302 Content Server Security Challenges And Best Practices
1. Content Server Security – Challenges and Best Practices Brian “Bex” Huff, Software Developer Stellent, Inc. January 30, 2006
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
Hinweis der Redaktion
This talk is about how to ensure the integrity of your content, and secure access to it. For security experts: This talk will expose some of the risks specific to the Content Server, and ways to mitigate those risks. Including configuration and customization options. You might be more interested in s ession 1502 . For SCS experts: This will present lots of information about network security that will help you design a security plan for your organization. For folks familiar with both: don’t worry, this talk is technical but will not bog you down with details.
Skip
Skip
The $105 billion is most likely hyper-inflated. As is the $50 billion number. The $1 billion estimate by Garner is the most believable, because they have the least to gain by inflating the numbers. Although it ‘feels’ low to me. Gartner called 2005 a ‘watershed year’ when it came to e-commerce. For the first time, security is major problem for the growth of the internet. 14% stopped paying bills online, 5% stopped e-commerce altogether. Big changes might be coming in 2006.
Mention lunchroom example here – would you secure your lunch in public fridge?
This methodology is care of Bruce Schneier. Risks: Who is trying to do what, and why. What are the odds of success. What are the repercussions? Policy: user/admin access depends on your organization. Hackers should be thwarted at every step, however. Countermeasures: Safe manufacturers rate their safes based on how many minutes (15, 30, 60) a professional takes to crack it. The safe is the PROTECTION. A guard checking on it every 5 minutes is DETECTION. The guard sounding an alarm for the police is the REACTION. In software its much harder, because you don’t know the vulnerabilities of the system.
Five kinds possible threats. Remember – a threat is a person. That 70% stat is probably meaningless, because there just isn’t enough hard evidence. Its true that 70% of identity thieves are insiders (Identity Theft Resource Center)... but only 30% of corporations have admitted firing somebody because of violating security practices (IDC's 2004 Security Survey ).
Five kinds possible threats. Remember – a threat is a person. That 70% stat is probably meaningless, because there just isn’t enough hard evidence. Its true that 70% of identity thieves are insiders (Identity Theft Resource Center)... but only 30% of corporations have admitted firing somebody because of violating security practices (IDC's 2004 Security Survey ).
Too many general network vulnerabilities to enumerate in detail. However, we will try to address all SCS vulnerabilities in detail. When selecting countermeasures, go for dual-purpose technology first. That is the best way to get security. If it improves the lives of administrators AND increases security, they are much more likely to buy it and learn it. Examples to follow. Will cover protection aspect first, then detection tools. Reactions
Single Sign On makes problem worse – you’re never prompted for a login.
Im not a huge fan of biometrics. You should have access keys first, add passwords to the keys for extra security, and add biometrics as a last resort. It helps, but only a little. And management is a pain. If somebody copies your password, you can make a new password. If somebody copies your thumbprint, you cant make a new thumb!