This document summarizes Marco Ermini's presentation on achieving PCI-DSS compliance through network security implementations. The presentation discusses using network-based approaches to meet various PCI-DSS requirements, including using network security scanners to verify password security, patch management, and system hardening. It also addresses using intrusion detection/prevention systems, web application firewalls, and database activity monitors to help meet encryption, access control, and logging requirements.
Best practices in NIPS - Brighttalk - January 2010 (EQS Group)
Marco Ermini, Network Security Manager, will discuss his best practices for Network Intrusion Detection and Prevention, deployment of the overall NIDS/NIPS infrastructure, and network vulnerability.
The document summarizes the components, purpose, and strategies of a security policy for T.Z.A.S.P. Mandal's Pragati College. It discusses the need for security policies to protect data, networks, and computing resources. The key components outlined include access policies, privacy policies, and guidelines for acceptable use, purchasing, authentication, availability, and violation reporting. Strategies discussed are host security, user authentication, password protection, firewalls, demilitarized zones, and encryption. The purpose is to inform users of security requirements and provide a baseline for compliance.
Importance of Using Firewall for Threat Protection (HTS Hosting)
Do you want to learn about firewalls and their importance in protecting the data and files from viruses, malware, and hackers? If yes, then this brief information is ideal for you to expand your knowledge about firewalls and encourage you to install one to protect your data and other files from malware.
This document discusses computer networks and network security. It defines what a network is and its components. It describes the benefits of networks and different network types and topologies. It then defines network security and discusses common security threats. It outlines techniques to secure networks such as firewalls, intrusion detection systems, encryption, and identity services. The document stresses the importance of network security and provides tips to enhance security.
Dr. Eric Cole - 30 Things Every Manager Should Know (Nuuko, Inc.)
The document outlines 30 questions that every manager should ask about their organization's network security. It covers topics such as network architecture, firewalls, intrusion detection systems, wireless security, encryption, backups, disaster recovery, patching, and monitoring. The questions are meant to help managers track and validate the security of their network and systems.
The document outlines objectives for day 1 of a training on network security and hacking techniques, including hardening Linux and Windows 2000 systems, analyzing software vulnerabilities and attacking techniques, and discussing elements of network security like confidentiality, integrity, availability, and models for access control. It also provides details on installation and configuration of Linux operating systems for network security.
The document discusses network security and provides information on various types of network security measures. It defines network security as an organization's strategy to secure all network traffic and assets by managing access to the network. It also describes 14 common types of network security, including antivirus software, firewalls, email security, mobile device security, and network access control. The types are defined in 1-2 sentences each. The document aims to provide an overview of network security for organizations to protect their networks and reputation from increasing cyber threats.
It's 2012 and My Network Got Hacked - Omar Santos (santosomar)
Many times security professionals, network engineers, and management ask "why did I spend all this money on network security equipment if I still got hacked?" For example, questions like these often run through their minds: "Am I not buying the right security products? Am I not configuring or deploying them correctly? Do I have the right staff to run my network?" The security lifecycle requires measuring the current network state, creating a baseline and providing constant improvements. This presentation will cover several real-life case studies on how different network segments were compromised despite state-of-the-art network security technologies and products being deployed. We will go over several security metrics that you should understand in order to better protect your network.
Omar Santos is an Incident Manager at Cisco's Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Omar has delivered numerous technical presentations at several venues, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of 4 Cisco Press books and two more in the works.
This document provides an overview of a computer and network security course. It discusses what topics will and won't be covered, including security threats, protocols, cryptography, and practical security issues but not advanced cryptography or computer networks. It also defines key security concepts like the CIA triad of confidentiality, integrity and availability. Additional topics covered include security attacks, services, and mechanisms like encryption, authentication, access control and intrusion detection.
Network security is important to protect systems from attacks. Firewalls act as the first line of defense, blocking unauthorized incoming and outgoing network traffic based on security rules. Different types of firewalls operate at different layers of the OSI model and provide varying levels of security. No single security measure can guarantee protection, so a defense-in-depth approach using firewalls along with other tools like intrusion detection systems is recommended.
The document discusses 5 common mistakes organizations make when deploying intrusion detection systems (IDS).
1. Not ensuring the IDS can see all network traffic by improperly planning its infrastructure placement.
2. Deploying an IDS but not reviewing the alerts it generates, diminishing its value as a detection system.
3. Deploying an IDS that generates alerts but having no response policy or understanding of normal vs anomalous activity.
4. Being overwhelmed by a high volume of alerts without properly tuning the IDS to the environment.
5. Not accepting the inherent limitations of signature-based IDS to detect new exploits without updated signatures.
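Mistake 4 above is usually fixed not by deleting rules but by rate-limiting the ones that fire in bursts. The following is an added Python example, not code from the document, that reimplements the three event-filter modes Snort offers (limit, threshold, both) and runs them over a constructed alert stream: a port scan that fires one signature a hundred times in ten seconds, a repeat two minutes later, and three unrelated alerts that must survive tuning. The signature ids and addresses are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One IDS alert. ts is epoch seconds; sid is the rule (signature) id."""
    ts: float
    sid: int
    src: str
    dst: str


class EventFilter:
    """Rate-limits alerts for one sid the way Snort's event_filter does.

    kind == "limit":     pass the first `count` alerts per `seconds` window
                         from one tracked host, suppress the rest
    kind == "threshold": pass every `count`-th alert inside the window
    kind == "both":      pass a single alert per window, and only once
                         `count` alerts have been seen in it
    """

    def __init__(self, sid, kind, track, count, seconds):
        assert kind in ("limit", "threshold", "both")
        assert track in ("by_src", "by_dst")
        self.sid, self.kind, self.track = sid, kind, track
        self.count, self.seconds = count, seconds
        # tracked host -> (window_start, alerts_seen, fired_this_window)
        self.state = {}

    def accept(self, alert):
        if alert.sid != self.sid:
            return True  # the filter applies to one signature only
        host = alert.src if self.track == "by_src" else alert.dst
        start, seen, fired = self.state.get(host, (alert.ts, 0, False))
        if alert.ts - start >= self.seconds:
            start, seen, fired = alert.ts, 0, False  # new window
        seen += 1
        if self.kind == "limit":
            out = seen <= self.count
        elif self.kind == "threshold":
            out = seen % self.count == 0
        else:
            out = seen >= self.count and not fired
            fired = fired or out
        self.state[host] = (start, seen, fired)
        return out


def apply_filters(alerts, filters):
    """Feed alerts in time order and keep those every filter passes.
    Use at most one filter per sid so filters do not interact."""
    return [a for a in sorted(alerts, key=lambda a: a.ts)
            if all(f.accept(a) for f in filters)]


def build_sample_alerts():
    """Constructed alert stream (not a real capture): a scan from 10.0.0.5
    firing sid 1000001 100 times in ten seconds, a 5-alert repeat two
    minutes later, and three sid 1000002 alerts from three different
    hosts that must not be suppressed."""
    scanner = "10.0.0.5"
    alerts = [Alert(i * 0.1, 1000001, scanner, f"10.0.1.{i % 254 + 1}")
              for i in range(100)]
    alerts += [Alert(120.0 + i * 0.1, 1000001, scanner, "10.0.1.9")
               for i in range(5)]
    alerts += [Alert(3.0 + i, 1000002, f"10.0.0.{7 + i}", "10.0.1.20")
               for i in range(3)]
    return alerts


if __name__ == "__main__":
    stream = build_sample_alerts()
    for kind, count in (("limit", 1), ("threshold", 10), ("both", 10)):
        kept = apply_filters(stream, [EventFilter(1000001, kind, "by_src", count, 60)])
        print(f"{kind:9s} count={count:2d}: {len(stream)} alerts -> {len(kept)} shown")
```

With "limit, count 1, seconds 60" the 105 scan alerts collapse to two (one per window) while the three other alerts pass untouched; "threshold" shows every tenth scan alert, and "both" fires once per window but only after the burst proves itself. The window resets when the scanner returns two minutes later, which is what the analyst wants to see.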
This document discusses network hacking techniques. It describes ARP spoofing attacks, including generating spoofed ARP replies to redirect traffic. It also discusses sniffing attacks, session hijacking, and tools used for these attacks like Ettercap and Dsniff. Detection methods are outlined, though the document notes most older operating systems lacked detection. Hypothetical detection applications are proposed to track ARP entries and identify spoofing.
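The detection application the document only sketches can be written in a few dozen lines. The following is an added Python example, not code from the document, that parses raw Ethernet/ARP frames and applies two passive checks: a reply that answers no outstanding request, and an IP whose MAC differs from the binding first learned or statically configured. The frames it runs over are constructed in the script (a victim resolving its gateway, then an attacker poisoning both sides); the MAC and IP addresses are made up.

```python
import struct
from ipaddress import IPv4Address

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame. Used here only to construct test traffic;
    a real detector would read frames from a raw socket or pcap."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = ETH.pack(mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), IPv4Address(spa).packed,
                   mac_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_text(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_text(tha), "tpa": str(IPv4Address(tpa))}


class ArpWatcher:
    """Passive ARP spoofing detector.

    1. "unsolicited_reply": a reply that answers no request we saw, which is
       how poisoning tools work. Gratuitous ARP at boot or during failover
       looks the same, so treat this one as low severity on its own.
    2. "binding_changed": an IP now claimed by a different MAC than the one
       first learned (or seeded statically, e.g. for the gateway). The original
       binding is kept so every further spoofed reply keeps alerting.
    """

    def __init__(self, static_bindings=None):
        self.table = dict(static_bindings or {})  # ip -> mac
        self.pending = set()                      # (requester ip, target ip)
        self.alerts = []

    def _learn(self, ip, mac):
        known = self.table.setdefault(ip, mac)
        if known != mac:
            self.alerts.append(("binding_changed", ip, known, mac))

    def feed(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
            self._learn(a["spa"], a["sha"])
        elif a["op"] == ARP_REPLY:
            if (a["tpa"], a["spa"]) in self.pending:
                self.pending.discard((a["tpa"], a["spa"]))
            else:
                self.alerts.append(("unsolicited_reply", a["spa"], a["sha"]))
            self._learn(a["spa"], a["sha"])


def run_demo():
    """Constructed scenario: the victim resolves the gateway legitimately, then
    an attacker poisons both sides to sit in the middle. Addresses are made up."""
    victim, victim_mac = "10.0.0.10", "02:00:00:00:00:10"
    gateway, gateway_mac = "10.0.0.1", "02:00:00:00:00:01"
    attacker_mac = "02:00:00:00:00:66"
    w = ArpWatcher()
    w.feed(build_arp(ARP_REQUEST, victim_mac, victim, "00:00:00:00:00:00", gateway))
    w.feed(build_arp(ARP_REPLY, gateway_mac, gateway, victim_mac, victim))    # legitimate answer
    w.feed(build_arp(ARP_REPLY, attacker_mac, gateway, victim_mac, victim))   # poison the victim
    w.feed(build_arp(ARP_REPLY, attacker_mac, victim, gateway_mac, gateway))  # poison the gateway
    return w


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert)
```

The two spoofed replies each produce both alerts; the gateway's real answer produces none because the victim's request is still pending when it arrives. Seeding `static_bindings` with the gateway's MAC means the first check fires even if the attacker speaks before any legitimate reply is seen.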
Honeypots for Cloud Providers - SDN World Congress (Vallie Joseph)
1. Cloud providers face new security challenges with software-defined networking and network function virtualization technologies, as virtualized network appliances can now be remotely accessed and hacked.
2. Honeypots can help by diverting attacks to isolated, monitored systems, collecting valuable attacker data without risk to real systems. Analytics of honeypot data can reveal attack patterns to predict future threats.
3. Pairing honeypots with cloaking technologies provides layered defenses, and honeypot data analytics could enable new "security as a service" offerings from cloud providers.
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch! (Michele Chubirka)
This document provides an overview of network security architectures and firewalls. It discusses challenges with current firewall models and compliance-focused approaches. Recommendations include establishing an information classification matrix to design network segmentation, focusing on containment and monitoring over rules, and integrating security into the overall enterprise architecture using frameworks like OSA and SABSA. References are provided for additional information on these topics.
This document discusses several types of computer security risks and methods to reduce risks. It describes common computer crimes like software piracy, hacking, and computer sabotage using malware. It also discusses how these risks affect personal privacy and intellectual property. Finally, it provides recommendations for protecting systems through physical access restrictions, passwords, firewalls, encryption, backups, and RAID technology to safeguard data integrity and availability.
Certified Information Systems Security Professional (CISSP) Domain “access co... (master student)
The document discusses access control, which is the first domain of the CISSP certification. It defines CISSP and provides an overview of the 10 domains. It then discusses definitions of access control, different types of attacks, and methodologies for access control including administrative, technical, and physical controls. Identification and authentication methods are also explained such as passwords, biometrics, and single sign-on. The document concludes by reiterating the goal of access control is to protect resources from unauthorized access.
This document provides an overview of intrusion detection and data loss prevention. It discusses the challenges of data loss and how data loss prevention (DLP) addresses them. DLP helps organizations discover where sensitive data is located, monitor how it is being used, and protect it from leaving the network without authorization. The presentation outlines how DLP works and provides examples of how DLP can be used to fix exposed data, protect intellectual property and customer information, and continuously reduce security risks.
The document discusses network security and its goals of confidentiality, integrity, and availability. It defines network security as rules and configurations to protect computer networks and data using software and hardware technologies. The three goals of network security are outlined as preventing disclosure of sensitive information, protecting systems from modification, and ensuring systems are accessible when needed. Security administration involves policies, standards, guidelines and procedures to support security policies and accomplish security tasks.
This document describes the software requirements and specifications for building network intrusion detection and prevention systems using Snort and Iptables. It outlines the system requirements including the operating system, firewall, and servers needed. It then describes the key tools used - Snort for intrusion detection, BASE for analyzing Snort alerts, Wireshark for packet analysis, Iptables for firewall rules, and scripting for automation. Finally, it provides an overview of the web development tools used to create interfaces for managing rule sets.
Network Attack and Intrusion Prevention System (Deris Stiawan)
(1) The document discusses network attack and intrusion prevention systems. It describes how intrusion prevention systems (IPS) aim to detect and block threats in online traffic in real-time, beyond just detecting threats like intrusion detection systems (IDS).
(2) Feature extraction from network traffic is important for IPS to analyze without being overwhelmed by raw data. The document examines relevant features to monitor and criteria for deciding what is important to track.
(3) Experimental testing is needed to evaluate IPS performance. The document outlines stages for training systems, testing methodologies, and summarizing test results. This helps an IPS avoid unexpected outcomes and ensures continuous monitoring.
This document provides an overview of intrusion detection systems (IDS) and Snort, an open source network-based IDS. It discusses the basic requirements, types (network-based, host-based, distributed), and approaches of IDS. It then focuses on Snort, describing its modes of operation, packet sniffing capabilities, and network intrusion detection. Key terms related to IDS are also defined. The document aims to introduce readers to IDS and Snort for monitoring network traffic and detecting intrusions and threats.
The document discusses the Mako System, a managed services platform for broadband networking, and how it helps businesses achieve and maintain PCI DSS compliance for accepting credit card payments. The Mako System provides appliances and a central management platform that addresses all PCI network security requirements. It monitors POS networks, controls terminal connectivity, and ensures only authorized communication with payment gateways. Using the Mako System reduces costs and support needs compared to traditional networking solutions for PCI compliance.
The document discusses pixel pitch, which is the distance between pixels on a display screen. A lower pixel pitch means higher pixel density and resolution. Pixel pitch is important for LED displays and determines the minimum viewing distance before images appear pixelated. The optimal pixel pitch depends on factors like intended content, viewing distance and duration, and tolerance for pixelation. A higher pixel pitch is less costly but requires a greater minimum viewing distance. Understanding pixel pitch helps ensure displays meet needs for clarity and sharpness based on their application and audience.
This slide deck explains the design and implementation of a firewall, and also covers the need for firewalls and their capabilities.
In this 45-minute webinar ControlCase will discuss the following in the context of PCI DSS and PA DSS:
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
- Q&A
Realex Payments is a PCI DSS compliant online payments provider that processes billions in payments annually. They aim to simplify PCI compliance for businesses through their hosted payment solutions. Realex claims they can help businesses reduce PCI audit costs by up to 70% and reduce total PCI requirements by up to 96% by using a hosted payment page that is already PCI compliant. They provide a case study of a customer, allpay, who was able to reduce their PCI overheads by 70% after partnering with Realex.
The document discusses upgrading Snort from an intrusion detection system (IDS) to an intrusion prevention system (IPS) to provide active network traffic control. An IDS operates in detection mode only, fed by a mirrored copy of the traffic (port mirroring), while an IPS sits inline on the original traffic path and can actively block threats. The document provides instructions for configuring Snort in inline mode between two network segments using two network cards and iptables rules to redirect traffic. It notes that Snort IPS provides transparent control and flexibility through multiple queues and rule sets when using the NFQ module.
The document discusses implementing the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security standards that aim to protect cardholder data. Any company that processes, stores, or transmits card data must comply with PCI DSS. The standard contains 12 requirements across 6 goal areas: build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. The document provides examples of key steps under each requirement to help organizations implement PCI DSS effectively. Non-compliance can result in fines, loss of merchant accounts, and reputational damage.
Building PCI Compliance Solution on AWS - Pop-up Loft Tel Aviv (Amazon Web Services)
PCI-DSS is one of the most popular compliance regulations facing most customers on the cloud. In this session we will take a look at a reference architecture that will provide you with guidelines and strategies to design a PCI compliant environment. By Lahav Savir, Emind CEO & Architect
PCI DSS requires organizations to make compliance a business-as-usual activity instead of an annual audit exercise. ControlCase covers the following in this presentation:
- PCI DSS requirements that can be made business as usual
- PCI DSS processes that can be made business as usual
- Techniques and methodologies
- Evidence to be provided to QSA for compliance
- Key success factors
- Challenges
Firewalls can effectively protect networks from external threats while allowing access to outside networks. There are different types of firewalls that use packet filtering, application gateways, or circuit gateways. More complex firewall configurations provide multiple layers of defense by using screened subnets or dual-homed bastion hosts. Trusted systems aim to enhance security through mandatory access control and multilevel security models enforced by a reference monitor.
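Packet filtering, as described above, is first-match evaluation over an ordered rule list with an implicit default deny, and the classic operational failure is a rule that can never fire because an earlier, broader rule covers it. The following is an added Python example, not code from the summarized document, that evaluates packets against such a rule list and also finds shadowed rules. The screened-subnet policy it checks (DMZ 192.0.2.0/24, internal 10.0.0.0/8, a "temporary" allow-all rule into the DMZ) is constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule, pkt):
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(rules, pkt):
    """First-match evaluation. Returns (action, index of the rule that fired);
    ("deny", None) is the implicit default deny at the end of the list."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def covers(outer, inner):
    """True if every packet `inner` could match is also matched by `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and (outer.dport is None or outer.dport == inner.dport)
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst)))


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule covers them, as
    (shadowed index, shadowing index) pairs. A shadowed deny is the dangerous
    case: the author believes the traffic is blocked, but the earlier allow wins."""
    found = []
    for j, rule in enumerate(rules):
        for i in range(j):
            if covers(rules[i], rule):
                found.append((j, i))
                break
    return found


# Constructed screened-subnet policy: DMZ is 192.0.2.0/24, internal is 10.0.0.0/8.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", 80),
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", 443),
    Rule("allow", "any", "0.0.0.0/0", "192.0.2.0/24", None),    # "temporary" troubleshooting rule
    Rule("deny",  "tcp", "0.0.0.0/0", "192.0.2.0/24", 22),      # meant to block SSH from outside
    Rule("allow", "tcp", "192.0.2.10/32", "10.0.0.0/8", 5432),  # only the web server reaches the DB
    Rule("deny",  "any", "192.0.2.0/24", "10.0.0.0/8", None),   # nothing else crosses DMZ -> internal
]
FIXED = RULES[:2] + RULES[3:]   # the same policy with the broad rule removed

if __name__ == "__main__":
    ssh_from_internet = Packet("tcp", "203.0.113.7", "192.0.2.10", 22)
    print("with broad rule:   ", decide(RULES, ssh_from_internet), shadowed_rules(RULES))
    print("without broad rule:", decide(FIXED, ssh_from_internet), shadowed_rules(FIXED))
```

With the broad rule in place, SSH from the Internet to the DMZ is allowed by rule 2 and the deny at index 3 is reported as shadowed; removing the broad rule makes the deny effective and leaves no shadowed rules. Traffic that matches nothing (UDP from the Internet straight into the internal range) falls through to the default deny. Stateful tracking and the application-gateway and circuit-gateway types the summary mentions are not modelled here.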
Best practices in NIPS - IDC Sofia - March 2010 (EQS Group)
They were called "Network Intrusion Detection Systems" first; today we call them "Network Intrusion Prevention Systems". Those tools have been around for several years, and are now experiencing a second youth now that they are part of new compliance requirements and help in meeting your mitigation measures and policies. But are those systems really useful, and do they provide an effective security tool? Many say that, if not implemented correctly, they can be easily bypassed. Is that true? And if so, how should I implement them? Is my current deployment really optimal? Are NIPS really worth their (high) cost? This presentation aims at shedding some light, or at least at giving some tools, to start looking at NIPS from a more realistic point of view, outside of the vendors' hype.
Protect the data - Cyber security - Breaches - Brand/Reputation – Pa Al
Protecting data is essential and requires full executive support and comprehensive policies. Big data and cloud data must be secured through strong access controls, encryption, firewalls, and anti-malware detection. A layered security approach is needed including physical security, forensics capabilities, and innovation to stay ahead of evolving threats. Cutting costs on data protection risks losing customers, reputation and intellectual property.
The document discusses the limitations of being PCI DSS compliant and argues that true security requires going beyond basic compliance. It notes that compensating controls allow organizations to not fully meet requirements, and questions whether organizations with privileged user access, unencrypted data, and incomplete monitoring can truly detect or prevent unauthorized access. The document advocates for encryption of cardholder data and comprehensive monitoring to protect against insider threats.
You may be compliant, but are you really secure? – Thomas Burg
Presented by Greg Swedosh from Knightcraft Technology (www.knightcraft.com) at NonStop Bootcamp 2014.
This presentation explains why being PCI compliant does *not* equal being secure. While this is a general statement, the presentation does focus on the HP NonStop platform.
Excerpt from a summary slide:
Without a strong commitment to security by the executive team, being compliant only provides a false sense of security.
It often just becomes about ticking boxes and “filling gaps”.
Where there is no serious commitment to security, an organization will always be significantly more vulnerable.
IBM Share Conference 2010, Boston, Ulf Mattsson – Ulf Mattsson
This document discusses approaches to data protection beyond basic PCI compliance. It presents case studies of organizations using encryption to protect credit card data across various systems. It evaluates options like encryption, tokenization, and monitoring and argues a risk-adjusted approach is best. Centralized key management and policy can provide control while balancing security, performance and transparency across different data types and environments like cloud.
This document provides an overview of the Secure Software Development Lifecycle (SSDLC). It discusses how SSDLC differs from traditional development by focusing on security requirements, design, testing, and operations. Key aspects include threat modeling to identify risks, the principle of least privilege, extensive testing and logging, and having policies and response plans for security incidents. The goal of SSDLC is to build resilience, stability, and trust into software through a more proactive and defensive approach throughout the entire development lifecycle.
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers – ITExamAnswers.net
This document contains the answers to exam questions for IT Essentials (ITE v6.0 + v7.0) Chapter 13. It discusses topics related to computer security including asymmetric encryption, hashing algorithms, social engineering, DDoS attacks, Windows features for encrypting files and drives, firewall types, malware types, and security best practices. The answers provided explanations for each multiple choice question to help students learn about common computer security threats and mitigation techniques.
This document provides guidelines for elementary information security practices for organizations. It discusses basic steps organizations can take to improve security without spending much money. The guidelines are divided into sections on basic security, web application security, network/host security, and include recommendations such as using strong passwords, encrypting sensitive data, updating software regularly, conducting security awareness training, and closing unnecessary network ports. The overall aim is to help organizations identify and address common security mistakes and vulnerabilities.
The document outlines key points about improving cyber security maturity through effective privileged access management (PAM). It discusses how most cyber attacks involve compromised privileged credentials. A PAM maturity model is presented with 4 levels - from analog/basic up to advanced/intelligent - measuring an organization's PAM practices and risk level. The goal is for organizations to progress through the levels by implementing stronger PAM strategies like automated discovery of privileged accounts, password vaulting, multi-factor authentication, privileged session monitoring and restricting use of local administrators. This helps reduce the attack surface and risk of breaches involving privileged credentials.
Get to know which security standards are applicable to OpenStack clouds
Evgeniya Shumakher, Mirantis
Compliance with critical industry and regulatory standards used to be mostly the concern of application makers and customers integrating their solutions. Cloud computing – especially IaaS – has made things a lot more complicated. Meanwhile, emerging cloud-specific standards, like FedRAMP or CSA cloud security guidelines, are suggesting new, complex and stringent requirements – while also offering critical guidance.
The presentation offers an inside look at the process:
The most important compliance and security standards for cloud builders,
Where existing OpenStack resources can fully or partially solve common compliance problems
Where standards support within OpenStack is currently thin
The common workflow for architecting standards-compliant clouds,
Common risks and emerging opportunities.
Take a closer look at PCI Compliance for private OpenStack clouds
Scott Carlson, PayPal
PCI Compliance is very important for large financial institutions. As one of the larger installations of OpenStack within the Financial space, PayPal has driven forward the PCI conversation and will be sharing the technical perspective on the following related to PCI and OpenStack Private Clouds:
How does OpenStack fit into an existing PCI-Compliant Environment
When there is not an external Cloud Service Provider, how does your team need to compensate
What are the design choices required to continue to be PCI-Compliant
Physical versus Logical devices
Hypervisor versus Guest compliance
Management Networks for PCI and non-PCI Zones
The case study won’t be a fully prescriptive talk on how to obtain PCI compliance, because there is a lot more to gaining compliance than just making your cloud compliant, but it will help you to understand:
Where existing OpenStack resources can fully or partially solve PCI compliance problems,
Where the OpenStack community needs to join together to solve remaining problems in order to continue growth into PCI-compliant spaces.
Corona | COVID IT Tactical Security Preparedness: Threat Management – RedZone Technologies
Work from Home - Practical Advice on Operations and Security Impact and what to do about it.
DR and BCP Planning Ideas
Widening Attack Surface Solutions
Managing Threats Solutions
This document discusses ensuring security of an IT environment based on the CIA triad of confidentiality, integrity, and availability. It provides definitions and examples of risks to each component, as well as controls and best practices to mitigate those risks. Specific recommendations are given around access controls, encryption, monitoring, backups, disaster recovery planning, and security awareness training for both leadership and employees.
RSA issued an updated note to help customers assess their risk and prioritize remediation steps following a cyber attack that extracted some information related to RSA SecurID authentication products. The note provides a customer FAQ, updated best practices guides, and recommends securing authentication databases and logs, educating users on social engineering, and strengthening PIN policies. RSA SecurID remains effective if customers take steps to protect the additional information needed for attacks.
Project Instructions You have been recently hired as a.docx – briancrawford30935
Project Instructions
You have been recently hired as a network security analyst for a small accounting firm. The firm realizes that it needs help to secure its network and customers' data. With your background and skills, the firm is looking to you to provide guidance. In addition to helping the firm secure its network, the firm requires that you obtain your CompTIA Security+ certification within 60 days of being hired.
In addition to the owner, who serves as the overall business manager, there are about 20 people on staff:
➢ 10 accountants
➢ 3 administrative support specialists
➢ 1 vice president
➢ 1 financial manager
➢ 2 interns
There is also one IT support technician on staff, who has basic computer hardware and networking knowledge. He has requested that the firm create a website, hosted internally, so that new customers can get information about the firm. This will be important to remember as you complete your final project.
The firm has a simple network. There are 20 computers and two multipurpose printers. All computers and printers are connected wirelessly to a NETGEAR MR814 device. This router is connected to a Motorola SB3100 cable modem. Staff email accounts are set up through the company’s Internet provider. Employees use a combination of Microsoft Outlook and standard web browsers to access their e-mail. The owner uses his personal iPad during work hours to check and respond to email messages.
Prior to your hiring, the firm hired a network cabling contractor to run Cat 6 cables from the central wiring closet to all offices and cubicles. The firm wants to move away from using wireless as the primary network connection, but wants to keep wireless access for customers coming to the building. The technician who did the wiring mentioned to your supervisor that he should look into setting up a Windows Server domain to manage user access, instead of the current peer-to-peer network. He also recommended that the firm invest in a managed switch and a firewall, and look into having some backups. The internal IT support technician agreed with these recommendations but needs your help to implement them.
You’ve been asked to assess the current vulnerabilities and provide a recommendation to the firm’s owner on how to better secure the network infrastructure. Now that you are aware of the firm’s history, your assessment and recommendation should provide specifics about the network security settings that must be implemented and the equipment that must be procured, installed, and configured. The firm’s owner has a basic understanding of computing, so it is important that you explain the technical issues in layman's terms.
Overview
You will provide a detailed vulnerabilities assessment document, along with some specific recommendations to implement to address the vulnerabilities you have described. This document should be based on the scenario provided.
Your proposal will be submitted in thre.
Thinking like a hacker - Introducing Hacker Vision – PECB
This webinar will explain how to improve Security by adopting the mindset of your opponent, and 'seeing like a hacker'!
Main points covered:
• Introducing ways in which you can think like a hacker, and get into your attacker's mindset so that you can better identify and assess threats.
• How to use this thinking to improve your security controls - how effective are they? And how can you better test them for readiness?
• Visual examples to really lift the lid on what your attackers see, as 'hacker vision' gets you thinking in the mindset of a hacker.
• Examples covered will include physical security, Network security, as well as IoT security.
Presenter:
Our exclusive presenter, Mark Carney, is a former pen tester and now a professional security researcher for Security Research Labs in Berlin, specializing in embedded systems and IoT. His background spans compliance testing, Red Teaming, full stack pen testing, and social engineering & physical access engagements.
Link to the recorded webinar: https://youtu.be/Fx2Ha8kIqgE
The document discusses various network hardening techniques, including encryption basics, wireless network hardening, and security policies. For encryption basics, it explains that encryption scrambles data and relies on keys to unscramble it at the receiving end. It discusses symmetrical and asymmetrical encryption. For wireless network hardening, it describes methods like MAC address filtering and different types of wireless encryption standards. It notes security policies establish allowed network activities and give administrators authority to enforce security measures.
The document compares the security features of SSL and IPsec. It discusses how each protocol provides authentication, confidentiality, integrity and other security services. It also outlines some of the benefits and limitations of each, such as SSL being best for web applications while IPsec provides broader security. Sample use cases are presented to illustrate when each protocol may be best to use.
Similar to Achieving PCI-DSS compliance with network security implementations - April 2011 (20)
Blockchain: everyone wants to sell me that - but is that really right for my ... – EQS Group
Another day, another article praising blockchain’s untapped potential: it will start a new era, revolutionize the financial system, disrupt every industry and change the world. Or will it not? And is that really what I need for my next project?
After this presentation, you will be able to:
- Understand the basics of blockchains as compared to other traditional (both centralized and distributed) technologies such as relational databases and identity management systems.
- Identify the characteristics of a potentially successful blockchain project, versus one that should be tackled with "traditional" technology.
- Tell which main factors indicate that an initiative is or is not a good candidate for a blockchain project, and how to find a topic which may be a good candidate within your organization.
- Answer the excessive counter-critiques, such as that there is no good use for blockchains at all. This is obviously not true and there are very good examples of successful projects, from which we can learn the essentials.
Impact of GDPR on Third Party and M&A Security – EQS Group
GDPR impact has been dissected and examined to death - however, M&A activities, as well as third-party security posture, can be greatly affected as well, and this aspect has not been very often pursued. This session hopes to be useful for that.
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH – EQS Group
It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it - if they even do. A chapter in Tipton's book dating from 2007, proprietary solutions and sparse articles are all we have. In 2007 there was no Cloud yet - and that can be both a big help or a major issue in the process. Mergers & Acquisitions is a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisitions is often an afterthought and rarely a deciding factor in due diligence exercises - but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework and you will walk away with actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during a merger and acquisition activities, as well as the positive opportunities they can offer.
- Why it is important that Information Security is involved in the early phases of due diligence, including during the phases in which the deal is structured and evaluated, and the acquisition model is defined.
- Walk home with a simple framework and actionable material they can start using the day after.
Information Security During Mergers & Acquisitions: Issues, Safety Measures, and Need-to-Know Solutions.
Information security risks and threats connected with mergers and acquisitions, which can include months of often precarious IT migrations and legacy services left exposed; how Cloud computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities that they can offer; why Information Security should be involved in the early phases of due diligence, including the phases during which the deal is structured and the acquisition model is defined; a simple framework and actionable material.
Architecting Security across global networks – EQS Group
The document discusses identifying networks in a complex company. It describes challenges with the company's asset database, including many outdated or duplicate entries for operating systems and support groups. It also notes the network maps and asset database do not have a clear correspondence to the physical network. The document advocates identifying currently used versus legacy systems, their functions, vulnerabilities, and how they are arranged on the network. It contrasts firewall-based versus routing-based network planning and some pros and cons of the firewall approach.
313 – Security Challenges in Healthcare IoT - ME – EQS Group
The document discusses security challenges for medical IoT devices. It begins with background on cyber-physical systems, Industry 4.0, and the context of IoT. It then presents a threat model for medical IoT devices, outlining risks across the device lifecycle from physical security to orchestration issues. Regulatory requirements for medical device cybersecurity from the FDA and EU are summarized. Suggestions for improvement include standardizing network communication, strengthening regulations, adopting a security-by-design approach, and supporting secure and agile software updates.
What do a Lego brick and the XZ backdoor have in common? – Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that they are both building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the XZ backdoor case have much more in common than that.
Join the presentation to dive into a story of interoperability, open standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she has been involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (which is where her nickname deneb_alpha comes from).
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Essentials of Automations: The Art of Triggers and Actions in FME – Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
UiPath Test Automation using UiPath Test Suite series, part 6 – DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Driving Business Innovation: Latest Generative AI Advancements & Success Story – Safe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
UiPath Test Automation using UiPath Test Suite series, part 5 – DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf – Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble… many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
HCL Notes and Domino license cost reduction in the world of DLAU – panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and licenses under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help you with it!
We explain how you can solve common configuration problems that can lead to more users being counted than necessary, and how you can identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary spending, e.g. when a person document is used instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model to you.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
These topics will be covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... – Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Infrastructure Challenges in Scaling RAG with Custom AI models – Zilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
Achieving PCI-DSS compliance with network security implementations - April 2011
1. Achieving PCI-DSS compliance with network security implementations
Marco Ermini
Vodafone Group Network Security
14 April 2011
1 Presentation title in footer Confidentiality level on title master January 3, 2013
Department on title master Version number on title master
2. What this is about
…and what it is not about!
This presentation is not about…
> …what my company has done. This is a personal point of view (of course based on experience)
> …explaining what the various network security devices are. You know them. If not, you need other BrightTalks to get better informed
> …choosing vendors/brands – even if we may lean towards network security vendors versus “host based” vendors, when this makes sense
> …discussing if you need a network security device or not, or which technology you do need (maybe a short note…)
> … “off the shelves” or “vendor provided” best practices
– you can just Google for “best practices PCI-DSS” - it will do the job!
> I assume you need and want PCI-DSS compliance
> I assume you care about security, as much as compliance
> I will only touch the main points. The argument is really wide
What you are looking for are best practices to make your investment worthwhile
3. Who is speaking?
This is not a bio…
Why are you listening to me? – 1
> I am supposed to know what I am talking about. However I am not a compliance expert
– Do not ask me about compliance, but about technology
> Yes, that’s my daily job. No, I am not a trainer or something like that
> No, this is not academia or pure science. There is hardly any of that here!
> I know what the market offers. Everyone can download Snort or nmap. It’s not about that
> I have a realistic view about network security technology
> Yes, I have been under a real attack. And not just once!
> I am a customer of network security technology. I evaluate, test, deploy, implement, use them. But I don’t sell them. I will never try to contact you and sell you anything
> Yes, this will be my personal, partial, questionable, but realistic point of view
> Yes, I will compare host/agent-based against network-based approaches, and I prefer the second
You are not drinking from the fountain of truth. Never ever!
4. Who is this for?
Why do you care?
Why are you listening to me? – 2
> You are a security officer, security manager, or compliance manager, and need to…
– of course achieve PCI-DSS compliance
> You are a security or network engineer, or compliance manager, and need to…
– possibly bring “real” value from your investment
– are thinking about, or need, the network security approach for PCI-DSS
> You are a PCI-DSS auditor, and need to…
– understand if the network security approach is valid
> You are just curious…
– a graduate student, and/or future PCI-DSS auditor, getting into the security job world
– experienced security or network personnel trying to understand network security appliances
You are welcome to share your expectations, doubts, questions!
5. What is required by PCI-DSS?
It is, in many senses, a technical compliance standard
Why is PCI-DSS different from other compliance requirements?
> Unlike others, it goes into the nitty-gritty details of technical specifications
> For this reason, it has already required a couple of updates
> However, like any requirement, you can have documented exceptions, if needed (e.g. NAT)
> We are concentrating on the latest version, PCI DSS v2.0
– Changes from the previous version (1.2.1) are mainly about virtualisation and several clarifications
> There are several standards:
– Data Security Standard: how to protect cardholders’ data
– Requirements and Security Assessment Procedures: how to assess the environment
– PIN Transaction Security
– Various supporting documents focusing on roles like merchants, service providers, and so on
The argument is extremely wide!!!
6. Why use a network-based approach?
In many cases it is easier to implement
Why should I stop at securing the PCI-DSS environment?
> Although it is necessary by requirement to isolate the zone where cardholders’ data are processed, in many cases it is easier to implement many of the requirements across the whole DC
> You can leverage the investment to apply best practices to a wider zone
> In some cases, the standard seems to encourage it (e.g. wireless devices in a PCI DSS zone?!?)
> In many cases, network security appliances can be used in multiple zones and it is just a matter of licensing how many systems you protect
– Caveat: management stations (we will see this later)
> It is much easier to leverage this investment when using network-based approaches
> In some cases, there is no choice but to use network security devices
– for instance when the requirements specify it
If you are forced to invest in security, make the most of it!
7. Let’s see the requirements
Requirement 2
“Do not use vendor-supplied defaults for system passwords and other security parameters”
> You can use network security scanners and compliance scanners to verify that this is in place
– Verify that best practices and hardening (e.g. passwords, SNMP community strings, defaults, unneeded daemons…) have been implemented, through scanning of the environment
– Some network scanners can log in to the systems (credentialed scanning) and verify that policies are implemented. This is very often a much better approach than deploying agent-based solutions
– Be sure that the vendor supports both servers and network devices
– You need to verify wireless devices too, if present
– Scan virtualisation technologies: this seems to suggest that we must verify hypervisors
– Only documented daemons/services must be running
> You must verify that newly installed systems are compliant
– This is much better done with a scanner that detects when new systems are installed
I do prefer by a great extent a network-based, agent-free solution for hardening checks!!!
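The two checks the slide puts on the scanner, “only documented daemons/services must be running” and “detect when new systems are installed”, come down to diffing a scan against the build documentation. The following is an added example, not code from the talk: it parses nmap XML output (the sample below is constructed, as is the inventory), and the host-to-allowed-services inventory format and the FORBIDDEN_SERVICES hardening policy are assumptions of this example.

```python
"""Compliance diff between an internal network scan and the documented build.

Added example (not from the talk). Assumptions: the scan is nmap XML output
(nmap -oX), the documented inventory is a dict of host -> allowed
(protocol, port) pairs, and FORBIDDEN_SERVICES is a hypothetical hardening
policy for clear-text management protocols.
"""
import xml.etree.ElementTree as ET

# Constructed nmap XML: one inventoried host with documented HTTPS and SNMP
# services plus an undocumented telnet daemon, one host the inventory does
# not know about (a newly installed system), and one host that is down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.10.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.10.1.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.10.1.99" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical build documentation for the PCI-DSS zone: host -> {(proto, port)}.
INVENTORY = {
    "10.10.1.10": {("tcp", 443), ("udp", 161)},
}

# Hypothetical hardening policy: clear-text management protocols are never
# acceptable, even if someone wrote them into the build document.
FORBIDDEN_SERVICES = {"telnet", "ftp", "rlogin", "rsh", "rexec"}


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port, service_name), ...}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next(a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4")
        services = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            services.add((port.get("protocol"), int(port.get("portid")), name))
        hosts[ip] = services
    return hosts


def compliance_findings(scan, inventory):
    """Compare a parsed scan with the inventory; return (ip, finding) tuples.

    new-host:             the host is not documented at all
    forbidden-service:    a clear-text protocol the policy never allows
    undocumented-service: an open port the build document does not list
    """
    findings = []
    for ip, services in sorted(scan.items()):
        if ip not in inventory:
            findings.append((ip, "new-host"))
            continue
        for proto, port, name in sorted(services):
            if name in FORBIDDEN_SERVICES:
                findings.append((ip, f"forbidden-service {name}/{proto}/{port}"))
            elif (proto, port) not in inventory[ip]:
                findings.append((ip, f"undocumented-service {name}/{proto}/{port}"))
    return findings


if __name__ == "__main__":
    for ip, finding in compliance_findings(parse_open_ports(SAMPLE_NMAP_XML), INVENTORY):
        print(ip, finding)
```

The forbidden-service test runs before the inventory lookup on purpose: a clear-text management daemon that somebody documented is still a hardening violation, and the new-host finding is what turns a scheduled scan into the “newly installed systems” detector the slide asks for.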
8. Let’s see the requirements
Requirement 3
“Protect stored cardholder data”
> Tricky pitfalls for network security devices, let’s see why
> Keep data retention to a minimum; do not store authentication/authorisation data and credit card numbers
– If data is transmitted in an encrypted way (e.g. HTTPS), the Intrusion Detection/Prevention or the WAF often cannot see it
– However, if they are placed after HTTPS reverse-proxies, or are instructed to decrypt the traffic, they may also see authentication/authorisation data, or even credit card data
– If a signature is triggered, the IDS/IPS/WAF management station can keep a record of the transaction
> How to address this?
– Have a geographically/topologically localised management station in the zone (“manager of the manager” issue)?
– Disable packet capture/logging?
– Special policy for the PCI-DSS IDS/IPS/WAF?
– Disk encryption on the management station?
– How do security operations people handle packet captures of signatures?
It can be tricky so we must plan this in advance. Also, you don’t want “special” deployments if possible
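One concrete answer to “how do security operations people handle packet captures of signatures” is to scrub cardholder data from the alert payload before the management station writes it to disk. The block below is an added example and not something from the talk: it masks Luhn-valid card numbers to first six / last four and removes sensitive authentication data fields outright. The alert payload is constructed, and the SAD_FIELDS parameter names are an assumption that has to match what your applications actually use.

```python
"""Scrub cardholder data from an IDS/IPS/WAF alert payload before it is
stored on the management station.

Added example (not from the talk). Assumptions: the payload attached to a
signature hit is available as text (e.g. a decrypted HTTP request seen
behind a reverse-proxy); the SAD_FIELDS parameter names are a hypothetical
list that should be aligned with your applications.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data (CVV/CVC, PIN, track data) must never be
# stored at all, so the whole value is removed rather than masked.
SAD_FIELDS = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|cav2|pin|track[12]?)=([^&\s]*)")

# Constructed alert payload: a Luhn-valid test PAN, a CVV, and a 16-digit
# order number that is not a card number (it fails the Luhn check).
SAMPLE_ALERT = (
    "POST /pay HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    "pan=4111 1111 1111 1111&exp=1214&cvv2=123&order=1234567890123456"
)


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(raw):
    """Mask a candidate PAN to first six / last four (the most PCI DSS allows
    to be displayed); return the input unchanged if it is not Luhn-valid."""
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_payload(payload):
    """Return (scrubbed_payload, pans_masked, sad_fields_removed)."""
    pans_masked = 0

    def _mask(match):
        nonlocal pans_masked
        out = mask_pan(match.group(0))
        if out != match.group(0):
            pans_masked += 1
        return out

    scrubbed = PAN_CANDIDATE.sub(_mask, payload)
    scrubbed, sad_removed = SAD_FIELDS.subn(lambda m: f"{m.group(1)}=[REMOVED]", scrubbed)
    return scrubbed, pans_masked, sad_removed


if __name__ == "__main__":
    text, pans, sad = scrub_payload(SAMPLE_ALERT)
    print(text)
    print(f"{pans} PAN(s) masked, {sad} sensitive field(s) removed")
```

The Luhn check is what keeps the scrubber from mangling order numbers, session identifiers and similar long digit runs that an analyst still needs; the returned counters are useful as a metric of how much cardholder data your signatures are actually pulling onto the management station.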
9. Let’s see the requirements
Requirement 3
“Protect stored cardholder data”
> Management of encryption keys
– Do you need HSM devices/modules?
– Do your IDS/IPS/WAF support HSM modules?
– How are crypto keys stored on your device?
– How are crypto keys distributed?
– Do you implement “split knowledge” for key management?
– Do you monitor for key substitution/replacement?
– Best practices for key custodians
Again, it can be tricky so we must plan this in advance. And choose the right devices
10. Let’s see the requirements
Requirement 4
“Encrypt transmission of cardholder data across open, public networks”
> Public networks considered in scope are:
– the Internet
– wireless technologies in general
– GSM/GPRS networks as well
> You must implement encryption, and take care that the IDS/IPS/WAF supports:
– inspection of HTTPS if necessary, or is placed after reverse-proxies
– GTP traffic, if this makes sense for you
– Must implement wireless scanners, if this makes sense for you
I do prefer by a great extent a network-based, agent-free solution for hardening checks!!!
11. Let’s see the requirements
Requirement 6
“Develop and maintain secure systems and applications”
> As per requirement 2, you can use network security scanners and compliance scanners
– Verify that patches are installed – both with vulnerability and compliance scanners
– Verify that undocumented or “custom” applications/services are removed
– Verify that there are no development tools installed in production
> Use Web Application Scanners to scan applications for SQL injection, buffer overflows, XSS, CSRF, and so on
– Suggestion: focus on the OWASP Top 10
– Ensure your vendor covers the PCI-DSS requirements but also OWASP
– The PCI-DSS secure coding requirements were inspired by OWASP
I do prefer by a great extent a network-based, agent-free solution for hardening checks!!!
12. Let’s see the requirements
Requirement 6
“Develop and maintain secure systems and applications”
> It is required that for externally-facing web applications, either a review is done, or a Web Application Firewall (WAF) is in use
> About reviews:
– can be performed with “automated” tools (Web Application Scanners) or manually
– however they must be done at least annually, and anyway after any change
– if you find a vulnerability, you must correct it; this means you are deploying a change, so you must review the application again!
– therefore it is better to plan for an automated tool anyway
> About Web Application Firewalls (WAF)
– you do not need to review your application
– anyway, experience shows that it is better that you do it. Do not use the WAF as a scapegoat to avoid application reviews. Heard about Barracuda Networks recently?
I suggest having both a WAF and assessing the applications, as having the WAF simplifies application patching too – catch 22
13. Let’s see the requirements
Requirement 6
“Develop and maintain secure systems and applications”
> FAQ: can I use an IDS/IPS as a WAF?
– I cannot go into great detail on this, however I discourage it
– They are inherently different technologies
– All of the IDS/IPS vendors have web protection functionality, however it is not the same as a Web Application Firewall
– Although you may argue about that with an auditor, if you care about real security and not just compliance, do not take the shortcut
– Please feel free to ask me about details on that off line if you care.
I suggest having both a WAF and an IDS/IPS. Do not use shortcuts unless you are on a budget
14. Let’s see the requirements
Requirement 7/8
“Restrict access to cardholder data by business need to know”
> Use vulnerability and compliance scanners to assess that servers and network devices have proper RBAC set up in place
> Firewalls and Access Control Systems set up with a final “deny all” rule
– May look trivial, but sometimes it is not: a broad “permit” higher up in the rule base makes the closing deny-all dead for that traffic
“Assign a unique ID to each person with computer access”
> Two-factor authentication in place for all of the remote accesses
> This is also valid for security appliance management!
> If you have not implemented good practices for security appliance management, now you must do it!
In many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
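Checking that the “final deny all” is actually effective is something a compliance scanner will not do for you, so here is an added example (not from the talk) of the three checks worth running over an exported rule base: is the last rule a deny-all, is there a permit from any source into the zone, and is any rule shadowed by an earlier broader one. The rule list format, first-match-wins semantics and the 10.20.0.0/24 cardholder data environment are assumptions of this example; the rule base itself is constructed.

```python
"""Sanity checks on a firewall rule base in front of a PCI-DSS zone.

Added example (not from the talk). Assumptions: rules have already been
exported into the simple list form below, the firewall evaluates them
first-match-wins, and 10.20.0.0/24 is the hypothetical cardholder data
environment (CDE).
"""
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule base. Rule 2 is the classic "temporary" wide-open permit
# that makes the closing deny-all meaningless for the CDE; rule 3 can never
# match because rule 2 already catches everything it would.
RULES = [
    {"id": 1, "action": "permit", "src": "10.30.0.0/24", "dst": "10.20.0.0/24", "proto": "tcp", "dport": "443"},
    {"id": 2, "action": "permit", "src": "0.0.0.0/0",    "dst": "10.20.0.0/24", "proto": "any", "dport": "any"},
    {"id": 3, "action": "permit", "src": "10.40.0.5/32", "dst": "10.20.0.0/24", "proto": "tcp", "dport": "1433"},
    {"id": 4, "action": "deny",   "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",    "proto": "any", "dport": "any"},
]


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def is_any_any(rule):
    """True for a rule that matches every packet: any source, destination, protocol and port."""
    return (_net(rule["src"]) == ANY_NET and _net(rule["dst"]) == ANY_NET
            and rule["proto"] == "any" and rule["dport"] == "any")


def covers(broad, narrow):
    """True if `broad` matches every packet that `narrow` matches, i.e. an
    earlier `broad` makes a later `narrow` dead (shadowed)."""
    if not _net(narrow["src"]).subnet_of(_net(broad["src"])):
        return False
    if not _net(narrow["dst"]).subnet_of(_net(broad["dst"])):
        return False
    if broad["proto"] not in ("any", narrow["proto"]):
        return False
    return broad["dport"] in ("any", narrow["dport"])


def check_rulebase(rules):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    if not rules or rules[-1]["action"] != "deny" or not is_any_any(rules[-1]):
        findings.append("no final deny-all rule")
    for i, rule in enumerate(rules):
        if rule["action"] == "permit" and is_any_any(rule):
            findings.append(f"rule {rule['id']}: permit any/any")
        elif rule["action"] == "permit" and _net(rule["src"]) == ANY_NET:
            findings.append(f"rule {rule['id']}: permit from any source to "
                            f"{rule['dst']} {rule['proto']}/{rule['dport']}")
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append(f"rule {rule['id']}: shadowed by rule {earlier['id']} ({earlier['action']})")
                break
    return findings


if __name__ == "__main__":
    for finding in check_rulebase(RULES) or ["rule base passed"]:
        print(finding)
```

The shadowing check is the one that catches the “trivial but sometimes not” case: when a permit any/any sits above the closing deny, the deny itself is reported as shadowed, which is exactly the condition an auditor reading only the last line of the rule base would miss.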
15. Let’s see the requirements
Requirement 8
“Assign a unique ID to each person with computer access”
> Database protection
> Restrict access to the databases, restrict direct user accesses, review database applications, do not use application IDs outside of applications
> This can be achieved with Database Activity Monitor (DAM) technology
> Agent or agent-less solution
> I strongly suggest a combination of both, where the focus is on the agent-less solution
> For specific questions contact me off line
Database Activity Monitors are a good practice, along with proper set up of database management for the environment
16. Let’s see the requirements
Requirement 9
“Restrict physical access to cardholder data”
> Again, if your security appliances enter into PCI-DSS scope, you must apply the same requirements to them
> If you have not implemented good physical security practices for security appliance management, now you must do it!
> This includes camera surveillance, badge systems and practices, logs and physical escort of visitors by an internal employee (PCI-DSS auditors too!) and so on
> Usually part of the DC practices, but it may be different for security monitoring
In many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
17. Let’s see the requirements
Requirement 10
“Track and monitor all access to network resources and cardholder data”
> Again, if your security appliances enter into PCI-DSS scope, you must apply the same requirements to them
> You must implement audit logs on access to the management systems of the security devices
– You must implement individual users and not use generic or default users
– You must use a time server (NTP), and verify users against the company’s LDAP/AD
> You must off-load logs to a syslog/logging server
– Logs for IPS/IDS/firewalls and so on
– Best to use a SEM/SIEM if you are not doing it already
> Use a file integrity monitoring tool
– Agent-less solutions are again my favourite
Again, in many cases security appliances have a very simple management model, and SEM/SIEM are not in use
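The file integrity monitoring the slide asks for is, at its core, a baseline of content hashes and metadata kept off the monitored host and compared on a schedule. The block below is an added example and not the talk’s or any product’s code: it builds such a baseline, stores it as JSON, tampers with a constructed directory tree and reports the differences. It assumes the monitored tree is reachable as a local path (an agent-less deployment would fetch or mount it over SSH/SMB/NFS; the hashing and comparison logic is unchanged).

```python
"""File integrity baseline and comparison for in-scope systems.

Added example (not from the talk). Assumptions: the monitored tree is
reachable as a local path (an agent-less deployment would mount or fetch it
over SSH/SMB/NFS; the hashing and comparison logic is the same), and the
baseline is kept off the monitored host as a JSON file.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Hash the content and capture mode/owner/size, so both a modified
    config and a silently chmod'ed script show up as changes."""
    st = os.lstat(path)
    rec = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root):
    """Return {relative_path: record} for every file and symlink under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_record(full)
    return baseline


def compare(baseline, current):
    """Return a sorted list of (change, path): added, modified or removed."""
    changes = []
    for path in set(baseline) | set(current):
        if path not in current:
            changes.append(("removed", path))
        elif path not in baseline:
            changes.append(("added", path))
        elif baseline[path] != current[path]:
            changes.append(("modified", path))
    return sorted(changes)


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True, indent=1)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def run_demo():
    """Build a constructed /etc-like tree, baseline it, tamper with it and
    return the detected changes."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("listen=443\n")
        with open(os.path.join(etc, "hosts.allow"), "w") as f:
            f.write("sshd: 10.0.0.0/8\n")
        baseline_file = os.path.join(tmp, "baseline.json")  # kept off-host in practice
        save_baseline(build_baseline(etc), baseline_file)

        # Tamper: change a setting, remove an access control file, add a script.
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("listen=443\ndebug=true\n")
        os.remove(os.path.join(etc, "hosts.allow"))
        with open(os.path.join(etc, "cron.sh"), "w") as f:
            f.write("#!/bin/sh\n")

        return compare(load_baseline(baseline_file), build_baseline(etc))


if __name__ == "__main__":
    for change, path in run_demo():
        print(f"{change:9s} {path}")
```

Keeping the baseline (and the comparison) off the monitored host is the point of the agent-less model the slide prefers: an attacker who has root on the box cannot quietly refresh the baseline after planting a file, and the diff feeds straight into the SEM/SIEM mentioned above.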
18. Let’s see the requirements
Requirement 11
“Regularly test security systems and processes”
> It goes without saying, internal network vulnerability and compliance scanners are often the best solution for testing systems from the internal network
> Many scanners can scan themselves too
> Ensure scanners also support security systems and appliances
– Some systems, like IDS/IPS and possibly WAF, are only available for scanning on the management network
– Ensure scanners can also reach management networks, and the networks for hypervisor management
Ensure scanners can internally reach the whole environment and that they support a wide range of checks
19. Let’s see the requirements
Requirement 11
“Regularly test security systems and processes”
> External vulnerability scanning is a requirement
> Can be done with an external or internal resource, but it must be “qualified” (for the quarterly external scans, an Approved Scanning Vendor)
> There are requirements clearly defined for external resources, a bit less for internal ones
> Generally easier to use a qualified external supplier
> Tricky for security: vulnerabilities are stored outside of the company’s network, and this can be a problem for some organisations’ policies
– Some vendors offer solutions for that
– Some vendors’ external solutions are not secure enough
Ensure you are using a qualified vendor and that you are not violating your own policies or compromising your security by using an external vendor
20. Let’s see the requirements
Requirement 11
“Regularly test security systems and processes”
> Ensure you have IDS/IPS systems at the perimeter
– You must verify “all the traffic at the perimeter”, but nothing prohibits checking the internal network too
– You must ensure proper management of the IDS/IPS
– Must verify that they can see decrypted traffic (after reverse-proxies) and that packet captures are properly treated for the data retention requirements already explained
> File integrity monitors
Again, in many cases security appliances have a very simple management model; this must be reviewed for PCI-DSS!!!
21. Thank you