Overview of Information Security & Privacy
Nawanan Theera-Ampornpunt, M.D., Ph.D.
Faculty of Medicine Ramathibodi Hospital
Mahidol University
July 17, 2015
http://www.SlideShare.net/Nawanan
Outline
- Introduction to Information Privacy & Security
- Protecting Information Privacy & Security
- User Security
- Software Security
- Cryptography
- Malware
- Security Standards
Introduction to Information Privacy & Security
Threats to Information Security
Security Threats & Thailand
https://www.thaicert.or.th/downloads/files/ThaiCERT_Annual_Report_th_2013.pdf
ThaiCERT (2013)
Security Threats & Thailand
https://www.facebook.com/longhackz
Security Threats & Thailand
(Top) http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/
(Bottom) http://www.bloomberg.com/news/articles/2014-12-07/sony-s-darkseoul-breach-stretched-from-thai-hotel-to-hollywood
Security Threats & Health Care
http://usatoday30.usatoday.com/life/people/2007-10-10-clooney_N.htm
Security Threats & Health Care
http://news.sanook.com/1262964/
Sources of the Threats
- Hackers
- Viruses & Malware
- Poorly-designed systems
- Insiders (Employees)
- People’s ignorance & lack of knowledge
- Disasters & other incidents affecting information systems
Consequences of Security Attacks
- Information risks
  - Unauthorized access & disclosure of confidential information
  - Unauthorized addition, deletion, or modification of information
- Operational risks
  - System not functional (Denial of Service - DoS)
  - System wrongly operated
- Personal risks
  - Identity thefts
  - Financial losses
  - Disclosure of information that may affect employment or other personal aspects (e.g. health information)
  - Physical/psychological harms
- Organizational risks
  - Financial losses
  - Damage to reputation & trust
  - Etc.
Privacy & Security
- Privacy: “The ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively.” (Wikipedia)
- Security: “The degree of protection to safeguard ... person against danger, damage, loss, and crime.” (Wikipedia)
- Information Security: “Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction” (Wikipedia)
Security & Privacy
http://en.wikipedia.org/wiki/A._S._Bradford_House
Information Security
- Confidentiality
- Integrity
- Availability
Examples of Confidentiality Risks
http://usatoday30.usatoday.com/life/people/2007-10-10-clooney_N.htm
Examples of Integrity Risks
http://www.wired.com/threatlevel/2010/03/source-code-hacks/
http://en.wikipedia.org/wiki/Operation_Aurora
“Operation Aurora”
Alleged Targets: Google, Adobe, Juniper Networks, Yahoo!, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical
Goal: To gain access to and potentially modify source code repositories at high tech, security & defense contractor companies
Examples of Integrity Risks
http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml
Web Defacements
Examples of Availability Risks
http://en.wikipedia.org/wiki/Blaster_worm
Viruses/worms that led to instability & system restart (e.g. Blaster worm)
Examples of Availability Risks
http://en.wikipedia.org/wiki/Ariane_5_Flight_501
Ariane 5 Flight 501 Rocket Launch Failure
Cause: Software bug in the handling of rocket acceleration data, due to a data conversion from a 64-bit floating point number to a 16-bit signed integer without proper checks, leading to arithmetic overflow
Interesting Resources
- http://en.wikipedia.org/wiki/List_of_software_bugs
- http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
- http://en.wikipedia.org/wiki/Hacktivism
- http://en.wikipedia.org/wiki/Website_defacement
- http://en.wikipedia.org/wiki/Hacker_(computer_security)
- http://en.wikipedia.org/wiki/List_of_hackers
Protecting Information Privacy & Security
Privacy Protections: Why?
http://www.aclu.org/ordering-pizza
Recent JAMA Article
JAMA. 2015 Apr 14;313(14).
Common Security Terms
- Attack
  - An attempt to breach system security
- Threat
  - A scenario that can harm a system
- Vulnerability
  - The “hole” that is used in the attack
Class Exercise
- Identify some possible means an attacker could use to conduct a security attack
Simplified Attack Scenarios
(Diagram: Alice, Server Bob, Eve/Mallory)
- Physical access to client computer
- Electronic access (password)
- Tricking user into doing something (malware, phishing & social engineering)

- Intercepting (eavesdropping or “sniffing”) data in transit
- Modifying data (“Man-in-the-middle” attacks)
- “Replay” attacks

- Unauthorized access to servers through
  - Physical means
  - User accounts & privileges
- Attacks through software vulnerabilities
- Attacks using protocol weaknesses
- DoS / DDoS attacks

Other & newer forms of attacks possible
Safeguarding Against Attacks
(Diagram: Alice, Server Bob)
Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & Business continuity planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
Physical Security
- Protecting physical access of clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposition of storage devices
User Security
- User account management
- Strong password policy (length, complexity, expiry, no meaning)
- Principle of Least Privilege
- “Clear desk, clear screen policy”
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering
System Security
- Antivirus, antispyware, personal firewall, intrusion detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches, fixes of operating system vulnerabilities & application vulnerabilities
- Redundancy (avoid “Single Point of Failure”)
- Honeypots
Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs, performance issues & attacks
- Updates to patch vulnerabilities
Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols if possible
- Data encryption during transit if possible
- Bandwidth monitoring & control
Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases if necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
Privacy Safeguards
Image: http://www.nurseweek.com/news/images/privacy.jpg
- Security safeguards
- Informed consent
- Privacy culture
- User awareness building & education
- Organizational policy & regulations
- Enforcement
- Ongoing privacy & security assessments, monitoring, and protection
User Security
Need for Strong Password Policy
So, two informaticians walk into a bar... The bouncer says, "What's the password." One says, "Password?" The bouncer lets them in.
Credits: @RossMartin & AMIA (2012)
User Security
- Access control
  - Selective restriction of access to the system
- Role-based access control
  - Access control based on the person’s role (rather than identity)
- Audit trails
  - Logs/records that provide evidence of the sequence of activities
User Security
- Identification
  - Identifying who you are
  - Usually done by user IDs or some other unique codes
- Authentication
  - Confirming that you truly are who you identify as
  - Usually done by keys, PIN, passwords or biometrics
- Authorization
  - Specifying/verifying how much access you have
  - Determined based on system owner’s policy & system configurations
  - “Principle of Least Privilege”
User Security
- Nonrepudiation
  - Proving integrity, origin, & performer of an activity without the person’s ability to refute his actions
  - Most common form: signatures
  - Electronic signatures offer varying degrees of nonrepudiation
    - PIN/password vs. biometrics
  - Digital certificates (in public key infrastructure - PKI) often used to ascertain nonrepudiation
User Account Security
https://www.thaicert.or.th/downloads/files/BROCHURE_security_awareness.png
User Security
- Multiple-Factor Authentication
  - Two-Factor Authentication
  - Use of multiple means (“factors”) for authentication
- Types of Authentication Factors
  - Something you know
    - Password, PIN, etc.
  - Something you have
    - Keys, cards, tokens, devices (e.g. mobile phones)
  - Something you are
    - Biometrics
Recommended Password Policy
- Length
  - 8 characters or more (to slow down brute-force attacks)
- Complexity (to slow down brute-force attacks)
  - Consists of 3 of 4 categories of characters
    - Uppercase letters
    - Lowercase letters
    - Numbers
    - Symbols (except symbols that have special uses by the system or that can be used to hack the system, e.g. SQL Injection)
- No meaning (“Dictionary Attacks”)
- Not simple patterns (12345678, 11111111) (to slow down brute-force attacks & prevent dictionary attacks)
- Not easy to guess (birthday, family names, etc.) (to prevent unknown & known persons from guessing)
Personal opinion. No legal responsibility assumed.
Recommended Password Policy
- Expiration (to make brute-force attacks not possible)
  - 6-8 months
  - Decreasing over time because of increasing computer speed
  - But be careful! Too short a duration will force users to write passwords down
- Secure password storage in database or system (encrypted, or store only password hashes)
- Secure password confirmation
- Secure “forgot password” policy
- Different password for each account. Create variations to help remember. If not possible, have different sets of accounts for differing security needs (e.g., bank accounts vs. social media sites)
Personal opinion. No legal responsibility assumed.
Dictionary Attack:
A story from my studies of system hacking in the USA
Clear Desk, Clear Screen Policy
http://pixabay.com/en/post-it-sticky-note-note-corner-148282/
Techniques to Remember Passwords
- http://www.wikihow.com/Create-a-Password-You-Can-Remember
- Note that some of the techniques are less secure!
- One easy & secure way: password mnemonic
  - Think of a full sentence that you can remember
  - Ideally the sentence should have 8 or more words, with numbers and symbols
  - Use the first character of each word as the password
  - Sentence: I love reading all 7 Harry Potter books!
  - Password: Ilra7HPb!
  - Voila!
Personal opinion. No legal responsibility assumed.
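An added example (Python, not code from the slides) that turns the recommended password policy above and the mnemonic technique into checks: check_password() reports which rules a candidate fails, using a constructed word list and the user's own personal terms, and mnemonic() builds the slide's Ilra7HPb! from its sentence. The rule that a symbol ending a word is kept (books! becomes b!) is my reading of the slide's example; the word list and sample passwords are constructed.

```python
# Constructed stand-in for a dictionary-attack word list (not from the slides).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "hospital"}

# The four character categories from the policy; a password needs 3 of 4.
CATEGORIES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}


def is_simple_pattern(pw: str) -> bool:
    """Repeated single character (11111111) or a straight run (12345678, abcdefgh)."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def check_password(pw: str, personal_terms=()) -> list:
    """Return the names of the policy rules that pw fails (empty list = accepted).

    personal_terms: things a known person could guess (birthday, family names),
    supplied per user because the policy says they must not appear.
    """
    failures = []
    if len(pw) < 8:                                   # length rule
        failures.append("length")
    present = sum(any(test(c) for c in pw) for test in CATEGORIES.values())
    if present < 3:                                   # complexity rule
        failures.append("complexity")
    if is_simple_pattern(pw):                         # no simple patterns
        failures.append("simple_pattern")
    letters_only = "".join(c for c in pw if c.isalpha()).lower()
    if letters_only in COMMON_WORDS or pw.lower() in COMMON_WORDS:
        failures.append("dictionary_word")            # "no meaning" rule
    lowered = pw.lower()
    if any(term.lower() in lowered for term in personal_terms if term):
        failures.append("personal_info")              # not easy to guess
    return failures


def mnemonic(sentence: str) -> str:
    """First character of each word; a symbol that ends a word is kept as well."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        if len(word) > 1 and not word[-1].isalnum():
            out.append(word[-1])
    return "".join(out)


if __name__ == "__main__":
    candidate = mnemonic("I love reading all 7 Harry Potter books!")
    print(candidate, check_password(candidate))
    for weak in ("12345678", "11111111", "Password1!", "Ab1!"):
        print(weak, check_password(weak))
```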
Password Sharing
Don't share your password with others
Password Expiration
Change your password every 3-6 months
Keylogger Attack:
A story from a club activity back when I was a medical student
Rogue Wi-Fi Router:
The password thief everyone must watch out for
Logout After Use
Always remember to log out after use, especially on public computers (if you step away from the screen, even briefly, always lock the screen)
Mobile Security
https://www.thaicert.or.th/downloads/files/BROCHURE_mobile_malware.png
- Set a PIN for the lock screen
- Don't keep important data on the device
- Be careful not to lose it; if it is lost, report it promptly to have it suspended
Online (Shopping) Security
https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Online-Shopping-Tips.jpg
- Take good care of your credit card and your card number information
- Use it only on trustworthy websites
- Subscribe to SMS alerts for every card charge
- Always review statements and check transactions
E-mail Security
https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Mail-Scam.jpg
E-mail & Online Security (Phishing)
https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Phishing.jpg
Secure Log-in for Important Websites
Microsoft Internet Explorer
Mozilla Firefox
Google Chrome
Phishing Web Site
Phishing E-mail
Ransomware
Key Signs That Should Raise Suspicion of Phishing
- Terrible grammar
- Many spelling mistakes
- Pushes hard for you to open an attachment, click a link, or reply to the e-mail, but gives few details
- An e-mail from someone you know is not always safe
Ways to Protect against Phishing
- Don’t be too trusting of people
- Always be suspicious & alert
- An e-mail with your friend’s name & info doesn’t have to come from him/her
- Look for signs of phishing attacks
- Don’t open attachments unless you expect them
- Scan for viruses before opening attachments
- Don’t click links in e-mail. Directly type in the browser using known & trusted URLs
- Be especially cautious if asked for passwords, bank accounts, credit card numbers, social security numbers, etc.
Phishing Attack:
A story from my time as president of the Thai students in Minnesota
PC Security, Virus & Malware
https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Phishing_Malicious-Code.jpg
PC Security, Virus & Malware
File Sharing:
A story from my life as a (curious) Ramathibodi medical student
Virus/Malware Attack & Windows Update:
A story from my role as Chief IT Admin at Ramathibodi (who had to deal with a system outage)
Back-up Your Data:
A story from someone with a lot of work
Software Security
- Most common reason for security bugs is invalid programming assumptions that attackers will look for
  - Weak input checking
  - Buffer overflow
  - Integer overflow
  - Race condition (Time of Check / Time of Use vulnerabilities)
  - Running programs in new environments
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Software Security
- Feeping creaturism (Creeping featurism)
- Log files that contain sensitive information
- Configuration bugs
- Unnecessary privileges
- Monoculture
- Security bypass
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Example of Weak Input Checking: SQL Injection
- Consider a log-in form on a web page
- Source code would look something like this:
  statement = "SELECT * FROM users WHERE name = '" + userName + "';"
- Attacker would enter as username:
  ' or '1'='1
- Which leads to this always-true query:
  statement = "SELECT * FROM users WHERE name = '" + "' or '1'='1" + "';"
  statement = "SELECT * FROM users WHERE name = '' or '1'='1';"
http://en.wikipedia.org/wiki/SQL_injection
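An added example (Python with the standard-library sqlite3 module, not code from the slides) that runs the concatenated query above against a small table, so the ' or '1'='1 input visibly returns every row, beside the parameterised form and an allow-list username check of the kind the "validate inputs (whitelist)" best practice calls for. The users table and its rows are constructed here.

```python
import re
import sqlite3

# Constructed sample table (not from the original slides).
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """In-memory users table seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_name: str) -> list:
    """The slide's pattern: untrusted input spliced into the SQL text.
    Kept deliberately vulnerable so the effect of the injected input is visible."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_name: str) -> list:
    """Parameterised query: the driver binds the value separately, so it is
    only ever compared as data and cannot change the query structure."""
    return conn.execute(
        "SELECT * FROM users WHERE name = ?;", (user_name,)
    ).fetchall()


def is_valid_username(name: str) -> bool:
    """Allow-list input check: letters, digits and underscore only, so quote
    characters are rejected before any query is built."""
    return USERNAME_RE.fullmatch(name) is not None


def demo() -> dict:
    """Run the slide's injection string through both lookups; return row counts."""
    conn = make_db()
    payload = "' or '1'='1"
    return {
        "vulnerable_rows": len(vulnerable_lookup(conn, payload)),  # every user
        "safe_rows": len(safe_lookup(conn, payload)),              # no such name
        "normal_rows": len(safe_lookup(conn, "alice")),            # one match
        "payload_passes_allow_list": is_valid_username(payload),
    }


if __name__ == "__main__":
    print(demo())
```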
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
- Economy of Mechanism
  - Design should be small & simple
- Fail-safe default
- Complete mediation
  - Check every access to every object
- Open design
- Separation of privilege / Least Privilege
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
- Least common mechanism
  - Minimize complexity of shared components
- Psychological acceptability
  - If users don’t buy in to the security mechanism or don’t understand how to use it, the system is insecure
- Work factor
  - Cost of attack should exceed the resources the attacker will spend
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
- Compromise recording
  - If too expensive to prevent a compromise, record it
  - Tamper evident vs. tamperproof
  - Log files
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Image source: http://www.flickr.com/photos/goobelyga/2340650133/
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
- Defense in Depth
  - Multiple layers of security defense are placed throughout a system to provide redundancy in the event a security control fails
- Secure the weakest link
- Promote privacy
- Trust no one
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
Secure Software Best Practices
- Modular design
- Check error conditions on return values
- Validate inputs (whitelist vs. blacklist)
- Avoid infinite loops, memory leaks
- Check for integer overflows
- Language/library choices
- Development processes
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Malware
- Malicious software - Any code with intentional, undesirable side effects
  - Virus
  - Worm
  - Trojan
  - Spyware
  - Logic Bomb/Time Bomb
  - Backdoor/Trapdoor
  - Rootkit
  - Botnet
Malware
- Virus
  - Propagating malware that requires user action to propagate
  - Infects executable files, data files with executable contents (e.g. Macro), boot sectors
- Worm
  - Self-propagating malware
- Trojan
  - A legitimate program with additional, hidden functionality
Malware
- Spyware
  - Trojan that spies for & steals personal information
- Logic Bomb/Time Bomb
  - Malware that triggers under certain conditions
- Backdoor/Trapdoor
  - A hole left behind by malware for future access
Malware
- Rogue Antispyware (Ransomware)
  - Software that tricks or forces users to pay before fixing (real or hoax) spyware it claims to have detected
- Rootkit
  - A stealth program designed to hide the existence of certain processes or programs from detection
- Botnet
  - A collection of Internet-connected computers that have been compromised (bots), which the controller of the botnet can use for some purpose (e.g. DDoS attacks)
Defense Against Malware
- Installed & updated antivirus, antispyware, & personal firewall
  - Check for known signatures
  - Check for improper file changes (integrity failures)
  - Check for generic patterns of malware (for unknown malware): “Heuristics scan”
  - Firewall: Block certain network traffic in and out
- Sandboxing
- Network monitoring & containment
- User education
- Software patches, more secure protocols
Newer Threats
- Social media spams/scams/clickjacking
- Social media privacy issues
  - User privacy settings
  - Location services
- Mobile device malware & other privacy risks
- Stuxnet (advanced malware targeting certain countries)
- Advanced persistent threats (APT) by governments & corporations against specific targets
More Information
- US-CERT
  - U.S. Computer Emergency Readiness Team
  - http://www.us-cert.gov/
  - Subscribe to alerts & news
- Microsoft Security Resources
  - http://technet.microsoft.com/en-us/security
  - http://technet.microsoft.com/en-us/security/bulletin
- Common Vulnerabilities & Exposures
  - http://cve.mitre.org/
Q & A

 
Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Do's and Don'ts on PDPA for Doctors (May 31, 2022)Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Do's and Don'ts on PDPA for Doctors (May 31, 2022)
 
Telemedicine: A Health Informatician's Point of View
Telemedicine: A Health Informatician's Point of ViewTelemedicine: A Health Informatician's Point of View
Telemedicine: A Health Informatician's Point of View
 
Meeting Management (March 2, 2022)
Meeting Management (March 2, 2022)Meeting Management (March 2, 2022)
Meeting Management (March 2, 2022)
 
การบริหารความเสี่ยงคณะฯ (February 9, 2022)
การบริหารความเสี่ยงคณะฯ (February 9, 2022)การบริหารความเสี่ยงคณะฯ (February 9, 2022)
การบริหารความเสี่ยงคณะฯ (February 9, 2022)
 
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
 
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
 
Digital Health Transformation for Health Executives (January 18, 2022)
Digital Health Transformation for Health Executives (January 18, 2022)Digital Health Transformation for Health Executives (January 18, 2022)
Digital Health Transformation for Health Executives (January 18, 2022)
 
Updates on Privacy & Security Laws (November 26, 2021)
Updates on Privacy & Security Laws (November 26, 2021)Updates on Privacy & Security Laws (November 26, 2021)
Updates on Privacy & Security Laws (November 26, 2021)
 
Hospital Informatics (November 26, 2021)
Hospital Informatics (November 26, 2021)Hospital Informatics (November 26, 2021)
Hospital Informatics (November 26, 2021)
 
Health Informatics for Clinical Research (November 25, 2021)
Health Informatics for Clinical Research (November 25, 2021)Health Informatics for Clinical Research (November 25, 2021)
Health Informatics for Clinical Research (November 25, 2021)
 
Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Research Ethics and Ethics for Health Informaticians (November 15, 2021)Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Research Ethics and Ethics for Health Informaticians (November 15, 2021)
 
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Dernier (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Overview of Information Security & Privacy

  • 1. Overview of Information Security & Privacy Nawanan Theera-Ampornpunt, M.D., Ph.D. Faculty of Medicine Ramathibodi Hospital Mahidol University July 17, 2015 http://www.SlideShare.net/Nawanan
  • 2. Outline
    - Introduction to Information Privacy & Security
    - Protecting Information Privacy & Security
    - User Security
    - Software Security
    - Cryptography
    - Malware
    - Security Standards
  • 5. Security Threats & Thailand https://www.thaicert.or.th/downloads/files/ThaiCERT_Annual_Report_th_2013.pdf ThaiCERT (2013)
  • 6. Security Threats & Thailand https://www.thaicert.or.th/downloads/files/ThaiCERT_Annual_Report_th_2013.pdf ThaiCERT (2013)
  • 7. Security Threats & Thailand https://www.thaicert.or.th/downloads/files/ThaiCERT_Annual_Report_th_2013.pdf ThaiCERT (2013)
  • 8. Security Threats & Thailand https://www.facebook.com/longhackz
  • 9. Security Threats & Thailand (Top) http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/ (Bottom) http://www.bloomberg.com/news/articles/2014-12-07/sony-s-darkseoul-breach-stretched-from-thai-hotel-to-hollywood
  • 10. Security Threats & Health Care http://usatoday30.usatoday.com/life/people/2007-10-10-clooney_N.htm
  • 11. Security Threats & Health Care http://news.sanook.com/1262964/
  • 12. Sources of the Threats
    - Hackers
    - Viruses & Malware
    - Poorly-designed systems
    - Insiders (Employees)
    - People’s ignorance & lack of knowledge
    - Disasters & other incidents affecting information systems
  • 13. Consequences of Security Attacks
    - Information risks
      - Unauthorized access & disclosure of confidential information
      - Unauthorized addition, deletion, or modification of information
    - Operational risks
      - System not functional (Denial of Service - DoS)
      - System wrongly operated
    - Personal risks
      - Identity thefts
      - Financial losses
      - Disclosure of information that may affect employment or other personal aspects (e.g. health information)
      - Physical/psychological harms
    - Organizational risks
      - Financial losses
      - Damage to reputation & trust
      - Etc.
  • 14. Privacy & Security
    - Privacy: “The ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively.” (Wikipedia)
    - Security: “The degree of protection to safeguard ... person against danger, damage, loss, and crime.” (Wikipedia)
    - Information Security: “Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction” (Wikipedia)
  • 16. Information Security
    - Confidentiality
    - Integrity
    - Availability
  • 17. Examples of Confidentiality Risks http://usatoday30.usatoday.com/life/people/2007-10-10-clooney_N.htm
  • 18. Examples of Integrity Risks http://www.wired.com/threatlevel/2010/03/source-code-hacks/ http://en.wikipedia.org/wiki/Operation_Aurora “Operation Aurora” Alleged Targets: Google, Adobe, Juniper Networks, Yahoo!, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical Goal: To gain access to and potentially modify source code repositories at high tech, security & defense contractor companies
  • 19. Examples of Integrity Risks http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml Web Defacements
  • 20. Examples of Availability Risks http://en.wikipedia.org/wiki/Blaster_worm Viruses/worms that led to instability & system restart (e.g. Blaster worm)
  • 21. Examples of Availability Risks http://en.wikipedia.org/wiki/Ariane_5_Flight_501 Ariane 5 Flight 501 Rocket Launch Failure. Cause: software bug in the rocket acceleration handling due to data conversion from a 64-bit floating point number to a 16-bit signed integer without proper checks, leading to arithmetic overflow
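The Ariane 5 slide above describes a narrowing conversion that silently wrapped. The following added example (not part of the original deck) contrasts an unchecked 64-bit float to 16-bit signed integer conversion, emulated the way a wrapping C cast behaves, with a checked conversion that refuses out-of-range and non-finite input. The sample readings are constructed; the function names are the example's own.

```python
import math
import struct

INT16_MIN, INT16_MAX = -32768, 32767


def unchecked_to_int16(value: float) -> int:
    """Emulate an unchecked narrowing cast: truncate toward zero, keep only
    the low 16 bits and reinterpret them as a signed integer. Out-of-range
    inputs come back as an unrelated number instead of an error, which is
    the failure mode described on the slide."""
    truncated = int(value)                  # truncates toward zero like a C cast
    low16 = truncated & 0xFFFF              # drop everything above 16 bits
    return struct.unpack("<h", struct.pack("<H", low16))[0]


def checked_to_int16(value: float) -> int:
    """Convert a 64-bit float to a 16-bit signed integer only when the
    result is representable; otherwise raise instead of corrupting data."""
    if not math.isfinite(value):
        raise ValueError(f"cannot convert non-finite value {value!r} to int16")
    truncated = int(value)
    if not INT16_MIN <= truncated <= INT16_MAX:
        raise OverflowError(f"{value!r} does not fit in a 16-bit signed integer")
    return truncated


def describe_conversion(value: float) -> dict:
    """Report what the unchecked and the checked conversion each produce
    for one sensor-style reading (constructed input for the example)."""
    # A C cast of NaN/inf is undefined behaviour, so the emulation is skipped for those.
    unchecked = unchecked_to_int16(value) if math.isfinite(value) else "undefined"
    try:
        checked = checked_to_int16(value)
    except (ValueError, OverflowError) as exc:
        checked = type(exc).__name__
    return {"input": value, "unchecked": unchecked, "checked": checked}


if __name__ == "__main__":
    for reading in (123.9, 40000.0, -40000.0, float("nan")):
        print(describe_conversion(reading))
```

The point to take from the output is that a positive reading of 40000.0 becomes a negative number under the unchecked path while the checked path reports an overflow that the caller can handle (for example by switching to a fail-safe default, as the design principles later in the deck recommend).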
  • 22. Interesting Resources
    - http://en.wikipedia.org/wiki/List_of_software_bugs
    - http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
    - http://en.wikipedia.org/wiki/Hacktivism
    - http://en.wikipedia.org/wiki/Website_defacement
    - http://en.wikipedia.org/wiki/Hacker_(computer_security)
    - http://en.wikipedia.org/wiki/List_of_hackers
  • 25. Recent JAMA Article: JAMA. 2015 Apr 14;313(14).
  • 26. Common Security Terms
    - Attack: An attempt to breach system security
    - Threat: A scenario that can harm a system
    - Vulnerability: The “hole” that is used in the attack
  • 27. Class Exercise
    - Identify some possible means an attacker could use to conduct a security attack
  • 29. Alice Simplified Attack Scenarios Server Bob - Physical access to client computer - Electronic access (password) - Tricking user into doing something (malware, phishing & social engineering) Eve/Mallory
  • 30. Alice Simplified Attack Scenarios Server Bob - Intercepting (eavesdropping or “sniffing”) data in transit - Modifying data (“Man-in-the-middle” attacks) - “Replay” attacks Eve/Mallory
  • 31. Alice Simplified Attack Scenarios Server Bob - Unauthorized access to servers through - Physical means - User accounts & privileges - Attacks through software vulnerabilities - Attacks using protocol weaknesses - DoS / DDoS attacks Eve/Mallory
  • 32. Alice Simplified Attack Scenarios Server Bob Other & newer forms of attacks possible Eve/Mallory
  • 33. Alice Safeguarding Against Attacks Server Bob Administrative Security - Security & privacy policy - Governance of security risk management & response - Uniform enforcement of policy & monitoring - Disaster recovery planning (DRP) & Business continuity planning/management (BCP/BCM) - Legal obligations, requirements & disclaimers
  • 34. Alice Safeguarding Against Attacks Server Bob Physical Security - Protecting physical access of clients & servers - Locks & chains, locked rooms, security cameras - Mobile device security - Secure storage & secure disposition of storage devices
  • 35. Alice Safeguarding Against Attacks Server Bob User Security - User account management - Strong p/w policy (length, complexity, expiry, no meaning) - Principle of Least Privilege - “Clear desk, clear screen policy” - Audit trails - Education, awareness building & policy enforcement - Alerts & education about phishing & social engineering
  • 36. Alice Safeguarding Against Attacks Server Bob System Security - Antivirus, antispyware, personal firewall, intrusion detection/prevention system (IDS/IPS), log files, monitoring - Updates, patches, fixes of operating system vulnerabilities & application vulnerabilities - Redundancy (avoid “Single Point of Failure”) - Honeypots
  • 37. Alice Safeguarding Against Attacks Server Bob Software Security - Software (clients & servers) that is secure by design - Software testing against failures, bugs, invalid inputs, performance issues & attacks - Updates to patch vulnerabilities
  • 38. Alice Safeguarding Against Attacks Server Bob Network Security - Access control (physical & electronic) to network devices - Use of secure network protocols if possible - Data encryption during transit if possible - Bandwidth monitoring & control
  • 39. Alice Safeguarding Against Attacks Server Bob Database Security - Access control to databases & storage devices - Encryption of data stored in databases if necessary - Secure destruction of data after use - Access control to queries/reports - Security features of database management systems (DBMS)
  • 40. Privacy Safeguards (Image: http://www.nurseweek.com/news/images/privacy.jpg)
    - Security safeguards
    - Informed consent
    - Privacy culture
    - User awareness building & education
    - Organizational policy & regulations
    - Enforcement
    - Ongoing privacy & security assessments, monitoring, and protection
  • 42. Need for Strong Password Policy So, two informaticians walk into a bar... The bouncer says, "What's the password." One says, "Password?" The bouncer lets them in. Credits: @RossMartin & AMIA (2012)
  • 43. User Security
    - Access control: Selective restriction of access to the system
    - Role-based access control: Access control based on the person’s role (rather than identity)
    - Audit trails: Logs/records that provide evidence of the sequence of activities
  • 44. User Security
    - Identification
      - Identifying who you are
      - Usually done by user IDs or some other unique codes
    - Authentication
      - Confirming that you truly are who you identify
      - Usually done by keys, PIN, passwords or biometrics
    - Authorization
      - Specifying/verifying how much access you have
      - Determined based on the system owner’s policy & system configurations
      - “Principle of Least Privilege”
  • 45. User Security
    - Nonrepudiation
      - Proving integrity, origin, & performer of an activity without the person’s ability to refute his actions
      - Most common form: signatures
      - Electronic signatures offer varying degrees of nonrepudiation
        - PIN/password vs. biometrics
      - Digital certificates (in public key infrastructure - PKI) often used to ascertain nonrepudiation
  • 47. User Security
    - Multiple-Factor Authentication
      - Two-Factor Authentication
      - Use of multiple means (“factors”) for authentication
    - Types of Authentication Factors
      - Something you know: Password, PIN, etc.
      - Something you have: Keys, cards, tokens, devices (e.g. mobile phones)
      - Something you are: Biometrics
  • 48. Recommended Password Policy
    - Length: 8 characters or more (to slow down brute-force attacks)
    - Complexity (to slow down brute-force attacks): consists of 3 of 4 categories of characters
      - Uppercase letters
      - Lowercase letters
      - Numbers
      - Symbols (except symbols that have special uses by the system or that can be used to hack the system, e.g. SQL Injection)
    - No meaning (“Dictionary Attacks”)
    - Not simple patterns (12345678, 11111111) (to slow down brute-force attacks & prevent dictionary attacks)
    - Not easy to guess (birthday, family names, etc.) (to prevent unknown & known persons from guessing)
    Personal opinion. No legal responsibility assumed.
  • 49. Recommended Password Policy
    - Expiration (to make brute-force attacks not possible)
      - 6-8 months
      - Decreasing over time because of increasing computer speed
      - But be careful! Too short a duration will force users to write passwords down
    - Secure password storage in database or system (encrypted, or store only password hashes)
    - Secure password confirmation
    - Secure “forgot password” policy
    - Different password for each account. Create variations to help remember. If not possible, have different sets of accounts for differing security needs (e.g., bank accounts vs. social media sites)
    Personal opinion. No legal responsibility assumed.
  • 51. Clear Desk, Clear Screen Policy http://pixabay.com/en/post-it-sticky-note-note-corner-148282/
  • 52. Techniques to Remember Passwords
    - http://www.wikihow.com/Create-a-Password-You-Can-Remember
    - Note that some of the techniques are less secure!
    - One easy & secure way: password mnemonic
      - Think of a full sentence that you can remember
      - Ideally the sentence should have 8 or more words, with numbers and symbols
      - Use the first character of each word as the password
      - Sentence: I love reading all 7 Harry Potter books!
      - Password: Ilra7HPb!
      - Voila!
    Personal opinion. No legal responsibility assumed.
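To make the password policy of slides 48-49 and the storage rule “store only password hashes” concrete, here is an added example (not code from the deck) that checks a candidate password against those rules and shows salted hashing with verification. The small word list is constructed for the example; a real system would load a large dictionary. The mnemonic password from slide 52 is used as a sample input.

```python
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for a real dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "hospital", "ramathibodi"}

PBKDF2_ROUNDS = 200_000  # work factor; raise as hardware gets faster


def _is_sequence(s: str) -> bool:
    """True when the characters step by exactly +1 or exactly -1 throughout
    (e.g. 12345678, abcdefgh, 87654321)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password_policy(password: str) -> list:
    """Return the list of slide 48 rules the password violates (empty = compliant)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        problems.append("fewer than 3 of 4 character categories")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    elif _is_sequence(password):
        problems.append("sequential pattern")
    # Dictionary check: compare the letters-only core case-insensitively,
    # so "Password1!" is still caught.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in COMMON_WORDS or password.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


def hash_password(password: str) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself.
    The record carries algorithm, rounds and salt so it can be verified later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/rounds and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("Ilra7HPb!", "12345678", "Password1!", "Ab1!"):
        print(candidate, "->", check_password_policy(candidate) or "OK")
    record = hash_password("Ilra7HPb!")
    print(record)
    print("verify correct:", verify_password("Ilra7HPb!", record))
    print("verify wrong:  ", verify_password("wrong", record))
```

Because the salt is random, two users with the same password get different records, and the round count makes each guess expensive, which is what the expiration and length rules on the slides are trying to buy time against.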
  • 56. Rogue Wi-Fi Router: the password thief everyone must watch out for
  • 57. Logout After Use: Always log out after use, especially on public computers (if you step away from the screen even for a moment, always lock the screen)
  • 59. Mobile Security
    - Set a PIN for the lock screen
    - Do not keep sensitive data on the device
    - Take care not to lose it; if it is lost, report it promptly to have it suspended
  • 60. Online (Shopping) Security (https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Online-Shopping-Tips.jpg)
    - Take good care of your credit card and card number
    - Use it only with trustworthy websites
    - Sign up for SMS alerts whenever the card is charged
    - Always review statements and verify transactions
  • 63. E-mail & Online Security (Phishing) https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Phishing.jpg
  • 66. Secure Log-in for important websites (Mozilla Firefox, Google Chrome)
  • 73. Key signs that should make you suspect phishing
    - Terrible grammar
    - Lots of spelling mistakes
    - Tries very hard to get you to open an attachment, click a link, or reply to the mail, but gives few details
    - An e-mail from someone you know is not always safe
  • 74. Ways to Protect against Phishing
    - Don’t be too trusting of people
    - Always be suspicious & alert
    - An e-mail with your friend’s name & info doesn’t have to come from him/her
    - Look for signs of phishing attacks
    - Don’t open attachments unless you expect them
    - Scan for viruses before opening attachments
    - Don’t click links in e-mail. Directly type the address in the browser using known & trusted URLs
    - Be especially cautious if asked for passwords, bank accounts, credit card numbers, social security numbers, etc.
  • 76. PC Security, Virus & Malware https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Phishing_Malicious-Code.jpg
  • 79. Virus/Malware Attack & Windows Update: a story from my role as Chief IT Admin at Ramathibodi (having to deal with a system outage)
  • 82. Software Security (Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271)
    - The most common reason for security bugs is invalid programming assumptions that attackers will look for
      - Weak input checking
      - Buffer overflow
      - Integer overflow
      - Race condition (Time of Check / Time of Use vulnerabilities)
      - Running programs in new environments
  • 83. Software Security (Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271)
    - Feeping creaturism (Creeping featurism)
    - Log files that contain sensitive information
    - Configuration bugs
    - Unnecessary privileges
    - Monoculture
    - Security bypass
  • 84. Example of Weak Input Checking: SQL Injection (http://en.wikipedia.org/wiki/SQL_injection)
    - Consider a log-in form on a web page
    - Source code would look something like this:
      statement = "SELECT * FROM users WHERE name = '" + userName + "';"
    - Attacker would enter as username: ' or '1'='1
    - Which leads to this always-true query:
      statement = "SELECT * FROM users WHERE name = '" + "' or '1'='1" + "';"
      statement = "SELECT * FROM users WHERE name = '' or '1'='1';"
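The slide shows the weak pattern and the input that defeats it; the following added example (not from the deck) runs both the vulnerable query and a hardened one against a constructed in-memory SQLite table so the difference is visible: the concatenated query returns every user, while whitelist validation plus a bound parameter returns nothing for the same input and still finds a legitimate user. The table contents, the allowed-character pattern and the function names are assumptions of the example.

```python
import re
import sqlite3

# Whitelist for log-in names (assumption for the example): letters, digits, "_", ".", "-", 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed users table standing in for the real log-in database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "clinician"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> list:
    """The pattern from slide 84: the user-controlled string becomes part of the SQL text."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_name: str) -> list:
    """Hardened form: reject input outside the whitelist, then bind the value
    as a parameter so the database driver never interprets it as SQL syntax."""
    if not USERNAME_RE.fullmatch(user_name):
        return []  # in production also log the rejected attempt for the audit trail
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def demo() -> dict:
    """Run the slide's input through both lookups and report the row counts."""
    conn = make_db()
    payload = "' or '1'='1"          # the username from the slide
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),
        "safe_rows": len(lookup_safe(conn, payload)),
        "legit_rows": len(lookup_safe(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

Parameter binding alone already neutralises the input; the whitelist is the extra layer (defense in depth) that also keeps unexpected characters out of log files and downstream systems.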
  • 85. Secure Software Design Principles (Saltzer & Schroeder (1975), Viega & McGraw (2000); adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271)
    - Economy of Mechanism: Design should be small & simple
    - Fail-safe default
    - Complete mediation: Check every access to every object
    - Open design
    - Separation of privilege / Least Privilege
  • 86. Secure Software Design Principles (Saltzer & Schroeder (1975), Viega & McGraw (2000); adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271)
    - Least common mechanism: Minimize complexity of shared components
    - Psychological acceptability: If users don’t buy in to the security mechanism or don’t understand how to use it, the system is insecure
    - Work factor: Cost of attack should exceed the resources the attacker will spend
  • 87. Secure Software Design Principles (Saltzer & Schroeder (1975), Viega & McGraw (2000); adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271; image source: http://www.flickr.com/photos/goobelyga/2340650133/)
    - Compromise recording
      - If too expensive to prevent a compromise, record it
      - Tamper evident vs. tamperproof
      - Log files
  • 88. Secure Software Design Principles (Saltzer & Schroeder (1975), Viega & McGraw (2000); adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271; http://en.wikipedia.org/wiki/Defense_in_depth_(computing))
    - Defense in Depth: Multiple layers of security defense are placed throughout a system to provide redundancy in the event a security control fails
    - Secure the weakest link
    - Promote privacy
    - Trust no one
  • 89. Secure Software Best Practices (Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271)
    - Modular design
    - Check error conditions on return values
    - Validate inputs (whitelist vs. blacklist)
    - Avoid infinite loops, memory leaks
    - Check for integer overflows
    - Language/library choices
    - Development processes
  • 91. Malware
    - Malicious software - Any code with intentional, undesirable side effects
      - Virus
      - Worm
      - Trojan
      - Spyware
      - Logic Bomb/Time Bomb
      - Backdoor/Trapdoor
      - Rootkit
      - Botnet
  • 92. Malware
    - Virus
      - Propagating malware that requires user action to propagate
      - Infects executable files, data files with executable contents (e.g. Macro), boot sectors
    - Worm: Self-propagating malware
    - Trojan: A legitimate program with additional, hidden functionality
  • 93. Malware
    - Spyware: Trojan that spies for & steals personal information
    - Logic Bomb/Time Bomb: Malware that triggers under certain conditions
    - Backdoor/Trapdoor: A hole left behind by malware for future access
  • 94. Malware
    - Rogue Antispyware (Ransomware): Software that tricks or forces users to pay before fixing (real or hoax) spyware detected
    - Rootkit: A stealth program designed to hide the existence of certain processes or programs from detection
    - Botnet: A collection of Internet-connected computers that have been compromised (bots) which the controller of the botnet can use to do something (e.g. DDoS attacks)
  • 95. Defense Against Malware
    - Installed & updated antivirus, antispyware, & personal firewall
      - Check for known signatures
      - Check for improper file changes (integrity failures)
      - Check for generic patterns of malware (for unknown malware): “Heuristics scan”
      - Firewall: Block certain network traffic in and out
    - Sandboxing
    - Network monitoring & containment
    - User education
    - Software patches, more secure protocols
  • 96. Newer Threats
    - Social media spams/scams/clickjacking
    - Social media privacy issues
      - User privacy settings
      - Location services
    - Mobile device malware & other privacy risks
    - Stuxnet (advanced malware targeting certain countries)
    - Advanced persistent threats (APT) by governments & corporations against specific targets
  • 97. More Information
    - US-CERT (U.S. Computer Emergency Readiness Team)
      - http://www.us-cert.gov/
      - Subscribe to alerts & news
    - Microsoft Security Resources
      - http://technet.microsoft.com/en-us/security
      - http://technet.microsoft.com/en-us/security/bulletin
    - Common Vulnerabilities & Exposures
      - http://cve.mitre.org/
  • 98. Q & A