Security Management prepared by Dean Hipwell, CISSP

1 Security Management prepared by Dean Hipwell, CISSP
ISSA - Sacramento Valley Security Top Lists prepared by Dean Hipwell, CISSP References:

2 OWASP Top 10 Web Application Security Risks for 2010
Source:
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

3 SANS Top Cyber Security Risks
Source:
Priority One: Client-side software that remains unpatched.
Priority Two: Internet-facing web sites that are vulnerable.
Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
Rising numbers of zero-day vulnerabilities.

4 SANS Top 20 Critical Security Controls - Version 3.0
Source:
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance, Monitoring, and Analysis of Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based on the Need to Know
10: Continuous Vulnerability Assessment and Remediation

5 SANS Top 20 Critical Security Controls - Version 3.0 (continued)
Source:
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Security Skills Assessment and Appropriate Training to Fill Gaps

6 SANS Top 25 Most Dangerous Software Errors
Source:
Insecure Interaction Between Components

CWE ID    Name
CWE-89    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-78    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-434   Unrestricted Upload of File with Dangerous Type
CWE-352   Cross-Site Request Forgery (CSRF)
CWE-601   URL Redirection to Untrusted Site ('Open Redirect')

7 SANS Top 25 Most Dangerous Software Errors (continued)
Source:
Risky Resource Management

CWE ID    Name
CWE-120   Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-22    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-494   Download of Code Without Integrity Check
CWE-829   Inclusion of Functionality from Untrusted Control Sphere
CWE-676   Use of Potentially Dangerous Function
CWE-131   Incorrect Calculation of Buffer Size
CWE-134   Uncontrolled Format String
CWE-190   Integer Overflow or Wraparound

8 SANS Top 25 Most Dangerous Software Errors (continued)
Source:
Porous Defenses

CWE ID    Name
CWE-306   Missing Authentication for Critical Function
CWE-862   Missing Authorization
CWE-798   Use of Hard-coded Credentials
CWE-311   Missing Encryption of Sensitive Data
CWE-807   Reliance on Untrusted Inputs in a Security Decision
CWE-250   Execution with Unnecessary Privileges
CWE-863   Incorrect Authorization
CWE-732   Incorrect Permission Assignment for Critical Resource
CWE-327   Use of a Broken or Risky Cryptographic Algorithm
CWE-307   Improper Restriction of Excessive Authentication Attempts
CWE-759   Use of a One-Way Hash without a Salt

9 Au-DSD Top 35 Mitigation Strategies (Part 1)
Source:
Ranking  Strategy
1   Patch applications within 2 days for high risk vulnerabilities.
2   Patch O/S within 2 days for high risk vulnerabilities.
3   Minimize the number of local admins. Assign separate accounts.
4   Application white-listing: Prevent unauthorized programs.
5   HIDS/HIPS: Identify anomalous behavior.
6   content filtering: Allow only authorized attachments.
7   Block spoofed .
8   User education.
9   Web content filtering.
10  Web domain white-listing.
11  Web domain white-listing for HTTP/SSL.
12  Workstation inspection of Microsoft Office files.

10 Au-DSD Top 35 Mitigation Strategies (Part 2)
Source:
Ranking  Strategy
13  Application-based workstation firewall: block incoming traffic.
14  Application-based workstation firewall: prevent outgoing traffic.
15  Network segregation.
16  Multi-factor authentication.
17  Randomized local admin passphrases. (Prefer domain groups)
18  Enforce strong passphrases.
19  Border gateway using an IPv6-capable firewall.
20  Data Execution Prevention.
21  Antivirus software with up to date signatures.
22  Non-persistent virtualized trusted operating environment.
23  Centralized and time-synchronized logging: network traffic.
24  Centralized and time-synchronized logging: computer events.

11 Au-DSD Top 35 Mitigation Strategies (Part 3)
Source:
Ranking  Strategy
25  Standard O/S with unneeded functions disabled.
26  Application hardening: disable unneeded features.
27  Restrict access to NetBIOS features.
28  Server hardening.
29  Removable and portable media control.
30  TLS encryption between servers.
31  Disable LanMan password support and cached credentials.
32  Block attempts to access web sites by their IP address instead of by their domain name.
33  NIDS/NIPS: Identify anomalous traffic.
34  Gateway blacklisting to block access to known malicious domains.
35  Full network traffic capture to perform post-incident analysis.
