About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).
Noel Jordan Ryan, 5 years ago

Transcription

Slide 2: About the company
What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).
Slide 3: Agenda
- Building a business case for SAP Vulnerability Management
- How to start off: roles, responsibilities and process?
- How to talk to the board about SAP security?

Slide 4: Introduction
Building a business case for SAP Vulnerability Management
Slide 5: Business Applications Under Attack
- All business processes are generally automated by ERP systems.
- Information valuable to cybercriminals, industrial spies and competitors is stored in a company's ERP. This information includes financial reports, customer data, public relations materials, intellectual property documents and personally identifiable information.
- Industrial espionage, sabotage, fraud and insider embezzlement carried out within the ERP system are nearly untraceable.

Slide 6: Problem
- SAP is owned and managed by the business
- The business rarely cares about security (only SoD)
- CISOs sometimes don't even know about SAP
- CISOs care about infrastructure security
- But if a breach happens, they'll be blamed for lack of care
- Our mission is to close this gap
Slide 7: SAP Security Notes (chart: number of vulnerabilities by vulnerability risk level)

Slide 8: Latest news

Slide 9: SAP Cybersecurity Framework

Slide 10: Vulnerability Management Data Flows

Slide 11: Building business case
1. Present SAP specific cybersecurity risks
2. Implement SAP Vulnerability Management Process
3. Develop metrics and demonstrate results
Slide 12: SAP Security Risks
1. Unreliable security controls (those ensuring CIA), caused by:
   - Weak passwords
   - Lack of authorization checks
2. Execution of fraudulent business transactions, caused by:
   - Unnecessary functionality enabled
   - SAP application vulnerabilities
3. Compliance violation, caused by:
   - Specific configuration requirements

Slide 13: SAP Vulnerabilities
Vulnerability Type: Examples
- Misconfigurations: Allow Dynamic Query is enabled for migrated data servers
- Application Vulnerabilities: Remote command execution in SAP HANA TREXNet protocol without authorization
- Code Vulnerabilities: Hardcoded ..., code injection and missing authorization checks
- Access Control Vulnerabilities: Fraud scenario "Redirected Payment": change a vendor's bank account, wait for a payment (or make one), then change the vendor's bank account back
Slide 14: Vulnerability Management

Slide 15: Vulnerability Management Metrics
- SAP systems exposure
- Response (mitigation) time
- Labor and monetary costs
- State of compliance to standards

Slide 16: Agenda
- Building a business case for SAP Vulnerability Management
- How to start off: roles, responsibilities and process?
- How to talk to the board about SAP security?

Slide 17: How to start off
Roles, responsibilities and process

Slide 18: Vulnerability Management
1. Identify Assets and Schedule Vulnerability Assessments
   - Inventory of Assets
   - Scan Profiles
   - Scan Plan
2. Scan Vulnerabilities
   - Vulnerability Reports
3. Analyze Vulnerabilities and Recommend Remediations
   - Vulnerability Risk Assessment
   - Remediation Plan
4. Test and Deploy Remediations
   - Remediation Completion Report
5. Verify Remediations and Report
   - Executive Report
Slide 19: 1.1 Inventory of Assets
Columns: System ID, Purpose, Interconnected Systems, System Criticality, Responsibility, System Type, Application Servers, Clients, Platform
- DM0: Purpose: Supply chain management. Interconnected systems: Internal: ERP; Internet: no; ICS: no; Partners: Partner1, Partner2; Mobile: no. Criticality: High. Responsibility: John F. K. System type: PROD :PRD. Platform: SAP SCM 5.0 (NetWeaver AS 7.1 ABAP)
- ERP: Purpose: Enterprise Resource Planning. Interconnected systems: Internal: HR1, HR2; Internet: no; ICS: MES System; Partners: no; Mobile: no. Criticality: Low. Responsibility: Mike. System type: PROD :PRD. Platform: SAP ECC 6.0 (NetWeaver AS 7.3 ABAP)
- CRM: Purpose: Customer Relationship Management. Interconnected systems: Internal: ERP; Internet: yes; ICS: no; Partners: no; Mobile: no. Criticality: Very High. System type: PROD :PRD. Platform: SAP CRM 6.0 (NetWeaver AS ABAP 7.0)

Slide 20: 1.1 Inventory of Assets. Demo

Slide 21: 1.2 Scan Profiles
Technical compliance of an SAP system is its state of meeting the IT-related requirements of the applicable authority documents (PCI DSS 3.2, ISO 27001:2013, DSAG, SAP security guidelines, ISACA security guidelines). Each authority document control maps to one or more technical checks (Technical Check 1, Technical Check 2, ..., Technical Check n).

Slide 22: 1.2 Scan Profiles. Demo
Slide 23: 1.3 Scan Plan
Columns: Asset, Date, Time, Frequency
- DM, :00, Quarterly: Q1, Q2, Q3, Q4
- ERP, :00, Quarterly: Q1, Q2, Q3, Q4
- CRM, :00, Quarterly: Q1, Q2, Q3, Q4

Slide 24: 3. Analyze Vulnerabilities and Recommend Remediations
Constraints and requirements (example):
- Duration: not more than 60 days
- Vulnerability risk level: medium and higher
- Allowed remediation types: no kernel patch
Tasks:
1. Prioritizing vulnerabilities
2. Filtering vulnerabilities
Outcome: Remediation Plan
Slide 25: 3.1 Requirements and constraints
Columns: System ID, Relevant Adversaries, Vulnerability Types, Vulnerability Risk Level, Allowed Remediation Types, Maximum Level of Remediation Effort, Maximum Period of Downtime, Applicable Authority Documents, Results of Filtering
- DM0: Adversary: internal attacker without rights in the system. Vulnerability types: all except code and access control. Risk level: Medium and higher. Allowed remediation types: all except patch install. Maximum remediation effort: High and lower. Maximum downtime: 2 hours. Results: 678 (66%) from 1023 vulnerabilities were filtered out: High risk: 5, Medium risk: 73, Low risk: 600
- ERP: Adversary: internal attacker with rights. Vulnerability types: all. Risk level: High. Allowed remediation types: all except configuration changes. Maximum remediation effort: any. Maximum downtime: 8 hours. Authority documents: NERC-CIP. Results: 215 (17%) from 1500 vulnerabilities were filtered out: High risk: 215, Medium risk: 30, Low risk: (not given)
- CRM: Adversary: external attacker. Vulnerability types: all. Risk level: all. Allowed remediation types: all. Maximum remediation effort: any. Maximum downtime: 1 hour. Authority documents: PCI DSS. Results: (52%) from 600 vulnerabilities were filtered out: High risk: 15, Medium risk: 100, Low risk: 200

Slide 26: 3.2 Prioritization
Columns: Check ID, Vulnerability Description, Vulnerability Type, Vulnerability Risk, External Usage, Count of SAP systems with the vulnerability (High / Medium / Low criticality), Vulnerability Priority
- SSEA_ : External RFC server registration. Misconfiguration, High, external usage: yes
- SSCA_00130: SSL encryption for ICM connections. Misconfiguration, Medium, external usage: yes
- SSCA_00223: Central application server that maintains the system log. Misconfiguration, Medium, external usage: yes
- SSCA_01082: Use of a weak password hashing (H version of hashing). Misconfiguration, Medium, external usage: no
- SSCA_00009: Minimum number of letters in a password. Misconfiguration, Medium, external usage: no
- SSCA_00143: Enable login with external identity by RFC. Misconfiguration, Medium, external usage: no
Slide 27: 3.3 Filtration. DM0. Constraints
Columns: Characteristic, Values, Constraint, Rationale, Results of Filtering
- Vulnerability Type (values: Application vulnerability, Misconfiguration, Code vulnerability, Access control). Constraint: application vulnerabilities and misconfigurations. Rationale: code vulnerabilities are irrelevant due to the lack of custom development. Result: 78 (8%) from 1023 vulnerabilities were filtered out: High risk: 5, Medium risk: 73
- Vulnerability Risk (values: Very High, High, Medium, Low). Constraint: Medium and higher. Result: 600 (59%) from 1023 vulnerabilities were filtered out: Low risk: 600
- Maximum Level of Remediation Effort: less than 30 hours
- Allowed Remediation Types: all except patch install

Slide 28: 3.3 Filtration. DM0. Relevant vulnerabilities (chart: count by vulnerability type, Misconfiguration / Application Vulnerability / Code / Access Control, and risk, High / Medium / Low, with % reduction)
Slide 29: 3.4 Remediation Plan. DM0
Columns: Remediation Priority, Vulnerability, Vulnerability Risk, Remediation Type, Remediation
1. SSEA_ : External RFC server registration (risk: High; remediation type: update configuration; effort level: medium, ~2d, downtime 4h)
   Description: An attacker can use an insecure RFC configuration to register his own RFC server. As a result he is able to control and intercept client requests as well as copy and change information.
   Remediation: configure the RFC server correctly. Links: RFC/ICF Security Guide
2. SSCA_00130: SSL encryption for ICM connections (risk: Medium; remediation type: update configuration; effort level: easy, ~4h, downtime 2h)
   Description: Without encryption of the network connection, transmitted data can be intercepted, leading to unauthorized access. HTTP transmits all authentication data in plain text, which makes it easy to intercept with a spoofing attack.
   Remediation: set the icm/server_port_nn parameter to PROT=HTTPS instead of PROT=HTTP to reduce the possibility of unauthorized access.
3. SSCA_00223: Central application server that maintains the system log (risk: Medium; remediation type: update configuration; effort level: easy, ~4h, downtime 2h)
   Description: Incorrect permissions on this file in the operating system can allow an attacker to modify its contents so as to hide his tracks.
   Remediation: the operating system administrator must set the access rights to the file correctly, following the principle of least privilege. Links: BOOK "Security, Audit and Control Features (SAP ERP 3rd edition)" p. 413; check DOC rslg/collect_daemon/host - Central Log Host
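The filtering (3.1, 3.3) and prioritization (3.2) steps of slides 24 to 29, as an added worked example in Python that is not part of the original deck: it applies the DM0 constraints stated on slides 25 and 27 to a constructed scan result and orders the survivors by risk, external usage and a criticality-weighted count of affected systems. The SSCA_ check ids and descriptions follow slide 26; the SSEA_<id> placeholder, all counts and hours, and the CONSTRUCTED-* rows are assumptions made here.

```python
"""Risk-based filtering and prioritisation of SAP vulnerability findings.

Added worked example, not code from the original deck. It models steps 3.1 to 3.4:
apply one system's constraints (allowed vulnerability types, minimum risk level,
denied remediation types, maximum remediation effort) to a scan result, then order
what survives by risk, external usage and the criticality of the affected systems.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}
CRITICALITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    check_id: str
    description: str
    vuln_type: str          # Misconfiguration | Application | Code | Access Control
    risk: str               # Low | Medium | High | Very High
    external: bool          # usable by an external attacker
    remediation_type: str   # e.g. "Update configuration", "Patch install"
    effort_hours: float
    affected: Dict[str, int] = field(default_factory=dict)  # systems per criticality


@dataclass(frozen=True)
class Constraints:
    allowed_types: FrozenSet[str]
    min_risk: str
    denied_remediation: FrozenSet[str]  # "All except patch install" -> {"Patch install"}
    max_effort_hours: Optional[float]   # None = any effort


def rejection_reason(f: Finding, c: Constraints) -> Optional[str]:
    """Name the first constraint a finding fails, or None if it stays in scope."""
    if f.vuln_type not in c.allowed_types:
        return "vulnerability type"
    if RISK_ORDER[f.risk] < RISK_ORDER[c.min_risk]:
        return "risk level"
    if f.remediation_type in c.denied_remediation:
        return "remediation type"
    if c.max_effort_hours is not None and f.effort_hours >= c.max_effort_hours:
        return "remediation effort"
    return None


def priority_key(f: Finding) -> Tuple[int, int, int]:
    """Larger sorts first: risk, then external usage, then weighted affected-system count."""
    weighted = sum(CRITICALITY_WEIGHT[k] * n for k, n in f.affected.items())
    return (RISK_ORDER[f.risk], int(f.external), weighted)


def remediation_plan(findings: Iterable[Finding], c: Constraints) -> Tuple[List[Finding], dict]:
    """Return prioritised in-scope findings plus a report in the slides' form:
    'N (P%) from TOTAL vulnerabilities were filtered out: High risk: x, ...'."""
    findings = list(findings)
    kept, dropped, reasons = [], [], Counter()
    for f in findings:
        why = rejection_reason(f, c)
        if why is None:
            kept.append(f)
        else:
            dropped.append(f)
            reasons[why] += 1
    report = {"total": len(findings), "filtered": len(dropped),
              "percent": round(100 * len(dropped) / len(findings)) if findings else 0,
              "by_risk": dict(Counter(f.risk for f in dropped)), "by_reason": dict(reasons)}
    return sorted(kept, key=priority_key, reverse=True), report


# DM0 constraints as stated on slides 25 and 27: misconfigurations and application
# vulnerabilities only, medium risk and higher, no patch install, under 30 hours effort.
DM0_CONSTRAINTS = Constraints(
    allowed_types=frozenset({"Misconfiguration", "Application"}),
    min_risk="Medium",
    denied_remediation=frozenset({"Patch install"}),
    max_effort_hours=30,
)

# Constructed scan result: SSCA_ ids and descriptions follow slide 26; the SSEA_<id>
# placeholder, all counts and hours, and the CONSTRUCTED-* rows are made up here.
SAMPLE_FINDINGS = [
    Finding("SSEA_<id>", "External RFC server registration", "Misconfiguration", "High",
            True, "Update configuration", 16, {"High": 1, "Medium": 2}),
    Finding("SSCA_00130", "SSL encryption for ICM connections", "Misconfiguration", "Medium",
            True, "Update configuration", 4, {"High": 2, "Low": 1}),
    Finding("SSCA_00223", "Central application server that maintains the system log",
            "Misconfiguration", "Medium", True, "Update configuration", 4, {"Medium": 1}),
    Finding("SSCA_01082", "Use of a weak password hashing", "Misconfiguration", "Medium",
            False, "Update configuration", 8, {"High": 3}),
    Finding("SSCA_00009", "Minimum number of letters in a password", "Misconfiguration",
            "Medium", False, "Update configuration", 2, {"Low": 5}),
    Finding("SSCA_00143", "Enable login with external identity by RFC", "Misconfiguration",
            "Medium", False, "Update configuration", 2, {"High": 1}),
    Finding("CONSTRUCTED-1", "Application flaw fixed only by patching", "Application", "High",
            True, "Patch install", 40, {"High": 1}),
    Finding("CONSTRUCTED-2", "Missing authorization check in custom code", "Code", "Medium",
            False, "Code fix", 6, {"Medium": 1}),
    Finding("CONSTRUCTED-3", "Low-risk setting", "Misconfiguration", "Low",
            False, "Update configuration", 1, {"Low": 2}),
]
```

Calling `remediation_plan(SAMPLE_FINDINGS, DM0_CONSTRAINTS)` returns the six slide-26 checks in the slide's order (SSEA_ first, then SSCA_00130, SSCA_00223, SSCA_01082, SSCA_00009, SSCA_00143) and a report that 3 (33%) of 9 findings were filtered out, one each by type, risk level and remediation type.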
Slide 30: Outcomes
- Inventory of Assets: list of assets in scope of the vulnerability management, technical details and descriptions
- Scan Profiles: list of security checks related to applicable information security standards and regulations
- Scan Plan: list of assets and time at which vulnerability scans should be performed
- Remediation Plan: description of SAP landscape, threat map, recommended remediations and action plans for each SAP system
- Executive Report: report on performance of SAP VM: security, compliance and remediation metrics

Slide 31: Agenda
- Building a business case for SAP Vulnerability Management
- How to start off: roles, responsibilities and process?
- How to talk to the board about SAP security?

Slide 32: How to talk to the board?

Slide 33: What boards need to know?
- Do we comply with security requirements?
- How protected are our most important assets against a cyber-attack?
- How high is the residual cyber risk we have?
- What work related to remediation of cyber risk is in progress?
- What should we do next?
Slide 34: Executive Report. Summary
Title: SAP Vulnerability Management 2015
Dates:
Goal: initial assessment of 40 SAP systems
Conclusion:
1. Technical compliance increased on average by 10%
2. Vulnerability ratio (number of vulnerabilities per host) decreased on average by 30%
3. Overall efforts amounted to 400 man-hours
4. There are still 100 vulnerabilities on high-criticality SAP systems, 50 on medium and 15 on low
5. Future goals: increase technical compliance by 10% for every standard and remediate all vulnerabilities with high risk
6. With current productivity, it will take 5 months of work for 2 employees
Slide 35: 1. Technical Compliance. Authority Documents (chart: ratio of successful checks by standard; values as extracted: CIS CSC 50%, 35%; ISO 27001 50%; PCI DSS 30%, 40%, -5%; NIST 53 20%)

Slide 36: 1. Technical compliance. ISO 27001 (chart: ratio of successful checks by control category; per category the extracted values are count, ratio, change and total checks)
- A.12 Operational security: 12, 65%, 20%, 18 total checks
- A.9 Access control: 45, 45%, 30%, 100 total checks
- A.13 Communication security: 14, 50%, 5%, 28 total checks
- A.16 Information security incident management: 6, 45%, 5%, 13 total checks
- A.6 Organization of information security: 23, 30%, 10%, 77 total checks
- A.10 Cryptography: 22, 30%, 10%, 73 total checks
- A.8 Asset management: 25, 35%, 5%, 71 total checks
- A.18 Compliance: 23, 20%, 15%, 115 total checks
- A.5 Information security policies: 17, 35%, 0, 49 total checks
- A.7 Human resources security: 30, 20%, 10%, 150 total checks
- A.15 Supplier relationships: 15, 20%, 10%, 75 total checks
- A.11 Physical and environmental security: 10, 20%, 10%
- A.17 Information security aspects of business continuity: 20, 30%, 0
- A.14 System acquisition, development and maintenance: 34, 15%, 0%

Slide 37: 2. Security. Remediations by Risk Level (chart: change in vulnerability count by risk level, High / Medium / Low)

Slide 38: 2. Security. Remediations by Vulnerability Type (chart: change in vulnerability count by type, Misconfiguration / Application Vulnerability / Code / Access Control; values as extracted: 5, 4, 1)
Slide 39: Executive Report. Future Plans
1. Current threat map
2. Remediation priorities
   - Grouped by system
   - Grouped by vulnerability
3. Productivity analysis
4. Goals
5. Conclusion

Slide 40: 3. Future plans. Threat Map

Slide 41: 3. Future Plans. Remediation priorities for SAP systems (TOP 10)
Columns: Priority, SID, Criticality, Connectivity, Total remediation efforts, Total downtime, Count of vulnerabilities by risk level (High / Medium / Low)
1. PLM: criticality High; connectivity SCADA; ~500 hours; downtime 5 hours
- CR1: criticality Low; connectivity WEB; ~150 hours
- ERP: criticality Medium; connectivity -; ~10 hours
- HR1: criticality Low; connectivity ERP, PLM
- FIN: criticality Low; connectivity PLM
- DL0: criticality Medium
- DL1: criticality Medium
- DL2: criticality Medium
- DL3: criticality Medium
- DL4: criticality Medium
Slide 42: 3. Future Plans. Remediation priorities for vulnerabilities (TOP 5)
Columns: Priority, Vulnerability Description, Vulnerability Risk, Remediation Type, Remediation Effort, Criticality of SAP systems with the vulnerability (High / Medium / Low)
- SAP Gateway authorization bypass: risk High; remediation: configure ACL
- Verb Tampering vulnerability: risk High; remediation: change configuration
- Default password for user SAP*: risk Very High; remediation: user settings
- XSS vulnerability in config servlet: risk Medium; remediation: apply SAP Note
- MMC Server information disclosure: risk High; remediation: change configuration

Slide 43: 3. Future Plans. Productivity analysis
Columns: Remediation Type, Implemented remediations by effort amount (High / Medium / Low), Productivity by effort amount in hours per remediation (High / Medium / Low)
- SAP Note installation: ... h, 5h
- Update a configuration setting: 10, 20h
- Install a kernel patch: ... h
- Execute SQL command: 10, 20h
- Disable SAP Service: 5, 25
- Total: ... h, 500h, 45h
Slide 44: 3. Future Plans. Compliance Goals
1. Increase technical compliance by 10% for every standard
2. The goal implies:
   - 10 high-effort remediations
   - 50 medium-effort remediations
   - 150 low-effort remediations
3. Overall effort projection is 4 months for 2 employees

Slide 45: 3. Future Plans. Security Goals
1. Completely patch all TOP 10 SAP systems: PLM, HR1, ERP, SCM, FIN, DL0, DL1, DL2, DL3, DL4
2. Remediate all vulnerabilities with high risk
3. The goals imply:
   - 20 high-effort remediations
   - 35 medium-effort remediations
   - 100 low-effort remediations
4. Overall effort projection is 3 months for 2 employees

Slide 46: 3. Future Plans. Conclusion
1. Technical compliance increased on average by 10%
2. Vulnerability ratio decreased on average by 30%
3. Overall efforts amounted to 400 man-hours
4. There are still 100 vulnerabilities on high-criticality SAP systems, 50 on medium and 15 on low
5. Future goals are to increase technical compliance by 10% for every standard and remediate all vulnerabilities with high risk
6. Maintaining the current productivity, it will take 7 months for 2 employees

Slide 47: Final Takeaways
1. Operating SAP brings new risks
2. Vulnerabilities are the raw data of security
3. Manage vulnerabilities to reach the desired level of security

Slide 48: Thank you
Michael Rakutko, Head of Professional Services
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA
HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
Use of SSL/Early TLS for POS POI Terminal Connections Date: Author: PCI Security Standards Council Table of Contents Introduction...1 Executive Summary...1 What is the risk?...1 What is meant by Early
More informationMitigation Controls on. 13-Dec-16 1
Mitigation Controls on 13-Dec-16 1 An organization s users are its greatest assets and its most challenging adversaries. one of the vulnerabilities posed by insiders is their knowledge of the quality of
More informationDesigning and Building a Cybersecurity Program
Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson lwilson@umassp.edu ISACA Breakfast Meeting January, 2016 Designing & Building a Cybersecurity
More informationVULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED
AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5
More informationAudit Network Security. University System of New Hampshire
Audit Network Security Presenter Ashish Jain, CPA, CIA, CISA, CA Director of Internal Audit University System of New Hampshire 1 University System of New Hampshire 34,000 enrolled students 4 institutions
More informationOracle Security Products and Their Relationship to EBS. Presented By: Christopher Carriero
Oracle Security Products and Their Relationship to EBS Presented By: Christopher Carriero 1 Agenda Confidential Data in Corporate Systems Sensitive Data in the Oracle EBS What Are the Oracle Security Products
More informationCoreMax Consulting s Cyber Security Roadmap
CoreMax Consulting s Cyber Security Roadmap What is a Cyber Security Roadmap? The CoreMax consulting cyber security unit has created a simple process to access the unique needs of each client and allows
More informationCyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory
CyberArk Solutions for Secured Remote Interactive Access Addressing NERC Remote Access Guidance Industry Advisory Table of Contents The Challenges of Securing Remote Access.......................................
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationCompliance with CloudCheckr
DATASHEET Compliance with CloudCheckr Introduction Security in the cloud is about more than just monitoring and alerts. To be truly secure in this ephemeral landscape, organizations must take an active
More informationNY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO
NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO June 28, 2017 Alan Calder IT Governance Ltd www.itgovernanceusa.com PLEASE NOTE THAT
More informationSAP, dos, dos, race conditions => rce. Dmitry Chastuhin, Dmitry Yudin
SAP, dos, dos, race conditions => rce Dmitry Chastuhin, Dmitry Yudin 1 About us Yet another security researcher Business application security expert ERPScan Wiem, jak korzystać z tłumaczami 2 About us
More informationNOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect
NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should
More informationGaps in Resources, Risk and Visibility Weaken Cybersecurity Posture
February 2019 Challenging State of Vulnerability Management Today: Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture In the last two years, businesses and governments have seen data breaches
More informationHost Hardening Achieve or Avoid. Nilesh Kapoor Auckland 2016
Host Hardening Achieve or Avoid Nilesh Kapoor Auckland 2016 Introduction Nilesh Kapoor Senior Security Consultant @ Aura Information Security Core 8 years experience in Security Consulting Co- Author Security
More informationRisk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23
Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance
More informationA New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO
A New Cyber Defense Management Regulation Ophir Zilbiger, CRISC, CISSP SECOZ CEO Personal Background IT and Internet professional (since 1992) PwC (1999-2003) Global SME for Network Director Information
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationSurprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS
Surprisingly Successful: What Really Works in Cyber Defense John Pescatore, SANS 1 Largest Breach Ever 2 The Business Impact Equation All CEOs know stuff happens in business and in security The goal is
More informationPROTECTING INFORMATION ASSETS NETWORK SECURITY
PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security
More informationRiskSense Attack Surface Validation for IoT Systems
RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationAll the Latest Data Security News. Best Practices and Compliance Information From the PCI Council
All the Latest Data Security News Best Practices and Compliance Information From the PCI Council 1 What is the PCI Security Standards Council? Collaboration Education Simplified solutions for merchants
More informationWill you be PCI DSS Compliant by September 2010?
Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise
More informationCyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory
CyberArk Solutions for Secured Remote Interactive Access Addressing NERC Remote Access Guidance Industry Advisory Table of Contents The Challenges of Securing Remote Access 3 Using CyberArk s Privileged
More informationRIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015
www.pwc.com RIMS Perk Session 2015 - Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 Los Angeles RIMS Agenda Introductions What is Cybersecurity? Crown jewels The bad
More informationTips for Passing an Audit or Assessment
Tips for Passing an Audit or Assessment Rob Wayt CISSP-ISSEP, HCISPP, CISM, CISA, CRISC, CEH, QSA, ISO 27001 Lead Auditor Senior Security Engineer Structured Communication Systems Who likes audits? Compliance
More informationCYBER SECURITY AIR TRANSPORT IT SUMMIT
CYBER SECURITY AIR TRANSPORT IT SUMMIT SHARING GOOD PRACTICES VIVIEN EBERHARDT, SITA CYBER SECURITY CYBER SECURITY AIR TRANSPORT IT SUMMIT SHARING GOOD PRACTICES VIVIEN EBERHARDT, SITA CYBER SECURITY CYBER
More informationMachine Learning for User Behavior Anomaly Detection EUGENE NEYOLOV, HEAD OF R&D
Machine Learning for User Behavior Anomaly Detection EUGENE NEYOLOV, HEAD OF R&D 2 AUTHOR Eugene Neyolov HEAD OF R&D Security engineer and analyst leading applied research projects in security monitoring,
More informationSecurity Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE
Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE Cyber Security Services Security Testing - a requirement for a secure business ISACA DAY in SOFIA Agenda No Agenda Some minimum theory More real
More informationPROFESSIONAL SERVICES (Solution Brief)
(Solution Brief) The most effective way for organizations to reduce the cost of maintaining enterprise security and improve security postures is to automate and optimize information security. Vanguard
More information