To Protect A Data Warehouse From Attack

How To Protect A Data Warehouse From Attack Data Warehousing > Database Security Features in Teradata Database By: Jim Browning and Adriaan Veldhuisen Table of Contents Executive Summary 2 Introduction 3 Teradata Solutions Methodology 4 Teradata

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Welcome to Information Systems Security (503009)

Welcome to Information Systems Security (503009) Welcome to (503009) Nguyen Thi Ai Thao Faculty of Computer Science & Engineering HCMC University of Technology thaonguyen@cse.hcmut.edu.vn Course Outline Week Lectures 1 Information systems security: basic

More information

Mitigating Risks and Monitoring Activity for Database Security

Mitigating Risks and Monitoring Activity for Database Security The Essentials Series: Role of Database Activity Monitoring in Database Security Mitigating Risks and Monitoring Activity for Database Security sponsored by by Dan Sullivan Mi tigating Risks and Monitoring

More information

ITM661 Database Systems. Database Security and Administration

ITM661 Database Systems. Database Security and Administration ITM661 Database Systems Database Security and Administration Outline Introduction to Database Security Issues Types of Security Threats to databases Database Security and DBA Access Protection, User Accounts,

More information

Virtualization System Security

Virtualization System Security Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

Obtaining Value from Your Database Activity Monitoring (DAM) Solution

Obtaining Value from Your Database Activity Monitoring (DAM) Solution Obtaining Value from Your Database Activity Monitoring (DAM) Solution September 23, 2015 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy Corporation

More information

Oracle Database Security. Nathan Aaron ICTN 4040 Spring 2006

Oracle Database Security. Nathan Aaron ICTN 4040 Spring 2006 Oracle Database Security Nathan Aaron ICTN 4040 Spring 2006 Introduction It is important to understand the concepts of a database before one can grasp database security. A generic database definition is

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Common Cyber Threats. Common cyber threats include:

Common Cyber Threats. Common cyber threats include: Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...

More information

CHAPTER - 3 WEB APPLICATION AND SECURITY

CHAPTER - 3 WEB APPLICATION AND SECURITY CHAPTER - 3 WEB APPLICATION AND SECURITY 3.1 Introduction Web application or Wepapp is the general term that is normally used to refer to all distributed web-based applications. According to the more technical

More information

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two

More information

Web Engineering Web Application Security Issues

Web Engineering Web Application Security Issues Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend

More information

Skoot Secure File Transfer

Skoot Secure File Transfer Page 1 Skoot Secure File Transfer Sharing information has become fundamental to organizational success. And as the value of that information whether expressed as mission critical or in monetary terms increases,

More information

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015 NovaTech NERC CIP Compliance Document and Product Description Updated June 2015 This document describes the NovaTech Products for NERC CIP compliance and how they address the latest requirements of NERC

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How Network Security Is Breached Network Security Policy

More information

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

Making Database Security an IT Security Priority

Making Database Security an IT Security Priority Sponsored by Oracle Making Database Security an IT Security Priority A SANS Whitepaper November 2009 Written by Tanya Baccam Security Strategy Overview Why a Database Security Strategy? Making Databases

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009 Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in

More information

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Copyright 2013, Oracle and/or its affiliates. All rights reserved. 1 Solutions for securing and auditing Oracle database Edgars Ruņģis Technology Consultant Why Are Databases Vulnerable? 80% of IT Security Programs Don t Address Database Security Forrester Research Enterprises

More information

GUIDE TO SYBASE SECURITY

GUIDE TO SYBASE SECURITY GUIDE TO SYBASE SECURITY nileshb@nii.co.in Company: Network Intelligence India Pvt. Ltd. http://www.nii.co.in Date: 31 st January 2003 Guide to Sybase Security Introduction: This article provides a detailed

More information

IDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

IDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region IDENTITY MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information