Information Systems Security
|
|
- Arline Tate
- 8 years ago
- Views:
Transcription
1 Information Systems Security Lecture 4: Security Engineering Prof. Dr. Christoph Karg Aalen University of Applied Sciences Department of Computer Science Learning Objective Learning Objective This lecture s learning objective is an introduction to the topic of security engineering. The following questions are addressed: What is the goal of security engineering? Of which parts consists the security engineering process? Which techniques exist for threat risk modeling? What is a security policy? What does threat modeling mean? C. Karg (Information Systems Security) 4. Security Engineering 2 / 53
2 Overview Overview Security engineering definition Security engineering process Analysis phase Modeling phase Implementation phase Microsoft thread modeling process Security development life cycle Common security mechanisms C. Karg (Information Systems Security) 4. Security Engineering 3 / 53 Security Engineering Security Engineering Specialized field of engineering Goal: Build systems to remain dependable in the face of malice, error, or mischance Focus on tools, processes, and methods needed to design, implement, and test complete systems to adapt existing systems as their environment envolves Requires cross-disciplinary expertise such as Cryptography and computer security Hardware tamper-resistance Formal methods Knowledge of economics Applied psychology The law C. Karg (Information Systems Security) 4. Security Engineering 4 / 53
3 Analysis Framework Security Engineering Policy Incentives Mechanism Assurance C. Karg (Information Systems Security) 4. Security Engineering 5 / 53 Security Engineering Analysis Framework (Cont.) Interaction of four components: Policy: What are you supposed to achieve? Mechanisms: Which mechanisms (ciphers, access control, hardware tamper-resistance,... ) do you assemble to implement the policy? Assurance: How reliant is each of the deployed mechanisms? Incentives: What are the reasons that people guarding and maintaining your systems work properly? why attackers try to defeat your policy and to attack your systems? C. Karg (Information Systems Security) 4. Security Engineering 6 / 53
4 Security Engineering Process Overview Security Engineering Is An Ongoing Process Problem Improvement Requirements & Risks Assessment Adapt Verify Plan Execute Action Measurement & Validation Implementation Operational System C. Karg (Information Systems Security) 4. Security Engineering 7 / 53 Security Engineering Process Overview Phases Of The Engineering Process Application Area Requirements audit Threat Analysis Analysis Risk Assessment specify Modeling Security Policy Security Model Model Verification Priliminary Design Validation Integration Testing Security Architecture Concept Modul Testing Security Model Code Inspection maintenance of operation C. Karg (Information Systems Security) 4. Security Engineering 8 / 53
5 Security Engineering Process Prerequisites Prerequisites Application Area: Which industrial sector? Which geographic region? Which environment? Security Requirements: Technical aspects Organizational aspects Legal aspects C. Karg (Information Systems Security) 4. Security Engineering 9 / 53 Security Engineering Process Analysis Phase Structural Analysis Goal: Provide detailed information on the structure of the company and provide respective security requirements Categories: Infrastructure: Buildings, power supply, telecommunications,... IT-Infrastructure: Network Hardware components Software Organization: Corporate structure Departments Business processes C. Karg (Information Systems Security) 4. Security Engineering 10 / 53
6 Security Engineering Process Analysis Phase Threat Analysis Goal: systematically detect potential organizational, technical, and user-related reasons for threats, which may cause damage Approach: Search vulnerabilities Physical defects Software defects Analyze organizational processes Useful helpers: Penetration Testing Security Chains C. Karg (Information Systems Security) 4. Security Engineering 11 / 53 Security Engineering Process Analysis Phase Penetration Testing A penetration test consists of Password cracking attacks Attacks by recording and manipulation the network traffic Attacks by using known exploits Approach: 1. Internet research to collect publicly available information such as IP addresses 2. Usage of a port scanner to detect accessible services of an IT system 3. Usage of fingerprinting methods to detect the operating system and its version, the type of web browser, etc. 4. Identification of known exploits of the IT system 5. Usage of known exploits to get unauthorized access to the system C. Karg (Information Systems Security) 4. Security Engineering 12 / 53
7 Security Engineering Process Analysis Phase Security Chains Security chains are a tool to analyze the threats of processes within a company A security chain splits up a business or organizational process into single steps Potential threats are associated with each step of the chain Both threats of technical and non-technical kind are considered C. Karg (Information Systems Security) 4. Security Engineering 13 / 53 Security Engineering Process Analysis Phase Security Chain Example Social Engineering Sniffing Keylogger Virus Spoofing, Sniffing, DoS User System Access Authentification Place Of Work Access Control Intranet Firewall, IDS Service Content Provider Internet Server WWW, ERP Spoofing, DoS, Privacy Sniffing, DoS, Profiling Worms, DoS Security chain for a user working in the accounting department C. Karg (Information Systems Security) 4. Security Engineering 14 / 53
8 Security Engineering Process Analysis Phase Risk Assessment Formula: Risk R = S E, where S amount of damage E occurrence probability of the threat Assignment of S: Primary damage causes personnel costs, loss of production, or costs of reproduction Secondary damage loss of reputation and trust Assignment of occurrence probability E: Complexity of the attack Benefit of the attack C. Karg (Information Systems Security) 4. Security Engineering 15 / 53 Security Engineering Process Analysis Phase Threat Risk Modeling Goals Define the security requirements of an application Identify potential threats and vulnerabilities Identify a logical thought process in defining the security of a system Find bugs in the application earlier Create a documentation to be used to specify security specification and security testing procedures Provide a justification for purchasing security related hardware and software C. Karg (Information Systems Security) 4. Security Engineering 16 / 53
9 Security Engineering Process Analysis Phase Threat Modeling Systems Microsoft Threat Modeling Process Common Vulnerability Scoring System (CVSS) ( Common Weakness Scoring System (CWSS) ( OCTAVE ( C. Karg (Information Systems Security) 4. Security Engineering 17 / 53 Security Engineering Process Modeling Phase Modeling Phase A security policy describes the target state of an IT system usually as a criteria catalog It is necessary to adjust the security (target state) with the results provided by the threat analysis and risk management (current state) A security model is a scheme for specifying and enforcing security policies C. Karg (Information Systems Security) 4. Security Engineering 18 / 53
10 Security Engineering Process Modeling Phase Design Principles Fail-safe defaults: Access is denied per default. Access must be granted explicitly Complete mediation: Every access must be checked for acceptance Need to know: Each subject gets only the access rights, it needs for fulfillment of its tasks Economy of mechanism: the deployed security mechanisms must be easy to use and should be applied automatically as a matter of routine Open design: any design methods and mechanisms should be unfolded ( no security through obscurity ) C. Karg (Information Systems Security) 4. Security Engineering 19 / 53 Security Engineering Process Modeling Phase Security Policies A security policy defines the set of technical and organizational rules directives of behavior responsibilities roles, and procedures of a system or a organizational unit C. Karg (Information Systems Security) 4. Security Engineering 20 / 53
11 Security Engineering Process Modeling Phase Example: Password Policy All system-level passwords (e.g., root, NT admin) must be changed on at least a quarterly basis All user-level passwords (e.g., , web, desktop computers, etc.) must be changed at least every six month. The recommended change interval is every four month User accounts that have system-level privileges granted through group memberships or programs such as sudo must have a unique password from all other accounts held by that user Passwords must not be inserted into messages or other forms of electronic communication C. Karg (Information Systems Security) 4. Security Engineering 21 / 53 Security Engineering Process Implementation Phase Implementation Phase The implementation phase puts the modeling results into work. The security architecture is derived from the security model. It describes the security mechanisms to be deployed in order to be compliant to the model. A validation is necessary to check whether the security architecture was implemented correctly. Note: security engineering is a consecutive and iterative process. C. Karg (Information Systems Security) 4. Security Engineering 22 / 53
12 Microsoft Threat Modeling Process The Modeling Process Microsoft Threat Modeling Process Identify Security Objectives Application Overview Identify Vulnerabilities Decompose Application Identify Threats C. Karg (Information Systems Security) 4. Security Engineering 23 / 53 Microsoft Threat Modeling Process Identify Security Objectives Identify Security Objectives Categories of security objectives: Identity Does the application protect the user identity from abuse? Are there control mechanisms to ensure evidence of identity? Financial Aspects Is there a financial loss in case of the security breach of the application? How high is the risk of a financial loss? C. Karg (Information Systems Security) 4. Security Engineering 24 / 53
13 Microsoft Threat Modeling Process Identify Security Objectives Identify Security Objectives (Cont.) Reputation Is there a loss of reputation if the application is successfully attacked? Can this loss be quantified? Privacy and Regulatory Does the application protect user data? Does the user data underlie any legal policies? Availability Guarantees Has the application to fulfill a service level agreement? To what level has the application to be available? What are the penalties for being unavailable? C. Karg (Information Systems Security) 4. Security Engineering 25 / 53 Microsoft Threat Modeling Process Identify Security Objectives Application Overview And Decomposition Analyze the application design to identify components of the application data flow between the components trust boundaries High level UML diagrams are a helpful tool Decompose the application to identify the security-related modules which need to be evaluated C. Karg (Information Systems Security) 4. Security Engineering 26 / 53
14 Microsoft Threat Modeling Process Identify Threats Identify Threats Use online resources to find relevant exploits Exploit Database ( Open Source Vulnerability Database ( Check the existing exploits against the modules of your application Document the existing threats using threat graphs, or threat lists Draw attack trees to estimate the chance of a successful attack C. Karg (Information Systems Security) 4. Security Engineering 27 / 53 Microsoft Threat Modeling Process Identify Threats Threat Graph Example Attacker may be able to read other users messages User may not have logged off on a shared computer Authorization may fail, allowing unauthorized access Data validation may fail, allowing SQL injection Browser cache may contain contents of a message Implement data validation Implement authorization checks Implement anti caching HTTP headers If risk is high, use SSL C. Karg (Information Systems Security) 4. Security Engineering 28 / 53
15 Microsoft Threat Modeling Process Identify Threats Threat List Example Threat: Attacker may be able to read other user s messages Attack: 1. User may not have logged off on a shared computer 2. Data validation may fail, allowing SQL injection Implement data validation 3. Authorization may fail, allowing unauthorized access Implement authorization checks 4. Browser cache may contain contents of a message Implement anti-caching HTTP headers If risk is high, use SSL C. Karg (Information Systems Security) 4. Security Engineering 29 / 53 Microsoft Threat Modeling Process Identify Threats Attack Trees The root of the tree represents the attack goal. The internal nodes represent sub-ordinate targets. Node types OR node one of child targets is necessary to cause the threat. AND node all child targets must be fulfilled to cause threat. All pathes from leafs to the root describe different ways for a successful attack. C. Karg (Information Systems Security) 4. Security Engineering 30 / 53
16 Microsoft Threat Modeling Process Identify Threats Example: Masquerading Of A Mobile Device attack target masquerade attack decision node attack step beyond technical scope local login AND remote login valid login possession of the device without authentication login required stealing threaten owner blackmail owner appropriation AND auth token required auth data required without user s assistance with user s assistance without biometrics with biometrics forgery stealing threaten owner blackmail owner appropriation threaten owner blackmail owner forgery lost device unattended device disposed device C. Karg (Information Systems Security) 4. Security Engineering 31 / 53 Microsoft Threat Modeling Process Identify Threats Example: Risk Assessment Of An Attack Tree sniffing of a user password Risk: very high MAX spy out the unencrypted access to stored terminal input network transmission password data Risk: low Risk: very high Risk: high C. Karg (Information Systems Security) 4. Security Engineering 32 / 53
17 Microsoft Threat Modeling Process STRIDE STRIDE STRIDE is a classification scheme for threats Goal: Classify known threats according to the kinds of exploit there are used STRIDE stands for Spoofing identity Tampering with data Repudiation Information disclosure Denial of service Elevation of privilege C. Karg (Information Systems Security) 4. Security Engineering 33 / 53 Microsoft Threat Modeling Process STRIDE STRIDE (Cont.) Spoofing Identity Key risk of applications with multi-user-access such as databases, file servers,... Users should not be able to become any other user or get privileges of other users. Tampering with Data A user should not get unauthorized access to confidential data. The application should check data received from users. C. Karg (Information Systems Security) 4. Security Engineering 34 / 53
18 Microsoft Threat Modeling Process STRIDE STRIDE (Cont.) Repudiation Users may dispute transactions they have performed. If non-repudiation is a necessary feature, then appropriate mechanisms such as access logs or audit trails must be deployed. Information Disclosure If an attacker reveals confidential user data stored in the application, this may cause a loss of confidence and reputation. Hence, application must include strong access controls to prevent tampering and abuse of confidential data. C. Karg (Information Systems Security) 4. Security Engineering 35 / 53 Microsoft Threat Modeling Process STRIDE STRIDE (Cont.) Denial of Service An application should be checked against use of expensive resources such as processing of large files, complex computations, heavy-duty database queries,... Expensive operations should be restricted to authenticated and authorized users.. Elevation of Privilege An application with distinct user and administrator roles should ensure that a normal user cannot elevate his role to a higher privilege. C. Karg (Information Systems Security) 4. Security Engineering 36 / 53
19 Microsoft Threat Modeling Process DREAD Risk Assessment DREAD Risk Assessment DREAD is a classification scheme for quantifying the risk of a given threat. Using DREAD, threats can be compared and prioritized. DREAD stands for Damage Potential Reproducibility Exploitability Affected Discoverability C. Karg (Information Systems Security) 4. Security Engineering 37 / 53 Microsoft Threat Modeling Process DREAD Risk Assessment The DREAD Formula DREAD Formula: Risk DREAD = S DA + S RE + S EX + S AF + S DI 5 where S DA = score damage potential S RE = score reproducibility S EX = score exploitability S AF = score affected users S DA = score discoverability Note: Each score must have a value in {0, 1, 2,..., 10}. C. Karg (Information Systems Security) 4. Security Engineering 38 / 53
20 Microsoft Threat Modeling Process DREAD Risk Assessment Quantifying DREAD Categories Example Damage Potential: If a threat occurs, how much damage will be caused? 0 = Nothing 5 = Individual user data is compromised or affected 10 = Complete system or data destruction Reproducibility: How easy is it to reproduce the threat exploit? 0 = Very hard or impossible, even for administrators of the application 5 = One or two steps required be an authorized user 10 = Usage a web browser without authentification C. Karg (Information Systems Security) 4. Security Engineering 39 / 53 Microsoft Threat Modeling Process DREAD Risk Assessment Quantifying DREAD Categories Example (Cont.) Exploitability: What is needed to exploit this threat? 0 = Advanced programming and network knowledge with custom or advanced attack tools 5 = Malware exists on the Internet, or exploit is easily performed, using available attack tools 10 = Just a web browser Affected Users 0 = None 5 = Some users, but not all 10 = All users Discoverability: Usually set to 10 by convention C. Karg (Information Systems Security) 4. Security Engineering 40 / 53
21 Security Development Life Cycle Security Development Life Cycle (SDL) Process to increase the quality of software development Introduced by Microsoft Paradigms Secure by design software is designed to protect itself and the processed information against attacks Secure by default user gets minimal access rights by default Secure in deployment provision of manuals and tools that support the user in securely applying the software Communication developers shall be upfront with exploits and provide patches rapidly C. Karg (Information Systems Security) 4. Security Engineering 41 / 53 SDL Process Security Development Life Cycle C. Karg (Information Systems Security) 4. Security Engineering 42 / 53
22 Security Development Life Cycle SDL Process Phases 1. Training: Training of the software developer 2. Requirements: Identification of the security requirements and the protection targets of the software 3. Design: Identification of the essential components Definition of a software architecture Threat modeling 4. Implementation: Usage of tools to avoid vulnerabilities Code reviews C. Karg (Information Systems Security) 4. Security Engineering 43 / 53 Security Development Life Cycle SDL Process Phases (Cont.) 5. Verification: Beta testing of the fully completed software systematical search of defects (security push) 6. Release: Final security review to check whether the software is ready for the market 7. Response: Process to react on exploits fast and comprehensively C. Karg (Information Systems Security) 4. Security Engineering 44 / 53
23 Common Security Mechanisms Common Security Mechanisms User identification and authentification Management and enforcement of user permissions Auditing Recycling of common used resources Maintenance of system availability C. Karg (Information Systems Security) 4. Security Engineering 45 / 53 Common Security Mechanisms User Identification And Authentication User Identification And Authentication Goal: Defense against masquerading attacks and unauthorized access Requirements: Subjects must have an unique identifier Mandatory authentification mechanism Common authentication mechanisms: Passwords ( What you know ) Smart cards or security tokens ( What you have ) Biometric authentication ( What you are ) C. Karg (Information Systems Security) 4. Security Engineering 46 / 53
24 Common Security Mechanisms User Permissions User Permissions Goal: Prevent unauthorized access to files and other system resources. Approach: a users needs the appropriate rights to access an object. The assignment of permissions must be viewed as a dynamic process. Usually, a policy regulates which permissions are assigned to an user. Role-based approach: a user gets only the permissions which are necessary for the user s tasks. Owner Principle: only the owner of an object can modify its permissions. C. Karg (Information Systems Security) 4. Security Engineering 47 / 53 Common Security Mechanisms Enforcement Of User Permissions Enforcement Of User Permissions User permissions must be enforced to prevent unauthorized access of information and resources. Complete mediation: every access to every object must be checked. Complete mediation is difficult to implement. Implementation via file handles and file descriptors. Challenge: Removal of permissions of resources which are already in usage. C. Karg (Information Systems Security) 4. Security Engineering 48 / 53
25 Common Security Mechanisms Audits Audits Goal: Collect data to analyze computer systems after an attack, ant to prevent suspects to deny their actions A security policy regulates which data is collected Usually the following data is gathered: Authentification attempts of users Access to files, system resources, databases Logs of web servers Changes of user permissions Important: the access to the data logs must be controlled to protect the users privacy. C. Karg (Information Systems Security) 4. Security Engineering 49 / 53 Common Security Mechanisms Recycling Of Common Used Resources Recycling Of Common Used Resources Goal: Preparation of commonly used resources to prevent information leakage. Commonly used resources: Main memory of a computer Hard disks or network shares Portable storage such as USB sticks Laptops and mobile phones used as substitutes in case of a hardware defect A policy should rule how a freed resource is recycled. C. Karg (Information Systems Security) 4. Security Engineering 50 / 53
26 Common Security Mechanisms Maintenance Of System Availability Maintenance Of System Availability Goal: Prevention of Denial-Of-Service Attacks Approach: Prioritization of the importance of the deployed services The redundancy of critical hardware components improves the availability. An emergency plan defines processes to recover from an incident such as system failure or a DOS attack. C. Karg (Information Systems Security) 4. Security Engineering 51 / 53 Summary Summary Security engineering is a kind of systems engineering which focuses on security topics concerning IT systems. The development phases are analysis of the infrastructure, modeling of security policies, and deployment of a security architecture. Security Development Life is an approach to improve security in software development. Security engineering is an ongoing process. C. Karg (Information Systems Security) 4. Security Engineering 52 / 53
27 Summary References J. R. Vacca: Computer And Information Security Handbook, Morgan-Kaufman, R. J. Anderson: Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley, A. Basta, W. Halton: Computer Security and Penetration Testing, Thomson, J. Slay, A. Koronios: Information Technology Security & Risk Management, Wiley, OWASP Project: Threat Risk Modeling (https: // C. Karg (Information Systems Security) 4. Security Engineering 53 / 53
Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationEntire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com
Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center www.praetorian.com Threat Modeling "Threat modeling at the design phase is really the only way to
More informationThreat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP
Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat
More informationInformation Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
More informationThreat modeling. Tuomas Aura T-110.4206 Information security technology. Aalto University, autumn 2011
Threat modeling Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Threats Threat = something bad that can happen Given an system or product what are the threats against
More informationInformation & Communication Security (SS 15)
Information & Communication Security (SS 15) Security Engineering Dr. Jetzabel Serna-Olvera @sernaolverajm Chair of Mobile Business & Multilateral Security Goethe University Frankfurt www.m-chair.de Introduction
More informationSecurity Testing. How security testing is different Types of security attacks Threat modelling
Security Testing How security testing is different Types of security attacks Threat modelling Note: focus is on security of applications (not networks, operating systems) Security testing is about making
More informationMobile Application Threat Analysis
The OWASP Foundation http://www.owasp.org Mobile Application Threat Analysis Ari Kesäniemi Nixu Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationNetwork Security Policy
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
More informationUnderstanding and evaluating risk to information assets in your software projects
Understanding and evaluating risk to information assets in your software projects ugh.. what a mouthful Dana Epp Windows Security MVP Who am I? Microsoft Windows Security MVP Information Security Professional
More informationISSECO Syllabus Public Version v1.0
ISSECO Syllabus Public Version v1.0 ISSECO Certified Professional for Secure Software Engineering Date: October 16th, 2009 This document was produced by the ISSECO Working Party Syllabus Introduction to
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationLocking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
More informationPart I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationJort Kollerie SonicWALL
Jort Kollerie Cloud 85% of businesses said their organizations will use cloud tools moderately to extensively in the next 3 years. 68% of spend in private cloud solutions. - Bain and Dell 3 Confidential
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationREPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB
REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of
More informationCourse: Information Security Management in e-governance
Course: Information Security Management in e-governance Day 2 Session 2: Security in end user environment Agenda Introduction to IT Infrastructure elements in end user environment Information security
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationGuidelines for Website Security and Security Counter Measures for e-e Governance Project
and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online
More informationAPPLICATION THREAT MODELING
APPLICATION THREAT MODELING APPENDIX PROCESS FOR ATTACK SIMULATION AND THREAT ANALYSIS Marco M. Morana WILEY Copyrighted material Not for distribution 1 2 Contents Appendix process for attack simulation
More informationCITY OF BOULDER *** POLICIES AND PROCEDURES
CITY OF BOULDER *** POLICIES AND PROCEDURES CONNECTED PARTNER EFFECTIVE DATE: SECURITY POLICY LAST REVISED: 12/2006 CHRISS PUCCIO, CITY IT DIRECTOR CONNECTED PARTNER SECURITY POLICY PAGE 1 OF 9 Table of
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationThreat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda
Threat Modeling/ Security Testing Presented by: Tarun Banga Sr. Manager Quality Engineering, Adobe Quality Leader (India) Adobe Systems India Pvt. Ltd. Agenda Security Principles Why Security Testing Security
More informationThreat Modeling. 1. Some Common Definition (RFC 2828)
Threat Modeling Threat modeling and analysis provides a complete view about the security of a system. It is performed by a systematic and strategic way for identifying and enumerating threats to a system.
More informationCOSC 472 Network Security
COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: ealu@salisbury.edu Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html
More informationSection 12 MUST BE COMPLETED BY: 4/22
Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege
More informationA Practical Approach to Threat Modeling
A Practical Approach to Threat Modeling Tom Olzak March 2006 Today s security management efforts are based on risk management principles. In other words, security resources are applied to vulnerabilities
More informationWICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise
WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Corporation http://www.wicksoft.com Copyright WICKSoft 2007. WICKSoft Mobile Documents
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationFISMA / NIST 800-53 REVISION 3 COMPLIANCE
Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationCSC 474 Information Systems Security
CSC 474 Information Systems Security Introduction About Instructor Dr. Peng Ning, assistant professor of computer science http://www.csc.ncsu.edu/faculty/ning pning@ncsu.edu (919)513-4457 Office: Room
More informationChap. 1: Introduction
Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationWeb Application Remediation. OWASP San Antonio. March 28 th, 2007
Web Application Remediation OWASP San Antonio March 28 th, 2007 Agenda Introduction The Problem: Vulnerable Web Applications Goals Example Process Overview Real World Issues To Address Conclusion/Questions
More informationSecurity and Vulnerability Testing How critical it is?
Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today Security and Vulnerability Testing - Challenges and
More informationSecureAge SecureDs Data Breach Prevention Solution
SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationSoftware Application Control and SDLC
Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to
More informationGuidelines for Web applications protection with dedicated Web Application Firewall
Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security
More informationDatabase Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG
Database Security Guideline Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG Table of Contents Chapter 1 Introduction... 4 1.1 Objective... 4 1.2 Prerequisites of this Guideline...
More informationFormFire Application and IT Security. White Paper
FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development
More informationDid you know your security solution can help with PCI compliance too?
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
More informationA Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationMicrosoft STRIDE (six) threat categories
Risk-based Security Testing: Prioritizing Security Testing with Threat Modeling This lecture provides reference material for the book entitled The Art of Software Security Testing by Wysopal et al. 2007
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More information10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)
1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction
More informationIntel Enhanced Data Security Assessment Form
Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized
More informationIntroduction to Information Security
Introduction to Information Security Chapter 1 Information Security Basics Winter 2015/2016 Stefan Mangard, www.iaik.tugraz.at What is Information Security? 2 Security vs. Safety The German word Sicherheit
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationIntroduction to Computer Security
Introduction to Computer Security (ECE 458) Vijay Ganesh Spring 2014 Online Resources, Books, Notes,... Books Introduction to Computer Security by Matt Bishop Computer Security: Art and Science by Matt
More informationThe introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.
1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood
More informationContent Teaching Academy at James Madison University
Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationCertified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison
CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0
Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview
More informationUniversity of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template
University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative
More informationINFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION
INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationUNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved
18570909 CPA SECURITY CHARACTERISTIC REMOTE DESKTOP Version 1.0 Crown Copyright 2011 All Rights Reserved CPA Security Characteristics for CPA Security Characteristic Remote Desktop 1.0 Document History
More informationMCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features
MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security
More informationGuide to Vulnerability Management for Small Companies
University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationOpen Data Center Alliance Usage: Provider Assurance Rev. 1.1
sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS
More informationThreat Modeling: The Art of Identifying, Assessing, and Mitigating security threats
Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats Mohamed Ali Saleh Abomhara University of Agder mohamed.abomhara@uia.no Winter School in Information Security, Finse May
More informationSECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014
SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security
More informationArchitecture. The DMZ is a portion of a network that separates a purely internal network from an external network.
Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part
More information1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services
1. Computer Security: An Introduction Definitions Security threats and analysis Types of security controls Security services Mar 2012 ICS413 network security 1 1.1 Definitions A computer security system
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationIT Compliance Volume II
The Essentials Series IT Compliance Volume II sponsored by by Rebecca Herold Addressing Web-Based Access and Authentication Challenges by Rebecca Herold, CISSP, CISM, CISA, FLMI February 2007 Incidents
More informationTop Five Ways to Protect Your Network. A MainNerve Whitepaper
A MainNerve Whitepaper Overview The data security challenges within the business world have never been as challenging as they are today. Not only must organizations providers comply with stringent State
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationPlain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75
Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.
More informationBuilding a Corporate Application Security Assessment Program
Building a Corporate Application Security Assessment Program Rob Jerdonek and Topher Chung Corporate Information Security Intuit Inc. July 23, 2009 Copyright The Foundation Permission is granted to copy,
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationA Systems Engineering Approach to Developing Cyber Security Professionals
A Systems Engineering Approach to Developing Cyber Security Professionals D r. J e r r y H i l l Approved for Public Release; Distribution Unlimited. 13-3793 2013 The MITRE Corporation. All rights reserved.
More informationCONTENTS. PCI DSS Compliance Guide
CONTENTS PCI DSS COMPLIANCE FOR YOUR WEBSITE BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationSecurity Goals Services
1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance;
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationF5 and Microsoft Exchange Security Solutions
F5 PARTNERSHIP SOLUTION GUIDE F5 and Microsoft Exchange Security Solutions Deploying a service-oriented perimeter for Microsoft Exchange WHAT'S INSIDE Pre-Authentication Mobile Device Security Web Application
More informationSecuring Data on Microsoft SQL Server 2012
Securing Data on Microsoft SQL Server 2012 Course 55096 The goal of this two-day instructor-led course is to provide students with the database and SQL server security knowledge and skills necessary to
More informationVulnerability Management in an Application Security World. January 29 th, 2009
Vulnerability Management in an Application Security World OWASP San Antonio January 29 th, 2009 Agenda Background A Little Bit of Theatre You Found Vulnerabilities Now What? Vulnerability Management The
More information