Ivo Depoorter
Whois I
 Functions
 Sysadmin, DBA, CIO, ADP instructor, SSO,
Security consultant
 Career (20 y)
 NATO – Local government – Youth care
 Training
 Lots of Microsoft, Linux, networking,
programming…
 Security: Site Security Officer, CISSP, BCM,
Ethical Hacking, network scanning,…
Course outline
 Information security?
 Security Why?
 Security approach
 Vocabulary
 The weakest link
 Real life security sample
Information security?
According to Wikipedia, ISO 2700x, CISSP,
SANS, ….
 Confidentiality: classified information must be protected
from unauthorized disclosure.
 Integrity: information must be protected against
unauthorized changes and modification.
 Availability: the information processed and the services
provided must be protected from deliberate or accidental
loss, destruction, or interruption of service.
Information security?
Security attributes according to the Belgian
Privacy Commission
 Confidentiality
 Integrity
 Availability
+
 Accountability
 Non-repudiation
 Authenticity
 Reliability
CIA Exercise
Defacing of Belgian Army website
CIA Exercise
 Confidentiality
 ??
 Webserver only hosting public information?
 Webserver separated from the LAN?
 Integrity
 Unauthorized changes!
 Availability
 Information is no longer available
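The integrity and availability rows of the exercise are the part a sysadmin can actually check by machine. As an added example that is not part of the original slides, this is a file-integrity baseline for a web root: it records a SHA-256 digest per file while the site is known-good and later reports anything modified (the defacement case), added (files dropped by an intruder) or missing. The web root, its files and the "defacement" are constructed inside a temporary directory for the demo; the choice of SHA-256 and the directory layout are assumptions of the example, not something the deck prescribes.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assets do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(webroot: Path) -> dict:
    """Map every file below webroot (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(webroot).as_posix(): sha256_file(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file()
    }


def diff_baseline(webroot: Path, trusted: dict) -> dict:
    """Compare the live web root with a trusted baseline taken earlier.

    'modified' is the defacement case (integrity), 'missing' is content that is
    no longer served (availability), 'added' catches files an intruder dropped.
    """
    current = baseline(webroot)
    return {
        "modified": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "added": sorted(k for k in current if k not in trusted),
        "missing": sorted(k for k in trusted if k not in current),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical files, not a real site): baseline a clean
    web root, then simulate a defacement and see what the comparison reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "css" / "site.css").write_text("body { color: black; }\n")
        trusted = baseline(root)

        # Simulated incident: front page replaced, foreign file dropped, stylesheet deleted
        (root / "index.html").write_text("<h1>Defaced</h1>\n")
        (root / "dropped.txt").write_text("not part of the site\n")
        (root / "css" / "site.css").unlink()
        return diff_baseline(root, trusted)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:>8}: {files}")
```

Two practical points: the baseline has to live, and the comparison has to run, on a host the webserver cannot write to, otherwise an attacker who can replace index.html can also update the baseline; and a byte-for-byte intact site can still be down, so availability needs an external probe (an HTTP request from outside), which this integrity check does not give you.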
Security Why?
 Compliance with law
 Protect (valuable) assets
 Prevent production breakdowns
 Protect reputation, (non-)commercial image
 Meet customer & shareholder requirements
 Keep personnel happy
Security approach
 Both technical and non-technical countermeasures.
 Top-management approval and support!
 Communicate!
 Information security needs a
layered approach!!!
 Best practices
 COBIT
Control Objectives for Information and related Technology
 ISO 27002 (ISO 17799)
Code of practice for information security management
 …..
ISO 27002 (2005 edition)
 Section 0 Introduction
 Section 1 Scope
 Section 2 Terms and Definitions
 Section 3 Structure of the Standard
 Section 4 Risk Assessment and Treatment
 Section 5 Security Policy
 Section 6 Organizing Information Security
 Section 7 Asset Management
 Section 8 Human Resources Security
 Section 9 Physical and Environmental Security
 Section 10 Communications and Operations Management
 Section 11 Access Control
 Section 12 Information Systems Acquisition, Development and
Maintenance
 Section 13 Information Security Incident Management
 Section 14 Business Continuity Management
 Section 15 Compliance
ISO 27002 - Example
Security audit of a local government with > 500 employees
Technique: social engineering
Internal audit
Diagram: audited areas mapped to ISO 27002 sections: procedures (section 10), physical access (section 9), logical access (section 11), compliance (section 15)
Security vocabulary - Threat
 A potential cause of an unwanted incident, which may
result in harm to individuals, assets, a system or
organization, the environment, or the community.
(BCI)
 Samples:
 Fire
 Death of a key person (SPOK or Single Point of Knowledge)
 Crash of a critical network component e.g. core switch (SPOF: single
point of failure)
 …
Security vocabulary - Damage
 Harm or injury to property or a person, resulting in loss of
value or the impairment of usefulness
 Damage in information security:
 Operational
 Financial
 Legal
 Reputational
 Damage from the defaced Belgian Army website?
 Operational: probably (temporary front page, patch management, ….)
 Financial: probably (training personnel, hiring consultancy, ….)
 Legal: probably (lawsuit against the external party responsible?)
 Reputational: certainly!
Security vocabulary - Risk
 Combination of the probability of an event and its
consequence.
 Risk components
 Threat (probability)
 Damage (amount)
 Example:
(Damage scored per category: O = operational, F = financial, L = legal, R = reputational; risk = max impact × probability)

Process        Threat                       Damage           Max impact   Probability   Risk
                                            O   F   L   R
Food freezing  Electricity failure > 24 h   4   3   2   2    4            2             8
The Zen of Risk
 What is just the right amount of security?
 Seeking balance between
Security (Yin) and Business (Yang):
 potential loss vs. cost
 countermeasures vs. productivity
Security vocabulary - AAA
 Authentication: technologies used to determine the
authenticity of users, network nodes, and documents
 Authorization: who is allowed to do what?
 Accountability: is it possible to find out who performed
which operations?
• Strong authentication
(two-factor or multifactor)
• Something you know (password, PIN,…)
• Something you have (token,…)
• Something you are (fingerprint, …)
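The three A's and the "something you know / something you have" factors fit in a few dozen lines of working code. The following is an added example written for this page, not code from the original slides: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes (know), the second factor is a TOTP code as specified in RFC 6238 on top of HOTP (RFC 4226) (have), authorization is a role-to-permission table, and accountability is an append-only audit trail that records every attempt and its outcome. The role names, the permission table and the iteration count are assumptions of the example; the test secret `12345678901234567890` and the time 59 are the published RFC test vectors.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your hardware


# --- Something you know: password stored as a salted PBKDF2-HMAC-SHA256 hash ---
def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# --- Something you have: TOTP (RFC 6238) built on HOTP (RFC 4226), HMAC-SHA1, 30 s steps ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate token clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-window, window + 1))


class AccessControl:
    """Authentication (know + have), authorization (role table), accountability (audit trail)."""

    PERMISSIONS = {"admin": {"read", "write", "delete"},   # hypothetical roles
                   "clerk": {"read", "write"},
                   "auditor": {"read"}}

    def __init__(self):
        self.users = {}   # name -> (salt, digest, totp_secret, role)
        self.audit = []   # accountability: who tried what, when, and the outcome

    def add_user(self, name: str, password: str, totp_secret: bytes, role: str) -> None:
        salt, digest = hash_password(password)
        self.users[name] = (salt, digest, totp_secret, role)

    def _record(self, user: str, action: str, outcome: str, at: int) -> None:
        # Never log the password or the one-time code itself, only the outcome
        self.audit.append({"time": at, "user": user, "action": action, "outcome": outcome})

    def authenticate(self, name: str, password: str, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        record = self.users.get(name)
        if record is None:
            hash_password(password, b"\0" * 16)   # same cost for unknown users: no timing oracle
            self._record(name, "login", "denied (unknown user)", at)
            return False
        salt, digest, totp_secret, _ = record
        # Both factors are always evaluated so a wrong password does not short-circuit
        know = verify_password(password, salt, digest)
        have = verify_totp(totp_secret, code, at)
        ok = know and have
        self._record(name, "login", "ok" if ok else "denied", at)
        return ok

    def authorize(self, name: str, action: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        role = self.users[name][3] if name in self.users else None
        ok = action in self.PERMISSIONS.get(role, set())
        self._record(name, action, "ok" if ok else "denied", at)
        return ok
```

The drift window is the usual trade-off: accepting the neighbouring 30-second steps keeps users with a slow phone clock working, but it triples the number of codes an attacker can guess, so rate-limit login attempts as well. Note also that the audit trail only delivers accountability if the account is personal; a shared "admin" login makes the "who" column meaningless.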
The weakest link
SEC_RITY is not complete without U!
Countermeasures:
• Enforce a password policy on the
server
• Train personnel
• Use strong authentication
• …
The weakest link
Amateurs hack systems, professionals hack people!
Countermeasures:
• Implement security & access
policies
• Job rotation
• Encryption
• Employee awareness training
• Audit trail of all accesses to
documents
• ….
Hacking steps
Step               Countermeasures (short list)
1. Reconnaissance  Be careful with information
2. Network mapping Network IDS – block ICMP
3. Exploiting      System hardening
4. Keeping access  IDS – antivirus – rootkit scanners
5. Covering tracks
Reconnaissance (information gathering):
searching for interesting information on discussion groups/forums,
social networks, customer reference lists, Google hacks…
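Step 2 in the table is the one a network IDS can see directly: a host that pings many addresses or touches many ports in a short time is mapping the network. As an added example that is not part of the original slides, this is the core of such a detector run over constructed firewall log lines (the line format, the addresses from the documentation ranges, and the thresholds of 5 hosts / 10 ports in 60 seconds are all assumptions of the example, not something the deck specifies).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for the example:
# "<ISO time> <ALLOW|DROP> <ICMP|TCP|UDP> <src>[:port] -> <dst>[:port]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) (?P<proto>ICMP|TCP|UDP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything the parser does not understand."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_mapping(lines, window_s=60, sweep_hosts=5, scan_ports=10):
    """Flag a source as doing network mapping when, inside any window_s-second window,
    it pings at least sweep_hosts distinct hosts (ping sweep) or touches at least
    scan_ports distinct ports on one host (port scan). One alert per source."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most window_s seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            pinged = {e["dst"] for e in window if e["proto"] == "ICMP"}
            ports = defaultdict(set)
            for e in window:
                if e["dport"]:
                    ports[e["dst"]].add(e["dport"])
            if len(pinged) >= sweep_hosts:
                alerts.append({"src": src, "kind": "ping sweep", "count": len(pinged)})
                break
            scanned = [(host, len(p)) for host, p in ports.items() if len(p) >= scan_ports]
            if scanned:
                host, n = scanned[0]
                alerts.append({"src": src, "kind": "port scan", "target": host, "count": n})
                break
    return alerts


def sample_log():
    """Constructed firewall lines, not captured traffic; addresses are documentation ranges."""
    lines = []
    for i in range(6):                     # six hosts pinged in six seconds: ping sweep
        lines.append(f"2024-03-01T10:00:{i:02d} DROP ICMP 203.0.113.5 -> 10.0.0.{i + 1}")
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389]):
        lines.append(f"2024-03-01T10:01:{i:02d} DROP TCP 198.51.100.9:4{i:04d} -> 10.0.0.7:{port}")
    for i in range(6):                     # six hosts pinged two minutes apart: outside the window
        lines.append(f"2024-03-01T10:{5 + 2 * i:02d}:00 DROP ICMP 192.0.2.77 -> 10.0.0.{i + 1}")
    for i in range(4):                     # ordinary client traffic to the web server
        lines.append(f"2024-03-01T10:02:{10 * i:02d} ALLOW TCP 10.0.0.50:5{i:04d} -> 10.0.0.7:443")
    lines.append("garbage the parser must skip")
    return lines


def demo_alerts():
    return detect_mapping(sample_log())


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

The slow scanner (192.0.2.77) shows the limit of any fixed window: widen it and it is caught, keep it narrow and it is not, so thresholds are a tuning decision per network. On the "block ICMP" countermeasure itself: dropping echo requests hides hosts from a naive ping sweep, but a scanner simply falls back to TCP or ARP probes, and dropping all ICMP breaks path MTU discovery, so detection of this kind belongs next to the block rule rather than in place of it.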
Real life security sample
High security (war) zone
Illiterate (local) cleaning personnel
(Use opportunities!!!)
Physical security:
• Personnel clearance
• Physical control
• PC placement (shoulder surfing)
• Clean desk policy
• Shredder
• Lock screen policy
• Fiber to the PC
Logical security:
• VLANs
• Password policy
• …
Diagram: WWW and LAN systems kept physically apart, > 2 m between them. Tempest!!!
We learned….
 Security is CIA(+)
 Why: law, reputation, production continuity,…
 Approach: layered, technical & non-technical, support
from CEO, lots of communication
 Vocabulary: threat, damage, risk, (strong) authentication,
authorization, accountability
 Risk = threat * damage
 Security balance: loss vs. cost
& countermeasures vs. productivity
 The weakest link is personnel!
 A hacker starts with information gathering
Information security for dummies