FOUNDATION IN CYBER SECURITY
with Leo Lourdes
THE OBJECTIVE
To prevent or mitigate harm to, or destruction of, computer networks, applications, devices, and data.
Trainer Profile
LEO LOURDES
(MBA IT Management, BoM Hons. HRM)
Implementer of ISO 20000-1:2011
Certified in COBIT® 5
Certified in ISO 9001 Auditor (PECB)
Certified in PRINCE2® in Project Management
Certified in ITIL® Practitioner
Certified in ITIL® Intermediate Certificate in IT Service Operation
Certified in ITIL Information Security based on ISO/IEC 27002
Certified in ITIL for Cloud Computing
Certified in ITIL IT Service Management
Certified in Coaching and Calibration Skills for Call Center
Certified in Delivering Learning / Teaching by City & Guilds, United Kingdom
wecare@thinkleosolutions.com
+6016-349 1793
Experience:
Management Representative (MR) ISO 20000-1: 2011
IT Service Management (Incident, Problem, Change) Manager
Security, Compliance & Risk Management
Senior CRM Delivery Analyst
Certified Trainer
Certified IT Auditor & Consultant
CYBER SECURITY AWARENESS : DAY 1
• The CIA Triad
• Security Governance
• Risk Management
• Cyber Threats
CIA Triad
The three security properties every control serves: Confidentiality, Integrity, and Availability.
Confidentiality Terms
Sensitivity: The level of damage or harm that could occur if the asset is revealed or disclosed.
Discretion: The ability of a person to control the level of access to, or disclosure of, an asset.
Criticality: The level of importance of an asset to the mission or objective.
Concealment: The act of hiding or preventing disclosure of an asset.
Secrecy: The practice of preventing or limiting information disclosure.
Privacy: The protection of confidential or personal information.
Seclusion: The act of storing something in a location that is out of the way, and thus not easily observed or found.
Isolation: The act of keeping something separate from other things that are similar in nature.
Integrity Terms
Accuracy: The degree to which the data is correct and precise.
Truthfulness: The quality of a source of information being factual and realistic.
Validity: The quality of an asset being factually or logically sound.
Authenticity: The quality of an asset being genuine.
Accountability: The condition of a person or entity being held responsible for their actions.
Responsibility: The obligation of a person or entity to take ownership of their actions.
Completeness: The quality of an asset that has all its necessary parts or components.
Comprehensiveness: The quality of an asset being complete in scope, and fully inclusive of all relevant elements.
Availability Terms
Usability: The degree to which an asset can be easily learned, understood, utilized, or controlled by a subject.
Accessibility: The assurance that an asset can, under the widest range of circumstances, be used by a subject, regardless of their capabilities or limitations.
Timeliness: The quality of an asset, particularly information, being prompt and available within a reasonable time frame, and with low latency.
Common Security Terms
Asset: Anything of value that could be compromised, stolen, or harmed, including information, systems, personnel, physical resources, and reputation.
Threat: Any event or action that could potentially cause damage to an asset or an interruption of services.
Threat actor: A person, group, or other entity that could potentially attack, damage, or otherwise compromise a system or resource.
Vulnerability: A condition that leaves the system and its assets open to harm, including software bugs, insecure passwords, inadequate physical security, poorly designed networks, or insufficient user training and awareness.
Exploit: A technique that takes advantage of a vulnerability to perform an attack.
Risk: The likelihood that a threat exploits a vulnerability, combined with the potential damage to assets.
Control: A countermeasure that you put in place to avoid, mitigate, or counteract security risks due to threats or attacks; also known as a safeguard.
Attack: The active attempt by a threat actor to break into and exploit a vulnerable system, data, or other resource.
Breach: The result of a successful attack. Can include theft, destruction, or loss of availability of data, a system, or other resources.
Exposure: The extent to which an asset is susceptible to loss from a given threat. In quantitative risk analysis it is stated as an exposure factor, the percentage of the asset's value lost in a single occurrence.
Social engineering: The practice of using deception and trickery against human beings as a method of attack.
Defense in depth: The practice of providing security in multiple layers for more comprehensive protection against attack.
Security Governance
• Methods of exercising control and management over an organization.
• Seeks to mitigate security risk.
• Turns a reactive security culture into a proactive one.
• Supports business objectives by minimizing cost and disruption.
• A major objective is compliance: assurance that the organization operates within regulatory requirements.
Governance Requirements
• Strategic alignment of information security with business strategies to support organizational objectives.
• Risk management by mitigating risk and reducing the potential impact on resources.
• Resource management by use of information security knowledge and infrastructure.
• Performance measurement by evaluating, monitoring, and reporting information security governance metrics to achieve objectives.
• Value delivery by optimizing information security investments that support organizational objectives.
Security Goal Categories
Strategic
• Align with business and information technology goals.
• Long horizon (3-5 years or more).
• Example: establish security policies and ensure all users understand their responsibilities.
Tactical
• Provide the broad initiatives necessary to support the goals of the strategic plan.
• May consist of multiple projects.
• Usually a 6-18 month time period.
• Example: implement disaster recovery programs and customer relationship management.
Operational
• Specific short-term goals.
• Put the tactical plan into practice.
• Ensure that individual projects are completed with milestones.
• Example: perform project-wise risk assessment and development of security policies.
Privacy Issues
• Personally identifiable information (PII) is information that could be used to identify an individual.
• Only a few pieces of information can expose a person’s identity.
• Criminals can use PII for extortion, fraud, or shaming.
• Ex:
• Names
• Social Security numbers
• Addresses
• Personal characteristics
• PII, once exposed, may not be “recoverable”.
Data Breach
• An incident that results in the release or potential exposure of secure information.
• Can be a true test of legal compliance.
• If the organization has exercised due care to comply with the law, the breach's effects may be mitigated and severe legal penalties avoided.
• Especially a concern under privacy laws, as many breaches expose customer PII.
• Consequences of compliance failure are magnified by a breach.
• Most laws require timely notification in the event of a breach.
Industry Standards
PCI DSS
• Specifies how organizations handle information security for the major card brands.
• Compliance is validated on an annual basis.
• Organizations or merchants that accept, transmit, or store cardholder data from these brands must comply.
NIST SP 800 series
• Various publications establish computer security standards, including:
• SP 800-12: An Introduction to Computer Security: The NIST Handbook
• SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
• SP 800-33: Underlying Technical Models for Information Technology Security
• SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
COBIT 5
Standards for IT management and governance, promoting five principles:
• Meeting stakeholder needs.
• Covering the enterprise end-to-end.
• Applying a single, integrated framework.
• Enabling a holistic approach.
• Separating governance from management.
ISO/IEC 27001
Specifies the requirements for an information security management system (ISMS). Its Annex A control set includes, for information security incident management:
• Responsibilities and procedures.
• Reporting information security events.
• Reporting information security weaknesses.
• Assessment of and decision on information security events.
• Response to information security incidents.
• Learning from information security incidents.
• Collection of evidence.
The Purpose of Ethics
• The organization's principles, proper conduct, and system of moral values.
• A code of ethics helps professionals cooperate and pursue common goals.
• The code can guard against competitive pressures to act unscrupulously.
• Provides a guide to what other professionals will do.
Organizational Ethics
• Organizations often document ethical expectations.
• They may also be bound by ethics outlined in laws and standards.
• Ethical codes can also minimize risk.
• Employees with a track record of ethical behavior help the organization avoid harm.
• Organizations are also responsible for acting ethically toward their employees, customers, and other stakeholders.
The Value of Security Documentation
• Lack of documentation creates organizational chaos.
• Documentation provides a framework for people to work together in achieving organizational goals.
• Security documentation can also act as a road map to governance.
Security Document Types
Policy: High-level statement of management intentions. Contains purpose, scope, and the compliance expected of every employee.
Example: Information security will ensure the protection of information by implementing security best practices.
Standard: Required implementation or use of tools.
Example: The corporation must implement 802.1X security for all wireless networks.
Guideline: Recommended or suggested action or best practice.
Example: When travelling with laptops, users should take safety precautions to prevent laptop theft, damage, or data loss.
Procedure: Step-by-step description of how to implement a system or process.
Example: To implement Secure Shell (SSH) on the router, enter enable mode and then enter the appropriate commands for the router.
Baseline: Minimum security required for a system or process.
Example: Trivial File Transfer Protocol (TFTP) must be disabled on all servers except those specifically used for the TFTP service.
Security Policy Objectives
• Objectives that security policies can fulfill:
• Inform employees about their security-related duties and responsibilities.
• Define an organization's security goals.
• Outline a computer system's security requirements.
• Objectives depend on the organization's specific requirements.
• Policies should be long enough to explain but short enough to be understood.
• All employees should have access to the policy.
What Is Risk?
• Building damage
• Data loss
• Loss of productivity
• Loss of life
• Loss of equipment
• Access to a system by a malicious individual
Integrating Governance, Compliance, and Risk Management
Risk management is a continuous cycle: risk analysis, prioritization, response, and monitoring, with monitoring feeding back into the next round of analysis.
The Risk Analysis Process
Asset identification and valuation: Identifying the assets that require protection and determining their value, including data, data systems, buildings, and employees.
Vulnerability identification: Identifying vulnerabilities so the analyst can confirm where problems exist.
Threat assessment: Determining what threats may exploit the identified vulnerabilities.
Risk assessment: Assessing the probability that threats will exploit vulnerabilities. Can be quantitative (numbers-based) or qualitative (words-based).
Financial impact evaluation: Once probabilities are determined, evaluating the potential financial impact of the risks.
Asset Identification
• Comprehensively identify all assets in the organization.
• Waiting until it's too late makes it harder to recover an asset.
• If you don't identify an asset, you may not even know when it's compromised.
• Describe assets in terms of:
• Basic characteristics.
• Value to the company.
• Use on a daily basis.
• Replaceability.
Asset Valuation
• What effort was required to develop or obtain it?
• What does it cost to maintain and protect it?
• How much operational functionality will we lose if the asset is misplaced or damaged?
• What would it cost to replace it?
• What might adversaries pay for it?
• What liability penalties might occur if the asset is compromised?
Asset Valuation Methods
Asset management system: Contains a detailed record of corporate property and similar assets, including facilities, furniture, computers, and other real property.
Accounting system: Contains additional financial information about assets, such as the expensed cost of developing software packages.
Insurance valuation: A good source of asset valuation because of the insurer's rigorous analysis of the risk of loss.
Qualitative valuation: Narrative descriptions capture expert judgement about asset value.
Areas of Vulnerability
Physical structure: Window accessibility in a room where secure information is stored can expose vulnerabilities and create a venue for sudden intrusion threats.
Electrical: Failure of a vulnerable electrical feed can threaten system data.
Software: Worms, viruses, and Trojans threaten systems.
Network: Unencrypted data on the network is vulnerable to interception and exploitation.
Personnel: Key trained personnel must be available to deal with critical events, or the whole organization becomes vulnerable.
Hardware: Losses due to theft and physical damage generate replacement costs and lost productivity.
Documentation: If poorly written, can cause confusion and impair decision making. The organization must also protect the integrity and confidentiality of sensitive documentation.
Process: Outdated or inefficient processes can impair business operations; poor security processes weaken defenses and increase risk.
Identify Threats
Natural disasters
• Earthquakes
• Wildfires
• Flooding
• Excessive snowfall
• Tsunamis
• Hurricanes
• Tornadoes
• Landslides
Man-made disasters
Intentional:
• Arson
• Terrorist attacks
• Political unrest
• Break-ins
• Theft of equipment and/or data
• Equipment damage
• File destruction
• Information disclosure
Unintentional:
• Employee mistakes
• Power outages
• Excessive employee illnesses or epidemics
• Information disclosure
Risk Assessment Methodologies
• CRAMM (CCTA Risk Analysis and Management Method)
• Failure Modes and Effects Analysis (FMEA)
• FRAP (Facilitated Risk Analysis Process)
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
• Security Officers Management and Analysis Project (SOMAP)
Risk Assessment Determination Factors
• Likelihood: How likely is it that the threat occurs?
• Impact: What kind of damage will the threat cause?
Residual Risk
• Risk that remains even after controls are in place.
• You can't account for every risk, no matter how hard you try.
• Some risks are not worth the cost of the countermeasure.
• Identifying residual risk helps you assess the effectiveness of your controls.
• Residual risk is accepted by management; a solid disaster recovery plan limits the damage if an accepted risk materializes.
• The controls gap is the amount of risk that the countermeasures do not cover, expressed as a percentage; it corresponds to the residual risk.
Controls gap = total risk - risk removed by countermeasures
Inherent risk, reduced by the controls in place, leaves residual risk.
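The following is an added example, not part of the deck, that works the risk assessment factors and the residual risk slides through in code: a small risk register scored qualitatively (likelihood x impact on a 5x5 matrix) and quantitatively (single loss expectancy, annualized loss expectancy), the residual risk and controls gap left by a proposed countermeasure, and a cost/benefit decision on whether that countermeasure is worth its price. The asset names, the figures, the scale labels and the rating thresholds are all constructed for illustration.

```python
"""Worked risk register: qualitative score, quantitative ALE, residual risk, controls gap.

Added example for the slides above; every figure below is constructed, not real data.
"""
from dataclasses import dataclass

# Qualitative 5x5 scales. The labels and the rating thresholds are assumptions of this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str          # key of LIKELIHOOD
    impact: str              # key of IMPACT
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost in one occurrence (0..1)
    aro: float               # ARO, expected occurrences per year
    control_cost: float      # annual cost of the proposed countermeasure
    control_effect: float    # fraction of the ALE the countermeasure removes (0..1)

    def qualitative_score(self) -> int:
        """Likelihood x impact on the 5x5 matrix (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        score = self.qualitative_score()
        if score >= 15:
            return "high"
        if score >= 8:
            return "medium"
        return "low"

    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized loss expectancy, i.e. total risk in currency per year: SLE x ARO."""
        return round(self.sle() * self.aro, 2)

    def residual_ale(self) -> float:
        """Risk left after the countermeasure: total risk minus what the control removes."""
        return round(self.ale() * (1.0 - self.control_effect), 2)

    def controls_gap(self) -> float:
        """Share of total risk the countermeasure does not cover (0..1); 0 when there is no risk."""
        total = self.ale()
        return 0.0 if total == 0 else round(self.residual_ale() / total, 3)

    def control_value(self) -> float:
        """Cost/benefit: risk removed per year minus the control's annual cost."""
        return round(self.ale() - self.residual_ale() - self.control_cost, 2)

    def treatment(self) -> str:
        """Mitigate when the control pays for itself; otherwise accept (or transfer) the risk."""
        return "mitigate" if self.control_value() > 0 else "accept"


def build_register() -> list:
    """Constructed sample register (illustrative figures only)."""
    return [
        Risk("customer database", "ransomware", "likely", "major",
             asset_value=500_000, exposure_factor=0.4, aro=0.5,
             control_cost=30_000, control_effect=0.7),
        Risk("public web server", "volumetric DDoS", "almost certain", "minor",
             asset_value=200_000, exposure_factor=0.1, aro=2.0,
             control_cost=25_000, control_effect=0.5),
        Risk("head office", "fire", "rare", "severe",
             asset_value=1_000_000, exposure_factor=0.8, aro=0.02,
             control_cost=5_000, control_effect=0.6),
    ]


def prioritize(register: list) -> list:
    """Order by qualitative score, then by ALE, highest first; returns the asset names."""
    ranked = sorted(register, key=lambda r: (r.qualitative_score(), r.ale()), reverse=True)
    return [r.asset for r in ranked]


def summarize(risk: Risk) -> dict:
    """One register row with every derived figure, for reporting."""
    return {
        "asset": risk.asset, "rating": risk.rating(), "sle": risk.sle(), "ale": risk.ale(),
        "residual_ale": risk.residual_ale(), "controls_gap": risk.controls_gap(),
        "control_value": risk.control_value(), "treatment": risk.treatment(),
    }


if __name__ == "__main__":
    register = build_register()
    print("priority order:", prioritize(register))
    for r in register:
        print(summarize(r))
```

The DDoS row is the case the slide calls out: the countermeasure would cost more per year than the risk it removes, so the sensible treatment is to accept or transfer that risk rather than mitigate it, and its residual ALE is what management signs off on.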
Monitoring and Measuring
• Not just simple pass/fail results or generating paperwork for an audit.
• A well-executed assessment determines the validity and effectiveness of controls.
• Can expose strengths and weaknesses of current systems.
• Helps identify a plan for correcting weaknesses.
Continuous Improvement
• Ongoing effort to optimize policies and processes.
• A function of risk management.
• Includes best practices:
• Continuously seek to discover new vulnerabilities.
• Be context aware in your risk analysis.
• Prioritize your efforts on the vulnerabilities that actually pose a significant risk.
• Determine patchability.
Threat Types
Phishing and social engineering
• Attackers use psychological tactics to manipulate victims into disclosing information or performing an action that they shouldn't.
• Phishing is the most common form.
• Uses email with malicious attachments or links.
Insider threat
• Disgruntled employees and others with internal access.
• They use their access privileges or knowledge to steal data or damage systems.
• Can also be accidental or unintentional.
Malware
• Any software intended to damage a computer system.
• Can be distributed through email, websites, file sharing, social media, even legitimately published software.
• Includes viruses, worms, Trojans, keyloggers, rootkits, bootkits, ransomware, spyware, etc.
Session hijacking / man-in-the-middle
• The attacker takes over, or interposes on, a legitimate network connection, often after the user has authenticated.
Denial of service
• Any attack that consumes computer or network resources so the system cannot service legitimate client requests.
• Can be conducted against: network bandwidth, CPU, RAM, disk space, or the maximum allowed connections.
Unauthorized network access
• Deliberate or accidental.
• Normal security controls are bypassed.
Injection and cross-site attacks
• Attacker-supplied input is interpreted as code or commands, either by the server (command and SQL injection) or by a victim's browser (XSS, CSRF/XSRF).
• Example: a classic cross-site scripting test vector from the well-known XSS filter-evasion cheat sheets:
• <IMG SRC=javascript:alert("XSS")>
• Encoded variant, meant to slip past filters that look for literal quotes (the browser decodes &quot; inside the attribute value): <IMG SRC=javascript:alert(&quot;XSS&quot;)>
• Modern browsers do not run javascript: URLs in an IMG SRC, so this vector demonstrates the pattern (untrusted input landing in HTML unencoded) rather than a working exploit against current browsers.
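As an added example (not from the deck, and not a claim about any particular product), the script below shows what the injection slide is getting at: the same page fragment rendered three ways, with untrusted input concatenated straight in, with a naive quote-stripping blocklist, and with proper HTML output encoding. The page template, the third payload and the helper names are constructed; the first two payloads are the IMG vectors quoted on the slide. It also shows why the entity-encoded variant defeats a quote filter: the HTML parser decodes &quot; back to a quote before the attribute value is used.

```python
"""Reflected XSS: vulnerable concatenation, a quote-stripping blocklist, and output encoding.

Added example, not from the deck. The page template and payload list are constructed;
the first two payloads are the IMG vectors quoted on the slide.
"""
import html
import re

# Constructed payloads. The second one carries its quotes as entities so a filter
# looking for a literal " does not see them; the browser decodes them in the attribute.
PAYLOADS = [
    '<IMG SRC=javascript:alert("XSS")>',
    '<IMG SRC=javascript:alert(&quot;XSS&quot;)>',
    '"><script>alert(1)</script>',
]

TEMPLATE_TAGS = ("<p>", "</p>")          # the only tags the template itself emits
TAG_OPENER = re.compile(r"<\s*/?[A-Za-z]")  # start of any HTML tag


def render_vulnerable(name: str) -> str:
    """'Before': untrusted input concatenated straight into the HTML body."""
    return f"<p>Hello {name}</p>"


def render_blocklist(name: str) -> str:
    """A naive fix that only strips double quotes; the tag itself still goes through."""
    cleaned = name.replace('"', "")
    return f"<p>Hello {cleaned}</p>"


def render_escaped(name: str) -> str:
    """'After': HTML-encode for the text/attribute context (&, <, >, both quote kinds)."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def browser_sees(attribute_value: str) -> str:
    """What the HTML parser hands to an attribute after entity decoding."""
    return html.unescape(attribute_value)


def introduces_markup(rendered: str) -> bool:
    """True if the output contains any tag beyond the template's own <p>...</p>."""
    body = rendered
    for tag in TEMPLATE_TAGS:
        body = body.replace(tag, "", 1)
    return TAG_OPENER.search(body) is not None


def audit(renderer) -> dict:
    """Map each payload to whether the given renderer let it introduce markup."""
    return {payload: introduces_markup(renderer(payload)) for payload in PAYLOADS}


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_vulnerable),
                      ("blocklist", render_blocklist),
                      ("escaped", render_escaped)):
        print(label, audit(fn))
    # The blocklist never saw a quote, but the browser reconstructs one:
    print(browser_sees("alert(&quot;XSS&quot;)"))
```

The practical lesson is the one the remediation slide lists under "fix vulnerable code": encode for the output context at the point where untrusted data is written into the page, rather than trying to enumerate bad characters on the way in.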
Threat Remediation
• Basic categories of remediation:
• Good security policy and management commitment to security.
• Fix vulnerable code.
• Properly configure systems.
• Change business processes.
• Improve the security culture through training and awareness.
• Effective threat remediation involves all personnel working together: implementing technical controls and managing good business processes.
• The various security departments should coordinate their remediation efforts.
• Remediation policy should reflect the organization's risk tolerance.
• Strategies and controls should be evaluated consistently for their effectiveness.
END

This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Pooja Bhuva
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxCeline George
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 

Último (20)

Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 

Dancyrityshy 1foundatioieh

  • 2. CYBER SECURITY THE OBJECTIVE To prevent or mitigate harm to or destruction of Computer Networks, Applications, Devices, and Data.
  • 3. Trainer Profile LEO LOURDES (MBA IT Management, BoM Hons. HRM) Implementer of ISO 20000-1:2011 Certified in COBIT® 5 Certified in ISO 9001 Auditor (PECB) Certified in PRINCE2® in Project Management Certified in ITIL® Practitioner Certified in ITIL® Intermediate Certificate in IT Service Operation Certified in ITIL Information Security based on ISO/IEC 27002 Certified in ITIL for Cloud Computing Certified in ITIL IT Service Management Certified in Coaching and Calibration Skills for Call Center Certified in Delivering Learning / Teaching by City & Guilds, United Kingdom wecare@thinkleosolutions.com ++6016-349 1793 Experience: Management Representative (MR) ISO 20000-1: 2011 IT Service Management (Incident, Problem, Change) Manager Security, Compliance & Risk Management Senior CRM Delivery Analyst Certified Trainer Certified IT Auditor & Consultant
  • 4. • The CIA Triad • Security Governance • Risk Management • Cyber Threats CYBER SECURITY AWARENESS : DAY 1
  • 6. Confidentiality Terms Term Definition Sensitivity The level of damage or harm that could occur if the asset is revealed or disclosed. Discretion The ability for a person to control the level of access to, or disclosure of, an asset. Criticality The level of importance of an asset to the mission or objective. Concealment The act of hiding or preventing disclosure of an asset. Secrecy The practice of preventing or limiting information disclosure. Privacy The protection of confidential or personal information. Seclusion The act of storing something in a location that is out of the way, and thus not easily observed or found. Isolation The act of keeping something separate from other things that are similar in nature.
Integrity Terms

Accuracy: The degree to which the data is correct and precise.
Truthfulness: The quality of a source of information being factual and realistic.
Validity: The quality of an asset being factually or logically sound.
Authenticity: The quality of an asset being genuine.
Accountability: The condition of a person or entity being held responsible for their actions.
Responsibility: The obligation of a person or entity to take ownership of their actions.
Completeness: The quality of an asset that has all its necessary parts or components.
Comprehensiveness: The quality of an asset being complete in scope, and fully inclusive of all relevant elements.
Availability Terms

Usability: The degree to which an asset can be easily learned, understood, utilized, or controlled by a subject.
Accessibility: The assurance that an asset can, under the widest range of circumstances, be used by a subject, regardless of their capabilities or limitations.
Timeliness: The quality of an asset, particularly information, being prompt and available within a reasonable time frame, and with low latency.
Common Security Terms

Asset: Anything of value that could be compromised, stolen, or harmed, including information, systems, personnel, physical resources, and reputation.
Threat: Any event or action that could potentially cause damage to an asset or an interruption of services.
Threat actor: A person, group, or other entity that could potentially attack, damage, or otherwise compromise a system or resource.
Vulnerability: A condition that leaves the system and its assets open to harm, including software bugs, insecure passwords, inadequate physical security, poorly designed networks, or insufficient user training and awareness.
Exploit: A technique that takes advantage of a vulnerability to perform an attack.
Risk: The likelihood of a threat occurring, as well as its potential damage to assets.
Control: A countermeasure put in place to avoid, mitigate, or counteract security risks due to threats or attacks; also known as a safeguard.
Attack: The active attempt by a threat actor to break into and exploit a vulnerable system, data, or other resource.
Breach: The result of a successful attack; can include theft, destruction, or loss of availability of data, a system, or other resources.
Exposure: The degree, usually expressed as a percentage, to which a resource is at direct risk of attack.
Social engineering: The practice of using deception and trickery against human beings as a method of attack.
Defense in depth: The practice of providing security in multiple layers for more comprehensive protection against attack.
Security Governance

• Methods of exercising control and management over an organization.
• Seeks to mitigate security risk.
• Turns a reactive security culture into a proactive one.
• Supports business objectives by minimizing cost and disruption.
• A major objective is compliance: assurance that the organization operates within regulatory requirements.
Governance Requirements

• Strategic alignment of information security with business strategies to support organizational objectives.
• Risk management through risk mitigation and reducing the potential impact on resources.
• Resource management through the use of information security knowledge and infrastructures.
• Performance measurement by evaluating, monitoring, and reporting information security governance metrics to achieve objectives.
• Value delivery by optimizing the information security investments that support organizational objectives.
Security Goal Categories

Strategic:
• Align with business and information technology goals.
• Long horizon (3-5 years or more).
• Example: establish security policies and ensure all users understand their responsibilities.

Tactical:
• Provide the broad initiatives necessary to support the goals of the strategic plan.
• May consist of multiple projects.
• Usually a 6-18 month time period.
• Example: implement disaster recovery programs and customer relationship management.

Operational:
• Specific short-term goals.
• Put the tactical plan into practice.
• Ensure that individual projects are completed with milestones.
• Example: perform per-project risk assessments and develop security policies.
Privacy Issues

• Personally identifiable information (PII) is information that could be used to identify an individual.
• Only a few pieces of information can expose a person's identity.
• Criminals can use PII for extortion, fraud, or shaming.
• Examples: names, Social Security numbers, addresses, personal characteristics.
• PII, once exposed, may not be "recoverable": most of it cannot simply be changed the way a password can.
Data Breach

• An incident that results in the release or potential exposure of secure information.
• Can be a true test of legal compliance.
• If the organization has exercised due care to comply with laws, the breach's effects may be mitigated and severe legal penalties avoided.
• Especially a concern under privacy laws, as many breaches expose customer PII.
• Consequences for compliance failure are magnified under a breach.
• Most laws require timely notification in the event of a breach.
Industry Standards

PCI DSS
• Specifies how cardholder data for the major card brands must be protected.
• Compliance is validated on an annual basis.
• Any organization or merchant that accepts, transmits, or stores cardholder data from these brands must comply.

NIST SP 800 series
• Publications that establish computer security standards and guidance, including:
  • SP 800-12: An Introduction to Computer Security: The NIST Handbook
  • SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
  • SP 800-33: Underlying Technical Models for Information Technology Security
  • SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

COBIT 5
• Framework for IT management and governance, built on five principles:
  • Meeting stakeholder needs.
  • Covering the enterprise end-to-end.
  • Applying a single, integrated framework.
  • Enabling a holistic approach.
  • Separating governance from management.

ISO/IEC 27001
• Specifies an information security management system (ISMS); the incident management controls it includes cover:
  • Responsibilities and procedures.
  • Reporting information security events.
  • Reporting information security weaknesses.
  • Assessment of and decision on information security events.
  • Response to information security incidents.
  • Learning from information security incidents.
  • Collection of evidence.
The Purpose of Ethics

• The organization's principles, proper conduct, and system of moral values.
• A code of ethics helps professionals cooperate and pursue common goals.
• A code can guard against competitive pressures to act unscrupulously.
• Provides a guide to what other professionals will do.
Organizational Ethics

• Organizations often document ethical expectations.
• They may also be bound by ethics outlined in laws and standards.
• Ethical codes can also minimize risk: employees with a track record of ethical behavior help the organization avoid harm.
• Organizations are also responsible for acting ethically toward their employees, customers, and other stakeholders.
The Value of Security Documentation

• Lack of documentation creates organizational chaos.
• Documentation provides a framework for people to work together in achieving organizational goals.
• Security documentation can also act as a road map to governance.
Security Document Types

Policy: High-level statement of management intentions. Contains the purpose, scope, and compliance expected of every employee.
  Example: Information security will ensure the protection of information by implementing security best practices.
Standard: Required implementation or use of tools.
  Example: The corporation must implement 802.1X security for all wireless networks.
Guideline: Recommended or suggested action or best practice.
  Example: When travelling with laptops, users should take safety precautions to prevent laptop theft, damage, or data loss.
Procedure: Step-by-step description of how to implement a system or process.
  Example: To implement Secure Shell (SSH) on the router, enter enable mode and then enter the appropriate commands for the router.
Baseline: Minimum security required for a system or process.
  Example: Trivial File Transfer Protocol (TFTP) must be disabled on all servers except those specifically used for the TFTP service.
Security Policy Objectives

• Objectives that security policies can fulfill:
  • Inform employees about their security-related duties and responsibilities.
  • Define an organization's security goals.
  • Outline a computer system's security requirements.
• Objectives depend on the organization's specific requirements.
• Policies should be long enough to explain but short enough to be understood.
• All employees should have access to the policy.
What Is Risk?

Risk is the likelihood of a threat occurring together with its potential damage to assets. Examples of the harm at stake:
• Building damage
• Data loss
• Loss of productivity
• Loss of life
• Loss of equipment
• Access to a system by a malicious individual
Integrating Governance, Compliance, and Risk Management
The Risk Analysis Process

Asset identification and valuation: Identify the assets that require protection and determine their value, including data, data systems, buildings, and employees.
Vulnerability identification: Identify vulnerabilities so the analyst can confirm where problems exist.
Threat assessment: Determine what threats may exploit the identified vulnerabilities.
Risk assessment: Assess the probability that threats will exploit vulnerabilities. Can be quantitative (numbers-based) or qualitative (words-based).
Financial impact evaluation: Once probabilities are determined, evaluate the potential financial impact of each risk.
Asset Identification

• Comprehensively identify all assets in the organization.
• Waiting until it is too late makes it harder to recover an asset.
• If you do not identify an asset, you may not even know when it is compromised.
• Describe assets in terms of:
  • Basic characteristics.
  • Value to the company.
  • Use on a daily basis.
  • Replaceability.
Asset Valuation

• What effort was required to develop or obtain it?
• What does it cost to maintain and protect it?
• How much will we lose in operational functionality if the asset is misplaced or damaged?
• What would it cost to replace it?
• What would adversaries pay for it?
• What liability penalties might occur if the asset is compromised?
Asset Valuation Methods

Asset management system: Contains a detailed record of corporate property and similar assets, including facilities, furniture, computers, and other real property.
Accounting system: Contains additional financial information about assets, such as the expensed cost of developing software packages.
Insurance valuation: A good source of asset valuation because of the insurer's rigorous analysis of the risk of loss.
Qualitative valuation: Narrative descriptions capture expert judgement about asset value.
Areas of Vulnerability

Physical structure: Window accessibility in a room where secure information is stored exposes a vulnerability and creates a venue for sudden intrusion threats.
Electrical: Failure of a vulnerable electrical feed can threaten system data.
Software: Worms, viruses, and Trojans threaten systems.
Network: Unencrypted data on the network is vulnerable to interception and exploitation.
Personnel: Key trained personnel must be available to deal with critical events, or the whole organization is vulnerable.
Hardware: Losses due to theft and physical damage generate costs for replacement and lost productivity.
Documentation: If poorly written, it can cause confusion and impair decision making. The organization must also protect the integrity and confidentiality of sensitive documentation.
Process: Outdated or inefficient processes can impair business operations; poor security processes weaken defenses and increase risk.
Identify Threats

Natural disasters:
• Earthquakes
• Wildfires
• Flooding
• Excessive snowfalls
• Tsunamis
• Hurricanes
• Tornados
• Landslides

Man-made disasters, intentional:
• Arson
• Terrorist attacks
• Political unrest
• Break-ins
• Theft of equipment and/or data
• Equipment damage
• File destruction
• Information disclosure

Man-made disasters, unintentional:
• Employee mistakes
• Power outages
• Excessive employee illnesses or epidemics
• Information disclosure
Risk Assessment Methodologies

• CRAMM (CCTA Risk Analysis and Management Method)
• Failure Mode and Effects Analysis (FMEA)
• FRAP (Facilitated Risk Analysis Process)
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
• SOMAP (Security Officers Management and Analysis Project)
Risk Assessment Determination Factors

• Likelihood: How likely is it that the threat occurs?
• Impact: What kind of damage will the threat cause?
Residual Risk

• Risk that remains even after controls are in place.
• You cannot account for every risk, no matter how hard you try.
• Some risks are not worth the cost of the countermeasure.
• Identifying residual risk helps you assess the effectiveness of your controls.
• The acceptable response to residual risk is to have a solid disaster recovery plan.
• Controls gap is the amount of risk that countermeasures do not cover.
  • Expressed as a percentage.
  • Correlates to residual risk.
  • Controls gap = total risk - countermeasures

(Diagram: controls applied to inherent risk leave residual risk.)
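The risk analysis process, the likelihood/impact factors and the controls gap above, worked through as an added example that is not part of the slides or the trainer's material: a constructed risk register in Python that maps qualitative likelihood bands onto probabilities, computes total and residual risk per asset, ranks what remains, checks whether each countermeasure removes more risk than it costs, and reports the controls gap as a percentage of total risk. The band values, the assets and figures, and the linear "effectiveness" model of a control are assumptions made for illustration.

```python
from dataclasses import dataclass

# Qualitative (words-based) likelihood bands mapped onto the probabilities a
# quantitative (numbers-based) assessment needs. Band values are assumptions
# for this example, not figures from the slides.
LIKELIHOOD_BANDS = {"rare": 0.05, "unlikely": 0.2, "possible": 0.5, "likely": 0.8}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float                   # probability the threat exploits the vulnerability
    impact: float                       # financial impact if it does (asset value at stake)
    control_effectiveness: float = 0.0  # share of the risk the countermeasure removes, 0..1
    control_cost: float = 0.0           # what the countermeasure costs to put in place

    @property
    def total_risk(self) -> float:
        """Risk as the slides define it: likelihood combined with potential damage."""
        return self.likelihood * self.impact

    @property
    def covered(self) -> float:
        """The part of the total risk the countermeasure takes away (assumed linear)."""
        return self.total_risk * self.control_effectiveness

    @property
    def residual_risk(self) -> float:
        """What remains after the control is in place."""
        return self.total_risk - self.covered


def controls_gap_percent(register) -> float:
    """Controls gap = total risk - countermeasures, as a percentage of total risk."""
    total = sum(r.total_risk for r in register)
    covered = sum(r.covered for r in register)
    return 100.0 * (total - covered) / total if total else 0.0


def ranked_by_residual(register):
    """Prioritisation: the largest remaining residual risks are where effort goes next."""
    return sorted(register, key=lambda r: r.residual_risk, reverse=True)


def control_is_worth_it(r: Risk) -> bool:
    """'Some risks are not worth the cost of the countermeasure': the control must
    remove more risk than it costs, otherwise accept the risk and plan for recovery."""
    return r.covered > r.control_cost


# Constructed risk register (example data, not from the slides).
REGISTER = [
    Risk("customer database", "SQL injection", LIKELIHOOD_BANDS["likely"], 500_000,
         control_effectiveness=0.90, control_cost=40_000),
    Risk("laptop fleet", "theft of unencrypted device", LIKELIHOOD_BANDS["possible"], 80_000,
         control_effectiveness=0.95, control_cost=5_000),
    Risk("office building", "flooding", LIKELIHOOD_BANDS["rare"], 200_000),
    Risk("TFTP server", "unauthenticated file read", LIKELIHOOD_BANDS["unlikely"], 10_000,
         control_effectiveness=0.50, control_cost=20_000),
]


def summarize(register=REGISTER) -> dict:
    """Ranking, per-control cost/benefit verdict and register-wide controls gap."""
    return {
        "ranking": [r.asset for r in ranked_by_residual(register)],
        "worth_it": {r.asset: control_is_worth_it(r) for r in register},
        "controls_gap_percent": round(controls_gap_percent(register), 2),
    }


if __name__ == "__main__":
    for r in ranked_by_residual(REGISTER):
        print(f"{r.asset:18} total={r.total_risk:>10,.0f} residual={r.residual_risk:>9,.0f} "
              f"control worth it: {control_is_worth_it(r)}")
    print(f"controls gap: {controls_gap_percent(REGISTER):.1f}% of total risk")
```

Note what the numbers say: the flood risk has no control at all, so the whole of it is residual and it ranks second even though it is rare, while the TFTP control fails the cost test because it costs more than the risk it removes. Both are cases where the slide's advice applies: accept the residual risk knowingly and make sure the disaster recovery plan covers it.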
Monitoring and Measuring

• Not just simple pass-fail results or generating paperwork for an audit.
• A well-executed assessment determines the validity and effectiveness of controls.
• Can expose the strengths and weaknesses of current systems.
• Helps identify a plan for correcting weaknesses.
Continuous Improvement

• An ongoing effort to optimize policies and processes.
• A function of risk management.
• Best practices include:
  • Continuously seek to discover new vulnerabilities.
  • Be context aware in your risk analysis.
  • Prioritize your efforts on the vulnerabilities that actually pose a significant risk.
  • Determine patchability.
Threat Types

Phishing and social engineering:
• Attackers use psychological tactics to manipulate victims into disclosing information or performing an action that they should not.
• Phishing is the most common form; it uses email with malicious attachments or links.

Insider threat:
• Disgruntled employees and others with internal access use their access privileges or knowledge to steal data or damage systems.
• Can also be accidental/unintentional.

Malware:
• Any software intended to damage a computer system.
• Can be distributed through email, websites, file sharing, social media, even legitimately published software.
• Includes viruses, worms, Trojans, keyloggers, rootkits, bootkits, ransomware, spyware, etc.

Session hijacking / man-in-the-middle:
• Attacker takes over a legitimate network connection, often after the user has authenticated.

Denial of service:
• Any attack that consumes computer or network resources so the system cannot service legitimate client requests.
• Can be conducted against the network, CPU, RAM, disk space, or the maximum allowed connections.

Unauthorized network access:
• Deliberate or accidental.
• Normal security controls are bypassed.

Injection and cross-site attacks:
• Attacker-supplied input is interpreted as code or commands (by a shell, a database, or a victim's browser), hidden inside otherwise normal browser activity.
• Includes command and SQL injection, XSS, and XSRF.
• Example XSS payload: <IMG SRC=javascript:alert("XSS")>
• The same payload with the quotes entity-encoded: <IMG SRC=javascript:alert(&quot;XSS&quot;)>
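The injection row above, worked through as an added example that is not code from the slides: the two payloads the slide shows plus three further encodings of the same javascript: URL, the naive blocklist that matches the literal string, a check that undoes entity, percent and control-character encoding the way a browser does before it reads the URL scheme, output encoding that renders the payload inert, and the SQL injection half of the row as a vulnerable string-built query beside its parameterized form. The extra payloads, the in-memory sqlite3 table and the helper names are constructed for this example.

```python
import html
import re
import sqlite3
from urllib.parse import unquote

# Constructed payloads: the two from the slide, plus three variants of the same
# javascript: URL that a filter matching the literal text "javascript:" misses.
PAYLOADS = [
    '<IMG SRC=javascript:alert("XSS")>',
    '<IMG SRC=javascript:alert(&quot;XSS&quot;)>',   # slide's entity-encoded form
    '<IMG SRC="java&#x09;script:alert(1)">',         # entity for a tab inside the scheme
    '<IMG SRC="JaVaScRiPt:alert(1)">',               # mixed case
    '<a href="%6Aavascript:alert(1)">x</a>',         # percent-encoded first letter
]
BENIGN = '<img src="https://example.invalid/logo.png" alt="Logo &amp; Co">'

# Attributes whose value the browser treats as a URL; quoted or unquoted values.
URL_ATTR = re.compile(
    r'\b(src|href|action|formaction)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I)


def naive_filter_blocks(fragment: str) -> bool:
    """The blocklist many first attempts use: look for the literal string."""
    return "javascript:" in fragment


def normalize_url(value: str) -> str:
    """Undo the decoding steps a browser performs before it reads the URL scheme."""
    v = html.unescape(value)              # &quot; &#x09; &#106; ...
    v = unquote(v)                        # %6A ...
    v = re.sub(r"[\x00-\x20]", "", v)     # browsers ignore tabs/newlines in the scheme;
    return v.lower()                      # stripping every control char is a safe superset


def script_urls(fragment: str) -> list:
    """Attribute values that, once normalized, carry a script-executing scheme."""
    hits = []
    for m in URL_ATTR.finditer(fragment):
        value = next(g for g in m.groups()[1:] if g is not None)
        if normalize_url(value).startswith(("javascript:", "vbscript:", "data:text/html")):
            hits.append(f"{m.group(1).lower()}={value}")
    return hits


def render_as_text(untrusted: str) -> str:
    """Hardened output: encode for an HTML text context so the payload is shown, not run.
    Output encoding is per context; a URL attribute additionally needs a scheme allow-list."""
    return html.escape(untrusted, quote=True)


def lookup_vulnerable(conn, username: str):
    # SQL injection: attacker text becomes part of the query syntax.
    return conn.execute(f"SELECT name FROM users WHERE name = '{username}'").fetchall()


def lookup_safe(conn, username: str):
    # Parameterized query: the value is bound as data and never parsed as SQL.
    return conn.execute("SELECT name FROM users WHERE name = ?", (username,)).fetchall()


def sqli_demo() -> tuple:
    """Rows returned by each lookup for the classic tautology payload (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    payload = "x' OR '1'='1"
    return len(lookup_vulnerable(conn, payload)), len(lookup_safe(conn, payload))


if __name__ == "__main__":
    print("naive filter catches", sum(map(naive_filter_blocks, PAYLOADS)), "of", len(PAYLOADS))
    print("normalized check catches", sum(bool(script_urls(p)) for p in PAYLOADS), "of", len(PAYLOADS))
    print("benign markup flagged:", script_urls(BENIGN))
    print("encoded for output:", render_as_text(PAYLOADS[0]))
    print("sqli rows (vulnerable, parameterized):", sqli_demo())
```

The point of the encoded payload on the slide is that the browser decodes before it interprets, so a filter has to decode the same way or it is comparing against the wrong string. Detection is a second line of defence; the fix that actually closes the hole is the last two functions' pattern: keep untrusted data as data, through output encoding on the HTML side and bound parameters on the SQL side.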
Threat Remediation

• Basic categories of remediation:
  • Good security policy and management commitment to security.
  • Fix vulnerable code.
  • Properly configure systems.
  • Change business processes.
  • Improve security culture through training and awareness.
• Effective threat remediation involves all personnel working together.
• Implementation of technical controls and management of good business processes.
• The various security departments should coordinate their remediation efforts.
• Remediation policy should reflect risk tolerance.
• Strategies and controls should be consistently evaluated for their effectiveness.
END