IT Security Basics
WIIFY
1. Why Security?
2. What are the sources of compromise?
3. Four virtues of Security.
4. The 9 rules of Security.
5. What is Information Security, its goal and impact.
6. Common Security definitions/terms.
7. 10 Security Domains by ‘International Information Systems Security
Certification Consortium’ (ISC)2.
8. 3 Steps to success in Security.
9. Resources on web.
10. What do I do as a user?
11. Q&A.
Why Security?
• Case 1
The City of Joburg on 25 Oct night announced a breach of its network and
shut down its website and all e-services as a precautionary measure. Key
city systems were shut down, including online services, bill payments, and
more.
• Case 2
Database of Debit Card Payment System of Middle East Bank is hacked.
The organized gang alters the available balances of card holders and
duplicates the cards. The cash withdrawn in small amounts from 17 countries
totaled US $18 Million in 2 days.
Serious Matters
We all are at risk. This statement is not meant to
instill fear, but simply to properly represent the
state of IT in our modern world. Security can no
longer be a question. It can no longer be ignored,
dismissed, or treated like a thorn in our side. At any
given moment, an adequate amount of security is
all that stands between our precious data and that
wave of relentless and talented intruders striking
out at our valuable resources.
“Why would anyone hack us?” is no longer a
defense, and, “Do we really need to secure
ourselves?” is no longer a question. We all are
targets. We all are vulnerable. We are under
attack, and without security, the only questions
are where and when will we be struck, and just
how badly will it hurt.
Don’t be so Sure!
Usual pretext for not paying attention to Security.
• I have antivirus installed.
• I do not buy anything online.
• We have nothing important stored except Client’s data.
• It will never happen to me.
• I am online for very short time just for checking emails.
• Why would someone steal my data, and what would they do with it?
We'll just take them to court.
IT Security Areas
• Information Security
• Network Security
• Cyber/Internet Security
• Physical Security
• Application Security
• Database Security
• Cloud Security
• Mobile Security
• Telecom Security
• Software Security
• Storage Security
• Web Security
What are the sources of compromise?
• Inside Job: 32% from internal employees, 28% ex-employees and
partners and 50% from employees misusing access privileges.
• Spyware: Most spyware comes in as direct result of user behavior.
• Desktop/Laptop/Smart Devices: It’s like locking the doors and
windows of the house - with the burglar still in the basement.
• Put simply, to keep the burglar out of the basement, organizations
need to remove the ability of employees to let the burglars in, in the
first place. They need to implement tamper-proof solutions that users
cannot easily evade – no matter what the external inducements.
Do you know you are tracked?
Big Data Analytics Organizations and Cyber criminals are watching.
Install Collusion for your browser and see for yourself how you are
tracked.
The four virtues of Security
1. Daily Consideration – Security MUST be a daily consideration in every area.
2. Community Effort – Security MUST be a community effort.
3. Higher Focus – Security practices MUST maintain a generalized focus.
4. Education – Security practices MUST include some measure of training for
everyone.
How do we practice these virtues?
• Make security a continual thought. Encourage others to be continually mindful
of security. Formally include security in all new projects and project
implementations.
• Keep informed. Inform others. Keep up-to-date. Inform end-users. Make
group-based decisions.
• Learn and share the concepts. Think in terms of the bigger picture. Follow the
practices of higher security. Follow the concept of the written practice.
• Good software installation practices. Good awareness practice. Good web
browsing practice. Good confidentiality practices.
The nine rules of Security
1. Rule of Least Privilege.
2. Rule of Change.
3. Rule of Zero Trust.
4. Rule of the Weakest Link.
5. Rule of Separation.
6. Rule of the Three-Fold Process (IMM).
7. Rule of Preventive Action.
8. Rule of Immediate and Proper Response.
9. Rule of Encryption
What is Information Security (InfoSec)?
• InfoSec is the practice of defending
information from unauthorized access, use,
disclosure, disruption, modification,
perusal, inspection, recording or
destruction.
• It is a program/process, not a project.
• Security is never 100%.
• Risk Management is used to maintain and improve
the security posture.
• The security landscape keeps changing.
• Threats.
• Countermeasures.
GOAL and Impact of Information Security
GOAL - To ensure the Confidentiality, Integrity and Availability (CIA) of critical
systems and confidential information.
Impact due to information security failure:
• Service Liability
• Financial Liability
• Legal Issues
• Adverse impact on Image
• Adverse impact on Brand
• Adverse business impact
Common Security Definitions
Vulnerability is a software, hardware, or procedural weakness that may provide an
attacker the open door he is looking for to enter a computer or network and have
unauthorized access to resources within the environment.
Threat is any potential danger to information or systems. The threat is that someone or
something, will identify a specific vulnerability and use it against the company or
individual.
Threat agent could be an intruder accessing the network through a port on the
firewall, a process accessing data in a way that violates the security policy, a tornado
wiping out a facility, or an employee making an unintentional mistake that could expose
confidential information or destroy a file’s integrity.
Risk is the likelihood of a threat agent taking advantage of a vulnerability and the
corresponding business impact.
Exposure is an instance of being exposed to losses from a threat agent.
Countermeasure or safeguard, is put into place to mitigate the potential risk.
Common Security Terms
• Anti-Virus - A security program that can run on a computer or mobile device
and protects you by identifying and stopping the spread of malware on your
system.
• Drive-by Download - These attacks exploit vulnerabilities in your browser or
its plugins and helper applications when you simply surf to an attacker-
controlled website.
• Exploit - Code that is designed to take advantage of a vulnerability. An exploit is
designed to give an attacker the ability to execute additional malicious
programs on the compromised system.
• Firewall - A security program that filters inbound and outbound network
connections.
• Malware - Stands for 'malicious software'. It is any type of code or program
cyber attackers use to perform malicious actions.
• Patch - An update to a vulnerable program or system.
• Phishing - A social engineering technique where cyber attackers attempt to
fool you into taking an action in response to an email.
Security Components Flowchart (diagram not reproduced in this text)
Security Domains - (ISC)2
1. Access Control.
2. Application Security.
3. Business Continuity and Disaster Recovery Planning.
4. Cryptography.
5. Information Security and Risk Management.
6. Legal, Regulations, Compliance, and Investigations.
7. Operations Security.
8. Physical (Environmental) Security.
9. Security Models and Architecture.
10. Telecommunications and Network Security.
Access Control
Access controls are security features that control how users and systems
communicate and interact with other systems and resources. They protect the
systems and resources from unauthorized access and can be components that
participate in determining the level of authorization after an authentication
procedure has successfully completed.
Aim of Access Controls:
• Identification: Method of establishing the subject
(e.g. username, any other public information, systems, etc.).
• Authentication: Method of proving one's identity
(e.g. use of biometrics, passphrase, token, private information, etc.).
• Authorization: Determines that the proven identity has some set of
characteristics associated with it that gives it the right to access the
requested resources.
Access Control Models: DAC, MAC, RBAC.
Access Control Layers: Administrative, Physical, Technical/Logical.
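The three steps above (identification, authentication, authorization) plus accountability, written out as an added example that is not part of the slide deck. Authorization is decided by a role-based access control (RBAC) table, which is one of the three models named on the slide; the users, roles, permissions and passphrases are constructed samples.

```python
"""Added example, not from the slide deck: the identification, authentication
and authorization steps described above, with authorization decided by a
role-based access control (RBAC) table and every decision recorded for
accountability. The users, roles, permissions and passphrases are constructed
samples."""

import hashlib
import hmac
import os

# RBAC: role -> permissions (constructed sample table)
ROLE_PERMISSIONS = {
    "clerk": {"invoice:read"},
    "accountant": {"invoice:read", "invoice:write"},
    "admin": {"invoice:read", "invoice:write", "user:manage"},
}

PBKDF2_ROUNDS = 100_000  # illustrative; tune to your hardware


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the store never holds the passphrase itself."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def make_user(username: str, passphrase: str, roles: list) -> dict:
    salt = os.urandom(16)  # per-user salt defeats precomputed hash tables
    return {
        "username": username,
        "salt": salt,
        "hash": hash_passphrase(passphrase, salt),
        "roles": set(roles),
    }


# Identification data: username -> user record (constructed sample directory)
USERS = {
    u["username"]: u
    for u in (
        make_user("alice", "correct horse battery staple", ["accountant"]),
        make_user("bob", "bob-passphrase-1", ["clerk"]),
    )
}

AUDIT_LOG = []  # accountability: one entry per access decision


def identify(username: str):
    """Identification: map the claimed identity to a known subject, or None."""
    return USERS.get(username)


def authenticate(user: dict, passphrase: str) -> bool:
    """Authentication: prove the identity with something only the user knows."""
    candidate = hash_passphrase(passphrase, user["salt"])
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(candidate, user["hash"])


def authorize(user: dict, permission: str) -> bool:
    """Authorization: RBAC lookup, a permission is granted only through a role."""
    return any(permission in ROLE_PERMISSIONS.get(role, ()) for role in user["roles"])


def access(username: str, passphrase: str, permission: str) -> bool:
    """Run identification, authentication and authorization in that order.
    Fails closed; the detailed reason goes to the audit log, the caller
    only learns allow or deny."""
    user = identify(username)
    if user is None:
        reason = "unknown identity"
    elif not authenticate(user, passphrase):
        reason = "authentication failed"
    elif not authorize(user, permission):
        reason = f"no role grants {permission}"
    else:
        reason = "granted"
    AUDIT_LOG.append((username, permission, reason))
    return reason == "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "invoice:write"))  # True
    print(access("bob", "bob-passphrase-1", "invoice:write"))               # False
    print(access("alice", "wrong passphrase", "invoice:read"))             # False
    print(access("mallory", "anything", "invoice:read"))                   # False
    for entry in AUDIT_LOG:
        print(entry)
```

The order matters: authorization is never consulted until authentication has succeeded, and the audit log is the accountability piece that the quick test below refers to as the third "A".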
Access Control – Quick Test
1. The basic functionality of a malicious code is
to…
a. Upgrade the operating system
b. Execute itself in the client system
c. Spoof
d. Denial of Service
2. What is AAA of access control system?
a. Access, Accept and Apply.
b. Authorization, Authentication and Accountability.
c. Authentication, Authorization and Accountability.
d. Application, Acceptance and Approval.
Application Security
Applications are usually developed with functionality in mind and not security. Security and
Functionality need to be incorporated during design and development. Both application and
environment controls need to be used to ensure application security. ‘Security by Design’
should be the mantra for robust and secure applications.
Application Controls
Data modeling.
Object oriented programming.
Reusable and distributed code.
Client/ Server Model.
Data Types, Format and Length.
Environment Controls
Database modeling / Database management.
Relational databases and database interfaces.
DMZ – Demilitarized zones.
Access restriction.
Change Management.
Software (code) Escrow.
Application Security…
Application Life Cycle Phases
Project initiation.
Functional design analysis and planning.
System design and specifications.
Software development.
Installation / implementation.
Operations / maintenance.
Disposal.
Software development methods
Waterfall method.
Spiral method.
Joint analysis development.
Rapid application development.
Clean room development.
Application Security – Quick Test
1. An attack is a…
a. Vulnerability
b. Threat
c. Technique
d. Compromise
2. Encapsulation is a …
a. Wrapper
b. Threat
c. Software application
d. Class
Business Continuity and Disaster Recovery Plan
The goal of disaster recovery is to minimize the effects of a disaster and take the necessary steps
to ensure that the critical resources, personnel, and business processes are able to resume
operation in a timely manner. The goal of business continuity planning is to provide methods and
procedures for dealing with longer-term outages and disasters to ensure business is back to
normal.
Business Impact Analysis (BIA) is the crucial first step for business continuity and disaster
recovery planning. This encompasses a detailed risk assessment and risk analysis. Qualitative and
quantitative information needs to be gathered and then properly analyzed and interpreted.
Phases of plan development and implementation:
• Identify business critical resources
• Estimate potential disasters
• Select planning strategies
• Implement strategies
• Test and revise the plan
Ways to test the plan:
• Checklist review
• Structured walk-through
• Simulation test
• Parallel test
• Full interruption test
Business Continuity and Disaster Recovery Plan –
Quick test
1. The primary focus of the Business Continuity Plan is…
a. Integrity
b. Authenticity
c. Availability
d. Business growth
2. The Recovery Point Objective (RPO) estimates…
a. The timeframe within which to resume operations
b. The data recovery point
c. The resources required for business continuity
d. The time required to develop a BCP
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is
intended for can read and process. It is considered a science of protecting information by
encoding it into an unreadable format.
Goal of Cryptosystems:
Confidentiality : Unauthorized parties cannot access the information.
Authenticity : Validating the source of the message to ensure that the sender is properly
identified.
Integrity : Provides an assurance that the data was not modified during transmission.
Nonrepudiation : Prevents the denial of actions by sender and receiver.
Cryptographic Standards: Encryption, Hashing, Digital Signatures, PKI.
Common Cryptography Systems: TLS, SET, IPSec, PGP, S/MIME, SSH, S-HTTP, Kerberos,
Steganography, Digital Watermarking, SecureID, WAP, WPA, WEP.
The goal of designing an encryption technology is to make compromising it too
expensive or too time consuming.
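How two of the goals listed above, integrity and authenticity, differ in practice, as an added example that is not part of the slide deck. A plain hash lets the receiver detect accidental corruption but not a deliberate rewrite, because anyone can recompute a hash; a keyed MAC (HMAC-SHA256 here) also binds the message to whoever holds the key. The messages and key are constructed samples.

```python
"""Added example, not from the slide deck: a plain hash gives integrity only,
a keyed MAC (HMAC-SHA256) gives integrity and authenticity. The messages and
the shared key are constructed samples."""

import hashlib
import hmac


def digest(message: bytes) -> str:
    """Unkeyed hash: anyone, including an attacker, can compute this."""
    return hashlib.sha256(message).hexdigest()


def tag(key: bytes, message: bytes) -> str:
    """Keyed MAC: only holders of the shared key can compute a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hash(message: bytes, expected_digest: str) -> bool:
    return hmac.compare_digest(digest(message), expected_digest)


def verify_tag(key: bytes, message: bytes, expected_tag: str) -> bool:
    return hmac.compare_digest(tag(key, message), expected_tag)


def simulate(key: bytes) -> dict:
    """Sender attaches a digest and a tag; the receiver checks what arrives
    in three scenarios: genuine, corrupted in transit, and forged."""
    original = b"TRANSFER 100.00 TO ACCT 1234"
    sent = {"msg": original, "digest": digest(original), "tag": tag(key, original)}

    # 1. Accidental corruption in transit (a flipped character): the attached
    #    digest and tag still belong to the original message.
    corrupted = dict(sent, msg=original.replace(b"100.00", b"1O0.00"))

    # 2. Deliberate forgery by someone without the key: they can recompute the
    #    public digest over their own message, but can only guess the tag.
    forged_msg = b"TRANSFER 900.00 TO ACCT 9999"
    forged = {
        "msg": forged_msg,
        "digest": digest(forged_msg),
        "tag": tag(b"attacker-does-not-have-the-real-key", forged_msg),
    }

    return {
        "genuine_passes_hash": verify_hash(sent["msg"], sent["digest"]),
        "genuine_passes_mac": verify_tag(key, sent["msg"], sent["tag"]),
        "corruption_caught_by_hash": not verify_hash(corrupted["msg"], corrupted["digest"]),
        "corruption_caught_by_mac": not verify_tag(key, corrupted["msg"], corrupted["tag"]),
        # the hash check is satisfied by the forgery, the MAC check is not
        "forgery_caught_by_hash": not verify_hash(forged["msg"], forged["digest"]),
        "forgery_caught_by_mac": not verify_tag(key, forged["msg"], forged["tag"]),
    }


if __name__ == "__main__":
    for name, outcome in simulate(b"constructed-shared-key").items():
        print(f"{name:28} {outcome}")
```

Nonrepudiation is the one goal this block cannot deliver: both parties hold the same key, so either could have produced the tag. That is where digital signatures and PKI, listed under the cryptographic standards above, come in.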
Cryptography – Quick Test
1. IEEE 802.11 is a set of standards for …
a. Wired Local Area Network
b. Hyper Text Transport Protocol
c. Secure Transport Layer
d. Wireless Local Area Network
2. Steganography is a…
a. Public Key Infrastructure
b. Private Key
c. Concealing Message
d. Watermarking
Information Security and Risk Management
Information Security and Risk Management are analogous to each other.
Information security is to preserve CIA of organizational assets. Risk
Management is to identify the threats and vulnerabilities that could impact the
information security and devise suitable controls to mitigate these risks.
The three objectives (CIA):
• Confidentiality: To ensure protection against unauthorized access to or use of
confidential information.
• Integrity: To ensure the accuracy and completeness of information to protect
university business processes.
• Availability: To ensure that information and vital services are accessible for use
when required.
Information Security and Risk Management - 90/10 Rule
• Technology: 10%
• People and Process: 90%
Information Security and Risk Management – Quick Test
1. In order to have an effective security within
the organization, it is important that the
people or personnel are aware of…
a. Security requirements
b. Security policies and procedures
c. Roles and responsibilities
d. All of the above
2. Which one of the following is a common type
of classification in Government as well as
private/public sector organizations?
a. Top secret
b. Confidential
c. Unclassified
d. Public
Legal, Regulations, Compliance, and Investigation
IT needs to be aware of various legal and regulatory requirements pertaining to the ethical usage
of computers, compliance frameworks across the world, and investigative mechanisms to identify,
protect, and preserve any evidence of computer crimes. The laws and regulations depend on the
state or country of operation. Laws are usually based on ethics and are put in place to ensure that
others act in an ethical way.
MOM of a Crime:
Motive is the “who” and “why” of a crime.
Opportunity is the “where” and “when” of a crime.
Means is the capabilities a criminal would need to be successful.
Some common types of computer crimes:
Salami – Many small crimes committed in the hope that the larger crime will go unnoticed.
Data diddling – Alteration of existing data.
Password sniffing – Sniffing network traffic for passwords.
IP Spoofing – Changing the attacker's IP address.
Emanations capturing – Capturing electrical pulses and extracting meaning from them.
Social engineering – Faking somebody's identity.
Legal, Regulations, Compliance, and Investigation…
Assets that Organizations are trying to protect:
Intellectual Property
Trade Secrets
Copyrights
Trademark
Patents
Software piracy
Privacy
Some Acts you will come across:
Health Insurance Portability and Accountability Act
Sarbanes-Oxley Act (SOX) 2001
Gramm-Leach-Bliley Act (GLBA) 1999
Data Protection Act (DPA)
Computer Fraud and Abuse Act
Federal Privacy Act 1972
Legal, Regulations, Compliance, and Investigation –
Quick Test
1. Cyber Crime is using…
a. Communication networks to perpetrate crime
b. Phishing techniques
c. Spam emails
d. Unauthorized access
2. The primary objective of a Denial-of-Service attack
is to…
a. Authenticity
b. Availability
c. Authorization
d. Access Control
Operations Security
Operational security has to do with keeping up with implemented solutions, keeping track
of changes, properly maintaining systems, continually enforcing necessary standards and
following through with security practices and tasks. This includes the continual
maintenance of an environment and the activities that should take place on a day-to-day
basis.
Administrative Management
Separation of duties.
Rotation of duties / Job rotation.
Least privilege access / shared access.
Mandatory vacations.
Accountability
Access revalidation.
Health checks.
Capturing and monitoring audit logs.
Auditing.
Operations Security…
Security Operations and Product Evaluation
Operational assurance.
Life cycle assurance.
Change Management Control
Request for change.
Change approval.
Change documentation.
Change testing and presentation.
Change implementation.
Change reporting.
Media Controls : Media management “cradle to grave”.
System Controls : Selected tasks can be performed only by “elevated access”.
Trusted Recovery : System reboots and restarts.
Input and Output Controls : Garbage In, Garbage Out.
Operations Security – Quick Test
1. A systematic and procedural way of managing incidents is
known as…
a. Configuration management
b. Incident management
c. Change management
d. System management
2. If an event could possibly violate information security, then such an
event is known as …
a. Problem
b. Confidentiality breach
c. Incident
d. Integrity breach
Physical (Environmental) Security
Physical and Environmental security encompasses a different set of threats, vulnerabilities
and risks than the other types of security. Physical security mechanisms include site design
and layout, environmental components, emergency response readiness, training, access
control, intrusion detection, and power and fire protection. Physical security mechanisms
protect people, data, equipment, systems, facilities and a long list of company assets.
Types of threats:
• Natural Environment: Floods, earthquakes, storms, etc.
• Supply System: Power distribution outages, interruptions, etc.
• Man made: Unauthorized access, employee error and accidents, damage, etc.
• Politically motivated: Strikes, riots, civil disobedience, etc.
Solutions are planned and designed for:
• Prevention
• Detection
• Suppression / Response
Physical (Environmental) Security – Quick Test
1. Which of the following needs to be
considered while designing controls for
physical security…
a. Physical facility
b. Geographic location
c. Supporting facilities
d. All of the above
2. Evacuation procedures should primarily
address…
a. Network
b. Furniture
c. People
d. Computers
Security Architecture and Design
Two fundamental concepts in computers and information security are Policy and Security Model.
While the Policy outlines how data is accessed, the level of security required and the actions that
need to be taken when the requirements are not met, the Security Model is a statement that
outlines the requirements necessary to properly support and implement the policy. Architecture
defines how they are implemented.
Some basic security models:
Bell-LaPadula: [Protects Confidentiality] A subject cannot read data at a higher security level, a
subject cannot write data to a lower security level, and a subject that has read and write capability
can perform both functions at its own security level.
Biba: [Protects Integrity] A subject cannot read data at a lower integrity level, a subject
cannot modify data at a higher integrity level, and a subject cannot modify an object in a higher
integrity level.
Clark-Wilson: Subjects can only access objects through authorized programs,
separation of duties is enforced and auditing is required.
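The Bell-LaPadula and Biba rules above, turned into a small reference monitor as an added example that is not part of the slide deck. Both models compare a subject's level with an object's level on every read and write; the code shows that Biba is the mirror image of Bell-LaPadula. The level lattice, the subject and the objects are constructed samples.

```python
"""Added example, not from the slide deck: a small reference monitor that
enforces the Bell-LaPadula confidentiality rules and the Biba integrity rules
summarised above. The level lattice, subjects and objects are constructed
samples."""

from dataclasses import dataclass

# Ordered levels, lowest to highest (constructed sample lattice). The same
# ordering serves as security levels for BLP and integrity levels for Biba.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Entity:
    """A subject (user, process) or an object (file, record) with a level."""
    name: str
    level: str  # must be a key of LEVELS

    @property
    def rank(self) -> int:
        return LEVELS[self.level]


def blp_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula, protects confidentiality.
    read  -> simple security property, no read up:  subject >= object
    write -> star property, no write down:          subject <= object
    At equal levels both operations are allowed."""
    if op == "read":
        return subject.rank >= obj.rank
    if op == "write":
        return subject.rank <= obj.rank
    raise ValueError(f"unknown operation: {op!r}")


def biba_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba, protects integrity; the mirror image of Bell-LaPadula.
    read  -> simple integrity property, no read down: subject <= object
    write -> star integrity property, no write up:    subject >= object"""
    if op == "read":
        return subject.rank <= obj.rank
    if op == "write":
        return subject.rank >= obj.rank
    raise ValueError(f"unknown operation: {op!r}")


MODELS = {"blp": blp_allows, "biba": biba_allows}


def decide(model: str, subject: Entity, obj: Entity, op: str) -> str:
    """Reference monitor entry point: every access request passes through here."""
    return "ALLOW" if MODELS[model](subject, obj, op) else "DENY"


def matrix(model: str, subject: Entity, objects) -> dict:
    """Decision table for one subject against several objects."""
    return {(o.name, op): decide(model, subject, o, op)
            for o in objects for op in ("read", "write")}


if __name__ == "__main__":
    analyst = Entity("analyst", "secret")
    objs = [Entity("press_release", "unclassified"),
            Entity("incident_report", "secret"),
            Entity("war_plan", "top_secret")]
    for model in MODELS:
        print(model)
        for (name, op), result in matrix(model, analyst, objs).items():
            print(f"  {op:5} {name:16} {result}")
```

Running the block prints the decision table for a "secret" analyst: under Bell-LaPadula the analyst may read the press release but not write to it (that would be a write down), and may write to but not read the war plan; under Biba every one of those four decisions flips.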
Security Architecture and Design – Quick Test
1. A trusted computer system should have…
a. A well-defined security policy
b. Accountability
c. Assurance mechanisms
d. All the above three
2. A security label is NOT…
a. A classification mechanism
b. A labeling of low, medium, high based on security
c. A computer model
d. Used for defining protection mechanisms
Telecommunications and Network Security
This domain deals with the security of voice and data communications through local area, wide area, and
remote access networking. It covers the electrical transmission of data among systems, whether through
analog, digital or wireless transmission types, and the various devices, software and protocols involved.
Telecommunication and Network Security – Quick Test
1. A protocol is a …
a. Data encryption standard
b. Layered architecture
c. Communication standard
d. Data link
2. The Internet Protocol (IP) operates in
the …
a. Physical layer
b. Network layer
c. Application layer
d. Communication layer
The three steps to Success
1. Think about Security.
2. Do something (while still thinking about Security).
3. Continue to think about Security.
Security cannot be an afterthought.
Do your best. Adopt good practices, or else trust in God!
10 Essentials of Security
1. THINK before you click.
2. Protect passwords.
3. Know if your job requires higher security standards.
4. Register all computers and devices used for business.
5. Connect to networks safely.
6. Manage and store client and company data securely.
7. Backup and encrypt data wherever it’s stored.
8. Keep your security settings and software up to date.
9. Manage your online privacy settings and THINK before sharing
information.
10. Report security incidents immediately.
What to do for Security?
(No more No less)
• Make security a headline everyday.
• ManageMenTactfully, Totally, Thoughtfully, Talkatively, Task fully,
Thankfully, with respect to Trust, Time, Technology.
• Communicate, Follow-up, Document, and Update.
• Lead by example.
• Expect unexpected.
• Respond promptly but thoughtfully. Avoid reaction.
• Delegate however empower and support.
Resources:
• National Institute of Standards and Technology (NIST) – www.nist.gov
• http://www.sourcesecurity.com/
• National Vulnerability Database http://web.nvd.nist.gov/view/vuln/search
• Department of Electronics and Information Technology
http://deity.gov.in/
• Latest IT News and Articles http://www.informationweek.in/home.aspx
• IT Security Experts https://www.isc2.org/
• Information Systems Audit and Control Association
http://www.isaca.org/about-isaca/Pages/default.aspx
• https://www.us-cert.gov/about-us
• https://www.nist.gov/
• https://www.cisecurity.org/
Homework
An ISF Threat Horizon Report 2019-2021: Recommended read at your
leisure time
Attached: ISF_Threat Horizon 2021_Report.pdf
Summary
• Why security is important and what are the sources of
compromise.
• Four virtues and eight rules of security.
• What is information security, CIA and BIA.
• Common security definitions and terms.
• 10 Security domains by (ISC)2.
• 3 Steps for success in security.
• What to do for security.
THANK YOU
for Watching Securely!
 
Cyber security for Developers
Cyber security for DevelopersCyber security for Developers
Cyber security for Developers
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
 
What Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultWhat Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVault
 
Ethicalhackingalicencetohack 120223062548-phpapp01
Ethicalhackingalicencetohack 120223062548-phpapp01Ethicalhackingalicencetohack 120223062548-phpapp01
Ethicalhackingalicencetohack 120223062548-phpapp01
 
Aon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesAon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation Strategies
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
 
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdfTop_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
 
Top 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdfTop 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdf
 
New Developments in Cybersecurity and Technology for RDOs: Howland
New Developments in Cybersecurity and Technology for RDOs: HowlandNew Developments in Cybersecurity and Technology for RDOs: Howland
New Developments in Cybersecurity and Technology for RDOs: Howland
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber security
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganised
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdf
 
All About Network Security & its Essentials.pptx
All About Network Security & its Essentials.pptxAll About Network Security & its Essentials.pptx
All About Network Security & its Essentials.pptx
 

Dernier

Safety T fire missions army field Artillery
Safety T fire missions army field ArtillerySafety T fire missions army field Artillery
Safety T fire missions army field ArtilleryKennethSwanberg
 
Marketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docxMarketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docxssuserf63bd7
 
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot ModelGautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNitya salvi
 
The Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard BrownThe Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard BrownSandaliGurusinghe2
 
International Ocean Transportation p.pdf
International Ocean Transportation p.pdfInternational Ocean Transportation p.pdf
International Ocean Transportation p.pdfAlejandromexEspino
 
digital Human resource management presentation.pdf
digital Human resource management presentation.pdfdigital Human resource management presentation.pdf
digital Human resource management presentation.pdfArtiSrivastava23
 
Persuasive and Communication is the art of negotiation.
Persuasive and Communication is the art of negotiation.Persuasive and Communication is the art of negotiation.
Persuasive and Communication is the art of negotiation.aruny7087
 
Beyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentBeyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentNimot Muili
 
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siliguri
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime SiliguriSiliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siliguri
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siligurimeghakumariji156
 
How Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxHow Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxAaron Stannard
 
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professionalW.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professionalWilliam (Bill) H. Bender, FCSI
 
Information Technology Project Management, Revised 7th edition test bank.docx
Information Technology Project Management, Revised 7th edition test bank.docxInformation Technology Project Management, Revised 7th edition test bank.docx
Information Technology Project Management, Revised 7th edition test bank.docxssuserf63bd7
 
internship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamrainternship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamraAllTops
 

Dernier (14)

Safety T fire missions army field Artillery
Safety T fire missions army field ArtillerySafety T fire missions army field Artillery
Safety T fire missions army field Artillery
 
Marketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docxMarketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docx
 
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot ModelGautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
The Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard BrownThe Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard Brown
 
International Ocean Transportation p.pdf
International Ocean Transportation p.pdfInternational Ocean Transportation p.pdf
International Ocean Transportation p.pdf
 
digital Human resource management presentation.pdf
digital Human resource management presentation.pdfdigital Human resource management presentation.pdf
digital Human resource management presentation.pdf
 
Persuasive and Communication is the art of negotiation.
Persuasive and Communication is the art of negotiation.Persuasive and Communication is the art of negotiation.
Persuasive and Communication is the art of negotiation.
 
Beyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentBeyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable development
 
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siliguri
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime SiliguriSiliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siliguri
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siliguri
 
How Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxHow Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptx
 
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professionalW.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
 
Information Technology Project Management, Revised 7th edition test bank.docx
Information Technology Project Management, Revised 7th edition test bank.docxInformation Technology Project Management, Revised 7th edition test bank.docx
Information Technology Project Management, Revised 7th edition test bank.docx
 
internship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamrainternship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamra
 
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTECAbortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
 

Information Technology Security Basics

WIIFY
1. Why Security?
2. What are the sources of compromise?
3. Four virtues of Security.
4. The 9 rules of Security.
5. What is Information Security, its goal and impact.
6. Common Security definitions/terms.
7. 10 Security Domains by the ‘International Information Systems Security Certification Consortium’ (ISC)2.
8. 3 Steps to success in Security.
9. Resources on the web.
10. What do I do as a user?
11. Q&A.
Why Security?
• Case 1: The City of Joburg on the night of 25 Oct announced a breach of its network and shut down its website and all e-services as a precautionary measure. Key city systems were shut down, including online services, bill payments, and more.
• Case 2: The database of the debit card payment system of a Middle East bank is hacked. The organized gang alters the available balances of card holders and duplicates the cards. The cash withdrawn from 17 countries in small amounts totalled US $18 Million in 2 days.
Serious Matters
We all are at risk. This statement is not meant to instill fear, but simply to properly represent the state of IT in our modern world. Security can no longer be a question. It can no longer be ignored, dismissed, or treated like a thorn in our side. At any given moment, an adequate amount of security is all that stands between our precious data and that wave of relentless and talented intruders striking out at our valuable resources.
“Why would anyone hack us?” is no longer a defense, and “Do we really need to secure ourselves?” is no longer a question. We all are targets. We all are vulnerable. We are under attack, and without security, the only questions are where and when we will be struck, and just how badly it will hurt.
Don’t be so Sure!
Usual pretexts for not paying attention to Security:
• I have antivirus installed.
• I do not buy anything online.
• We have nothing important stored except Client’s data.
• It will never happen to me.
• I am online for a very short time, just for checking emails.
• Why would someone steal my data, and what are they going to do with it? We’ll pull them into court.
IT Security Areas
• Information Security
• Network Security
• Cyber/Internet Security
• Physical Security
• Application Security
• Database Security
• Cloud Security
• Mobile Security
• Telecom Security
• Software Security
• Storage Security
• Web Security
What are the sources of compromise?
• Inside Job: 32% from internal employees, 28% from ex-employees and partners, and 50% from employees misusing access privileges.
• Spyware: Most spyware comes in as a direct result of user behavior.
• Desktop/Laptop/Smart Devices: It’s like locking the doors and windows of the house - with the burglar still in the basement.
• Put simply, to keep the burglar out of the basement, organizations need to remove the ability of employees to let the burglars in, in the first place. They need to implement tamper-proof solutions that users cannot easily evade – no matter what the external inducements.
Do you know you are tracked? Big Data Analytics organizations and cyber criminals are watching. Install Collusion for your browser and experience how you are tracked.
The four virtues of Security
1. Daily Consideration – Security MUST be a daily consideration in every area.
2. Community Effort – Security MUST be a community effort.
3. Higher Focus – Security practices MUST maintain a generalized focus.
4. Education – Security practices MUST include some measure of training for everyone.
How do we practice these virtues?
• Make security a continual thought. Encourage others to be continually mindful of security. Formally include security in all new projects and project implementations.
• Keep informed. Inform others. Keep up-to-date. Inform end-users. Make group-based decisions.
• Learn and share the concepts. Think in terms of the bigger picture. Follow the practices of higher security. Follow the concept of the written practice.
• Good software installation practices. Good awareness practice. Good web browsing practice. Good confidentiality practices.
The nine rules of Security
1. Rule of Least Privilege.
2. Rule of Change.
3. Rule of Zero Trust.
4. Rule of the Weakest Link.
5. Rule of Separation.
6. Rule of the Three-Fold Process (IMM).
7. Rule of Preventive Action.
8. Rule of Immediate and Proper Response.
9. Rule of Encryption.
What is Information Security (InfoSec)?
• InfoSec is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• A program/process, not a project.
• Never 100%.
• Risk Management to maintain and improve the Security Posture.
• A changing Security Landscape.
• Threats.
• Countermeasures.
GOAL and Impact of Information Security
GOAL - To ensure the Confidentiality, Integrity and Availability (CIA) of critical systems and confidential information.
Impact due to information security failure:
• Service Liability
• Financial Liability
• Legal Issues
• Adverse impact on Image
• Adverse impact on Brand
• Adverse business impact
Common Security Definitions
• Vulnerability is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.
• Threat is any potential danger to information or systems. The threat is that someone or something will identify a specific vulnerability and use it against the company or individual.
• Threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file’s integrity.
• Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
• Exposure is an instance of being exposed to losses from a threat agent.
• Countermeasure, or safeguard, is put into place to mitigate the potential risk.
Common Security Terms
• Anti-Virus - A security program that can run on a computer or mobile device and protects you by identifying and stopping the spread of malware on your system.
• Drive-by Download - These attacks exploit vulnerabilities in your browser or its plugins and helper applications when you simply surf to an attacker-controlled website.
• Exploit - Code that is designed to take advantage of a vulnerability. An exploit is designed to give an attacker the ability to execute additional malicious programs on the compromised system.
• Firewall - A security program that filters inbound and outbound network connections.
• Malware - Stands for 'malicious software'. It is any type of code or program cyber attackers use to perform malicious actions.
• Patch - An update to a vulnerable program or system.
• Phishing - A social engineering technique where cyber attackers attempt to fool you into taking an action in response to an email.
Security Domains - (ISC)2
1. Access Control.
2. Application Security.
3. Business Continuity and Disaster Recovery Planning.
4. Cryptography.
5. Information Security and Risk Management.
6. Legal, Regulations, Compliance, and Investigations.
7. Operations Security.
8. Physical (Environmental) Security.
9. Security Models and Architecture.
10. Telecommunications and Network Security.
Access Control
Access controls are security features that control how users and systems communicate and interact with other systems and resources. They protect the systems and resources from unauthorized access and can be components that participate in determining the level of authorization after an authentication procedure has successfully completed.
Aim of Access Controls:
• Identification: Method of establishing the subject (e.g. username, any other public information, systems, etc).
• Authentication: Method of proving one’s identity (e.g. use of biometrics, passphrase, token, private information, etc).
• Authorization: Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.
Access Control Models: DAC, MAC, RBAC.
Access Control Layers: Administrative, Physical, Technical/Logical.
Access Control – Quick Test
1. The basic functionality of a malicious code is to…
   a. Upgrade the operating system
   b. Execute itself in the client system
   c. Spoof
   d. Denial of Service
2. What is AAA of access control system?
   a. Access, Accept and Apply.
   b. Authorization, Authentication and Accountability.
   c. Authentication, Authorization and Accountability.
   d. Application, Acceptance and Approval.
Application Security
Applications are usually developed with functionality in mind and not security. Security and Functionality need to be incorporated during design and development. Both application and environment controls need to be used to ensure application security. ‘Security by Design’ should be the mantra for robust and secure applications.
Application Controls:
• Data modeling.
• Object oriented programming.
• Reusable and distributed code.
• Client/Server Model.
• Data Types, Format and Length.
Environment Controls:
• Database modeling / Database management.
• Relational databases and database interfaces.
• DMZ – Demilitarized zones.
• Access restriction.
• Change Management.
• Software (code) Escrow.
Application Security…
Application Life Cycle Phases:
• Project initiation.
• Functional design analysis and planning.
• System design and specifications.
• Software development.
• Installation / implementation.
• Operations / maintenance.
• Disposal.
Software development methods:
• Waterfall method.
• Spiral method.
• Joint analysis development.
• Rapid application development.
• Clean room development.
Application Security – Quick Test
1. An attack is a…
   a. Vulnerability
   b. Threat
   c. Technique
   d. Compromise
2. Encapsulation is a…
   a. Wrapper
   b. Threat
   c. Software application
   d. Class
Business Continuity and Disaster Recovery Plan
The goal of disaster recovery is to minimize the effects of a disaster and take the necessary steps to ensure that the critical resources, personnel, and business processes are able to resume operation in a timely manner.
The goal of business continuity planning is to provide methods and procedures for dealing with longer-term outages and disasters to ensure business is back to normal.
Business Impact Analysis (BIA) is the crucial first step for business continuity and disaster recovery planning. This encompasses a detailed risk assessment and risk analysis. Qualitative and quantitative information needs to be gathered and then properly analyzed and interpreted.
Phases of plan development:
• Identify business critical resources
• Estimate potential disasters
• Selecting planning strategies
Phases of plan implementation:
• Implementing strategies
• Testing and revising the plan
Plan test types listed on the slide:
• Checklist review
• Structured walk-through
• Simulation test
• Parallel test
• Full interruption test
Business Continuity and Disaster Recovery Plan – Quick Test
1. The primary focus of the Business Continuity Plan is…
   a. Integrity
   b. Authenticity
   c. Availability
   d. Business growth
2. The Recovery Point Objective (RPO) estimates…
   a. The timeframe within which to resume operations
   b. The data recovery point
   c. The resources required for business continuity
   d. The time required to develop a BCP
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is considered a science of protecting information by encoding it into an unreadable format.
Goals of Cryptosystems:
• Confidentiality: Unauthorized parties cannot access the information.
• Authenticity: Validating the source of the message to ensure that the sender is properly identified.
• Integrity: Provides an assurance that the data was not modified during transmission.
• Nonrepudiation: Prevents the denial of actions by sender and receiver.
Cryptographic Standards: Encryption, Hashing, Digital Signatures, PKI.
Common Cryptography Systems: TLS, SET, IPSec, PGP, S/MIME, SSH, S-HTTP, Kerberos, Steganography, Digital Watermarking, SecurID, WAP, WPA, WEP.
The goal of designing an encryption technology is to make compromising it too expensive or too time consuming.
Cryptography – Quick Test
1. IEEE 802.11 is a set of standards for…
   a. Wired Local Area Network
   b. Hyper Text Transport Protocol
   c. Secure Transport Layer
   d. Wireless Local Area Network
2. Steganography is a…
   a. Public Key Infrastructure
   b. Private Key
   c. Concealing Message
   d. Watermarking
Information Security and Risk Management
Information Security and Risk Management are analogous to each other. Information security is to preserve the CIA of organizational assets. Risk Management is to identify the threats and vulnerabilities that could impact information security and devise suitable controls to mitigate these risks.
The CIA objectives as stated on the slide:
• To ensure that information and vital services are accessible for use when required.
• To ensure the accuracy and completeness of information to protect university business processes.
• To ensure protection against unauthorized access to or use of confidential information.
Information Security and Risk Management - 90/10 Rule
[Figure: a chart labelled Process, Technology and People, with a 10% / 90% split.]
Information Security and Risk Management – Quick Test
1. In order to have effective security within the organization, it is important that the people or personnel are aware of…
   a. Security requirements
   b. Security policies and procedures
   c. Roles and responsibilities
   d. All of the above
2. Which one of the following is a common type of classification in Government as well as private/public sector organizations?
   a. Top secret
   b. Confidential
   c. Unclassified
   d. Public
Legal, Regulations, Compliance, and Investigation
IT needs to be aware of various legal and regulatory requirements pertaining to the ethical usage of computers, compliance frameworks across the world, and investigative mechanisms to identify, protect, and preserve any evidence from computer crimes. The laws and regulations depend on the state or country of operation. Laws are usually based on ethics and are put in place to ensure that others act in an ethical way.
MOM of a Crime:
• Motive is the “Who” and “Why” of a crime.
• Opportunity is the “Where” and “When” of a crime.
• Means is the capabilities a criminal would need to be successful.
Some common types of computer crimes:
• Salami – Small crimes with the hope that the larger crime will go unnoticed.
• Data diddling – Alteration of existing data.
• Password sniffing – Sniffing network traffic for passwords.
• IP Spoofing – Changing the attacker’s IP.
• Emanations capturing – Capturing electrical pulses and making meaning from them.
• Social engineering – Faking somebody’s identity.
Legal, Regulations, Compliance, and Investigation…
Assets that Organizations are trying to protect:
• Intellectual Property
• Trade Secrets
• Copyrights
• Trademarks
• Patents
• Software piracy
• Privacy
Some Acts you will come across:
• Health Insurance Portability and Accountability Act
• Sarbanes-Oxley Act (SOX) 2001
• Gramm-Leach-Bliley Act (GLBA) 1999
• Data Protection Act (DPA)
• Computer Fraud and Abuse Act
• Federal Privacy Act 1972
Legal, Regulations, Compliance, and Investigation – Quick Test
1. Cyber Crime is using…
   a. Communication networks to perpetrate crime
   b. Phishing techniques
   c. Spam emails
   d. Unauthorized access
2. The primary objective of a Denial-of-Service attack is to…
   a. Authenticity
   b. Availability
   c. Authorization
   d. Access Control
Operations Security
Operational security has to do with keeping up with implemented solutions, keeping track of changes, properly maintaining systems, continually enforcing necessary standards and following through with security practices and tasks. This includes the continual maintenance of an environment and the activities that should take place on a day-to-day basis.
Administrative Management:
• Separation of duties.
• Rotation of duties / Job rotation.
• Least privilege access / shared access.
• Mandatory vacations.
Accountability:
• Access revalidation.
• Health checks.
• Capturing and monitoring audit logs.
• Auditing.
Operations Security…
Security Operations and Product Evaluation:
• Operational assurance.
• Life cycle assurance.
Change Management Control:
• Request for change.
• Change approval.
• Change documentation.
• Change testing and presentation.
• Change implementation.
• Change reporting.
Media Controls: Media management “cradle to grave”.
System Controls: Selected tasks can be performed only by “elevated access”.
Trusted Recovery: System reboots and restarts.
Input and Output Controls: Garbage In, Garbage Out.
Operations Security – Quick Test
1. A systematic and procedural way of managing incidents is known as…
   a. Configuration management
   b. Incident management
   c. Change management
   d. System management
2. If an event could possibly violate information security, then such an event is known as…
   a. Problem
   b. Confidentiality breach
   c. Incident
   d. Integrity breach
Physical (Environmental) Security
Physical and Environmental security encompasses a different set of threats, vulnerabilities and risks than the other types of security. Physical security mechanisms include site design and layout, environmental components, emergency response readiness, training, access control, intrusion detection, and power and fire protection. Physical security mechanisms protect people, data, equipment, systems, facilities and a long list of company assets.
Types of threats:
• Natural Environment: Floods, earthquakes, storms, etc.
• Supply System: Power distribution outages, interruptions, etc.
• Man-made: Unauthorized access, employee error and accidents, damage, etc.
• Politically motivated: Strikes, riots, civil disobedience, etc.
Solutions are planned and designed for:
• Prevention
• Detection
• Suppression / Response
Physical (Environmental) Security – Quick Test
1. Which of the following needs to be considered while designing controls for physical security…
   a. Physical facility
   b. Geographic location
   c. Supporting facilities
   d. All of the above
2. Evacuation procedures should primarily address…
   a. Network
   b. Furniture
   c. People
   d. Computers
Security Architecture and Design
Two fundamental concepts in computer and information security are the Policy and the Security Model. While the Policy outlines how data is accessed, the level of security required and the actions that need to be taken when the requirements are not met, the Security Model is a statement that outlines the requirements necessary to properly support and implement the policy. The Architecture defines how they are implemented.
Some basic security models:
• Bell-LaPadula [Protects Confidentiality]: A subject cannot read data at a higher security level, a subject cannot write data to a lower security level, and a subject that has read & write capability can perform these functions at the same security level.
• Biba [Protects Integrity]: A subject cannot read data at a lower security level, a subject cannot modify data to a higher security level, a subject cannot modify an object in a higher integrity level.
• Clark-Wilson: Subjects can only access objects through authorized programs, separation of duties is enforced and auditing is required.
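The Bell-LaPadula and Biba rules from the slide above, written out as a small reference monitor so the "no read up / no write down" and "no read down / no write up" properties can be checked against concrete requests. This is an added example, not code from the deck; the three-level label lattice and the subject and objects are constructed for illustration.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) access checks as a
tiny reference monitor.  Added example; the label lattice and the
subject/objects below are constructed, not taken from the slide deck."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels, lowest to highest (constructed).  Under BLP they are
    sensitivity labels; under Biba the same ordering is read as integrity."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Entity:
    """A labelled subject (user/process) or object (file/record)."""
    name: str
    level: Level


def blp_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula protects confidentiality:
    read  -> simple security property, no read up  (subject >= object)
    write -> *-property, no write down              (subject <= object)
    At equal levels both operations are allowed, as the slide states."""
    if op == "read":
        return subject.level >= obj.level
    if op == "write":
        return subject.level <= obj.level
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba protects integrity and is the dual of BLP:
    read  -> simple integrity axiom, no read down  (subject <= object)
    write -> *-integrity axiom, no write up        (subject >= object)"""
    if op == "read":
        return subject.level <= obj.level
    if op == "write":
        return subject.level >= obj.level
    raise ValueError(f"unknown operation {op!r}")


MODELS = {"BLP": blp_allows, "Biba": biba_allows}


def decide(model: str, subject: Entity, obj: Entity, op: str) -> str:
    """ALLOW or DENY for one request under the named model."""
    return "ALLOW" if MODELS[model](subject, obj, op) else "DENY"


def audit_matrix(subject: Entity, objects: list[Entity]) -> dict[str, str]:
    """Decisions for every (model, op, object) combination, keyed like
    'BLP read public_notice'.  Shows that the two models disagree exactly
    on cross-level accesses and agree on same-level ones."""
    results: dict[str, str] = {}
    for model in MODELS:
        for obj in objects:
            for op in ("read", "write"):
                results[f"{model} {op} {obj.name}"] = decide(model, subject, obj, op)
    return results


# Constructed subject and objects for the walk-through.
ANALYST = Entity("analyst", Level.MEDIUM)
OBJECTS = [
    Entity("public_notice", Level.LOW),
    Entity("team_report", Level.MEDIUM),
    Entity("board_minutes", Level.HIGH),
]

if __name__ == "__main__":
    for key, verdict in audit_matrix(ANALYST, OBJECTS).items():
        print(f"{key:26} -> {verdict}")
```

Run it and note that BLP lets the MEDIUM analyst write into the HIGH object (allowed write up) while Biba denies exactly that, which is why confidentiality and integrity need separate models.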
Security Architecture and Design – Quick Test
1. A trusted computer system should have…
   a. A well-defined security policy
   b. Accountability
   c. Assurance mechanisms
   d. All the above three
2. A security label is NOT…
   a. A classification mechanism
   b. A labeling of low, medium, high based on security
   c. A computer model
   d. Used for defining protection mechanisms
Telecommunications and Network Security
This domain deals with the security of voice and data communications through local area, wide area, and remote access networking. It covers the electrical transmission of data amongst systems, whether through analog, digital or wireless transmission types, and the various devices, software and protocols involved.
Telecommunication and Network Security – Quick Test
1. A protocol is a…
   a. Data encryption standard
   b. Layered architecture
   c. Communication standard
   d. Data link
2. The Internet Protocol (IP) operates in the…
   a. Physical layer
   b. Network layer
   c. Application layer
   d. Communication layer
• 41. The three steps to Success
1. Think about Security.
2. Do something (while still thinking about Security).
3. Continue to think about Security.
Security cannot be an afterthought. Do your best. Adopt good practices, else trust in God!
• 42. 10 Essentials of Security
1. THINK before you click.
2. Protect passwords.
3. Know if your job requires higher security standards.
4. Register all computers and devices used for business.
5. Connect to networks safely.
6. Manage and store client and company data securely.
7. Backup and encrypt data wherever it’s stored.
8. Keep your security settings and software up to date.
9. Manage your online privacy settings and THINK before sharing information.
10. Report security incidents immediately.
• 43. What to do for Security? (No more, no less)
• Make security a headline every day.
• Manage men Tactfully, Totally, Thoughtfully, Talkatively, Task-fully, Thankfully, with respect to Trust, Time and Technology.
• Communicate, follow up, document and update.
• Lead by example.
• Expect the unexpected.
• Respond promptly but thoughtfully. Avoid reaction.
• Delegate, but empower and support.
• 44. Resources:
• National Institute of Standards and Technology (NIST) – www.nist.gov
• http://www.sourcesecurity.com/
• National Vulnerability Database – http://web.nvd.nist.gov/view/vuln/search
• Department of Electronics and Information Technology – http://deity.gov.in/
• Latest IT News and Articles – http://www.informationweek.in/home.aspx
• IT Security Experts – https://www.isc2.org/
• Information Systems Audit and Control Association – http://www.isaca.org/about-isaca/Pages/default.aspx
• https://www.us-cert.gov/about-us
• https://www.nist.gov/
• https://www.cisecurity.org/
• 45. Homework
ISF Threat Horizon Report 2019-2021: recommended reading at your leisure (ISF_Threat Horizon 2021_Report.pdf).
• 46. Summary
• Why security is important and what are the sources of compromise.
• Four virtues and eight rules of security.
• What is information security, CIA and BIA.
• Common security definitions and terms.
• 10 Security domains by (ISC)2.
• 3 Steps for success in security.
• What to do for security.
• 47. THANK YOU for Watching Securely!