Security Top Lists - ISSA

Download Report

Transcript Security Top Lists - ISSA

ISSA - Sacramento Valley
Security Top Lists
prepared by
Dean Hipwell, CISSP
References:
www.OWASP.org
www.SANS.edu
www.dsd.gov.au
Security Top Lists
Security_Top_Lists.ppt Slide: 1
OWASP Top 10
Web Application Security Risks for 2010
Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session
Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Security Top Lists
Security_Top_Lists.ppt Slide: 2
SANS
Top Cyber Security Risks
Source: http://www.sans.org/top-cyber-security-risks/
Priority One:
Client-side software that remains unpatched.
Priority Two:
Internet-facing web sites that are vulnerable.
Operating systems continue to have fewer remotelyexploitable vulnerabilities that lead to massive
Internet worms.
Rising numbers of zero-day vulnerabilities
Security Top Lists
Security_Top_Lists.ppt Slide: 3
SANS Top 20
Critical Security Controls - Version 3.0
Source: http://www.sans.org/critical-security-controls/
1: Inventory of Authorized and Unauthorized
Devices
2: Inventory of Authorized and Unauthorized
Software
3: Secure Configurations for Hardware and Software
on Laptops, Workstations, and Servers
4: Secure Configurations for Network Devices such
as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance, Monitoring, and Analysis of Audit
Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based on the Need to Know
10: Continuous Vulnerability Assessment and
Remediation
Security Top Lists
Security_Top_Lists.ppt Slide: 4
SANS Top 20
Critical Security Controls - Version 3.0
Source: http://www.sans.org/critical-security-controls/
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports,
Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Security Skills Assessment and Appropriate
Training to Fill Gaps
Security Top Lists
Security_Top_Lists.ppt Slide: 5
SANS Top 25
Most Dangerous Software Errors
Source: http://www.sans.org/top25-software-errors/
Insecure Interaction Between Components
CWE ID
Name
CWE-89
Improper Neutralization of Special Elements used in an SQL
Command ('SQL Injection')
CWE-78
Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')
CWE-79
Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Security Top Lists
Security_Top_Lists.ppt Slide: 6
SANS Top 25
Most Dangerous Software Errors
Source: http://www.sans.org/top25-software-errors/
Risky Resource Management
CWE ID
Name
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer
Overflow')
CWE-22
Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal')
CWE-494 Download of Code Without Integrity Check
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CWE-676 Use of Potentially Dangerous Function
CWE-131 Incorrect Calculation of Buffer Size
CWE-134 Uncontrolled Format String
CWE-190 Integer Overflow or Wraparound
Security Top Lists
Security_Top_Lists.ppt Slide: 7
SANS Top 25
Most Dangerous Software Errors
Source: http://www.sans.org/top25-software-errors/
Porous Defenses
CWE ID
CWE-306
CWE-862
CWE-798
CWE-311
CWE-807
CWE-250
CWE-863
CWE-732
CWE-327
CWE-307
CWE-759
Security Top Lists
Name
Missing Authentication for Critical Function
Missing Authorization
Use of Hard-coded Credentials
Missing Encryption of Sensitive Data
Reliance on Untrusted Inputs in a Security Decision
Execution with Unnecessary Privileges
Incorrect Authorization
Incorrect Permission Assignment for Critical Resource
Use of a Broken or Risky Cryptographic Algorithm
Improper Restriction of Excessive Authentication Attempts
Use of a One-Way Hash without a Salt
Security_Top_Lists.ppt Slide: 8
Au-DSD Top 35
Mitigation Strategies (Part 1)
Source: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
Ranking
1
2
3
4
5
6
7
8
9
10
11
12
Security Top Lists
Strategy
Patch applications within 2 days for high risk vulnerabilities.
Patch O/S within 2 days for high risk vulnerabilities.
Minimize the number of local admins. Assign separate accounts.
Application white-listing: Prevent unauthorized programs.
HIDS/HIPS: Identify anomalous behavior.
E-mail content filtering: Allow only authorized attachments.
Block spoofed e-mail.
User education.
Web content filtering.
Web domain white-listing.
Web domain white-listing for HTTP/SSL.
Workstation inspection of Microsoft Office files.
Security_Top_Lists.ppt Slide: 9
Au-DSD Top 35
Mitigation Strategies (Part 2)
Source: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
Ranking
13
14
15
16
17
18
19
20
21
22
23
24
Security Top Lists
Strategy
Application-based workstation firewall: block incoming traffic.
Application-based workstation firewall: prevent outgoing traffic.
Network segregation.
Multi-factor authentication.
Randomized local admin passphrases. (Prefer domain groups)
Enforce strong passphrases.
Border gateway using an IPv6-capable firewall.
Data Execution Prevention.
Antivirus software with up to date signatures.
Non-persistent virtualized trusted operating environment.
Centralized and time-synchronized logging: network traffic.
Centralized and time-synchronized logging: computer events.
Security_Top_Lists.ppt Slide: 10
Au-DSD Top 35
Mitigation Strategies (Part 3)
Source: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
Ranking
25
26
27
28
29
30
31
32
33
34
35
Security Top Lists
Strategy
Standard O/S with unneeded functions disabled.
Application hardening: disable unneeded features.
Restrict access to NetBOIS features.
Server hardening.
Removable and portable media control.
TLS encryption between email servers.
Disable LanMan password support and cached credentials.
Block attempts to access web sites by their IP address instead of
by their domain name.
NIDS/NIPS: Identify anomalous traffic.
Gateway blacklisting to block access to known malicious
domains.
Full network traffic capture to perform post-incident analysis.
Security_Top_Lists.ppt Slide: 11