OSSEC in the Enterprise
|
|
- Avis Wade
- 8 years ago
- Views:
Transcription
1 OSSEC in the Enterprise Open Source Log Management, Analysis and Intrusion Detection Rochester Security Summit October 29, 2009 Michael Starks, CISSP, CISA, GSNA
2 Agenda What is OSSEC? Log Analysis Integrity Monitoring Rootkit Detection Policy Monitoring Alerting Active Response OSSEC WebUI Why OSSEC? Risks & Countermeasures Enterprise Considerations Demo Questions
3 What is OSSEC? OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Source:
4 What is OSSEC? Put another way... OSSEC is security software that looks for bad stuff on the actual host
5 Multi-Platform Works on Windows and most Unix-like systems
6 Centrally Managed Client/server architecture Almost everything can be managed from the OSSEC manager Restart agents Start integrity checks Tune rules Block attacks
7 Single Installation Manager and agent on one machine
8 Distributed Centralized manager and distributed agents
9 Distributed Multiple managers and multiple agents
10 Redundant Fail over to one or more managers
11 Flexible and Extensible Easily add support for custom applications Integrate with commercial SIEMs Analyze logs on existing syslog servers
12 Secure by Default Privilege separated processes Chroot where possible Secure programming practices Encrypted message transport using IP restrictions and replay prevention
13 Supported Community IRC: #OSSEC on Freenode Mailing lists: ossec-list Commercial Trend Micro OSSEC Host-Based Intrusion Detection Guide ossec-dev
14 Fast and Efficient Analyze millions of events per day...in real-time...using commodity hardware
15 Extensive Application Support Dozens of decoders and hundreds of rules out of the box Unix Pam, sshd (OpenSSH), Solaris telnetd, Samba, Su, Sudo, Proftpd, Pure-ftpd, vsftpd, Microsoft FTP server, Solaris ftpd, Imapd, Postfix, Sendmail, vpopmail, Microsoft Exchange, Apache, IIS5, IIS6, Horde IMP, Iptables, IPF. PF, Netscreen, Cisco PIX/ASA/FWSM, Snort, Cisco IOS, Nmap, Symantec AV, Arpwatch, Named, Squid, Windows event logs, VMWare
16 Free Open source Budget friendly
17 Log Analysis The heart of OSSEC
18 LIDS Log-based Intrusion Detection Not a log management tool Analyzes (but does not store) every log
19 A Slight Detour What if the attacker deletes the logs? Will you have all the pieces of the puzzle? Robust log management strategies help OSSEC do its job
20 Log Management Corporate policy should define the need for logging
21 Log Management Corporate standards should define system audit settings, such as: What to audit Frequency of log rotation Log format Method of communication
22 Log Management Logs should, wherever possible, be converted from a proprietary format to a standardized and normalized format (e.g. syslog)
23 Log Management Logs should be centralized and stored on a hardened, purpose-specific server, with no unnecessary or unrelated services running
24 Log Management Systems should be synchronized with a common, trusted time source
25 Log Management Logs contain sensitive information and should be encrypted in transit wherever possible
26 Log Management A copy of each log should be available both locally and centrally In the event of a compromise, the trusted log server can be compared with the local logs
27 Log Management Logs should be maintained online and archived offline according to regulatory or policy requirements
28 Log Management Access to logs should be on a need-to-know and least-privileged basis
29 Log Management Access to logs should always be read-only
30 Log Flow Through OSSEC Tree-like structure Alert Analysis Decode Pre-decode Log enters system
31 Log Enters System Secure (encrypted) Insecure (syslog) Localhost
32 Pre-Decoding and Decoding Extracts individual parts of the log and places them into buckets Useful later on when writing rules b o B user src_ip id ns v o g. a url
33 SSHd Log Pre-Decoded Extracts known fields from logs (e.g. time) Compiled in for efficiency Log comes in as: Apr 14 17:32:06 hostname sshd[1025]: OSSEC pre-decodes it as: time/date -> Apr 14 17:32:06 hostname -> hostname program_name -> sshd Pre-decoded
34 SSHd Log Fully Decoded Log comes in as: Apr 14 17:32:06 hostname sshd[1025]: Accepted password for root from port 1618 ssh2 OSSEC decodes it as: time/date -> Apr 14 17:32:06 hostname -> hostname program_name -> sshd log -> Accepted password for root from port... srcip -> user -> root Pre-decoded Decoded
35 SSHd Log Decoder Will there be a test? <decoder name="sshd"> <program_name>^sshd</program_name> </decoder> <decoder name="sshd-success"> <parent>sshd</parent> <prematch>^accepted</prematch> <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex> <order>user, srcip</order> </decoder>
36 Analysis (Rules) Rules are also called signatures Simple XML files on the manager Independent of original log format
37 Two Types of Rules Atomic: single event Bob mistyped his password once Composite: multiple events across logs Bob mistyped his password 3,561 times in 3 minutes on 16 different systems
38 That Looks Suspicious I know Bob forgets his password, but...
39 Rules Rules pick up where decoders leave off Instead of writing rules for raw logs, they can be written to normalized data (e.g. Bob is a user ) Data flows through the tree until a rule matches or doesn't match
40 Rules Severity-based: levels 0 (low) to 15 (high) Nest multiple rules for granular control Rule groups further normalize data web_scan firewall_drop account_changed...
41 Simplest Rule If the log was decoded as SSHd, generate rule 111 Not very useful yet <rule id = "111" level = "5"> <decoded_as>sshd</decoded_as> <description>logging every decoded sshd message</description> </rule>
42 Dependent Rule If rule 111 matched and the log contains Failed Password set the severity (level) to 7 and the group to authentication_failed <rule id= 122 level= 7 > <if_sid>111</if_sid> <match>^failed password</match> <description>failed password attempt</description> <group>authentication_failed</group> </rule>
43 nd 2 Dependent Rule If rule 122 matched and it's that pesky Bob Raise the severity (level) to 12 <rule id= 133 level= 12 > <if_sid>122</if_sid> <user>bob</user> <description>that pesky Bob again</description> </rule>
44 In Other Words Put another way... Record all events decoded as SSHd Alert at level 7 on every authentication failure If the user is Bob, raise the alert level to 12
45 Wait a Minute What if Bob has 3,561 login failures again?
46 Wait a Minute What if his login failures aren't just through SSH?
47 Revised Rule Thoughts Alert me if Bob has a few authentication failures in a short time, from anywhere, but don't flood me with alerts
48 Revised Rule for Bob Let's try that last rule again <rule id= 133 level= 12 frequency= 10 timeframe= 300 ignore= 60 > <if_matched_group>authentication_failed</if_matched _group> <user>bob</user> <description>bob is acting up</description> </rule>
49 Rule Examples Other interesting rules
50 Attack Followed by Account <group name="syslog,elevation_of_privilege,"> <rule id="40501" level="15" timeframe="300" frequency="2"> <if_group>adduser</if_group> <if_matched_group>attacks</if_matched_group> <description>attacks followed by the addition of an user.</description> </rule> </group>
51 Really Long URL <rule id="31115" level="13" maxsize="2900"> <if_sid>31100</if_sid> <description>url too long. Higher than allowed on most browsers. Possible attack.</description> <group>invalid_access,</group> </rule>
52 Multiple Windows Errors <rule id="18154" level="10" frequency="$ms_freq" timeframe="240"> <if_matched_sid>18103</if_matched_sid> <description>multiple Windows error events.</description> </rule>
53 Windows Application Installed <rule id="18147" level="5"> <if_sid>18101</if_sid> <id>^11707</id> <options>alert_by_ </options> <description>application Installed.</description> </rule>
54 Windows Audit Policy Changed <rule id="18113" level="8"> <if_sid>18104</if_sid> <id>^612 ^643 ^4719 ^4907 ^4912</id> <description>windows Audit Policy changed.</description> <group>policy_changed,</group> </rule>
55 Virus Found, Not Removed <rule id="7504" level="12"> <if_sid>7500</if_sid> <regex>$mcafee_virus</regex> <group>virus</group> <description>mcafee Windows AV - Virus detected and not removed.</description> </rule>
56 Integrity Monitoring Keeping a Known Good State
57 File Integrity SHA-1 and MD5 of critical system files and registry keys Performed in real-time or on a schedule Auto-ignores files that change too often
58 File Integrity Also checks owner, group, permissions Hashes forwarded to manager for safe keeping (excellent for forensics) Use the full power of rules to manage alerts (e.g. alert only on changes outside patch window)
59 World Writable File OSSEC HIDS Notification Oct 21 12:02:27 Received From: hostname->syscheck Rule: fired (level 7) -> "World Writable File" Portion of the log(s): Integrity checksum changed for: '/etc/httpd/conf/httpd.conf' Permissions changed from 'rw ' to 'rw-r--rw-' --END OF NOTIFICATION
60 No Longer World Writable OSSEC HIDS Notification Oct 21 12:05:11 Received From: hostname->syscheck Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)." Portion of the log(s): Integrity checksum changed for: '/etc/httpd/conf/httpd.conf' Permissions changed from 'rw-r--rw-' to 'rw ' --END OF NOTIFICATION
61 Agentless Integrity Periodic diff of firewalls and routers Checksum and diff of remote 'nix systems It's nice to know something changed, but what? Agentless check of /etc/password shows what changed
62 Agentless Alerts OSSEC HIDS Notification May 14 16:32:20 Received From: (ssh_pixconfig_diff) Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed." Portion of the log(s): ossec: agentless: Change detected: 206a207 > port-object eq c557...
63 Rootkit Detection Exposing the Hidden
64 Unix Rootkit Detection Signature and anomaly-based Signatures automatically sent to agents Can be run stand-alone
65 Signature Method Signatures for Adore, Knark, LOC, etc Attempt to stats, fopen and opendir each specified file Some rootkits don't fully hide themselves
66 Anomaly Method Detects known and unknown rootkits Files in /dev which aren't device files Unusual files (hidden directories, files owned by root which are world-writable)
67 Anomaly Method Running processes hidden from ps Listening ports hidden from netstat Promiscuous interfaces hidden from ifconfig
68 Rootcheck Alert OSSEC HIDS Notification Oct 06 17:45:17 Received From: XXXX->rootcheck Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)." Portion of the log(s): Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/yyyy.com/httpdocs/language/lang_english/ /.log'. /... --END OF NOTIFICATION Source:
69 Windows Rootkit Detection Not as advanced as Unix-based detection Alternate data streams (Files hidden within files)
70 Policy Monitoring Detect Insecure Conditions
71 Policy Monitoring Is your system configured securely? Identify situation which can lead to a breach Benchmark system against CIS standard or create your own
72 Policy Monitoring File, registry setting, or process exists or does not exist Combine values with logical AND/OR Is anti-virus installed but not running?
73 Policy Monitoring Has the host firewall been disabled? Is LanMan authentication allowed? *Does not alert by default
74 Alerting Getting Notified
75 Alerting , syslog and database output Built-in flood protection Send alerts to different teams based on granular rules, severity or group
76 Alerting On second thought, maybe it wasn't Bob who tried to login to his account Someone should get a page if this happens again
77 Can't Miss the Game What if it's the weekend and I'm watching the game?
78 Alerting That someone should be Henry, the Jr. Security Analyst What a wonderful opportunity for professional development
79 Alerting Create another rule without restricting it to Bob, which will only fire on the weekends <rule id= 144 level= 12 frequency= 10 timeframe= 300 ignore= 60 > <if_matched_group>authentication_failed</if_matched _group> <weekday>saturday,sunday</weekday> <description>multiple Weekend Authentication Failures</description> </rule>
80 Alerting Followed by an alert configuration is ossec.conf < _alerts> <rule_id>144</rule_id> <format>sms</format> </ _alerts>
81 Alerting Syslog or database output easily integrated with commercial SIEMs Use OSSEC for the analysis Use the SIEM GUI for advanced correlation
82 Rule Examples Other interesting alerts
83 Excessive Events OSSEC HIDS Notification Oct 21 04:31:50 Received From: hostname->/var/log/httpd/error_log Rule: 11 fired (level 8) -> "Excessive number of events (above normal)." Portion of the log(s): The average number of logs between 4:00 and 5:00 is 936. We reached 1218.
84 First-Time Login OSSEC HIDS Notification Oct 22 11:24:34 Received From: hostname->/var/log/secure Rule: fired (level 4) -> "First time user logged in." Portion of the log(s): Oct 22 11:24:33 hostname sshd[2998]: Accepted password for kevin_mitnick from port ssh2
85 First Sudo Attempt OSSEC HIDS Notification Oct 22 11:27:49 Received From: hostname->/var/log/secure Rule: 5403 fired (level 4) -> "First time user executed sudo." Portion of the log(s): Oct 22 11:27:49 hostname sudo: kevin_mitnick : user NOT in sudoers ; TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/su -
86 Active Response Preventing Breaches
87 Active Response Attackers follow common patterns 1. Reconnaissance 2. Scan 3. Exploit OSSEC can often prevent breaches by detecting attacks in the early stages
88 Active Response Not an IPS, but effective
89 Active Response Time-based security implementation Protection time should be greater than the sum of detection time, plus reaction time (D+R)>P This is good!
90 Active Response If severity > 6, add the attacker's IP to the host firewall for 10 minutes Or the perimeter firewall... Or disable an account... Or shut down the system...
91 Active Response Execute responses on the manager, one particular agent, a firewall or everywhere Worldwide?
92 OSSEC WebUI A Face to OSSEC
93 Benefits of GUIs GUI interfaces allow you to see trends and patterns over time FTP account gets locked out every day at 4:15 AM What alerts does OSSEC think aren't worthy of an ?
94 OSSEC WebUI
95 OSSEC WebUI
96 OSSEC WebUI
97 Other GUI Options Other options include: Splunk OSSIM Picviz
98 Why OSSEC?
99 PCI DSS Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
100 PCI DSS Review logs for all system components at least daily......note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6
101 Closing the NIDs Circle Network-based IDS Only half the picture
102 Closing the NIDs Circle Host-based IDS The other half
103 Closing the NIDs Circle Network and Host-based IDS A new level of insight into your environment
104 Closing the NIDs Circle Of course, OSSEC reads NIDs logs
105 Forensics Everything is forwarded to the manager for analysis and possible storage Attackers like to delete logs
106 Policy Compliance How do you know your systems are still hardened? Are admins logging in with unique accounts? Is anti-virus running?
107 Keep Employees Honest Insider threats cost companies millions per year Employees who know their activities are monitored tend to be more honest
108 Budget OSSEC can be used for free
109 Risks & Countermeasures
110 Mass Deployment Deploying large amounts of agents is challenging Each agent uses a unique key How can a single package be created?
111 Active Response Attackers who know Active Response is in use may try to use that to their advantage IPs can be spoofed, thereby triggering an incorrect response
112 Alert Flooding You have 6,972 new messages! Will you read them all?
113 Log Injection Attacker uses poorly written regular expressions to bypass rules ftp Welcome to labs ossec candy FTP service. Name ( :root): lala] FAIL LOGIN: Client Normal Log Mon Jun 2 21:05: [pid 1448] [myuser] FAIL LOGIN: Client Log Injection Mon Jun 2 21:06: [pid 1452] [lala] FAIL LOGIN: Client ] FAIL LOGIN: Client
114 Risk Countermeasures flooding By default, OSSEC will only send 12 alerts per hour, queuing the rest until the next hour Active Response Response timeout IP whitelists Log Injection Tight regular expressions
115 Enterprise Considerations
116 Define the Problem What problem are you trying to solve? What are your primary drivers? What are the obstacles?
117 Codify in Policy Explicitly state the need in policy
118 Set Requirements Requirements are a measure of success
119 Define the Scope Will you monitor all systems? What is the budget? What is the time-frame?
120 Make a Desicion Is OSSEC a good fit? Don't design a solution looking for a problem!
121 Plan, Do, Check, Act Plan your OSSEC rollout Do the actual rollout Check the requirements against the rollout Act on the lessons learned
122 Demo
123 Summary OSSEC can add a new level of insight into your environment Only use OSSEC if it fits a need If you do use OSSEC, contribute your decoders, rules and lessons learned back to the community!
124 Questions?
125 Acknowledgements Daniel B. Cid, OSSEC creator Trend Micro Rochester Security Summit OSSEC Aucert presentation
126 Image Credits Agenda: Question mark: Tree: Vintage Mac: Rubber band ball: Padlock: Fast car: Cardboard box: Jumping man: Camera lid: Buckets: Ruler: Bob: OSSEC WUI: Road sign: The following images were used under fair use provisions of US copyright and trademark law: Logos: Windows, Tux, FreeBSD, PCI and AIX OSSEC WebUI screenshots
127 Image Credits Files in basket: Potato: Paper stack: Old phone: Little guy and stop sign: Fence: Clock: Retro TV: Sunglasses: Happy face: Thumb print: Fist: Money symbol: Crowd: Red cross:
128 Text Credits Attacking Log Analysis Tools, Daniel B. Cid: OSSEC at AusCERT, Daniel B Cid:
129 Presentation License This presentation is licensed under the Creative Commons AttributionNoncommercial-Share Alike 3.0 license. The license does not extend to images, which hold their own copyrights attributed to various authors. You are free: to Share to copy, distribute and transmit the work to Remix to adapt the work Under the following conditions: Attribution You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). Noncommercial You may not use this work for commercial purposes. Share Alike If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. With the understanding that: Waiver Any of the above conditions can be waived if you get permission from the copyright holder. Other Rights In no way are any of the following rights affected by the license: Your fair dealing or fair use rights; Apart from the remix rights granted under this license, the author's moral rights; Rights other persons may have either in the work itself or in how the work is used, such as publicity or privacy rights. Notice For any reuse or distribution, you must make clear to others the license terms of this work.
Log Analysis using OSSEC
Log Analysis using OSSEC Daniel B. Cid dcid@ossec.net Agenda Defining LIDS (Log-Based IDS) OSSEC Overview Installation demo Log decoding and analysis with OSSEC Writing decoders Writing rules Examples
More informationLog Analysis using OSSEC
Log Analysis using OSSEC Daniel B. Cid dcid@ossec.net Agenda OSSEC Overview Installation demo Log decoding and analysis with OSSEC Writing decoders Writing rules Examples of rules and alerts in the real
More informationHost Level IDS CSC 790 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Fall 2015
Host Level IDS CSC 790 WAKE FOREST U N I V E R S I T Y Department of Computer Science Fall 2015 IDS Categories Based on Events (as a reminder) IDS can be categorized based on the use of event streams Anomaly
More informationHost Based Intrusion Detection
Host Based Intrusion Detection Simple Menu Driven Installation OSSEC HIDS v2.4 Installation Script - http://www.ossec.net You are about to start the installation process of the OSSEC HIDS. You must have
More informationOSSEC: non solo log analysis. Roberto Cecchini - GARR
OSSEC: non solo log analysis - GARR Meccanismi di protezione Firewall Network Intrusion Detection/Prevention Host Intrusion Detection file integrity check funziona anche se l'accesso è stato regolare non
More informationPassive Logging. Intrusion Detection System (IDS): Software that automates this process
Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion
More informationThe Comprehensive Guide to PCI Security Standards Compliance
The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationCorreLog Alignment to PCI Security Standards Compliance
CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationURL: http://crosswire.org/~jmarsden/talks/hardening-ubuntu/hardening-ubuntu.html
Hardening Ubuntu Date: 12 Mar 2011 Author: Jonathan Marsden jmarsden@fastmail.fm URL: http://crosswire.org/~jmarsden/talks/hardening-ubuntu/hardening-ubuntu.html Contents Introduction The BASICS (the bare
More informationWorking with Rules. Solutions in this chapter: Introducing Rules. Understanding the OSSEC HIDS Analysis Process. Predecoding Events.
Chapter 4 Working with Rules Solutions in this chapter: Introducing Rules Understanding the OSSEC HIDS Analysis Process Predecoding Events Decoding Events Understanding Rules Working with Real World Examples
More informationPCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents
PCI DSS Best Practices with Snare Enterprise InterSect Alliance International Pty Ltd Page 1 of 9 About this document The PCI/DSS documentation provides guidance on a set of baseline security measures
More informationIntroduction of Intrusion Detection Systems
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
More informationSecret Server Qualys Integration Guide
Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationSolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements
SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements SolarWinds Security Information Management in the Payment Card
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationOSSEC. Intrusion detection and response System and log analysis of Drupal sites and servers
OSSEC Intrusion detection and response System and log analysis of Drupal sites and servers Looked at your logs recently? Client site, November 2012 33.44.55.66 - - [04/Nov/2012:05:48:59 +1100] "POST http://www.example.com/?q=fckeditor%2fxss
More informationPayment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)
Payment Card Industry Data Security Standard (PCI / DSS) InterSect Alliance International Pty Ltd Page 1 of 12 Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance
More informationWhite Paper. PCI Guidance: Microsoft Windows Logging
PCI Guidance: Microsoft Windows Logging Table of Contents Introduction...3 This white paper was written by: Cayce Beames, CISSP, QSA, Technical Practice Director, Strategic Services, Intel Security Preparation
More informationSecurity Power Tools
Security Power Tools nmap: Network Port Scanner nmap is a network port scanner. Its main function is to check a set of target hosts to see which TCP and UDP ports have servers listening on them. Since
More informationTo read more Linux Journal or start your subscription, please visit http://www.linuxjournal.com.
AlienVault the Future of Security Information Management Meet AlienVault OSSIM, a complex security system designed to make your life simpler. JERAMIAH BOWLING Security Information Management (SIM) systems
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationToday s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, 2009. Concepts.
Protect - Detect - Respond A Security-First Strategy HCCA Compliance Institute April 27, 2009 1 Today s Topics Concepts Case Study Sound Security Strategy 2 1 Security = Culture!! Security is a BUSINESS
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility
More informationHost Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)
Host Hardening (March 21, 2011) Abdou Illia Spring 2011 CERT Report on systems vulnerabilities Source: CERT Report @ http://www.kb.cert.org/vuls/bymetric 2 OS Vulnerability test Source: http://www.omninerd.com/articles/2006_operating_system_vulnerabilit
More informationMySQL Security: Best Practices
MySQL Security: Best Practices Sastry Vedantam sastry.vedantam@oracle.com Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes
More informationHow NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements
How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards
More informationFor more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa.
Global Partner Management Notice Subject: Visa Data Security Alert Malicious Software and Internet Protocol Addresses Dated: April 10, 2009 Announcement: The protection of account information is a responsibility
More informationNetwork- vs. Host-based Intrusion Detection
Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477
More informationGE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
More informationCampus. Impact. UC Riversidee Security Tools. Security Tools. of systems
Security Tools (SecTools) UCR's implementationn of a security dashboard (nominally designated SecTools) is a wonderfully flexible and useful framework for viewing current security incidents and for gaining
More informationSB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298
California State Senate Bill 1386 / Assembly Bill 1298 InterSect Alliance International Pty Ltd Page 1 of 8 Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty
More informationCimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred
DETECT All changes across your IT environment With coverage for your servers, network devices, critical workstations, point of sale systems, and more, CimTrak has your infrastructure covered. CimTrak provides
More informationOSSIM. Open Source Security Information Management. Brian E. Lavender. Sac State. CSC 250, Spring 2008. Final Project
Open Source Security Information Management Sac State CSC 250, Spring 2008 Final Project 2008 1 Table of Contents Introduction...2 How Functions...2 Installation...5 Initial Configuration Steps...6 Creating
More informationSecurity Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those
More informationSecurity Controls for the Autodesk 360 Managed Services
Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices
More informationLogRhythm and PCI Compliance
LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent
More informationRule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)
Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose
More informationSonicWALL PCI 1.1 Implementation Guide
Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard
More informationComputer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 13, Dec. 6, 2010 Auditing Security Audit an independent review and examination
More informationJK0 015 CompTIA E2C Security+ (2008 Edition) Exam
JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router
More informationInformation Security Measures and Monitoring System at BARC. - R.S.Mundada Computer Division B.A.R.C., Mumbai-85
Information Security Measures and Monitoring System at BARC - R.S.Mundada Computer Division B.A.R.C., Mumbai-85 Information Security Approach Secure Network Design, Layered approach, with SPF and Application
More informationSecurity Best Practices Overview
Software Version, page 1 Cisco Modeling Labs Client, page 1 Cisco Modeling Labs Server, page 2 Linux-based Operating System, page 2 OpenStack Security Overview, page 3 Software Version The recommendations
More informationAssuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices
The Payment Card Industry (PCI) Data Security Standard (DSS) provides an actionable framework for developing a robust payment card data security process. The Payment Application Data Security Standard
More informationOWASP Logging Project - Roadmap
OWASP Logging Project - Roadmap SUMMARY Why log?... 2 What is commonly logged?... 2 What are security logs?... 2 What are the most common issues with logging?... 2 What are the common functions of a log
More informationREPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB
REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of
More informationCloudPassage Halo Technical Overview
TECHNICAL BRIEF CloudPassage Halo Technical Overview The Halo cloud security platform was purpose-built to provide your organization with the critical protection, visibility and control needed to assure
More informationINTRUSION DETECTION SYSTEMS and Network Security
INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS
More informationPCI DSS Reporting WHITEPAPER
WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts
More informationArchitecture Overview
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationAlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts
AlienVault Unified Security Management (USM) 4.x-5.x Deploying HIDS Agents to Linux Hosts USM 4.x-5.x Deploying HIDS Agents to Linux Hosts, rev. 2 Copyright 2015 AlienVault, Inc. All rights reserved. AlienVault,
More informationpresents: NitroSecurity Intrusion Prevention Overview for OSSIR (Groupe SUR) Marc Berlow, Cressida France
presents: NitroSecurity Intrusion Prevention Overview for OSSIR (Groupe SUR) Marc Berlow, Cressida France January 11, 2005 Cressida Int l Company History Created by Systems Administration and Security
More informationCloudPassage Halo Technical Overview
TECHNICAL BRIEF CloudPassage Halo Technical Overview The Halo cloud security platform was purpose-built to provide your organization with the critical protection, visibility and control needed to assure
More informationHow To Protect Your Network From Attack From Outside From Inside And Outside
IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationPCI Compliance in Multi-Site Retail Environments
TECHNICAL ASSESSMENT WHITE PAPER PCI Compliance in Multi-Site Retail Environments Executive Summary As an independent auditor, Coalfire seeks to be a trusted advisor to our clients. Our role is to help
More informationAlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationIntrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
More informationTeleran PCI Customer Case Study
Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure
More informationHost-based Protection for ATM's
SOLUTION BRIEF:........................................ Host-based Protection for ATM's Who should read this paper ATM manufacturers, system integrators and operators. Content Introduction...........................................................................................................
More informationPCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.
PCI Compliance Can Make Your Organization Stronger and Fitter Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc. Today s Agenda PCI DSS What Is It? The Regulation 6 Controls 12 Requirements
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationINTRUSION DETECTION SYSTEM
INTRUSION DETECTION SYSTEM INTRUSION DETECTION AND PREVENTION using SAX 2.0 and WIRESHARK Cain & Abel 4.9.35 Supervisor Dr. Akshai Kumar Aggarwal Director School of Computer Sciences University of Windsor
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationJK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA
JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
More informationINCIDENT RESPONSE CHECKLIST
INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged
More informationSecret Server Splunk Integration Guide
Secret Server Splunk Integration Guide Table of Contents Meeting Information Security Compliance Mandates: Secret Server and Splunk SIEM Integration and Configuration... 1 The Secret Server Approach to
More informationFISMA / NIST 800-53 REVISION 3 COMPLIANCE
Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security
More informationHacking Database for Owning your Data
Hacking Database for Owning your Data 1 Introduction By Abdulaziz Alrasheed & Xiuwei Yi Stealing data is becoming a major threat. In 2012 alone, 500 fortune companies were compromised causing lots of money
More informationComprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware
More informationPCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR
PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance
More informationMake a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.
CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files
More informationFederated Network Security Administration Framework
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 2, Issue. 3, March 2013,
More informationAlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals
AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
More informationMANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But
More informationWhy The Security You Bought Yesterday, Won t Save You Today
9th Annual Courts and Local Government Technology Conference Why The Security You Bought Yesterday, Won t Save You Today Ian Robertson Director of Information Security Michael Gough Sr. Risk Analyst About
More informationNetwork Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting
Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order
More informationSystem Security Guide for Snare Server v7.0
System Security Guide for Snare Server v7.0 Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct,
More informationANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details
Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription
More informationNetwork and Host-based Vulnerability Assessment
Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:
More informationLOG MANAGEMENT: BEST PRACTICES
LOG MANAGEMENT: BEST PRACTICES TABLE OF CONTENTS Why Log Management?...2 Which Logs Should Be Collected?...3 Log Management Challenges...5 Automated Log Management...7 Summary...8 LOG MANAGEMENT: BEST
More informationBUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports
BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports Building a Security Operation Center Agenda: Auditing Your Network Environment Selecting Effective Security
More informationwww.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing
More informationBreach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security
Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are
More informationOpen Source Security Tool Overview
Open Source Security Tool Overview Presented by Kitch Spicer & Douglas Couch Security Engineers for ITaP 1 Introduction Vulnerability Testing Network Security Passive Network Detection Firewalls Anti-virus/Anti-malware
More informationApplication Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1
Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationSecurity Event Management. February 7, 2007 (Revision 5)
Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST
More informationFairWarning Mapping to PCI DSS 3.0, Requirement 10
FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationAlert Logic Log Manager
whitepaper Alert Logic Log Manager Configuring Log Sources for Best Practice Reports CONTENTS Introduction 1 Best Practice Reports in Log Manager 2 Active Directory 2 Databases 2 Network Devices 2 Windows
More informationSecurity Correlation Server Quick Installation Guide
orrelogtm Security Correlation Server Quick Installation Guide This guide provides brief information on how to install the CorreLog Server system on a Microsoft Windows platform. This information can also
More informationRSA Authentication Manager 7.1 Security Best Practices Guide. Version 2
RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More information