Early Life Cycle Risk Analysis: Planning for Software Assurance
1 Early Life Cycle Risk Analysis: Planning for Software Assurance
Carol Woody, Ph.D.
Software Engineering Institute
2014 Carnegie Mellon University
2 Copyright 2014 Carnegie Mellon University and IEEE This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM
3 Agenda
Introduction
Mission Threads
Evaluating Security Risks
Summary
4 Software Assurance
Mission success for software-reliant systems requires software assurance.
Software assurance: "implementing software with a level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout the life cycle" (Section 933 of National Defense Appropriation Act 2013)
Mission success requires the capability to engineer software assurance into the acquisition and development life cycle.
5 High Security Risk in Software-reliant Systems
Security is not typically engineered into software-reliant systems:
- Engineering focuses on cost, schedule, and functional requirements
- Security decisions can be delayed to later life-cycle activities
- Security controls are mandated (passwords, encryption, etc.) instead of security requirements
Primary causes of operational security vulnerabilities:
- Design weaknesses
- Implementation/coding vulnerabilities
- System configuration errors
Design weaknesses are not easily addressed during operations.
379 of the 940 common weakness enumerations (CWEs) are design weaknesses; 19 of the top 25 are linked to design weaknesses.
6 Example Design Weakness: Wireless Emergency Alerts (WEA) Spoofing Attack
Threat: An outside attacker with malicious intent gets a WEA certificate through social engineering and sends a WEA alert intended to incite panic in a crowd.
Consequence: Health, safety, legal, financial, and reputation consequences could result.
Attack:
1. Threat actor performs social engineering to get certificate.
2. Threat actor develops illegitimate wireless alert.
3. Threat actor sends illegitimate wireless alert to IPAWS-OPEN gateway.
4. IPAWS-OPEN gateway sends illegitimate wireless alert through WEA pipeline.
5. Recipients receive illegitimate wireless alert and take action.
Mitigation: Confirm intent to send message with Alert Originator.
7 Primary Causes of Design Weaknesses
- Poor, incomplete, or non-existent security requirements
- Failure to consider security impacts beyond an individual system
- Failure to evaluate mission dependencies on multi-system interactions
8 Primarily Focused on Data Security (Information Assurance)
Information Assurance:
- Manage risks related to the use, processing, storage, and transmission of data.
- Enforce security policies; control and audit access.
- Protect data; encrypt communications and data stores.
From TACP-M VCS TRD dated January
9 Software Assurance Focuses on Mission Success
Mission success requires acceptable software behavior over a spectrum of operational conditions, including attacker-created events. Software assurance methods support this objective.
From TACP-M VCS TRD dated January
10 Current Practice for Early Life Cycle Security Risk
- Identification techniques are ad hoc
- Notation for expressing a security event/risk is incomplete
- Approaches rely on software engineers' tacit knowledge of operational context and security risks
- Risk analysis is focused on a single system
Single system scope:
- Standalone (i.e., single system) models have been developed
- Risk analysis considers the exploit of an individual vulnerability within a single system
Security risk identification techniques do not consider:
- Compositions of multiple vulnerabilities
- Cross-system security events/risks
- Impacts beyond the exploit of a single system (to the mission and organization)
11 Agenda
Introduction
Mission Threads
Evaluating Security Risks
Summary
12 Mission Threads
Establish functioning as intended for the mission, then look for ways things can go wrong and make sure mitigations are sufficient.
Analysis Framework Process:
1. Identify a critical mission thread.
2. Define successful completion for the mission.
3. Describe critical steps required to complete the mission process (end to end): sequenced activities, participants, and technology.
4. Define ways that execution can be compromised at each critical step (execution failure, attack, etc.).
5. Evaluate the effectiveness of response and recovery.
13 Example: Mission Thread for WEA (diagram)
14 Example: Mission Thread Steps for WEA AOS
Step | Supporting Technologies
Alert Originating System (AOS) operator attempts to log on to the AOS. | Server (valid accounts/authentication information); Logon application; Communications between logon software/server/AOS
AOS logon activates auditing of the operator's session. | Auditing application; Communications from accounts to auditing application; Local/remote storage devices
AOS converts message to Common Alerting Protocol (CAP) compliant format. | Conversion application
AOS transmits message to the IPAWS-OPEN Gateway. | Application that securely connects to IPAWS-OPEN; AOS and IPAWS-OPEN
15 Mission Step Failure Analysis (diagram)
Previous Step -> Mission Step (Required) -> Next Step
Inputs to the step: People Involved; Resources; Coordination across multiple systems
Execution: Manual Intervention / Automatic
Can the system adapt if not all expected conditions are met?
For each step: Sources for failures; Mission impact; Recovery options
16 Identifying Threats using STRIDE
Threat modeling tool used by Microsoft to help non-security experts consider security issues.
Threat | Property we want
Spoofing | Authentication
Tampering | Integrity
Repudiation | Nonrepudiation
Information Disclosure | Confidentiality
Denial of Service | Availability
Elevation of Privilege | Authorization
17 Example: Security Analysis of Mission Step
Step: AOS operator attempts to log on to the alert origination system.
Technology and People:
- One person
- Server (valid accounts/authentication information)
- Logon procedure
- Logon application
- Username/password data in database
- Communications between logon software/server/AOSP
STRIDE Threat Identification Examples [1]:
- S: Unidentified individual attempts to logon with AOSP operator's information
- T: (none identified)
- R: AOSP operator denies having logged on
- I: Capture of logon info using key logger or packet sniffer
- D: AOSP operator's account not registered / servers are down
- E: Successful log on by an unidentified and unauthorized individual
[1] S: Spoofing; T: Tampering with data; R: Repudiation; I: Information disclosure; D: Denial of service; E: Elevation of privilege.
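The worksheet on this slide (and step 4 of the Analysis Framework Process on slide 12, "define ways that execution can be compromised at each critical step") can be kept in a structured form so that an analyst can tell which STRIDE categories have not been considered for a step at all, which were examined with nothing found, and which security properties from the STRIDE table are at risk. The following is an added example, not material from the deck or from SEI; the class and function names are my own, and the sample step is the AOS logon step transcribed from the slide.

```python
from dataclasses import dataclass, field

# STRIDE category -> (threat name, security property it undermines),
# taken from the STRIDE table on slide 16.
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Nonrepudiation"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}


@dataclass
class MissionStep:
    """One critical step of a mission thread plus its STRIDE worksheet (hypothetical model)."""
    number: int
    description: str
    technology_and_people: list[str]
    # STRIDE letter -> threats identified for this step. A key mapping to an
    # empty list means the category was examined and "(none identified)";
    # a missing key means the category has not been considered yet.
    threats: dict[str, list[str]] = field(default_factory=dict)

    def add_threat(self, category: str, text: str) -> None:
        if category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {category!r}")
        self.threats.setdefault(category, []).append(text)

    def none_identified(self, category: str) -> None:
        """Record that the category was examined and no threat was found."""
        if category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {category!r}")
        self.threats.setdefault(category, [])


def unconsidered_categories(step: MissionStep) -> list[str]:
    """STRIDE categories the analyst has not yet addressed for this step."""
    return [c for c in STRIDE if c not in step.threats]


def properties_at_risk(step: MissionStep) -> set[str]:
    """Security properties undermined by at least one identified threat."""
    return {STRIDE[c][1] for c, items in step.threats.items() if items}


def render_worksheet(step: MissionStep) -> str:
    """Plain-text rendering in the layout of the slide's worksheet."""
    lines = [f"Step {step.number}: {step.description}",
             "Technology and People: " + "; ".join(step.technology_and_people),
             "STRIDE Threat Identification:"]
    for c, (name, prop) in STRIDE.items():
        if c not in step.threats:
            entry = "(not yet considered)"
        elif not step.threats[c]:
            entry = "(none identified)"
        else:
            entry = " | ".join(step.threats[c])
        lines.append(f"  {c} ({name}, {prop}): {entry}")
    return "\n".join(lines)


def logon_step() -> MissionStep:
    """Sample step transcribed from the slide's AOS logon example."""
    step = MissionStep(
        number=1,
        description="AOS operator attempts to log on to the alert origination system.",
        technology_and_people=[
            "One person", "Server (valid accounts/authentication information)",
            "Logon procedure", "Logon application",
            "Username/password data in database",
            "Communications between logon software/server/AOSP",
        ],
    )
    step.add_threat("S", "Unidentified individual attempts to logon with AOSP operator's information")
    step.none_identified("T")
    step.add_threat("R", "AOSP operator denies having logged on")
    step.add_threat("I", "Capture of logon info using key logger or packet sniffer")
    step.add_threat("D", "AOSP operator's account not registered / servers are down")
    step.add_threat("E", "Successful log on by an unidentified and unauthorized individual")
    return step


if __name__ == "__main__":
    s = logon_step()
    print(render_worksheet(s))
    print("Properties at risk:", sorted(properties_at_risk(s)))
```

The distinction between a missing key and an empty list is the point: a worksheet row left blank is a gap in the analysis, while "(none identified)" is a recorded decision that can be reviewed later when the step's technology changes.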
18 Agenda
Introduction
Mission Threads
Evaluating Security Risks
Summary
19 Security Engineering Risk Analysis (SERA)
Mission Threads
1. Establish operational context. (Mission Thread Worksheet)
2. Identify risk. (Risk Identification Worksheet)
3. Analyze risk. (Risk Evaluation Criteria; Risk Analysis Worksheet)
4. Determine control approach. (Control Approach Worksheet)
5. Develop control plan. (Control Plan Worksheet)
20 Multi-System Mission Security Risk Framework
Threat Identification Models: Use-Case View; Data View; Workflow View; Stakeholder View; Network View; Physical View
Consequence Analysis Models: Workflow Consequences; Stakeholder Consequences
Use-Case View (Use Case Scenario)
Step | Actor and Action | Data Items involved | Technology | Security Controls/Relevant Standards and Regulations
1 | AOS operator logs on to the AOS using account and authentication information. [Note: operator log on and session auditing (next step) are performed by team at start of shift] | Authentication information; Account information | AO Desktop; AOS Client; Server; USB? | Firewall; User authentication; Procedures
2 | AOS logon activates auditing of the AOS operator's session, starting the session log. | Session log; Backup of session log | Session log software; Server |
3 | AOS operator enters the approved alert message (text and optional audio/visual) including the relevant command: alert, cancel, or update message with status of actual (1), indicating this is an actual alert or command. [also includes the distribution channels via FEMA, of which wireless is the only relevant channel, and the actual geographic distribution for the alert] | Alert message; Command (which is incorporated into CAP-compliant message); Session log data record of input and all the sources it went to (in addition to wireless) | Alert scripts | Procedures
4 | AOS converts alert message to CAP-compliant format. | Alert message (original format, text piece); Alert message in CAP-compliant format; Backup or saved version of CAP-compliant message; Session log data | AOS Database server; AOS server |
5 | AOS transmits alert message to the IPAWS-OPEN Gateway. | Alert message (CAP-compliant format); Session log data; IPAWS certificate | |
6 | IPAWS-OPEN Gateway verifies (2) alert message using authentication information and logs the receipt of message in IPAWS log. | Status message; Alert message; Authentication information; IPAWS log | Message validation scripts |
7 | AOS operator pulls the IPAWS receipt status from IPAWS log. | IPAWS log/IPAWS Receipt Status | | Procedures for checking IPAWS log
(1) Other status values include test and system. Test will be addressed in another use case.
(2) In this table, message verification includes authenticating the message and ensuring that it is in the correct format.
Data View (Data Requirements)
Data Element | Form | Confidentiality | Integrity | Availability
Initiator alert request | Verbal or Electronic | There are no restrictions on who can view this data element. (public data) | The data element must be correct and complete. (high data integrity) | This data element must be available when needed. (high availability)
Alert message content | Verbal, Electronic, or Physical | There are no restrictions on who can view this data element. (public data) | The data element must be correct and complete. (high data integrity) | This data element must be available when needed. (high availability)
CAP-compliant alert message | Electronic | There are no restrictions on who can view this data element. (public data) | The data element must be correct and complete. (high data integrity) | This data element must be available when needed. (high availability)
IPAWS certificate | Electronic | Only authorized people can view this data element. (sensitive but unclassified) | The data element must be correct and complete. (high data integrity) | This data element must be available when needed. (high availability)
IPAWS receipt status | Electronic | There are no restrictions on who can view this data element. (public data) | The data element must be correct and complete. (high data integrity) | No availability requirement for this data element.
Stakeholder View (diagram): Initiator (e.g., First Responder) -> Alert Originator (AO) -> Federal Emergency Management Agency (FEMA) -> Commercial Mobile Service Providers (CMSP) -> Recipients
Stakeholder | Mission Interest
First responders | Get content to the AOS operator within a required timeframe
AOS operators | Enter alert message into AOS in the required timeframe
AO managers | Maintain their organization's authority to operate, including applying for and maintaining certificate for their AOS
FEMA | Transmit alert messages to CMSP within a required timeframe and maintain trust in WEA and the overall emergency alert system
CMSP | Get alert messages to their customers as rapidly as possible without adversely affecting customer satisfaction
Recipients (residents of given area covered by WEA) | Receive and act on wireless alert messages in the area where they reside; indirectly provide funding to the AO funding source
Recipients (transient population visiting an area) | Receive and act on wireless alert messages within the given area covered by the AO
Providers and maintainers of AOS | Maintain trust in the services provided and in the security of their equipment
AO funding source (e.g., government) | Provide funding to operate the WEA service
AO community | Promote the value of the WEA service. Share information related to the WEA service (e.g., problems, lessons learned)
Workflow View / Network View (diagram): Threat Actor -> Motive -> Attack -> Outcome -> Consequences (Workflow Consequences; Stakeholder Consequences)
Attack Library
Attack Type | Attack Action | Potential Damage | Candidate Mitigation Requirements
External Attack | An external attacker spoofs a legitimate user of the system and enters false information into the system. | Incorrect information is processed by the system. (Integrity) | Implement mechanisms to authenticate users.
Communication Failure | The primary communication channel for the system fails (e.g., unavailable internet service provider). | The system cannot transmit data to other systems. (Availability) | Implement a backup communication channel that is not redundant with the primary communication channel.
Insider Attack | An insider destroys important information on the system. | Important information is deleted or destroyed. (Availability) | Perform periodic backups of system data. Recover lost data from latest backup.
Insider Attack | An insider modifies or changes system information. | Incorrect information is processed by the system. (Integrity) | Perform periodic backups of system data. Recover lost data from latest backup.
Insider Attack | An insider enters false information into the system. | Incorrect information is processed by the system. (Integrity) | Perform periodic backups of system data. Recover lost data from latest backup.
Eavesdropping | An attacker installs a sniffer on the network (i.e., an application or device that can read, monitor, and capture network data exchanges and read network packets). Network communications occur in an unsecured or "cleartext" format, which allows an attacker who has gained access to data paths in the network to "listen in" or interpret (read) the traffic sent by the system. | System information is collected by the attacker. (Confidentiality) | Implement encryption to protect network communication.
Repudiation | An insider denies taking an action. [This action can be coupled with other insider actions.] | --- | Implement monitoring and logging mechanisms to keep track of users' actions.
Elevated Privileges | An insider has been granted access to more information and services than he or she needs. [This action can be coupled with other insider actions.] | --- | Implement mechanisms to control access to information and services based on role. Use access control mechanisms to restrict access to information and services based on role.
Physical View (diagram): Action 1 Vulnerabilities; Action 2 Vulnerabilities; Action 3 Vulnerabilities; Action 4 Vulnerabilities; ... Action N Vulnerabilities
The framework provides:
- Defined semantics for expressing a security event/risk
- Library of attack primitives to support threat identification
- Models to support threat identification
- Models to support consequence analysis
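The Data View and the Attack Library above combine naturally in consequence analysis: an attack only produces a consequence for a data element if the element actually carries a requirement on the property the attack damages. The following is an added example, not material from the deck or from SEI; the function names are my own, and the two tables are transcribed from the slide. It shows why eavesdropping on the CAP-compliant alert message (public data) violates no requirement while eavesdropping on the IPAWS certificate (sensitive but unclassified) does, and why a communication failure during step 7 matters less than during step 5, since the receipt status has no availability requirement. The Repudiation and Elevated Privileges rows, whose potential damage is "---" on the slide, are treated as damaging no property directly, matching the slide's note that they are coupled with other insider actions.

```python
# Data View: requirement placed on each data element, transcribed from the
# slide's Data Requirements table. "public" and "none" mean no requirement.
DATA_REQUIREMENTS = {
    "Initiator alert request":     {"C": "public",    "I": "high", "A": "high"},
    "Alert message content":       {"C": "public",    "I": "high", "A": "high"},
    "CAP-compliant alert message": {"C": "public",    "I": "high", "A": "high"},
    "IPAWS certificate":           {"C": "sensitive", "I": "high", "A": "high"},
    "IPAWS receipt status":        {"C": "public",    "I": "high", "A": "none"},
}
NO_REQUIREMENT = {"public", "none"}

# Attack Library: attack type -> (property damaged, candidate mitigation
# requirement), transcribed from the slide. The three Insider Attack rows are
# given distinguishing suffixes so they can be keyed separately.
ATTACK_LIBRARY = {
    "External Attack": ("I", "Implement mechanisms to authenticate users."),
    "Communication Failure": ("A", "Implement a backup communication channel that is not "
                                   "redundant with the primary communication channel."),
    "Insider Attack (destroys information)": ("A", "Perform periodic backups of system data. "
                                                   "Recover lost data from latest backup."),
    "Insider Attack (modifies information)": ("I", "Perform periodic backups of system data. "
                                                   "Recover lost data from latest backup."),
    "Insider Attack (enters false information)": ("I", "Perform periodic backups of system data. "
                                                       "Recover lost data from latest backup."),
    "Eavesdropping": ("C", "Implement encryption to protect network communication."),
    # "---" potential damage on the slide: no property damaged on its own.
    "Repudiation": (None, "Implement monitoring and logging mechanisms to keep track of users' actions."),
    "Elevated Privileges": (None, "Implement mechanisms to control access to information "
                                  "and services based on role."),
}


def has_requirement(element: str, prop: str) -> bool:
    """True if the Data View places a requirement on the element for property C, I or A."""
    try:
        level = DATA_REQUIREMENTS[element][prop]
    except KeyError as exc:
        raise ValueError(f"no data requirement recorded for {element!r}") from exc
    return level not in NO_REQUIREMENT


def affected_elements(attack: str, elements: list[str]) -> list[str]:
    """Elements (in the given order) whose requirement the attack's damage would violate."""
    prop, _ = ATTACK_LIBRARY[attack]
    if prop is None:
        return []
    return [e for e in elements if has_requirement(e, prop)]


def consequence_worksheet(step_elements: list[str]) -> dict[str, list[str]]:
    """Attack type -> affected elements, for attacks that violate at least one requirement."""
    result: dict[str, list[str]] = {}
    for attack in ATTACK_LIBRARY:
        hit = affected_elements(attack, step_elements)
        if hit:
            result[attack] = hit
    return result


def candidate_mitigations(step_elements: list[str]) -> list[str]:
    """Deduplicated candidate mitigation requirements for the attacks that matter in this step."""
    seen: list[str] = []
    for attack in consequence_worksheet(step_elements):
        req = ATTACK_LIBRARY[attack][1]
        if req not in seen:
            seen.append(req)
    return seen


if __name__ == "__main__":
    # Use-case step 5 (AOS transmits alert to IPAWS-OPEN) and step 7 (operator
    # pulls the receipt status); only elements present in the Data View are listed.
    for step, elems in ((5, ["CAP-compliant alert message", "IPAWS certificate"]),
                        (7, ["IPAWS receipt status"])):
        print(f"Step {step}: {consequence_worksheet(elems)}")
        print("  candidate mitigation requirements:", candidate_mitigations(elems))
```

Elements that appear in the use-case table but not in the Data View (for example "Session log data") raise an error rather than silently counting as unprotected; in a real worksheet that is the cue to add a row to the Data View before continuing the analysis.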
21 Security Risk Components: Threat, Consequence, Enablers
22 Task 1: Mission Thread for WEA (diagram)
23 Example: AOS Network Topology (diagram)
24 Example: AO Computer Room Physical Layout (diagram)
Labels: AOS Clients; AO Servers; AO Desktop with AOS management capability; AO Manager's Office; Mobile AO capability; Hotline with initiators; AO Operator Room; AO Desktops; AO Server Room; AO System Administration Computer; AO System Administrator's Office
Notes: Keypad access is required for entry. Door can be locked using physical key. The door to the server room is open during business hours. A physical key is required for entry outside of business hours.
25 Task 2: Example Threat
An outside attacker with malicious intent obtains a valid certificate and uses it to send an illegitimate CAP-compliant message that sends people to a dangerous location.
Threat components:
- Actor: a person with an outsider's knowledge of the organization
- Motive: malicious intent
- Action: the actor obtains a valid certificate and uses it to send an illegitimate CAP-compliant message that sends people to a dangerous location
26 Example: Enablers
- A valid certificate could be captured by an attacker. Certificates are sent to recipients in encrypted email. This is replicated in many locations, including computers of recipients, email servers, email server/recipient computer back-ups, and off-site storage of backup tapes.
- The attacker could compromise the Emergency Operations Center or vendor to gain access to the certificate (e.g., through social engineering).
- Limited control over the distribution and use of certificates could enable an attacker to obtain access to a certificate.
- Unencrypted certificates could be stored on recipients' systems.
- Management of certificates is performed manually.
27 Example: Threat Sequence
1. The threat actor performs reconnaissance to determine who to target for social engineering.
2A. The threat actor obtains an AOS certificate from an employee at the AO (through social engineering). The employee provides an electronic copy of the certificate to the threat actor.
2B. The threat actor finds information about constructing CAP-compliant messages from public documents.
3. The threat actor creates an illegitimate CAP-compliant message intended to incite panic in a crowd that a bomb is about to explode in their location (e.g., an alert message of a bomb in Times Square on New Year's Eve).
4. The threat actor sends the illegitimate CAP-compliant message and certificate to the IPAWS-OPEN gateway.
28 Example: Workflow Consequences
Threat: An outside attacker with malicious intent gets a WEA certificate through social engineering and sends a WEA alert intended to incite panic in a crowd.
1. IPAWS-OPEN processes the alert and forwards it to commercial mobile service providers.
2. Commercial mobile service providers distribute the message to people's smart phones.
3. People receive and read the illegitimate alert on their smart phones.
29 Example: Stakeholder Consequences
Recipients:
- Some people will ignore the message and take no action.
- Some people will believe the message, panic, and decide to leave the area.
- People could be put in harm's way, leading to injuries and death.
Alert Originators:
- Alert originators could be held liable for damages.
- The reputations of alert originators could be damaged.
FEMA:
- The reputation of WEA could be damaged.
- Alert originators could decide not to use WEA.
Commercial Mobile Service Providers (CMSP):
- The reputation of service providers could be damaged.
Alert Originators/FEMA/Commercial Mobile Service Providers:
- Future attacks could become more likely (i.e., copy-cat attacks).
30 Example: Mitigation Option
Threat: An outside attacker with malicious intent gets a WEA certificate through social engineering and sends a WEA alert intended to incite panic in a crowd.
Mitigation: Confirm intent to send message with Alert Originator.
Workflow: IPAWS-OPEN processes the alert and forwards it to commercial mobile service providers. Commercial mobile service providers distribute the message to people's smart phones. People receive and read the illegitimate alert on their smart phones.
31 Security Engineering Risk Analysis (SERA)
1. Establish operational context. (Mission Thread Worksheet)
2. Identify risk. (Risk Identification Worksheet)
3. Analyze risk. (Risk Evaluation Criteria; Risk Analysis Worksheet)
4. Determine control approach. (Control Approach Worksheet)
5. Develop control plan. (Control Plan Worksheet)
32 Task 3: Analyze Risk
Each risk is analyzed in relation to predefined criteria.
Sub-tasks:
- Establish probability.
- Establish impact.
- Determine risk exposure.
33 Probability Criteria
Value | Definition
Frequent (5) | The scenario occurs on numerous occasions or in quick succession. It tends to occur quite often or at close intervals.
Likely (4) | The scenario occurs on multiple occasions. It tends to occur reasonably often, but not in quick succession or at close intervals.
Occasional (3) | The scenario occurs from time to time. It tends to occur once in a while.
Remote (2) | The scenario can occur, but it is not likely to occur. It has "an outside chance" of occurring.
Rare (1) | The scenario infrequently occurs and is considered to be uncommon or unusual. It is not frequently experienced.
Context/Guidelines/Examples (frequency examples from the table's third column): one time per month (12 / year); ~ one time per 6 months (~ 2 / year); one time every 3 years (.33 / year)
34 Impact Criteria
Value | Definition
Maximum (5) | The impact on the organization is severe. Damages are extreme in nature. Mission failure has occurred. Stakeholders will lose confidence in the organization and its leadership. The organization either will not be able to recover from the situation, or recovery will require an extremely large investment of capital and resources. Either way, the future viability of the organization is in doubt.
High (4) | The impact on the organization is large. Significant problems and disruptions are experienced by the organization. As a result, the organization will not be able to achieve its current mission without a major re-planning effort. Stakeholders will lose some degree of confidence in the organization and its leadership. The organization will need to reach out to stakeholders aggressively to rebuild confidence. The organization should be able to recover from the situation in the long run. Recovery will require a significant investment of organizational capital and resources.
Medium (3) | The impact on the organization is moderate. Several problems and disruptions are experienced by the organization. As a result, the organization will not be able to achieve its current mission without some adjustments to its plans. The organization will need to work with stakeholders to ensure their continued support. Over time, the organization will be able to recover from the situation. Recovery will require a moderate investment of organizational capital and resources.
Low (2) | The impact on the organization is relatively small, but noticeable. Minor problems and disruptions are experienced by the organization. The organization will be able to recover from the situation and meet its mission. Recovery will require a small investment of organizational capital and resources.
Minimal (1) | The impact on the organization is negligible. Any damages can be accepted by the organization without affecting operations or the mission being pursued. No stakeholders will be affected. Any costs incurred by the organization will be incidental.
35 Risk Exposure Matrix
Impact \ Probability | Rare (1) | Remote (2) | Occasional (3) | Probable (4) | Frequent (5)
Maximum (5) | Medium (3) | Medium (3) | High (4) | Maximum (5) | Maximum (5)
High (4) | Low (2) | Low (2) | Medium (3) | High (4) | Maximum (5)
Medium (3) | Minimal (1) | Low (2) | Low (2) | Medium (3) | High (4)
Low (2) | Minimal (1) | Minimal (1) | Minimal (1) | Low (2) | Medium (3)
Minimal (1) | Minimal (1) | Minimal (1) | Minimal (1) | Minimal (1) | Low (2)
36 Task 4: Determine Control Approach
A strategy for controlling each risk is determined based on:
- Predefined criteria
- Current constraints (e.g., resources and funding available for control activities)
Control approaches for security risks include:
- Accept: If a risk occurs, its consequences will be tolerated.
- Transfer: A risk is shifted to another party (e.g., through insurance or outsourcing).
- Avoid: Activities are restructured to eliminate the possibility of a risk occurring.
- Mitigate: Actions are implemented in an attempt to reduce or contain a risk.
Sub-tasks:
- Prioritize risks.
- Select control approach.
37 Example: Risk Spreadsheet with Control Approach
ID | Risk Statement | Impact | Prob | Risk Exp | Control Approach
1 | If an outside attacker with malicious intent obtains a valid certificate and uses it to send an illegitimate CAP-compliant message that directs people to a dangerous location, then health, safety, legal, financial, and reputation consequences could result. | High-Max | Rare | Low-Med | Mitigate
3 | If an insider with malicious intent spoofs the identity of a colleague and sends an illegitimate CAP-compliant message, then individual and organizational reputation consequences could result. | Med | Rare-Remote | Min-Low | Mitigate
2 | If malicious code prevents an operator from entering an alert into the Alert Originating System (AOS), then health, safety, legal, financial, and productivity consequences could result. | Low-Med | Remote | Min-Low | Mitigate
4 | If the internet communication channel for the AOS is unavailable due to a cybersecurity attack on the internet service provider, then health and safety consequences could result. | Low-Med | Remote | Min-Low | Mitigate
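The spreadsheet's Risk Exp column is derived from the Probability Criteria, Impact Criteria and Risk Exposure Matrix on slides 33 to 35, and the ratings are often given as ranges ("High-Max", "Rare-Remote"). The following is an added example, not material from the deck or from SEI, that encodes the matrix as printed and reproduces the four exposure values in the spreadsheet; the range convention used (lowest and highest cell over the rectangle the two ranges cover) and the class and function names are my own assumptions. The matrix slide labels probability level 4 "Probable" while the criteria slide calls it "Likely"; the example accepts both names for the same value.

```python
from dataclasses import dataclass

# Rating scales from the Probability and Impact Criteria slides. "Probable"
# and "Likely" both denote level 4 (the two slides use different labels).
PROBABILITY = {"Rare": 1, "Remote": 2, "Occasional": 3, "Probable": 4, "Likely": 4, "Frequent": 5}
IMPACT = {"Minimal": 1, "Low": 2, "Medium": 3, "High": 4, "Maximum": 5}
LEVEL_NAME = {1: "Minimal", 2: "Low", 3: "Medium", 4: "High", 5: "Maximum"}
LEVEL_VALUE = {name: value for value, name in LEVEL_NAME.items()}

# Risk Exposure Matrix, transcribed from the slide: key = impact value,
# list = exposure values for probability 1 (Rare) .. 5 (Frequent).
MATRIX = {
    5: [3, 3, 4, 5, 5],
    4: [2, 2, 3, 4, 5],
    3: [1, 2, 2, 3, 4],
    2: [1, 1, 1, 2, 3],
    1: [1, 1, 1, 1, 2],
}


def exposure(impact: str, probability: str) -> str:
    """Risk exposure for a single impact/probability cell."""
    return LEVEL_NAME[MATRIX[IMPACT[impact]][PROBABILITY[probability] - 1]]


def exposure_range(impact: tuple[str, str], probability: tuple[str, str]) -> tuple[str, str]:
    """Exposure when impact and/or probability are given as ranges: the lowest and
    highest cell values over the rectangle of cells the two ranges cover (assumed
    convention; it reproduces the spreadsheet's Low-Med and Min-Low entries)."""
    i_lo, i_hi = sorted(IMPACT[i] for i in impact)
    p_lo, p_hi = sorted(PROBABILITY[p] for p in probability)
    cells = [MATRIX[i][p - 1] for i in range(i_lo, i_hi + 1) for p in range(p_lo, p_hi + 1)]
    return LEVEL_NAME[min(cells)], LEVEL_NAME[max(cells)]


@dataclass
class Risk:
    """One row of the risk spreadsheet (hypothetical model)."""
    id: int
    statement: str
    impact: tuple[str, str]
    probability: tuple[str, str]
    control_approach: str  # Accept, Transfer, Avoid, or Mitigate


def risk_exposure(r: Risk) -> tuple[str, str]:
    return exposure_range(r.impact, r.probability)


def needs_control_plan(r: Risk) -> bool:
    """Task 5: a control plan is required for every risk that is not accepted."""
    return r.control_approach != "Accept"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest exposure first; ties broken by the low end of the range, then by input order."""
    def key(r: Risk) -> tuple[int, int]:
        lo, hi = risk_exposure(r)
        return (-LEVEL_VALUE[hi], -LEVEL_VALUE[lo])
    return sorted(risks, key=key)


def sample_risks() -> list[Risk]:
    """The four risks from the slide's spreadsheet, with the ratings printed there."""
    return [
        Risk(1, "Outside attacker obtains a valid certificate and sends an illegitimate CAP-compliant message",
             ("High", "Maximum"), ("Rare", "Rare"), "Mitigate"),
        Risk(2, "Malicious code prevents an operator from entering an alert into the AOS",
             ("Low", "Medium"), ("Remote", "Remote"), "Mitigate"),
        Risk(3, "Insider spoofs a colleague's identity and sends an illegitimate CAP-compliant message",
             ("Medium", "Medium"), ("Rare", "Remote"), "Mitigate"),
        Risk(4, "Internet channel for the AOS unavailable due to an attack on the ISP",
             ("Low", "Medium"), ("Remote", "Remote"), "Mitigate"),
    ]


if __name__ == "__main__":
    for r in prioritize(sample_risks()):
        lo, hi = risk_exposure(r)
        print(f"{r.id}: exposure {lo}-{hi}, {r.control_approach}, control plan needed: {needs_control_plan(r)}")
```

Because the matrix is monotone in both axes, the range convention always lands on the two corner cells, but computing over the whole rectangle keeps the function correct if a revised matrix is not monotone. The control approach itself is left as an input: the slide says it is chosen from predefined criteria and current constraints, which the deck does not spell out.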
38 Task 5: Develop Control Plan
A control plan is defined and documented for all security risks that are not accepted (i.e., risks that will be mitigated, transferred, or avoided).
Sub-tasks:
- Review data.
- Establish control requirements.
39 Establish Control Requirements
Transfer: What can be done to transfer the risk? How can the risk be shifted to another party? How will you know that the transfer works? Will you be adversely affected if the other party ignores the transfer?
Avoid: What can be done to avoid the risk? How can activities be restructured [or requirements altered] to eliminate the possibility of the risk occurring?
Mitigate: What can be done to mitigate the risk? Which actions can be implemented to reduce or contain the risk? Mitigation types: Monitor and Respond; Protect/Resist; Recover
40 Agenda
Introduction
Mission Threads
Evaluating Security Risks
Summary
41 SERA: Key Points
- Provides decision makers with the information they need, when they need it, in a usable form
- Assesses operational security risks early in the software life cycle: requirements, architecture, design
- Applies structured, systematic risk analysis to handle the complex nature of security risk
- Identifies and addresses design weaknesses early in the life cycle
42 Summary
Mission Threads value:
- Provides a connection between technology and mission
- Provides visibility for mission dependencies on actions across systems and components that are independently designed and developed to optimize local needs
- Supports failure identification and mission impact analysis of interacting systems and components
Security Risk Analysis:
- Identifies gaps in system requirements through the evaluation of potential mission failure and needed mitigations
- Provides a communication structure among system engineers, software engineers, stakeholders, and security experts
- Helps management understand the value in planning for security attacks
- Provides a structure for evaluating various mitigation options (recognize, resist, recover)
43 Publications and Resources
- Cyber Security Engineering (CSE) Team Web Page
- Woody, C., "Mission Thread Security Analysis: A Tool for Systems Engineers to Characterize Operational Security Behavior," INCOSE/INSIGHT, July 2013, Vol. 16, Issue 2
- Ellison, R. & Woody, C., Survivability Analysis Framework, CMU/SEI-2010-TN-013. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University
- Alberts, Christopher & Dorofee, Audrey. Mission Risk Diagnostic (MRD) Method Description (CMU/SEI-2012-TN-005). Software Engineering Institute, Carnegie Mellon University
44 Contact Information Carol Woody (412) Web Resources (CERT/SEI)
45 Acronyms
- AO: Alert Originator
- AOS: Alert Originating System
- AOSP: Alert Originator Service Provider
- CAP: Common Alerting Protocol (emergency alert message format)
- CMAC: Cipher-based MAC, used for block-cipher-based message authentication protocols
- CMSP: Commercial Mobile Service Provider
- FEMA: Federal Emergency Management Agency
- IPAWS-OPEN: Gateway for Federal emergency alert input
- SERA: Security Engineering Risk Analysis
- STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege (threat model)
- WEA: Wireless Emergency Alerts
For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission
More informationCyberspace : Privacy and Security Issues
Cyberspace : Privacy and Security Issues Chandan Mazumdar Professor, Dept. of Computer Sc. & Engg Coordinator, Centre for Distributed Computing Jadavpur University November 4, 2017 Agenda Cyberspace Privacy
More informationAnalyzing 24 Years of CVD
public release and unlimited distribution. Allen Householder adh@cert.org Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright. All Rights Reserved. This material is
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationComponents and Considerations in Building an Insider Threat Program
Components and Considerations in Building an Insider Threat Program Carly Huth Insider Threat Researcher, CEWM Carly L. Huth is an insider threat researcher in the Cyber Enterprise and Workforce Management
More informationSEI/CMU Efforts on Assured Systems
Unclassified//For Official Use Only SEI/CMU Efforts on Assured Systems 15 November 2018 *** Greg Shannon CERT Division Chief Scientist Software Engineering Institute Carnegie Mellon University Pittsburgh,
More information2013 US State of Cybercrime Survey
2013 US State of Cybercrime Survey Unknown How 24 % Bad is the Insider Threat? Insiders 51% 2007-2013 Carnegie Mellon University Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting
More information1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010
Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationISO/IEC Common Criteria. Threat Categories
ISO/IEC 15408 Common Criteria Threat Categories 2005 Bar Biszick-Lockwood / QualityIT Redmond, WA 2003 Purpose This presentation introduces you to the threat categories contained in ISO/IEC 15408, used
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationGoal-Based Assessment for the Cybersecurity of Critical Infrastructure
Goal-Based Assessment for the Cybersecurity of Critical Infrastructure IEEE HST 2010 November 10, 2010 NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationEthics and Information Security. 10 주차 - 경영정보론 Spring 2014
Ethics and Information Security 10 주차 - 경영정보론 Spring 2014 Ethical issue in using ICT? Learning Outcomes E-policies in an organization relationships and differences between hackers and viruses relationship
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationCybersecurity: Incident Response Short
Cybersecurity: Incident Response Short August 2017 Center for Development of Security Excellence Contents Lesson 1: Incident Response 1-1 Introduction 1-1 Incident Definition 1-1 Incident Response Capability
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationSecurity Solutions. Overview. Business Needs
Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.
More informationIoT & SCADA Cyber Security Services
RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationDr. Kenneth E. Nidiffer Director of Strategic Plans for Government Programs
War Fighting Technologies: Enhance Advance - Modernize: -Technological/Acquisition Advances Enabling a More Responsive 24th Anniversary - Systems & Software Technology Conference April 23-26, 2012 Salt
More informationSituational Awareness Metrics from Flow and Other Data Sources
Situational Awareness Metrics from Flow and Other Data Sources SEI CERT NetSA 2011 Carnegie Mellon University NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationBoston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018
Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security BRANDEIS UNIVERSITY PROFESSOR ERICH SCHUMANN MAY 2018 1 Chinese military strategist Sun Tzu: Benchmark If you know your
More informationHIPAA Regulatory Compliance
Secure Access Solutions & HIPAA Regulatory Compliance Privacy in the Healthcare Industry Privacy has always been a high priority in the health profession. However, since the implementation of the Health
More informationCyber security tips and self-assessment for business
Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this
More informationInformation Security for Mail Processing/Mail Handling Equipment
Information Security for Mail Processing/Mail Handling Equipment Handbook AS-805-G March 2004 Transmittal Letter Explanation Increasing security across all forms of technology is an integral part of the
More informationAN IPSWITCH WHITEPAPER. 7 Steps to Compliance with GDPR. How the General Data Protection Regulation Applies to External File Transfers
AN IPSWITCH WHITEPAPER 7 Steps to Compliance with GDPR How the General Data Protection Regulation Applies to External File Transfers Introduction Stolen personal data drives a thriving black market for
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess
More informationFlow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University
Flow Analysis for Network Situational Awareness Tim Shimeall January 2010 NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN AS-IS" BASIS.
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationEXHIBIT A. - HIPAA Security Assessment Template -
Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationInference of Memory Bounds
Research Review 2017 Will Klieber, software security researcher Joint work with Will Snavely public release and unlimited distribution. 1 Copyright 2017 Carnegie Mellon University. All Rights Reserved.
More informationThe Shortcut Guide To. Protecting Against Web Application Threats Using SSL. Dan Sullivan
tm The Shortcut Guide To Protecting Against Web Application Threats Using SSL Chapter 3: Planning, Deploying, and Maintaining SSL Certificates to Protect Against Inf ormation Loss and Build Customer Trust...
More informationBusiness continuity management and cyber resiliency
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationXerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers
Xerox FreeFlow Print Server Security White Paper Secure solutions for you and your customers Executive Summary Why is security more important than ever? New government regulations have been implemented
More informationSecure Access & SWIFT Customer Security Controls Framework
Secure Access & SWIFT Customer Security Controls Framework SWIFT Financial Messaging Services SWIFT is the world s leading provider of secure financial messaging services. Their services are used and trusted
More informationTable of Contents. Sample
TABLE OF CONTENTS... 1 CHAPTER 1 INTRODUCTION... 4 1.1 GOALS AND OBJECTIVES... 5 1.2 REQUIRED REVIEW... 5 1.3 APPLICABILITY... 5 1.4 ROLES AND RESPONSIBILITIES SENIOR MANAGEMENT AND BOARD OF DIRECTORS...
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationIncident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles
Incident Response Lessons From the Front Lines Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles 1 Conflict of Interest Nolan Garrett Has no real or apparent conflicts of
More informationThreat and Vulnerability Assessment Tool
TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards...
More informationRoles and Responsibilities on DevOps Adoption
Roles and Responsibilities on DevOps Adoption Hasan Yasar Technical Manager, Adjunct Faculty Member Secure Lifecycle Solutions CERT SEI CMU Software Engineering Institute Carnegie Mellon University Pittsburgh,
More informationInsider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm
Insider Threat Program: Protecting the Crown Jewels Monday, March 2, 2:15 pm - 3:15 pm Take Away Identify your critical information Recognize potential insider threats What happens after your critical
More informationThe Insider Threat Center: Thwarting the Evil Insider
The Insider Threat Center: Thwarting the Evil Insider The CERT Top 10 List for Winning the Battle Against Insider Threats Randy Trzeciak 14 June 2012 2007-2012 Carnegie Mellon University Notices 2011 Carnegie
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationA Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management
A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management D r. J o h n F. M i l l e r T h e M I T R E C o r p o r a t i o n P e t e r D. K e r t z n e r T h
More informationCourses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X
4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss
More informationCurrent Threat Environment
Current Threat Environment Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213, PhD Technical Director, CERT mssherman@sei.cmu.edu 29-Aug-2014 Report Documentation Page Form
More informationDHS Cybersecurity: Services for State and Local Officials. February 2017
DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationReport Writer and Security Requirements Finder: User and Admin Manuals
Report Writer and Security Requirements Finder: User and Admin Manuals Nancy R. Mead CMU MSE Studio Team Sankalp Anand Anurag Gupta Swati Priyam Yaobin Wen Walid El Baroni June 2016 SPECIAL REPORT CMU/SEI-2016-SR-002
More informationSoftware Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group
Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group Defence Research and Development Canada Recherche et développement pour la défense Canada Canada Agenda
More informationISO27001:2013 The New Standard Revised Edition
ECSC UNRESTRICTED ISO27001:2013 The New Standard Revised Edition +44 (0) 1274 736223 consulting@ecsc.co.uk www.ecsc.co.uk A Blue Paper from Page 1 of 14 Version 1_00 Date: 27 January 2014 For more information
More informationSecurity analysis and assessment of threats in European signalling systems?
Security analysis and assessment of threats in European signalling systems? New Challenges in Railway Operations Dr. Thomas Störtkuhl, Dr. Kai Wollenweber TÜV SÜD Rail Copenhagen, 20 November 2014 Slide
More informationNEN The Education Network
NEN The Education Network School e-security Checklist This checklist sets out 20 e-security controls that, if implemented effectively, will help to ensure that school networks are kept secure and protected
More informationMedical Device Vulnerability Management
Medical Device Vulnerability Management MDISS / NH-ISAC Process Draft Dale Nordenberg, MD June 2015 Market-based public health: collaborative acceleration Objectives Define a trusted and repeatable process
More informationProviding Information Superiority to Small Tactical Units
Providing Information Superiority to Small Tactical Units Jeff Boleng, PhD Principal Member of the Technical Staff Software Solutions Conference 2015 November 16 18, 2015 Copyright 2015 Carnegie Mellon
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system
More informationPanel: Future of Cloud Computing
Panel: Future of Cloud Computing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Grace Lewis Advanced Mobile Systems (AMS) Initiative July 9, 2014 Mobile Device Trends Smartphones
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:
More informationThe Confluence of Physical and Cyber Security Management
The Confluence of Physical and Cyber Security Management GOVSEC 2009 Samuel A Merrell, CISSP James F. Stevens, CISSP 2009 Carnegie Mellon University Today s Agenda: Introduction Risk Management Concepts
More informationDepartment of Defense Cybersecurity Requirements: What Businesses Need to Know?
Department of Defense Cybersecurity Requirements: What Businesses Need to Know? Why is Cybersecurity important to the Department of Defense? Today, more than ever, the Department of Defense (DoD) relies
More informationStandard Development Timeline
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationCERT Symposium: Cyber Security Incident Management for Health Information Exchanges
Pennsylvania ehealth Partnership Authority Pennsylvania s Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh,
More informationUNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)
UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update) Koji NAKAO, NICT, Japan (Expert of UNECE WP29/TFCS) General Flow of works in WP29/TFCS and OTA Data protection
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationCOMPUTER & INFORMATION TECHNOLOGY CENTER. Information Transfer Policy
COMPUTER & INFORMATION TECHNOLOGY CENTER Information Transfer Policy Document Controls This document is reviewed every six months Document Reference Document Title Document Owner ISO 27001:2013 reference
More informationImproving Software Assurance 1
Improving Software Assurance 1 Carol Woody Robert J. Ellison April 2010 ABSTRACT: Software assurance objectives include reducing the likelihood of vulnerabilities such as those on a Top 25 Common Weakness
More informationCYBERSECURITY PENETRATION TESTING - INTRODUCTION
CYBERSECURITY PENETRATION TESTING - INTRODUCTION Introduction Pen-testing 101 University Focus Our Environment Openness and learning Sharing and collaboration Leads to Security Weaknesses What is Penetration
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationISSP Network Security Plan
ISSP-000 - Network Security Plan 1 CONTENTS 2 INTRODUCTION (Purpose and Intent)... 1 3 SCOPE... 2 4 STANDARD PROVISIONS... 2 5 STATEMENT OF PROCEDURES... 3 5.1 Network Control... 3 5.2 DHCP Services...
More information