Topic Outline — Information security? — Security Why? — Security approach — Vocabulary — The weakest link — Real life security sample.


Topic Outline — Information security? — Security Why? — Security approach — Vocabulary — The weakest link — Real life security sample

Information security? Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Information security? According to Wikipedia, ISO2700x, CISSP, SANS, … — Confidentiality: classified information must be protected from unauthorized disclosure. — Integrity: information must be protected against unauthorized changes and modification. — Availability: the information processed and the services provided must be protected from deliberate or accidental loss, destruction, or interruption of service.

Information security? Security attributes according to the Belgian privacy commission — Confidentiality — Integrity — Availability + — Accountability — Non-repudiation — Authenticity — Reliability

CIA Exercise Defacing of Belgian Army website

CIA Exercise — Confidentiality: ?? (Webserver only hosting public information? Webserver separated from LAN?) — Integrity: unauthorized changes! — Availability: information is no longer available.

Security Why? Compliance with law Protect (valuable) assets —Prevent production breakdowns —Protect reputation, (non-)commercial image —Meet customer & shareholder requirements —Keep personnel happy

Security approach Both technical and non-technical countermeasures. —Top-management approval and support! —Communicate! —Information security needs a layered approach!!! Best practices – COBIT Control Objectives for Information and related Technology – ISO (ISO 17799) Code of practice for information security management – …..

ISO27002 Section 0 Introduction Section 1 Scope Section 2 Terms and Definitions Section 3 Structure of the Standard Section 4 Risk Assessment and Treatment Section 5 Security Policy Section 6 Organizing Information Security Section 7 Asset Management Section 8 Human Resources Security Section 9 Physical and Environmental Security Section 10 Communications and Operations Management Section 11 Access Control Section 12 Information Systems Acquisition, Development and Maintenance Section 13 Information Security Incident Management Section 14 Business Continuity Management Section 15 Compliance

ISO Example Security audit local government > 500 employees Technique: Social Engineering

Security vocabulary - Threat A potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community. —Samples: Fire Death of a key person (SPOK or Single Point of Knowledge) Crash of a critical network component e.g. core switch (SPOF: single point of failure)

Security vocabulary - Damage Harm or injury to property or a person, resulting in loss of value or the impairment of usefulness — Damage in information security: – Operational – Financial – Legal – Reputational Example: —Damage defaced Belgian Army website? – Operational: probably (temporary frontpage, patch management,….) – Financial: probably (training personnel, hiring consultancy,….) – Legal: probably (lawsuit against external responsible?) – Reputational: certainly!

Risk: combination of the probability of an event and its consequence. Risk components: Threat (probability), Damage (amount). — Example (O/F/L/R = operational, financial, legal, reputational damage):
Process | Threat | O | F | L | R | Max impact | Probability | Risk
Food freezing | Electricity failure > 24 h | | | | | | |
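As an added illustration (not part of the original slides), the risk table above implemented as a small Python risk register: each scenario scores damage per O/F/L/R category, the maximum becomes the impact, and risk = probability * max impact, as the slide states. The 1-5 impact scale, the yearly probabilities and all scenario values are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Damage categories from the slides: Operational, Financial, Legal, Reputational.
CATEGORIES = ("O", "F", "L", "R")


@dataclass
class Scenario:
    process: str
    threat: str
    damage: Dict[str, int]   # category -> impact score on an assumed 1..5 scale
    probability: float       # assumed probability of occurrence per year (0..1)

    def max_impact(self) -> int:
        """The 'Max impact' column: the worst score over the four damage categories."""
        return max(self.damage.get(c, 0) for c in CATEGORIES)

    def risk(self) -> float:
        """Risk = threat (probability) * damage (amount), as on the slide."""
        return round(self.probability * self.max_impact(), 2)


def rank(scenarios: List[Scenario]) -> List[Scenario]:
    """Order the register by risk, highest first, so countermeasures go where they matter."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


def residual_risk(s: Scenario, probability_after: float) -> float:
    """Risk left after a countermeasure lowers the probability (e.g. a UPS/generator
    for the electricity-failure threat). Impact is assumed unchanged."""
    return round(probability_after * s.max_impact(), 2)


# Constructed register: the slide's food-freezing example plus two scenarios from other slides.
FOOD = Scenario("Food freezing", "Electricity failure > 24 h",
                {"O": 5, "F": 4, "L": 2, "R": 3}, probability=0.1)
DEFACEMENT = Scenario("Army website", "Defacement",
                      {"O": 2, "F": 2, "L": 1, "R": 5}, probability=0.3)
KEY_PERSON = Scenario("Key person", "Death of SPOK",
                      {"O": 4, "F": 3, "L": 1, "R": 1}, probability=0.05)
REGISTER = [FOOD, DEFACEMENT, KEY_PERSON]

if __name__ == "__main__":
    print("Process | Threat | Max impact | Probability | Risk")
    for s in rank(REGISTER):
        print(f"{s.process} | {s.threat} | {s.max_impact()} | {s.probability} | {s.risk()}")
    print("Food freezing with backup power:", residual_risk(FOOD, 0.02))
```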

The Zen of Risk What is just the right amount of security? Seeking balance between Security (Yin) and Business (Yang): Cost vs. Potential Loss; Countermeasures vs. Productivity

Authentication: technologies used to determine the authenticity of users, network nodes, and documents. Authorization: who is allowed to do what? Accountability: is it possible to find out who performed which operations? Strong authentication (two-factor or multi-factor): something you know (password, PIN, …), something you have (token, …), something you are (fingerprint, …)

The weakest link Countermeasures: Force password policy on server Train personnel Use strong authentication … SEC_RITY is not complete without U!

The weakest link Countermeasures: Implement security & access policies Job rotation Encryption Employee awareness training Audit trail of all accesses to documents …. Amateurs hack systems, professionals hack people!

Attacks & Countermeasures
Step | Countermeasures (short list)
1. Reconnaissance | Be careful with information
2. Network mapping | Network IDS – block ICMP
3. Exploiting | System hardening
4. Keeping access | IDS – Antivirus – rootkit scanners
5. Covering tracks |
Reconnaissance (information gathering): searching for interesting information on discussion groups/forums, social networks, customer reference lists, Google hacks, …

Hacking Steps High security (war)zone — Illiterate (local) cleaning personnel (Use opportunities!!!) — Physical security: personnel clearance, physical control, PC placement, clean desk policy, shredder, lock screen policy, fiber to PC — Logical security: VLANs, password policy

We LEARNED… Security is CIA(+): Confidentiality, Integrity, Availability + Accountability, Non-repudiation, Authenticity, Reliability —Why: law, reputation, production continuity, … —Approach: layered, technical & non-technical, support from CEO, lots of communication —Vocabulary: threat, damage, risk, (strong) authentication, authorization, accountability —Risk = threat * damage —Security balance: loss vs. cost & countermeasures vs. productivity —The weakest link is personnel! —A hacker starts with information gathering

End of Topic

You are INVITED…