Article Summary of: Understanding Cloud Computing Vulnerabilities. Michael R. Eldridge
|
|
- Clement Strickland
- 6 years ago
- Views:
Transcription
1 Article Summary of: Understanding Cloud Computing Vulnerabilities Michael R. Eldridge April 14, 2016
2 2 Introduction News stories abound about the almost daily occurrence of break-ins and the stealing of information from cloud computing data centers. Most times, these episodes are caused by bad user practices regarding safeguarding user login credentials. But other times, they suggest a fundamental weakness in the design or management of cloud computing resources. How can we classify and assess the risks and vulnerabilities in cloud computing and determine the necessary security controls to be implemented? In their article, Understanding Cloud Computing Vulnerabilities (Grobauer, et al, 2010), the authors differentiate between the wide-ranging security issues within general computing to those associated with cloud computing. In doing so, they define cloudspecific vulnerabilities called indicators which can be used to spotlight security controls that are frequently successful in general computing, but ineffective in the cloud. Vulnerability The Open Group s risk taxonomy describes risk factors in terms of the potential that a threat can exploit a vulnerability (loss event frequency) and the effects (probable loss magnitude) of such an attack. Loss magnitude is further divided into loss factors such as the value of lost assets, lost time and productivity, organization credibility, etc. Event frequency is driven by several factors including a threat agent s motivations (gains) versus risk to the agent and their ability to drive an attack. An attack agent s capabilities compared with the strengths of security controls define vulnerabilities which are factors in loss event frequency. This leads to the definition of vulnerability by the Open Group as the probability that an asset will be unable to resist the actions of a threat agent. The ability to resist in this case means the presence or lack of adequate security controls and implementation of security policies. For example, not applying current Operating System (OS) updates undermines a systems ability to resist attack. It s interesting to note that from a customer s standpoint, cloud computing does not really change the probable loss magnitude, as the cloud does not force a customer to have any more or less resources (data, users, etc.) that could be exploited. However, from a cloud service provider perspective, the loss impact could be significantly bigger. With this refined definition of vulnerability, a detailed review of how cloud computing can influence the loss event frequency, either by affecting security controls, or the motivations and capabilities of an attacker, can be obtained. Indicators of Cloud-Specific Vulnerabilities Cloud computing utilizes several, basic technologies to provide services to many customers via the internet and through service providers. These core technologies include web applications and services, virtualization and cryptography. The basis of cloud computing is the ability to provide pay-as-you-go services which are implemented using web based applications. The service models include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). To make these offerings cost effective for customers and profitable for providers, they must be able to scale in order to support, yet isolate many customers without incurring a per customer cost in facilities, hardware, power and support. This is done by virtualization of hardware and software which gives the appearance to customers that they are alone in using the service(s). Lastly, cryptography is used to solve other security requirements. Along with core technologies, cloud computing has several attributes which allow delivery and use of services in a cost effective
3 3 manner. These essential characteristics as described by the US National Institute of Standards and Technology (NSIT) are, on-demand self-service, ubiquitous network access, resource pooling, rapid elasticity and measured service (Mell & Grance, 2009). With core technologies and essential characteristics of cloud computing as a backdrop, we can use these as indicators as to whether a vulnerability is cloud-specific. Vulnerabilities can be bounded as cloud-specific if, they are inherent in a core cloud computing technology, or have as its origin one of the NISTs essential cloud characteristics. Additionally, a vulnerability is cloud-specific if the technology or implementation limits or prevents security controls from being applied. And lastly, if the vulnerability is widespread in cloud applications. Cloud-Specific Vulnerabilities With the indicators now in hand, it is straightforward to determine which vulnerabilities are specific to cloud computing by looking at vulnerabilities that pertain to those indicators. The indicator for core technologies of web applications and services, virtualization and cryptography have many well-known vulnerabilities including virtual machine escapes, session hijacking and weak cryptography. Essential cloud characteristic vulnerabilities consist of unauthorized access to management and administrative tools, internet protocol exploits, unauthorized access to data via covert channels or by accessing data in memory or storage, and the ability to affect metering which can be used to forge billing records or avoid paying for services. The indicator of when cloud computing technology leads to ineffective or non-existent security controls, presents vulnerabilities which include key management as it pertains to generating keys through hardware in a shared environment, the lack of standard security monitoring and reporting tools for cloud resources, and the fact that many security controls are built for common, network computing and generally do not work well in virtualized, cloud computing environments. Finally, if vulnerabilities associated with the technologies and software used to implement cloud computing services are wide-spread, they are considered cloud-specific. These can include command interception, privilege escalation at the OS level, cross-site scripting and weak authentication mechanisms. An important class to this list is user behavior, i.e.; weak or bad passwords, unattended desktops, or poor security policies. Architectural Vulnerabilities Utilizing the cloud infrastructure reference architecture developed by IBM in conjunction with the University of California, Los Angeles (Youseff, et al, 2008), more detail is provided to the cloud services models which can be used to identify other cloud-specific vulnerabilities associated with the different layers that are used to implement SaaS, PaaS, and IaaS. The architecture has three parts, Supporting (IT) Infrastructure, Cloud Specific Infrastructure and Service Customer. At the center is the Cloud Software Infrastructure which provides access to lower level components such as the OS and HW through abstraction, and the Cloud Software Environment which provides application services. Together they comprise three resource types, Computational Resources, Storage and Communication. The vulnerabilities associated with these three resource types are typical in an environment where users and processes share resources, for which cloud computing depends on. These include virtual machine compromise and data leakage, weak cryptography keys because of shared hardware key generation, data compromise due to remnant data on storage devices or in memeory and network software weakness internal to VMs, such as DNS, DHCP and
4 4 IP vulnerabilities. Cloud Specific Infrastructure also includes Cloud Web Applications, Services & APIs, and Management Access and Authentication and Authorization processes. Again, the vulnerabilities associated with these components as well as the ones which comprise the Supporting (IT) Infrastructure are common for most computing environments, but considered cloud-specific in this context. Examples include input fuzzing at the browser to either crash applications or get them to operate in unexpected ways, interceding in the communication between client and server (man-in-the-middle), poor authorization checks and insufficient logging and monitoring. Conclusion This article provides a simple, yet comprehensive framework for identifying and understanding cloud-specific vulnerabilities. It does so by taking familiar vulnerabilities associated with noncloud based computing and classifies them into a cloud computing architecture. The result is the ability to move away from the vague fears that cloud computing is just unsafe, to a concrete taxonomy which reveals what and where the real vulnerabilities are, thus providing a practical foundation for a thorough assessment of the risks and threats in cloud computing.
5 5 References: [1] Brobauer, B., Walloschek, T., Stocker, E. (2010), Understanding Cloud Computing Vulnerabilities. IEEE Security & Privacy, 9(2), [2] Mell, P., Grance, T., (2009), Effectively and Securely Using the Cloud Computing Paradigm (v0.25), US Nat l Inst. Standards and Technology presentation. csrc.nist.gov/groups/sns/cloud-computing. [3] Youseff, L., Butrico, M., Da Silva, D., (2008), Towards a Unified Ontology of Cloud Computing. Proc. Grid Computing Environments Workshop (GCE), IEEE Press, doi: /GCE
C1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationGuide to Network Defense and Countermeasures Second Edition. Chapter 2 Security Policy Design: Risk Analysis
Guide to Network Defense and Countermeasures Second Edition Chapter 2 Security Policy Design: Risk Analysis Objectives Explain the fundamental concepts of risk analysis Describe different approaches to
More informationCompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management
CompTIA Security+ Lecture Six Threats and Vulnerabilities Vulnerability Management Copyright 2011 - VTC Malware Malicious code refers to software threats to network and systems, including viruses, Trojan
More informationEssential Cloud Security Features in Windows Azure
Essential Cloud Security Features in Windows Azure Ramya Dharam 1, and Sajjan G. Shiva 2 1 Department of Computer Science, University of Memphis, Memphis, TN, USA 2 Department of Computer Science, University
More informationSecuring Cloud Computing
Securing Cloud Computing NLIT Summit, May 2018 PRESENTED BY Jeffrey E. Forster jeforst@sandia.gov Lucille Forster lforste@sandia.gov Sandia National Laboratories is a multimission laboratory managed and
More informationOWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationSecuring Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection
Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection Azure Active Directory 3 rd Party IaaS IaaS Rights Management Services
More informationSecurity for an age of zero trust
Security for an age of zero trust A Two-factor authentication: Security for an age of zero trust shift in the information security paradigm is well underway. In 2010, Forrester Research proposed the idea
More informationKen Agress, Senior Consultant PlanNet Consulting, LLC.
Elements of a Vulnerability Assessment Ken Agress, Senior Consultant PlanNet Consulting, LLC. Defining a Vulnerability Assessment Agenda Types of Vulnerability Assessments Are You Ready for an Assessment?
More informationIntroduction to Cloud Computing. [thoughtsoncloud.com] 1
Introduction to Cloud Computing [thoughtsoncloud.com] 1 Outline What is Cloud Computing? Characteristics of the Cloud Computing model Evolution of Cloud Computing Cloud Computing Architecture Cloud Services:
More informationCloud Computing and Service-Oriented Architectures
Material and some slide content from: - Atif Kahn SERVICES COMPONENTS OBJECTS MODULES Cloud Computing and Service-Oriented Architectures Reid Holmes Lecture 20 - Tuesday November 23 2010. SOA Service-oriented
More informationCloud-Security: Show-Stopper or Enabling Technology?
Cloud-Security: Show-Stopper or Enabling Technology? Fraunhofer Institute for Secure Information Technology (SIT) Technische Universität München Open Grid Forum, 16.3,. 2010, Munich Overview 1. Cloud Characteristics
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More informationGood Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy
Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy SESSION ID: CSV-W01 Bryan D. Payne Director of Security Research Nebula @bdpsecurity Cloud Security Today Cloud has lots of momentum
More informationJoe Stocker, CISSP, MCITP, VTSP Patriot Consulting
Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting Microsoft Cloud Evangelist at Patriot Consulting Principal Systems Architect with 17 Years of experience Technical certifications: MCSE, MCITP Office
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationNetwork Services, Cloud Computing and Virtualization
Network Services, Cloud Computing and Virtualization Client Side Virtualization Purpose of virtual machines Resource requirements Emulator requirements Security requirements Network requirements Hypervisor
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationVersion 1/2018. GDPR Processor Security Controls
Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in
More informationIBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan
IBM Cloud Security for the Cloud Amr Ismail Security Solutions Sales Leader Middle East & Pakistan Today s Drivers for Cloud Adoption ELASTIC LOWER COST SOLVES SKILLS SHORTAGE RAPID INNOVATION GREATER
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationWireless LAN Security (RM12/2002)
Information Technology in Education Project Reference Materials Wireless LAN Security (RM12/2002) Infrastructure Division Education Department The Government of HKSAR www.ited.ed.gov.hk December 2002 For
More informationIn this unit we are going to look at cloud computing. Cloud computing, also known as 'on-demand computing', is a kind of Internet-based computing,
In this unit we are going to look at cloud computing. Cloud computing, also known as 'on-demand computing', is a kind of Internet-based computing, where shared resources, data and information are provided
More informationCloud Essentials for Architects using OpenStack
Cloud Essentials for Architects using OpenStack Course Overview Start Date 5th March 2015 Duration 2 Days Location Dublin Course Code SS15-13 Programme Overview Cloud Computing is gaining increasing attention
More informationManaging SaaS risks for cloud customers
Managing SaaS risks for cloud customers Information Security Summit 2016 September 13, 2016 Ronald Tse Founder & CEO, Ribose For every IaaS/PaaS, there are 100s of SaaS PROBLEM SaaS spending is almost
More informationCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud Services http://www.cloud-council.org/deliverables/cloud-customer-architecture-for-securing-workloads-on-cloud-services.htm Webinar April 19,
More informationWhitepaper. Endpoint Strategy: Debunking Myths about Isolation
Whitepaper Endpoint Strategy: Debunking Myths about Isolation May 2018 Endpoint Strategy: Debunking Myths about Isolation Endpoints are, and have always been, a major cyberattack vector. Attackers, aiming
More informationEllie Bushhousen, Health Science Center Libraries, University of Florida, Gainesville, Florida
Cloud Computing Ellie Bushhousen, Health Science Center Libraries, University of Florida, Gainesville, Florida In the virtual services era the term cloud computing has worked its way into the lexicon.
More informationINFS 214: Introduction to Computing
INFS 214: Introduction to Computing Session 13 Cloud Computing Lecturer: Dr. Ebenezer Ankrah, Dept. of Information Studies Contact Information: eankrah@ug.edu.gh College of Education School of Continuing
More informationBenefits of Cloud Computing
Cloud Computing Deployment Models Public Cloud Systems and services easily accessed by the general public. Less secure. Private Cloud Systems and Services accessed within an organisation. Increased security
More informationEV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE
EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE UtiliNet Europe Cyber Security Workshop Brussels, Belgium Dr. Christian Hille Dr. Manuel Allhoff
More informationALI-ABA Topical Courses ESI Retention vs. Preservation, Privacy and the Cloud May 2, 2012 Video Webcast
21 ALI-ABA Topical Courses ESI Retention vs. Preservation, Privacy and the Cloud May 2, 2012 Video Webcast The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards
More informationWhy the cloud matters?
Why the cloud matters? Speed and Business Impact Expertise and Performance Cost Reduction Trend Micro Datacenter & Cloud Security Vision Enable enterprises to use private and public cloud computing with
More informationProtect Your Organization from Cyber Attacks
Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers
More informationAN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP
AN IPSWITCH WHITEPAPER The Definitive Guide to Secure FTP The Importance of File Transfer Are you concerned with the security of file transfer processes in your company? According to a survey of IT pros
More informationCompTIA Security+ Study Guide (SY0-501)
CompTIA Security+ Study Guide (SY0-501) Syllabus Session 1 At the end of this session, students will understand what risk is and the basics of what it means to have security in an organization. This includes
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationChapter 4. Fundamental Concepts and Models
Chapter 4. Fundamental Concepts and Models 4.1 Roles and Boundaries 4.2 Cloud Characteristics 4.3 Cloud Delivery Models 4.4 Cloud Deployment Models The upcoming sections cover introductory topic areas
More informationAchieving End-to-End Security in the Internet of Things (IoT)
Achieving End-to-End Security in the Internet of Things (IoT) Optimize Your IoT Services with Carrier-Grade Cellular IoT June 2016 Achieving End-to-End Security in the Internet of Things (IoT) Table of
More informationEXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT
EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT FEBRUARY 18, 2016 This engagement was performed in accordance with the Statement of Work, and the procedures were limited to those described
More informationHALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.
HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD Automated PCI compliance anytime, anywhere. THE PROBLEM Online commercial transactions will hit an estimated
More informationCLOUD Virtualization. Certification. Cloud Virtualization. Specialist
CLOUD Virtualization Certification Cloud Virtualization The Cloud Professional (CCP) program from Arcitura is dedicated to excellence in the fields of cloud computing technology, mechanisms, platforms,
More informationCloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com
Cloud Computing Faculty of Information Systems Duc.NHM nhmduc.wordpress.com Evaluating Cloud Security: An Information Security Framework Chapter 6 Cloud Computing Duc.NHM 2 1 Evaluating Cloud Security
More informationIntroduction To Cloud Computing
Introduction To Cloud Computing What is Cloud Computing? Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g.,
More informationWHITE PAPER. Vericlave The Kemuri Water Company Hack
WHITE PAPER Vericlave The Kemuri Water Company Hack INTRODUCTION This case study analyzes the findings of Verizon Security Solutions security assessment of the Kemuri Water Company security breach. The
More informationThreat Modeling. Bart De Win Secure Application Development Course, Credits to
Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,
More informationTHREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda
THREAT MODELING IN SOCIAL NETWORKS Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda INTRODUCTION Social Networks popular web service. 62% adults worldwide use social media 65% of world top companies
More informationConducting Risk Assessment Cloud Provider Perspective
Jonna-Janita Eskelinen Conducting Risk Assessment Cloud Provider Perspective le of the Thesis Helsinki Metropolia University of Applied Sciences Master s Degree Information Technology Master s Thesis 11
More informationSO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY
SO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY www.securelink.net BACKGROUND Macro trends like cloud and mobility change the requirements for endpoint security. Data can
More informationCloud Computing and Service-Oriented Architectures
Material and some slide content from: - Atif Kahn SERVICES COMPONENTS OBJECTS MODULES Cloud Computing and Service-Oriented Architectures Reid Holmes Lecture 29 - Friday March 22 2013. Cloud precursors
More informationWeak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann
Weak Spots Enterprise Mobility Management Dr. Johannes Hoffmann Personal details TÜV Informationstechnik GmbH TÜV NORD GROUP Dr. Johannes Hoffmann IT Security Business Security & Privacy Main focus: Mobile
More informationContents. Contents (ix) Chapter 1 EVOLUTION OF CLOUD COMPUTING. Chapter 2 INTRODUCTION TO CLOUD COMPUTING. (ix)
(ix) Preface... (v) Acknowledgment... (vii) Abbreviations... (xvii) Chapter 1 EVOLUTION OF CLOUD COMPUTING 1.1 Chapter Overview... 1 1.2 Distributed System... 1 1.2.1 Examples of Distributed Systems...
More informationInternational Journal of Computer Engineering and Applications, Volume XIII, Issue II, Feb. 19, ISSN STUDY ON CLOUD COMPUTING
Omkumar R. Badhai, Shreya A. Deo, Snehal B.Satpute, Mansi Agrawal Department of Computer Engineering, Sipna College Of engineering and Technology, Amravati, Sant Gadge Baba Amravati University ABSTRACT:
More informationComputer Security Policy
Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1
More informationTitle: Planning AWS Platform Security Assessment?
Title: Planning AWS Platform Security Assessment? Name: Rajib Das IOU: Cyber Security Practices TCS Emp ID: 231462 Introduction Now-a-days most of the customers are working in AWS platform or planning
More informationCLOUD SECURITY SPECIALIST Certification. Cloud Security Specialist
CLOUD SECURITY SPECIALIST Certification Cloud Security The Cloud Professional (CCP) program from Arcitura is dedicated to excellence in the fields of cloud computing technology, mechanisms, platforms,
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationPrivilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer
Privilege Security & Next-Generation Technology Morey J. Haber Chief Technology Officer mhaber@beyondtrust.com Agenda The Next-Gen Threat Landscape o Infomatics, Breaches & the Attack Chain o Securing
More informationJim Reavis CEO and Founder Cloud Security Alliance December 2017
CLOUD THREAT HUNTING Jim Reavis CEO and Founder Cloud Security Alliance December 2017 A B O U T T H E BUILDING SECURITY BEST PRACTICES FOR NEXT GENERATION IT C L O U D S E C U R I T Y A L L I A N C E GLOBAL,
More informationMoving to computing are auditors ready for the security challenges? Albert Otete CPA CISA ISACA Uganda Workshop
Moving to computing are auditors ready for the security challenges? Albert Otete CPA CISA ISACA Uganda Workshop 10.08.2011 What is computing? Examples of service providers Computing preface Cloud computing
More informationGDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd
GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationWhose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control SESSION ID: CDS-T11 Sheung-Chi NG Senior Security Consulting Manager, APAC SafeNet, Inc. Cloud and Virtualization Are Change the
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationRSA DISTRIBUTED CREDENTIAL PROTECTION
RSA DISTRIBUTED CREDENTIAL PROTECTION There is a security weakness lurking in many of today s best designed systems a primary point of compromise. Think about your own IT operations. Chances are that by
More informationEthical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures, Second Edition
Ethical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures, Second Edition Chapter 7 Hacking Mobile Phones, PDAs, and Handheld Devices Objectives After completing this chapter,
More informationCyber Hygiene: Uncool but necessary. Automate Endpoint Patching to Mitigate Security Risks
Cyber Hygiene: Uncool but necessary Automate Endpoint Patching to Mitigate Security Risks 1 Overview If you analyze any of the recent published attacks, two patterns emerge, 1. 80-90% of the attacks exploit
More informationThe Business of Security in the Cloud
The Business of Security in the Cloud Dr. Pamela Fusco Vice President Industry Solutions Solutionary Inc. CISSP, CISM, CHSIII, IAM, NSA/CSS Adjunct Faculty Promises Promises The promise of cloud computing
More informationRBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5
RBS-2017-001 OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution 2018-03-22 1 of 5 Vendor / Product Information OpenEMR is a Free and Open Source electronic health records and medical
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationRequirements for IT Infrastructure
Requirements for IT Infrastructure This information contained in this document is taken from the NCSC Website directly via: https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure.html
More informationAnnouncements. me your survey: See the Announcements page. Today. Reading. Take a break around 10:15am. Ack: Some figures are from Coulouris
Announcements Email me your survey: See the Announcements page Today Conceptual overview of distributed systems System models Reading Today: Chapter 2 of Coulouris Next topic: client-side processing (HTML,
More informationINFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council
Use of SSL/Early TLS for POS POI Terminal Connections Date: Author: PCI Security Standards Council Table of Contents Introduction...1 Executive Summary...1 What is the risk?...1 What is meant by Early
More informationMOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner
MOBILE SECURITY 2017 SPOTLIGHT REPORT Group Partner Information Security PRESENTED BY OVERVIEW Security and privacy risks are on the rise with the proliferation of mobile devices and their increasing use
More informationMIS5206-Section Protecting Information Assets-Exam 1
Your Name Date 1. Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances? a. Policies b. Standards c. Procedures d. Guidelines
More informationEffective Strategies for Managing Cybersecurity Risks
October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive
More informationContents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5
Contents Is Rumpus Secure? 2 Use Care When Creating User Accounts 2 Managing Passwords 3 Watch Out For Symbolic Links 4 Deploy A Firewall 5 Minimize Running Applications And Processes 5 Manage Physical
More informationRisk Identification: Vulnerability Analysis
Risk Identification: Vulnerability Analysis Vulnerability Analysis Vulnerability flaw or weakness in an info. asset, its design, implementation or security procedure that can be exploited accidentally
More informationStop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico
1 Stop sweating the password and learn to love public key cryptography Chris Streeks Solutions Engineer, Yubico Stop Sweating the Password! 2 Agenda Introduction The modern state of Phishing How to become
More informationjk0-022 Exam Questions Demo CompTIA Exam Questions jk0-022
CompTIA Exam Questions jk0-022 CompTIA Academic/E2C Security+ Certification Exam Voucher Only Version:Demo 1.An attacker used an undocumented and unknown application exploit to gain access to a file server.
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationForensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud
Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud Ezz El-Din Hemdan 1, Manjaiah D.H 2 Research Scholar, Department of Computer Science, Mangalore University,
More informationSoftLayer Security and Compliance:
SoftLayer Security and Compliance: How security and compliance are implemented and managed Introduction Cloud computing generally gets a bad rap when security is discussed. However, most major cloud providers
More informationSecuring the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.
Securing the Smart Grid Understanding the BIG Picture The Power Grid The electric power system is the most capital-intensive infrastructure in North America. The system is undergoing tremendous change
More informationNext Generation Privilege Identity Management
White Paper Next Generation Privilege Identity Management Nowadays enterprise IT teams are focused on adopting and supporting newer devices, applications and platforms to address business needs and keep
More informationControlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:
Page 1 of 6 I. Common Principles and Approaches to Privacy A. A Modern History of Privacy a. Descriptions, definitions and classes b. Historical and social origins B. Types of Information a. Personal information
More informationCUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE
Instructor: Prof Aftab Ahmad Office: NB 612 Telephone No. (212)393-6314 Email Address: aahmad@jjay.cuny.edu Office Hours: By appointment TEXT & REFERENCE MATERIAL Text Notes from instructor posted on Blackboard
More informationAuthentication Security
Authentication Security Hui Zhu Copyright 2005 www.ebizsec.com Agenda Authentication Components Authentication Hacking Consideration for Authentication Security Principle for Authentication Security Case
More informationCLOUD COMPUTING. Lecture 4: Introductory lecture for cloud computing. By: Latifa ALrashed. Networks and Communication Department
1 CLOUD COMPUTING Networks and Communication Department Lecture 4: Introductory lecture for cloud computing By: Latifa ALrashed Outline 2 Introduction to the cloud comupting Define the concept of cloud
More informationCloud Computing and Its Impact on Software Licensing
Cloud Computing and Its Impact on Software Licensing By Gretchen Kwashnik & Jim Cecil January 25, 2012 What is Cloud Computing? Cloud computing is a model for enabling: on-demand network access to a shared
More informationEnterprise Cybersecurity Best Practices Part Number MAN Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationDefense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation
Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client
More informationCloud Computing: Is it safe for you and your customers? Alex Hernandez DefenseStorm
Presentation Title Cloud Computing: Is it safe for you and your customers? Alex Hernandez DefenseStorm Background A career of helping companies integrate new technologies into their existing infrastructure
More informationTOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION
INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security
More informationLEXICON. An introduction to basic cybersecurity terminology and concepts THE (ISC) 2 CYBERSECURITY LEXICON 1
THE CYBERSECURITY LEXICON An introduction to basic cybersecurity terminology and concepts THE (ISC) 2 CYBERSECURITY LEXICON 1 INTRODUCTION (ISC) 2 the world s largest nonprofit membership association of
More informationCLOUD GOVERNANCE SPECIALIST Certification
CLOUD GOVERNANCE SPECIALIST Certification The Cloud Professional (CCP) program from Arcitura is dedicated to excellence in the fields of cloud computing technology, mechanisms, platforms, architecture,
More information