Website Hardening HUIT IT Security | Sep 30 2011.


Agenda: Introduction; Anatomy of an Attack; Recommendations; Q & A; Demos

Introduction

Content is the cornerstone of information management. The web delivers that content, and the model for serving it has progressed from on-site hosting to managed hosting and is now moving to cloud computing. With this evolution come new challenges in protecting both institutional reputation and data. Attackers have shifted their focus from infrastructure resources to the application code itself, so a holistic strategy is critical.

A new breed of attacker is focusing on these "soft" targets. These attackers seek a widespread audience for their agenda and use anyone who leaves themselves open to compromise as a platform to spread their message. "Cyber-hacktivists" with personal, political or other motivations have proven adept enough at their craft to gather their share of recent headlines.

In light of several recent web application compromises across campus, we would like to share specific recommendations and best practices resulting from our investigation into those compromises. These suggestions complement existing hardening guidance.

Anatomy of an Attack
Before we dive into the details, Chris Fahey will take us through an attack.

Recommendations
As web application attacks continue to increase in frequency, we must integrate a thorough approach to security throughout the delivery stack. In our experience, the guidance for hardening networks and hosts also offers a framework for approaching web application security. Everyone benefits from proactive measures taken now, in advance of any eventual compromise.

In general:
- Build and integrate security into the application
- Assess and remediate vulnerabilities and risks
- Implement strong access control measures
- Leverage controls in the web server and application framework
- Log use and monitor
- Document and maintain policies and procedures
- Raise awareness and educate

The suggestions below complement existing controls:
- Risk management and compliance
- Host hardening
- Network hardening
- User education and awareness
- You've been hacked: now what?

Recommendation | Benefit | Effort to Implement | Availability
Remind staff of password policies | Prevent passwords from being cracked and, by not reusing them across sites, limit the scope of a compromise to a single site. | Low | Immediate: Eureka! Security
Confirm computers have basic security protections in place | Protect computers against malicious software. | Low | Immediate: inspect computers to verify that patching is enabled and antivirus is installed
Scan web applications for security vulnerabilities | Reduce the risk of a vulnerability being exploited and resulting in a compromise. | Moderate | Immediate: via the IT Security Code Analysis service

Recommendation | Benefit | Effort to Implement | Availability
Configure SSL (today, TLS) on the web site | Encrypt sessions to reduce the risk of login credentials being stolen in transit. | Low | Immediate
Limit access to the web administration interface to secure, trusted IP addresses only | Allow only the VPN server to reach the administration interface, so an attacker needs VPN credentials as well as a site password. | Moderate | Immediate: HUIT can provision a VPN; a VPN client is installed on staff computers and staff are trained
Replace administrator passwords with a digital password vault | Manage credentials with elevated privileges so that passwords cannot be cracked or shared informally. | Moderate | February 2012
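The admin-interface and SSL rows above are normally enforced in the web server or firewall configuration, but the decision logic is worth seeing spelled out, because the common mistake is to trust a client-supplied X-Forwarded-For header when the site sits behind a reverse proxy. The following is an added example, not code from the HUIT deck: a small WSGI middleware that refuses any request under an assumed /admin/ prefix unless it arrived over TLS and from an assumed VPN pool (10.8.0.0/24), honouring X-Forwarded-For only when the TCP peer is an assumed, operator-controlled proxy at 192.0.2.10, and then only the last hop that proxy appended. All of those addresses and the path prefix are illustrative assumptions.

```python
"""Gate a web admin interface: TLS only, and only from trusted (VPN) addresses.

Added example, not code from the HUIT deck. Everything below is assumed for
illustration: the admin UI lives under /admin/, VPN clients get addresses in
10.8.0.0/24, and the app sits behind one reverse proxy at 192.0.2.10 that
appends the client address to X-Forwarded-For.
"""
import ipaddress
from typing import Optional

ADMIN_PREFIX = "/admin/"
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.8.0.0/24")]   # assumed VPN pool
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}       # assumed reverse proxy


def client_address(environ: dict):
    """Return the address the access decision is made on.

    X-Forwarded-For is attacker-controlled unless the TCP peer is a proxy we
    operate, so it is honoured only when REMOTE_ADDR is a trusted proxy, and
    then only its last element (the hop that proxy saw directly). Anything an
    attacker prepends to the header is ignored.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if peer not in TRUSTED_PROXIES:
        return peer
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if not hops:
        return peer
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        # Malformed header: fall back to the proxy's own address, which is
        # not in the VPN pool, so the request is refused rather than waved in.
        return peer


def admin_gate(environ: dict) -> Optional[str]:
    """Return a refusal reason for requests that must not reach the app, else None."""
    if not environ.get("PATH_INFO", "").startswith(ADMIN_PREFIX):
        return None                                   # public pages are unaffected
    if environ.get("wsgi.url_scheme") != "https":
        return "admin interface requires TLS"         # never expose the admin session in clear text
    addr = client_address(environ)
    if not any(addr in net for net in TRUSTED_ADMIN_NETS):
        return "admin interface is reachable only from the VPN"
    return None


class AdminGate:
    """WSGI middleware that applies admin_gate() in front of any application."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        reason = admin_gate(environ)
        if reason is None:
            return self.app(environ, start_response)
        body = reason.encode()
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def request(path, scheme, remote_addr, xff=None) -> dict:
    """Build a minimal WSGI environ (constructed test input, not a captured request)."""
    env = {"PATH_INFO": path, "wsgi.url_scheme": scheme, "REMOTE_ADDR": remote_addr}
    if xff is not None:
        env["HTTP_X_FORWARDED_FOR"] = xff
    return env


if __name__ == "__main__":
    cases = [
        request("/admin/", "https", "10.8.0.5"),                              # VPN client, direct
        request("/admin/", "https", "203.0.113.7"),                           # Internet client
        request("/admin/", "https", "192.0.2.10", "10.8.0.5"),                # VPN client via our proxy
        request("/admin/", "https", "203.0.113.7", "10.8.0.5"),               # spoofed header, not via proxy
        request("/admin/", "https", "192.0.2.10", "10.8.0.5, 203.0.113.7"),   # attacker-prepended hop
        request("/admin/", "http", "10.8.0.5"),                               # VPN client but clear text
        request("/", "http", "203.0.113.7"),                                  # public page
    ]
    for env in cases:
        print(env["PATH_INFO"], env["wsgi.url_scheme"], env["REMOTE_ADDR"],
              env.get("HTTP_X_FORWARDED_FOR", "-"), "->", admin_gate(env) or "allowed")
```

The same rule applies when the restriction lives in Apache, nginx or a firewall: the allow-list must be evaluated against the address the proxy actually connected from (or the last hop a trusted proxy appended), and the clear-text listener should never serve the administration path at all, not merely redirect it, since the browser may already have sent the session cookie.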

Recommendation | Benefit | Effort to Implement | Availability
Perform an IT risk assessment of the web application | Ensure the security controls needed to comply with the University's Enterprise Information Security Policy exist. | Low | Immediate: via the IT Security Consulting service
Monitor network traffic to the web site | Proactively detect suspicious activity and notify the support team for a timely response. | Moderate | Near term: collaborate with HUIT Cyber Security
Content auditing | Log changes to site content and notify the support team for a timely response. | Difficult | Long term

Recommendation | Benefit | Effort to Implement | Availability
Monitor the web site for malicious code and notify if detected | 24x7x365 monitoring by an external vendor to proactively detect malicious application code running on the web site and notify the support team for a timely response. | Moderate | Near term: evaluate several vendors and subscribe to the best service
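The "content auditing" row on the previous slide and the "monitor for malicious code" row here are two halves of one control: know what the web root is supposed to contain, notice when it changes, and look at what changed. The following is an added example, not code from the HUIT deck, using only the Python standard library. It records a SHA-256 baseline of every file under a web root, reports files added, removed or modified since, and scans the changed files for a few constructed markers typical of dropped PHP backdoors and hidden iframes. The web root layout, the baseline location and the marker list are assumptions made for illustration; a real deployment would carry its own tuned list.

```python
"""Content auditing for a web root: record a baseline of file hashes, report
files added, removed or modified since, and flag markers typical of injected
code in anything that changed.

Added example, not code from the HUIT deck; standard library only. The web
root layout, the baseline location and the injection markers are assumptions
made for illustration.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Markers that commonly show up in dropped PHP/JS payloads. Constructed for
# this example; a real site would keep its own tuned list.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),                       # encoded PHP backdoor
    re.compile(rb"<iframe[^>]+(?:display:\s*none|width=[\"']?0)", re.I),  # hidden iframe
    re.compile(rb"document\.write\s*\(\s*unescape\s*\("),                 # obfuscated JS injection
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def diff_snapshots(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
    }


def scan_for_injection(path: Path) -> List[str]:
    """Source patterns of SUSPICIOUS_PATTERNS that match the file's bytes."""
    data = path.read_bytes()
    return [pat.pattern.decode() for pat in SUSPICIOUS_PATTERNS if pat.search(data)]


def audit(root: Path, baseline_file: Path) -> dict:
    """Compare root with the stored baseline; create the baseline on first run.

    Keep baseline_file outside the web root (ideally on another host) and run
    this as a user that can read but not write the web root; otherwise the
    attacker who changed the content can also update the record of it.
    """
    current = snapshot(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1, sort_keys=True))
        return {"initialised": True, "files": len(current)}
    baseline = json.loads(baseline_file.read_text())
    changes = diff_snapshots(baseline, current)
    suspicious = {}
    for rel in changes["added"] + changes["modified"]:
        hits = scan_for_injection(root / rel)
        if hits:
            suspicious[rel] = hits
    return {"initialised": False, "changes": changes, "suspicious": suspicious}


def demo() -> dict:
    """Build a constructed web root, baseline it, simulate a compromise, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "js").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "js" / "site.js").write_text("console.log('ok');\n")
        baseline = Path(tmp) / "baseline.json"      # outside the web root
        audit(root, baseline)                       # first run records the baseline
        # Simulated compromise: a dropped backdoor and a hidden iframe in the index page.
        (root / "img.php").write_text("<?php eval(base64_decode($_POST['c'])); ?>\n")
        (root / "index.php").write_text(
            "<?php echo 'hello'; ?>\n"
            "<iframe src='http://bad.example/' style='display:none'></iframe>\n")
        return audit(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run audit() from a scheduled job and page the support team whenever "changes" is non-empty; a legitimate deployment should be followed by refreshing the baseline, so that the next alert is only ever about something nobody pushed. The marker scan is deliberately a second, weaker signal: an unexplained change to the web root is the alert, and a pattern hit only raises its priority.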

Q & A
The objective of risk management is one of:
- Mitigate
- Remediate
- Transfer, or
- Accept

IT Security Contact Info
Helpdesk at x
These slides will be on

Demos: Password Vaults; Tenable; Hailstorm

Esmond Kane | Website Hardening, September 30, 2011. Thank you.