Security

Role-Based Access Controls | RBAC

Role-Based Access Control Ferraiolo and Kuhn nist.gov, 1992

TLS | SSL

Transport Layer Security | TLS wikipedia

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.[1] TLS and SSLencrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

SSL Labs ssllabs.com

SSL Test ssllabs.com

SSL/TLS Deployment Best Practices ssllabs.com

openSSL cookbook feistyduck.com

SSL Pulse trustworthyinternet.org

A (relatively easy to understand) primer on elliptic curve cryptography arstechnica.com

Gilbert Vernam wikipedia.org

- invented an automated one-time pad cipher in 1919

Security and software development

Open Web Application Security Project | OWASP owasp.org

2011 CWE/SANS Top 25 Most Dangerous Software Errors cwe.mitre.org

Public DMZ network architecture security.stackexchange.com

- no consensus, confusion of differing viewpoints

Access Control | Authorization

OASIS eXtensible Access Control Markup Language | XACML

XACML TC oasis-open.org

XACML 3.0 core specification docs.oasis-open.org

XACML data flow model

XACML policy language model

Risk Taxonomy (O-RT), Version 2.0 opengroup.org

- follow the references here

Risk

Risk estimates the probable frequency and magnitude of future loss (also known as “loss exposure”).

Loss Event Frequency

Loss Magnitude

Threat Event Frequency

Vulnerability

Contact Frequency

Probability of Action

Threat Capability

Resistance Strength

Primary Loss

Secondary Loss

Secondary Loss Event Frequency

Secondary Loss Magnitude

The following documents are referenced in this Standard:

 A Taxonomy of Computer Program Security Flaws, with Examples, Naval Research

Laboratory, September 1994; refer to: http://chacs.nrl.navy.mil/publications.

 An Introduction to Factor Analysis of Information Risk (FAIR), Risk Management Insight

LLC, November 2006; refer to: www.riskmanagementinsight.com.

 FAIR – ISO/IEC 27005 Cookbook, Technical Guide, C103, published by The Open

Group, November 2010; refer to: www.opengroup.org/bookstore/catalog/c103.htm.

 Methods for the Identification of Emerging and Future Risks, European Network and

Information Security Agency (ENISA), November 2007; refer to

www.enisa.europa.eu/doc/pdf/deliverables/EFR_Methods_Identification_200804.pdf.

 Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE),

US-CERT; refer to www.cert.org/octave.

 Requirements for Risk Assessment Methodologies, Technical Guide, G081, published by

The Open Group, January 2009; refer to:

www.opengroup.org/bookstore/catalog/g081.htm.

 Risk Analysis (O-RA), Open Group Standard, C13G, published by The Open Group,

October 2013; refer to: www.opengroup.org/bookstore/catalog/c13g.htm.

Risk Analysis (O-RA) opengroup.org

Tools

Sophos free security tools sophos.com

HIPAA

HIPAA Survival Guide - HIPAA and HITECH hipaasurvivalguide.com

Security Principles for Cloud and SOA opengroup.org

Authentication

FIPS 112 - Password Usage itl.nist.gov/fipspubs

[Http basic authentication and WS-Security authentication] soapui.org

Basic access authentication | HTTP basic wikipedia.org

Enable Anonymous Authentication (IIS 7) technet.microsoft.com

Anonymous authentication allows any user to access any public content without providing a user name and password challenge to the client browser. By default, Anonymous authentication is enabled in IIS 7.

If some content should be viewed only by selected users, you must configure the appropriate NTFS permissions to prevent anonymous users from accessing that content. If you want only registered users to view selected content, configure an authentication method for that content that requires a user name and password, for example, Basic or Digest authentication.

Consider using the following best practices when you configure anonymous authentication:

Create a group for all anonymous user accounts. You can deny access permissions to resources based on this group membership.
Deny execute permissions for anonymous users to all executables in Windows directories and subdirectories.

http://www.redbooks.ibm.com/redpapers/pdfs/redp4835.pdf redbooks.ibm.com

contains some useful single sign-on background information, best practices and use cases

- no, it doesn't.

Else

Subject Alternative Name | SubjectAltName | SAN

X.509 extension to support multiple domains in a single certificate

SubjectAltName wikipedia.org

RFC 5280 X.509 PKI Certificate and Certificate Revocation List Profile > Subject Alternative Name

How to add a subject alternative name to a secure LDAP certificate support.microsoft.com

The SAN lets you connect to a domain controller by using a Domain Name System (DNS) name other than the computer name

san:dns=dns.name[&dns=dns.name]

Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both names must be included in the SAN attributes. The resulting attribute string is displayed as follows:

san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com

Endpoint encryption

BitLocker Drive Encryption Overview windows.microsoft.com

Trusted Platform Module (TPM) and BitLocker Drive Encryption msdn.microsoft.com

A Guide to Claims Based Identity and Access Control msdn.microsoft.com

Offensive Countermeasures: The Art of Active Defense ebook, amazon.com

[pass the hash presentation] media.blackhat.com

Crypto-gram newsletter schneier.com

common credentials

Common Accounts Credentials Dilemma Next Steps liebsoft.com

automated solution for managing common system credentials

Common Vulnerability Scoring System | CVSS first.org

Top 10 Secure Coding Practices securecoding.cert.org

The CERT Oracle Secure Coding Standard for Java securecoding.cert.org

Alert (TA13-010A) Oracle Java 7 Security Manager Bypass Vulnerability cert.gov

Vulnerability Note VU#636312 cert.org

Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code

7 Free Windows Password Recovery Tools pcsupport.about.com

PGPdump interface pgpdump.net

PGPdump is a PGP packet visualizer. It supports OpenPGP (RFC 4880) and PGP v2 (RFC 1991) packet formats.

Cloud Computing: A Review Of Features, Benefits, And Risks, And Recommendations For Secure, Efficient Implementations csrc.nist.gov

Security Concepts, Challenges, and Design Considerations for Web Services Integration buildsecurityin.us-cert.gov

How To Create Ssh Trust Connection Between Servers Or Client-Server To Connect Without Password notesbit.com

SSH can give you authenticated and encrypted connections to remote computers. If you set up keys you can make these connections without passwords.

Security Concepts, Challenges, and Design Considerations for Web Services Integration buildsecurityin.us-cert.gov

Security Threat Report Mid-Year 2011 sophos.com

New Free Tool Helps Gather Attackers' 'Footprints' darkreading.com

The Legion of the Bouncy Castle - Resources bouncycastle.org/resources

Portecle portecle.sourceforge.net

Portecle is a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more. Runs under Java Web Start.

Keytool IUI code.google.com

Java Web Start failed to load jar from fuin.org, 12/2011

PGP

OpenPGP Message Format RFC 4880 ietf.org

The International PGP Home Page pgpi.org

PGP links openpgp.org

MIT PGP Public Key Server pgp.mit.edu

GnuPGP gnupg.org

Linux/Unix tools; Windows version is Gpgp4win

Lock Box Labs PGP Tools lockboxlabs.org

Command line PGP tools - use Java runtime

Gpgp4win gpgp4win.org

PGP utility for Windows; requires administrator rights to install

Else

cryptix.org cryptix.org

Cryptography for Java platform; not maintained since 2005; points to bouncycastle.org

Rainbow table wikipedia

A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering theplaintext password, up to a certain length consisting of a limited set of characters. It is a form of time-memory tradeoff, using less CPU at the cost of more storage. Properkey derivation functions employ a salt to make this attack infeasible.