-
Univers
-
Ebooks
-
Livres audio
-
Presse
-
Podcasts
-
BD
-
Documents
-
- Cours
- Révisions
- Ressources pédagogiques
- Sciences de l’éducation
- Manuels scolaires
- Langues
- Travaux de classe
- Annales de BEP
- Etudes supérieures
- Maternelle et primaire
- Fiches de lecture
- Orientation scolaire
- Méthodologie
- Corrigés de devoir
- Annales d’examens et concours
- Annales du bac
- Annales du brevet
- Rapports de stage
La lecture à portée de main
Tout savoir sur nos offres
Tout savoir sur nos offres
Description
Informations
| Publié par | Anfo |
| Nombre de lectures | 19 |
| Langue | English |
Extrait
The Mythical Audit Point
Mignona Cote
Senior Manager,
Security Vulnerabilities
Nortel Networks
Why this Topic?Agenda
• The Control Expert
• One Size Fits All
• The Real World
• A Case Study
• Let’s Progress
The Control Expert
• Knowledge
• Training
• Experience
• ChecklistsFirewall
Database
Application Servers
Remote Access
Knowledge
Business
Back Office ApplicationsPartner
RAS
Front Office Systems
Wireless Access
UNIX, Windows NT,VPN
Outlook, DevelopmentInternet
Remote Users
Do we know the controls to
secure this environment?
Training
Have we been trained
to understand the
magnitude of risk?Experience
Where do we draw the line?
Does our experience within technology
let us know the acceptable risk?let us know the acceptable risk?
Checklists
MAJOR CONTROL CATEGORIES BaaN SAP
1.5 Security AdministrationDocumentation Process and Standards XX X
Corporate Procedures
Corporate Standards
Login Controls X
Practices
Change Control Procedures
OS Controls X Verify UNIX Directory Structure
1.6 Authentication
Verify root login disabledChange Control XX X
root login limited to console on HP systems
Identify users with root access
Disaster Recovery Planning X
Database Management / Controls X
Transport of Data XX X
Developer Access Controls X
Exemptions X
Application Auditing Processes XX X
Next Scheduled Revalidation 28-Dec-02 28-Aug-02One Size Fits All
Audit Report
Perform Any Function Application
We recommend:
– Privileged access be limited
to a prime and a backup
– DRP be tested
– All vulnerabilities be corrected
– System comply to all standards
Mythical Audit Point #1
• Common Issue
– “We recommend administrative
access be limited to a prime and a
backup.”
• Typical Exposure
– Accountability
– “Keys to the Kingdom”
– Logging of ActivityMythical Audit Point #1
• Real World
– 7x24 support
– Global Operations–
– Small IS shop
– System Installations
– Reboots
– Reduced Workforces
– Mergers, Acquisitions, Divestitures
Mythical Audit Point #2
• Common Issue
– “DRP be tested”
• Typical Exposure
– Unable to recover
– Loss of critical data
– Business not able to operate–Mythical Audit Point #2
• Real World
– Failover systems
–– 1400 applications
– 300+ data feeds
– Dispersed operations
– Mirroring
– Walkthrough vs. Live Tests
Mythical Audit Point #3
• Common Issue
– “All vulnerabilities must be
corrected.””
• Typical Exposure
– Systems may be easily hacked
–– Unauthorized AccessMythical Audit Point #3
• Real World
– False Positives
– “Genius” to exploit– “Genius”
– Can we expose/exploit
– Compensating Controls
– NIPC, CERT
– Patch Availability
– SNMP
Perimeter Router Disable Patch
Mythical Audit Point #4
• Common Issue
– “We recommend all systems
comply with Standards.””
• Typical Exposure
– Systems may be compromised
–– Systems are unsecuredMythical Audit Point #4
• Real World
– 200+ Unix OS Configurations
– Application Dependencies
– Required Services
– Implementation Cost
Reality vs. Over ControlA Case Study
• Situation:
– IS received over 50 audit points over 8
audits resulting in bad ratings
– 40% were the same issue
– Were these a real threat?
A Case Study
• Remediation
– Accountability model for Issues
–– Root Cause
– Hardening Plan
– Improved Audit Practices
-
Univers
-
Ebooks
-
Livres audio
-
Presse
-
Podcasts
-
BD
-
Documents
-
Jeunesse
-
Littérature
-
Ressources professionnelles
-
Santé et bien-être
-
Savoirs
-
Education
-
Loisirs et hobbies
-
Art, musique et cinéma
-
Actualité et débat de société
-
Jeunesse
-
Littérature
-
Ressources professionnelles
-
Santé et bien-être
-
Savoirs
-
Education
-
Loisirs et hobbies
-
Art, musique et cinéma
-
Actualité et débat de société
-
Actualités
-
Lifestyle
-
Presse jeunesse
-
Presse professionnelle
-
Pratique
-
Presse sportive
-
Presse internationale
-
Culture & Médias
-
Action et Aventures
-
Science-fiction et Fantasy
-
Société
-
Jeunesse
-
Littérature
-
Ressources professionnelles
-
Santé et bien-être
-
Savoirs
-
Education
-
Loisirs et hobbies
-
Art, musique et cinéma
-
Actualité et débat de société
- Cours
- Révisions
- Ressources pédagogiques
- Sciences de l’éducation
- Manuels scolaires
- Langues
- Travaux de classe
- Annales de BEP
- Etudes supérieures
- Maternelle et primaire
- Fiches de lecture
- Orientation scolaire
- Méthodologie
- Corrigés de devoir
- Annales d’examens et concours
- Annales du bac
- Annales du brevet
- Rapports de stage
