Comprehensive Cybersecurity Tips and Tools for Website Hardening

Slide Note
Embed
Share

Frosty Walker, Chief Information Security Officer at Texas Education Agency, leads the Data Security Advisory Committee offering guidance to Texas education communities. Explore resources like the Texas Gateway for cybersecurity tips and tools, process flow charts, application diagrams, and a vulnerability scanning program for secure development practices.

jano424
jano424 Follow

Uploaded on Oct 08, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. CYBERSECURITY TIPS AND TOOLS- WEBSITE HARDENING Frosty Walker Chief Information Security Officer Texas Education Agency Frosty.Walker@tea.texas.gov (512) 463-5095

  2. Data Security Advisory Committee The Data Security Advisory Committee (DSAC) provides guidance to the Texas education communities, maximizing collaboration and communication regarding information security issues and resources which can be utilized within the educational communities served. The DSAC is currently comprised of representatives from school districts, ESCs, TEA and the private sector.

  3. Texas Gateway https://www.texasgateway.org/ Cybersecurity Tips and Tools

  4. Planning a Secure Application Maintaining an Existing Site

  5. Process Flow Chart

  6. Simple Application Diagram HTTPS (SSL via TLS 1.2) Port 443 with HTTP Strict Transport Security https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

  7. Application Diagram with Firewall

  8. Application Diagram with Segmented Network

  9. Vulnerability Scanning Program Once the development of the application starts, we should be prepared to start your Vulnerability Scanning. Vulnerability Scanning should take place as sprints or modules are completed. The most economical and efficient time to correct security issues are during this early phase of the project. By the time the application is ready to move into TEST, it should be clean of most vulnerabilities or we have documented artifacts and potential remediation steps to resolve the issues during a TEST release. Each release version in TEST should be scanned and remediation efforts scheduled. Prior to being promoted into PRODUCTION, all vulnerabilities (not warnings) should be remediated. As soon as it is in production, it should be scanned again to make sure it is clean.

  10. Vulnerability Scanning Program Once the application is in production, we start routine scanning for any issues (at a minimum once a quarter) and planned remediation. Additionally, any new releases should be scanned and remediated in DEV/TEST prior to being promoted to production.

  11. Who needs an Application Vulnerability Scanning Program? If you develop applications in-house, you need a Vulnerability Scanning Program. A vulnerability Scanner should do at least four things: Identify security issues Identify where the security issues are located Estimate the amount of time it will take to remediate the issue References how to resolve the security issue

  12. What should be included in a Vulnerability Scanning Program? All of your publicly-facing applications at a minimum should be routinely scanned for vulnerabilities and remediation steps should be taken to resolve issues in a timely manner.

  13. You can outsource everything, except responsibility. John Keel, Texas State Auditor

  14. Sample Contract Language with NYE conducting Vulnerability Scanning Program Name of Your Entity (NYE) expects all partners, consultants, and vendors to abide by NYE information security policies. Appropriate security controls shall be incorporated at all relevant stages of data storage, processing, transmission, and destruction. This is to accomplish the overall information security objective of mitigating risk, both directly and indirectly, to any NYE-managed or business partner- managed information resource. administrative, technical, and physical

  15. The off-site downloading, transfer, and/or storage of sensitive and protected data is strictly prohibited. Any NYE data that is stored, transmitted, or processed on non-NYE computers or media renders them subject to Public Information Act requests. Websites or portals shall be accessible through a secure connection (HTTPS-only, with HTTP Strict Transport Security (HSTS)), utilizing Transport Layer Security (TLS) version 1.2 or higher. NYE retains the right to scan websites for vulnerabilities and request remediation of identified issues in a timely manner not to exceed three months.

  16. Vendor agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The following sample list of requirements is given to exemplify best application practices: a. Usage-limiting techniques countermeasures wherever a denial-of-service or automated attack vulnerability is clearly inherent in the architecture. b. Sufficiently strong encryption, per industry standards, wherever confidential data is at rest or traverses a network. c. Effective error handling that does not return unnecessarily verbose messages to the user that could be used to gain insight into application internals or other privileged processes or data. and development and other protective

  17. Vendor will notify NYE within committed timeframes to the NYE Information Security Officer, of a security or privacy incident including but not limited to an actual or suspected security breach or denial of service attack that will affect infrastructure and operations as set forth in the service agreement. Further, vendor will notify NYE within 24 hours of any new report of any security vulnerability that affects their platforms directly or indirectly, that is published in sources including but not limited to the CVE and US- CERT, and will provide mitigation or repair advice within 72 hours. Vendor will provide a roadmap for final resolution within one week, and complete remediation must conclude within three months.

  18. Sample Contract Language with Vendor conducting Vulnerability Scanning Program Name of Your Entity (NYE) expects all partners, consultants, and vendors to abide by NYE information security policies. Appropriate security controls shall be incorporated at all relevant stages of data storage, processing, transmission, and destruction. This is to accomplish the overall information security objective of mitigating risk, both directly and indirectly, to any NYE-managed or business partner- managed information resource. administrative, technical, and physical

  19. The off-site downloading, transfer, and/or storage of sensitive and protected data is strictly prohibited. Any NYE data that is stored, transmitted, or processed on non-NYE computers or media renders them subject to Public Information Act requests. Websites or portals shall be accessible through a secure connection (HTTPS-only, with HTTP Strict Transport Security (HSTS)), utilizing Transport Layer Security (TLS) version 1.2 or higher. NYE retains the right to scan websites for vulnerabilities and request remediation of identified issues in a timely manner not to exceed three months.

  20. Vendor agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security.

  21. The following sample list of requirements is given to exemplify best application practices. a. Usage-limiting techniques countermeasures wherever a denial-of-service or automated attack vulnerability is clearly inherent in the architecture. b. Sufficiently strong encryption, per industry standards, wherever confidential data is at rest or traverses a network. c. Effective error handling that does not return unnecessarily verbose messages to the user that could be used to gain insight into application internals or other privileged processes or data. d. Vendor agrees to run quarterly Vulnerability Scans on any NYE application in production and will share Vulnerability Scan report with NYE along with a roadmap for completion vulnerabilities within a 90 day timeframe and development and other protective remediation of all

  22. Vendor will notify NYE within committed timeframes to the NYE Information Security Officer, of a security or privacy incident including but not limited to an actual or suspected security breach or denial of service attack that will affect infrastructure and operations as set forth in the service agreement. Further, vendor will notify NYE within 24 hours of any new report of any security vulnerability that affects their platforms directly or indirectly, that is published in sources including but not limited to the CVE and US- CERT, and will provide mitigation or repair advice within 72 hours. Vendor will provide a roadmap for final resolution within one week, and complete remediation must conclude within three months.

  23. Questions?

Related


Comprehensive Airport Cybersecurity Quick Guide and Assessment Tool

Comprehensive Airport Cybersecurity Quick Guide and Assessment Tool

emmitt
Ice Cream Hardening Process: Techniques and Factors

Ice Cream Hardening Process: Techniques and Factors

astra
Shovel-Ready Projects Initiative for Cybersecurity Innovation in Canada

Shovel-Ready Projects Initiative for Cybersecurity Innovation in Canada

aberm
Cybersecurity Career Path Overview

Cybersecurity Career Path Overview

rusty
Ensuring Business Security: Cybersecurity Webinar Insights

Ensuring Business Security: Cybersecurity Webinar Insights

amelia
IRIS H2020 Project - Enhancing Cybersecurity for SMART CITIES

IRIS H2020 Project - Enhancing Cybersecurity for SMART CITIES

airt550
Cybersecurity Workforce Management: Engage, Empower, Elevate

Cybersecurity Workforce Management: Engage, Empower, Elevate

dena835
Cybersecurity and Computer Science Education Projects at UH Maui College

Cybersecurity and Computer Science Education Projects at UH Maui College

karm_14
Enhancing Cybersecurity for Improved Insurability and Risk Management

Enhancing Cybersecurity for Improved Insurability and Risk Management

trac_745
Workshop on Cybersecurity Professionalism & Ethics

Workshop on Cybersecurity Professionalism & Ethics

acke_ddy
Ethics in Cybersecurity: Evolution, Challenges, and Solutions

Ethics in Cybersecurity: Evolution, Challenges, and Solutions

kdett
Insights into Cosmic Ray Spectrum Breaks and Hardening after Centuries of High-Resolution Measurements

Insights into Cosmic Ray Spectrum Breaks and Hardening after Centuries of High-Resolution Measurements

peti_mi
The Hardening of Pharaoh in Exodus: A Biblical Study

The Hardening of Pharaoh in Exodus: A Biblical Study

czec_ban
Secure System Hardening Techniques for Metasploitable 2 Linux VM

Secure System Hardening Techniques for Metasploitable 2 Linux VM

bsasa
Cybersecurity Expert Shiva V. Parasram - Profile and Advice

Cybersecurity Expert Shiva V. Parasram - Profile and Advice

deniz
Kuken Co. Ltd.: Leading Provider of Specialized Tools Since 1968

Kuken Co. Ltd.: Leading Provider of Specialized Tools Since 1968

paer999
Financial Management and Cybersecurity: Essential Tips for Treasurers

Financial Management and Cybersecurity: Essential Tips for Treasurers

mariama
Empowering NNSA Cyber Professionals Through Enterprise Tools and Data Analytics

Empowering NNSA Cyber Professionals Through Enterprise Tools and Data Analytics

bloom
Instrument human capital cybersecurity mkb bedrijven

Instrument human capital cybersecurity mkb bedrijven

myron
Comprehensive Bug Hunting Toolkit for Cybersecurity Enthusiasts

Comprehensive Bug Hunting Toolkit for Cybersecurity Enthusiasts

cyan
Cybersecurity Risk Management in K-12 Education: Challenges and Strategies

Cybersecurity Risk Management in K-12 Education: Challenges and Strategies

betsy
C2M2 Version 2.1 Cybersecurity Model Overview

C2M2 Version 2.1 Cybersecurity Model Overview

giana
Enhancing California's Election Cybersecurity Readiness

Enhancing California's Election Cybersecurity Readiness

mallory
Cybersecurity and Personal Finance: A Tale of Appily Ever After

Cybersecurity and Personal Finance: A Tale of Appily Ever After

elspeth

More Related Content

Automated Signature Extraction for High Volume Attacks in Cybersecurity
Automated Signature Extraction for High Volume Attacks in Cybersecurity
Franco-Japanese Cybersecurity Workshop Highlights and Future Plans
Franco-Japanese Cybersecurity Workshop Highlights and Future Plans
Adversarial Machine Learning in Cybersecurity: Challenges and Defenses
Adversarial Machine Learning in Cybersecurity: Challenges and Defenses
Which and How of Cybersecurity Frameworks
Which and How of Cybersecurity Frameworks
Exploring Adversarial Machine Learning in Cybersecurity
Exploring Adversarial Machine Learning in Cybersecurity
Cybersecurity Tabletop Exercise Overview
Cybersecurity Tabletop Exercise Overview
Cybersecurity Entrepreneurship Workshop Highlights
Cybersecurity Entrepreneurship Workshop Highlights
Professionalism in Cybersecurity: Developing Essential Skills
Professionalism in Cybersecurity: Developing Essential Skills
Machine Learning for Cybersecurity Challenges: Addressing Adversarial Attacks and Interpretable Models
Machine Learning for Cybersecurity Challenges: Addressing Adversarial Attacks and Interpretable Models
Cybersecurity and Supply Chain Risk Management: Best Practices for Procurement
Cybersecurity and Supply Chain Risk Management: Best Practices for Procurement
Challenges in Cybersecurity Implementation: A Philippine Perspective
Challenges in Cybersecurity Implementation: A Philippine Perspective
Empowering Women in Cyber: CyberFirst Girls Competition
Empowering Women in Cyber: CyberFirst Girls Competition
REWIRE Cybersecurity Skills Alliance
REWIRE Cybersecurity Skills Alliance
CYBERSECURITY AWARENESS MONTH 2023
CYBERSECURITY AWARENESS MONTH 2023
Cybersecurity Risks for Remote CISTAR Facilities Study
Cybersecurity Risks for Remote CISTAR Facilities Study
Cybersecurity Industry Call for Innovation (CyberCall)
Cybersecurity Industry Call for Innovation (CyberCall)
Fuel Cycle Analysis Toolbox: Enhancing Understanding and Optimization
Fuel Cycle Analysis Toolbox: Enhancing Understanding and Optimization
Hands-On Training with P4 and Hardware Switches at University of South Carolina
Hands-On Training with P4 and Hardware Switches at University of South Carolina
Cybersecurity Challenges and Tips for Remote Workforce in Education
Cybersecurity Challenges and Tips for Remote Workforce in Education
Comprehensive Cloud Security Measures and Solutions
Comprehensive Cloud Security Measures and Solutions
Understanding Cybersecurity for Kids: STOP. THINK. CONNECT.
Understanding Cybersecurity for Kids: STOP. THINK. CONNECT.
Comprehensive Guide to Sewing Tools and Equipment
Comprehensive Guide to Sewing Tools and Equipment
Enhancing Cybersecurity with Bluedog VAPT Services
Enhancing Cybersecurity with Bluedog VAPT Services
Curing and Protection of Concrete: A Comprehensive Guide
Curing and Protection of Concrete: A Comprehensive Guide