Low Hanging Fruit: Securing Your Basic MongoDB Installation
- Chastity Lloyd
1 Low Hanging Fruit: Securing Your Basic MongoDB Installation
2 About: Tom Spitzer, VP, Engineering, EC Wise
EC Wise builds/enables Complex Secure Solutions: Software Products / Service Delivery Platforms / Cyber Security
Key Practices: Security, Secure Software Development, Intelligent Systems, Data
Mature, International: offices and customers in North and South America, Asia; ~60 employees, senior experienced teams; founded 1998
Prior to EC Wise I developed ecommerce and ERP systems

3 Learning Objectives
1. Describe how attackers are able to compromise other people's data
2. Configure MongoDB instances securely
3. Manage users, roles, and privileges, so that when a user logs in, that user has access to a set of role-based privileges
4. Encrypt data in transit
5. Know how to use Read Only Views to improve security
6. Have an intelligent conversation with your organization about locking down your MongoDB instances
4 Top Risks / Common Attacks
- Ransomware: ,000 MongoDB servers in January, WannaCry in May. Of course, the affected MongoDB servers did not have authentication enabled!
- DDoS, steganography, SQL/NoSQL injection, system hijacking
- Political destabilization / infrastructure compromise
- Massive data theft via Advanced Persistent Threats: Experian, Yahoo, Target

5 Common Weaknesses / Mitigations: Access
Weaknesses
- Authentication weak or not enabled
- Overly permissive, inappropriate, and unused privileges
- Abuse and lax management of privileged and service accounts, e.g. do DBAs really require always-on access to application data?
Mitigations
- Least privilege
- Strong authentication (multiple MongoDB options)
- Access restrictions
- Role Based Access Control
- Account monitoring, especially for servers

6 Common Weaknesses / Mitigations: Surface Area
Weaknesses
- Lack of control of information assets
- Storage media not secured
- Too much information generally available
Mitigations
- Inventory what, where, how
- Reduce surface area
- Dispose of data that is no longer needed (archive / delete)
- Devalue data through encryption, tokenization, masking
- Pay attention to key management

7 Common Weaknesses / Mitigations: Practices
Weaknesses
- Failure to apply patches
- Risky DB features enabled
- Weak application security
- Lack of visibility into DB and network activity
Mitigations
- Create a patch-friendly environment
- Disable risky DB features (e.g. --noscripting)
- Take advantage of OWASP tools and strategies
- Move controls closer to the data itself
- Log sensitive operations
- Enterprise: consider DLP or SIEM
8 I. Secure connectivity to and between servers
Secure connectivity reduces surface area
- MongoDB TLS (SSL successor) hierarchy
- Walk through enabling TLS
- Configuration options
- Code examples

9 MongoDB TLS Hierarchy (PKI is acronym laden!)

10 MongoDB TLS-protected communications (diagram)
- Client machine: the driver makes CRUD API calls over TLS to DB Server 1; the client holds the CA certificates file
- DB Server 1, DB Server 2, DB Server 3: each holds its own server key & certificate PEM file plus the CA certificates file
- Internal traffic between the DB servers also runs over TLS
11 SSL/TLS configuration: create server .pem files

    # Initialize the CA by creating a private key for it
    $ openssl genrsa -out CAKey.key -aes256
    # Create the CA certificate
    $ openssl req -x509 -new -extensions v3_ca -key CAKey.key -out CA-cert.crt
    # Create a key file and Certificate Signing Request for each server.
    # Prompts for the information used to build the Distinguished Name (DN):
    # Country, State/Province, Locality, Organization Name, Org Unit, Common Name
    $ openssl req -new -nodes -newkey rsa:2048 -keyout serverx.key -out serverx.csr
    # Have the CA "sign" each server's CSR and generate the server's public cert
    $ openssl x509 -CA ./CA/CA-cert.crt -CAkey ./CA/CAKey.key -CAcreateserial -req -in ./csr/serverx.csr -out ./certs/serverx.crt
    # Create the .pem file for each server (private key followed by certificate)
    $ cat serverx.key serverx.crt > serverx.pem
    # Copy the .pem and the CA cert file to the config directory
    $ cp serverx.pem CA-cert.crt /mongodb/config/

Note: .pem is a container file format.
Note: the example creates a self-signed CA certificate, which is not recommended for production. For production, have a CA create the cert: run the openssl command to create a CSR and send it to your CA. This process is more fully explained at OpenSSL Essentials.

Update the MongoDB config file with the SSL info (option names are case-sensitive):

    net:
      port: 27017
      bindIp:
      ssl:
        mode: requireSSL    # or preferSSL
        PEMKeyFile: /mongodb/config/serverx.pem
        CAFile: /mongodb/config/CA-cert.crt

12 SSL/TLS configuration: create the client .pem file

    # Generate the client key and CSR; again it prompts for DN components.
    # The client DN has to differ from the server DN; a different Org Unit will do
    $ openssl req -new -nodes -newkey rsa:2048 -keyout rootuser.key -out rootuser.csr
    # Submit the client CSR to the CA for signing and cert generation
    $ openssl x509 -CA ./CA/CA-cert.crt -CAkey ./CA/CAKey.key -CAcreateserial -req -in ./csr/rootuser.csr -out ./certs/rootuser.crt
    # Concatenate the client .pem
    $ cat mongokey/rootuser.key ssl/certs/rootuser.crt > mongokey/rootuser.pem
    # Get the client cert subject details
    $ openssl x509 -in mongokey/rootuser.pem -inform PEM -subject -nameopt RFC2253
    subject= emailAddress=tspitzer@ecwise.com,cn=root,ou=ecwiseclients,o=ecwise,l=sr,st=ca,c=us

Note: be sure that client and server certs have different DNs, i.e. that at least one DN component (RDN) differs.
Note: consider a secure repository for key storage, e.g. the keystore service in Java or a third-party key manager; also protect the .pem file directories.

13 SSL/TLS configuration: restart with SSL

    # Restart mongod
    ~]$ mongod -f /etc/mongod.conf
    # Provide the cert to the client, and connect with SSL
    ~]$ mongo --ssl --host server1 --sslPEMKeyFile ./mongokey/rootuser.pem --sslCAFile=cacert.crt
14 Mini Clinic: Python SSL connection (excerpt from the app's database-access class; `config` is the application's configuration dictionary, defined elsewhere in the app)

    from urllib.parse import quote_plus
    from pymongo import MongoClient

    class MiniClinicDatabases:
        def __init__(self, host, port, db_name):
            self._host, self._port, self._db_name = host, port, db_name
            self._authorize_db = None
            # Each application role authenticates with its own MongoDB account,
            # so a service never holds more privileges than its role grants
            self._role_mapping = {'AUTHORIZE': self.get_authorize_db,
                                  'SCHEDULER': self.get_scheduler_db,
                                  'PRACTITIONER': self.get_practitioner_db,
                                  'PHARMACIST': self.get_pharmacist_db,
                                  'AUDITOR': self.get_auditor_db}

        def _get_database(self, type):
            username = config[type]['username']
            password = config[type]['password']
            cert_path = config['security']['cert_path']   # CA cert used to verify the server
            uri = "mongodb://%s:%s@%s:%s" % (
                quote_plus(username), quote_plus(password), self._host, self._port)
            # ssl=True enforces TLS; ssl_ca_certs is the pymongo 3 keyword
            return MongoClient(uri, ssl=True, ssl_ca_certs=cert_path)[self._db_name]

        def get_database_by_role(self, role):
            getter = self._role_mapping.get(role)
            if getter is None:
                raise ValueError("unknown role: %s" % role)
            return getter()

        def get_authorize_db(self):
            if self._authorize_db is None:
                self._authorize_db = self._get_database('mongo_authorize')
            return self._authorize_db

        # get_scheduler_db, get_practitioner_db, get_pharmacist_db and get_auditor_db
        # follow the same pattern (not shown on the slide)
15 II. Authentication: available strategies (details follow)
1. Username / password: challenge/response (SCRAM-SHA-1, based on RFC 5802)
2. Certificate: x.509 certificate (requires a CA; local CA certificates file)

Authentication strategy comparison
- Challenge/Response (SCRAM-SHA-1): clear-text password? No (digest); identity location: internal
- x.509 Certificate: clear-text password? No (digital signature); identity location: external
Addresses the Weak Authentication vulnerability.

16 SCRAM-SHA-1: enable authentication, create accounts
1. Start MongoDB without access control
2. Connect to the instance
3. Create the user administrator:

    use admin
    db.createUser( { user: "UserAdmin", pwd: "abc123", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )

4. Restart the instance with access control; in /etc/mongod.conf:

    security:
      authorization: enabled

    $ mongod -f /etc/mongod.conf

5. Connect and authenticate as the user administrator:

    mongo --ssl --host mongod_host --sslCAFile=/etc/ssl/mongodb.pem -u UserAdmin -p abc123 --authenticationDatabase admin

6. Create additional users
17 Authentication using x.509 certs: note the client vs. member authentication capabilities

18 x.509 authentication: create, assign, enable certs
1. Create a local certification authority or use a third party
2. Generate and sign certificates for the client and the servers in the replica set
   - Server and client certs must differ in the organization part of their DNs
   - Replica set member O, OU, and DC components must match
3. Start the MongoDB replica set instances without access control
4. Initialize the replica set
5. Update config.json
6. Restart the replica set in x.509 mode:

    mongod --replSet set509 --port $mport --dbpath ./db/$host \
      --sslMode requireSSL --clusterAuthMode x509 --sslCAFile root-ca.pem \
      --sslAllowInvalidHostnames --fork --logpath ./db/${host}.log \
      --sslPEMKeyFile ${host}.pem --sslClusterFile ${cluster}.pem

Note: --sslAllowInvalidHostnames skips hostname verification of member certificates; it suits a lab whose certs do not carry real host names, and should be dropped once production certs match the hosts.
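The two DN rules on slides 12 and 18 (client and server certs must differ, in the organization part of the DN; replica-set members must agree on O, OU and DC) are easy to get wrong when certificates are cut by hand. The following is an added example, not code from the talk or from MongoDB, that checks subject strings in the RFC 2253 form that `openssl x509 -subject -nameopt RFC2253` prints. The client DN is the one shown on slide 19; the server DNs are constructed.

```python
# Added example (not from the slides): check the DN rules the talk states before
# putting x.509 certificates into a MongoDB deployment.  Subject strings are in
# the RFC 2253 form that `openssl x509 -subject -nameopt RFC2253` prints.

from typing import List, Tuple

ORG_ATTRS = ("O", "OU", "DC")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 subject string into (attribute, value) pairs.

    Backslash-escaped commas inside a value are honoured; attribute names are
    normalised to upper case so 'cn=root' and 'CN=root' compare equal.
    """
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character, keep literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        if attr.strip():
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def org_part(dn: str) -> Tuple[Tuple[str, str], ...]:
    """The O / OU / DC components of a DN, order-insensitive."""
    return tuple(sorted(p for p in parse_dn(dn) if p[0] in ORG_ATTRS))


def rdns_differ(dn_a: str, dn_b: str) -> bool:
    """Slide 12 rule: at least one RDN must differ between two certificates."""
    return set(parse_dn(dn_a)) != set(parse_dn(dn_b))


def client_distinct_from_member(client_dn: str, member_dn: str) -> bool:
    """Slide 18 rule: a client cert must differ from a member cert in the
    organization part (O, OU or DC) of the DN, not merely in CN."""
    return org_part(client_dn) != org_part(member_dn)


def members_consistent(member_dns: List[str]) -> bool:
    """Slide 18 rule: every replica-set member cert carries the same O, OU and DC."""
    return len({org_part(dn) for dn in member_dns}) == 1


# Constructed sample DNs.  The client DN is the one shown on slide 19; the
# server DNs are hypothetical.
CLIENT_DN = "CN=client1,OU=MyClients,O=EC Wise,L=Chengdu,ST=GD,C=CN"
MEMBER_DNS = [
    "CN=server1.clinic.example,OU=MyServers,O=EC Wise,L=Chengdu,ST=GD,C=CN",
    "CN=server2.clinic.example,OU=MyServers,O=EC Wise,L=Chengdu,ST=GD,C=CN",
]
# A client cert that only changes CN satisfies the loose rule but not the strict one.
LAZY_CLIENT_DN = "CN=client1,OU=MyServers,O=EC Wise,L=Chengdu,ST=GD,C=CN"


def check_deployment(client_dn: str, member_dns: List[str]) -> List[str]:
    """Return the list of rule violations (empty when the certificates are acceptable)."""
    problems = []
    if not members_consistent(member_dns):
        problems.append("replica-set member certificates disagree on O/OU/DC")
    for m in member_dns:
        if not rdns_differ(client_dn, m):
            problems.append("client DN identical to member DN: " + m)
        elif not client_distinct_from_member(client_dn, m):
            problems.append("client DN differs from member only outside O/OU/DC: " + m)
    return problems


if __name__ == "__main__":
    print(check_deployment(CLIENT_DN, MEMBER_DNS))       # []
    print(check_deployment(LAZY_CLIENT_DN, MEMBER_DNS))  # one finding per member
```

Run it against the subject lines of every cert before the replica set is restarted in x509 mode; a client certificate that shares the members' O/OU/DC would be accepted by the cluster as a member, which is exactly the confusion the slide-18 rule exists to prevent.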
19 Client authentication examples
SCRAM-SHA-1:

    $ mongo ...
    > db.getSiblingDB("admin").auth( { mechanism: "SCRAM-SHA-1", user: "dbmaster", pwd: "adminpasswd123", digestPassword: true } );

x.509 certificate (the client name must match the DN in the cert; FQDN):

    $ mongo ...
    > db.getSiblingDB("$external").auth( { mechanism: "MONGODB-X509", user: "CN=client1,OU=MyClients,O=EC Wise,L=Chengdu,ST=GD,C=CN" } );
    > db.test.find()

20 III. User & Role Management in MongoDB
Addresses the "overly permissive, inappropriate, and unused privileges" vulnerability
- Enable access control for authentication
- Set up users and roles, applicable to both humans and services
- Enforce the least-privilege strategy we discussed earlier
- Bind users and roles to machines or (sub)networks with authentication restrictions

21 Use roles to manage privilege assignments
- A privilege allows an action on a resource. MongoDB defines a bunch of privileged operations.
- Roles are defined pairings of resources and actions that you can assign to users
- Sixteen built-in roles, which you have probably read about: read, readWrite, dbAdmin, clusterAdmin, backup, restore, etc.
- Authorization model (class diagram): User -> Role -> Permission -> Resource, Action
- Create custom roles and assign users to roles per the scripts on the following slides

22 User & role examples based on the Mini-Clinic app*
Obviously, a medical clinic needs to be secure
- Roles: Scheduler, Practitioner, Pharmacist, Auditor
- Objects: Patient, Encounter, Observation, Prescription
- Operations: Schedule Encounter, Make Diagnosis, Prescribe Medication
- Architecture: Mini-Clinic Website -> Mini-Clinic RESTful Services -> MongoDB
*based on HL7 Fast Healthcare Interoperability Resources (FHIR)
23 Mini Clinic Role Mapping (table; the assignment of cells to columns is only partly recoverable from the transcription)
Rows (roles): Scheduler, Practitioner, Pharmacist, Auditor
Columns (data): Patient, Encounters, Observation, Medication Order, Medication
Cell values as transcribed: CUD R CUD R CUD R CUD R CUD R (only name) (no national ID)
Legend: CUD = Create/Update/Delete, R = Read

24 User and role management examples (the IP addresses in the authentication restrictions were lost in transcription; placeholders are shown)

    db = db.getSiblingDB('admin');
    // create scheduler role
    db.createRole( {
      "role": "scheduler",
      "privileges": [
        { "resource": { "db": "mini_clinic", "collection": "scheduler_patient" }, "actions": [ "find" ] },
        { "resource": { "db": "mini_clinic", "collection": "encounter" }, "actions": [ "find", "insert", "update" ] }
      ],
      "roles": [],
      "authenticationRestrictions": [ { "clientSource": [ "<client-ip-1>", "<client-ip-2>" ], "serverAddress": [ "<subnet>/24", "<server-ip>" ] } ]
    } );
    // create scheduler user
    db.dropUser("user_scheduler");
    db.createUser( {
      "user": "user_scheduler",
      "pwd": "ecwise.c1m",
      "roles": [ { "role": "scheduler", "db": "admin" } ],
      "authenticationRestrictions": [ { "clientSource": [ "<client-ip-1>", "<client-ip-2>" ], "serverAddress": [ "<subnet>/24", "<server-ip>" ] } ]
    } );
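Writing createRole documents by hand is where over-broad grants creep in. The following is an added example (not code from the talk) that builds the slide-24 role and user documents from the CUD/R shorthand of the slide-23 mapping and checks a role against the mapping before it is applied; the collection names follow the slides, while the IP ranges and the policy table are constructed for illustration.

```python
# Added example (not from the slides): build the db.createRole()/db.createUser()
# documents of slide 24 from the CUD/R shorthand of slide 23 and check them
# against the role mapping before they are applied.  The sample IP ranges and
# the allowed-action policy are constructed for illustration.

import json
from typing import Dict, List, Optional, Set, Tuple

# The slide's legend: C/U/D = create/update/delete, R = read.
ACTION_FOR = {"C": "insert", "U": "update", "D": "remove", "R": "find"}
DB_NAME = "mini_clinic"


def privilege(collection: str, rights: str) -> Dict:
    """One MongoDB privilege document for a collection in the clinic database."""
    actions = [ACTION_FOR[ch] for ch in rights.upper() if ch in ACTION_FOR]
    return {"resource": {"db": DB_NAME, "collection": collection}, "actions": actions}


def build_role(name: str, grants: Dict[str, str],
               client_sources: Optional[List[str]] = None,
               server_addresses: Optional[List[str]] = None) -> Dict:
    """The document passed to db.createRole(); grants maps collection -> 'CUDR' rights."""
    doc = {"role": name,
           "privileges": [privilege(c, r) for c, r in grants.items()],
           "roles": []}
    restriction = {}
    if client_sources:
        restriction["clientSource"] = list(client_sources)
    if server_addresses:
        restriction["serverAddress"] = list(server_addresses)
    if restriction:                        # MongoDB 3.6+ authenticationRestrictions
        doc["authenticationRestrictions"] = [restriction]
    return doc


def build_user(name: str, password: str, role: str) -> Dict:
    """The document passed to db.createUser(); the role lives in the admin database."""
    return {"user": name, "pwd": password, "roles": [{"role": role, "db": "admin"}]}


def excess_privileges(role_doc: Dict, allowed: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """Least-privilege check: (collection, action) pairs the role grants beyond `allowed`."""
    excess = set()
    for p in role_doc["privileges"]:
        coll = p["resource"]["collection"]
        for action in p["actions"]:
            if action not in allowed.get(coll, set()):
                excess.add((coll, action))
    return excess


def to_shell(command: str, doc: Dict) -> str:
    """Render a mongo-shell statement such as db.createRole({...});"""
    return "db.%s(%s);" % (command, json.dumps(doc, indent=2))


# Scheduler row of the role-mapping table: read the patient view, create/update
# encounters.  The allowed set is the policy the role is checked against.
SCHEDULER_ALLOWED = {"scheduler_patient": {"find"}, "encounter": {"find", "insert", "update"}}
SCHEDULER_ROLE = build_role("scheduler",
                            {"scheduler_patient": "R", "encounter": "RCU"},
                            client_sources=["10.0.5.0/24"],      # constructed app subnet
                            server_addresses=["10.0.3.15"])      # constructed DB address

# A tempting shortcut: grant the raw patient collection and full CUD on encounters.
OVERBROAD_ROLE = build_role("scheduler", {"patient": "R", "encounter": "CUD"})

if __name__ == "__main__":
    print(to_shell("createRole", SCHEDULER_ROLE))
    print(to_shell("createUser", build_user("user_scheduler", "<password>", "scheduler")))
    print("excess:", excess_privileges(OVERBROAD_ROLE, SCHEDULER_ALLOWED))
```

The check reports the over-broad role as granting `find` on the raw `patient` collection (bypassing the scheduler view) and `remove` on `encounter`, neither of which the mapping allows.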
25 IV. Network/OS considerations
You're mainly addressing surface-area risks, i.e. limiting areas of exposure
- MongoDB cluster (shard + replica sets, config servers) on an internal network behind a firewall; DBs on a separate subnet, not accessible from the internet (Amazon VLAN/VPCs)
- Internal authentication between the nodes of the cluster with a key file (or x.509 certificates)
- The application authenticates with an account and password; dedicated OS users for DB and app services
- Router: a single public access point
- Localhost is the default bind address (3.6); use bindIp to tell MongoDB about any other adapters and sockets to listen on
- Maintenance: the admin user comes in over VPN (VPN authentication, VPN access)
- IP whitelisting (3.6) enhances authentication

26 V. MongoDB Atlas has security baked in
- TLS/SSL enabled by default with the mongodb+srv connection string
- Authentication and authorization via SCRAM
- Network isolation and VPC peering on AWS
- IP whitelists using authentication restrictions
- Encrypted storage volumes
- Roles not definable: create users through the Atlas UI and assign them to predefined roles

27 VI. Read Only Views
- Addresses both surface-area reduction and weak-authorization risks
- Enable administrators to define a query that is materialized at runtime:

    db.createView(<name>, <source collection>, <pipeline>, <options>)

  where pipeline is an array consisting of aggregation pipeline stages
- Admins can define permissions on who can access the views
- Use these views in your applications to provide another level of security
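The settings the talk asks for (slide 11: requireSSL with a key file and CA file; slide 16: authorization enabled; slide 25: do not bind every interface; slide 7: disable scripting) all live in mongod.conf, so they can be checked offline before a restart. The following is an added example, not code from the talk or from MongoDB, with two constructed configurations; the tiny YAML reader is an assumption that covers only the indented key/value subset mongod.conf uses (no lists or quoting).

```python
# Added example (not from the slides): an offline audit of a mongod.conf against
# the settings this talk asks for (slides 7, 11, 16 and 25).  The mini YAML
# reader is an assumption: it handles only the indented key/value subset that
# mongod.conf uses, with no lists or quoting.

from typing import Dict, List

# Constructed sample configs, not taken from any real deployment.
WEAK_CONF = """\
# typical "it just works" install
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.3.15
  ssl:
    mode: requireSSL
    PEMKeyFile: /mongodb/config/serverx.pem
    CAFile: /mongodb/config/CA-cert.crt
security:
  authorization: enabled
  javascriptEnabled: false
"""


def parse_simple_yaml(text: str) -> Dict:
    """Parse indentation-nested `key: value` lines into nested dicts."""
    root: Dict = {}
    stack = [(-1, root)]                      # (indent, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.split("#", 1)[0].strip()   # drop trailing comments
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":                       # a section header
            child: Dict = {}
            parent[key.strip()] = child
            stack.append((indent, child))
        else:
            parent[key.strip()] = value
    return root


def audit(conf_text: str) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means all checks pass."""
    conf = parse_simple_yaml(conf_text)
    net = conf.get("net", {})
    ssl = net.get("ssl", {})
    sec = conf.get("security", {})
    findings = []

    # Slide 16: without authorization, anyone who reaches the port has full access.
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled'")
    # Slide 11: requireSSL; preferSSL still lets clients talk in the clear.
    if ssl.get("mode") != "requireSSL":
        findings.append("net.ssl.mode is not 'requireSSL'")
    if ssl.get("mode") in ("requireSSL", "preferSSL"):
        for opt in ("PEMKeyFile", "CAFile"):
            if not ssl.get(opt):
                findings.append("net.ssl.%s is missing" % opt)
    # Slide 25: localhost is the default; binding every interface exposes the server.
    bound = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    if "0.0.0.0" in bound or "::" in bound:
        findings.append("net.bindIp listens on all interfaces")
    # Slide 7: disable risky features (server-side JavaScript).
    if sec.get("javascriptEnabled", "true").lower() != "false":
        findings.append("security.javascriptEnabled is not 'false'")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

The weak configuration, which is what a default package install looks like once bindIp is widened, trips four of the five checks; that combination (reachable from everywhere, no authentication) is the one the January ransomware wave exploited.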
28 Read only views

    db = db.getSiblingDB('admin');
    /* create views; the pipeline argument is an array of stages */
    db.createView( "scheduler_patient", "patient", [ { $project: { "firstname": 1, "lastname": 1 } } ] );
    db.createView( "practitioner_patient", "patient", [ { $project: { "nationalid": 0 } } ] );

    set13:primary> db.patient.findOne({ lastname: "Maddin" })
    { "_id" : ObjectId(" c8e a5172"), "nationalid" : " ", "firstname" : "Joe", "dob" : " ", "lastname" : "Maddin", "phone" : " ", "gender" : "MALE" }
    set13:primary> db.scheduler_patient.findOne({ lastname: "Maddin" })
    { "_id" : ObjectId(" c8e a5172"), "firstname" : "Joe", "lastname" : "Maddin" }
    set13:primary> db.practitioner_patient.findOne({ lastname: "Maddin" })
    { "_id" : ObjectId(" c8e a5172"), "firstname" : "Joe", "dob" : " ", "lastname" : "Maddin", "phone" : " ", "gender" : "MALE" }
    // everything BUT the national ID

29 VII. Architecting a secure system
- Consider the whole application, from the UI/service initiation down to the DB
- A layered security strategy will be most effective
- Break down organizational barriers; work across teams
- Always encrypt network traffic
- Decide on the authentication model: standing alone vs. integrated with corporate
- Think carefully about roles

30 Thank You
Closing comments/questions? For follow up: Tom
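A view only protects data if its $project stage exposes exactly what the role needs, and the two projection forms behave differently (inclusion keeps `_id` unless told otherwise; exclusion keeps everything not named). The following is an added example, not code from the talk, that simulates the two slide-28 views on a constructed patient record and checks each against a per-role list of fields that must not be visible; the field policy is an assumption drawn from the "(only name)" and "(no national ID)" notes on slide 23.

```python
# Added example (not from the slides): simulate what each read-only view of slide 28
# exposes, so a reviewer can confirm that a role's view leaks nothing it should not
# before the view is created.  The patient record and the per-view policy are
# constructed; only the view definitions mirror the slide.

from typing import Dict, Set

# $project stages exactly as used in the slide's db.createView() calls.
VIEWS = {
    "scheduler_patient":    {"firstname": 1, "lastname": 1},   # inclusion form
    "practitioner_patient": {"nationalid": 0},                 # exclusion form
}

# Fields each view must NOT show (assumed from slide 23: scheduler sees only the
# name, practitioner sees everything but the national ID).
POLICY = {
    "scheduler_patient":    {"nationalid", "dob", "phone", "gender"},
    "practitioner_patient": {"nationalid"},
}

# Constructed sample document (the slide's output has its values elided).
PATIENT = {"_id": "5b3f-constructed", "nationalid": "123-45-6789", "firstname": "Joe",
           "dob": "1966-01-01", "lastname": "Maddin", "phone": "555-0100", "gender": "MALE"}


def apply_project(doc: Dict, project: Dict) -> Dict:
    """Apply one $project stage to a single top-level document.

    Follows the server's rules that matter for views: _id is kept unless it is
    explicitly set to 0, and ordinary fields cannot mix inclusion with exclusion.
    """
    fields = {k: v for k, v in project.items() if k != "_id"}
    flags = {bool(v) for v in fields.values()}
    if len(flags) > 1:
        raise ValueError("cannot mix inclusion and exclusion in one $project")
    if not fields:                                   # only _id was mentioned
        out = {k: v for k, v in doc.items() if k != "_id"}
    elif True in flags:                              # inclusion: keep listed fields
        out = {k: doc[k] for k in fields if k in doc}
    else:                                            # exclusion: drop listed fields
        out = {k: v for k, v in doc.items() if k not in fields and k != "_id"}
    if project.get("_id", 1) and "_id" in doc:
        out = {"_id": doc["_id"], **out}
    return out


def view_of(view: str, doc: Dict) -> Dict:
    """What a user restricted to `view` sees of `doc`."""
    return apply_project(doc, VIEWS[view])


def leaked_fields(view: str, doc: Dict) -> Set[str]:
    """Fields the policy forbids that `view` still exposes; empty is the result you want."""
    return set(view_of(view, doc)) & POLICY[view]


if __name__ == "__main__":
    for name in VIEWS:
        print(name, view_of(name, PATIENT), "leaks:", leaked_fields(name, PATIENT))
```

The exclusion form is the one to watch: a field added to the `patient` collection later is visible through `practitioner_patient` automatically, whereas `scheduler_patient` stays limited to the two fields it names. Re-running this check whenever the schema changes catches that drift.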
31 Appendix Examples and References Some additional code examples and web references are provided
32 MongoDB x.509 authentication settings (application configuration; the driver option names below are case-sensitive)

    {
      "db": "mongodb://localhost:27001/db-name?ssl=true",
      "dbopts": {
        "user": "emailAddress=john.doe@example.com,CN=xyz,OU=xyz-client,O=xyz,L=xyz,ST=xyz,C=xyz",
        "auth": { "authMechanism": "MONGODB-X509" },
        "server": {
          "sslValidate": false,
          "sslKey": { "filepath": "/absolute/path/to/db-user.pem" },
          "sslCert": { "filepath": "/absolute/path/to/db-user.crt" }
        }
      }
    }

Note: "sslValidate": false turns off verification of the server's certificate, so the client will accept any server presenting any cert; outside a throwaway test setup keep it true and supply the CA certificate so the server is verified.

33 Cyber-Security References
- CyberCriminals and their APT and AVT Techniques
- InfoSec Institute: Anatomy of an APT Attack: Step by Step Approach
- Forrester Wave: Data Loss Prevention Suites, Q4 2016
- Data Guardian's Definitive Guide to Data Loss Prevention
- How to Avoid Ransomware Attacks Against MongoDB
- InfoWorld Guide to MongoDB Security
- MongoDB Security Checklist (product documentation)
- Download link for MongoDB Security Reference Architecture
More informationJamf Pro Installation and Configuration Guide for Windows. Version
Jamf Pro Installation and Configuration Guide for Windows Version 10.0.0 copyright 2002-2017 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100 Washington
More informationUnified Security Platform. Security Center 5.4 Hardening Guide Version: 1.0. Innovative Solutions
Unified Security Platform Security Center 5.4 Hardening Guide Version: 1.0 Innovative Solutions 2016 Genetec Inc. All rights reserved. Genetec Inc. distributes this document with software that includes
More informationXerox Audio Documents App
Xerox Audio Documents App Additional information, if needed, on one or more lines Month 00, 0000 Information Assurance Disclosure 2018 Xerox Corporation. All rights reserved. Xerox, Xerox,
More informationConfiguration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2
Configuration Guide BlackBerry UEM Version 12.7 Maintenance Release 2 Published: 2017-12-04 SWD-20171130134721747 Contents About this guide... 8 Getting started... 9 Configuring BlackBerry UEM for the
More informationManage Certificates. Certificates Overview
Certificates Overview, page 1 Show Certificates, page 3 Download Certificates, page 4 Install Intermediate Certificates, page 4 Delete a Trust Certificate, page 5 Regenerate a Certificate, page 6 Upload
More informationJamf Pro Installation and Configuration Guide for Linux. Version
Jamf Pro Installation and Configuration Guide for Linux Version 10.0 copyright 2002-2017 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100 Washington
More informationIT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao
IT Service Delivery and Support Week Three IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1 Infrastructure Essentials Computer Hardware Operating Systems (OS) & System Software Applications
More informationInformation Security Policy
Information Security Policy Information Security is a top priority for Ardoq, and we also rely on the security policies and follow the best practices set forth by AWS. Procedures will continuously be updated
More informationCIS Controls Measures and Metrics for Version 7
Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update
More informationARCHITECTING WEB APPLICATIONS FOR THE CLOUD: DESIGN PRINCIPLES AND PRACTICAL GUIDANCE FOR AWS
ARCHITECTING WEB APPLICATIONS FOR THE CLOUD: DESIGN PRINCIPLES AND PRACTICAL GUIDANCE FOR AWS Dr Adnene Guabtni, Senior Research Scientist, NICTA/Data61, CSIRO Adnene.Guabtni@csiro.au EC2 S3 ELB RDS AMI
More informationA PKI For IDR Public Key Infrastructure and Number Resource Certification
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect
More informationDigital Certificates Demystified
Digital Certificates Demystified Ross Cooper, CISSP IBM Corporation RACF/PKI Development Poughkeepsie, NY Email: rdc@us.ibm.com August 9 th, 2012 Session 11622 Agenda Cryptography What are Digital Certificates
More informationUsing ISE 2.2 Internal Certificate Authority (CA) to Deploy Certificates to Cisco Platform Exchange Grid (pxgrid) Clients
Using ISE 2.2 Internal Certificate Authority (CA) to Deploy Certificates to Cisco Platform Exchange Grid (pxgrid) Clients Author: John Eppich Table of Contents About this Document... 4 Using ISE 2.2 Internal
More informationHPE Knowledge Article
HPE Knowledge Article HPE 5930/5940 Switch Series - Connect to OVSDB Client Article Number mmr_sf-en_us000021071 Environment HPE 5930/5940 switches can be configured as OVSDB servers. One common use case
More informationJamf Pro Installation and Configuration Guide for Mac. Version
Jamf Pro Installation and Configuration Guide for Mac Version 10.5.0 copyright 2002-2018 Jamf. All rights reserved. Jamf has made all efforts to ensure that this guide is accurate. Jamf 100 Washington
More informationCisco ISE pxgrid App 1.0 for IBM QRadar SIEM. Author: John Eppich
Cisco ISE pxgrid App 1.0 for IBM QRadar SIEM Author: John Eppich Table of Contents About This Document... 4 Solution Overview... 5 Technical Details... 6 Cisco ISE pxgrid Installation... 7 Generating the
More informationVSP16. Venafi Security Professional 16 Course 04 April 2016
VSP16 Venafi Security Professional 16 Course 04 April 2016 VSP16 Prerequisites Course intended for: IT Professionals who interact with Digital Certificates Also appropriate for: Enterprise Security Officers
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationMost Common Security Threats (cont.)
Most Common Security Threats (cont.) Denial of service (DoS) attack Distributed denial of service (DDoS) attack Insider attacks. Any examples? Poorly designed software What is a zero-day vulnerability?
More informationLDAP Directory Integration
LDAP Server Name, Address, and Profile Configuration, on page 1 with Cisco Unified Communications Manager Task List, on page 1 for Contact Searches on XMPP Clients, on page 6 LDAP Server Name, Address,
More informationNetwrix Auditor for SQL Server
Netwrix Auditor for SQL Server Quick-Start Guide Version: 9.5 10/25/2017 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from
More informationSelecting Software Packages for Secure Database Installations
Selecting Software Packages for Secure Database Installations Afonso Araújo Neto, Marco Vieira This document includes complementary information for the paper Selecting Software Packages for Secure Database
More informationLET S ENCRYPT WITH PYTHON WEB APPS. Joe Jasinski Imaginary Landscape
LET S ENCRYPT WITH PYTHON WEB APPS Joe Jasinski Imaginary Landscape SSL / TLS WHY USE SSL/TLS ON YOUR WEB SERVER? BROWSERS ARE MANDATING IT Firefox 51 and Chrome 56 Non-HTTPS Pages with Password/CC Forms
More informationWHITE PAPER. Authentication and Encryption Design
WHITE PAPER Authentication and Encryption Design Table of Contents Introduction Applications and Services Account Creation Two-step Verification Authentication Passphrase Management Email Message Encryption
More informationGetting started with AWS security
Getting started with AWS security Take a prescriptive approach Stella Lee Manager, Enterprise Business Development $ 2 0 B + R E V E N U E R U N R A T E (Annualized from Q4 2017) 4 5 % Y / Y G R O W T
More informationSHA-1 to SHA-2. Migration Guide
SHA-1 to SHA-2 Migration Guide Web-application attacks represented 40 percent of breaches in 2015. Cryptographic and server-side vulnerabilities provide opportunities for cyber criminals to carry out ransomware
More informationLook Who s Hiring! AWS Solution Architect AWS Cloud TAM
Look Who s Hiring! AWS Solution Architect https://www.amazon.jobs/en/jobs/362237 AWS Cloud TAM https://www.amazon.jobs/en/jobs/347275 AWS Principal Cloud Architect (Professional Services) http://www.reqcloud.com/jobs/701617/?k=wxb6e7km32j+es2yp0jy3ikrsexr
More informationWhy AWS CloudHSM Can Revolutionize AWS
Why AWS CloudHSM Can Revolutionize AWS SESSION ID: CSV-R04A Oleg Gryb Security Architect at Intuit @oleggryb Todd Cignetti Sr. Product Manager at AWS Security Subra Kumaraswamy Chief Product Security at
More informationNetwrix Auditor. Administration Guide. Version: /31/2017
Netwrix Auditor Administration Guide Version: 9.5 10/31/2017 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from Netwrix Corporation
More information