6. Application Software Security


6. Application Software Security
Why it’s important:
– Security flaws in applications are increasingly the attacker’s entry point
– Both commodity applications and custom in-house applications
– Applications offer large attack surfaces and many opportunities

Quick Wins
– Install and use special web-knowledgeable firewalls
  – To look for XSS, SQL injection, etc.
– Install non-web application-specific firewalls, where available
– Position these firewalls so they aren’t blinded by cryptography

7. Wireless Device Control
Why it’s important:
– Wireless reaches outside physical security boundaries
– Mobile devices “away from home” often use wireless
– Unauthorized wireless access points tend to pop up
– Historically, attackers use wireless to get in and stay in

Quick Wins
– Know what wireless devices are in your environment
– Make sure they run your configuration
– Make sure you have administrative control of all of them
  – With your standard tools
– Use network access control to know which wireless devices connect to the wired network

8. Data Recovery Capability
Why it’s important:
– Successful attackers often alter important data on your machines
  – Sometimes that’s the point of the attack
– You need to be able to get it back

Quick Wins
– Back up all machines at least weekly
  – More often for critical data
– Test restoration from backups often
– Train personnel to know how to recover destroyed information

9. Security Skills Assessment and Training
Why it’s important:
– Attackers target untrained users
– Defenders need to keep up on trends and new attack vectors
– Programmers must know how to write secure code
– Need both a good base and constant improvement

Quick Wins
– Assess what insecure practices your employees use and train against those
– Include appropriate security awareness skills in job descriptions
– Ensure policies, user awareness, and training all match

10. Secure Configurations for Network Devices
Why it’s important:
– Firewalls, routers, and switches provide a first line of defense
– Even good configurations tend to go bad over time
  – Exceptions and changing conditions
– Attackers constantly look for flaws in these devices

Quick Wins
– Create documented configurations for these devices
– Periodically check actual devices against your standard configurations
– Turn on ingress/egress filtering at Internet connection points

11. Limitation and Control of Ports, Protocols, and Services
Why it’s important:
– Many systems install software automatically
  – Often in weak configurations
– These offer attackers entry points
– If you don’t need and use them, why give attackers that benefit?

Quick Wins
– Turn off unused services
  – If no complaints after 30 days, de-install them
– Use host-based firewalls with default-deny rules on all systems
– Port scan all servers and compare against the known intended configuration
– Remove unnecessary service components
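The drift check behind the two quick wins "check actual devices against your standard configurations" (control 10) and "port scan all servers and compare against known intended configuration" (control 11), as an added Python example that is not part of the original slides. The scan output (in nmap's grepable format), the hostnames, addresses and the per-host baseline are all constructed for illustration.

```python
"""Compare open ports from a scan against an intended per-host baseline."""
import re
from collections import defaultdict

# Constructed sample in nmap "grepable" (-oG) style; not output of a real scan.
SCAN_OUTPUT = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///
Host: 10.0.0.6 (db01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 111/filtered/tcp//rpcbind///
Host: 10.0.0.7 (unknown)\tPorts: 23/open/tcp//telnet///
"""

# Intended configuration (assumed): the TCP ports each known host should expose.
BASELINE = {
    "10.0.0.5": {22, 80, 443},
    "10.0.0.6": {22, 5432},
}

PORT_RE = re.compile(r"(\d+)/open/tcp")   # only ports reported as open count


def parse_open_ports(scan_text):
    """Return {host_ip: set(open TCP ports)} from grepable nmap output."""
    open_ports = defaultdict(set)
    for line in scan_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port in PORT_RE.findall(ports_field):
            open_ports[ip].add(int(port))
    return dict(open_ports)


def compare_to_baseline(observed, baseline):
    """Report drift: unexpected open ports, expected ports that are closed,
    hosts that are not in the baseline at all, and baseline hosts not scanned."""
    findings = []
    for ip, ports in observed.items():
        if ip not in baseline:
            findings.append((ip, "unknown host", sorted(ports)))
            continue
        extra, missing = ports - baseline[ip], baseline[ip] - ports
        if extra:
            findings.append((ip, "unexpected open ports", sorted(extra)))
        if missing:
            findings.append((ip, "expected ports not open", sorted(missing)))
    for ip in baseline:
        if ip not in observed:
            findings.append((ip, "host not seen in scan", []))
    return findings


if __name__ == "__main__":
    for ip, kind, ports in compare_to_baseline(parse_open_ports(SCAN_OUTPUT), BASELINE):
        print(f"{ip}: {kind} {ports}")
```

Run against a real scan, the same comparison turns a raw port list into an actionable list of services to remove or hosts to account for.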

12. Controlled Use of Administrative Privileges
Why it’s important:
– Administrative privilege gives attackers huge amounts of control
– The more legitimate users who have it, the more targets
  – Phishing attacks, drive-by downloads, password guessing, etc.

Quick Wins
– Use automated tools to validate who has administrative privileges
– Ensure all admin passwords/passphrases are long and complex
  – Force them to change often
– Change all default passwords on new devices
  – Firewalls, wireless access points, routers, operating systems, etc.

More Quick Wins
– Store passwords hashed or encrypted
  – With only privileged users allowed to access them, anyway
– Use access control to prevent administrative accounts from running user-like programs
  – E.g., web browsers, games, email
– Require different passwords for personal and admin accounts

Yet More Quick Wins
– Never share admin passwords
– Discourage use of Unix root or Windows Administrator accounts
– Configure password control software to prevent re-use of recent passwords
  – E.g., not used within the last six months
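Two of the password quick wins above, "store passwords hashed" and "prevent re-use of recent passwords (not used within the last six months)", carried through in code as an added Python example that is not from the original slides. It uses the standard library's scrypt for salted hashing; the 16-character minimum length and the in-memory store are assumptions made for the example.

```python
"""Salted password hashing plus a history check that rejects passwords
used within the last six months."""
import hashlib
import hmac
import os
import time

SIX_MONTHS = 182 * 24 * 3600   # reuse window from the slide, in seconds
MIN_LENGTH = 16                # assumed threshold for "long and complex"


def hash_password(password, salt=None):
    """Return (salt, digest); every new password gets a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison against a stored salt/digest pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class PasswordStore:
    """Per-account history of (set_time, salt, digest), newest entry last.
    Only hashes are kept, so the store never holds a cleartext password."""

    def __init__(self):
        self.history = {}

    def set_password(self, account, new_password, now=None):
        now = time.time() if now is None else now
        if len(new_password) < MIN_LENGTH:
            return False, "too short"
        entries = self.history.get(account, [])
        for i, (_, salt, digest) in enumerate(entries):
            # A password was "in use" until the next one replaced it.
            retired_at = entries[i + 1][0] if i + 1 < len(entries) else now
            if now - retired_at < SIX_MONTHS and verify_password(new_password, salt, digest):
                return False, "used within the last six months"
        self.history.setdefault(account, []).append((now,) + hash_password(new_password))
        return True, "ok"

    def check_login(self, account, password):
        """Verify against the current (newest) hash only."""
        entries = self.history.get(account)
        if not entries:
            return False
        _, salt, digest = entries[-1]
        return verify_password(password, salt, digest)
```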

13. Boundary Defense
Why it’s important:
– A good boundary defense keeps many attackers entirely out
– Even if they get in, proper use of things like a DMZ limits damage
– Important to understand where your boundaries really are

Quick Wins
– Blacklist known bad sites or whitelist sites you need to work with
  – Test that periodically
– Use a network IDS to watch traffic crossing a DMZ
– Use the Sender Policy Framework (SPF) to limit email address spoofing
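How an SPF record limits address spoofing, as an added Python example that is not part of the original slides: a receiving mail server looks up the sender domain's record and evaluates the connecting IP against it. This simplified evaluator handles only the ip4/ip6 mechanisms and all; include, a, mx, exists and ptr need DNS lookups and are treated as non-matching here. The record and addresses are constructed (documentation ranges).

```python
"""Evaluate a sending IP against an SPF record (ip4/ip6/all only)."""
import ipaddress

# Constructed record for an example domain; 192.0.2.0/24 and 2001:db8::/32
# are documentation ranges, not real mail servers.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("include", "a", "mx", "exists", "ptr")   # not evaluated here


def evaluate_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral for sender_ip, or permerror for a
    malformed record. Mechanisms are tested left to right; first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        base = name.lower().split("/")[0]    # "a/24" style prefix lengths
        if base == "all":
            return QUALIFIER_RESULT[qualifier]
        if base in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        if base in DNS_MECHANISMS or "=" in base:
            continue                         # needs DNS, or is a modifier
        return "permerror"                   # unknown mechanism
    return "neutral"                         # no "all" and nothing matched
```

A record ending in -all (fail) lets receivers reject spoofed mail outright; ~all (softfail) only marks it, which is the usual first step while a domain's legitimate senders are still being enumerated.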

14. Maintenance, Monitoring and Analysis of Security Logs
Why it’s important:
– Logs are often the best (sometimes the only) source of information about an attack
– If properly analyzed, you can learn what’s happening on your machines
– If not, you’re in the dark

Quick Wins
– Ensure all machines have reasonably synchronized clocks (e.g., use NTP)
– Include audit log settings as part of the standard configuration
  – And check that
– Ensure you have enough disk space for your logs

More Quick Wins
– Use a log retention policy to ensure you keep logs long enough
– Fully log all remote accesses to your machines
– Log all failed login attempts and failed attempts to access resources
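What "properly analyzed" failed-login logs can reveal, as an added Python example that is not part of the original slides: it parses sshd-style auth log lines, flags any source with a burst of failures, and then reports a later successful login from a flagged source, which is the case worth an analyst's attention. The log lines are constructed (documentation addresses), and because syslog timestamps carry no year, the year is an assumed parameter.

```python
"""Failed-login burst detection over sshd-style auth log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the usual syslog/sshd layout; not a real log.
LOG_LINES = """\
Mar 16 02:14:01 web01 sshd[2310]: Failed password for invalid user oracle from 198.51.100.23 port 51022 ssh2
Mar 16 02:14:03 web01 sshd[2312]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar 16 02:14:04 web01 sshd[2314]: Failed password for root from 198.51.100.23 port 51031 ssh2
Mar 16 02:14:06 web01 sshd[2316]: Failed password for admin from 198.51.100.23 port 51040 ssh2
Mar 16 02:14:09 web01 sshd[2318]: Failed password for root from 198.51.100.23 port 51044 ssh2
Mar 16 02:20:40 web01 sshd[2350]: Failed password for alice from 10.0.0.40 port 40112 ssh2
Mar 16 02:20:55 web01 sshd[2351]: Accepted password for alice from 10.0.0.40 port 40113 ssh2
Mar 16 02:31:10 web01 sshd[2377]: Accepted publickey for root from 198.51.100.23 port 51100 ssh2
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(TS + r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPT_RE = re.compile(TS + r"Accepted \S+ for (\S+) from (\S+)")


def parse_ts(text, year=2017):
    """Syslog timestamps have no year; the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze(lines, threshold=5, window=60):
    """Return ({source: time the burst completed}, [(ts, user, source) for
    accepted logins from a flagged source at or after its burst])."""
    failures, accepts = defaultdict(list), []
    for line in lines.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m.group(3)].append(parse_ts(m.group(1)))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepts.append((parse_ts(m.group(1)), m.group(2), m.group(3)))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):   # sliding window of size threshold
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged[src] = times[i + threshold - 1]
                break
    success_after_burst = [(ts, user, src) for ts, user, src in accepts
                           if src in flagged and ts >= flagged[src]]
    return flagged, success_after_burst
```

The same pattern applies to "failed attempts to access resources": swap the regexes for the application's own denial messages and keep the windowed count.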

15. Controlled Access Based on Need to Know
Why it’s important:
– If all your machines/users can access critical data, an attacker can win by compromising anything
– If data is kept only on protected machines, attackers have a harder time

Quick Wins
– Put all sensitive information on separate VLANs
– Encrypt all sensitive information crossing the network
  – Even your own internal network