Stakeholder Specific Visualization and Automated Reporting of Network Scanning Results. 11. DFN-Forum Kommunikationstechnologien, Günzburg, 27. Juni 2018 (slide transcription)

Slide 1: Stakeholder Specific Visualization and Automated Reporting of Network Scanning Results
11. DFN-Forum Kommunikationstechnologien, Günzburg, 27. Juni 2018
Tanja Hanauer, Stefan Metzger

Slide 2: Agenda
- Motivation
- State of the Art
- Process Framework Vis4Sec
- Exemplary Process Iterations
  - Limitation and Control of Network Ports
  - Vulnerable OpenSSL Library
- Conclusion
23.07.18 Leibniz-Rechenzentrum

Slide 3: Motivation
- Compliance -> Implementation
- Organizational Knowledge
- Overview

Slide 4: State of the Art
- Visualization and Data Guidelines
  - Gestalt Theory
  - Tufte's Design Criteria
  - Shneiderman's Information Seeking Mantra

Slide 5: Data Quality Dimensions according to Data Management Association UK
- Completeness: Proportion of stored data against the potential of 100 % complete.
- Uniqueness: No thing will be recorded more than once based upon how that thing is identified.
- Timeliness: The degree to which data represent reality from the required point in time.
- Validity: The data conforms to the syntax (format, type, range) of its definition.
- Accuracy: The degree to which data correctly describes the real world object or event being described.
- Consistency: The absence of difference, when comparing two or more representations of a thing against a definition.

Slide 6: State of the Art
- Visualization and Data Guidelines
- Security Best Practices
  - ISO/IEC 27001
  - Critical Security Controls

Slide 7: Security Best Practices
- ISO/IEC 27001
  - 13.1.2 Security of network services
  - 18.2.3 Technical review to ensure compliance with information security policy
- Critical Security Controls: CSC 9 Limitation and control of network ports
  - 9.1 Only ports, protocols, and services with validated business needs are running on each system
  - 9.3 Automated regular port scans against all key servers and comparison of the results to a known baseline

Slide 8: State of the Art
- Visualization and Data Guidelines
- Security Best Practices
  - ISO/IEC 27001
  - Critical Security Controls
- Existing Publications

Slide 9: Existing Publications
(figure only)

Slide 10: State of the Art
- Visualization and Data Guidelines
- Security Best Practices
  - ISO/IEC 27001
  - Critical Security Controls
- Existing Publications
- Visualization and Knowledge Processes
  - Ware, Fry, Marty, and Balakrishnan
  - Burkhard

Slide 11: Process Framework Vis4Sec
- Initiation
  - Environment
  - Requirements
  - Stakeholders
  - Planned Actions
- Question Phase
- Data Preparation Phase
  - Data Sources
  - Ensure Data Quality
- Visualization Phase
- Interaction Phase
- Iterations

Slide 12: Initiation
- Environment: Scientific Data Center LRZ
- Requirements
  - Know running services
  - Detect new services
  - Detect and patch potentially vulnerable services
- Stakeholders
  - System and security admins
  - IT management
- Planned Actions
  - Automation of network scans
  - Stakeholder specific filtering and distribution of results

Slide 13: Question Phase
- What are the reachable ports on each system?
  - Externally
  - Internally

Slide 14: Data Preparation Phase - Data Source I
- DR Portscan
  - Centralized regular network scans
  - Aggregated
  - Automated reporting
  - Information -> operations

Slide 15: Data Preparation Phase - Ensure Data Quality I
(figure only)

Slide 16: Data Preparation Phase - Ensure Data Quality II
(figure only)

Slide 17: Data Preparation Phase - Data Source II
- DR Portscan
- Organizational
  - CMDB
  - Inventory DB
  - LDAP
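The following is an added example, not the authors' Vis4Sec tooling, of the first iteration described on slides 7, 12 and 14 to 17: scan records are cleaned against two of the data quality dimensions from slide 5, compared with a known baseline as CSC 9.3 requires, and the deviations are grouped per responsible admin using a CMDB extract. All hosts, ports, timestamps and admin addresses are constructed.

```python
"""Baseline comparison of port-scan results with stakeholder-specific grouping.
Added example with constructed data; not the authors' Vis4Sec implementation."""
from datetime import datetime, timedelta

# Constructed baseline: host -> approved (port, proto) pairs (CSC 9.1 business need)
BASELINE = {
    "10.0.0.1": {(22, "tcp"), (443, "tcp")},
    "10.0.0.2": {(22, "tcp"), (123, "udp")},
}
# Constructed scan records; 9100/tcp is the printer port named on slide 23
SCAN = [
    {"host": "10.0.0.1", "port": 22, "proto": "tcp", "seen": "2018-06-20T02:00:00"},
    {"host": "10.0.0.1", "port": 443, "proto": "tcp", "seen": "2018-06-20T02:00:00"},
    {"host": "10.0.0.1", "port": 9100, "proto": "tcp", "seen": "2018-06-20T02:00:00"},
    {"host": "10.0.0.1", "port": 9100, "proto": "tcp", "seen": "2018-06-20T02:00:00"},
    {"host": "10.0.0.2", "port": 22, "proto": "tcp", "seen": "2018-06-01T02:00:00"},
]
# Constructed CMDB extract: host -> responsible admin (the stakeholder)
CMDB = {"10.0.0.1": "admin-a@example.org", "10.0.0.2": "admin-b@example.org"}

def check_quality(scan, now_iso, max_age_days):
    """Two of the DAMA UK dimensions from slide 5: uniqueness (drop duplicate
    records) and timeliness (report records older than max_age_days)."""
    now, max_age = datetime.fromisoformat(now_iso), timedelta(days=max_age_days)
    unique, seen, stale = [], set(), []
    for rec in scan:
        key = (rec["host"], rec["port"], rec["proto"])
        if key in seen:
            continue  # uniqueness: the same open port was recorded twice
        seen.add(key)
        if now - datetime.fromisoformat(rec["seen"]) > max_age:
            stale.append(key)  # timeliness: result may no longer reflect reality
        unique.append(rec)
    return unique, stale

def compare_to_baseline(scan, baseline):
    """CSC 9.3: 'new' = open but not approved, 'missing' = approved but not seen."""
    open_ports = {}
    for rec in scan:
        open_ports.setdefault(rec["host"], set()).add((rec["port"], rec["proto"]))
    return {h: {"new": open_ports.get(h, set()) - baseline.get(h, set()),
                "missing": baseline.get(h, set()) - open_ports.get(h, set())}
            for h in set(open_ports) | set(baseline)}

def per_stakeholder(findings, cmdb):
    """Stakeholder-specific filtering: each admin only receives their own hosts."""
    report = {}
    for host, dev in findings.items():
        if dev["new"] or dev["missing"]:
            report.setdefault(cmdb.get(host, "unassigned"), {})[host] = dev
    return report
```

Hosts without a CMDB owner land under "unassigned", which is itself a completeness finding worth reporting to IT management.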

Slide 18: Visualization Phase
"Visualization gives you answers to questions you didn't know you had." Ben Shneiderman

Slide 19: Interaction Phase
- Data
- Dashboards

Slide 20: Iteration
Redefined Question:
- What are the externally reachable services that use a vulnerable OpenSSL library?

Slide 21: Data Preparation Phase
- Data Sources
  - Port Scanner
  - Organizational
  - Scan: SSL Cipher-Suites
  - Common Vulnerabilities and Exposures
  - Installed software on each system
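As an added example for the second iteration (slides 20 and 21), not code from the authors, the data sources named above are correlated: externally reachable TLS services from the port and cipher-suite scans are joined with the software inventory, and the installed OpenSSL version is checked against affected version ranges of the kind the CVE source would supply. The version ranges, hosts and inventory contents are constructed placeholders, not a real advisory.

```python
"""Correlation of externally reachable TLS services with the installed OpenSSL
version per host. Added example; constructed data and placeholder ranges."""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")

def parse_version(text):
    """'1.0.2g' -> (1, 0, 2, 'g'); the letter orders patch releases in a branch."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    return (int(match[1]), int(match[2]), int(match[3]), match[4])

# Placeholder affected ranges per branch as [first vulnerable, first fixed).
# In practice these come from the CVE data source; the values here are made up.
VULNERABLE_RANGES = [("1.0.2a", "1.0.2h"), ("1.1.0", "1.1.0b")]

def is_vulnerable(version):
    parsed = parse_version(version)
    return any(parse_version(lo) <= parsed < parse_version(hi)
               for lo, hi in VULNERABLE_RANGES)

# Constructed extracts: (host, port) pairs that answered a TLS handshake externally,
# and the software inventory; 10.0.0.3 deliberately has no inventory record.
EXTERNAL_TLS = [("10.0.0.1", 443), ("10.0.0.2", 443), ("10.0.0.3", 8443)]
INSTALLED = {"10.0.0.1": "1.0.2g", "10.0.0.2": "1.0.2k"}

def exposed_vulnerable_services(external_tls, installed):
    """Answer the redefined question of slide 20. An inventory gap is reported
    instead of being silently treated as 'not vulnerable' (completeness)."""
    findings = []
    for host, port in external_tls:
        version = installed.get(host)
        if version is None:
            findings.append((host, port, None, "no inventory record"))
        elif is_vulnerable(version):
            findings.append((host, port, version, "vulnerable OpenSSL"))
    return findings
```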

Slide 22: Visualization + Interaction Phase
- Data
- Dashboards
- Reports

Slide 23: Conclusion - Process Iterations
Various iterations:
- Vulnerabilities: Unneeded open ports, e.g. Printer (9100), NTP (123)
- Stakeholders
- Controls: Authorized devices; Updates and patching
- Improvement: Settings corrected; Awareness

Slide 24: Further Iterations
- Transferable to further
  - Vulnerabilities
  - Security controls
  - Security approaches
- Updates
- Vulnerabilities

Slide 25: Conclusion
- Initiates
  - Communication among stakeholders
  - Revision of security settings
  - Security and data awareness
- Supports
  - Implementation of compliance requirements
  - Organizational knowledge generation and transfer
  - Overview of existing systems and security state
- Knowledge: IT management + IT operations

Slide 26: Thank you for your attention
Source adapted from https://xkcd.com/1354/