This presentation isn't intended to be comprehensive, but hopefully we'll expose you to some new options or new ways of thinking about Threat Modeling.
- Osborne Freeman
Transcription
5 This presentation isn't intended to be comprehensive, but hopefully we'll expose you to some new options or new ways of thinking about Threat Modeling.
6 Security people don't all agree on the definitions for Risk, Threat, Vulnerability, or what Risk Management, Threat Management and Threat Modeling are. These are my definitions. Another way of describing Risk Management is Information Security Program.
8 Threat Models are done primarily for the benefit of the development team. They are used to address possible issues in the design to prevent vulnerabilities from being introduced. There is a lot of information out there on Threat Modeling and a lot of different views and approaches. I encourage you to search the web and read as many of the different views on Threat Modeling as you can. I'm going to share with you the names of some products that can help in this area, I will show you one particular product I really like, and I will end with a demonstration of how to add threat modeling activities into standard UML model-driven design with common tools.
9 Regardless of the specific methodology employed or tools used, these are basic activities that should be part of a complete Threat Modeling process.
10 Web-based systems like Archer and Rsam; graphical systems like the MS Threat Modeling Tool, MyAppSecurity Threat Modeler, and Prevari Technology Risk Manager.
11 You can produce attack trees with many common diagramming tools like Visio, or Mind Mapping tools like FreeMind. The root of the tree is one specific type of compromise, and the branches and nodes of the tree list all the possible ways you can think of to perform the compromise.
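Once each leaf of an attack tree carries an attacker cost and a note of whether an existing control blocks it, the tree can be evaluated mechanically: OR branches succeed when any child does, AND branches only when every child does. The following Python is an added example and is not part of the presentation or of any tool it names; the tree, the cost values and which leaf is marked as mitigated are all constructed for illustration.

```python
# Added example (not from the presentation): evaluating an attack tree.
# The root is one specific compromise. OR nodes succeed if any child does,
# AND nodes only if every child does. Leaves carry an attacker cost on an
# arbitrary scale and a 'mitigated' flag meaning a control blocks that step.
# The tree and the costs below are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"           # "LEAF", "OR" or "AND"
    cost: float = 0.0            # attacker effort for a leaf
    mitigated: bool = False      # True when a control blocks this leaf
    children: List["Node"] = field(default_factory=list)


def evaluate(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaves) of the cheapest unblocked way to reach `node`.

    cost is INF and leaves is [] when every route passes a mitigated leaf.
    """
    if node.kind == "LEAF":
        return (INF, []) if node.mitigated else (node.cost, [node.name])
    results = [evaluate(child) for child in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])      # any one child suffices
    if node.kind == "AND":
        total = sum(r[0] for r in results)           # INF propagates
        leaves = [n for r in results for n in r[1]] if total < INF else []
        return (total, leaves)
    raise ValueError(f"unknown node kind {node.kind!r}")


def mitigate(node: Node, leaf_name: str) -> bool:
    """Mark the named leaf as blocked by a control; return True if it was found."""
    if node.kind == "LEAF":
        if node.name == leaf_name:
            node.mitigated = True
            return True
        return False
    return any(mitigate(child, leaf_name) for child in node.children)


def build_sample_tree() -> Node:
    """Constructed tree whose root is 'read another customer's balance'."""
    return Node("Read another customer's balance", "OR", children=[
        Node("Use stolen or guessed credentials", "AND", children=[
            Node("Obtain a valid username", cost=1),
            Node("Guess the password", cost=5),
        ]),
        Node("Hijack an authenticated session", "AND", children=[
            # marked mitigated: the link is protected by TLS in this sample
            Node("Capture session token on the wire", cost=2, mitigated=True),
            Node("Replay the captured token", cost=1),
        ]),
        Node("Tamper with the account ID parameter", cost=3),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print(evaluate(tree))
    # Adding an authorization check on the account ID blocks the cheapest path,
    # and the credential-guessing branch becomes the cheapest remaining route.
    mitigate(tree, "Tamper with the account ID parameter")
    print(evaluate(tree))
```

Running the script shows the cheapest unblocked path before and after a mitigation is applied, which is exactly the question an attack tree is meant to answer: which branch an attacker with the least effort would take, and what a given control buys you.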
12 Whatever approach you use to create a Threat Model, you probably want to have some method of ranking the severity of a given threat. This way you can determine how to prioritize resolution.
13 STRIDE describes the type of threat; DREAD describes the level of risk.
15 Severity is rated on a scale such as Minimal, Low, Moderate, High, Critical, or numerically from 1 to 25. Probability is a best guess, which is one of the problems with this approach.
16 There are other systems out there like this one. The elements are different but the concept is the same. For each threat, each element gets a score and the scores are added up (some schemes average them instead).
19 Mature as in it's been around for many years and there have been many releases. Not so mature, in my opinion, in terms of functionality.
20 The tool requires the completion of 3 tasks before a completed threat model can be turned into a report. The tasks are shown at the bottom left. The first task consists of drawing a basic diagram of the system to be evaluated. MS has gone for the ultra-simplified approach to system modeling, as you can see here. The only elements that can be depicted in the diagram are the ones shown in the stencil. This type of diagram is called a Data Flow Diagram (DFD).
21 The 2nd task, which MS calls analysis, requires certifying that either no issues exist for each STRIDE element or documenting the ones that do. In this app, the analysis is really done by the user. They supply a library of common threats, but not of common impacts, controls, etc.
22 The 3rd task is to document things that are not directly part of the application but that affect it.
23 The final task performs the actual analysis by creating reports listing all of the issues and any mitigating controls that have been documented.
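Slides 12 through 16 describe ranking threats by adding up per-element scores, and slides 20 through 23 describe certifying each STRIDE category against each element of the DFD. The Python below is an added example and not the Microsoft tool's own code: it enumerates the STRIDE categories each element of a small DFD must be certified against, using the commonly published STRIDE-per-element table, and then scores and ranks the threats that were documented in DREAD style. The DFD, the DREAD ratings and the severity cut-offs are constructed assumptions; the only thing taken from practice is the per-element mapping.

```python
# Added example (not the Microsoft TMT's own logic): enumerate the STRIDE
# categories each DFD element must be certified against, then rank the
# documented threats with a DREAD-style score. The per-element mapping is the
# commonly published STRIDE-per-element table; the DFD, the DREAD numbers and
# the severity bands are constructed guesses for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# S=Spoofing T=Tampering R=Repudiation I=Information disclosure
# D=Denial of service E=Elevation of privilege
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",      # "R" is added when the store holds audit logs
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # one of the STRIDE_PER_ELEMENT keys
    is_log_store: bool = False


def enumerate_threats(elements: List[Element]) -> List[Tuple[str, str]]:
    """Return (element name, STRIDE letter) pairs the analyst must either
    certify as not applicable or document together with a mitigation."""
    threats = []
    for e in elements:
        cats = STRIDE_PER_ELEMENT[e.kind]          # KeyError: unknown element kind
        if e.kind == "data_store" and e.is_log_store:
            cats += "R"
        threats.extend((e.name, c) for c in cats)
    return threats


DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")


def dread_score(rating: Dict[str, int], average: bool = False) -> float:
    """Sum the five 1-10 DREAD ratings (or average them, as some schemes do)."""
    values = [rating[f] for f in DREAD]            # KeyError if a field is missing
    if any(not 1 <= v <= 10 for v in values):
        raise ValueError("DREAD ratings must be between 1 and 10")
    return sum(values) / len(values) if average else float(sum(values))


def severity_band(score: float) -> str:
    """Map a summed score (5-50) to a label; these cut-offs are an assumption."""
    for limit, label in ((15, "Minimal"), (25, "Low"), (35, "Moderate"), (45, "High")):
        if score <= limit:
            return label
    return "Critical"


def rank_threats(documented):
    """documented: list of ((element, letter), description, rating dict).
    Returns (key, description, score, band) tuples, highest score first."""
    ranked = []
    for key, description, rating in documented:
        score = dread_score(rating)
        ranked.append((key, description, score, severity_band(score)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


# Constructed DFD for a login flow.
SAMPLE_DFD = [
    Element("Browser", "external_entity"),
    Element("Login", "process"),
    Element("Credentials", "data_flow"),
    Element("User DB", "data_store"),
    Element("Audit log", "data_store", is_log_store=True),
]

# Constructed ratings for three of the enumerated threats.
SAMPLE_DOCUMENTED = [
    (("Login", "S"), "credential guessing against the login form",
     dict(damage=7, reproducibility=8, exploitability=6, affected_users=8, discoverability=9)),
    (("Credentials", "I"), "credentials sniffed on an unencrypted link",
     dict(damage=8, reproducibility=5, exploitability=4, affected_users=8, discoverability=6)),
    (("User DB", "T"), "SQL injection rewrites account records",
     dict(damage=9, reproducibility=9, exploitability=7, affected_users=10, discoverability=8)),
]

if __name__ == "__main__":
    for element, letter in enumerate_threats(SAMPLE_DFD):
        print(f"{element:12} {letter}")
    for key, desc, score, band in rank_threats(SAMPLE_DOCUMENTED):
        print(f"{score:4.0f} {band:9} {key[0]}/{key[1]}: {desc}")
```

The enumeration is the part the tool does for you; every pair it prints still has to be closed out by a person, which is the point made above that the analysis is really done by the user. The scoring half makes the weakness of the approach visible: discoverability and exploitability are guesses, and a change of a point or two in either can reorder the list.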
25 This modeling application takes a more friendly and visually pleasing approach. Each function has its own icon, as opposed to TMT where every function has the same icon. The app comes with a library of pre-defined icons/functions and allows the user to create their own. There are pre-made templates and icon/function sets for different types of apps such as Banking, ecommerce, Social, etc. Due to time constraints I cannot show a complete model or flow through the application, but I do want to show a few elements of the app and a model to give you an idea of how this works.
26 As previously mentioned, one key ingredient for a good threat modeling application is that it must have a library of (at least) common threats, mitigating controls, and data elements. The controls and classifications of data elements should be drawn from organization security policies, which are represented in this application as Rules. This application, like others in the space, also works off of a database of common questions that the user answers to determine which threats exist based on implemented functionality and the presence or absence of required mitigating controls. This application comes with an extensive library, and can be completely customized.
27 When you start to create a Threat Model in this app, one of the first things you do is indicate which data elements the system uses. The available data elements are predefined in the library, along with their data classification, per organizational security policy.
28 Continue building the model by answering questions about the controls to be implemented in the system. Questions come from the library and serve to enforce policy. The answers are used as inputs to the threat model.
29 A further step involves indicating which data elements are used by each specific component. In this screenshot User Name and Password are assigned to the Login component.
30 Once a component is defined with its data elements and technical controls, a list of applicable rules/policies gets added to the properties of the component. This screenshot shows rules/policies to apply to the Login component.
31 Once the model is complete, you can use different views to look at the risks from different perspectives. This screenshot shows only components susceptible to SQL Injection.
32 This view shows all threats for one specific component (Login) along with their current risk level. The Status and Comments fields are used by developers as they respond to the findings.
33 This is a view that shows a list of all threats to all components and the mitigating factors. The application has much more functionality, including being able to produce reports like TMT. For the sake of time, however, we must move on.
34 This is my preferred approach and one that I share with my clients. Most approaches to threat modeling, including the ones just seen in the two modeling apps, as well as all of the applications that work on the Q&A forms approach, are, in my opinion, all missing something very pertinent. They all focus on finding technical threats to particular system components, which is good, but there is something else they should be looking at. Can you guess what it is?
35 How the app or components of the app will be used! So, like we always should do when doing any UML model-driven design, we start with Use Cases!
36 Then we figure out how the use cases can be subverted and we add Misuse or Abuse Cases from the Attacker's point of view. Note that I am focusing on threats related to fraud here, but it could easily be any type of info-security threat. For the sake of simplicity, this model has only one type of attacker, but in reality we typically have to account for multiple types of attackers. I usually go with External Fraudster, Internal Fraudster and Customer Fraudster.
37 These misuse cases must now be seen as extended use cases that the design must solve for.
38 My preferred CASE (Computer Aided Software Engineering) tool, but there are others.
39 We started with Use Cases; next, let's take a look at some other design models. We are now looking at a simple but authentic Communication Model for a login process. Note that the validatecredentials() function uses ID and PW as parameters. Now look on the right, in the Project Browser window of this design tool, at what should look like a pretty standard list of models to anyone who does model-driven design with UML, with one possible exception: the Security Model. Let's look at it. Notice that there are 3 packages or sub-sections to the Security Model: Controls, Data Elements, and Threats.
40 Let's look at the Controls. In this model we have a bunch of packages of security controls shown as components. In the Communication Model we saw that there was an authentication function that used ID and Password;
41 by viewing the properties of the ID/Password control component, we can see that there are security requirements regarding how ID/Password components must be implemented,
42 and there are details about how the component is actually implemented. How did these get there? Model-driven architecture is usually done by working off of standard templates, or project files, and then modifying them for the system being designed. The Security Model I'm showing you would be part of the base model or project file used by every project. The Requirements for each security control will be present in the model, and are based on organizational policy (or best practice). When applicable, the Parameters for a particular security component will also be available, but their values will have to be filled in. Through process, it is the Architect's responsibility to fill in these values and make any changes to any of the details of any used control if there will be deviation from policy. The Architect can also note why there is deviation on one of the other tabs of this window. Controls listed which are not used in any way by the project are simply deleted from the model.
43 Moving on, here we see a simple Component diagram and a list of data elements associated with a specific component.
44 Here we see how data classifications are a property of the data element. Remember, these are created in a base model and inherited by every project.
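The last several slides describe the same mechanism from two tools' perspectives: data elements carry a classification in a base model, policy rules attach required controls to a component through the data it handles, and the Architect fills in control parameters and justifies any deviation. The Python below is an added example expressing that mechanism as a check; it is not Enterprise Architect's or ThreatModeler's own logic. The classifications, the rule set, the control names and the sample Login component are all constructed for illustration.

```python
# Added example (not Enterprise Architect's or ThreatModeler's own logic):
# data elements carry a classification in a base model, policy rules attach
# required controls to a component through the data it handles, and the
# Architect's filled-in parameters and noted deviations are checked against
# those rules. Classifications, rules and the sample component are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Base model, inherited by every project: data element -> classification.
DATA_ELEMENTS = {
    "User Name": "Internal",
    "Password": "Secret",
    "Account Number": "Confidential",
    "Product Catalog": "Public",
}

# Policy rules: classification -> required control -> parameters.
# A parameter value of None is one the Architect must fill in.
POLICY_RULES = {
    "Secret": {
        "stored_hashed": {"algorithm": None},
        "tls_in_transit": {"min_version": "1.2"},
        "excluded_from_logs": {},
    },
    "Confidential": {"tls_in_transit": {"min_version": "1.2"}, "access_logged": {}},
    "Internal": {"access_logged": {}},
    "Public": {},
}

Finding = Tuple[str, str, Optional[str]]   # (kind, control, detail)


@dataclass
class Component:
    name: str
    data_elements: List[str]
    controls: Dict[str, Dict[str, str]] = field(default_factory=dict)  # as implemented
    deviations: Dict[str, str] = field(default_factory=dict)          # control -> justification


def required_controls(component: Component) -> Dict[str, Dict[str, Optional[str]]]:
    """Union of the controls policy requires for every data element the
    component handles (the first rule seen for a control supplies its parameters)."""
    required: Dict[str, Dict[str, Optional[str]]] = {}
    for element in component.data_elements:
        classification = DATA_ELEMENTS[element]         # KeyError: not in the base model
        for control, params in POLICY_RULES[classification].items():
            required.setdefault(control, dict(params))
    return required


def _satisfies(param: str, required: str, actual: str) -> bool:
    """'min_*' parameters are lower bounds (numeric compare); others must match."""
    if param.startswith("min_"):
        return float(actual) >= float(required)
    return actual == required


def check_component(component: Component) -> List[Finding]:
    """Compare implemented controls with required ones. A required control that
    is absent but has a recorded justification is reported as an accepted
    deviation rather than as a missing control."""
    findings: List[Finding] = []
    for control, params in required_controls(component).items():
        implemented = component.controls.get(control)
        if implemented is None:
            if control in component.deviations:
                findings.append(("accepted_deviation", control, component.deviations[control]))
            else:
                findings.append(("missing_control", control, None))
            continue
        for param, required_value in params.items():
            actual = implemented.get(param)
            if actual is None:
                findings.append(("parameter_unfilled", control, param))
            elif required_value is not None and not _satisfies(param, required_value, actual):
                findings.append(("parameter_mismatch", control,
                                 f"{param}={actual}, policy requires {required_value}"))
    return findings


def sample_login_component() -> Component:
    """Constructed Login component: hashes passwords, but still allows TLS 1.0,
    does not exclude the password from logs, and records that access logging
    is done by the API gateway instead of locally."""
    return Component(
        name="Login",
        data_elements=["User Name", "Password"],
        controls={
            "stored_hashed": {"algorithm": "bcrypt"},
            "tls_in_transit": {"min_version": "1.0"},
        },
        deviations={"access_logged": "access logging performed by the API gateway"},
    )


if __name__ == "__main__":
    for kind, control, detail in check_component(sample_login_component()):
        print(f"{kind:20} {control:18} {detail or ''}")
```

Running it against the constructed Login component yields one accepted deviation, one parameter mismatch (TLS minimum version below policy) and one missing control; a component that handles only Public data comes back with nothing required, which is the "controls not used by the project are simply deleted" case from the previous slide.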
45 Here in the Threats section of the Security Model we see an unfinished Threat Tree.
46 Now this may be all nice for Architects, designers, those versed in UML and those who have access to a tool like this. But what about others in an organization that are part of the Security process? In my experience, most of my clients' personnel who perform the actual risk assessment like to, or are required to, work with Word documents. In most cases, the final report or Risk Assessment for a particular system or project is presented and stored as a Word document. EA allows you to export all or parts of your model to Word (and a variety of other formats). This is a simple export of the Security Model only, with no customization. With a bit of customization the report would look a lot snazzier. In any case, a security consultant or risk analyst looking at this would be able to easily understand the security aspects of this system or project. Remember, none of the text in this document is typed and formatted by hand; it is all exported from the models in the EA project.
48 The point of this presentation was to make you aware of some of the approaches out there that you may want to try.
More informationKentico CMS security facts
Kentico CMS security facts ELSE 1 www.kentico.com Preface The document provides the reader an overview of how security is handled by Kentico CMS. It does not give a full list of all possibilities in the
More informationWeb Application Security Considerations
Web Application Security Considerations Eric Peele, Kevin Gainey International Field Directors & Technology Conference 2006 May 21 24, 2006 RTI International is a trade name of Research Triangle Institute
More informationMac Information. How to share files with Apple s MobileMe service
Mac Information How to share files with Apple s MobileMe service Introduction: With MobileMe, Apple s internet services, you can place files online for others to download. This saves your colleague time
More informationThreat Modeling. Deepak Manohar
Threat Modeling Deepak Manohar Outline Motivation Past Security Approaches Common problems with past security approaches Adversary s perspective Vs Defender s perspective Why defender s perspective? Threat
More informationPerforming a Web Application Security Assessment
IBM Software Group Performing a Web Application Security Assessment 2007 IBM Corporation Coordinate the Time of the Audit Set up a time window with the application owner Inform your security team Inform
More informationMobile, Cloud, Advanced Threats: A Unified Approach to Security
Mobile, Cloud, Advanced Threats: A Unified Approach to Security David Druker, Ph.D. Senior Security Solution Architect IBM 1 Business Security for Business 2 Common Business Functions Manufacturing or
More informationPublishing Reports in Tableau
Requesting Tableau System Access... 2 Terms and Definitions... 2 License Levels... 2 User Rights... 2 Permissions... 2 Viewer... 3 Interactor... 3 Editor... 3 Publisher... 3 Project Leader... 4 Custom...
More informationSIS Support Help Desk Center. SharePoint & Ticket System Overview
SIS Support Help Desk Center SharePoint & Ticket System Overview Table of Contents LOGGING INTO THE SIS SUPPORT SHAREPOINT... 3 LOGGING OUT OF THE SIS SUPPORT SHAREPOINT... 5 LOGGING INTO THE HELP DESK
More informationRFG Secure FTP. Web Interface
RFG Secure FTP Web Interface Step 1: Getting to the Secure FTP Web Interface: Open your preferred web browser and type the following address: http://ftp.raddon.com After you hit enter, you will be taken
More informationAEGEE Podio Guidelines
AEGEE Podio Guidelines EUROPEAN STUDENTS FORUM Contains What is Podio?... 3 Podio vs Facebook... 3 Video Tutorial Podio Basics... 3 Podio for AEGEE-Europe... 3 How to get it?... 3 Getting started... 4
More informationArchitectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp.
Architectural Design Patterns for SSO (Single Sign On) Design and Use Cases for Financial i Web Applications Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. OWASP Copyright The OWASP Foundation Permission
More informationDATABASE SECURITY MECHANISMS AND IMPLEMENTATIONS
DATABASE SECURITY MECHANISMS AND IMPLEMENTATIONS Manying Qiu, Virginia State University, mqiu@vsu.edu Steve Davis, Clemson University, davis@clemson.edu ABSTRACT People considering improvements in database
More informationTransferring data safely
Transferring data safely Secure drop-box users guide INTRODUCTION You ve been registered to make use of a secure web-based drop-box in order to safely exchange data across the Internet between yourself
More informationThe introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.
1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood
More informationSetting up an MS SQL Server for IGSS
Setting up an MS SQL Server for IGSS Table of Contents Table of Contents...1 Introduction... 2 The Microsoft SQL Server database...2 Setting up an MS SQL Server...3 Installing the MS SQL Server software...3
More informationAuthoring for System Center 2012 Operations Manager
Authoring for System Center 2012 Operations Manager Microsoft Corporation Published: November 1, 2013 Authors Byron Ricks Applies To System Center 2012 Operations Manager System Center 2012 Service Pack
More informationNetwork Security and Vulnerability Assessment Solutions
Network Security and Vulnerability Assessment Solutions Unified Vulnerability Management It s a known fact that the exponential growth and successful exploitation of vulnerabilities create increasingly
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationManagers Your guts - Our glory. j.dowley@hotmail.com
Password Managers Your guts - Our glory Jeff Dowley j.dowley@hotmail.com Overview Password managers Meant to aid you in keeping track of the dozens or even hundreds of passwords you may have Most browsers
More informationBest Practices, Procedures and Methods for Access Control Management. Michael Haythorn
Best Practices, Procedures and Methods for Access Control Management Michael Haythorn July 13, 2013 Table of Contents Abstract... 2 What is Access?... 3 Access Control... 3 Identification... 3 Authentication...
More information