Submit Search
Upload
Information Security Lesson 3 - Basics - Eric Vanderburg
•
Download as PPT, PDF
•
0 likes
•
497 views
Eric Vanderburg
Follow
Information Security Lesson 3 - Basics - Eric Vanderburg
Read less
Read more
Technology
Business
Report
Share
Report
Share
1 of 19
Download now
Recommended
IEC and cyber security (June 2018)
IEC and cyber security (June 2018)
International Electrotechnical Commission (IEC)
Pci Req
Pci Req
Namrata Arora
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
AVEVA
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
Jim Gilsinn
Protecting Infrastructure from Cyber Attacks
Protecting Infrastructure from Cyber Attacks
Maurice Dawson
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICS
Jim Gilsinn
Recommended
IEC and cyber security (June 2018)
IEC and cyber security (June 2018)
International Electrotechnical Commission (IEC)
Pci Req
Pci Req
Namrata Arora
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
AVEVA
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
Jim Gilsinn
Protecting Infrastructure from Cyber Attacks
Protecting Infrastructure from Cyber Attacks
Maurice Dawson
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICS
Jim Gilsinn
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
Eran Goldstein
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
Creekside Marketing Group, LLC
Secured Communication Infrastructure for Substation Automation
Secured Communication Infrastructure for Substation Automation
Nirmal Thaliyil
Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systems
Itex Solutions
Scada security presentation by Stephen Miller
Scada security presentation by Stephen Miller
AVEVA
Integrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of Standards
Jim Gilsinn
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
Shah Sheikh
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
Security Architecture
Security Architecture
Joben Domingo
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
North Texas Chapter of the ISSA
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
David Spinks
Track 5 session 1 - st dev con 2016 - need for security for iot
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Agence du Numérique (AdN)
Industrial Control Security USA Sacramento California Oct 13/14
Industrial Control Security USA Sacramento California Oct 13/14
James Nesbitt
Guide scada and_industrial_control_systems_security
Guide scada and_industrial_control_systems_security
Deepakraj Sahu
Contributing to the Development and Application of Cybersecurity Standards
Contributing to the Development and Application of Cybersecurity Standards
Yokogawa1
Securing Industrial Control Systems
Securing Industrial Control Systems
Eric Andresen
Open Platform for ICS Cybersecurity Research and Education
Open Platform for ICS Cybersecurity Research and Education
EnergySec
IoT/M2M Security
IoT/M2M Security
Yu-Hsin Hung
12 steps to_cloud_security
12 steps to_cloud_security
Wisecube AI
Information Security Lesson 13 - Advanced Security - Eric Vanderburg
Information Security Lesson 13 - Advanced Security - Eric Vanderburg
Eric Vanderburg
20-security.ppt
20-security.ppt
ajajkhan16
More Related Content
What's hot
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
Eran Goldstein
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
Creekside Marketing Group, LLC
Secured Communication Infrastructure for Substation Automation
Secured Communication Infrastructure for Substation Automation
Nirmal Thaliyil
Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systems
Itex Solutions
Scada security presentation by Stephen Miller
Scada security presentation by Stephen Miller
AVEVA
Integrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of Standards
Jim Gilsinn
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
Shah Sheikh
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
Security Architecture
Security Architecture
Joben Domingo
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
North Texas Chapter of the ISSA
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
David Spinks
Track 5 session 1 - st dev con 2016 - need for security for iot
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Agence du Numérique (AdN)
Industrial Control Security USA Sacramento California Oct 13/14
Industrial Control Security USA Sacramento California Oct 13/14
James Nesbitt
Guide scada and_industrial_control_systems_security
Guide scada and_industrial_control_systems_security
Deepakraj Sahu
Contributing to the Development and Application of Cybersecurity Standards
Contributing to the Development and Application of Cybersecurity Standards
Yokogawa1
Securing Industrial Control Systems
Securing Industrial Control Systems
Eric Andresen
Open Platform for ICS Cybersecurity Research and Education
Open Platform for ICS Cybersecurity Research and Education
EnergySec
IoT/M2M Security
IoT/M2M Security
Yu-Hsin Hung
12 steps to_cloud_security
12 steps to_cloud_security
Wisecube AI
What's hot
(20)
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
Secured Communication Infrastructure for Substation Automation
Secured Communication Infrastructure for Substation Automation
Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systems
Scada security presentation by Stephen Miller
Scada security presentation by Stephen Miller
Integrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of Standards
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Security Architecture
Security Architecture
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
Track 5 session 1 - st dev con 2016 - need for security for iot
Track 5 session 1 - st dev con 2016 - need for security for iot
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Industrial Control Security USA Sacramento California Oct 13/14
Industrial Control Security USA Sacramento California Oct 13/14
Guide scada and_industrial_control_systems_security
Guide scada and_industrial_control_systems_security
Contributing to the Development and Application of Cybersecurity Standards
Contributing to the Development and Application of Cybersecurity Standards
Securing Industrial Control Systems
Securing Industrial Control Systems
Open Platform for ICS Cybersecurity Research and Education
Open Platform for ICS Cybersecurity Research and Education
IoT/M2M Security
IoT/M2M Security
12 steps to_cloud_security
12 steps to_cloud_security
Similar to Information Security Lesson 3 - Basics - Eric Vanderburg
Information Security Lesson 13 - Advanced Security - Eric Vanderburg
Information Security Lesson 13 - Advanced Security - Eric Vanderburg
Eric Vanderburg
20-security.ppt
20-security.ppt
ajajkhan16
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric Vanderburg
Eric Vanderburg
Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
Eric Vanderburg
security in is.pptx
security in is.pptx
selvapriyabiher
ISBB_Chapter6.pptx
ISBB_Chapter6.pptx
AmanSoni665879
Information Security
Information Security
sonykhan3
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Inductive Automation
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Inductive Automation
Material best practices in network security using ethical hacking
Material best practices in network security using ethical hacking
Desmond Devendran
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
MarketingArrowECS_CZ
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
Precisely
Cisco Security Agent - Eric Vanderburg
Cisco Security Agent - Eric Vanderburg
Eric Vanderburg
Ccna sec 01
Ccna sec 01
EduclentMegasoftel
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
Precisely
IEC62443.pptx
IEC62443.pptx
233076
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
DEEPAK948083
Firewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Firewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Gopal Sakarkar
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
Chapter08
Chapter08
Muhammad Ahad
Similar to Information Security Lesson 3 - Basics - Eric Vanderburg
(20)
Information Security Lesson 13 - Advanced Security - Eric Vanderburg
Information Security Lesson 13 - Advanced Security - Eric Vanderburg
20-security.ppt
20-security.ppt
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric Vanderburg
Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
security in is.pptx
security in is.pptx
ISBB_Chapter6.pptx
ISBB_Chapter6.pptx
Information Security
Information Security
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Material best practices in network security using ethical hacking
Material best practices in network security using ethical hacking
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
Cisco Security Agent - Eric Vanderburg
Cisco Security Agent - Eric Vanderburg
Ccna sec 01
Ccna sec 01
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
IEC62443.pptx
IEC62443.pptx
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
Firewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Firewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Chapter08
Chapter08
More from Eric Vanderburg
GDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT Symposium
Eric Vanderburg
Modern Security the way Equifax Should Have
Modern Security the way Equifax Should Have
Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
Eric Vanderburg
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Eric Vanderburg
Mobile Forensics and Cybersecurity
Mobile Forensics and Cybersecurity
Eric Vanderburg
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
Eric Vanderburg
Ransomware: 2016's Greatest Malware Threat
Ransomware: 2016's Greatest Malware Threat
Eric Vanderburg
Emerging Technologies: Japan’s Position
Emerging Technologies: Japan’s Position
Eric Vanderburg
Principles of technology management
Principles of technology management
Eric Vanderburg
Japanese railway technology
Japanese railway technology
Eric Vanderburg
Evaluating japanese technological competitiveness
Evaluating japanese technological competitiveness
Eric Vanderburg
Japanese current and future technology management challenges
Japanese current and future technology management challenges
Eric Vanderburg
Technology management in Japan: Robotics
Technology management in Japan: Robotics
Eric Vanderburg
Incident response table top exercises
Incident response table top exercises
Eric Vanderburg
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
Eric Vanderburg
Cloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance Challenges
Eric Vanderburg
Hacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and Threats
Eric Vanderburg
Correct the most common web development security mistakes - Eric Vanderburg
Correct the most common web development security mistakes - Eric Vanderburg
Eric Vanderburg
Deconstructing website attacks - Eric Vanderburg
Deconstructing website attacks - Eric Vanderburg
Eric Vanderburg
Countering malware threats - Eric Vanderburg
Countering malware threats - Eric Vanderburg
Eric Vanderburg
More from Eric Vanderburg
(20)
GDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT Symposium
Modern Security the way Equifax Should Have
Modern Security the way Equifax Should Have
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Mobile Forensics and Cybersecurity
Mobile Forensics and Cybersecurity
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
Ransomware: 2016's Greatest Malware Threat
Ransomware: 2016's Greatest Malware Threat
Emerging Technologies: Japan’s Position
Emerging Technologies: Japan’s Position
Principles of technology management
Principles of technology management
Japanese railway technology
Japanese railway technology
Evaluating japanese technological competitiveness
Evaluating japanese technological competitiveness
Japanese current and future technology management challenges
Japanese current and future technology management challenges
Technology management in Japan: Robotics
Technology management in Japan: Robotics
Incident response table top exercises
Incident response table top exercises
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
Cloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance Challenges
Hacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and Threats
Correct the most common web development security mistakes - Eric Vanderburg
Correct the most common web development security mistakes - Eric Vanderburg
Deconstructing website attacks - Eric Vanderburg
Deconstructing website attacks - Eric Vanderburg
Countering malware threats - Eric Vanderburg
Countering malware threats - Eric Vanderburg
Recently uploaded
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
Mark Billinghurst
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
Padma Pradeep
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
Rizwan Syed
Training state-of-the-art general text embedding
Training state-of-the-art general text embedding
Zilliz
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
ScyllaDB
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Patryk Bandurski
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
Fwdays
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
NavinnSomaal
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
Manik S Magar
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
Fwdays
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
Dubai Multi Commodity Centre
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
charlottematthew16
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
Stephanie Beckett
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
hariprasad279825
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Alex Barbosa Coqueiro
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
UiPathCommunity
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Enterprise Knowledge
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
Alfredo García Lavilla
Recently uploaded
(20)
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
Training state-of-the-art general text embedding
Training state-of-the-art general text embedding
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
Information Security Lesson 3 - Basics - Eric Vanderburg
1.
Information Security Chapter 3 Security
Basics Information Security © 2006 Eric Vanderburg
2.
• Approaches – Bottom-up –
Top-down • Human firewall – a security conscious individual. – Uses strong passwords – Hygienic – Watches for suspicious activity – Aware of changes to their computer Information Security © 2006 Eric Vanderburg
3.
Layering • Many defense
mechanisms are in place surrounding an asset – – – – – – – – Edge firewall Host firewall Intrusion detection system File permissions Required usernames and passwords Segmented network Audit trails Honeypots • Layers should be coordinated so they do not negatively impact one another when implemented Information Security © 2006 Eric Vanderburg
4.
Limiting • You should
only have access to what you need for your role. • Subject – person or a computer program • Object – computer or database • Proper division of duties Information Security © 2006 Eric Vanderburg
5.
Diversity • Layers of
similar security mechanisms are easy to conquer because the same strategy can be used on each. • A breach in one area does not compromise the entire system. Information Security © 2006 Eric Vanderburg
6.
Obscurity • • • • Practices should be
secret Source code should be protected Keep usernames secret Train employees not to reveal information Information Security © 2006 Eric Vanderburg
7.
Simplicity • Simple from
the inside, complex from the outside. – Well structured design – Trained employees – Documented Information Security © 2006 Eric Vanderburg
8.
Authentication • • • • • Proving you are
who you say you are What you know (password, pin, personal info) What you have (card, token, RFID) What you are (biometrics) Username and password – simplest and most common – SSO (Single Sign On) – reduce number of logons because one username/password can be used for all systems and associated databases and logon is transparent once a user logs on to their client system. Information Security © 2006 Eric Vanderburg
9.
Authentication • Token – Magnetic
strip card – RFID card – Number sequencer • Biometrics – – – – – – – Fingerprint Facial scan Retina / Iris scan Hand print Voice Pheromones Blood • Biometrics is expensive, time consuming, error prone, and hard to use. Information Security © 2006 Eric Vanderburg
10.
Authentication • Certificates – Binds
a person to a key – Personal info is provided to obtain the cert – Provided by a trusted CA (Certification Authority) – Encrypted with CA private key for validity and hashed for integrity – Usage will be specified in the certificate – Certificates expire and must be renewed – CTL (Certificate Trust List) – CRL (Certificate Revocation List) Information Security © 2006 Eric Vanderburg
11.
Authentication • Kerberos – Developed
at MIT – AS (Authentication Server) – gives out TGT (Ticket Granting Ticket) and resides on the KDC (Key Distribution Center) – Present the TGT to a TGS (Ticket Granting Service) to receive a service ticket for a resource. – Everything is time stamped Information Security © 2006 Eric Vanderburg
12.
Authentication • CHAP (Challenge
Handshake Authentication Protocol) – Server sends a challenge (piece of data) – Client runs an algorithm using a shared secret on the data and returns it. – The server runs the same algorithm to see if the client knows the shared secret • Mutual Authentication – Client authenticates to server – Server authenticates to client – Helps protect against Man in the middle attacks and hijacking – MSCHAP v2 Information Security © 2006 Eric Vanderburg
13.
Authentication • Multifactor authentication –
Have more than one form of authentication as described before. • What you know • What you have • What you are Information Security © 2006 Eric Vanderburg
14.
Access Control • Controlled
by the OS • ACL (Access Control List) – For each file – Can be configured on network access devices • ACE( Access Control Entry) – row in the ACL with a user and associated permission Information Security © 2006 Eric Vanderburg
15.
Permissions • • • • • • Full Control Modify Read List folder
contents Read & Execute (folder contents & read) Write (Create files and folders) Information Security © 2006 Eric Vanderburg
16.
Access Control • MAC
(Mandatory Access Control) – permissions are rights are specified and cannot be changed. • DAC (Discretionary Access Control) – users can assign permissions as they see fit. • RBAC (Role Based Access Control) – Roles are given permissions and users inherit those permissions by belonging to a role. Groups should mirror a role or functions of a role. Information Security © 2006 Eric Vanderburg
17.
Auditing • Logging –
event viewer (Windows) • System Scanning – Checks to make sure a user does not exceed their permissions Information Security © 2006 Eric Vanderburg
18.
Acronyms • • • • • • • • • ACE, Access Control
Entry AS, Authentication Server CA, Certification Authority CHAP, Challenge Handshake Authentication Protocol CISO, Chief Information Security Officer DAC, Discretionary Access Control MAC, Mandatory Access Control RBAC, Role Based Access Control SSO, Single Sign On Information Security © 2006 Eric Vanderburg
19.
Acronyms • KDC, Key
Distribution Center • TGT, Ticket Granting Ticket • TGS, Ticket Granting Service Information Security © 2006 Eric Vanderburg
Download now