Ivo Depoorter
Whois I
• Functions
  • Sysadmin, DBA, CIO, ADP instructor, SSO, Security consultant
• Career (20 y)
  • NATO – Local government – Youth care
• Training
  • Lots of Microsoft, Linux, networking, programming…
  • Security: Site Security Officer, CISSP, BCM, Ethical Hacking, network scanning, …
Course outline
• Information security?
• Security: why?
• Security approach
• Vocabulary
• The weakest link
• Real life security sample
Information security?
According to Wikipedia, ISO 2700x, CISSP, SANS, …
• Confidentiality: classified information must be protected from unauthorized disclosure.
• Integrity: information must be protected against unauthorized changes and modification.
• Availability: the information processed and the services provided must be protected from deliberate or accidental loss, destruction, or interruption of service.
Information security?
Security attributes according to the Belgian Privacy Commission
• Confidentiality
• Integrity
• Availability
+
• Accountability
• Non-repudiation
• Authenticity
• Reliability
CIA Exercise
Defacing of Belgian Army website
• Confidentiality
  • ??
  • Webserver only hosting public information?
  • Webserver separated from LAN?
• Integrity
  • Unauthorized changes!
• Availability
  • Information is no longer available
Security: why?
• Compliance with law
• Protect (valuable) assets
• Prevent production breakdowns
• Protect reputation, (non-)commercial image
• Meet customer & shareholder requirements
• Keep personnel happy
Security approach
• Both technical and non-technical countermeasures.
• Top-management approval and support!
• Communicate!
• Information security needs a layered approach!!!
• Best practices
  • COBIT: Control Objectives for Information and related Technology
  • ISO 27002 (ISO 17799): Code of practice for information security management
  • …
ISO 27002
• Section 0 Introduction
• Section 1 Scope
• Section 2 Terms and Definitions
• Section 3 Structure of the Standard
• Section 4 Risk Assessment and Treatment
• Section 5 Security Policy
• Section 6 Organizing Information Security
• Section 7 Asset Management
• Section 8 Human Resources Security
• Section 9 Physical and Environmental Security
• Section 10 Communications and Operations Management
• Section 11 Access Control
• Section 12 Information Systems Acquisition, Development and Maintenance
• Section 13 Information Security Incident Management
• Section 14 Business Continuity Management
• Section 15 Compliance
ISO 27002 - Example
Security audit: local government, > 500 employees
Technique: Social Engineering
Internal audit
[Diagram: audit areas (Procedures, Physical access, Logical access) mapped to ISO 27002 sections 10, 9, 11 and 15]
Security vocabulary - Threat
• A potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community. (BCI)
• Samples:
  • Fire
  • Death of a key person (SPOK: single point of knowledge)
  • Crash of a critical network component, e.g. core switch (SPOF: single point of failure)
  • …
Security vocabulary - Damage
• Harm or injury to property or a person, resulting in loss of value or the impairment of usefulness
• Damage in information security:
  • Operational
  • Financial
  • Legal
  • Reputational
• Damage from the defaced Belgian Army website?
  • Operational: probably (temporary front page, patch management, …)
  • Financial: probably (training personnel, hiring consultancy, …)
  • Legal: probably (lawsuit against the external party responsible?)
  • Reputational: certainly!
Security vocabulary - Risk
• Combination of the probability of an event and its consequence.
• Risk components
  • Threat (probability)
  • Damage (amount)
• Example (damage rated per category O/F/L/R = Operational, Financial, Legal, Reputational; Max impact = highest category rating; Risk = Max impact × Probability):

  Process        Threat                      Damage O F L R   Max impact   Probability   Risk
  Food freezing  Electricity failure > 24 h  4 3 2 2          4            2             8
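The scoring rule of the table above, carried over a small risk register as an added example (not code from the deck): each threat is rated per damage category, the worst category gives the max impact, and Risk = max impact × probability. The first row is the slide's own example; the other rows, the 1..4 rating scale and the treatment threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Damage categories from the 'Security vocabulary - Damage' slide.
CATEGORIES = ("O", "F", "L", "R")  # Operational, Financial, Legal, Reputational
MIN_RATING, MAX_RATING = 1, 4      # assumed rating scale (the slide's row uses values 2..4)


@dataclass(frozen=True)
class RiskEntry:
    process: str
    threat: str
    damage: dict      # category letter -> rating
    probability: int

    def __post_init__(self):
        # Reject incomplete or out-of-scale rows before they distort the ranking.
        missing = [c for c in CATEGORIES if c not in self.damage]
        if missing:
            raise ValueError(f"{self.process}: missing damage categories {missing}")
        for name, value in [*self.damage.items(), ("probability", self.probability)]:
            if not MIN_RATING <= value <= MAX_RATING:
                raise ValueError(f"{self.process}: {name} rating {value} outside "
                                 f"{MIN_RATING}..{MAX_RATING}")

    @property
    def max_impact(self) -> int:
        # The slide takes the worst damage category, not the sum of the four.
        return max(self.damage[c] for c in CATEGORIES)

    @property
    def risk(self) -> int:
        # Risk = max impact * probability (the deck's "Risk = threat * damage").
        return self.max_impact * self.probability


def rank_register(entries):
    """Return the entries ordered from highest to lowest risk (ties keep input order)."""
    return sorted(entries, key=lambda e: e.risk, reverse=True)


def needs_treatment(entries, threshold):
    """Entries whose risk reaches the (assumed) acceptance threshold, in input order."""
    return [e for e in entries if e.risk >= threshold]


def format_table(entries):
    """Render a register in the layout of the slide's table."""
    lines = ["Process          Threat                        O F L R  Max  Prob  Risk"]
    for e in entries:
        d = " ".join(str(e.damage[c]) for c in CATEGORIES)
        lines.append(f"{e.process:<16} {e.threat:<29} {d}  {e.max_impact:<4} "
                     f"{e.probability:<5} {e.risk}")
    return "\n".join(lines)


# Constructed register: row 1 is the slide's example, the rest reuse threats
# named on the 'Threat' slide (SPOF, SPOK) and the defacement case study.
REGISTER = [
    RiskEntry("Food freezing", "Electricity failure > 24 h", {"O": 4, "F": 3, "L": 2, "R": 2}, 2),
    RiskEntry("Public website", "Defacement", {"O": 2, "F": 2, "L": 2, "R": 4}, 3),
    RiskEntry("Core network", "Core switch crash (SPOF)", {"O": 4, "F": 2, "L": 1, "R": 2}, 1),
    RiskEntry("Payroll", "Death of key person (SPOK)", {"O": 3, "F": 2, "L": 2, "R": 1}, 1),
]

if __name__ == "__main__":
    print(format_table(rank_register(REGISTER)))
    for e in needs_treatment(REGISTER, threshold=8):   # assumed threshold
        print(f"treat: {e.process} / {e.threat} (risk {e.risk})")
```

Note that with the max-impact rule a threat rated 4/1/1/1 scores the same as 4/3/2/2; if the sum of categories matters to the organisation, the aggregation in `max_impact` is the one place to change.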
The Zen of Risk
• What is just the right amount of security?
• Seeking balance between Security (Yin) and Business (Yang)
  • Potential loss vs. cost
  • Countermeasures vs. productivity
Security vocabulary - AAA
• Authentication: technologies used to determine the authenticity of users, network nodes, and documents
• Authorization: who is allowed to do what?
• Accountability: is it possible to find out who performed which operations?
• Strong authentication (two-factor or multifactor)
  • Something you know (password, PIN, …)
  • Something you have (token, …)
  • Something you are (fingerprint, …)
The weakest link
SEC_RITY is not complete without U!
Countermeasures:
• Enforce the password policy on the server
• Train personnel
• Use strong authentication
• …
The weakest link
Amateurs hack systems, professionals hack people!
Countermeasures:
• Implement security & access policies
• Job rotation
• Encryption
• Employee awareness training
• Audit trail of all accesses to documents
• …
Hacking steps

  Step                  Countermeasures (short list)
  1. Reconnaissance     Be careful with information
  2. Network mapping    Network IDS – block ICMP
  3. Exploiting         System hardening
  4. Keeping access     IDS – antivirus – rootkit scanners
  5. Covering tracks

Reconnaissance (information gathering): searching for interesting information on discussion groups/forums, social networks, customer reference lists, Google hacks…
Real life security sample
High security (war)zone
Illiterate (local) cleaning personnel (use opportunities!!!)
Logical security:
• VLANs
• Password policy
• …
Physical security:
• Personnel clearance
• Physical control
• PC placement (shoulder surfing)
• Clean desk policy
• Shredder
• Lock screen policy
• Fiber to PC
[Network diagram: WWW and LAN, > 2 m separation, Tempest!!!]
We learned…
• Security is CIA(+)
• Why: law, reputation, production continuity, …
• Approach: layered, technical & non-technical, support from CEO, lots of communication
• Vocabulary: threat, damage, risk, (strong) authentication, authorization, accountability
• Risk = threat * damage
• Security balance: loss vs. cost & countermeasures vs. productivity
• The weakest link is personnel!
• A hacker starts with information gathering
Information security for dummies
