Web & Data Security White Papers

White Papers

Popular Tags: ADC, Audit, Compliance, Database, File, Threats, SharePoint, Web Application Security

	NEW: What Next Gen Firewalls Miss: 6 Requirements to Protect Web Applications Web application attacks threaten nearly every organization with an online presence. While some security vendors contend that their next generation firewalls can stop Web attacks, these products lack essential Web security features, leaving customers exposed to attack. This paper lays out the six key requirements needed to protect Web applications and it shows how Web application firewalls alone can effectively satisfy these requirements. Tags: Web Security, Web Application Security, Web Application Attacks, Firewalls


	NEW: Data Protection Under POPI 6 Step Data Privacy Protection Plan for the South African Protection of Personal Information (POPI) Bill Is your organization ready to address the South African Protection of Personal Information (POPI) bill? POPI prescribes information protection principles to regulate collection and processing of South African citizens' personal data. In this paper, we review POPI's eight principles and discuss how best to address those with practical data security processes and solutions. Tags: POPI, Data Security, Database Security, PII, Data Breach, Compliance


	NEW: SharePoint Governance and Security: Where to Start SharePoint is a complex platform experiencing explosive growth in adoption, exposure, and storage of sensitive content. Consequently, SharePoint security and governance are under greater scrutiny at the executive level and require immediate mitigation actions. The phased, risk-based perspective outlined in this paper aligns investments and priorities to accomplish the greatest security return for existing SharePoint deployments. Security plans should include both preventative and analytical capabilities and incorporate automated tools to provide controls and information that cannot be addressed practically by native SharePoint functionality or corporate resources. Tags: SharePoint, Data Security, Database Security, Government, Compliance


	NEW: Top Ten Database Threats Databases contain the crown jewels of an organization, which means a break-in, by insiders or outsiders, can cost millions from lawsuits fines and customer attrition. The good news is that there are only a small number of commonly used methods to attack databases. Defend against these, and you will have a highly secure database. Tags: Database Security, Database Hacks, Common Databases Attacks, Threats, Top Databases Attacks, Defend Against Databases Attacks, Stopping Databases Attacks


	The Future of Web Security: 10 Things Every Web Application Firewall Should Provide Web application firewalls have become the central platform for protecting applications against all online threats including technical Web attacks, business logic attacks, and online fraud. Web application firewalls understand Web usage and validate input to stop dangerous attacks like SQL injection, XSS, and directory traversal. They block scanners and virtually patch vulnerabilities. And they rapidly evolve to prevent new attacks and to keep critical applications safe. Because Web application firewalls are strategic, every organization must carefully evaluate the products' security, management, and deployment capabilities. This paper explains in detail the 10 features that every Web application firewall should provide. Tags: Web Application Firewall, Industrialized Hacking, Automated Attacks, Business Logic Attacks, ThreatRadar, Web Application Security


	Data Privacy: The High Cost of Unprotected Sensitive Data Today, organizations face a heightened threat landscape with data breaches constantly on the rise. Financial records, medical records, personally identifiable information (PII), and other private business data exist in virtually every enterprise data center. Failing to safeguard the databases that store this information can damage your reputation, impact your operations, and result in regulatory violations, fines, and legal fees. This white paper will (1) present 6 steps to automate and enforce enterprise data privacy policies (2) identify the database security tools needed to accomplish each step (3) highlight Imperva's market-leading SecureSphere Data Security Suite. Tags: Data Privacy, Data Security, Data Protection Plan, Database Security, Personally Identifiable Information, PII, Compliance


	An Inside Track on Insider Threats How do leading companies mitigate the invisible problem of rogue insiders? Imperva analyzed dozens of companies to understand some of the commonly deployed practices across human resources, legal and technology to stop malicious insiders from taking data and intellectual property. Specifically, we identify nine practices top enterprises have found the most useful to control the leakage of digital assets. Pinpointing the source and scope of data theft is often hard to quantify, especially since your largest internal threat may actually be one of your most loyal employees. This research presents the findings of the first-ever global insider threat study that catalogs common practices used by leading organizations across numerous verticals. Tags: Insider Threat, File Security, File Monitoring, File Auditing


	Five Steps for Protecting Australian Government Information According to the Information Security Manual (ISM), the primary cyber threat to Australia is cyber exploitation: malicious activities designed to silently gather information from ICT systems. The disclosure of sensitive commercial or government information can threaten national interests. The disclosure of sensitive personal information can enable malicious activities against individuals. The security of sensitive government and commercial information is critical for ensuring that Australia continues to be a safe place to do business online. This paper outlines Five Steps to protect critical information. Tags: Information Security Manual, ISM, Australia, Threats, Government


	Information Security Risk Management for Australian Financial Service Organizations Published in 2010 by the Australian Prudential Regulation Authority (APRA), the prudential practice guide PPG 234 aims to assist regulated financial institutions in the management of security risk in information and information technology. The guide targets areas where APRA continues to identify weaknesses as part of its ongoing supervisory activities. PPG 234 reflects the need for sound risk management disciplines and solid business understanding to evaluate and manage the IT security risk profile. This paper identifies how SecureSphere enables financial institutions to incrementally address the PPG 234 security recommendations and mitigate risks to their information and information systems. Tags: Australian Prudential Regulation Authority, APRA, PPG 234, Australia, Government, Risk Management


	Six Techniques for Mitigating Insider Threats How do you protect business data from trusted individuals who choose to abuse their privileges for personal or financial gain? And, what about users whose computers or personal devices have been compromised by malware, giving hackers access to your sensitive business data? Start by asking yourself the six questions in this whitepaper to help your organization determine if you've got insider threats under control. Tags: Data Security, Insider Threats, SOX, PCI, Database Activity Monitoring


	Advanced Persistent Threat - Are You the Next Target? Security researchers have been talking about advanced persistent threat (APT) for some time. Recently, we have seen a steep increase in the number of organizations hit by this type of attack. Initially, researchers thought APTs were mostly aimed at government agencies or political targets, but the latest attacks on enterprises suggest that APTs are not confined to a specific type of organization or sector. Tags: Data Security, Insider Threats, Advanced Persistent Threat, APT, User Rights Management, Risk Management


	Cutting the Cost of Application Security Web application attacks can result in devastating data breaches and application downtime, costing companies millions of dollars in fines, brand damage, and customer turnover. This paper illustrates how the SecureSphere Web Application Firewall provides a Return on Security Investment of 2090% by preventing data breaches and Website downtime. SecureSphere also offers a compelling return compared to manual vulnerability remediation by eliminating costly emergency fix and test measures. Tags: Application Vulnerabilities, Web Application Security, ROI


	Implementing Security Controls for addressing DHS Sensitive Systems Policy Directive 4300A This paper reviews how SecureSphere enables DHS components to implement the technical controls described in chapter 5 of the DHS 4300A Sensitive Systems Handbook. With SecureSphere Data Security Solutions, DHS components can facilitate detection of security violations, and support security requirements for applications and data, including Identification and Authentication, Access Controls and Auditing. Tags: Data Security, Access Controls, Auditing, Government, DHS, 4300A, Database Security, Security Controls, Sensitive Systems Handbook


	Compliance with the HIPAA Security Rule - Meeting the Electronic Code of Federal Requirements The HIPAA Security Rule establishes national standards to protect individuals' medical records and other personal health information. In this paper we review the security standards for protection of e-PHI as listed under part 164 of the 45 CFR, and map SecureSphere Data Security Suite solutions to the specified requirements described in these standards. Tags: Data Security, Compliance, HIPAA, Government, e-PHI, Database Security


	How to Secure Your SharePoint Deployment This paper presents five best practices for securing your SharePoint environment. It discusses how SecureSphere for SharePoint can help organizations get the most out of SharePoint's existing permissions system, and fill some of SharePoint's security gaps. Tags: SharePoint, File Security, Compliance, Auditing, Unstructured Data, Data Security


	Meeting NIST SP 800-53 Guidelines This paper reviews information security requirements described by NIST in SP 800-53. It discusses the main implementation challenges organizations struggle with. The paper also maps key capabilities of Imperva's SecureSphere Data Security Suite to NIST SP 800-53 guidelines, describing how SecureSphere solutions can be used to implement required controls, manage risk to federal information and demonstrate compliance. Tags: Data Security, Compliance, NIST, FISMA, NIST SP 800-53, Government


	Four Steps to Defeating a DDoS Attack Hackers, criminals, and political "hactivists" have increasingly turned to Distributed Denial of Service (DDoS) attacks to disrupt access to or even take down legitimate Websites. This white paper describes DDoS attack methods such as powerful DDoS attacks originating from servers and new, advanced application DDoS attacks. It then lays out four simple steps that organizations can undertake to mitigate DDoS attacks. Tags: Web Security, Web Application Security, Threats, Web Application Attacks, DDoS, Distributed Denial of Service, DDoS Protection, Cyber-Crime


	Facing Reality: Top Database Security Trends Enterprise database infrastructure is subject to an overwhelming range of threats. Securing databases and the data they host is challenging not only because of the volume of data spread across heterogeneous platforms, but also because of the increased sophistication and rising rate of database security threats. This paper reviews the top database security trends that IT managers and security teams struggle to keep up with, including: advanced persistent threat (APT), SQL injection, implementation of audit controls, database patch and configuration management, limiting users rights to data based on business need-to-know, abuse of legitimate data access privileges, and cloud security. Tags: Database Security, Trends, Advanced Persistent Threat, SQL Injection


	Cutting IT Operations Costs for Unstructured Data Market analysts estimate that 80% of all enterprise data is unstructured and that unstructured data will grow tenfold in the next five years. Crushed under the weight of these files are the IT organizations tasked with managing and securing them. Operationally, it's nearly impossible to keep track of who is creating all of these business documents, who owns them, and who can - and is - accessing them. Tags: File Security, Data Security, Unstructured Data, IT, ROI


	Detecting and Blocking Site Scraping Attacks Site scraping attacks range from harmless data collection for personal research to calculated, repeated data harvesting used to undercut competitor's prices or to illicitly publish valuable information. Site scraping, also called screen scraping or Web scraping, can undermine victims' revenues and profits by siphoning off customers and reducing competitiveness. This paper investigates various types of scraping attacks, site scraping tools, and effective techniques to detect and stop future attacks. Tags: Web Application Security, Threats, Web Application Attacks, Web Site Scraping, Scraping Attacks


	10 Building Blocks for Securing File Data Three fundamental capabilities are lacking in most organizations: Operationally efficient file activity monitoring and auditing Scalable user rights management for files Automated business policy enforcement for file data These three capabilities are core components of the emerging File Activity Monitoring market, and form the basis of a phased approach to file security. This guide describes ten phases for securing file data, including how and when to use these basic capabilities, as well as when to deploy other complementary technologies. Tags: File Security, Security Policies, File Monitoring, File Auditing


	Botnets at the Gate Stopping Botnets and Distributed Denial of Service Attacks Botnets have infiltrated millions of users' computers and wrecked incalculable damage. This white paper lifts the veil on botnets and on the cyber-criminals behind them. It analyzes the history, growth, and economics behind botnets. It then investigates one of the most common attacks executed by botnets: the Distributed Denial of Service (DDoS) attack. Tags: Web Security, Web Application Security, Cyber-Crime, Denial of Service Attacks, DOS, DDoS


	Security Trends for 2011 Imperva's Application Defense Center (ADC), led by Imperva CTO Amichai Shulman, is exclusively focused on advancing the practice of data security to help companies shield themselves from the threat of hackers and insiders. In 2010, the ADC successfully predicted many of the key issues that would plague security teams in 2010 and beyond. For 2011, the ADC has assembled its most comprehensive set of predictions. Tags: Business Case, Database Security, File Security, Web Application Security, ROSI, Trends


	The Business Case for Data Security (Database, File, and Web Security) The growing costs of security breaches and manual compliance efforts have given rise to new data security solutions specifically designed to prevent data breaches and deliver automated compliance. This paper examines the drivers for adopting a strategic approach to data security, compares and contrasts current approaches, and presents the Return on Security Investment (ROSI) of viable data security solutions. Tags: Business Case, Database Security, File Security, Web Application Security, ROSI


	Security for PCI Compliance Addressing Security and Auditing Requirements for Web Applications, Databases, and File Servers For many organizations, Web, database, and file security present the most challenging barriers to achieving PCI DSS compliance. Often, businesses must provision new technologies or roll out new processes to satisfy Web application security, data audit, and user rights management requirements in the PCI standard. This paper focuses on the key PCI DSS requirements that impact application and data security. Designed for auditors and security professionals, it describes how Imperva SecureSphere solutions can help organizations address the most costly and complex PCI mandates. Tags: Web Application Security, Database Security, Audit, PCI, Compliance


	Five Signs Your File Data is at Risk Persistent insider threats and regulatory compliance mandates make protecting sensitive file data a business requirement for virtually every organization. However, the sheer volume of file data and its rapid and continuous growth make it a challenge to secure properly. This whitepaper reviews the five questions to help you assess your file security posture. If you aren't able to answer these five questions confidently, your file data is probably at risk. Tags: File Security, Compliance, Threats, Insider Threat, Unstructured Data, Data, File Activity Monitoring


	Anatomy of an XSS Campaign The Imperva Application Defense Center (ADC) observed the full anatomy of a cross-site scripting (XSS) campaign, showing why it's so easy to conduct a muscular phishing campaign in just under an hour. Tags: Web Application Security, Threats, Web Application Attacks, Cross-Site Scripting, XSS


	SecureSphere and OWASP 2010 Top Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) Top Ten is widely recognized as one of the leading standards for identifying critical web application security risks. This paper analyzes the latest 2010 release of the OWASP Top Ten most critical web application security risks and outlines how SecureSphere Web Application Firewall (WAF) addresses and mitigates each OWASP Top Ten threat. Tags: Web Application Security, Threats, Web Application Attacks, OWASP


	Protected! Mitigating Web Application and Database Vulnerabilities with Virtual Patching It's not always possible - or practical - to patch vulnerabilities in your Web applications or databases as soon as you discover them. You can use a technique known as "virtual patching" to rapidly address vulnerabilities and ensure you are protected until a long-term fix can be put in place. This brief whitepaper discusses the business benefits of virtual patching, including improved security and increased operational efficiency. Tags: Virtual Patching, Database Security, Web Application Security, Vulnerability Assessment, Threats, Data Risk Analysis


	The Industrialization of Hacking Today, hacking is $1T industry -- up from a few billion just three years ago. In 2007, professional hacking represented a multibillion-dollar industry. At present, this same industry posts -- in stolen data, IP and financial gain -- more than one trillion in value. What explains this rapid growth? Industrialization. Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today's cyber crime industry has similarly transformed and automated itself to achieve scalability and increase profits. The industrialization of hacking coincides with a critical shift in what's considered today's prized commodity: data. Tags: Cyber Crime, Data Security, Hacking, Automated Attacks


	Data Security Study: Consumer Password Worst Practices In December 2009, a major vulnerability was discovered in Rockyou.com. By examining a hacker's blog, a major vulnerability was discovered that led to the breach of 32 million passwords and the hacker posted to the Internet the full list of the 32 million passwords (with no other identifiable information). The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. Further, never before has there been such a high volume of real-world passwords to examine. The Imperva Application Defense Center (ADC) analyzed the strength of the passwords. Tags: Database Security, Data Security, Threats


	Closing the Window of Exposure with Database Virtual Patching This white paper describes how Vulnerability Assessment and Virtual Patching can help customers to quickly and transparently address known database vulnerabilities without deploying physical patches or custom scripts on corporate databases. Thus, organizations can minimize the window of exposure created by the need to build, receive, test and deploy software and operating system patches across a wide array of database platforms and instances. Tags: Database Security, Vulnerability Assessment, Data Risk Analysis, Database Discovery, Virtual Patching


	Top 10 Guide to Data Security for Federal Agencies Web application and database security remains one of the most vulnerable areas across federal agencies as well as the private sector in virtually every geography and business vertical. An essential difference between enterprises and federal agencies is the attacker. Irrespective of attacks from inside or outside an organization data remains the prize. Traditional network security controls while valuable and necessary simply don't scale to address data-centric attacks, and organizations need to augment them with data-centric solutions focused on the targets: Web applications and databases. But federal agencies are not just focused on security - they also need to demonstrate compliance to both agency and congressional mandates. Tags: Government, Federal, Compliance, FISMA, SOX, PCI, GLBA, HIPAA, NERC, Data Security


	Top 10 Guide for Protecting Sensitive Data from Malicious Insiders For years, organizations have worked diligently to lock down their perimeters only to find out that the most devastating enemy is already inside. Insider threats, both careless and malicious, abound. This fact is amplified during difficult economic times. With a plethora of digitized information, and vehicles for turning credit card data, personally identifiable information and intellectual property into cash, goods, and other services, risks have increased. It's no wonder that we're hearing about a growing number of attacks where the target is sensitive data, and the perpetrators are those with evaluated levels of trust and access: insiders. This guide will explore the top ten ways to protect sensitive data from the very people that need access to it. While this is a difficult problem to address, it is not impossible -- especially when leveraging the right tools. Tags: Insider Threat, Threats, Sensitive Data Protection, Database Security, Data Security


	The Anatomy of an Insider: Bad Guys Don't Always Wear Black Sensitive data protection is essential to any effective security or compliance strategy. Purpose-built data security solutions can prevent, detect, and continually audit how users, including privileged users interact with sensitive data. Visibility into ordinary users and privileged users in terms of their interactions with mission-critical applications and databases gives organizations the ability to effectively mitigate insider threats. Tags: Insider Threat, Privileged User Monitoring, Sensitive Data Protection, Threats


	Managing Risk to Sensitive Data with SecureSphere You can't protect it if you don't know about it. This paper explores the need to discover and classify sensitive data in enterprise databases. It explains how SecureSphere Discovery and Assessment Server (DAS) enables the assessment of data risk posture through the analysis of discovered data and vulnerabilities on database platforms. Additionally, we will explore risk mitigation via Imperva SecureSphere Data Security Suite in terms of identifying and managing risk to sensitive data. Tags: DAS, Discovery and Classification, Discovery and Assessment, Database Security, SecureSphere


	The Business Case for Database Security Build an airtight business case for database security and convince your senior management of the need for a dedicated security solution. This white paper describes database compliance and security requirements, project risks, alternatives, and evaluates the economic benefits of selecting Imperva SecureSphere. Tags: Database Security, Compliance, Business Case


	Protecting Databases from Unauthorized Activities The threat of compromising sensitive information either by leakage or unauthorized changes is driving compliance regulations such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), and others, which require organizations to implement strong database access controls. Tags: Compliance, Data Security, Database Security, PCI, SOX


	Blindfolded SQL Injection Until today, exploiting SQL server injection attacks depended on having the Web Server return detailed error messages or having any other source of information. As a result, many security administrators suppressed these error messages, assuming this would protect them from SQL server injection exploitation. This white paper shows, however, that suppressing the error messages does not provide real protection. Imperva ADC research reveals a set of techniques that can be easily used to bypass error suppression, making it clear that more substantial measures must be taken against SQL server injection attacks. Tags: ADC, SQL Injection, Blindfolded SQL Injection, Web Application Attacks, Web Application Security


	Blame it on the Media(Bot) -- Using Google Advertising Mechanism for Web Application Attacks The research summarized in this paper is aimed at demonstrating how search engines can be manipulated to serve as attack tools. We were able to show that the AdWords and AdSense services from Google can indeed be used to launch attacks against unsuspecting web applications. Attacks types we were able to demonstrate include buffer overflows, SQL injections and CSRFs. Tags: ADC, Google Hacking, Web Application Attacks, Buffer Overflow, SQL Injection, CSRF, Web Application Security


	Implementing Sarbanes-Oxley Audit Requirements The Sarbanes-Oxley Act (SOX) of 2002 set requirements for the integrity of the source data related to financial transactions and reporting. In particular, auditors are looking at regulated data residing in databases connected to enterprise applications such as SAP, Oracle E-Business Suite, PeopleSoft, and other Web Applications. In this White Paper, Imperva presents the range of functions that need to take place to achieve and demonstrate compliance with SOX. Tags: Audit, Compliance, Sarbanes-Oxley, SOX


	Top 6 Security Trends for 2009 Based on the research conducted by Imperva's Application Defense Center (ADC), this report identifies the security trends that are most likely to cause the greatest impact on organizations in 2009. Combining the detailed information collected in the past year with ongoing research efforts, the ADC has made predictions on the top six trends that will affect security organizations in the upcoming year. Tags: ADC, Security Trends


	Imperva Data Security and Compliance Lifecycle SOX and other regulatory legislation are increasingly expanding formal enterprise audit processes to include information technology (IT) assets, especially databases. Imperva's Data Security and Compliance Lifecycle provides step-by-step best practices for implementing database controls and web application security. Tags: Data Security Lifecycle, Compliance Lifecycle, Audit, Best Practices


	Understanding Web 2.0: Technologies, Risks and Best Practices Feature rich and interactive Web 2.0 portals can lure customers and increase sales, but without effective security, they can be a hacker's paradise, exposing your business and customers to data theft. This technical brief details the security challenges inherent in Web 2.0 frameworks, including Ajax, collaboration, RSS feeds, and mashups. It also describes best practice techniques and tools to secure your Web 2.0 infrastructure without impacting existing development resources or your site's performance. Tags: Web 2.0 Risks, Web 2.0 Security Best Practices, Web Application Security, Best Practices


	SQL Injection 2.0 SQL Injection continues to be one of the most predominant Web application threats. Considering the widespread availability of valuable data on the Web, the popularity of ecommerce and dependency on the Web for all kinds of information, attackers are motivated to implement faster, more advanced SQL injection methods to launch high profile, widespread attacks on targeted Web sites. This paper provides of an overview of SQL Injection 2.0, including specific attack techniques such as automated SQL injection via search engines, SQL Injection for Web site defacement, malware distribution and Denial of Service (DoS) attacks, and direct database SQL Injection. Tags: SQL Injection 2.0, Web Application Security


	The Top 5 On-Line Identity Theft Attacks When digital thieves impersonate authorized users, everyone loses. On-line identity theft by insiders and outsiders can cost millions in fraud, fines, lawsuits, and customer attrition. Unfortunately, even sophisticated solutions, such as two-factor authorization, can be fooled by digital identity theft attacks. The good news is there are 5 commonly used methods for on-line identity theft. Defend against these, and you will have greatly increased the security of your on-line web application. Tags: Identity Theft, Web Application Security, Database Security


	The Hidden Costs of Free Database Auditing Native database auditing mechanisms are not as inexpensive as they might seem. This paper compares the costs of native database auditing with SecureSphere for a midsized IT datacenter. Tags: Database Auditing, Datacenter


	What Auditors Want -- Database Auditing Give your auditors what they want -- the way they want it -- with zero impact to your database and staff. Learn the top 5 key requirements for database auditing for SOX, PCI, HIPAA and other regulations. Understand the options to native database logging of Web-based applications, such as Oracle E-Business Suite, PeopleSoft or SAP. Learn more about what auditors want for compliance, so you can make informed choices and deliver. Tags: Database Auditing, Database Security, Compliance, SOX, PCI, HIPAA


	SecureSphere Web Application Security This paper provides an analysis of the Web and Web services threat environment, followed by a description of how Imperva's SecureSphere Web Application Firewall provides a comprehensive and completely automated platform for securing these important IT assets. Tags: Web Application Security, Threats, Web Application Firewall, SecureSphere

Popular Tags: ADC, Audit, Compliance, Database, File, Threats, SharePoint, Web Application Security