Gartner UK 2015 Anatomy of An Attack

•Download as PPTX, PDF•

2 likes•337 views

The document discusses the anatomy of an attack based on data from the Verizon Data Breach Investigation Report. It notes that over 99% of breaches exploited vulnerabilities that were over 1 year old. Common initial infection methods included malware, targeted phishing emails, and exploited zero-day vulnerabilities. Once inside a network, attackers would search for privileged accounts or sensitive data. The document recommends organizations focus on regular vulnerability assessments, password security, and breach detection to help prevent attacks.

Anatomy of an Attack
Wolfgang Kandek, Qualys
wkandek@qualys.com
@wkandek
14-September-2015

Verizon Data Breach Investigation Report

2122 Data Breaches
Financial data, Product data,
Personal data, Usernames/Passwords

1. CTO (punk rock fan), punk rock concert offer, doc opened, no run
2. Employee, employment offer, doc opened, script ran
3. COO (Greek History), article comment, doc not opened
4. Employee, inquiry on side project, doc not opened
5. Employee, survey form of past employment, doc opened,
infected, but no privileged account
6. System Admin, professional society membership offer, doc
opened, infected - Bingo

Vulnerabilities
Patch
95%/99%
Priority on Exploits
MS15-020, MS15-051

Now:
Vulnerability Assessments
3 months:
Passwords
12 months+:
Breach Detection

Thank you
Wolfgang Kandek
wkandek@qualys.com
@wkandek
http://www.qualys.com

Resources
• Verizon DBIR 2015
http://www.verizonenterprise.com/DBIR/
• Chevron
https://www.rsaconference.com/events/us15/agenda/sessions/1983/
building-a-next-generation-security-architecture
• BSI
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikatio
nen/Lageberichte/Lagebericht2014.pdf
• Hardening
https://www.virusbtn.com/pdf/conference_slides/2013/Niemela-
VB2013.pdf

Vulnerabilities The larger and more complex information systems are, the greater the possibility of error in logic and loopholes in algorithm. These are weak points that could enable hackers to breach a system and compromise the integrity of information stored. Programmers themselves who are not yet adept in writing software code can unknowingly misuse the code and lead to a vulnerability. A classic example of vulnerabilities that can be exploited is a weak password or its repeated use on various services or software. There are also websites containing malware that installs automatically once visited. Even legitimate software could be a venue for an exploit due to unknown errors (bugs) generated by the program. The end-user or the human element in information systems is arguably the weakest point that hackers easily utilize. 0-day exploits 0-hour or 0-day attack is the exploitation by outside parties of a security hole in a computer program which is unknown from its developers. The term comes from the premise that the attack unfolds on the “day 0, meaning no awareness as of yet from the developers so there is no opportunity and time to issue a fix for the threat. Zero-day exploits are usually shared among hackers even before the developer knew. Programmers could use the vulnerabilities via several avenues: on web browsers and email. Web browsers allow for a wider target. Meanwhile, using email, hackers can send a message that includes an executable file on the attachments, set to run once downloaded. Such 0-day threats are in the time frame where a security hole is exploited up to the time that the program developers issued a patch for it.

Security researcher

NoumanShah20

Android in the healthcare workplace - GrrCON and DerbyCON

Thomas Richards

Hacker Halted Miami , USA 2010Aditya K Sood

RATER scale

EHTASIMUL HOQUE

La informació que difonen els mitjans de comunicació és a vegades confusa i en alguns casos fins i tot errònia. D’altra banda, també es fa sovint un tractament inapropiat de les paraciències tractant-les com si fossin activitats amb el suport de la ciència o donant per bones afirmacions que s’han demostrat científicament falses. Aquesta presentació és part d'un curs té per objectiu proporcionar recursos i coneixements científics fonamentats que permetin a l’alumnat tractar la informació científica de manera correcta i amb el rigor que es requereix, i aplicar aquest mateix rigor i esperit crític al tractament de les paraciències i d’altres temes similars.

AWS Security in Plain English – AWS Security Day

Amazon Web Services

Ebook: Splunk SANS - CIS Top 20 Critical Security Controls

Dominique Dessy

The Critical Security Controls and the StealthWatch System

Lancope, Inc.

As today’s cyber-attackers become more sophisticated and nefarious, organizations must adopt the right mix of conventional and next-generation security tools to effectively defend their infrastructure from advanced threats. The Critical Security Controls effort is a growing movement that has been helping government agencies and large enterprises prioritize their cyber security spending accordingly. By leveraging NetFlow and other types of flow data, Lancope’s StealthWatch System delivers continuous network visibility to fulfill a number of the highest priority controls, enhancing timely detection of targeted threats and improving incident response. Learn the latest about the Critical Security Controls and hear how the StealthWatch System fits in.

More practical insights on the 20 critical controls

EnclaveSecurity

This presentation is for both alumni of the SANS 440 / 566 courses on the 20 Critical Controls and anyone considering implementing these controls in their organizations. Since the first version of the 20 Critical Controls were released, many organizations internationally have been considering implementing these controls as guideposts and metrics for effectively stopping directed attacks. Some organizations have been doing this effectively, others have struggled. This presentation will give case studies of organizations that have implemented these controls, what they have learned from their implementations about what works and what does not work practically. Not only will the discussion focus around what organizations are doing to implement the controls, but also what vendors are doing to help automate the controls and the status of resources and projects in the industry. Students will walk away with even more tools to be effective with their implementations.

Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...

James W. De Rienzo

Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks

Er. Rahul Jain

Extend Enterprise Application-level Security to Your AWS Environment

Imperva

When organizations shift to a public cloud environment, security and compliance must remain top of mind. While Amazon Web Services (AWS) provides robust infrastructure-level protections, today’s attackers target the applications themselves. This presentation will: - Discuss inherent AWS security capabilities - Review attack types that target the applications and why traditional security approaches can’t stop them - Illustrate how Imperva SecureSphere for AWS stops these attacks and enables you to use the security infrastructure in the cloud and on-premise

How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan

ControlScan, Inc.

20 Security Controls for the Cloud

NetStandard

The CIS Critical Security Controls the International Standard for Defense

EnclaveSecurity

Networking and communications security – network architecture design

EnterpriseGRC Solutions, Inc.

Webinar: 10 steps you can take to protect your business from phishing attacks

Cyren, Inc

Using an Open Source Threat Model for Prioritized Defense

EnclaveSecurity

Security Attack Analysis for Finding and Stopping Network Attacks

Savvius, Inc

Network breaches are on the rise, and the consequences are getting more dire. Needless to say, you don't want to be the next Target.You've invested in security tools like firewalls and IPS systems. But today's stealthy attacks can still get through. When you suspect an attack, you need your insurance policy—network forensics. In this seminar, you'll learn how network forensics—network recording along with powerful search and analysis tools—can enable your in-house security team to track down, verify, and characterize attacks. You'll also learn about the requirements for effective forensics on today's 10G and 40G networks. And you'll learn some best practices for configuring captures to help you and your team pinpoint and remediate anomalous behavior that could signal an attack.

CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)

WAJAHAT IQBAL

This post contains detailed Mindmap related to Complex subject of Cyber security and address critical components summarized as below: - Cyber Security standards - SOC (Security Operation Center) - Cybersecurity Lifecycle - Hacker Kill Chain - Malware (Types,Protection Mechanism) - Cyber Architecture - CSC (Critical Security Standards) - Incident Management - Network Perimeter best security practices - Final Case Study I hope the Technical post is appreciated and liked by Security Consultants and Subject Matter experts on Cybersecurity.Your criticals Inputs are appreciated.Thank you - Wajahat Iqbal (Wajahat_Iqbal@Yahoo.com)

Splunk EMEA Webinar: Scoping infections and disrupting breaches

Splunk

To successfully prevent infections from becoming a data breach, security analysts need the ability to continuously collect, analyse, correlate and investigate a diverse set of data. Join this webinar to hear Matthias Maier, Splunk Security Product Marketing Manager and Filip Wijnholds, Splunk Senior Systems Engineer, discuss the specific data sources and capabilities required to determine the scope of an infection before it turns into a breach. During this session, you'll learn: - The capabilities required to distinguish an infection from a breach - The specific analysis steps to understand the scope of an attack - The data sources required to gain deep and broad visibility - What to look for from network and endpoint data sources We also demonstrate a live incident investigation using this approach, you can view the recording here: https://splunkevents.webex.com/splunkevents/lsr.php?RCID=cab764b0457c615aa5f02ddfd351fe9f

Paul Henry’s 2011 Malware Trends

Lumension

Join security and forensics expert, Paul Henry, to learn about the latest malware trends and more importantly, practical steps you can take to better protect your organization from evolving threats. Learn: • How social media and removable devices have become new, targeted paths into your network • Why traditional defenses are not effective in the unending arms race with financially motivated “bad guys” • How to ensure an effective depth-in-defense security strategy that includes application whitelisting

Viewers also liked

20 Critical Security Controls and QualysGuard

Wolfgang Kandek

SANS Critical Security Controls Summit London 2013

Wolfgang Kandek

Using a Network Model to Address SANS Critical Controls 10 and 11

Skybox Security

MindTheSec Anatomia de um Ataque

Wolfgang Kandek

Estadística i pensament crític a la vida diària

Universitat de Barcelona

AWS Security in Plain English – AWS Security Day

Amazon Web Services

Ebook: Splunk SANS - CIS Top 20 Critical Security Controls

Dominique Dessy

The Critical Security Controls and the StealthWatch System

Lancope, Inc.

More practical insights on the 20 critical controls

EnclaveSecurity

Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...

James W. De Rienzo

Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks

Er. Rahul Jain

Extend Enterprise Application-level Security to Your AWS Environment

Imperva

How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan

ControlScan, Inc.

20 Security Controls for the Cloud

NetStandard

The CIS Critical Security Controls the International Standard for Defense

EnclaveSecurity

Networking and communications security – network architecture design

EnterpriseGRC Solutions, Inc.

Webinar: 10 steps you can take to protect your business from phishing attacks

Cyren, Inc

Using an Open Source Threat Model for Prioritized Defense

EnclaveSecurity

Security Attack Analysis for Finding and Stopping Network Attacks

Savvius, Inc

CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)

WAJAHAT IQBAL

Viewers also liked (20)

20 Critical Security Controls and QualysGuard

SANS Critical Security Controls Summit London 2013

Using a Network Model to Address SANS Critical Controls 10 and 11

MindTheSec Anatomia de um Ataque

Estadística i pensament crític a la vida diària

AWS Security in Plain English – AWS Security Day

Ebook: Splunk SANS - CIS Top 20 Critical Security Controls

The Critical Security Controls and the StealthWatch System

More practical insights on the 20 critical controls

Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...

Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks

Extend Enterprise Application-level Security to Your AWS Environment

How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan

20 Security Controls for the Cloud

The CIS Critical Security Controls the International Standard for Defense

Networking and communications security – network architecture design

Webinar: 10 steps you can take to protect your business from phishing attacks

Using an Open Source Threat Model for Prioritized Defense

Security Attack Analysis for Finding and Stopping Network Attacks

CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)

Similar to Gartner UK 2015 Anatomy of An Attack

Splunk EMEA Webinar: Scoping infections and disrupting breaches

Splunk

Paul Henry’s 2011 Malware Trends

Lumension

Ethical Hacking & Penetration Testingecmee

Secure authentication in the age of remote working - MFA

Yusuf Khan

Ochrana pred modernými malware útokmi

MarketingArrowECS_CZ

REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS

ForgeRock

Ch01-Computer Security

Attaporn Ninsuwan

Why Passwords are not strong enough

EMC

Introduction to the Current Threat Landscape

Melbourne IT

Do you know what threats are lurking in the shadows? Have you been compromised without even knowing about it? Most companies don't even know if their business has been subjected to attacks and even worse, may have lost sensitive data without knowing about it until it’s too late. The latest vulnerabilities highlight the extent and depth that hackers are adopting to steal your content or destroy trust in your brand. Our industry experts joining us for the presentation have a wealth of experience in robust security strategies and will be discussing the current online threat landscape, the most prominent approaches to security breaches and what you need to consider to protect your online presence from any potential malicious attacks. About Melbourne IT: Melbourne IT Enterprise Services designs, builds and operates custom cloud solutions for Australia’s leading enterprises. Its expert staff help enterprises solve business challenges and build cultures that enable organisations to use technology investments efficiently to improve long-term value. With more than 15 years’ experience in delivering managed outcomes to Australian enterprises, Melbourne IT has been long associated with enabling success. Its certified cloud, consulting, and security experts repeatedly deliver results. Many of the brands you already know and trust rely on Melbourne IT. For more information, visit www.melbourneitenterprise.com.au

Building Human Intelligence – Pun Intended

EnergySec

Presented by: Rohyt Belani, Phishme Abstract: In the physical world, the human brain has evolved to avoid danger. The threat of physical pain triggers fear – and we have learned to avoid behavior that causes pain. In the electronic world of email, however, this concept doesn’t translate. Clicking on a malicious link or opening an attachment laced with malware doesn’t cause pain, and often a user won’t even notice anything is wrong after doing it. How then, can we teach fear perception in the electronic world? Is it even possible? In this presentation I’ll discuss how immersive training can key on psychological triggers to teach people to become skeptical email users who not only avoid undesired security behavior but can aid intrusion detection by reporting suspicious emails, helping to mitigate one of the most serious problems in security: slow incident detection times. According to reports from Mandiant and Verizon, average detection time for an incident is in the hundreds of days. A properly trained workforce is not only resilient to phishing attacks, but can improve detection times as well.

Identity intelligence: Threat-aware Identity and Access Management

Prolifics

Presentation at Pulse 2014 as part of the session, "Enhance Your Identity and Access Management Solution with Integrations from Key IBM Technology Partners" Speaker: Russell Tait, Prolifics Join a panel of IBM technology partners to learn about new and exciting Identity and Access Management (IAM) integrations that have been validated through the Ready for IBM Security Intelligence program. In this slide deck, IBM technology partner, Prolifics, discusses how their integrations with key areas of the IBM Security portfolio increase solution value for customers. The panel discussion will cover strong authentication, mobile, cloud, and security intelligence use cases.

Cybercriminals and security attacks

GFI Software

Internal Risk Management

Barry Caplin

The media has given a great deal of attention to the “insider threat”, the issue of someone within an organization harming or stealing data or assets. How does this happen and why? Shouldn’t we be more concerned with external threats like hackers and cyber-thieves? Learning Nuggets · Insider threat components and issues · Current research · Mitigation and good practices

VAPT - Vulnerability Assessment & Penetration Testing

Netpluz Asia Pte Ltd

VCU INFO 644 Critical Thinking 1tgbrunet

Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel

Adam Palmer

Understanding Advanced Cybersecurity Threats for the In-House Counsel

Adam Palmer

COVID-19: Strategies to Stay Secure and Ensure Business Continuity

Optiv Security

Optiv is committed to guiding the cybersecurity industry through these shifting times by providing strategies to keep your organization and employees secure while ensuring business continuity. Whether your concerns focus on technology or people, Optiv has outlined specific actions you can take to build confidence in this more connected world. To read our response to the COVID-19 pandemic, as well as other resources and actionable checklists, please visit optiv.com/covid-19-response.

Eileen Presentationjc06442n

White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...

Invincea, Inc.

The single largest threat your organization faces today is network breach. Spear-phishing, poisoned search results, drive-by downloads, and legitimate sites being compromised to push malware are all part of our current reality. The most successful and common attacks vectors stem from targeted attacks on your employees. Organizations need to utilize solutions that protect their network from user error and support requirements for continuous monitoring, real-time situational awareness and providing actionable threat intelligence for their security teams.

Similar to Gartner UK 2015 Anatomy of An Attack (20)

Splunk EMEA Webinar: Scoping infections and disrupting breaches

Paul Henry’s 2011 Malware Trends

Ethical Hacking & Penetration Testing

Secure authentication in the age of remote working - MFA

Ochrana pred modernými malware útokmi

REAL-TIME THREAT INTELLIGENCE FOR TRUSTED RELATIONSHIPS

Ch01-Computer Security

Why Passwords are not strong enough

Introduction to the Current Threat Landscape

Building Human Intelligence – Pun Intended

Identity intelligence: Threat-aware Identity and Access Management

Cybercriminals and security attacks

Internal Risk Management

VAPT - Vulnerability Assessment & Penetration Testing

VCU INFO 644 Critical Thinking 1

Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel

Understanding Advanced Cybersecurity Threats for the In-House Counsel

COVID-19: Strategies to Stay Secure and Ensure Business Continuity

Eileen Presentation

White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...

Recently uploaded

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

Welocme to ViralQR, your best QR code generator.

ViralQR

Welcome to ViralQR, your best QR code generator available on the market! At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies. Our Vision We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide. Our Achievements Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes. Our Services At ViralQR, here is a comprehensive suite of services that caters to your very needs: Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses. Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding. Pricing and Packages Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service. Why choose us? ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations. Comprehensive Analytics Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country. So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

Quantum Computing: Current Landscape and the Future Role of APIs

Vlad Stirbu

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

Free Complete Python - A step towards Data Science

RinaMondal9

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

Bits & Pixels using AI for Good.........

Alison B. Lowndes

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

Recently uploaded (20)

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Assuring Contact Center Experiences for Your Customers With ThousandEyes

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Essentials of Automations: Optimizing FME Workflows with Parameters

Welocme to ViralQR, your best QR code generator.

How world-class product teams are winning in the AI era by CEO and Founder, P...

Quantum Computing: Current Landscape and the Future Role of APIs

The Art of the Pitch: WordPress Relationships and Sales

By Design, not by Accident - Agile Venture Bolzano 2024

PHP Frameworks: I want to break free (IPC Berlin 2024)

UiPath Test Automation using UiPath Test Suite series, part 3

Free Complete Python - A step towards Data Science

Key Trends Shaping the Future of Infrastructure.pdf

FIDO Alliance Osaka Seminar: Overview.pdf

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

GraphRAG is All You need? LLM & Knowledge Graph

Bits & Pixels using AI for Good.........

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

Leading Change strategies and insights for effective change management pdf 1.pdf

Gartner UK 2015 Anatomy of An Attack

1. Anatomy of an Attack Wolfgang Kandek, Qualys wkandek@qualys.com @wkandek 14-September-2015

3. Verizon Data Breach Investigation Report

4. Verizon Data Breach Investigation Report

5. 2122 Data Breaches

6. 2122 Data Breaches Financial data, Product data, Personal data, Usernames/Passwords

7. Vulnerabilities

8. > 99% over 1 year old

9. > 99%

10. But 40 in 2014

11. But 40 in 2014 and 50% within 2 weeks

12. > 99%

13. Malware Infects Computer Exploit for known Vulnerability Targeted E-mail Spear Phishing Social Media Profile Exploit for 0-day Vulnerability Known Worm/Virus Infected USB Drive Find infected Computers Command and Control Username/ Passwords Dataloss Brand Finance Others

14. > 99%

15. 1. CTO (punk rock fan), punk rock concert offer, doc opened, no run 2. Employee, employment offer, doc opened, script ran 3. COO (Greek History), article comment, doc not opened 4. Employee, inquiry on side project, doc not opened 5. Employee, survey form of past employment, doc opened, infected, but no privileged account 6. System Admin, professional society membership offer, doc opened, infected - Bingo

16. Demo

17. Phishing Training

18. Phishing Training 10%->2%

19. Vulnerabilities Patch

20. Vulnerabilities Patch 95%/99%

21. > 99%

22. > 99%

23. Vulnerabilities Patch 95%/99% Priority on Exploits MS15-020, MS15-051

24. 0-days Hardening

25.

26. Then: Passwords

27. Finally: Breach Detection

28. Now: Vulnerability Assessments 3 months: Passwords 12 months+: Breach Detection

29. Thank you Wolfgang Kandek wkandek@qualys.com @wkandek http://www.qualys.com

30. Resources • Verizon DBIR 2015 http://www.verizonenterprise.com/DBIR/ • Chevron https://www.rsaconference.com/events/us15/agenda/sessions/1983/ building-a-next-generation-security-architecture • BSI https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikatio nen/Lageberichte/Lagebericht2014.pdf • Hardening https://www.virusbtn.com/pdf/conference_slides/2013/Niemela- VB2013.pdf

Editor's Notes

PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
PCI Compliance: A secure connection between the customer’s browser and the web server Validation that the Website operators are a legitimate, legally accountable organization Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted orreceived over open, public networks Verify that strong encryption is used during data transmission For SSL implementations:- Verify that the server supports the latest patched versions.- Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).- Verify that no cardholder data is required when HTTPS does not appear in the URL. Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit. Verify that only trusted SSL/TLS keys/certificates are accepted. Verify that the proper encryption strength is implemented for the encryption methodology in use.(Check vendor recommendations/best practices.) Typically, compliant entities have a year grace period to meet the new requirement. Transmission confidentiality and Integrity (SC-8) The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.

Gartner UK 2015 Anatomy of An Attack

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

Similar to Gartner UK 2015 Anatomy of An Attack

Similar to Gartner UK 2015 Anatomy of An Attack (20)

More from Wolfgang Kandek

More from Wolfgang Kandek (8)

Recently uploaded

Recently uploaded (20)

Gartner UK 2015 Anatomy of An Attack

Editor's Notes