Active Security Common Active Security Common PracticesPractices

Rafal LukawieckiRafal Lukawiecki

Strategic Consultant, Project Botticelli LtdStrategic Consultant, Project Botticelli Ltd

rafal@projectbotticelli.co.ukrafal@projectbotticelli.co.uk

www.projectbotticelli.co.ukwww.projectbotticelli.co.uk

Copyright 2005 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all Copyright 2005 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.File/Properties.

22

ObjectivesObjectives

Using Defence-in-Depth overview main security Using Defence-in-Depth overview main security problem areasproblem areas

Review major security protection technologiesReview major security protection technologies

Briefly look at security checklists for main Briefly look at security checklists for main Microsoft serversMicrosoft servers

33

Session AgendaSession Agenda

Decomposing the Operating EnvironmentDecomposing the Operating Environment

Defending:Defending:

ApplicationsApplications

HostsHosts

NetworkNetwork

Microsoft Guidance ChecklistsMicrosoft Guidance Checklists

44

Decomposing the Decomposing the Operating Operating EnvironmentEnvironment

55

Defense in DepthDefense in Depth

Policies, Procedures, & Awareness

Policies, Procedures, & Awareness

OS hardening, update management, OS hardening, update management, authenticationauthentication

Firewalls, VPN quarantineFirewalls, VPN quarantine

Guards, locks, tracking devices, Guards, locks, tracking devices, HSMHSM

Network segments, IPSec, NIDSNetwork segments, IPSec, NIDS

Application hardening, antivirusApplication hardening, antivirus

ACL, encryptionACL, encryption

User education against social User education against social engineeringengineering

Physical SecurityPhysical Security

PerimeterPerimeter

Internal NetworkInternal Network

HostHost

ApplicationApplication

DataData

66

Common Threat ClassificationCommon Threat Classification

Spoofed packets, etc.

Buffer overflows, illicit paths, etc.

SQL injection, XSS, input tampering, etc.

Network Host Application

Threats againstthe network

Threats against the host

Threats against the application

77

Examples of Network ThreatsExamples of Network Threats

ThreatThreat ExamplesExamples

Information gatheringInformation gathering Port scanningPort scanning

Using trace routing to detect network topologiesUsing trace routing to detect network topologies

Using broadcast requests to enumerate subnet hostsUsing broadcast requests to enumerate subnet hosts

EavesdroppingEavesdropping Using packet sniffers to steal passwordsUsing packet sniffers to steal passwords

Denial of service (DoS)Denial of service (DoS) SYN floodsSYN floods

ICMP echo request floodsICMP echo request floods

Malformed packetsMalformed packets

SpoofingSpoofing Packets with spoofed source addressesPackets with spoofed source addresses

88

Examples of Host ThreatsExamples of Host Threats

ThreatThreat ExamplesExamples

Arbitrary code executionArbitrary code execution Buffer overflows in ISAPI DLLs (e.g., MS01-033)Buffer overflows in ISAPI DLLs (e.g., MS01-033)

Directory traversal attacks (MS00-078)Directory traversal attacks (MS00-078)

File disclosureFile disclosure Malformed HTR requests (MS01-031)Malformed HTR requests (MS01-031)

Virtualized UNC share vulnerability (MS00-019)Virtualized UNC share vulnerability (MS00-019)

Denial of service (DoS)Denial of service (DoS) Malformed SMTP requests (MS02-012)Malformed SMTP requests (MS02-012)

Malformed WebDAV requests (MS01-016)Malformed WebDAV requests (MS01-016)

Malformed URLs (MS01-012)Malformed URLs (MS01-012)

Brute-force file uploadsBrute-force file uploads

Unauthorized accessUnauthorized access Resources with insufficiently restrictive ACLsResources with insufficiently restrictive ACLs

Spoofing with stolen login credentialsSpoofing with stolen login credentials

Exploitation of open ports Exploitation of open ports and protocolsand protocols

Using NetBIOS and SMB to enumerate hostsUsing NetBIOS and SMB to enumerate hosts

Connecting remotely to SQL ServerConnecting remotely to SQL Server

99

Examples of Application ThreatsExamples of Application Threats

ThreatThreat ExamplesExamples

SQL injectionSQL injection Including a DROP TABLE command in text typed into Including a DROP TABLE command in text typed into an input fieldan input field

Cross-site scriptingCross-site scripting Using malicious client-side script to steal cookiesUsing malicious client-side script to steal cookies

Hidden-field tamperingHidden-field tampering Maliciously changing the value of a hidden fieldMaliciously changing the value of a hidden field

EavesdroppingEavesdropping Using a packet sniffer to steal passwords and cookies Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connectionsfrom traffic on unencrypted connections

Session hijackingSession hijacking Using a stolen session ID cookie to access someone Using a stolen session ID cookie to access someone else's session stateelse's session state

Identity spoofingIdentity spoofing Using a stolen forms authentication cookie to pose as Using a stolen forms authentication cookie to pose as another useranother user

Information disclosureInformation disclosure Allowing client to see a stack trace when an unhandled Allowing client to see a stack trace when an unhandled exception occursexception occurs

1010

Typical Pattern of a Targeted AttackTypical Pattern of a Targeted Attack

Enter the network through SQL Injection etc.Enter the network through SQL Injection etc.

Install or use port proxy software to open Install or use port proxy software to open inbound connectionsinbound connections

Remotely control the host to mount further Remotely control the host to mount further attacks from inside until a domain controller is attacks from inside until a domain controller is accessibleaccessible

Gain control of the desired resourcesGain control of the desired resources

Erase traces of attack and remove installed Erase traces of attack and remove installed softwaresoftware

1111

What to Do when under AttackWhat to Do when under Attack

Engage your Emergency Operating ProcedureEngage your Emergency Operating Procedure

Or increase the emergency level (Or increase the emergency level (yellowyellow to to redred etc.) etc.)

Follow these steps:Follow these steps:

1.1. Identify the nature of the attackIdentify the nature of the attack

2.2. Localize the sourceLocalize the source

3.3. Protect and save the evidenceProtect and save the evidence

4.4. Find other compromised machinesFind other compromised machines

5.5. Immunise against this problem as soon as practicalImmunise against this problem as soon as practical

1212

Attack Vectors – EntrypointsAttack Vectors – Entrypoints

That is what attacker is looking forThat is what attacker is looking for

You always have themYou always have them

You must protect them as well as you canYou must protect them as well as you can

““Bottom” leaves (vectors) on the threat treeBottom” leaves (vectors) on the threat tree

Tree categories of entry:Tree categories of entry:

Social EngineeringSocial Engineering

Unpatched known vulnerabilitiesUnpatched known vulnerabilities

New, generally unknown vulnerabilitiesNew, generally unknown vulnerabilities

1616

Typical Security Levels (Microsoft)Typical Security Levels (Microsoft)

Based on typical security-usability-cost requirements, Microsoft Based on typical security-usability-cost requirements, Microsoft favours three generic security levels:favours three generic security levels:

LegacyLegacyAllowing compatibility with Windows 98, ME etc. – generally most usable Allowing compatibility with Windows 98, ME etc. – generally most usable and fairly insecureand fairly insecure

EnterpriseEnterpriseTypical needs of usability based on Windows 2000 and XP clients with Typical needs of usability based on Windows 2000 and XP clients with resilience against all popular attacksresilience against all popular attacks

Generally cost-effectiveGenerally cost-effective

High SecurityHigh SecurityAdds pro-active security against future attacks based on highly Adds pro-active security against future attacks based on highly restrictive policies at the cost of loss of use of many applications and restrictive policies at the cost of loss of use of many applications and other usability limitations and may use formal security modellingother usability limitations and may use formal security modelling

Expensive but may be worth the priceExpensive but may be worth the price

““Windows Server 2003 Security Guide” and other Microsoft security Windows Server 2003 Security Guide” and other Microsoft security guidance documents make use of those termsguidance documents make use of those terms

1717

Defending Defending ApplicationsApplications

1818

Why Application Security MattersWhy Application Security Matters

Perimeter defenses provide limited protectionPerimeter defenses provide limited protection

Many host-based defenses are not application Many host-based defenses are not application specificspecific

Most modern attacks occur at the application Most modern attacks occur at the application layer layer

1919

Developers!Developers!

From operational perspective, the problem is From operational perspective, the problem is caused by the developers, of course caused by the developers, of course

Their applications have access to privileged Their applications have access to privileged resourcesresources

Through vulnerabilities those resources become Through vulnerabilities those resources become compromisedcompromised

Solving the problem requires an almost intimate Solving the problem requires an almost intimate relationship between development and relationship between development and operationsoperations

2020

Security BaselineSecurity Baseline

Use vendor-recommended security baselinesUse vendor-recommended security baselinesSuch as “Microsoft Exchange Server Security Guidelines” etc.Such as “Microsoft Exchange Server Security Guidelines” etc.

Define a universal security baseline for all application Define a universal security baseline for all application serversservers

Base your baseline on OS vendor recommendations, such as Base your baseline on OS vendor recommendations, such as “Windows Server 2003 Security Guide” server roles“Windows Server 2003 Security Guide” server roles

Implement them as a policyImplement them as a policyActive Directory Group Policies are an excellent way to Active Directory Group Policies are an excellent way to manage themmanage them

Use resulting policy tool to verify if policy applies to hosts Use resulting policy tool to verify if policy applies to hosts as requiredas required

Verification of compliance is an ongoing activityVerification of compliance is an ongoing activity

2121

In-House ApplicationsIn-House Applications

Most enterprises use a number of own, self-Most enterprises use a number of own, self-developer applications for a number of key developer applications for a number of key business activitiesbusiness activities

Those applications rarely meet stringent security Those applications rarely meet stringent security design requirementsdesign requirements

Developer security education is critically Developer security education is critically importantimportant

Existing applications need to be treated as “evil” Existing applications need to be treated as “evil” until proven to be safe through Threat Modellinguntil proven to be safe through Threat Modelling

2222

Treating Unproven ApplicationsTreating Unproven Applications

Until proven to be secure, treat all applications as “evil”Until proven to be secure, treat all applications as “evil”

Restrict access only to users on need-to-use basisRestrict access only to users on need-to-use basis

Restrict remote useRestrict remote use

Isolate to dedicated application serversIsolate to dedicated application servers

Restrict servers through IPSec policies to only allow Restrict servers through IPSec policies to only allow communication that applications explicitly requirecommunication that applications explicitly require

Monitor usage pattern to establish a baseline and raise alarm Monitor usage pattern to establish a baseline and raise alarm when patterns varywhen patterns vary

Enable stringent auditingEnable stringent auditing

Request a formal threat analysis if above restrictions are too Request a formal threat analysis if above restrictions are too severesevere

2323

Developer RelationsDeveloper Relations

For future in-house and outsourced For future in-house and outsourced development, formally request that all new development, formally request that all new application state their required security policy application state their required security policy and comply with baseline policiesand comply with baseline policies

Deal with exceptions very carefullyDeal with exceptions very carefully

Insist that application is tested under restrictive Insist that application is tested under restrictive security conditions before being “beta tested” or security conditions before being “beta tested” or pilotedpiloted

Establish an operational point of contact for Establish an operational point of contact for developer queriesdeveloper queries

2424

Secure DevelopmentSecure Development

.NET applications can use a number of new and .NET applications can use a number of new and powerful security techniquespowerful security techniques

Advocate that future development should use .NET Advocate that future development should use .NET Framework and its security models where possibleFramework and its security models where possible

Actual development language is not essential as long as the Actual development language is not essential as long as the framework is usedframework is used

Other middleware environments may require you to Other middleware environments may require you to integrate their security subsystems into OS, Host and integrate their security subsystems into OS, Host and Network security more manuallyNetwork security more manually

Sometimes this is a significant weaknessSometimes this is a significant weakness

2525

Recommended .NET Security Recommended .NET Security MechanismsMechanisms

.NET Code Access Security.NET Code Access Security

.NET Evidence.NET Evidence

Using digital signatures, developers create cryptographically Using digital signatures, developers create cryptographically strong IDs for their applicationsstrong IDs for their applications

You can use those “Strong Names” (SNs) for creating policies You can use those “Strong Names” (SNs) for creating policies that allow or disallow whole classes of applications from that allow or disallow whole classes of applications from runningrunning

You control associated policiesYou control associated policies

.NET Isolated Storage.NET Isolated Storage

A new feature allowing applications to create a “virtual file A new feature allowing applications to create a “virtual file system” in a manner that is more resistant to cross-application system” in a manner that is more resistant to cross-application attacksattacks

2626

Defending HostsDefending Hosts

2727

OS HardeningOS Hardening

Use most up-to-date security patches and service packsUse most up-to-date security patches and service packs

Windows XP SP2Windows XP SP2

Windows Firewall with application-specific settingsWindows Firewall with application-specific settings

Attachment Execution protectionAttachment Execution protection

Pop-up BlockerPop-up Blocker

Memory Protection (only some CPUs)Memory Protection (only some CPUs)

RPC/DCOM ImprovementsRPC/DCOM Improvements

May cause compatibility problems with legacy applications, so May cause compatibility problems with legacy applications, so you may need to bypass or amend this featureyou may need to bypass or amend this feature

Apply your policy-based security baselineApply your policy-based security baseline

2828

Patch ManagementPatch Management

Approaches:Approaches:

SMS (System Management Server)SMS (System Management Server)

Do-it-yourself, time-consuming but most flexibleDo-it-yourself, time-consuming but most flexible

Software Update ServicesSoftware Update Services

You’re in control, but only for Windows OSYou’re in control, but only for Windows OS

Windows UpdateWindows Update

Little enterprise control, only Windows OS, most pervasiveLittle enterprise control, only Windows OS, most pervasive

Application-vendorApplication-vendor

Installshield Update, HP Software Update and many othersInstallshield Update, HP Software Update and many others

Use tools, such as MBSA, to discover missing patchesUse tools, such as MBSA, to discover missing patches

Microsoft Baseline Security AnalyserMicrosoft Baseline Security Analyser

2929

Virus ProtectionVirus Protection

Defence in-DepthDefence in-Depth

On clientsOn clients

On serversOn servers

On firewallsOn firewalls

Ensure full compliance, especially with signature update Ensure full compliance, especially with signature update serviceservice

Consider dual-vendor approach:Consider dual-vendor approach:

Major system on hostsMajor system on hosts

Secondary system from a different vendor on firewalls and Secondary system from a different vendor on firewalls and communication servers (email etc.)communication servers (email etc.)

3030

Attachment ExecutionAttachment Execution

#1 of Social Engineering attacks (so called #1 of Social Engineering attacks (so called “Layer 8 Vulnerabilities”)“Layer 8 Vulnerabilities”)

EducationEducation is main defence is main defence

Newer software can handle attachments in a Newer software can handle attachments in a protected, safer mannerprotected, safer manner

Outlook 2003Outlook 2003

XP SP2XP SP2

Extends to 3Extends to 3rdrd party applications party applications

Control via GPOsControl via GPOs

3131

Spyware (Malware) ProtectionSpyware (Malware) Protection

90% machines have malicious software, on average 28 90% machines have malicious software, on average 28 separate spyware programs (report by Earthlink & separate spyware programs (report by Earthlink & Webroot)Webroot)

ZombiesZombies

Network bandwidth and CPU degradationNetwork bandwidth and CPU degradation

Commercial secrets leakedCommercial secrets leaked

Privacy destroyedPrivacy destroyed

Best practice:Best practice:

SpyBot Search and Destroy (www.spybot.info)SpyBot Search and Destroy (www.spybot.info)

Microsoft AntiSpyware (in beta)Microsoft AntiSpyware (in beta)

AdAwareAdAware

3232

Traffic FilteringTraffic Filtering

In addition to network firewalls, consider In addition to network firewalls, consider enabling incoming and outgoing traffic filtering enabling incoming and outgoing traffic filtering on each hoston each host

Defence in-depthDefence in-depth

Application and user-specificApplication and user-specific

Only enable protocols and ports required by Only enable protocols and ports required by applications running on the hostapplications running on the host

XP SP2 helps in this on workstationsXP SP2 helps in this on workstations

IPSec rulesets are a great tool for thisIPSec rulesets are a great tool for this

3333

Defending NetworkDefending Network

3434

Many PerimetersMany Perimeters

External – Network EdgeExternal – Network Edge

Between you and internet etc.Between you and internet etc.

DMZ – De-militarized ZoneDMZ – De-militarized Zone

Between network edge and all Between network edge and all protected resourcesprotected resources

Only minimal protection possibleOnly minimal protection possible

Default Security ZoneDefault Security Zone

The traditional LANThe traditional LAN

High Security ZoneHigh Security Zone

““Network inside network”Network inside network”

For key assetsFor key assets

Perimeter (Edge) of IsolationPerimeter (Edge) of Isolation

Assets physically not connected Assets physically not connected to networksto networks

Useful for some key assets (e.g. Useful for some key assets (e.g. master keys)master keys)

DMZDMZ

DefaultDefault

HighHigh

IsolationIsolation

Network EdgeNetwork Edge

3535

Goals of Network SecurityGoals of Network Security

Perimeter Perimeter DefenseDefense

Client Client DefenseDefense

Intrusion Intrusion DetectionDetection

Network Network Access Access ControlControl

Confi-Confi-dentialitydentiality

SecureSecureRemote Remote AccessAccess

ISA ServerISA Server

WF/ICFWF/ICF

802.1x / 802.1x / WPAWPA

IPSecIPSec

3636

Intrusion Detection Systems (IDS)Intrusion Detection Systems (IDS)

A reactive and nascent area with only few tools A reactive and nascent area with only few tools available, e.g.:available, e.g.:

Certain rule sets for Microsoft Operations Manager Certain rule sets for Microsoft Operations Manager (MOM) 2005(MOM) 2005

Monitored “honeypots”Monitored “honeypots”

ISS Internet Scanner (ISS Internet Scanner (www.iss.netwww.iss.net))

NetcatNetcat

3737

HoneypotsHoneypots

Hosts (typically servers) left with known Hosts (typically servers) left with known vulnerabilitiesvulnerabilities

Disconnected from the rest of the networkDisconnected from the rest of the network

Otherwise a major threat to the enterpriseOtherwise a major threat to the enterprise

Heavily monitoredHeavily monitored

Any unauthorised access is allowed to continue in a Any unauthorised access is allowed to continue in a controlled mannercontrolled manner

Provide a great indicator of the source of attack and Provide a great indicator of the source of attack and the abilities of the attackerthe abilities of the attacker

3838

FirewallsFirewalls

ISA Server 2004 greatly helps in coping with ISA Server 2004 greatly helps in coping with abundant (ab)use of port 80abundant (ab)use of port 80

Communication between firewalls and servers Communication between firewalls and servers they protect is a growing concernthey protect is a growing concern

Apart from filtering of traffic, consider using the Apart from filtering of traffic, consider using the firewall for:firewall for:

Virus scanningVirus scanning

Intrusion DetectionIntrusion Detection

Compliance MonitoringCompliance Monitoring

3939

Network Device Port ProtectionNetwork Device Port Protection

WirelessWireless

802.1x or full use of WPA802.1x or full use of WPA

Physical radio coverage modellingPhysical radio coverage modelling

WiredWired

Equivalent of 802.1x for wired networks is currently Equivalent of 802.1x for wired networks is currently being developedbeing developed

Protection against rogue hosts being attachedProtection against rogue hosts being attached

4040

Heterogeneous SystemsHeterogeneous Systems

In reality, most enterprises run a bewildering array of In reality, most enterprises run a bewildering array of systemssystems

Lack of homogeneity creates vulnerabilities in Lack of homogeneity creates vulnerabilities in inconsistencies:inconsistencies:

AuthenticationAuthentication

Multiple PKIsMultiple PKIs

Delegation of administrationDelegation of administration

Incompatible securityIncompatible security

Can also be a benefit: if things go wrong, less is affectedCan also be a benefit: if things go wrong, less is affected

4141

Single Sign-OnSingle Sign-On

Strive for a single user identity and password (or Strive for a single user identity and password (or smartcard) for everythingsmartcard) for everything

Multiple user accounts with same password are a major Multiple user accounts with same password are a major security hole and administrative nightmaresecurity hole and administrative nightmare

Three approaches:Three approaches:Unified authenticationUnified authentication

E.g. “all apps use Kerberos v5 and Microsoft AD”E.g. “all apps use Kerberos v5 and Microsoft AD”

E.g. “use certificates and PKI everywhere”E.g. “use certificates and PKI everywhere”

Synchronised administrationSynchronised administration

E.g. Microsoft Identity Integration ServerE.g. Microsoft Identity Integration Server

Client-basedClient-based

Smartcard that automates multiple authentications (next Smartcard that automates multiple authentications (next session)session)

4242

Unified Delegated AuthenticationUnified Delegated Authentication

Very difficult to impose unless all applications Very difficult to impose unless all applications have been written to use the same systemhave been written to use the same system

In reality only possible when one system is very In reality only possible when one system is very dominant and others sporadicdominant and others sporadic

Such as large AD and a small and limited UNIX Such as large AD and a small and limited UNIX realmrealm

For web-based applications quite possible:For web-based applications quite possible:

.NET Passport, or.NET Passport, or

WS-Federation and WS-Security in generalWS-Federation and WS-Security in general

4343

Distributed PKI AuthenticationDistributed PKI Authentication

Most open and independent solutionMost open and independent solution

Quite future-proofQuite future-proof

Multiple CAs that recognise each otherMultiple CAs that recognise each other

Cross-signingCross-signing

Import of each others’ root certificatesImport of each others’ root certificates

TLS, WS-Security, CAPI and .NET Fx APIsTLS, WS-Security, CAPI and .NET Fx APIs

AD Integration:AD Integration:

AD can provide CA autoenrollment and provisioningAD can provide CA autoenrollment and provisioning

Client certificate properties can automatically translate to AD Client certificate properties can automatically translate to AD users and roles if neededusers and roles if needed

4444

Recommendation on PKIRecommendation on PKI

3-tier structure for resilience and security:3-tier structure for resilience and security:

Root CA (offline)Root CA (offline)

OU CAs (offline)OU CAs (offline)

Issuing CAs (online)Issuing CAs (online)

More discussion on PKI problems and issues in More discussion on PKI problems and issues in later sessions todaylater sessions today

4545

Synchronised AdministrationSynchronised Administration

Microsoft Identity Integration ServerMicrosoft Identity Integration Server

Changes in one system are translated into a Changes in one system are translated into a meta-directory representation and forced on all meta-directory representation and forced on all other participating systemsother participating systems

Can integrate with HR and other systemsCan integrate with HR and other systems

Fully automated staff provisioning is possibleFully automated staff provisioning is possible

Works between AD/AD and AD/other-directoriesWorks between AD/AD and AD/other-directories

4646

Microsoft Guidance Microsoft Guidance ChecklistsChecklists

4747

Application Server Best PracticesApplication Server Best Practices

Configure security on the base operating system

Apply operating system and application service packs and patches

Install or enable only those services that are required

Applications accounts should be assigned with the minimal permissions

Apply defense-in-depth principles to increase protection

Assign only those permissions needed to perform required tasks

4848

Top Ten Things to Secure ExchangeTop Ten Things to Secure Exchange

Install the latest service pack

Install all applicable security patches

Run MBSA

Check relay settings

Disable or secure well-known accounts

Use a layered antivirus approach

Use a firewall

Evaluate ISA Server

Secure OWA

Implement a backup strategy

1

2

3

4

5

6

7

8

9

10

4949

Top Ten Things to Protect SQL ServerTop Ten Things to Protect SQL Server

Install the most recent service pack

Run MBSA

Configure Windows authentication

Isolate the server and back it up

Check the sa password

Limit privileges of SQL services

Block ports at your firewall

Use NTFS

Remove setup files and sample databases

Audit connections

1

2

3

4

5

6

7

8

9

10

5050

Security Guidelines for UsersSecurity Guidelines for Users

Choose complex passwords*

Protect passwords

Lock unattended computers*

Do not log on using a privileged account*

Run only trusted programs*

Do not open suspicious attachments*

Do not fall prey to social engineering

Review your organization’s security policies

Do not attempt to override security settings*

Report suspicious incidents

1

2

3

4

5

6

7

8

9

10*These security guidelines can be fully or partially implemented through centralized policies

5151

SummarySummary

5252

SummarySummary

A systematic approach, such as Defence-in-A systematic approach, such as Defence-in-Depth, helps to secure every angleDepth, helps to secure every angle

Education and ongoing research are as Education and ongoing research are as important as technologiesimportant as technologies

Follow the prescriptive security guidance from Follow the prescriptive security guidance from your suppliersyour suppliers