Thomas Levy

Agenda 1.Aims: CIAN 2.Common Business Attacks 3.Information Security & Risk Management 4.Access Control 5.Cryptography 6.Physical Security 7.Security Architecture & Design

Agenda Continued 7.Business Continuity & Disaster Recovery Planning 8.Telecommunications & Network Security 9.Application Security 10.Operations Security 11.Legal, Regulations, Compliance & Investigations 12.Summary

Aims: CIAN To be able to protect information assets ensuring: Confidentiality Integrity Availability Non – repudiation

Common Business Attacks DNS BGP XSS XSRF DoS Injection

Information Security & Risk Management Security Baselines Audit Frameworks Reporting Risk Management

Access Control Information & User Classification Access Control Categories and Types Threats to Access Control Access Control Assurance

Cryptography Confidentiality, Integrity & Authenticity Data Storage Data Transmission Symmetric vs Asymmetric Digital Signatures & Envelopes End to End Encryption

Physical Security Additional layers of security which work in conjunction with the technical layers to provide a greater defence in depth

Security Architecture & Design Software Hardware

Business Continuity & Disaster Recovery Planning Failure to prepare is preparing to fail Revenue Loss Additional Expenses Damaged Reputation

Telecommunications & Network Security OSI model TCP / IP model

Application Security Buffer Overflows Malicious Software Social Engineering Trapdoors

Operations Security Misuse prevention Continuity of operations Fault tolerance Data protection Configuration management Patch management

Legal, Regulations, Compliance & Investigations Privacy Liability Computer Crime Incident Handling & Response Capability

Summary 1.Secure the weakest link 2.Practise defence in depth 3.Fail securely 4.Follow the principle of least privilege 5.Compartmentalise 6.Keep it simple 7.Promote privacy 8.Remember that hiding secrets is hard 9.Be reluctant to trust 10.Use your community resources