Role-Based Access Controls | RBAC
Role-Based Access Control Ferraiolo and Kuhn nist.gov, 1992
TLS | SSL
Transport Layer Security | TLS wikipedia
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.
SSL Labs ssllabs.com
SSL Test ssllabs.com
SSL/TLS Deployment Best Practices ssllabs.com
OpenSSL Cookbook feistyduck.com
SSL Pulse trustworthyinternet.org
A (relatively easy to understand) primer on elliptic curve cryptography arstechnica.com
Gilbert Vernam wikipedia.org
- invented an automated one-time pad cipher in 1919
Security and software development
Open Web Application Security Project | OWASP owasp.org
2011 CWE/SANS Top 25 Most Dangerous Software Errors cwe.mitre.org
Public DMZ network architecture security.stackexchange.com
- no consensus, confusion of differing viewpoints
Access Control | Authorization
OASIS eXtensible Access Control Markup Language | XACML
XACML TC oasis-open.org
XACML 3.0 core specification docs.oasis-open.org
XACML data flow model
XACML policy language model
Risk Taxonomy (O-RT), Version 2.0 opengroup.org
- follow the references here
Risk
Risk estimates the probable frequency and magnitude of future loss (also known as “loss exposure”).
Loss Event Frequency
Loss Magnitude
Threat Event Frequency
Vulnerability
Contact Frequency
Probability of Action
Threat Capability
Resistance Strength
Primary Loss
Secondary Loss
Secondary Loss Event Frequency
Secondary Loss Magnitude
The following documents are referenced in this Standard:
A Taxonomy of Computer Program Security Flaws, with Examples, Naval Research Laboratory, September 1994; refer to: http://chacs.nrl.navy.mil/publications.
An Introduction to Factor Analysis of Information Risk (FAIR), Risk Management Insight LLC, November 2006; refer to: www.riskmanagementinsight.com.
FAIR – ISO/IEC 27005 Cookbook, Technical Guide, C103, published by The Open Group, November 2010; refer to: www.opengroup.org/bookstore/catalog/c103.htm.
Methods for the Identification of Emerging and Future Risks, European Network and Information Security Agency (ENISA), November 2007; refer to: www.enisa.europa.eu/doc/pdf/deliverables/EFR_Methods_Identification_200804.pdf.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), US-CERT; refer to: www.cert.org/octave.
Requirements for Risk Assessment Methodologies, Technical Guide, G081, published by The Open Group, January 2009; refer to: www.opengroup.org/bookstore/catalog/g081.htm.
Risk Analysis (O-RA), Open Group Standard, C13G, published by The Open Group, October 2013; refer to: www.opengroup.org/bookstore/catalog/c13g.htm.
Risk Analysis (O-RA) opengroup.org
Tools
Sophos free security tools sophos.com
HIPAA
HIPAA Survival Guide - HIPAA and HITECH hipaasurvivalguide.com
Security Principles for Cloud and SOA opengroup.org
Authentication
FIPS 112 - Password Usage itl.nist.gov/fipspubs
[Http basic authentication and WS-Security authentication] soapui.org
Basic access authentication | HTTP basic wikipedia.org
Enable Anonymous Authentication (IIS 7) technet.microsoft.com
Anonymous authentication allows any user to access any public content without providing a user name and password challenge to the client browser. By default, Anonymous authentication is enabled in IIS 7.
If some content should be viewed only by selected users, you must configure the appropriate NTFS permissions to prevent anonymous users from accessing that content. If you want only registered users to view selected content, configure an authentication method for that content that requires a user name and password, for example, Basic or Digest authentication.
Consider using the following best practices when you configure anonymous authentication:
- Create a group for all anonymous user accounts. You can deny access permissions to resources based on this group membership.
- Deny execute permissions for anonymous users to all executables in Windows directories and subdirectories.
http://www.redbooks.ibm.com/redpapers/pdfs/redp4835.pdf redbooks.ibm.com
contains some useful single sign-on background information, best practices and use cases
- no, it doesn't.
Else
Subject Alternative Name | SubjectAltName | SAN
X.509 extension to support multiple domains in a single certificate
SubjectAltName wikipedia.org
RFC 5280 X.509 PKI Certificate and Certificate Revocation List Profile > Subject Alternative Name
How to add a subject alternative name to a secure LDAP certificate support.microsoft.com
The SAN lets you connect to a domain controller by using a Domain Name System (DNS) name other than the computer name.
san:dns=dns.name[&dns=dns.name]
Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both names must be included in the SAN attributes. The resulting attribute string is displayed as follows:
san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com
Endpoint encryption
BitLocker Drive Encryption Overview windows.microsoft.com
Trusted Platform Module (TPM) and BitLocker Drive Encryption msdn.microsoft.com
A Guide to Claims Based Identity and Access Control msdn.microsoft.com
Offensive Countermeasures: The Art of Active Defense ebook, amazon.com
[pass the hash presentation] media.blackhat.com
Crypto-gram newsletter schneier.com
Common credentials
Common Accounts Credentials Dilemma Next Steps liebsoft.com
automated solution for managing common system credentials
Common Vulnerability Scoring System | CVSS first.org
Top 10 Secure Coding Practices securecoding.cert.org
The CERT Oracle Secure Coding Standard for Java securecoding.cert.org
Alert (TA13-010A) Oracle Java 7 Security Manager Bypass Vulnerability cert.gov
Vulnerability Note VU#636312 cert.org
Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code
7 Free Windows Password Recovery Tools pcsupport.about.com
PGPdump interface pgpdump.net
PGPdump is a PGP packet visualizer. It supports OpenPGP (RFC 4880) and PGP v2 (RFC 1991) packet formats.
Cloud Computing: A Review Of Features, Benefits, And Risks, And Recommendations For Secure, Efficient Implementations csrc.nist.gov
Security Concepts, Challenges, and Design Considerations for Web Services Integration buildsecurityin.us-cert.gov
How To Create Ssh Trust Connection Between Servers Or Client-Server To Connect Without Password notesbit.com
SSH can give you authenticated and encrypted connections to remote computers. If you set up keys you can make these connections without passwords.
Security Threat Report Mid-Year 2011 sophos.com
New Free Tool Helps Gather Attackers' 'Footprints' darkreading.com
The Legion of the Bouncy Castle - Resources bouncycastle.org/resources
Portecle portecle.sourceforge.net
Portecle is a user-friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more. Runs under Java Web Start.
Keytool IUI code.google.com
Java Web Start failed to load jar from fuin.org, 12/2011
PGP
OpenPGP Message Format RFC 4880 ietf.org
The International PGP Home Page pgpi.org
PGP links openpgp.org
MIT PGP Public Key Server pgp.mit.edu
GnuPG gnupg.org
Linux/Unix tools; Windows version is Gpg4win
Lock Box Labs PGP Tools lockboxlabs.org
Command-line PGP tools; require the Java runtime
Gpg4win gpg4win.org
PGP utility for Windows; requires administrator rights to install
Else
cryptix.org cryptix.org
Cryptography for Java platform; not maintained since 2005; points to bouncycastle.org
Rainbow table wikipedia
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters. It is a form of time-memory tradeoff, using less CPU at the cost of more storage. Proper key derivation functions employ a salt to make this attack infeasible.
Workstation security mat
Kiosk security mat Larco lacromfg.com
- USB connected device
- hands-free locking when user steps off the mat
- clears browser cookies and cache
- retracts paper transactions if unclaimed
SANS reading room sans.org
SANS: Glossary of security terms sans.org
SANS InfoSec Reading Room - Managed Services sans.org
- outsourcing, IAM
SANS: Information Security Resources sans.org