Security Management prepared by Dean Hipwell, CISSP

Presentation transcript:

Security Top Lists
ISSA - Sacramento Valley
Prepared by Dean Hipwell, CISSP
References: www.OWASP.org, www.SANS.edu, www.dsd.gov.au

OWASP Top 10 Web Application Security Risks for 2010
Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

SANS Top Cyber Security Risks
Source: http://www.sans.org/top-cyber-security-risks/
Priority One: Client-side software that remains unpatched.
Priority Two: Internet-facing web sites that are vulnerable.
Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
Rising numbers of zero-day vulnerabilities.

SANS Top 20 Critical Security Controls - Version 3.0 (Controls 1-10)
Source: http://www.sans.org/critical-security-controls/
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance, Monitoring, and Analysis of Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based on the Need to Know
10: Continuous Vulnerability Assessment and Remediation

SANS Top 20 Critical Security Controls - Version 3.0 (Controls 11-20)
Source: http://www.sans.org/critical-security-controls/
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Security Skills Assessment and Appropriate Training to Fill Gaps

SANS Top 25 Most Dangerous Software Errors: Insecure Interaction Between Components
Source: http://www.sans.org/top25-software-errors/
CWE ID    Name
CWE-89    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-78    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-434   Unrestricted Upload of File with Dangerous Type
CWE-352   Cross-Site Request Forgery (CSRF)
CWE-601   URL Redirection to Untrusted Site ('Open Redirect')
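The first entry in this category, CWE-89, is easiest to understand with the weak and the hardened query side by side. The following Python is an added example written for this transcript; it is not from Dean Hipwell's slides or from SANS. The users table, the sample rows and the function names (lookup_user_unsafe, lookup_user_safe) are constructed for illustration.

```python
import sqlite3

# Constructed sample rows, not data from the slides.
SAMPLE_USERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89 pattern: the untrusted value is spliced into the SQL text, so a
    quote character inside it changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '{}'".format(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is passed as a bound parameter, so the database
    treats it purely as data regardless of which characters it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    # Textbook probe string: a single quote ends the literal early.
    hostile = "' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(conn, hostile))  # every row comes back
    print("safe:  ", lookup_user_safe(conn, hostile))    # no such user: []
```

The detection signal is in the result set size: a lookup keyed on one username that returns every row is the symptom; the fix is parameterisation, not input filtering.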

SANS Top 25 Most Dangerous Software Errors: Risky Resource Management
Source: http://www.sans.org/top25-software-errors/
CWE ID    Name
CWE-120   Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-22    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-494   Download of Code Without Integrity Check
CWE-829   Inclusion of Functionality from Untrusted Control Sphere
CWE-676   Use of Potentially Dangerous Function
CWE-131   Incorrect Calculation of Buffer Size
CWE-134   Uncontrolled Format String
CWE-190   Integer Overflow or Wraparound
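CWE-22 in this category is usually fixed wrongly with a prefix check on the raw string. The Python below is an added example, not code from the slides or from SANS; it resolves the requested path first and only then compares it component-wise against the base directory. The base directory /srv/files and the helper names (resolve_under, is_within) are assumptions made for the illustration.

```python
import os


def resolve_under(base_dir: str, requested: str) -> str:
    """Return the absolute path for `requested` only if it stays inside
    `base_dir`; raise ValueError otherwise (mitigation for CWE-22)."""
    base = os.path.realpath(base_dir)
    # realpath collapses "..", duplicate separators and symlinks, so the check
    # below looks at where the path really lands, not at how it was spelt.
    # os.path.join discards `base` when `requested` is absolute, which the
    # comparison then catches as well.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so "/srv/files2" is not
    # mistaken for something under "/srv/files" the way startswith() would.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base_dir!r}: {requested!r}")
    return candidate


def is_within(base_dir: str, requested: str) -> bool:
    """Boolean form of the same check, convenient for logging or tests."""
    try:
        resolve_under(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: one legitimate, three that must be refused.
    for req in ["reports/q1.pdf", "../etc/passwd", "/etc/passwd", "reports/../../files2/x"]:
        print(f"{req!r:32} allowed={is_within('/srv/files', req)}")
```

The rejected requests are worth logging with the resolved candidate path, since repeated escapes from one client are a clearer signal than any single request.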

SANS Top 25 Most Dangerous Software Errors: Porous Defenses
Source: http://www.sans.org/top25-software-errors/
CWE ID    Name
CWE-306   Missing Authentication for Critical Function
CWE-862   Missing Authorization
CWE-798   Use of Hard-coded Credentials
CWE-311   Missing Encryption of Sensitive Data
CWE-807   Reliance on Untrusted Inputs in a Security Decision
CWE-250   Execution with Unnecessary Privileges
CWE-863   Incorrect Authorization
CWE-732   Incorrect Permission Assignment for Critical Resource
CWE-327   Use of a Broken or Risky Cryptographic Algorithm
CWE-307   Improper Restriction of Excessive Authentication Attempts
CWE-759   Use of a One-Way Hash without a Salt
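Three entries in this category (CWE-759, CWE-327 and CWE-307) meet in one place: password verification. The Python below is an added example, not code from the slides or from SANS. It stores a per-user random salt and a PBKDF2-SHA256 digest instead of a bare hash, compares in constant time, and caps failed attempts per account. The record format, the iteration count and the names hash_password, verify_password and LoginGuard are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte random salt per password addresses CWE-759; a slow
    iterated KDF rather than a single fast hash addresses CWE-327."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown or legacy record: refuse rather than guess
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginGuard:
    """CWE-307 mitigation: lock an account after `max_failures` bad attempts.
    In-memory counters are enough to show the logic; a real deployment keeps
    them in shared storage and clears them on a timer."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}

    def attempt(self, username: str, stored: str, password: str) -> str:
        if self.failures.get(username, 0) >= self.max_failures:
            return "locked"  # checked before verifying, so lockout is cheap
        if verify_password(stored, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    guard = LoginGuard(max_failures=3)
    for guess in ["wrong", "wrong", "wrong", "correct horse battery staple"]:
        print(guard.attempt("alice", record, guess))  # denied x3, then locked
```

Two hashes of the same password differ because the salt differs, which is exactly what defeats precomputed tables; the stored iteration count lets old records be verified and re-hashed when the work factor is raised.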

Au-DSD Top 35 Mitigation Strategies (Part 1)
Source: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
Ranking  Strategy
1.  Patch applications within 2 days for high risk vulnerabilities.
2.  Patch O/S within 2 days for high risk vulnerabilities.
3.  Minimize the number of local admins. Assign separate accounts.
4.  Application white-listing: Prevent unauthorized programs.
5.  HIDS/HIPS: Identify anomalous behavior.
6.  E-mail content filtering: Allow only authorized attachments.
7.  Block spoofed e-mail.
8.  User education.
9.  Web content filtering.
10. Web domain white-listing.
11. Web domain white-listing for HTTP/SSL.
12. Workstation inspection of Microsoft Office files.

Au-DSD Top 35 Mitigation Strategies (Part 2)
Source: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
Ranking  Strategy
13. Application-based workstation firewall: block incoming traffic.
14. Application-based workstation firewall: prevent outgoing traffic.
15. Network segregation.
16. Multi-factor authentication.
17. Randomized local admin passphrases. (Prefer domain groups.)
18. Enforce strong passphrases.
19. Border gateway using an IPv6-capable firewall.
20. Data Execution Prevention.
21. Antivirus software with up-to-date signatures.
22. Non-persistent virtualized trusted operating environment.
23. Centralized and time-synchronized logging: network traffic.
24. Centralized and time-synchronized logging: computer events.

Au-DSD Top 35 Mitigation Strategies (Part 3)
Source: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
Ranking  Strategy
25. Standard O/S with unneeded functions disabled.
26. Application hardening: disable unneeded features.
27. Restrict access to NetBIOS features.
28. Server hardening.
29. Removable and portable media control.
30. TLS encryption between email servers.
31. Disable LanMan password support and cached credentials.
32. Block attempts to access web sites by their IP address instead of by their domain name.
33. NIDS/NIPS: Identify anomalous traffic.
34. Gateway blacklisting to block access to known malicious domains.
35. Full network traffic capture to perform post-incident analysis.