White Papers
Popular Tags: Audit, Compliance, Database Security, Threats, Web Application Security

NEW: Anatomy of an XSS Campaign

The Imperva Application Defense Center (ADC) observed the full anatomy of a cross-site scripting (XSS) campaign, showing why it's so easy to conduct a muscular phishing campaign in just under an hour. Tags: Web Application Security, Threats, Web Application Attacks, Cross-Site Scripting, XSS

Blame it on the Media(Bot) -- Using Google Advertising Mechanism for Web Application Attacks

The research summarized in this paper is aimed at demonstrating how search engines can be manipulated to serve as attack tools. We were able to show that the AdWords and AdSense services from Google can indeed be used to launch attacks against unsuspecting web applications. Attack types we were able to demonstrate include buffer overflows, SQL injections and CSRFs. Tags: ADC, Google Hacking, Web Application Attacks, Buffer Overflow, SQL Injection, CSRF, Web Application Security

Blindfolded SQL Injection

Until today, exploiting SQL server injection attacks depended on having the Web Server return detailed error messages or having any other source of information. As a result, many security administrators suppressed these error messages, assuming this would protect them from SQL server injection exploitation. This white paper shows, however, that suppressing the error messages does not provide real protection. Imperva ADC research reveals a set of techniques that can be easily used to bypass error suppression, making it clear that more substantial measures must be taken against SQL server injection attacks. Tags: ADC, SQL Injection, Blindfolded SQL Injection, Web Application Attacks, Web Application Security

Closing the Window of Exposure with Database Virtual Patching

This white paper describes how Vulnerability Assessment and Virtual Patching can help customers to quickly and transparently address known database vulnerabilities without deploying physical patches or custom scripts on corporate databases. Thus, organizations can minimize the window of exposure created by the need to build, receive, test and deploy software and operating system patches across a wide array of database platforms and instances. Tags: Database Security, Vulnerability Assessment, Data Risk Analysis, Database Discovery, Virtual Patching

Cutting the Cost of Application Security: An ROI White Paper

Application vulnerabilities can expose organizations to loss of service, an embarrassing Web site defacement, or even a multi-million dollar data compromise. This paper compares different methods of securing Web applications, including manually fixing application vulnerabilities and implementing a Web application firewall. Then it evaluates the cost savings in financial terms, illustrating how SecureSphere provides immediate Return on Investment (ROI) and saves organizations 530% over five years compared to disruptive fix and test measures. Tags: Application Vulnerabilities, Web Application Security, ROI

Data Security Study: Consumer Password Worst Practices

In December 2009, a major vulnerability was discovered in Rockyou.com. A hacker's blog revealed that the vulnerability had led to the breach of 32 million passwords, and the hacker posted the full list of the 32 million passwords (with no other identifiable information) to the Internet. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. Further, never before has there been such a high volume of real-world passwords to examine. The Imperva Application Defense Center (ADC) analyzed the strength of the passwords. Tags: Database Security, Data Security, Threats

NEW: Five Signs Your File Data is at Risk

Persistent insider threats and regulatory compliance mandates make protecting sensitive file data a business requirement for virtually every organization. However, the sheer volume of file data and its rapid and continuous growth make it a challenge to secure properly. This whitepaper reviews five questions to help you assess your file security posture. If you aren't able to answer these five questions confidently, your file data is probably at risk. Tags: File Security, Compliance, Threats, Insider Threat, Unstructured Data, Data, File Activity Monitoring

Imperva Data Security and Compliance Lifecycle

SOX and other regulatory legislation are increasingly expanding formal enterprise audit processes to include information technology (IT) assets, especially databases. Imperva's Data Security and Compliance Lifecycle provides step-by-step best practices for implementing database controls and web application security. Tags: Data Security Lifecycle, Compliance Lifecycle, Audit, Best Practices

Implementing Sarbanes-Oxley Audit Requirements

The Sarbanes-Oxley Act (SOX) of 2002 set requirements for the integrity of the source data related to financial transactions and reporting. In particular, auditors are looking at regulated data residing in databases connected to enterprise applications such as SAP, Oracle E-Business Suite, PeopleSoft, and other Web Applications. In this White Paper, Imperva presents the range of functions that need to take place to achieve and demonstrate compliance with SOX. Tags: Audit, Compliance, Sarbanes-Oxley, SOX

Managing Risk to Sensitive Data with SecureSphere

You can't protect it if you don't know about it. This paper explores the need to discover and classify sensitive data in enterprise databases. It explains how SecureSphere Discovery and Assessment Server (DAS) enables the assessment of data risk posture through the analysis of discovered data and vulnerabilities on database platforms. Additionally, we will explore risk mitigation via Imperva SecureSphere Data Security Suite in terms of identifying and managing risk to sensitive data. Tags: DAS, Discovery and Classification, Discovery and Assessment, Database Security, SecureSphere

Next Generation Web Application Firewalls (NG-WAF)

This paper describes Imperva's vision for the next generation of WAFs. It details Web application security problems and solutions today, and gives perspectives on the future. While this paper is not product specific, areas where Imperva SecureSphere currently provides NG-WAF capabilities, such as anti-automation and adaptive threat response, are highlighted. Tags: Web Application Firewall, Industrialized Hacking, Automated Attacks, Business Logic Attacks, ThreatRadar, Web Application Security

Protected! Mitigating Web Application and Database Vulnerabilities with Virtual Patching

It's not always possible - or practical - to patch vulnerabilities in your Web applications or databases as soon as you discover them. You can use a technique known as "virtual patching" to rapidly address vulnerabilities and ensure you are protected until a long-term fix can be put in place. This brief whitepaper discusses the business benefits of virtual patching, including improved security and increased operational efficiency. Tags: Virtual Patching, Database Security, Web Application Security, Vulnerability Assessment, Threats, Data Risk Analysis

Protecting Databases from Unauthorized Activities

The threat of compromising sensitive information either by leakage or unauthorized changes is driving compliance regulations such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), and others, which require organizations to implement strong database access controls. Tags: Compliance, Data Security, Database Security, PCI, SOX

SecureSphere and OWASP 2010 Top Ten Most Critical Web Application Security Risks

The Open Web Application Security Project (OWASP) Top Ten is widely recognized as one of the leading standards for identifying critical web application security risks. This paper analyzes the latest 2010 release of the OWASP Top Ten most critical web application security risks and outlines how SecureSphere Web Application Firewall (WAF) addresses and mitigates each OWASP Top Ten threat. Tags: Web Application Security, Threats, Web Application Attacks, OWASP

SecureSphere Web Application Security

This paper provides an analysis of the Web and Web services threat environment, followed by a description of how Imperva's SecureSphere Web Application Firewall provides a comprehensive and completely automated platform for securing these important IT assets. Tags: Web Application Security, Threats, Web Application Firewall, SecureSphere

Securing Web Applications and Databases for PCI Compliance

This paper, designed for security and compliance professionals, illustrates how to achieve compliance on three of the most costly and complex sections: requirements 3, 6, and 10 of PCI DSS. This paper also highlights how Web application and database appliances can deliver resource effective compliance while maintaining cost efficiency. Tags: Web Application Security, Database Security, Audit, PCI, Compliance

SQL Injection 2.0

SQL Injection continues to be one of the most predominant Web application threats. Considering the widespread availability of valuable data on the Web, the popularity of ecommerce and dependency on the Web for all kinds of information, attackers are motivated to implement faster, more advanced SQL injection methods to launch high profile, widespread attacks on targeted Web sites. This paper provides an overview of SQL Injection 2.0, including specific attack techniques such as automated SQL injection via search engines, SQL Injection for Web site defacement, malware distribution and Denial of Service (DoS) attacks, and direct database SQL Injection.

The Anatomy of an Insider: Bad Guys Don't Always Wear Black

Sensitive data protection is essential to any effective security or compliance strategy. Purpose-built data security solutions can prevent, detect, and continually audit how users, including privileged users, interact with sensitive data. Visibility into ordinary users and privileged users in terms of their interactions with mission-critical applications and databases gives organizations the ability to effectively mitigate insider threats. Tags: Insider Threat, Privileged User Monitoring, Sensitive Data Protection, Threats

The Business Case for Database Security

Build an airtight business case for database security and convince your senior management of the need for a dedicated security solution. This white paper describes database compliance and security requirements, project risks, alternatives, and evaluates the economic benefits of selecting Imperva SecureSphere. Tags: Database Security, Compliance, Business Case

The Hidden Costs of Free Database Auditing

Native database auditing mechanisms are not as inexpensive as they might seem. This paper compares the costs of native database auditing with SecureSphere for a midsized IT datacenter. Tags: Database Auditing, Datacenter

The Industrialization of Hacking

Today, hacking is a $1T industry -- up from a few billion just three years ago. In 2007, professional hacking represented a multibillion-dollar industry. At present, this same industry posts -- in stolen data, IP and financial gain -- more than one trillion in value. What explains this rapid growth? Industrialization. Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today's cyber crime industry has similarly transformed and automated itself to achieve scalability and increase profits. The industrialization of hacking coincides with a critical shift in what's considered today's prized commodity: data. Tags: Cyber Crime, Data Security, Hacking, Automated Attacks

The Top 5 On-Line Identity Theft Attacks

When digital thieves impersonate authorized users, everyone loses. On-line identity theft by insiders and outsiders can cost millions in fraud, fines, lawsuits, and customer attrition. Unfortunately, even sophisticated solutions, such as two-factor authorization, can be fooled by digital identity theft attacks. The good news is there are 5 commonly used methods for on-line identity theft. Defend against these, and you will have greatly increased the security of your on-line web application. Tags: Identity Theft, Web Application Security, Database Security

Top 10 Database Hacks and How to Stop Them

Corporate databases contain the crown jewels of an organization, which means a break-in, by insiders or outsiders, can cost millions in fines, lawsuits, and customer attrition. The good news is there are 10 commonly used methods to attack databases. Defend against these, and you will have a highly secure database. Tags: Database Security, Database Hacks, Common Databases Attacks, Threats, Top Databases Attacks, Defend Against Databases Attacks, Stopping Databases Attacks

Top 10 Guide for Protecting Sensitive Data from Malicious Insiders

For years, organizations have worked diligently to lock down their perimeters only to find out that the most devastating enemy is already inside. Insider threats, both careless and malicious, abound. This fact is amplified during difficult economic times. With a plethora of digitized information, and vehicles for turning credit card data, personally identifiable information and intellectual property into cash, goods, and other services, risks have increased. It's no wonder that we're hearing about a growing number of attacks where the target is sensitive data, and the perpetrators are those with elevated levels of trust and access: insiders. This guide will explore the top ten ways to protect sensitive data from the very people that need access to it. While this is a difficult problem to address, it is not impossible -- especially when leveraging the right tools. Tags: Insider Threat, Threats, Sensitive Data Protection, Database Security, Data Security

Top 10 Guide to Data Security for Federal Agencies

Web application and database security remains one of the most vulnerable areas across federal agencies as well as the private sector in virtually every geography and business vertical. An essential difference between enterprises and federal agencies is the attacker. Irrespective of whether attacks come from inside or outside an organization, data remains the prize. Traditional network security controls, while valuable and necessary, simply don't scale to address data-centric attacks, and organizations need to augment them with data-centric solutions focused on the targets: Web applications and databases. But federal agencies are not just focused on security - they also need to demonstrate compliance to both agency and congressional mandates. Tags: Government, Federal, Compliance, FISMA, SOX, PCI, GLBA, HIPAA, NERC, Data Security

Top 6 Security Trends for 2009

Based on the research conducted by Imperva's Application Defense Center (ADC), this report identifies the security trends that are most likely to cause the greatest impact on organizations in 2009. Combining the detailed information collected in the past year with ongoing research efforts, the ADC has made predictions on the top six trends that will affect security organizations in the upcoming year. Tags: ADC, Security Trends

Understanding Web 2.0: Technologies, Risks and Best Practices

Feature-rich and interactive Web 2.0 portals can lure customers and increase sales, but without effective security, they can be a hacker's paradise, exposing your business and customers to data theft. This technical brief details the security challenges inherent in Web 2.0 frameworks, including Ajax, collaboration, RSS feeds, and mashups. It also describes best practice techniques and tools to secure your Web 2.0 infrastructure without impacting existing development resources or your site's performance. Tags: Web 2.0 Risks, Web 2.0 Security Best Practices, Web Application Security, Best Practices

What Auditors Want -- Database Auditing

Give your auditors what they want -- the way they want it -- with zero impact to your database and staff. Learn the top 5 key requirements for database auditing for SOX, PCI, HIPAA and other regulations. Understand the options to native database logging of Web-based applications, such as Oracle E-Business Suite, PeopleSoft or SAP. Learn more about what auditors want for compliance, so you can make informed choices and deliver. Tags: Database Auditing, Database Security, Compliance, SOX, PCI, HIPAA