web - All Articles - CISO Platform2024-03-29T14:44:29Zhttps://www.cisoplatform.com/profiles/blogs/feed/tag/webNIST and Web Application Security:Is Your Organization Really Considering All of the Risks in the Enterprise?https://www.cisoplatform.com/profiles/blogs/nist-and-application-security-is-your-organization-really2013-05-16T13:30:00.000Z2013-05-16T13:30:00.000ZMark Wiremanhttps://www.cisoplatform.com/members/MarkWireman<div><p class="BasicParagraph">Writing not only functional but secure applications is not a new concept, nor an idea that has taken the industry by storm. However, many Government and Commercial Organizations are still not adhering to, or requiring their Organizations to adopt, implement, and build security into, the Systems Development Life Cycle process. Instead, Organizations continue to focus on the functional aspects of software, only to be surprised when a weakness or vulnerability in the software leads to a compromise, resulting in thousands of records stolen in the process. So the fundamental question is: why is this still a hard problem for Organizations to tackle?</p><p class="BasicParagraph">Application Security is still fraught with challenges (Challey, 2009), which give Application Security the appearance of an enigma due to the following:</p><ul><li><b>Application Security Changes Rapidly</b><ul><li>With the growing landscape and priority of threats, vulnerabilities, and weaknesses, an Organization can quickly fall behind.</li></ul></li><li><b>Changing Landscape</b><ul><li>The technology landscape is constantly changing. This requires constant awareness and education on new technologies to prepare for and address new threat vectors and attack landscapes.</li></ul></li><li><b>Becoming an Enabler</b><ul><li>Security is typically viewed as a disabler because of the perception that Security mandates and controls hinder and slow processes. 
Within the Software Development process, Security is viewed as overhead in terms of additional financial and human resources, as well as slowing down the “time to market” for the applications.</li></ul></li></ul><p class="BasicParagraph">Because of the stigma of Application Security as an enigma, the challenges of implementing an Application Security program internally within an Organization, and the gap in academia in teaching Developers how to write both functional and secure applications, Organizations – both Government and Commercial – <b><i>continue to be front page news items as a result of the compromise of one of their Applications</i></b>.</p><p class="BasicParagraph">Most Government Organizations, and Commercial Organizations that work directly with the Government, deal with medical records, or are held to certain legal requirements, are typically held to the regulatory requirements, from a Security perspective, of NIST (National Institute of Standards and Technology). NIST provides specific guidelines known as Special Publications that an Organization can leverage to prepare for a NIST audit, certification, and accreditation. 
Therefore an Organization must understand the NIST requirements, and it is this understanding that allows the Organization to be uniquely positioned and prepared to receive accreditation, especially when building security into its System Development Life Cycle (SDLC) process.</p><p class="BasicParagraph">(Kissel et al, 2008) offers a guide to building the necessary security and controls into the various phases of the SDLC. (Kissel et al, 2008) is a complement to the Risk Management Framework presented in (Ross, 2011). To better understand the RMF and its relation to Application Security, the following three-tier view of Risk controls within an Organization from (Ross, 2011) is adopted to identify where the SDLC fits in:</p><ol><li><b>Tier 1</b> – Organizational. A Risk Assessment at this Tier is focused on the Organization’s Information Security programs, policies, procedures, and guidance. Risk Acceptance, Avoidance, Mitigation, Sharing, and Transfer are key elements of the driver behind the IS Program. Investment decisions are then determined based on the Risk posture, to include procurement activities, controls, and monitoring activities. This is equivalent to the Management Controls listed in (Swanson, 2001) and (Guttman and Roback, 2006). From an SDLC perspective, this includes the Life Cycle Assessment process, focusing on a Program, Policies, and Procedures for SDLC Activities that include identification and remediation of Vulnerabilities within the SDLC Phases (Initiation, Deployment/Acquisition, Implementation/Assessment, Operation/Maintenance, and Disposal).</li><li><b>Tier 2</b> – Mission / Business Processes. A Risk Assessment at this Tier can inform Enterprise and Security Architecture design decisions, common Controls, Acquisition partners and Vendors, Risk Awareness for Business Processes, and demonstrating Security as a Business Enabler by interpreting Policies and Procedures as Business essentials that help streamline Business Operations rather than as a mandated necessity. From an SDLC perspective, this is building in the Gate Controls providing check-points between the Phases, Training, and Change Management.</li><li><b>Tier 3</b> – Information Systems. A Risk Assessment can drive the design and implementation decisions for the Security Controls from a technology perspective. In addition, Operational decisions can be determined, which include monitoring, authorization, and maintenance. From an SDLC perspective, this is the implementation of the technologies in the Technical Controls that will be introduced to help meet the Gate requirements, as well as the Policy requirements for Identification and Authentication (I&A), Access Controls (Logical), and Auditing within the Applications.</li></ol><p class="BasicParagraph">It is, therefore, important to align your Organization with the requirements in NIST SP 800-64 and with the Risk Management Framework. The approach breaks down each of the phases of the SDLC and, within each phase, assigns and aligns each Control Objective with a Control Number, Description, Level, and a recommended set of decision points to include within a Gate process that provides a Go / No Go decision to the next phase. 
Table 1 is a sample of the approach within the Initiation Phase of the SDLC:</p><table width="100%" border="1" cellspacing="0"><tbody><tr><td width="13%" nowrap="nowrap"><p align="center"><b>Control Number</b></p></td><td width="17%"><p align="center"><b>Control</b></p></td><td width="25%"><p align="center"><b>Description</b></p></td><td width="15%"><p align="center"><b>Metrics</b></p></td><td width="8%"><p align="center"><b>Level</b></p></td><td width="19%"><p align="center"><b>Recommended Control Gates</b></p></td></tr><tr><td width="100%" nowrap="nowrap" valign="bottom" colspan="6"><p><b>Initiation</b></p></td></tr><tr><td width="13%" nowrap="nowrap" valign="top"><p>I.1.1</p></td><td width="17%"><p>Identify sources of Security Requirements</p></td><td width="25%"><p>Security sources are requirements to implement security controls in accordance with laws, regulations, and compliance standards.</p></td><td width="15%" valign="bottom"><p>Number of Security Requirements<br /> % of Applications per Requirement</p></td><td width="8%" nowrap="nowrap"><p align="center">1</p></td><td width="19%" rowspan="6"><p><b>System Concept Review that verifies the concept is in line with the Organization's objectives and budgetary constraints<br /> <br /> Performance requirements that have addressed all Security Requirements<br /> <br /> Enterprise Architecture alignment that aligns with IT standards and LoB requirements, as well as Security alignment to enable the LoB by meeting Security Requirements with appropriate Security Services<br /> <br /> Risk Management review that provides a Risk view of the System that aligns with the Organization's level of acceptance</b></p></td></tr><tr><td width="13%" nowrap="nowrap" valign="top"><p>I.1.2</p></td><td width="17%"><p>Ensuring all Key Stakeholders have a Common Understanding</p></td><td width="25%"><p>All relevant Development, Security, and Business Stakeholders are fully aware of and understand the Security Implications, 
Considerations, and Requirements per the Identified Sources as well as the Organization's Policies, Procedures, and Guidelines.</p></td><td width="15%"><p> </p></td><td width="8%" nowrap="nowrap"><p align="center">1</p></td></tr><tr><td width="13%" nowrap="nowrap" valign="top"><p>I.1.3</p></td><td width="17%"><p>Establishment of a Security Guide as part of the SDLC Process</p></td><td width="25%" valign="bottom"><p>The Guide consists of the following information: Security Responsibilities (Roles and Responsibilities); Security Reporting Metrics; Certification and Accreditation Process (Go / No Go Decision at appropriate Gates between Phases); Security Testing and Assessment Techniques (static code analysis, dynamic scanning, pentesting, fuzzing, etc); Security Document and Requirements Deliverables; Secure Design, Architecture, and Coding Practices (in accordance with Security Requirements).</p></td><td width="15%"><p> </p></td><td width="8%" nowrap="nowrap"><p align="center">2</p></td></tr><tr><td width="13%" nowrap="nowrap" valign="top"><p>I.2.1</p></td><td width="17%"><p>Security Categorization Process</p></td><td width="25%" valign="bottom"><p>A process is in place that will categorize the Application in accordance with the type of data being processed, the deployment location of the application, and the types of users of the application. A Business Impact Analysis procedure is an integral part of this process and should be expanded to include the Security Categorization of each Application. 
In addition to the classification of the Application, other factors to consider are the Confidentiality, Integrity, and Availability aspects of the Application's Business Requirements.</p></td><td width="15%"><p>% of Applications per Categorization</p></td><td width="8%" nowrap="nowrap"><p align="center">3</p></td></tr><tr><td width="13%" nowrap="nowrap" valign="top"><p>I.2.2</p></td><td width="17%"><p>Business Impact Assessment Process</p></td><td width="25%"><p>A process that identifies and documents the Line of Business (LoB) supported by the Application and how the LoB will be impacted; identifies and documents core Components needed to maintain functionality of the Application (both Software and Hardware Components); identifies and documents the length of time the system can be down before the LoB is negatively impacted; and identifies and documents the LoB's tolerance for the loss of data.</p></td><td width="15%"><p>Service Level Agreements per Component per Application (in Hrs)<br /> Number of Components per Application by Type, i.e. 
Software, Hardware<br /> Number of Applications per LoB by Categorization</p></td><td width="8%" nowrap="nowrap"><p align="center">4</p></td></tr><tr><td width="13%" nowrap="nowrap" valign="top"><p>I.3.1</p></td><td width="17%"><p>Secure Systems Development Process</p></td><td width="25%"><p>Documented Standards and a Process for System (Software) Development that include Security Best Practices; a Security Training Program for Developers, Managers, and Architects; a documented Quality Management program that includes planning, change management, and security testing (misuse cases, fuzzing, dynamic scanning); separation of development, test, and operational facilities, where all facilities have been accredited; documented Secure Code Practices (common framework usage for common security functions; language-specific secure coding requirements); implementation of source code repositories that adhere to role-based access procedures and have logging enabled.</p></td><td width="15%"><p>% of Applications per Categorization that have a separate test environment<br /> % of Completed Training Requirement</p></td><td width="8%" nowrap="nowrap"><p align="center">5</p></td></tr></tbody></table><p align="center" class="BasicParagraph"><b>Table 1.</b> Example of mapping NIST Controls with the Initiation phase of the SDLC.</p><p class="BasicParagraph"><span class="font-size-5"><strong>Conclusion</strong></span></p><p class="BasicParagraph">The most effective way to help your Organization implement the Risk Management Framework (RMF) is to consider and include the increasing reliance on, and growing complexity of, Applications. 
Applications and the technologies used to develop and deploy them are constantly changing, and with this constant change the risk environment is also changing, resulting in the need to reduce risks before the Applications escape into the environment. With the inclusion of the SDLC as part of the RMF, the following return on investment is provided:</p><ol><li>Early identification and mitigation of weaknesses, vulnerabilities, and misconfigurations, resulting in lower cost of mitigation and remediation (Ponemon, 2010).</li><li>Awareness of potential integration and engineering issues resulting from mandatory controls, resulting in lower cost of integrating and engineering alternate compensating controls into the Application.</li><li>Identification of shared controls and reusable security frameworks and application programming interfaces, resulting in lower development costs and reduced impact on the development schedule while simultaneously improving the overall security of Applications in the marketplace.</li><li>Ability to allow Executive management to make key decisions in a comprehensive Risk Management strategy, resulting in reduced risk to the Organization.</li></ol><h2>References</h2><ul><li>Kissel, R., et al. (2008). NIST SP 800-64 Rev 2: Security Considerations in the System Development Life Cycle. <a href="http://csrc.nist.gov/publications/PubsSPs.html">http://csrc.nist.gov/publications/PubsSPs.html</a>.</li><li>Ross, R. (2011). NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. <a href="http://www.nist.gov/manuscript-publication-search.cfm?pub_id=908030">http://www.nist.gov/manuscript-publication-search.cfm?pub_id=908030</a>.</li><li>Swanson, M. (2001). NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems. <a href="http://infohost.nmt.edu/~sfs/Regs/sp800-26.pdf">http://infohost.nmt.edu/~sfs/Regs/sp800-26.pdf</a>.</li><li>Guttman, B. 
and Roback, E. (2006). Special Pub 800-12 -- An Introduction to Computer Security: The NIST Handbook. <a href="http://csrc.nist.gov/publications/nistpubs/800-12/">http://csrc.nist.gov/publications/nistpubs/800-12/</a>.</li><li>Challey, D. (2009). Enterprise Application Security - GE's approach to solving root cause and establishing a Center of Excellence. <a href="https://www.owasp.org/index.php/Enterprise_Application_Security_-_GE's_approach_to_solving_root_cause_and_establishing_a_Center_of_Excellence">https://www.owasp.org/index.php/Enterprise_Application_Security_-_GE's_approach_to_solving_root_cause_and_establishing_a_Center_of_Excellence</a>.</li><li>Ponemon. (2010). Fifth Annual US Cost of Data Breach, January 2010. Retrieved from <a href="http://www.ponemon.org/data-security">http://www.ponemon.org/data-security</a>.</li></ul></div>Checklist to Evaluate A Cloud Based WAF Vendorhttps://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-a-web-application-firewall2014-07-03T19:30:00.000Z2014-07-03T19:30:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><p>These days, web applications are under siege. 
Commercially motivated hackers, bots, and fraudsters are attacking around the clock, attempting to steal data, disrupt access, and commit fraud, which today's next-generation firewalls, IPS and other network security products are unable to safeguard against. So, in order to prevent breaches and downtime from web attacks, DDoS, site scraping and fraud, we have introduced a cost-effective, in-the-cloud, Security as a Service (SaaS) based Web Application Firewall Service. The solution is deployed in reverse proxy mode, so one just needs to route web traffic through the Application Firewall, which mitigates web attacks and threats in real time and sends clean traffic on to the web server.</p>
<p><em><span class="font-size-4">Check-list for Vendor Evaluation:</span></em></p>
<p><strong>1. Deployment Architecture & Mode of Operation</strong></p>
<ul>
<li>Active/Inline, Passive, Bridge, Router, Reverse Proxy etc.</li>
<li>How SSL traffic is processed and offloaded: whether it terminates SSL connections, passively decrypts traffic, etc.</li>
<li>What authentication method is used to validate users/customers</li>
<li>High Availability, Redundancy & Scalability</li>
<li>Protect Multiple Website Behind Single IP</li>
</ul>
<p><strong>2. Connection Handling & Traffic Processing</strong></p>
<ul>
<li>How the traffic is blocked – Drop Packet, TCP Reset etc.</li>
<li>HTTP versions, Encoding & File transfer Support</li>
<li>Any other protocol support</li>
<li>Response Filtering</li>
</ul>
<p><strong>3. Detection Technique</strong></p>
<ul>
<li>Normalization technique used</li>
<li>Negative Security Models</li>
<li>Positive Security Models</li>
<li>Minimal False Positives</li>
<li>Signature/Rule Database</li>
<li>How frequently Database is updated</li>
<li>Are APIs available to customize or extend the vendor’s detection functionality</li>
<li>Virtual Patching</li>
<li>Fraud Detection</li>
<li>Business Logic Attacks</li>
</ul>
<p><strong>4. Protection Technique</strong></p>
<ul>
<li>Brute Force Attacks</li>
<li>Cookie based Attacks</li>
<li>Session or Denial of Service Attacks</li>
<li>Hidden Form field Protection</li>
<li>Cryptographic URL & Parameter Protection</li>
<li>Reputation-Based Service</li>
<li>External Intelligence Feed, threat landscape etc.</li>
<li>Protection against Application DDoS</li>
<li>Protection against OWASP Top 10</li>
</ul>
<p><strong>5. Logging</strong></p>
<ul>
<li>Which commonly used logs are supported</li>
<li>Log Forwarding to Syslog or SIEM</li>
<li>Unique transaction IDs are included with every log message</li>
<li>Log Export facility</li>
<li>Event logs and notification via Email, SMS, Syslog support, SNMP Trap etc.</li>
<li>Log Retention</li>
<li>Sanitization or Masking Critical Data from the logs</li>
</ul>
<p><strong>6. Reporting</strong></p>
<ul>
<li>Reporting Format Supported</li>
<li>On Demand report generation, automation & scheduling</li>
<li>Report Customization</li>
<li>Report distribution methods available</li>
<li>Customized Block Page Display Message</li>
<li>Compliance Reports</li>
</ul>
<p><strong>7. Management</strong></p>
<ul>
<li>GUI – Web Based</li>
<li>Multi-Tenancy, RBAC & Secure Administration</li>
<li>Centralized Dashboard, Alerts & Reporting</li>
<li>Support of External APIs</li>
<li>Integration with existing infrastructure</li>
<li>Integration with Vulnerability Scanner, SIEM, DLP etc.</li>
<li>Configuration Management & Backup</li>
<li>Automatic signature update and Install</li>
<li>Profile Learning</li>
<li>Policy Management, Export/Import, Roll back mechanism,</li>
<li>WAF Security</li>
</ul>
<p><strong>8. Performance</strong></p>
<ul>
<li>HTTP level performance</li>
<li>HTTP level performance with SSL enabled</li>
<li>Maximum number of concurrent connections</li>
<li>Performance under Load</li>
<li>Fail-Safe & Pass through when device fails</li>
</ul>
<p><strong>9. Support</strong></p>
<ul>
<li>24*7*365 Support Available</li>
<li>Quality of technical support</li>
<li>Support presence in local City, Country etc.</li>
<li>Direct Support or Partner</li>
<li>SLA, TAT, Escalation Matrix etc.</li>
</ul>
<p><strong>10. Cost</strong></p>
<ul>
<li>Initial cost</li>
<li>Setup & Implementation Cost</li>
<li>Recurring subscription costs</li>
<li>Patch Update & Upgrade Cost</li>
<li>Any other hidden cost</li>
</ul>
<p><strong>11. Vendor Reputation</strong></p>
<ul>
<li>Market share, Turnover, Profitability</li>
<li>Any certification like ICSA Labs etc.</li>
<li>Enables PCI DSS Requirement 6.6 compliance</li>
<li>Listed by any IT research company like Gartner, Forrester, IDC etc.</li>
<li>Customer Base</li>
<li>Any customer implementation similar to your line of business</li>
</ul>
<p><em>With Yadavendra Awasthi, Netmagic Solutions Pvt. Ltd., on How To Evaluate a WAF (Web Application Firewall) Vendor</em></p>
</div>CISO Guide: Surface Web, Deep Web and Dark Web - Are they different?https://www.cisoplatform.com/profiles/blogs/surface-web-deep-web-and-dark-web-are-they-different2018-04-19T06:00:00.000Z2018-04-19T06:00:00.000ZY R Chandra Sekhar Varmahttps://www.cisoplatform.com/members/YRChandraSekharVarma<div><p><span style="font-size:12pt;">There are millions of pages on the internet; however, about 90% of them are not indexed by search engines like Google, Yahoo, Bing, etc. This means only a tiny portion of the internet is accessible through search engines or standard means. </span><span style="font-size:12pt;"><b>The Deep Web is the part of the internet that cannot be accessed through standard search engines, i.e. the pages that are not indexed in any way.</b></span></p><p><span style="font-size:18pt;"><b><strong>Surface Web vs Deep Web vs Dark Web</strong></b></span></p><p><span style="font-size:12pt;">If we imagine the web as an ocean, the surface web is the top of the ocean, which appears to spread for miles around and can be seen easily, i.e. is "accessible"; the deep web is the deeper part of the ocean beneath the surface; the dark web is the bottom of the ocean, a place accessible only by using special technologies.</span></p><ul><li><span style="font-size:12pt;"><strong>Surface web:</strong> The surface web is the portion of the World Wide Web that is readily available to the general public and searchable with standard web search engines. It is the opposite of the deep web. The section of the internet that is indexed by search engines is known as the “Surface Web” or “Visible Web”.</span></li><li><span style="font-size:12pt;"><strong>Deep web:</strong> The deep web is the part of the World Wide Web whose contents are not indexed by standard web search engines for any reason. The content of the deep web is hidden behind HTTP forms and includes many common uses such as web mail, online banking, and services that users must pay for and which are protected by a paywall, such as video on demand, some online magazines and newspapers, and many more. Content of the deep web can be located and accessed by a direct URL or IP address, and may require a password or other security access beyond the public website page.</span></li><li><span style="font-size:12pt;"><strong>Dark web:</strong> The Dark Web is defined as a layer of information and pages that you can only access through so-called "overlay networks", which run on top of the normal internet and obscure access. 
You need special software to access the Dark Web because a lot of it is encrypted, and most dark web pages are hosted anonymously.</span></li></ul><p><span style="font-size:12pt;"><strong>Surface web vs Deep web vs Dark Web vs Darknet</strong></span> (figure not reproduced)</p><p><span style="font-size:12pt;"><strong>Clearnet vs Darknet</strong></span> (figure not reproduced)</p><p><span style="font-size:18pt;"><strong>What Should a CISO be Concerned About?</strong></span></p><p><span style="font-size:10pt;">Once a CISO is aware of what is available on the dark web, deep web or surface web, it is easier to take steps to defend and protect that data from being used by attackers. 
</span></p><ul><li><span style="font-size:10pt;">Exposed DB Servers & S3 Buckets (due to misconfigurations etc.)</span></li><li><span style="font-size:10pt;">Exposed applications & websites, files & documents which are accessible</span></li><li><span style="font-size:10pt;">Exposed services like APIs, FTP Servers etc.</span></li><li><span style="font-size:10pt;">Personnel data which is available freely on the internet, including email addresses, phone numbers etc.</span></li></ul><p>Sources: <a href="https://en.wikipedia.org/wiki/Deep_web" target="_blank">Wikipedia</a>, <a href="https://darkwebnews.com/deep-web/" target="_blank">darkwebnews</a>, <a href="https://www.firecompass.com/blog/darkweb-deepweb-darknet-browsers/" target="_blank">Firecompass</a>, <a href="https://beebom.com/dark-web-vs-deep-web/" target="_blank">beebom.com</a></p></div>(20 Page Guide) Critical Capabilities For Evaluating WAF - Web Application Firewallhttps://www.cisoplatform.com/profiles/blogs/20-page-guide-critical-capabilities-for-evaluating-waf-web-applic2018-07-25T06:30:00.000Z2018-07-25T06:30:00.000ZCISO Platformhttps://www.cisoplatform.com/members/CISOPlatform<div><p><span style="font-size:12pt;">With the increased growth in the usage of the internet, mobile applications, and the Internet of Things, applications have become ubiquitous, but their security receives far less attention. Deploying an effective WAF is one of the baseline measures organizations can take to protect themselves from breaches and secure their customers.</span></p>
<p><span style="font-size:12pt;">This is a detailed 20 page guide that helps you understand the critical capabilities for evaluating a web application firewall. This report was created by FireCompass Analysts along with the F5 Networks Team. Organizations can customize this checklist based on their specific requirements.</span></p>
<p><span class="font-size-4"><strong>What will you Find in the Report? </strong></span></p>
<ul>
<li><span style="font-size:12pt;">Use Cases & Key Evaluation Parameters</span></li>
<li><span style="font-size:12pt;">Various Deployment Options</span></li>
<li><span style="font-size:12pt;">Evaluation Checklist for <span class="il">WAF</span></span></li>
</ul>
<p><span class="font-size-5">>> <a href="https://pre.firecompass.com/report-how-to-benchmark-waf/" target="_blank">Download the Complete Report</a></span></p>
</div>Forrester Wave WAF Guide 2018 : Top 10 Vendors That Matter & How They Stack Uphttps://www.cisoplatform.com/profiles/blogs/forrester-wave-waf-guide-2018-top-10-vendors-that-matter-how-they2018-08-08T09:30:00.000Z2018-08-08T09:30:00.000ZCISO Platformhttps://www.cisoplatform.com/members/CISOPlatform<div><p><span>The Forrester Wave™ Guide on Web Application Firewall, Q2 2018, is a detailed guide that helps you understand the 33 criteria developed by Forrester for evaluating web application firewall vendors.</span></p>
<p><span>In this evaluation, Forrester has identified the 10 most significant vendors - Akamai Technologies, Amazon Web Services, Barracuda Networks, Cloudflare, F5 Networks, </span>Fortinet, Imperva, Positive Technologies, Radware and Rohde & Schwarz Cybersecurity. Forrester analysts have analysed, researched and scored them. This report shows how each measures up and helps security professionals make the right choice.</p>
<p><span class="font-size-4"><strong>What Will You Find In The Report? </strong></span></p>
<ul>
<li><span>An Understanding Of WAF & How To Use It Effectively</span></li>
<li><span>WAF Scorecard & Forrester Wave</span></li>
<li><span>How Each Of The WAF Vendors Measures Up</span></li>
<li><span>Which WAF Solution Is The Right Fit For Your Company & more</span></li>
</ul>
<p><span class="font-size-5">>> <a href="https://event.cisoplatform.com/forrester-waf-report-q2-2018/" target="_blank">Download The Complete Report</a></span></p></div>