ShareWhite Papers
| Popular Tags: ADC, Audit, Compliance, Database Security, File, Threats, Web Application Security | |
 
|
10 Building Blocks for Securing File DataThree fundamental capabilities are lacking in most organizations:
Tags: File Security, Security Policies, File Monitoring, File Auditing |
|
Anatomy of an XSS CampaignThe Imperva Application Defense Center (ADC) observed the full anatomy of a cross-site scripting (XSS) campaign, showing why it's so easy to conduct a muscular phishing campaign in just under an hour. Tags: Web Application Security, Threats, Web Application Attacks, Cross-Site Scripting, XSS |
|
Blame it on the Media(Bot) -- Using Google Advertising Mechanism for Web Application AttacksThe research summarized in this paper is aimed at demonstrating how search engines can be manipulated to serve as attack tools. We were able to show that the AdWords and AdSense services from Google can indeed be used to launch attacks against unsuspecting web applications. Attacks types we were able to demonstrate include buffer overflows, SQL injections and CSRFs. Tags: ADC, Google Hacking, Web Application Attacks, Buffer Overflow, SQL Injection, CSRF, Web Application Security |
|
Blindfolded SQL InjectionUntil today, exploiting SQL server injection attacks depended on having the Web Server return detailed error messages or having any other source of information. As a result, many security administrators suppressed these error messages, assuming this would protect them from SQL server injection exploitation. This white paper shows, however, that suppressing the error messages does not provide real protection. Imperva ADC research reveals a set of techniques that can be easily used to bypass error suppression, making it clear that more substantial measures must be taken against SQL server injection attacks. Tags: ADC, SQL Injection, Blindfolded SQL Injection, Web Application Attacks, Web Application Security |
|
Botnets at the GateStopping Botnets and Distributed Denial of Service Attacks Botnets have infiltrated millions of users' computers and wrecked incalculable damage. This white paper lifts the veil on botnets and on the cyber-criminals behind them. It analyzes the history, growth, and economics behind botnets. It then investigates one of the most common attacks executed by botnets: the Distributed Denial of Service (DDoS) attack. Tags: Web Security, Web Application Security, Cyber-Crime, Denial of Service Attacks, DOS, DDoS |
|
Closing the Window of Exposure with Database Virtual PatchingThis white paper describes how Vulnerability Assessment and Virtual Patching can help customers to quickly and transparently address known database vulnerabilities without deploying physical patches or custom scripts on corporate databases. Thus, organizations can minimize the window of exposure created by the need to build, receive, test and deploy software and operating system patches across a wide array of database platforms and instances. Tags: Database Security, Vulnerability Assessment, Data Risk Analysis, Database Discovery, Virtual Patching |
|
Compliance with the HIPAA Security Rule - Meeting the Electronic Code of Federal RequirementsThe HIPAA Security Rule establishes national standards to protect individuals' medical records and other personal health information. In this paper we review the security standards for protection of e-PHI as listed under part 164 of the 45 CFR, and map SecureSphere Data Security Suite solutions to the specified requirements described in these standards. Tags: Data Security, Compliance, HIPAA, Government, e-PHI, Database Security |
|
Cutting IT Operations Costs for Unstructured DataMarket analysts estimate that 80% of all enterprise data is unstructured and that unstructured data will grow tenfold in the next five years. Crushed under the weight of these files are the IT organizations tasked with managing and securing them. Operationally, it's nearly impossible to keep track of who is creating all of these business documents, who owns them, and who can - and is - accessing them. Tags: File Security, Data Security, Unstructured Data, IT, ROI |
|
NEW: Cutting the Cost of Application SecurityWeb application attacks can result in devastating data breaches and application downtime, costing companies millions of dollars in fines, brand damage, and customer turnover. This paper illustrates how the SecureSphere Web Application Firewall provides a Return on Security Investment of 2090% by preventing data breaches and Website downtime. SecureSphere also offers a compelling return compared to manual vulnerability remediation by eliminating costly emergency fix and test measures. Tags: Application Vulnerabilities, Web Application Security, ROI |
|
Data Security for PCI ComplianceAddressing Security and Auditing Requirements for In-scope Web Applications, Databases, and File Servers Data security represents a significant barrier to many organizations that need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Secure Web application software development, cardholder data access auditing and user rights management are complex and costly business processes. This paper focuses on the key PCI DSS requirements that impact data security. Designed for auditors, risk and security professionals, key compliance challenges are analyzed with respect to impact on existing IT infrastructure, staff, and budget and applicable solutions are outlined for consideration. Tags: Web Application Security, Database Security, Audit, PCI, Compliance |
|
Data Security Study: Consumer Password Worst PracticesIn December 2009, a major vulnerability was discovered in Rockyou.com. By examining a hacker's blog, a major vulnerability was discovered that led to the breach of 32 million passwords and the hacker posted to the Internet the full list of the 32 million passwords (with no other identifiable information). The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism. Further, never before has there been such a high volume of real-world passwords to examine. The Imperva Application Defense Center (ADC) analyzed the strength of the passwords. Tags: Database Security, Data Security, Threats |
|
Detecting and Blocking Site Scraping AttacksSite scraping attacks range from harmless data collection for personal research to calculated, repeated data harvesting used to undercut competitor's prices or to illicitly publish valuable information. Site scraping, also called screen scraping or Web scraping, can undermine victims' revenues and profits by siphoning off customers and reducing competitiveness. This paper investigates various types of scraping attacks, site scraping tools, and effective techniques to detect and stop future attacks. Tags: Web Application Security, Threats, Web Application Attacks, Web Site Scraping, Scraping Attacks |
|
Facing Reality: Top Database Security TrendsEnterprise database infrastructure is subject to an overwhelming range of threats. Securing databases and the data they host is challenging not only because of the volume of data spread across heterogeneous platforms, but also because of the increased sophistication and rising rate of database security threats. This paper reviews the top database security trends that IT managers and security teams struggle to keep up with, including: advanced persistent threat (APT), SQL injection, implementation of audit controls, database patch and configuration management, limiting users rights to data based on business need-to-know, abuse of legitimate data access privileges, and cloud security. Tags: Database Security, Trends, Advanced Persistent Threat, SQL Injection |
|
|
Five Signs Your File Data is at RiskPersistent insider threats and regulatory compliance mandates make protecting sensitive file data a business requirement for virtually every organization. However, the sheer volume of file data and its rapid and continuous growth make it a challenge to secure properly. This whitepaper reviews the five questions to help you assess your file security posture. If you aren't able to answer these five questions confidently, your file data is probably at risk. Tags: File Security, Compliance, Threats, Insider Threat, Unstructured Data, Data, File Activity Monitoring |
|
Four Steps to Defeating a DDoS AttackHackers, criminals, and political "hactivists" have increasingly turned to Distributed Denial of Service (DDoS) attacks to disrupt access to or even take down legitimate Websites. This white paper describes DDoS attack methods such as powerful DDoS attacks originating from servers and new, advanced application DDoS attacks. It then lays out four simple steps that organizations can undertake to mitigate DDoS attacks. Tags: Web Security, Web Application Security, Threats, Web Application Attacks, DDoS, Distributed Denial of Service, DDoS Protection, Cyber-Crime |
|
How to Secure Your SharePoint DeploymentThis paper presents five best practices for securing your SharePoint environment. It discusses how SecureSphere for SharePoint can help organizations get the most out of SharePoint's existing permissions system, and fill some of SharePoint's security gaps. Tags: SharePoint, File Security, Compliance, Auditing, Unstructured Data, Data Security |
|
Imperva Data Security and Compliance LifecycleSOX and other regulatory legislation are increasingly expanding formal enterprise audit processes to include information technology (IT) assets, especially databases. Imperva's Data Security and Compliance Lifecycle provides step-by-step best practices for implementing database controls and web application security. Tags: Data Security Lifecycle, Compliance Lifecycle, Audit, Best Practices |
|
Implementing Sarbanes-Oxley Audit RequirementsThe Sarbanes-Oxley Act (SOX) of 2002 set requirements for the integrity of the source data related to financial transactions and reporting. In particular, auditors are looking at regulated data residing in databases connected to enterprise applications such as SAP, Oracle E-Business Suite, PeopleSoft, and other Web Applications. In this White Paper, Imperva presents the range of functions that need to take place to achieve and demonstrate compliance with SOX. Tags: Audit, Compliance, Sarbanes-Oxley, SOX |
|
Implementing Security Controls for addressing DHS Sensitive Systems Policy Directive 4300AThis paper reviews how SecureSphere enables DHS components to implement the technical controls described in chapter 5 of the DHS 4300A Sensitive Systems Handbook. With SecureSphere Data Security Solutions, DHS components can facilitate detection of security violations, and support security requirements for applications and data, including Identification and Authentication, Access Controls and Auditing. Tags: Data Security, Access Controls, Auditing, Government, DHS, 4300A, Database Security, Security Controls, Sensitive Systems Handbook |
|
Managing Risk to Sensitive Data with SecureSphereYou can't protect it if you don't know about it. This paper explores the need to discover and classify sensitive data in enterprise databases. It explains how SecureSphere Discovery and Assessment Server (DAS) enables the assessment of data risk posture through the analysis of discovered data and vulnerabilities on database platforms. Additionally, we will explore risk mitigation via Imperva SecureSphere Data Security Suite in terms of identifying and managing risk to sensitive data. Tags: DAS, Discovery and Classification, Discovery and Assessment, Database Security, SecureSphere |
|
Meeting NIST SP 800-53 GuidelinesThis paper reviews information security requirements described by NIST in SP 800-53. It discusses the main implementation challenges organizations struggle with. The paper also maps key capabilities of Imperva's SecureSphere Data Security Suite to NIST SP 800-53 guidelines, describing how SecureSphere solutions can be used to implement required controls, manage risk to federal information and demonstrate compliance. Tags: Data Security, Compliance, NIST, FISMA, NIST SP 800-53, Government |
|
Next Generation Web Application Firewalls (NG-WAF)This paper describes Imperva's vision for the next generation of WAFs. It details Web application security problems and solutions today, and gives perspectives on the future. While this paper is not product specific, areas where Imperva SecureSphere currently provides NG-WAF capabilities such as anti-automation, and adaptive threat response are highlighted. Tags: Web Application Firewall, Industrialized Hacking, Automated Attacks, Business Logic Attacks, ThreatRadar, Web Application Security |
|
Protected! Mitigating Web Application and Database Vulnerabilities with Virtual PatchingIt's not always possible - or practical - to patch vulnerabilities in your Web applications or databases as soon as you discover them. You can use a technique known as "virtual patching" to rapidly address vulnerabilities and ensure you are protected until a long-term fix can be put in place. This brief whitepaper discusses the business benefits of virtual patching, including improved security and increased operational efficiency. Tags: Virtual Patching, Database Security, Web Application Security, Vulnerability Assessment, Threats, Data Risk Analysis |
|
Protecting Databases from Unauthorized ActivitiesThe threat of compromising sensitive information either by leakage or unauthorized changes is driving compliance regulations such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), and others, which require organizations to implement strong database access controls. Tags: Compliance, Data Security, Database Security, PCI, SOX |
|
SecureSphere and OWASP 2010 Top Ten Most Critical Web Application Security RisksThe Open Web Application Security Project (OWASP) Top Ten is widely recognized as one of the leading standards for identifying critical web application security risks. This paper analyzes the latest 2010 release of the OWASP Top Ten most critical web application security risks and outlines how SecureSphere Web Application Firewall (WAF) addresses and mitigates each OWASP Top Ten threat. Tags: Web Application Security, Threats, Web Application Attacks, OWASP |
|
SecureSphere Web Application SecurityThis paper provides an analysis of the Web and Web services threat environment, followed by a description of how Imperva's SecureSphere Web Application Firewall provides a comprehensive and completely automated platform for securing these important IT assets. Tags: Web Application Security, Threats, Web Application Firewall, SecureSphere |
|
Security Trends for 2011Imperva's Application Defense Center (ADC), led by Imperva CTO Amichai Shulman, is exclusively focused on advancing the practice of data security to help companies shield themselves from the threat of hackers and insiders. In 2010, the ADC successfully predicted many of the key issues that would plague security teams in 2010 and beyond. For 2011, the ADC has assembled its most comprehensive set of predictions. Tags: Business Case, Database Security, File Security, Web Application Security, ROSI, Trends |
|
SQL Injection 2.0SQL Injection continues to be one of the most predominant Web application threats. Considering the widespread availability of valuable data on the Web, the popularity of ecommerce and dependency on the Web for all kinds of information, attackers are motivated to implement faster, more advanced SQL injection methods to launch high profile, widespread attacks on targeted Web sites. This paper provides of an overview of SQL Injection 2.0, including specific attack techniques such as automated SQL injection via search engines, SQL Injection for Web site defacement, malware distribution and Denial of Service (DoS) attacks, and direct database SQL Injection. |
|
The Anatomy of an Insider: Bad Guys Don't Always Wear BlackSensitive data protection is essential to any effective security or compliance strategy. Purpose-built data security solutions can prevent, detect, and continually audit how users, including privileged users interact with sensitive data. Visibility into ordinary users and privileged users in terms of their interactions with mission-critical applications and databases gives organizations the ability to effectively mitigate insider threats. Tags: Insider Threat, Privileged User Monitoring, Sensitive Data Protection, Threats |
|
The Business Case for Data Security (Database, File, and Web Security)The growing costs of security breaches and manual compliance efforts have given rise to new data security solutions specifically designed to prevent data breaches and deliver automated compliance. This paper examines the drivers for adopting a strategic approach to data security, compares and contrasts current approaches, and presents the Return on Security Investment (ROSI) of viable data security solutions. Tags: Business Case, Database Security, File Security, Web Application Security, ROSI |
|
The Business Case for Database SecurityBuild an airtight business case for database security and convince your senior management of the need for a dedicated security solution. This white paper describes database compliance and security requirements, project risks, alternatives, and evaluates the economic benefits of selecting Imperva SecureSphere. Tags: Database Security, Compliance, Business Case |
|
The Hidden Costs of Free Database AuditingNative database auditing mechanisms are not as inexpensive as they might seem. This paper compares the costs of native database auditing with SecureSphere for a midsized IT datacenter. Tags: Database Auditing, Datacenter |
|
The Industrialization of HackingToday, hacking is $1T industry -- up from a few billion just three years ago. In 2007, professional hacking represented a multibillion-dollar industry. At present, this same industry posts -- in stolen data, IP and financial gain -- more than one trillion in value. What explains this rapid growth? Industrialization. Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today's cyber crime industry has similarly transformed and automated itself to achieve scalability and increase profits. The industrialization of hacking coincides with a critical shift in what's considered today's prized commodity: data. Tags: Cyber Crime, Data Security, Hacking, Automated Attacks |
|
The Top 5 On-Line Identity Theft AttacksWhen digital thieves impersonate authorized users, everyone loses. On-line identity theft by insiders and outsiders can cost millions in fraud, fines, lawsuits, and customer attrition. Unfortunately, even sophisticated solutions, such as two-factor authorization, can be fooled by digital identity theft attacks. The good news is there are 5 commonly used methods for on-line identity theft. Defend against these, and you will have greatly increased the security of your on-line web application. Tags: Identity Theft, Web Application Security, Database Security |
|
Top 10 Database Hacks and How to Stop ThemCorporate databases contain the crown jewels of an organization, which means a break-in, by insiders or outsiders, can cost millions in fines, lawsuits, and customer attrition. The good news is there are 10 commonly used methods to attack databases. Defend against these, and you will have a highly secure database. Languages: English | Deutsch | Español | Français Tags: Database Security, Database Hacks, Common Databases Attacks, Threats, Top Databases Attacks, Defend Against Databases Attacks, Stopping Databases Attacks |
|
Top 10 Guide for Protecting Sensitive Data from Malicious InsidersFor years, organizations have worked diligently to lock down their perimeters only to find out that the most devastating enemy is already inside. Insider threats, both careless and malicious, abound. This fact is amplified during difficult economic times. With a plethora of digitized information, and vehicles for turning credit card data, personally identifiable information and intellectual property into cash, goods, and other services, risks have increased. It's no wonder that we're hearing about a growing number of attacks where the target is sensitive data, and the perpetrators are those with evaluated levels of trust and access: insiders. This guide will explore the top ten ways to protect sensitive data from the very people that need access to it. While this is a difficult problem to address, it is not impossible -- especially when leveraging the right tools. Tags: Insider Threat, Threats, Sensitive Data Protection, Database Security, Data Security |
|
Top 10 Guide to Data Security for Federal AgenciesWeb application and database security remains one of the most vulnerable areas across federal agencies as well as the private sector in virtually every geography and business vertical. An essential difference between enterprises and federal agencies is the attacker. Irrespective of attacks from inside or outside an organization data remains the prize. Traditional network security controls while valuable and necessary simply don't scale to address data-centric attacks, and organizations need to augment them with data-centric solutions focused on the targets: Web applications and databases. But federal agencies are not just focused on security - they also need to demonstrate compliance to both agency and congressional mandates. Tags: Government, Federal, Compliance, FISMA, SOX, PCI, GLBA, HIPAA, NERC, Data Security |
|
Top 6 Security Trends for 2009Based on the research conducted by Imperva's Application Defense Center (ADC), this report identifies the security trends that are most likely to cause the greatest impact on organizations in 2009. Combining the detailed information collected in the past year with ongoing research efforts, the ADC has made predictions on the top six trends that will affect security organizations in the upcoming year. Tags: ADC, Security Trends |
|
Understanding Web 2.0: Technologies, Risks and Best PracticesFeature rich and interactive Web 2.0 portals can lure customers and increase sales, but without effective security, they can be a hacker's paradise, exposing your business and customers to data theft. This technical brief details the security challenges inherent in Web 2.0 frameworks, including Ajax, collaboration, RSS feeds, and mashups. It also describes best practice techniques and tools to secure your Web 2.0 infrastructure without impacting existing development resources or your site's performance. Tags: Web 2.0 Risks, Web 2.0 Security Best Practices, Web Application Security, Best Practices |
|
What Auditors Want -- Database AuditingGive your auditors what they want -- the way they want it -- with zero impact to your database and staff. Learn the top 5 key requirements for database auditing for SOX, PCI, HIPAA and other regulations. Understand the options to native database logging of Web-based applications, such as Oracle E-Business Suite, PeopleSoft or SAP. Learn more about what auditors want for compliance, so you can make informed choices and deliver. Tags: Database Auditing, Database Security, Compliance, SOX, PCI, HIPAA |
| Popular Tags: ADC, Audit, Compliance, Database Security, File, Threats, Web Application Security | |