2016 DATA PROTECTION CONFERENCE. Break-away session II

Similar documents
Data protection. Protecting personal data in online services: learning from the mistakes of others

Adobe Systems Software Ireland Ltd

IT asset disposal for organisations

Passing PCI Compliance How to Address the Application Security Mandates

Security Controls for the Autodesk 360 Managed Services

Ways. to Shore Up. Security. Your. ABSTRACT: By Trish Crespo

Auditing the Security of an SAP HANA Implementation

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Securing PostgreSQL From External Attack

Data Protection Act Guidance on the use of cloud computing

(WAPT) Web Application Penetration Testing

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Nithan Sannappa Senior Attorney, Division of Privacy and Identity Protection, Federal Trade Commission

Kentico CMS security facts

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Office of Inspector General

How To Protect Your Data From Being Stolen

Basics of Internet Security

State of Wisconsin DET File Transfer Protocol Service Offering Definition (FTP & SFTP)

Web Application Penetration Testing

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Integrating Web Application Security into the IT Curriculum

Sitefinity Security and Best Practices

SQL Server Security "The Hackers Goldmine

Overview of Banking Application Security and PCI DSS Compliance for Banking Applications

Data Protection Act Bring your own device (BYOD)

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES

White Paper. BD Assurity Linc Software Security. Overview

Penetration Testing for iphone Applications Part 1

CMPT 471 Networking II

Security Whitepaper: ivvy Products

Thick Client Application Security

Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire

Installing and configuring Microsoft Reporting Services

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

HOW TO CONFIGURE SQL SERVER REPORTING SERVICES IN ORDER TO DEPLOY REPORTING SERVICES REPORTS FOR DYNAMICS GP

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

A practical guide to IT security

Cloud Software Services for Schools

IT HEALTHCHECK TOP TIPS WHITEPAPER

OWASP Top Ten Tools and Tactics

Cloud Software Services for Schools

Penetration Testing Report Client: Business Solutions June 15 th 2015

How To Manage Web Content Management System (Wcm)

Security and Vulnerability Testing How critical it is?

UPSTREAMCONNECT SECURITY

December P Xerox App Studio 3.0 Information Assurance Disclosure

March

MIGRATIONWIZ SECURITY OVERVIEW

MySQL Security: Best Practices

Application Security Testing

Security breaches: A regulatory overview. Jonathan Bamford Head of Strategic Liaison

Top 7 Tips for Better Business Continuity

8070.S000 Application Security

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

KEY STEPS FOLLOWING A DATA BREACH

5 Simple Steps to Secure Database Development

A Decision Maker s Guide to Securing an IT Infrastructure

Presented By: Bryan Miller CCIE, CISSP

PCI Compliance Considerations

The Top Web Application Attacks: Are you vulnerable?

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

R 143 CYBERSECURITY RECOMMENDATION FOR MEDIA VENDORS SYSTEMS, SOFTWARE & SERVICES

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Uptime Infrastructure Monitor. Installation Guide

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

WHITEPAPER. Nessus Exploit Integration

Computer Security. Draft Exam with Answers

Omniquad Exchange Archiving

Standard: Web Application Development

Practical Guidance for Auditing IT General Controls. September 2, 2009

Lotus Domino Security

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Locking down a Hitachi ID Suite server

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

DIVISION OF INFORMATION SECURITY (DIS)

Digital Signatures on iqmis User Access Request Form

Multi Factor Authentication API

PrintFleet Enterprise 2.2 Security Overview

The Security Behind Sticky Password

Oracle Database 11g: Security. What you will learn:

Privacy in mobile apps

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard

How To Protect A Web Application From Attack From A Trusted Environment

Office of Transportation Vetting and Credentialing Screening Gateway and Document Management System Privacy Impact Assessment

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Five PCI Security Deficiencies of Retail Merchants and Restaurants

Manipulating Microsoft SQL Server Using SQL Injection

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

Five PCI Security Deficiencies of Restaurants

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

PrintFleet Enterprise Security Overview

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3 April 8, Integration Guide IBM

Transcription:

2016 DATA PROTECTION CONFERENCE Break-away session II

DATA PROTECTION & THE ONLINE ENVIRONMENT: An IT Security Practitioner s Perspective With references and Inspiration from: Information Commissioners Office, UK Protecting personal data in online services: learning from the mistakes of others May 2014 Whitepaper

Who am I? Presented By: Desmond Israel (LLB BSC CASP CCNSP QCS-VM) Enterprise IT Security Practitioner Executive Director & Consulting Partner Information Security Architects Ltd 8 Lomo Adawu Street, La Accra, Ghana desmond@isa.com.gh +233233333163

What we mostly do.

An idea of what we should do. What the DPA says Software security updates SQL injection Unnecessary services Decommissioning of software or services Password storage Configuration of SSL or TLS Inappropriate locations for processing data Default credentials

Where the law aligns.. The Data Protection Act 2012 Centered on eight (8) principles for good information handling Give specific rights to data subjects Provides obligations for data subjects and processors We focus on the 7 th principle intended to informed about appropriate safeguard measures to protect personal data. Online services is our focus.

1 What s up with software updates Software updates policy for all software used for processing personal data. Cover OS, apps, libs and dev frameworks in policy There may be good reasons not to apply all available updates as soon as possible. Your policy can take into account these reasons. When there is no compelling reason to delay, you should apply security updates as soon as is practical.

2 The SQL Injection dose Be aware of all of your assets that might be vulnerable to SQL injection. Can affect applications that pass user input into a DB. [E.g Web sites/apps] Presents a high risk of compromising significant amounts of personal data. Must have high priority for prevention, detection and remediation.

The SQL Injection dose 2 Happens from coding flaws coders (develop and maintain codes). You will need to rely on to prevent SQL injection or fix SQL injection flaws if they are found. Independent security testing (penetration testing, vulnerability assessment, or code review, as appropriate). Do this before the application goes live. It is good practice to periodically test live applications. When remediating an SQL injection flaw, use parameterised queries where possible, and ensure that all similar input locations are also checked and remediated.

3 Unnecessary services? Really? Completely decommission any service that is not necessary. Avoid high risk services such as telnet, ftp, smtp etc Ensure that services intended for local use only are not made publicly-available. Use periodic port-scanning to check for unnecessary services which have been inadvertently enabled. Maintain a list of which services should be made available. Periodically review the list to see whether any services have become unnecessary, and restrict or decommission them as appropriate.

Retiring software & services 4 Be aware of all the components of a service so that you can make sure they are all decommissioned. Make a record of any temporary services which you will eventually need to disable. Thoroughly check that the decommissioning procedure has actually succeeded. Use systematic tools such as port scanners to do this where possible. Do not forget to arrange for proper disposal of any hardware, as appropriate. Refer the ICO guidance on IT disposal it helps a lot.

5 Password storage do it well Don t store passwords in plain text, nor in decryptable form. Use a hash function. Only store the hashed values. Hash functions with appropriate strength to make offline brute-force attacks difficult. Use salting to make offline brute-force attacks less effective. Periodically review the strength of the hash function. keep up to date with advances in computing power, use password hashing scheme with a configurable work factor(kdf). Use a combination of password strength requirements and user-education. Have a plan of action in case of a password breach.

6 Cyphering online traffic.. SSL Ensure that personal data (and sensitive information generally) is transferred using SSL or TLS where appropriate. Use SSL or TLS for all data transfer in order to reduce complexity. Any included content such as images, javascript or CSS should also be provided over SSL or TLS in order to avoid 'mixed content' warnings. Ensure that SSL or TLS is set up to provide encryption of adequate strength. Ensure that every SSL or TLS service uses a valid certificate, and schedule renewal of all certificates before they expire to ensure the services remain secure. Obtain an Extended Validation (EV) certificate if assurance of identity is of particular importance. Do not encourage users to ignore SSL or TLS security warnings.

6

7 Inappropriate data processing Ensure testing or staging environments are segregated from the production environment. Segmenting network according to function and in accordance with your data protection policies. Network architecture accounts for functions such as backups and business continuity. Policies for how, when and where personal data will be processed. Consider all the services you are running, how they are accessible, and whether they comply with your policies. Ensure any web servers are exposing only the intended content. Where necessary, apply specific access restrictions. Do not rely merely on obscurity to prevent access.

Default credentials.. Huh? 8 Change any default credentials as soon as possible. When changing default credentials, remember to follow good practice on password choice. Ensure that credentials are not hard-coded into any of your software. Ensure that credentials are not transmitted in plain text.

THANK YOU FOR STAYING Try me. desmond@isa.com.gh +233233333163

DEMOS & QUESTIONS

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information