Presentation is loading. Please wait.

Presentation is loading. Please wait.

Topic Outline — Information security? — Security Why? — Security approach — Vocabulary — The weakest link — Real life security sample.

Published byDomenic McLaughlin Modified over 9 years ago

Similar presentations

Presentation on theme: "Topic Outline — Information security? — Security Why? — Security approach — Vocabulary — The weakest link — Real life security sample."— Presentation transcript:

1

2 Topic Outline — Information security? — Security Why? — Security approach — Vocabulary — The weakest link — Real life security sample

3 Information security? Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destructioninformation systems

4 Information security? According to Wikipedia, ISO2700x, CISSP, SANS,…. — Confidentiality: Classified information must, be protected from unauthorized disclosure. — Integrity: Information must be protected against unauthorized changes and modification. — Availability: the information processed, and the services provided must be protected from deliberate or accidental loss, destruction, or interruption of services.

5 Information security? Security attributes according to the Belgian privacy commission — Confidentiality — Integrity — Availability + — Accountability — Non-repudiation — Authenticity — Reliability

6 CIA Exercise Defacing of Belgian Army website

7 Confidentiality ?? Webserver only hosting public information? Webserver separated from LAN? — Integrity Unauthorized changes! — Availability Information is no longer available CIA Exercise

8 Security Why? Compliance with law Protect (valuable) assets —Prevent production breakdowns —Protect reputation, (non-)commercial image —Meet customer & shareholder requirements —Keep personnel happy

9 Security approach Both technical and non-technical countermeasures. —Top-management approval and support! —Communicate! —Information security needs a layered approach!!! Best practices – COBIT Control Objectives for Information and related Technology – ISO 27002 (ISO 17799) Code of practice for information security management – …..

10 ISO27002 Section 0 Introduction Section 1 Scope Section 2 Terms and Definitions Section 3 Structure of the Standard Section 4 Risk Assessment and Treatment Section 5 Security Policy Section 6 Organizing Information Security Section 7 Asset Management Section 8 Human Resources Security Section 9 Physical and Environmental Security Section 10 Communications and Operations Management Section 11 Access Control Section 12 Information Systems Acquisition, Development and Maintenance Section 13 Information Security Incident Management Section 14 Business Continuity Management Section 15 Compliance

11 ISO27002 -Example Security audit local government > 500 employees Technique: Social Engineering

12 Security vocabulary - Threat A potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community. —Samples: Fire Death of a key person (SPOK or Single Point of Knowledge) Crash of a critical network component e.g. core switch (SPOF: single point of failure)

13 Security vocabulary - Damage Harm or injury to property or a person, resulting in loss of value or the impairment of usefulness — Damage in information security: – Operational – Financial – Legal – Reputational Example: —Damage defaced Belgian Army website? – Operational: probably (temporary frontpage, patch management,….) – Financial: probably (training personnel, hiring consultancy,….) – Legal: probably (lawsuit against external responsible?) – Reputational: certainly!

14 Damage Combination of the probability of an event and its consequence. Risk components Threat (probability) Damage (amount) — Example: Damage ProcessThreatOFLRMax impactProbabilityRisk Food freezingElectricity Failure > 24 h4322428

15 The Zen of Risk What is just the right amount of security? Seeking Balance between Security (Yin) and Business (Yang) CostPotential Loss CountermeasuresProductivity

16 Authentication: technologies used to determine the authenticity of users, network nodes, and documents Authorization: who is allowed to do what? Accountability: is it possible to find out who has made any operations? Strong authentication (two-factor or multifactor) Something you know (password, PIN,…) Something you have (token,…) Something you are (fingerprint, …)

17 The weakest link Countermeasures: Force password policy on server Train personnel Use strong authentication … SEC_RITY is not complete without U!

18 The weakest link Countermeasures: Implement security & access policies Job rotation Encryption Employee awareness training Audit trail of all accesses to documents …. Amateurs hack systems, professionals hack people!

19 Attacks & Countermeasures StepCountermeasures (short list) 1. ReconnaissanceBe careful with information 2. Network mappingNetwork IDS – block ICMP 3. ExploitingSystem hardening 4. Keeping accessIDS – Antivirus – rootkit scanners 5. Covering Tracks Reconnaissance (information gathering): Searching interesting information on discussion groups/forum, social networks, customer reference lists, Google hacks…

20 Hacking Steps High security (war)zone Illiterate (local) cleaning personnel (Use opportunities!!!) Physical security: Personnel clearance Physical control Pc placement Clean desk policy Shredder Lock screen policy Fiber to pc Logical security VLAN’s Password policy

21 We LEARNED… Security is CIA(+) Confidentiality, Integrity, Availability + Accountability, Non-repudiation, Authenticity, Reliability —Why: law, reputation, production continuity,… —Approach: layered, technical & non-technical, support from CEO, lots of communication —Vocabulary: threat, damage, risk, (strong)authentication, authorization, accountability —Risk = threat * damage —Security balance: loss vs. cost & countermeasures vs. productivity The weakest link is personnel! —A hacker starts with information gathering

22 End of Topic

23 You are INVITED…

Download ppt "Topic Outline — Information security? — Security Why? — Security approach — Vocabulary — The weakest link — Real life security sample."

Similar presentations

Driving Factors Security Risk Mgt Controls Compliance.

Driving Factors Security Risk Mgt Controls Compliance.
Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Auditing Computer Systems

Auditing Computer Systems
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.

Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!
Chapter 3: Information Security Framework

Chapter 3: Information Security Framework
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.
Author: Andy Reedftp://topsurf.co.uk/reed FdSc IT/Computer Networking & IT(e-commerce) Communications Network Management An Introduction to Security.

Author: Andy Reedftp://topsurf.co.uk/reed FdSc IT/Computer Networking & IT(e-commerce) Communications Network Management An Introduction to Security.
Agenda  Introduce key concepts in information security from the practitioner’s viewpoint.  Discuss identifying and prioritizing information assets through.

Agenda  Introduce key concepts in information security from the practitioner’s viewpoint.  Discuss identifying and prioritizing information assets through.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google