Presentation on theme: "Security Management prepared by Dean Hipwell, CISSP"— Presentation transcript:
1 Security Management: Security Top Lists
prepared by Dean Hipwell, CISSP
ISSA - Sacramento Valley
References:
2 OWASP Top 10 Web Application Security Risks for 2010
Source:
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
3 SANS Top Cyber Security Risks
Source:
Priority One: Client-side software that remains unpatched.
Priority Two: Internet-facing web sites that are vulnerable.
Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
Rising numbers of zero-day vulnerabilities.
4 SANS Top 20 Critical Security Controls - Version 3.0
Source:
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance, Monitoring, and Analysis of Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based on the Need to Know
10: Continuous Vulnerability Assessment and Remediation
5 SANS Top 20 Critical Security Controls - Version 3.0 (continued)
Source:
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Security Skills Assessment and Appropriate Training to Fill Gaps
6 SANS Top 25 Most Dangerous Software Errors
Source:
Insecure Interaction Between Components (CWE ID: Name)
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
7 SANS Top 25 Most Dangerous Software Errors (continued)
Source:
Risky Resource Management (CWE ID: Name)
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-494: Download of Code Without Integrity Check
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-676: Use of Potentially Dangerous Function
CWE-131: Incorrect Calculation of Buffer Size
CWE-134: Uncontrolled Format String
CWE-190: Integer Overflow or Wraparound
8 SANS Top 25 Most Dangerous Software Errors (continued)
Source:
Porous Defenses (CWE ID: Name)
CWE-306: Missing Authentication for Critical Function
CWE-862: Missing Authorization
CWE-798: Use of Hard-coded Credentials
CWE-311: Missing Encryption of Sensitive Data
CWE-807: Reliance on Untrusted Inputs in a Security Decision
CWE-250: Execution with Unnecessary Privileges
CWE-863: Incorrect Authorization
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-307: Improper Restriction of Excessive Authentication Attempts
CWE-759: Use of a One-Way Hash without a Salt
9 Au-DSD Top 35 Mitigation Strategies (Part 1)
Source:
Ranking: Strategy
1: Patch applications within 2 days for high risk vulnerabilities.
2: Patch O/S within 2 days for high risk vulnerabilities.
3: Minimize the number of local admins. Assign separate accounts.
4: Application white-listing: Prevent unauthorized programs.
5: HIDS/HIPS: Identify anomalous behavior.
6: Content filtering: Allow only authorized attachments.
7: Block spoofed .
8: User education.
9: Web content filtering.
10: Web domain white-listing.
11: Web domain white-listing for HTTP/SSL.
12: Workstation inspection of Microsoft Office files.
10 Au-DSD Top 35 Mitigation Strategies (Part 2)
Source:
Ranking: Strategy
13: Application-based workstation firewall: block incoming traffic.
14: Application-based workstation firewall: prevent outgoing traffic.
15: Network segregation.
16: Multi-factor authentication.
17: Randomized local admin passphrases. (Prefer domain groups.)
18: Enforce strong passphrases.
19: Border gateway using an IPv6-capable firewall.
20: Data Execution Prevention.
21: Antivirus software with up to date signatures.
22: Non-persistent virtualized trusted operating environment.
23: Centralized and time-synchronized logging: network traffic.
24: Centralized and time-synchronized logging: computer events.
11 Au-DSD Top 35 Mitigation Strategies (Part 3)
Source:
Ranking: Strategy
25: Standard O/S with unneeded functions disabled.
26: Application hardening: disable unneeded features.
27: Restrict access to NetBIOS features.
28: Server hardening.
29: Removable and portable media control.
30: TLS encryption between servers.
31: Disable LanMan password support and cached credentials.
32: Block attempts to access web sites by their IP address instead of by their domain name.
33: NIDS/NIPS: Identify anomalous traffic.
34: Gateway blacklisting to block access to known malicious domains.
35: Full network traffic capture to perform post-incident analysis.