Thomas Levy
Agenda
1. Aims: CIAN
2. Common Business Attacks
3. Information Security & Risk Management
4. Access Control
5. Cryptography
6. Physical Security
7. Security Architecture & Design
8. Business Continuity & Disaster Recovery Planning
9. Telecommunications & Network Security
10. Application Security
11. Operations Security
12. Legal, Regulations, Compliance & Investigations
13. Summary
Aims: CIAN
To be able to protect information assets, ensuring:
  Confidentiality
  Integrity
  Availability
  Non-repudiation
Common Business Attacks
  DNS
  BGP
  XSS
  XSRF
  DoS
  Injection
Information Security & Risk Management
  Security Baselines
  Audit Frameworks
  Reporting
  Risk Management
Access Control
  Information & User Classification
  Access Control Categories and Types
  Threats to Access Control
  Access Control Assurance
Cryptography
  Confidentiality, Integrity & Authenticity
  Data Storage
  Data Transmission
  Symmetric vs Asymmetric
  Digital Signatures & Envelopes
  End-to-End Encryption
Physical Security
  Additional layers of security that work in conjunction with the technical layers to provide greater defence in depth
Security Architecture & Design
  Software
  Hardware
Business Continuity & Disaster Recovery Planning
  Failure to prepare is preparing to fail
  Revenue Loss
  Additional Expenses
  Damaged Reputation
Telecommunications & Network Security
  OSI model
  TCP/IP model
Application Security
  Buffer Overflows
  Malicious Software
  Social Engineering
  Trapdoors
Operations Security
  Misuse prevention
  Continuity of operations
  Fault tolerance
  Data protection
  Configuration management
  Patch management
Legal, Regulations, Compliance & Investigations
  Privacy
  Liability
  Computer Crime
  Incident Handling & Response Capability
Summary
1. Secure the weakest link
2. Practise defence in depth
3. Fail securely
4. Follow the principle of least privilege
5. Compartmentalise
6. Keep it simple
7. Promote privacy
8. Remember that hiding secrets is hard
9. Be reluctant to trust
10. Use your community resources