PCI-DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a standard that all organizations that store, process or transmit cardholder data, including online retailers, must follow.
The standard was developed and is maintained by the Payment Card Industry Security Standards Council (PCI SSC).
Listed below are the twelve requirements for PCI DSS compliance, grouped under the standard's six control objectives.
Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security
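One practical check for Requirement 3 is scanning logs and files for card numbers that should not be there. As an added example (not part of the original post), the following Python finds Luhn-valid primary account numbers (PANs) in a constructed sample log and masks them to the first six and last four digits, the most PCI DSS permits to be displayed. The log lines, the regular expression and the 13-19 digit length bound are the editor's assumptions; the Luhn check itself is the standard one used for card numbers.

```python
"""Added example (not from the original post): locate PANs that have leaked
into application logs, which PCI DSS Requirement 3 says must not hold
cardholder data in the clear, and mask them.

The sample log, regex and length bounds below are assumptions made for
this example, not anything the original page describes.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log. Line 1 holds a valid test PAN, line 2 a 14-digit
# request id that is not a card number, line 3 a 15-digit test PAN, and
# line 4 a 16-digit string that fails the Luhn check.
SAMPLE_LOG = """\
2011-02-17 10:03:12 INFO  order=10042 pan=4111 1111 1111 1111 status=AUTH
2011-02-17 10:03:13 DEBUG req_id=20110217123456 user=alice
2011-02-17 10:04:01 INFO  order=10043 pan=378282246310005 status=DECLINED
2011-02-17 10:04:05 INFO  order=10044 pan=4111-1111-1111-1112 status=AUTH
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators the regex allows, leaving digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits (PCI DSS 3.3 display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form.

    Candidates that fail the Luhn check (such as the 14-digit request id in
    the sample) are left untouched, so ordinary numeric fields survive.
    """
    def _sub(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

The Luhn filter is what keeps this usable on real logs: timestamps, order numbers and request ids produce long digit runs that would otherwise drown the true hits. A hit in a log is itself a finding to act on, since masking the log does not remove the PAN from wherever it was written from.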
HEMAL SHAH's Blog
November 17, 2011
March 4, 2011
Different Ways of Virtualization
Introduction:
What does "virtualization", or in simple terms "going virtual", really mean in today's IT world? Virtualization is an old concept that is now being widely used for its benefits.
Virtualization can be applied to almost any part of an IT infrastructure. Since virtualization is a versatile term and each form has its own significance, let's discuss each one briefly.
Virtualization falls into three basic categories:
Operating System
Storage
Applications.
But these categories are very broad and do not adequately outline the key aspects. It is helpful to refine them into eight specific categories to understand the differences and similarities between the definitions of virtualization.
Operating System Virtualization:
This is the most widespread form of virtualization today, and the one most end users are familiar with. Virtual operating systems (virtual machines) are quickly becoming a core component of the IT infrastructure. Virtual machines are typically full implementations of standard operating systems, such as Windows or Red Hat Enterprise Linux, running concurrently on the same physical hardware, each managed individually by a virtual machine monitor (hypervisor). Each operating system instance is normally unaware that it is virtual or that other instances are running alongside it; isolation between guests is enforced by the hypervisor, not by the guests themselves. Companies like VMware, Intel, Microsoft and AMD are leading the way in breaking the physical relationship between an operating system and its native hardware and extending this pattern into the data center. Data center consolidation is the primary driving force bringing virtual machines to the mainstream market: enterprises reduce the number of physical machines in their data centers without reducing the number of applications they run, which ultimately reduces infrastructure cost.
Application Server Virtualization:
Application server virtualization is often used as a synonym for advanced load balancing. The core concept is best seen in an appliance or service that transparently fronts many different application services. The virtual interface, often referred to as a virtual IP (VIP), is exposed to the outside world as if it were the actual web server and manages the connections to and from the real servers as needed. This lets the load balancer manage multiple web servers or applications as a single instance, which gives a more secure and robust topology than allowing users direct access to individual web servers, since only the VIP is exposed.
Application Virtualization:
While the names sound similar, application server virtualization and application virtualization are two completely different concepts. What we now call application virtualization we used to call "thin clients"; the technology is essentially the same, only the name has changed. Good examples include Microsoft Terminal Services and browser-based applications. These implementations depend on the virtual application running locally while the management and application logic run remotely.
Management Virtualization:
If you use separate passwords for the root/administrator accounts on your mail and web servers, so that your mail administrators do not know the web server's password and vice versa, you have deployed management virtualization in its most basic form. The pattern extends down to segmented administration roles on a single platform or box, which is where segmented administration becomes "virtual". User and group policies on the Microsoft platform are an excellent example of virtualized administration rights.
Network Virtualization:
Network virtualization may be the vaguest of the specific definitions of virtualization. A simple example is the VLAN (IEEE 802.1Q): a single Ethernet port may carry traffic for multiple virtual networks, each with its own IP addressing, but they are logically segmented. Each virtual connection over the single physical port is independent and unaware of the others, while the managing hardware (the switch) is aware of each VLAN and handles each one separately; the segmentation is therefore only as strong as the switch configuration that defines which VLANs each port may carry.
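As an added example (the code is the editor's, not from the original post or from F5), the following Python builds and parses IEEE 802.1Q-tagged Ethernet frames and models a learning switch whose forwarding table is keyed by VLAN ID, which is the mechanism that keeps the connections on one physical port separate. The MAC addresses, the port-to-VLAN assignments and the treatment of untagged frames as native VLAN 1 are constructed assumptions for the example.

```python
"""Added example (not from the original post): 802.1Q tag encoding/decoding
and a minimal VLAN-aware learning switch.

The tag layout (TPID 0x8100, then a 16-bit TCI of 3-bit PCP, 1-bit DEI and
12-bit VID) is the IEEE 802.1Q format. The MAC addresses, ports and VLAN
assignments below are constructed for the example.
"""
import struct

TPID_8021Q = 0x8100
NATIVE_VLAN = 1   # assumption: untagged frames belong to VLAN 1


def build_frame(dst, src, vid, ethertype, payload, pcp=0, dei=0):
    """Return an 802.1Q-tagged frame: dst, src, TPID, TCI, ethertype, payload."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not (0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Decode an Ethernet frame; VLAN fields are None when there is no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


class Switch:
    """Learning switch whose MAC table is keyed by (vid, mac).

    A MAC learned in VLAN 10 is therefore unknown in VLAN 20, and flooding
    only reaches ports configured to carry that VLAN, which is what keeps
    the virtual networks on a shared trunk port apart.
    """

    def __init__(self, port_vlans):
        self.port_vlans = port_vlans   # port -> set of VIDs it carries
        self.table = {}                # (vid, mac) -> port

    def forward(self, in_port, frame):
        """Return the list of egress ports for a frame arriving on in_port."""
        f = parse_frame(frame)
        vid = f["vid"] if f["vid"] is not None else NATIVE_VLAN
        if vid not in self.port_vlans.get(in_port, set()):
            return []                  # VLAN not allowed on this port: drop
        self.table[(vid, f["src"])] = in_port
        out = self.table.get((vid, f["dst"]))
        if out is not None:
            return [] if out == in_port else [out]
        # Unknown destination: flood, but only within the VLAN and never back out the ingress.
        return sorted(p for p, vids in self.port_vlans.items()
                      if vid in vids and p != in_port)


def demo():
    """Port 1 is a trunk (VLANs 10 and 20); port 2 is access VLAN 10; port 3 is access VLAN 20."""
    host_a = bytes.fromhex("020000000001")   # constructed locally administered MACs
    host_b = bytes.fromhex("020000000002")
    sw = Switch({1: {10, 20}, 2: {10}, 3: {20}})
    results = [
        sw.forward(3, build_frame(host_a, host_b, 20, 0x0800, b"hello")),  # B learned in VLAN 20
        sw.forward(2, build_frame(host_b, host_a, 10, 0x0800, b"ping")),   # B unknown in VLAN 10
        sw.forward(2, build_frame(host_b, host_a, 20, 0x0800, b"ping")),   # VLAN 20 not allowed on port 2
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

In the demo, host B's MAC is already in the switch table, yet a frame for it from VLAN 10 is flooded only to the trunk and never reaches B's access port: the table lookup is per VLAN, so knowing a MAC in one VLAN gives no path to it from another.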
Hardware Virtualization:
Hardware virtualization is very similar in concept to operating system virtualization, and to some extent it is required for virtualization to occur at all. It breaks pieces and locations of physical hardware into independent segments and manages those segments as separate, individual components. Although they fall into different classifications, both symmetric and asymmetric multiprocessing are examples of hardware virtualization: in both, the process requesting CPU time is not aware of which processor it is running on. As far as the process is concerned, it could be spread across any number of CPUs and any amount of RAM.
Storage Virtualization:
Storage virtualization can be divided into two classes:
- Block virtualization and
- File virtualization.
Block virtualization is best summed up by Storage Area Network (SAN) technology: distributed storage that appears to be a single physical block device (Network Attached Storage, NAS, is the file-level counterpart). SAN devices themselves typically implement another form of storage virtualization: RAID.
File virtualization moves the virtual layer up into the more human-consumable file and directory structure level. Most file virtualization technologies sit in front of storage networks and keep track of which files and directories reside on which storage devices, maintaining global mappings of file locations. When a request is made to read a file, the user may think this file is statically located on their personal remote drive; however, the file virtualization appliance knows that the file is actually located on a server in a data center across the globe.
Service Virtualization:
Service virtualization is consolidation of all of the above into one phrase. Service virtualization connects all of the components utilized in delivering an application over the network, and includes the process of making all pieces of an application work together regardless of where those pieces physically reside. This is why service virtualization is typically used as an enabler for application availability.
References:
F5 white paper by Alan Murphy.
February 17, 2011
Database Security
WHY DATABASE SECURITY?
Database security has been given serious attention only in the last couple of years, but it is now beginning to draw more attention from industry analysts and from security and database professionals. Worsening and highly publicized data breaches on the one hand, and stricter regulatory compliance demands on the other, are pushing database security to the foreground.
Today many database professionals are not familiar with the security aspects of database management, while many security professionals are familiar with network and desktop security but not with database security. This is beginning to change as the importance of securing databases becomes apparent.
UNDERSTANDING THE THREAT
Databases are subject to some unique types of threat that cannot be handled by firewalls, intrusion detection and prevention systems and other perimeter defenses, since the traffic that carries them is legitimate database traffic over an allowed connection. The threat landscape is constantly evolving and becoming more sophisticated and specialized (e.g. attacking through memory backdoors inside databases).
Who Are The Intruders?
The intruders could be anyone: the high-school student hacking into the Pentagon just to prove that he can, a professional hacker doing it for profit, or a disturbed person doing it for fun.
The profit motive has changed the nature of intrusion attempts from ones that try to penetrate and then deface or wreak havoc, to ones that strive to be stealthy and leave no tracks, with the aim of stealing data for financial gain.
Insider Threat, Privileged Users
Concurrently with the change in the nature of the external threat, there is increasing attention being given to the “insider threat”. This umbrella term refers to damage caused by individuals within the organization, either maliciously or accidentally.
Is the insider threat serious? It certainly is. Recent breaches such as the one at Fidelity National Information Services, where a senior DBA sold millions of customer credit card records, are proof of that. This does not mean that all insiders are suspects; however, it is clear that insiders bent on stealing data have a greater chance of succeeding than outside intruders, because they already hold legitimate access.
VULNERABILITIES
As database management systems have grown in complexity, they have become more vulnerable to attack. These vulnerabilities range from relatively benign ones to ones that allow unauthorized users to take over the database through privilege escalation.
Much has been said and written about how DBMS vendors cope with vulnerabilities and how quickly they should patch them. The reality of the past few years is that the number of reported vulnerabilities keeps rising even as vendors redouble their patching efforts.
Additionally, it usually takes a vendor several months or more to distribute a patch, and it takes customers several further months to install it, since patching usually requires testing and database downtime. Many customers do not apply the patches at all, and their databases remain exposed to severe attacks.
The steps organizations currently take toward database security are not adequate and could allow intruders to attack. Organizations need to understand the severity of these attacks and take strong measures to prevent them.