Secure Software Update Service (SSUS) White Paper
White Paper
Secure Software Update Service (SSUS) White Paper

Author: Jeffrey Menoher
Document Version: r03c
Publish Date: 9/6/2013

Secure. Reliable. Fast

Problem

Many software updates, including operating system patches and antivirus signature update files, are obtained from trusted enclaves that are accessible across the Internet. When software must be updated on platforms that are isolated, a security problem arises because isolated Industrial Control System (ICS) networks cannot be connected to the Internet; the risk of cyber attack is too great. The problem is how to get the software update onto the isolated ICS network without incurring an unacceptable risk of cyber attack.

Solution

This paper describes the Secure Software Update Service (SSUS), a software product that provides a controlled file transfer interface that restricts passage to one of three paths: 1) a predetermined set of white list files, which are verified by hash number; 2) scanning by one or more anti-malware scanning engines; or 3) both anti-malware scanning and white list verification. SSUS file transfer is machine-to-machine, eliminating vulnerabilities associated with manual transfer of portable media ("walk-net"). SSUS is specifically designed to satisfy data filter security requirements for transferring software updates across cyber-domain perimeters, and specifically addresses the security requirement for transferring approved executable software application files into isolated ICS networks. Software updates include operating system patches, antivirus signature updates, and other executable files that are particularly difficult to filter. SSUS may be implemented as a standalone software application or as an appliance integrated with DualDiode one-way data transfer technology.

Keywords

SSUS, DualDiode, OwlCTI, software update, OS patch, data filter, white list, manifest

38A Grove Street, Suite 101, Ridgefield, CT
Table of Contents

1 Introduction
  1.1 The Problem
    1.1.1 The Isolated Platform Update Problem
    The Antivirus Update Catch-22 Problem
  1.2 Business Requirement
2 The Virtues of White Lists
  2.1 Hash Number Authentication
3 Secure Software Update Service
  3.1 SSUS Functions and Feature Summary
  3.2 SSUS Administration
  3.3 SSUS Architecture
  3.4 Creation of the White-List Manifest Table
4 DualDiode Technology
  4.1 DualDiode Hardware
  4.2 SSUS Integration with Owl Hardware
5 Summary

Table of Figures

Figure 1: Isolation of ICS Cyber Asset Computer Platforms
Figure 2: Secure Update Transfer Gateway Concept
Figure 3: Hash Number Verification Paradigm
Figure 4: SSUS Concept
Figure 5: SSUS Architecture Diagram
Figure 6: DualDiode Card Installation
Figure 7: Small Form Factor DualDiode and Server Package
Figure 8: SSUS Integrated with OPDS

White-Paper_SSUS_r02g.docx Page ii
1 Introduction

This white paper identifies a software update business requirement and the problem of transferring software updates and virus signature updates into a sensitive or secure network environment, and indicates how the Secure Software Update Service (SSUS) product from OwlCTI solves the problem. In addition to moving software update files, SSUS is also capable of securely moving general-purpose files.

SSUS comprises a file transfer system integrated with a hash verification system that can compare the hash numbers of incoming files with a white list of hash numbers that have been pre-approved. SSUS can also submit incoming files to one or more anti-virus scan engines. SSUS is designed to integrate cleanly with existing corporate software update processes. SSUS is easy to install in existing network architectures and is easy to use.

SSUS specifically addresses the security requirement for transferring approved executable software application files into isolated ICS networks. Approved executable software application files include operating system patches and anti-malware signature files that must be updated on a regular basis without introducing vulnerabilities associated with walk-net.

1.1 The Problem

Protection of data from undesired and unauthorized data disclosure, interception, or alteration has been a perennial concern in the field of network security. For example, firewall and anti-malware software have been developed to address security concerns for computers and networks connected to the internet and to protect them from possible cyber attacks. Despite great progress in firewall technology and malware detection methods, these solutions still suffer from a number of vulnerabilities. These vulnerabilities may be exploited through the network, or by malicious or subverted human operators: the so-called "insider threat" problem.
Software applications and operating systems, whether for direct use on a computer or embedded in other devices, often need to be installed before initial use and updated periodically during the lifetime of such computer or device. This is also true for firmware, whether running on a general-purpose computer or embedded in a special-purpose device or system. Examples of software/firmware updates include new versions (software releases) to add features, fix known problems, or support the connection and use of additional hardware or software components and subsystems.

Many software updates, including operating system patches and antivirus signature update files, are obtained from trusted enclaves that are accessible across the internet. When software must be updated on platforms that are isolated, a security problem arises because isolated ICS networks cannot be connected to the internet; the risk of cyber attack is too great. The problem is how to get the software update onto the isolated ICS network without incurring an unacceptable risk of cyber attack.

It is increasingly popular for software sources to publish software updates on internet servers for retrieval by end users who wish to update their platforms. However, regulatory and/or security requirements may forbid the network updating and/or the introduction of physical media into a facility where the systems requiring the install payload are located because of the sensitive or critical nature of such facility. ICS networks associated with electrical power, oil pipelines, and other Critical Infrastructures are good examples of sensitive networks that must remain isolated from the internet or other networks.
1.1.1 The Isolated Platform Update Problem

The following diagram, Figure 1, shows an isolated ICS network and a corporate administration network that are isolated from one another. Though secure from the perspective of denying unauthorized network access, this approach results in other operational inefficiencies and difficulties, such as severely inhibiting the flow of necessary information from the applications or devices attached to the isolated network and complicating the software update and maintenance of the applications and devices on the protected network and its computers.

Figure 1: Isolation of ICS Cyber Asset Computer Platforms

When an online-based approach is used in enterprise settings for software updates, it is common for payloads to be first moved from the source manufacturer or developer onto a staging server where they reside awaiting verification, testing, and installation. Administrators retrieve the payloads, or automatic routines operate to proactively provision the updates, and deliver them to other devices connected to the server's network. This network-connected automatic updating is allowed by some security policies.

Alternatively, systems administration personnel access the staging server, or the manufacturer or developer source, to retrieve installation payloads on various media (CD, USB, laptop, or other portable media). This manual process is a common method allowed under company security policies. This manual carriage of portable storage media across network boundaries is popularly referred to as "walk-net".

In practice, software update files are often written to portable media such as USB drives and DVDs. While the ICS network remains isolated by "air gap" using this method, the ICS network is still vulnerable to a variety of cyber attack threats that may be carried by portable media.
The Stuxnet worm is a prime example of such a threat.

The Antivirus Update Catch-22 Problem

In order to protect isolated ICS networks, a frequently-encountered security requirement states that all incoming files must be scanned with anti-virus software. There are two problems with this security requirement:

1. Anti-virus software applications have a poor track record of protecting against malicious software that has not yet been identified as such. These attacks are popularly called "zero day" attacks. Again, Stuxnet provides a useful example of a successful zero-day attack. While Stuxnet contained some code fragments from previously-identified malware, it was not detectable as malware in its most-recently-evolved form.

2. Anti-virus software applications typically block their own anti-virus signature update files, which are executable and contain virus code fragments. This creates a "Catch-22" problem for anti-virus software maintenance, and a problem maintaining security standards on isolated ICS networks.

Similar problems exist for operating system patches, which are also executable, which have been known to introduce bugs as well as bug fixes, and are often blocked by perimeter access systems that enforce a non-executable-files-only security policy.

1.2 Business Requirement

Let us assume that the organization that owns the ICS network also has a corporate network connected to the internet and an internal approval authority empowered to approve updates to platforms on the ICS network, as shown below in Figure 2.

While read/write media may be used to deliver software updates into isolated platforms on the ICS network, this method is prone to a variety of human errors. It is far more desirable to create a trusted automated transfer method to convey software updates in the form of files while maintaining robust isolation of sensitive networks. A better method is to provide an independent authorization method that imposes a "two person" authentication process. The authorization/authentication method may be implemented using hash numbers as described below and may be supplemented with anti-virus scanning.

Figure 2: Secure Update Transfer Gateway Concept

2 The Virtues of White Lists

Let us assume that the source of a software update is, in fact, a trusted entity. Examples of trusted entities include security companies, such as McAfee and Symantec, and software companies that issue application updates and OS patches, such as Microsoft and Apple. If the source is trusted, then the update file may be considered pristine at its source. Furthermore, a unique authentication (hash) key may be created for the file by the source or another trusted entity.
These assumptions imply that a specific list of approved files could be created for transfer into the ICS network. Such a list is usually referred to as a "white list". If a file can be verified or authenticated as a white list entry, then further security scanning such as anti-virus scanning may not be required. From these assumptions, the following transfer scenarios may be considered safe:

- The file passes from the trusted source to the ICS network via a trusted path that is not subject to malicious or inadvertent tampering (not as easy as it sounds).
- The file passes from the trusted source to a controlled-access gateway on the ICS network via an untrusted path, but is tested against an authentication (hash) key and/or scanned for viruses and malware before transfer into the ICS network.

2.1 Hash Number Authentication

The following algorithm uses hash numbers to verify the integrity of a file transported across an untrusted path. It is shown below in Figure 3. This algorithm is routinely used to validate software updates downloaded from the internet.

Figure 3: Hash Number Verification Paradigm

Note that the reference hash numbers may be produced by the software update source organization, or by an independent (trusted) Quality Assurance testing organization.

3 Secure Software Update Service

This paper describes the Owl Secure Software Update Service (SSUS), a software product that provides a controlled file transfer method that restricts transfer to a predetermined set of "white-list" files, with or without anti-virus scanning. The SSUS software filtering solution enables a secure one-way transfer of files into highly-secure ICS networks. Software updates include operating system patches and anti-virus signature updates. SSUS also permits transfer of data files (non-executables). SSUS may be implemented as a standalone software application or as an appliance integrated with DualDiode one-way data transfer technology.

SSUS permits files to pass through only if
SSUS permits files to pass through only if White-Paper_SSUS_r02g.docx Page 4 of 10
they are listed on a "white list" or "manifest" of approved files that includes verifiable hash numbers, or if they pass the selected anti-virus scans, or both. This paper explains how SSUS can help maintain a resilient, current cyber-defense infrastructure while maintaining robust isolation of ICS networks in Critical Infrastructures.

With Owl's SSUS, an executable or data file can be individually validated against a manifest (or white list) consisting of pre-configured hash numbers, or signatures, held within the platform. These hash numbers are provided by the file originator and certify the file's integrity. Files which produce a hash number matching an entry in the manifest are considered valid and are transferred across the DualDiode one-way link. Those files with no manifest match are denied transfer and are quarantined or deleted by the SSUS software.

In addition to providing the standard anti-malware option for file validation, SSUS enables the reliable and auditable transfer of software patches and executable files, such as anti-malware signature updates, which are otherwise blocked by the most-frequently-used anti-malware filtering techniques. The SSUS is flexible, supporting multiple options for transferring a file across the security perimeter into a secure ICS network. The SSUS concept is shown below in Figure 4.

Figure 4: SSUS Concept

3.1 SSUS Functions and Feature Summary

SSUS is a robust, highly-scalable solution that cost-effectively addresses the need to thoroughly screen files for malware prior to transferring them across an electronic security perimeter. Owl's patented DualDiode technology enforces the electronic security perimeter, and our perimeter defense platform also serves as a central facility for file scanning. Owl's architectural approach is designed to reduce operational cost and maintenance time by deploying a centralized scan engine resource that can support hundreds of geographically-dispersed users. AV scan or manifest signature updates are applied instantly and uniformly to all users regardless of their location.

The following is a summary of key features of Owl's SSUS solution:

- SSUS is a highly-scalable solution, deployable with any Owl platform, such as OPDS-100, OPDS-MP, and server-based EPDS solutions, or as a standalone package that can be added to an existing system.
- SSUS can be configured to support up to three unique scan paths: an AV scan path, a manifest path, and a combined AV scan and manifest scan path.
- The system can support multiple AV scan engines and allows the Security Administrator to add, delete, and update AV scan engines.
- SSUS supports a manifest file which can be updated by the Security Administrator. The manifest file stores the hash keys for files that are allowed to be transferred to the high-security domain.
- SSUS supports three roles: User, System Administrator, and Security Administrator.
  o The User role is allowed to log into the system and select and upload files to be scanned and transferred across the DualDiode to the higher-security domain.
  o The System Administrator role is responsible for configuring system parameters and monitoring usage, along with adding and deleting users.
  o The Security Administrator role sets system security parameters and monitors system logs and usage activity. The Security Administrator also has access to all files transferred through the system.
- SSUS can be integrated into an existing active directory.
- The System Administrator function has the ability to define system access privilege on a per-user basis.
- SSUS can be optioned with the Owl Performance Management Service (OPMS) to enhance Administrator notification of malware detection or other alert conditions.
3.2 SSUS Administration

SSUS is administered according to Role Based Access Control (RBAC) that enforces separation of duties and access restrictions according to administration role type. The system supports three roles: a User role, a System Administrator role, and a Security Administrator role:

- From the source network, the User role is granted permission to access the system for the purpose of uploading files to be scanned. On the destination network, the User is allowed to copy scanned files that have been transferred across the electronic security perimeter to removable media.
- The System Administrator role configures system operation and can monitor system status. This role has the ability to add or delete users, set system configuration parameters, and view system logs.
- The Security Administrator role can restrict file scans and transfers to specific file classes by creating a white list of file classes. All other file types will be quarantined. In addition, the Security Administrator is able to view system status and system logs, view user activity, and access all files transferred across the security boundary by any user.
3.3 SSUS Architecture

Figure 5: SSUS Architecture Diagram

Referring to Figure 5 above, there are three possible paths through the SSUS system:

- The first option allows users to transfer files only after they have gone through successful examination by one or more anti-malware engines. SSUS allows a Security Administrator to update AV scan signatures available for the anti-malware engines, ensuring protection against the latest known threats. Future capability will be to support automatic updates.
- A second option is based on white list filtering of files, ensuring that only previously-approved files or file classes are transferred across the security perimeter. This option or data path involves the calculation of a file hash (signature) for each file the user intends to transfer. The file's hash must match a corresponding hash in the manifest or the file will be blocked from transferring. If no match is found, the incident will be logged and the file will be quarantined or deleted. The manifest file is managed by a trusted administrator, ensuring tight control over which files are transferred. Strict RBAC on SSUS ensures that only authorized administrators can manipulate the manifest contents.
- The third option leverages the security benefits of both options by first scanning the file with the latest anti-malware examination and then checking if the file's hash matches a hash in the manifest.
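The hash check of section 2.1 and the three paths listed above, as an added Python example (not Owl's code and not part of the white paper). The manifest line format, the function names and the stand-in scan engine are assumptions made for illustration; all sample files are constructed.

```python
"""Added illustration of a manifest (white list) gate with optional scanning.

Not Owl's implementation: the manifest line format, all names and the
stand-in scan engine are assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, Optional, Sequence

# Hex digest length -> hashlib name, covering MD5 through SHA-512.
# MD5 and SHA-1 have known collision attacks, so SHA-256 or stronger is the
# better choice for new manifest entries.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 56: "sha224",
                   64: "sha256", 96: "sha384", 128: "sha512"}

Manifest = Dict[str, Dict[str, str]]  # algorithm -> {digest: approved file name}
Scanner = Callable[[bytes], bool]     # returns True when the file looks clean


class TransferPath(Enum):
    AV_ONLY = "av"
    MANIFEST_ONLY = "manifest"
    AV_AND_MANIFEST = "av+manifest"


@dataclass(frozen=True)
class Verdict:
    transfer: bool
    reason: str


def load_manifest(lines: Iterable[str]) -> Manifest:
    """Parse 'file_name hex_digest' lines (assumed format) into a lookup table."""
    manifest: Manifest = {}
    for raw in lines:
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            raise ValueError(f"manifest entry without a hash: {raw!r}")
        name, digest = fields[0], fields[1].lower()
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"unusable hash for manifest entry {name!r}")
        manifest.setdefault(algo, {})[digest] = name
    return manifest


def manifest_match(data: bytes, manifest: Manifest) -> Optional[str]:
    """Hash the file once per algorithm in use; return the approved name or None."""
    for algo, entries in manifest.items():
        name = entries.get(hashlib.new(algo, data).hexdigest())
        if name is not None:
            return name
    return None


def gate(data: bytes, path: TransferPath, manifest: Manifest,
         scanners: Sequence[Scanner] = ()) -> Verdict:
    """Decide transfer or quarantine for one file on the selected path."""
    if path in (TransferPath.AV_ONLY, TransferPath.AV_AND_MANIFEST):
        if not scanners:  # fail closed when a scan path has no engine
            return Verdict(False, "quarantine: no scan engine configured")
        if not all(scan(data) for scan in scanners):
            return Verdict(False, "quarantine: flagged by a scan engine")
    if path in (TransferPath.MANIFEST_ONLY, TransferPath.AV_AND_MANIFEST):
        name = manifest_match(data, manifest)
        if name is None:
            return Verdict(False, "quarantine: no manifest match")
        return Verdict(True, f"transfer: manifest match for {name}")
    return Verdict(True, "transfer: passed all scan engines")


MARKER = b"CONSTRUCTED-SIGNATURE-PATTERN"  # constructed, not a real signature


def toy_scanner(data: bytes) -> bool:
    """Stand-in scan engine: clean unless the constructed marker is present."""
    return MARKER not in data


def demo() -> Dict[str, Verdict]:
    # Constructed sample files; no real update content.
    sig_update = b"signature database v1 " + MARKER  # trips the scan engine
    os_patch = b"constructed OS patch bytes"
    tampered = os_patch + b"\x00"                    # altered on the untrusted path
    # The approval authority hashes the pristine files and issues the manifest.
    manifest = load_manifest([
        "# file_name hash_value",
        f"sig_update.bin {hashlib.sha256(sig_update).hexdigest()}",
        f"os_patch.bin {hashlib.md5(os_patch).hexdigest().upper()}",
    ])
    engines = [toy_scanner]
    return {
        "sig_update/av": gate(sig_update, TransferPath.AV_ONLY, manifest, engines),
        "sig_update/manifest": gate(sig_update, TransferPath.MANIFEST_ONLY, manifest),
        "sig_update/both": gate(sig_update, TransferPath.AV_AND_MANIFEST, manifest, engines),
        "os_patch/both": gate(os_patch, TransferPath.AV_AND_MANIFEST, manifest, engines),
        "tampered/av": gate(tampered, TransferPath.AV_ONLY, manifest, engines),
        "tampered/manifest": gate(tampered, TransferPath.MANIFEST_ONLY, manifest),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22} {verdict.reason}")
```

The signature update is quarantined on both scan paths and passes only on the manifest path, which is the Catch-22 case from section 1.1; the altered patch passes the scan-only path but is stopped by the manifest.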
Additional security is enforced by Owl's Remote File Transfer Service (RFTS), which manages all file transfers as well as manifest updates within SSUS. Hash signatures are placed in the manifest by RFTS via a dedicated TCP port. Files sent by a properly-authenticated user and destined for the secure ICS network are moved to SSUS by RFTS. Once the files are transferred across the DualDiode one-way link, Owl RFTS or other file transfer protocols (such as FTP) may be used to transport the files to their destination on the secure ICS network. This example uses Owl's Secure Network Transfer System (SNTS) to move the files across the DualDiode.

3.4 Creation of the White-List Manifest Table

The customer creates an Owl file manifest table:

- The customer defines the files that are allowed to be transferred.
- The file manifest table is sent to the Owl Send Server using RFTS.
- The file manifest table is stored on the Owl Send Server.
- The file manifest table supports the following hash values:
  MD5-SHA160
  SHA224-SHA256
  SHA384-SHA512

Example:
File Name ( v5i32.exe)
Hash Value (5B0E88F4E5F8CEAC5D1E485430EC6C2B)
Source (

4 DualDiode Technology

Among other advantages, one-way data transfers deny the possibility of network probing for vulnerability, a prelude for cyber attacks. When one-way data transfer security policy is rendered in hardware, it is physically impossible to send messages of any kind in the reverse direction. Physical one-way links cannot be hacked with software and are used by the US Department of Defense (DoD) and Intelligence Community (IC) for isolating their high-security networks. Hardware-enforced data diodes are considered the most secure. The US National Institute of Standards and Technology (NIST) provides a specific security control (AC-4.7) that describes hardware-enforced, one-way information flow control as a threat-mitigation method.
4.1 DualDiode Hardware

DualDiode hardware comprises a pair of one-way communication cards that are specifically engineered to transfer data in one direction only. The Send-Only card is installed in the Send Host Server platform and the Receive-Only card is installed in the Receive Host Server platform as shown below in Figure 6. The two cards (and the two platforms) communicate through a single optical fiber that connects the communication cards.
Figure 6: DualDiode Card Installation

Once cards are installed in their respective host servers, the servers operate as Send and Receive communication gateways for their respective networks. Send and Receive gateway platforms may be packaged in a single 1U rack-mount enclosure as shown below in Figure 7.

Figure 7: Small Form Factor DualDiode and Server Package

Note that the DualDiode system comprises a hardware pipeline architecture that contains two diodes and a clear network boundary located between the diodes. Should one diode fail, the other will be unable to pass any kind of data, including malicious data; the connected networks remain isolated.

DualDiode transfer systems do not lose data, and no forward error correction methods are required. Multiple levels of data integrity checking, along with inherently-high quality of service of underlying ATM technology, enable the DualDiode to move terabyte-size files consistently and without error and to move large numbers of very small files efficiently.

4.2 SSUS Integration with Owl Hardware

SSUS may stand alone as a software application or may be integrated into Owl hardware platforms equipped with DualDiode technology to provide robust isolation for the ICS network. A representation of SSUS integrated with an Owl Perimeter Defense Solution (OPDS) is shown below in Figure 8. A sample SSUS system comprises the following components:

- An OPDS DualDiode hardware platform
- RFTS software application modules
- SNTS software application modules
- SSUS software application module
Figure 8: SSUS Integrated with OPDS

5 Summary

This paper describes the Secure Software Update Service (SSUS), a software product that provides a controlled file transfer interface that restricts passage of executable software to a predetermined set of "white list" files. These files are verified by hash number. Files may also be subjected only to scanning by one or more anti-virus scan engines, and a path may be chosen that includes both anti-virus scans and hash number verification.

SSUS file transfer is machine-to-machine, eliminating vulnerabilities associated with manual transfer of portable media ("walk-net"). SSUS is specifically designed to satisfy data filter security requirements for transferring software updates across cyber-domain perimeters, and specifically addresses the security requirement for transferring approved executable software application files into isolated Industrial Control System (ICS) networks. Software updates include operating system patches, anti-virus signature updates, and other executable files that are particularly difficult to filter. SSUS may be implemented as a standalone software application or as an appliance integrated with DualDiode one-way data transfer technology.

END OF DOCUMENT
More informationXerox Next Generation Security: Partnering with McAfee White Paper
Xerox Next Generation Security: Partnering with McAfee White Paper 1 Background Today s MFPs are complex embedded systems. They contain, among other things, full scale operating systems, embedded web servers,
More informationCYBER SECURITY. Is your Industrial Control System prepared?
CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect Operation & Optimization Software Activity Schneider-Electric Challenges What challenges are there
More informationRunning A Fully Controlled Windows Desktop Environment with Application Whitelisting
Running A Fully Controlled Windows Desktop Environment with Application Whitelisting By: Brien M. Posey, Microsoft MVP Published: June 2008 About the Author: Brien M. Posey, MCSE, is a Microsoft Most Valuable
More informationKaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com
Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More informationCritical Security Controls
Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security
More informationSecureAge SecureDs Data Breach Prevention Solution
SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal
More informationTABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY
IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...
More informationBest Practices for DanPac Express Cyber Security
March 2015 - Page 1 Best Practices for This whitepaper describes best practices that will help you maintain a cyber-secure DanPac Express system. www.daniel.com March 2015 - Page 2 Table of Content 1 Introduction
More informationSecurity Implications Associated with Mass Notification Systems
Security Implications Associated with Mass Notification Systems Overview Cyber infrastructure: Includes electronic information and communications systems and services and the information contained in these
More informationDid you know your security solution can help with PCI compliance too?
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
More informationManaged Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?
Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationHow To Protect A Network From Attack From A Hacker (Hbss)
Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures DAVID COLE, DIRECTOR IS AUDITS, U.S. HOUSE OF REPRESENTATIVES Assessment Planning Assessment Execution Assessment
More informationPCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationHost-based Protection for ATM's
SOLUTION BRIEF:........................................ Host-based Protection for ATM's Who should read this paper ATM manufacturers, system integrators and operators. Content Introduction...........................................................................................................
More informationUNCLASSIFIED Version 1.0 May 2012
Secure By Default: Platforms Computing platforms contain vulnerabilities that can be exploited for malicious purposes. Often exploitation does not require a high degree of expertise, as tools and advice
More informationUtilizing Pervasive Application Monitoring and File Origin Tracking in IT Security
4 0 0 T o t t e n P o n d R o a d W a l t h a m, M A 0 2 4 5 1 7 8 1. 8 1 0. 4 3 2 0 w w w. v i e w f i n i t y. c o m Utilizing Pervasive Application Monitoring and File Origin Tracking in IT Security
More informationDocument ID. Cyber security for substation automation products and systems
Document ID Cyber security for substation automation products and systems 2 Cyber security for substation automation systems by ABB ABB addresses all aspects of cyber security The electric power grid has
More informationThe Comprehensive Guide to PCI Security Standards Compliance
The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationCertification Report
Certification Report EAL 2+ Evaluation of Symantec Endpoint Protection Version 12.1.2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and
More informationTECHNICAL WHITE PAPER. Symantec pcanywhere Security Recommendations
TECHNICAL WHITE PAPER Symantec pcanywhere Security Recommendations Technical White Paper Symantec pcanywhere Security Recommendations Introduction... 3 pcanywhere Configuration Recommendations... 4 General
More informationMcAfee Security Architectures for the Public Sector
White Paper McAfee Security Architectures for the Public Sector End-User Device Security Framework Table of Contents Business Value 3 Agility 3 Assurance 3 Cost reduction 4 Trust 4 Technology Value 4 Speed
More informationAgilent Technologies Electronic Measurements Group Computer Virus Control Program
Agilent Technologies Electronic Measurements Group Computer Virus Control Program Agilent Technologies Electronic Measurements Group (EMG) recognizes the potential risk of computer virus infection that
More informationCNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:
1. Do you implement virus controls and filtering on all systems? Anti-Virus anti-virus software packages look for patterns in files or memory that indicate the possible presence of a known virus. Anti-virus
More informationOwl Products Help Manage Medical Information Security in Compliance with HIPAA Regulations
Owl Products Help Manage Medical Information Security in Compliance with HIPAA Regulations Abstract: Owl Computing Technologies offers a secure one-way data transfer system that provides significant security
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationCorreLog Alignment to PCI Security Standards Compliance
CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationHow To Audit The Mint'S Information Technology
Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit
More informationAll Data Diodes Are Not Equal
White Paper All Data Diodes Are Not Equal Author: Jeffrey Menoher Document Version: r03c Publish Date: 9/6/2013 Secure. Reliable. Fast Abstract This paper describes various implementations of physical
More informationSecond-generation (GenII) honeypots
Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they
More informationTHE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols
THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE
More informationCIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System
CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System Purpose CIP-005-5 R2 is focused on ensuring that the security of the Bulk Energy System is not compromised
More informationMANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But
More informationNERC CIP VERSION 5 COMPLIANCE
BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining
More informationMANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.
More informationMcAfee Web Gateway Administration Intel Security Education Services Administration Course Training
McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationSECURITY PLATFORM FOR HEALTHCARE PROVIDERS
SECURITY PLATFORM FOR HEALTHCARE PROVIDERS Our next-generation security platform prevents successful cyberattacks for hundreds of hospitals, clinics and healthcare networks across the globe. Palo Alto
More informationIntroduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
More informationSymantec Advanced Threat Protection: Network
Symantec Advanced Threat Protection: Network DR150218C April 2015 Miercom www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Overview... 4 2.1 Products Tested... 4 2.2. Malware Samples... 5 3.0 How
More informationThe self-defending network a resilient network. By Steen Pedersen Ementor, Denmark
The self-defending network a resilient network By Steen Pedersen Ementor, Denmark The self-defending network - a resilient network What is required of our internal networks? Available, robust, fast and
More informationGuidelines for Website Security and Security Counter Measures for e-e Governance Project
and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online
More informationSOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013
SOFTWARE ASSET MANAGEMENT Continuous Monitoring September 16, 2013 Tim McBride National Cybersecurity Center of Excellence timothy.mcbride@nist.gov David Waltermire Information Technology Laboratory david.waltermire@nist.gov
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationIT Security. Securing Your Business Investments
Securing Your Business Investments IT Security NCS GROUP OFFICES Australia Bahrain China Hong Kong SAR India Korea Malaysia Philippines Singapore Sri Lanka Securing Your Business Investments! Information
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationSecuring OS Legacy Systems Alexander Rau
Securing OS Legacy Systems Alexander Rau National Information Security Strategist Sample Agenda 1 Today s IT Challenges 2 Popular OS End of Support & Challenges for IT 3 How to protect Legacy OS systems
More informationDeltaV System Cyber-Security
January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...
More informationDoes your Citrix or Terminal Server environment have an Achilles heel?
CRYPTZONE WHITE PAPER Does your Citrix or Terminal Server environment have an Achilles heel? Moving away from IP-centric to role-based access controls to secure Citrix and Terminal Server user access cryptzone.com
More informationPatch and Vulnerability Management Program
Patch and Vulnerability Management Program What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent
More informationSecure Networks for Process Control
Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than
More informationPCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data
White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationV1.4. Spambrella Email Continuity SaaS. August 2
V1.4 August 2 Spambrella Email Continuity SaaS Easy to implement, manage and use, Message Continuity is a scalable, reliable and secure service with no set-up fees. Built on a highly reliable and scalable
More informationProtecting the Infrastructure: Symantec Web Gateway
Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options
More informationCPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access
More informationSecret Server Qualys Integration Guide
Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server
More informationDriving Company Security is Challenging. Centralized Management Makes it Simple.
Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary
More informationNetworking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
More informationCyber Security for NERC CIP Version 5 Compliance
GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...
More informationWHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks
WHITE PAPER The Need for Wireless Intrusion Prevention in Retail Networks The Need for Wireless Intrusion Prevention in Retail Networks Firewalls and VPNs are well-established perimeter security solutions.
More informationTRIPWIRE NERC SOLUTION SUITE
CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering
More informationStaying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro
Staying Secure After Microsoft Windows Server 2003 Reaches End of Life Trevor Richmond, Sales Engineer Trend Micro Windows Server 2003 End of Life- Why Care? The next big vulnerability (Heartbleed/Shellshock)
More information