Copyright Justin C. Klein Keane InfoSec Training Introduction to Information Security Concepts.


Vocabulary: Security Policy
- Describes how a system is supposed to function
- Can be explicit (written down) or implicit (assumed)
- Spells out what is expected to be protected and what counts as a violation
- If your users don't have passwords, is an account hijack a violation of policy?

Vocabulary: Incident
- A security incident is a violation (or series of violations) of a system's security policy
- Scope can vary from narrow to broad
- Incidents are events caused by (usually malicious) behavior
- Can be automated (a virus) or manual (abuse of access)

Vocabulary: Threat
- A potential cause of a security incident
- Can be purposeful (a specific tool used to break into a site, or a malicious insider)
- Or accidental (flood, fire, lost backup tape, etc.)

Vocabulary: Vulnerability
- A flaw in a system that could allow a threat to violate the security policy
- Can result from oversight or from the architecture itself
- Logic flaws can present vulnerabilities
- Vulnerabilities are static properties of a system: they exist whether or not anyone is currently exploiting them

Vocabulary: Exploit
- An exploit is a threat capitalizing on a vulnerability (the word is also used for the code or technique that does so)
- Exploits can be manual or automated
- A working exploit demonstrates that there is a real problem with a system

Vocabulary: Malware
- Malicious software: software that does bad stuff
- Includes virus and worm code
- Includes software designed to modify legitimate systems to:
  - Allow unauthorized remote access
  - Hide evidence of intrusion
  - Exfiltrate data from a target
  - Surreptitiously monitor user activity
  - And more...

What is Security?
- Defined in terms of threats
- Secure from what?

Security Concepts: The Golden Rule (Au)
- Authentication: users are who they claim to be, or at least can present valid credentials
- Authenticity: data has not been altered and remains true to its original form
- Audit: the system can track which users performed what activity on what data

Security as Asset Protection
- A secure system must protect:
  - Confidentiality (threat: information disclosure)
  - Integrity, and with it reliability (threat: data corruption)
  - Access, i.e. availability (threat: denial of service)

Security Lifecycle
- Security is a process, not a product
- Complexity is the enemy of security
- Security is an evolving landscape
- "Secure" is a point-in-time evaluation
- "Secure" is defined relative to known threats

0 day
- A 0 day (zero-day) is a vulnerability for which no patch is available, typically because the vendor does not yet know about it
- If 0 day cannot be predicted, how can we defend against it?
- 0 day can often be mitigated even when it cannot be patched (least privilege, network segmentation, disabling features that are not needed)
- How can we detect 0 day? By watching for its effects (unexpected processes, connections, log entries) rather than for a known signature
- Defense in depth is often the only defense against 0 day
- When evaluating security you should assume 0 day exists in every component

A Word on Software Bugs
- Software engineering is a robust and mature field of academic study
- Even so, all software projects of sufficient size and complexity contain bugs, regardless of development process
- Some fraction of those bugs will be security relevant
- Conclusion: all non-trivial software contains security-related bugs

Classifying Software Bugs
- Not all bugs are the same
- Bugs may present wildly varying threats
- Bugs may carry different risks
- All bugs are significant, however; which ones matter most is a risk question, not a given

Even if it's bug free
- Bug-free software can still have vulnerabilities:
- Configuration problems:
  - Default or weak credentials
  - Improper trust model
  - Etc.
- Logic flaws:
  - Fundamentally insecure design
  - Software functions exactly as designed, but the result is an unintended vulnerability
- Two bug-free systems may still interact insecurely

Vulnerability Synergy
- Linking one vulnerability to another (vulnerability chaining)
- Chains of low-risk, or low-significance, vulnerabilities can add up to a serious compromise
- Even if every highest-risk bug is patched, a combination of low-risk bugs could still lead to compromise

Sisyphean Task
- A sufficiently resourced and motivated attacker will always compromise security
- Defenders must be right 100% of the time; attackers need only succeed once
- You can't possibly defend against everything
- Attacker motivation is unknowable

Protect, Detect, React
- The security lifecycle, also known as the "security hamster wheel of pain"
- EVERY step is critical
- Detection depends on observation and reporting
- Logs are some of the best places to do detection
- More on each step later
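As an added illustration of doing detection in logs (example code written for this page, not part of the original slides), the following Python flags password guessing against sshd. The auth-log lines are constructed, and the threshold of five failures inside a sixty-second window, together with the assumed log year, are assumptions chosen for the example, not values from the slides.

```python
"""Detect password-guessing against sshd from auth-log lines.

Added example for this page (not the author's code). The log lines below are
constructed; the threshold, window and assumed year are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the common OpenSSH auth.log format.
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 08:00:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:00:06 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Mar 10 08:00:08 host sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:00:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 08:01:00 host sshd[1207]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 08:01:30 host sshd[1208]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(lines):
    """Yield (timestamp, result, user, ip) for lines that match the sshd format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; the year is an assumption for the example.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)
            yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: alert} for sources with >= threshold failures inside a sliding window.

    An 'Accepted' login from an IP that already tripped the threshold is recorded
    as a likely successful guess, which is the event worth paging on.
    """
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            failures[ip].append(ts)
            # Keep only failures inside the window so bursts, not lifetime totals, fire.
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            if len(failures[ip]) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "success_after": None})
                alerts[ip]["failures"] = len(failures[ip])
        elif ip in alerts:
            alerts[ip]["success_after"] = user
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, alert)
```

The same shape (parse, keep state per source, alert on a rate inside a window, escalate when a success follows the failures) carries over to web server and application logs; the point the slide makes is that none of it works unless the events are being written and collected in the first place.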

How can we get ahead?
- The protect/detect/react cycle often requires an incident to move from detect/react back to better protection
- It is important to keep the cycle moving independently of any security incident
- Collecting metrics is key to making informed decisions
- Start with security first...

Secure Design
- Threat modeling
  - Maximize ROI with high-impact, low-cost mitigations
- Good authentication, authorization and audit
- Fault tolerance, or "rugged" design
  - Applications should protect against unexpected actions
  - This includes good exception handling
  - Test-driven design, with tests that should fail (negative tests that prove bad input is rejected)
- Secure application development lifecycle (secure SDLC)
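To make the "rugged design" bullets concrete, here is an added Python example (written for this page, not code from the slides): a handler that refuses anything outside the expected request shape, fails closed on unexpected errors, and carries a list of inputs that must be rejected, which is one reading of "tests that should fail". The transfer request format, the account-id pattern, the amount limit and the error types are assumptions made for the example.

```python
"""Rugged design: validate untrusted input, fail closed, keep negative tests.

Added example (not from the slides). The request shape, limits and error types are
assumptions chosen to illustrate the design points, not a real system's API.
"""
import re
from dataclasses import dataclass

ACCOUNT_RE = re.compile(r"^[A-Z]{2}\d{8}$")   # assumed account-id format
MAX_AMOUNT_CENTS = 1_000_000                   # assumed business limit


class ValidationError(ValueError):
    """Raised for any input the handler refuses; the message is safe to return."""


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount_cents: int


def parse_transfer(payload):
    """Turn an untrusted dict into a Transfer, refusing anything unexpected.

    Every branch that is not the expected shape raises, so a caller bug cannot
    turn a malformed request into a silently wrong transfer.
    """
    if not isinstance(payload, dict):
        raise ValidationError("payload must be an object")
    extra = set(payload) - {"src", "dst", "amount_cents"}
    if extra:
        raise ValidationError("unexpected fields: %s" % ", ".join(sorted(extra)))
    try:
        src, dst, amount = payload["src"], payload["dst"], payload["amount_cents"]
    except KeyError as e:
        raise ValidationError("missing field %s" % e.args[0]) from None
    for name, acct in (("src", src), ("dst", dst)):
        if not isinstance(acct, str) or not ACCOUNT_RE.match(acct):
            raise ValidationError("%s is not a valid account id" % name)
    if src == dst:
        raise ValidationError("src and dst must differ")
    # bool is a subclass of int in Python; reject it explicitly along with floats/strings.
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise ValidationError("amount_cents must be an integer")
    if not 0 < amount <= MAX_AMOUNT_CENTS:
        raise ValidationError("amount_cents out of range")
    return Transfer(src, dst, amount)


def handle(payload, ledger):
    """Apply a transfer; any failure leaves the ledger unchanged and returns an error."""
    try:
        t = parse_transfer(payload)
        if ledger.get(t.src, 0) < t.amount_cents:
            raise ValidationError("insufficient funds")
        ledger[t.src] -= t.amount_cents
        ledger[t.dst] = ledger.get(t.dst, 0) + t.amount_cents
        return {"ok": True}
    except ValidationError as e:
        return {"ok": False, "error": str(e)}
    except Exception:
        # An unexpected bug must not become a success; detail belongs in logs, not the reply.
        return {"ok": False, "error": "internal error"}


# "Tests that should fail": each of these must be rejected. A change that lets any of
# them through is a regression in the protection, not a feature.
SHOULD_BE_REJECTED = [
    {"src": "GB00000001", "dst": "GB00000002", "amount_cents": -5},
    {"src": "GB00000001", "dst": "GB00000002", "amount_cents": 10.5},
    {"src": "GB00000001", "dst": "GB00000002", "amount_cents": True},
    {"src": "GB00000001", "dst": "GB00000001", "amount_cents": 100},
    {"src": "GB00000001", "dst": "GB00000002", "amount_cents": 100, "admin": True},
    {"src": "GB00000001' OR 1=1--", "dst": "GB00000002", "amount_cents": 100},
    "not an object",
]


def negative_tests_pass():
    """True only if every item in SHOULD_BE_REJECTED is refused and the ledger is untouched."""
    ledger = {"GB00000001": 500}
    results = [handle(p, ledger) for p in SHOULD_BE_REJECTED]
    return all(not r["ok"] for r in results) and ledger == {"GB00000001": 500}
```

The negative-test list is the part most teams skip: it records the attacker-shaped inputs the design decided to refuse, so a later refactor that quietly accepts a float amount or an extra "admin" field fails the build instead of shipping.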

Penetration Testing
- Actively attacking your own systems
- Can reveal flaws and gaps in protection
- Can proactively identify vulnerabilities before an attacker does, shrinking the window in which a bug is effectively a 0 day against you
- Helps frame the risk assessment more accurately

Application Security Testing
- Black box: penetration testing with no internal knowledge of the application
- Gray box: some level of access and documentation available
- White box: full code review, often combined with other testing tools

Using Automation
- Automation is critical for a timely review
- Automation can lead to false positives
- Automated tools without skilled human operators can be useless:
  - Deluge of false positives
  - Poor risk assignment

Gold Standard for Security Reporting
- A report after a security review should include:
  - List of vulnerabilities, ranked and grouped by severity
  - Demonstration of exploit (proof that each finding is real)
  - Suggested mitigations and workarounds
  - Patches and/or fixes for each issue
- A good security test should be repeatable

Resource Allocation
- In the real world resources are limited
- Given the scope of security, it is impossible to cover all fronts
- How does one make smart resource allocation decisions?

Risk Calculations
- Risk can be used to draw comparisons
- Risk is generally calculated as: Risk = Likelihood x Severity
- Good risk ratings let you compare apples to apples
- They focus attention and resources on the greatest need
- How can we baseline these without METRICS?
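An added Python example (written for this page, not a tool from the slides) that applies Risk = Likelihood x Severity to a set of findings and produces the ranked, grouped, repeatable listing the reporting slide asks for. The 1-5 ordinal scales, the band cut-offs and the sample findings are all constructed assumptions; a real program would calibrate the scales against its own metrics.

```python
"""Rank findings by Risk = Likelihood x Severity and group them for a report.

Added example (not the slides' own tool). The ordinal scales, band cut-offs and
sample findings are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed 1-5 ordinal scale used for both likelihood and severity.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    likelihood: str    # key into SCALE
    severity: str      # key into SCALE
    reproduction: str  # the step that makes the finding repeatable

    @property
    def risk(self):
        return SCALE[self.likelihood] * SCALE[self.severity]


def band(score):
    """Map a 1-25 product onto report bands (cut-offs are assumptions)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank(findings):
    """Highest risk first; ties broken by severity, then by id.

    Sorting on a fixed key is what makes two runs over the same findings produce
    the same report, which is the 'repeatable' property the reporting slide wants.
    """
    return sorted(findings, key=lambda f: (-f.risk, -SCALE[f.severity], f.id))


def group_by_band(findings):
    grouped = {"critical": [], "high": [], "medium": [], "low": []}
    for f in rank(findings):
        grouped[band(f.risk)].append(f)
    return grouped


def render(findings):
    """Plain-text report: one section per band, each finding with its reproduction step."""
    lines = []
    for name, items in group_by_band(findings).items():
        if not items:
            continue
        lines.append("%s (%d)" % (name.upper(), len(items)))
        for f in items:
            lines.append("  %s  risk=%2d  L=%s S=%s  %s"
                         % (f.id, f.risk, f.likelihood, f.severity, f.title))
            lines.append("      repro: %s" % f.reproduction)
    return "\n".join(lines)


# Constructed sample findings (illustrative, not from any real assessment).
SAMPLE = [
    Finding("F-1", "SQL injection in search", "high", "very high", "GET /search?q=' OR 1=1--"),
    Finding("F-2", "Verbose stack trace on error", "very high", "low", "POST /login with malformed JSON"),
    Finding("F-3", "Default admin password", "medium", "very high", "admin/admin on /console"),
    Finding("F-4", "Directory listing on /static", "high", "very low", "GET /static/"),
    Finding("F-5", "Missing Secure flag on cookie", "low", "medium", "inspect Set-Cookie header"),
]

if __name__ == "__main__":
    print(render(SAMPLE))
```

Note what the arithmetic does and does not give you: F-2 (very likely, low severity) and F-3 (less likely, very severe) land in different bands only because of the assumed cut-offs, and a chain such as F-2 plus F-4 would need to be re-rated as one finding, which is the point of the vulnerability synergy slide.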

Flaw in Risk Calculation
- Likelihood can never actually be measured, because it is within the attacker's control
- How can you quantify what you don't know?
- Severity may hinge on unknown consequences or on attacker motivation
- Some resources may escape the risk calculation entirely

Non-Technical Threats
- Risk calculation involves assessing threats
- Some threats are not strictly system related:
  - Reputational damage
  - Misinformation
  - Business risks (e.g. loss of grant funding)

Typical Poor Risk Calculation
- A home user doesn't protect their machine because they "have no data of value"
- Their calculation: Risk = medium likelihood x low impact
- The home user may not understand the full impact:
  - Attacker can use the webcam
  - Attacker can use the microphone to record conversations
  - Attacker can use the connection to compromise the wireless router and offer anonymous wireless access to others

Linchpin in Most Flaws
- Many risk calculations fail because the assessor measures risk based on perceived attacker motivation
- Without understanding what an attacker is after, there is no effective way to protect resources
- "Industry best practice" may provide a guide when motivation cannot be known

Moving Forward
- The goal is an adaptive, metrics-based information security program
- Resources should be fluid, allocated based on actual need
- Reactive capabilities should be maximized
- Misguided protective measures should be reduced
- Constant metrics gathering and re-evaluation
- Learn, grow, share