SlideShare uma empresa Scribd logo

Information security for dummies

V
V-ICT-OR

Informatieveiligheid voor beginners

EducaçãoTecnologia
1 de 22
Baixar para ler offline
Ivo Depoorter
Whois I  Functions  Sysadmin, DBA, CIO, ADP instructor, SSO, Security consultant  Career (20 y)  NATO – Local government – Youth care  Training  Lots of Microsoft, Linux, networking, programming…  Security: Site Security Officer, CISSP, BCM, Ethical Hacking, network scanning,…
Course outline  Information security?  Security Why?  Security approach  Vocabulary  The weakest link  Real life security sample
Information security? According to Wikipedia, ISO2700x, CISSP, SANS,….  Confidentiality: Classified information must, be protected from unauthorized disclosure.  Integrity: Information must be protected against unauthorized changes and modification.  Availability: the information processed, and the services provided must be protected from deliberate or accidental loss, destruction, or interruption of services.
Information security? Security attributes according to the Belgian privacycommission  Confidentiality  Integrity  Availability +  Accountability  Non-repudiation  Authenticity  Reliability
CIA Exercise Defacing of Belgian Army website
CIA Exercise  Confidentiality  ??  Webserver only hosting public information?  Webserver separated from LAN?  Integrity  Availability  Unauthorized changes!  Information is no longer available
Security Why?  Compliance with law  Protect (valuable) assets  Prevent production breakdowns  Protect reputation, (non-)commercial image  Meet customer & shareholder requirements  Keep personnel happy
Security approach  Both technical and non-technical countermeasures.  Top-management approval and support!  Communicate!  Information security needs a layered approach!!!  Best practices  COBIT Control Objectives for Information and related Technology  ISO 27002 (ISO 17799) Code of practice for information security management  …..
ISO 27002  Section 0 Introduction  Section 1 Scope  Section 2 Terms and Definitions  Section 3 Structure of the Standard  Section 4 Risk Assessment and Treatment  Section 5 Security Policy  Section 6 Organizing Information Security  Section 7 Asset Management  Section 8 Human Resources Security  Section 9 Physical and Environmental Security  Section 10 Communications and Operations Management  Section 11 Access Control  Section 12 Information Systems Acquisition, Development and Maintenance  Section 13 Information Security Incident Management  Section 14 Business Continuity Management  Section 15 Compliance
ISO 27002 - Example 10 9 11 15Procedures Physical access Logical access Security audit local government > 500 employees Technique: Social Engineering Internal audit
Security vocabulary - Threat  A potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community. (BCI)  Samples:  Fire  Death of a key person (SPOK or Single Point of Knowledge)  Crash of a critical network component e.g. core switch (SPOF: single point of failure)  …
Security vocabulary - Damage  Harm or injury to property or a person, resulting in loss of value or the impairment of usefulness  Damage in information security:  Operational  Financial  Legal  Reputational  Damage defaced Belgian Army website?  Operational: probably (temporary frontpage, patch management,….)  Financial: probably (training personnel, hiring consultancy,….)  Legal: probably (lawsuit against external responsible?)  Reputational: certainly!
Security vocabulary - Risk  Combination of the probability of an event and its consequence.  Risk components  Threat (probability)  Damage (amount)  Example: Damage Process Threat O F L R Max impact Probability Risk Food freezing Electricity Failure > 24 h 4 3 2 2 4 2 8
The Zen of Risk  What is just the right amount of security?  Seeking Balance between Security (Yin) and Business (Yang) Potential Loss Cost Countermeasures Productivity
Security vocabulary - AAA  Authentication: technologies used to determine the authenticity of users, network nodes, and documents  Authorization: who is allowed to do what?  Accountability: is it possible to find out who has made any operations? • Strong authentication (two-factor or multifactor) • Something you know (password, PIN,…) • Something you have (token,…) • Something you are (fingerprint, …)
The weakest link SEC_RITY is not complete without U! Countermeasures: • Force password policy on server • Train personnel • Use strong authentication • …
The weakest link Amateurs hack systems, professionals hack people! Countermeasures: • Implement security & access policies • Job rotation • Encryption • Employee awareness training • Audit trail of all accesses to documents • ….
Hacking steps Step Countermeasures (short list) 1. Reconnaissance Be careful with information 2. Network mapping Network IDS – block ICMP 3. Exploiting System hardening 4. Keeping access IDS – Antivirus – rootkit scanners 5. Covering Tracks Reconnaissance (information gathering): Searching interesting information on discussion groups/forum, social networks, customer reference lists, Google hacks…
Logical security • VLAN’s • Password policy • … Real life security sample High security (war)zone Illiterate (local) cleaning personnel (Use opportunities!!!) Physical security: • Personnel clearance • Physical control • Pc placement (shoulder surfing) • Clean desk policy • Shredder • Lock screen policy • Fiber to pc WWW > 2 m LAN Tempest!!!
We learned….  Security is CIA(+)  Why: law, reputation, production continuity,…  Approach: layered, technical & non-technical, support from CEO, lots of communication  Vocabulary: threat, damage, risk, (strong)authentication, authorization, accountability  Risk = threat * damage  Security balance: loss vs. cost & countermeasures vs. productivity  The weakest link is personnel!  A hacker starts with information gathering
Information security for dummies

Recomendados

The difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information SecurityThe difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information Security
PECB
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
PECB
 
Information security for dummies
Information security for dummiesInformation security for dummies
Information security for dummies
Ivo Depoorter
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
PECB
 
Cyber Security & User's Privacy Invasion
Cyber Security & User's Privacy InvasionCyber Security & User's Privacy Invasion
Cyber Security & User's Privacy Invasion
Isaiah Edem
 
Security architecture principles isys 0575general att
Security architecture principles isys 0575general attSecurity architecture principles isys 0575general att
Security architecture principles isys 0575general att
SHIVA101531
 
Residency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resiResidency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resi
SHIVA101531
 
InfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and AndroidInfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and Android
Symosis Security (Previously C-Level Security)
 

Recomendados

The difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information SecurityThe difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information Security
PECB
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
PECB
 
Information security for dummies
Information security for dummiesInformation security for dummies
Information security for dummies
Ivo Depoorter
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
PECB
 
Cyber Security & User's Privacy Invasion
Cyber Security & User's Privacy InvasionCyber Security & User's Privacy Invasion
Cyber Security & User's Privacy Invasion
Isaiah Edem
 
Security architecture principles isys 0575general att
Security architecture principles isys 0575general attSecurity architecture principles isys 0575general att
Security architecture principles isys 0575general att
SHIVA101531
 
Residency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resiResidency research makeup project acme enterprise scenario resi
Residency research makeup project acme enterprise scenario resi
SHIVA101531
 
InfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and AndroidInfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and Android
Symosis Security (Previously C-Level Security)
 
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Edureka!
 
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
Andris Soroka
 
Information security
Information securityInformation security
Information security
avinashbalakrishnan2
 
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyDSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
Andris Soroka
 
Leo TechnoSoft’s Intelligence Driven SOC is integrated Context-aware Security...
Leo TechnoSoft’s Intelligence Driven SOC is integrated Context-aware Security...Leo TechnoSoft’s Intelligence Driven SOC is integrated Context-aware Security...
Leo TechnoSoft’s Intelligence Driven SOC is integrated Context-aware Security...
hardik soni
 
Cyber Security Professionals Viewed via Supply Chain
Cyber Security Professionals Viewed via Supply ChainCyber Security Professionals Viewed via Supply Chain
Cyber Security Professionals Viewed via Supply Chain
aletarw
 
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...
Judith Beckhard Cardoso
 
Security architecture - Perform a gap analysis
Security architecture - Perform a gap analysisSecurity architecture - Perform a gap analysis
Security architecture - Perform a gap analysis
Carlo Dapino
 
Isa Chapters Cyber is Hard presentation v1.0
Isa Chapters Cyber is Hard presentation v1.0Isa Chapters Cyber is Hard presentation v1.0
Isa Chapters Cyber is Hard presentation v1.0
grp362
 
Thinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionThinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker Vision
PECB
 
Lukas - Ancaman E-Health Security
Lukas - Ancaman E-Health SecurityLukas - Ancaman E-Health Security
Lukas - Ancaman E-Health Security
Indonesia Honeynet Chapter
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Edureka!
 
Cybersecurity Hands-On Training
Cybersecurity Hands-On TrainingCybersecurity Hands-On Training
Cybersecurity Hands-On Training
Tonex
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Michael Noel
 
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
OKsystem
 
Turgay dereli 283286 software eng. ass 2-
Turgay dereli 283286 software eng. ass 2-Turgay dereli 283286 software eng. ass 2-
Turgay dereli 283286 software eng. ass 2-
Turgay Dereli
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
Peter Wood
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1
Mukesh Chinta
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
Mukesh Chinta
 
What is Information Security and why you should care ...
What is Information Security and why you should care ...What is Information Security and why you should care ...
What is Information Security and why you should care ...
James Mulhern
 
Information Security
Information SecurityInformation Security
Information Security
vadapav123
 

Mais conteúdo relacionado

Mais procurados

Cyber Security Professionals Viewed via Supply Chain
Cyber Security Professionals Viewed via Supply ChainCyber Security Professionals Viewed via Supply Chain
Cyber Security Professionals Viewed via Supply Chain
aletarw
 
Thinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionThinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker Vision
PECB
 
Cybersecurity Hands-On Training
Cybersecurity Hands-On TrainingCybersecurity Hands-On Training
Cybersecurity Hands-On Training
Tonex
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Michael Noel
 
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
OKsystem
 
Turgay dereli 283286 software eng. ass 2-
Turgay dereli 283286 software eng. ass 2-Turgay dereli 283286 software eng. ass 2-
Turgay dereli 283286 software eng. ass 2-
Turgay Dereli
 

Mais procurados (20)

Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
 
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
 
Information security
Information securityInformation security
Information security
 
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyDSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
 
Leo TechnoSoft’s Intelligence Driven SOC is integrated Context-aware Security...
Leo TechnoSoft’s Intelligence Driven SOC is integrated Context-aware Security...Leo TechnoSoft’s Intelligence Driven SOC is integrated Context-aware Security...
Leo TechnoSoft’s Intelligence Driven SOC is integrated Context-aware Security...
 
Cyber Security Professionals Viewed via Supply Chain
Cyber Security Professionals Viewed via Supply ChainCyber Security Professionals Viewed via Supply Chain
Cyber Security Professionals Viewed via Supply Chain
 
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...A holistic approach to risk management 20210210 w acfe france & cyber rea...
A holistic approach to risk management 20210210 w acfe france & cyber rea...
 
Security architecture - Perform a gap analysis
Security architecture - Perform a gap analysisSecurity architecture - Perform a gap analysis
Security architecture - Perform a gap analysis
 
Isa Chapters Cyber is Hard presentation v1.0
Isa Chapters Cyber is Hard presentation v1.0Isa Chapters Cyber is Hard presentation v1.0
Isa Chapters Cyber is Hard presentation v1.0
 
Thinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker VisionThinking like a hacker - Introducing Hacker Vision
Thinking like a hacker - Introducing Hacker Vision
 
Lukas - Ancaman E-Health Security
Lukas - Ancaman E-Health SecurityLukas - Ancaman E-Health Security
Lukas - Ancaman E-Health Security
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
 
Cybersecurity Hands-On Training
Cybersecurity Hands-On TrainingCybersecurity Hands-On Training
Cybersecurity Hands-On Training
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
 
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
Smart Cards & Devices Forum 2013 - Protecting enterprise sensitive informatio...
 
Turgay dereli 283286 software eng. ass 2-
Turgay dereli 283286 software eng. ass 2-Turgay dereli 283286 software eng. ass 2-
Turgay dereli 283286 software eng. ass 2-
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
 

Semelhante a Information security for dummies

FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
DataExchangeAgency
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
Napoleon NV
 
Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0
Ferenc Fresz
 

Semelhante a Information security for dummies (20)

What is Information Security and why you should care ...
What is Information Security and why you should care ...What is Information Security and why you should care ...
What is Information Security and why you should care ...
 
Information Security
Information SecurityInformation Security
Information Security
 
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
 
PCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red HatPCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red Hat
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
 
Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0
 
Integrating Physical And Logical Security
Integrating Physical And Logical SecurityIntegrating Physical And Logical Security
Integrating Physical And Logical Security
 
Top 25 SOC Analyst interview questions that You Should Know.pptx
Top 25 SOC Analyst interview questions that You Should Know.pptxTop 25 SOC Analyst interview questions that You Should Know.pptx
Top 25 SOC Analyst interview questions that You Should Know.pptx
 
Office 365 Security Features That Nonprofits Should Know and Use
Office 365 Security Features That Nonprofits Should Know and UseOffice 365 Security Features That Nonprofits Should Know and Use
Office 365 Security Features That Nonprofits Should Know and Use
 
ISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptxISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptx
 
digital strategy and information security
digital strategy and information securitydigital strategy and information security
digital strategy and information security
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Cobit 2
Cobit 2Cobit 2
Cobit 2
 
Main Menu
Main MenuMain Menu
Main Menu
 
Role Of Forensic Triage In Cyber Security Trends 2022-UPDATED.pptx
Role Of Forensic Triage In Cyber Security Trends 2022-UPDATED.pptxRole Of Forensic Triage In Cyber Security Trends 2022-UPDATED.pptx
Role Of Forensic Triage In Cyber Security Trends 2022-UPDATED.pptx
 
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 Conference
 
APrIGF 2015: Security and the Internet of Things
APrIGF 2015: Security and the Internet of ThingsAPrIGF 2015: Security and the Internet of Things
APrIGF 2015: Security and the Internet of Things
 

Último

Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
saipooja36
 
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
中 央社
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
中 央社
 
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
MysoreMuleSoftMeetup
 

Último (20)

Features of Video Calls in the Discuss Module in Odoo 17
Features of Video Calls in the Discuss Module in Odoo 17Features of Video Calls in the Discuss Module in Odoo 17
Features of Video Calls in the Discuss Module in Odoo 17
 
MichaelStarkes_UncutGemsProjectSummary.pdf
MichaelStarkes_UncutGemsProjectSummary.pdfMichaelStarkes_UncutGemsProjectSummary.pdf
MichaelStarkes_UncutGemsProjectSummary.pdf
 
Mattingly "AI and Prompt Design: LLMs with Text Classification and Open Source"
Mattingly "AI and Prompt Design: LLMs with Text Classification and Open Source"Mattingly "AI and Prompt Design: LLMs with Text Classification and Open Source"
Mattingly "AI and Prompt Design: LLMs with Text Classification and Open Source"
 
Pragya Champions Chalice 2024 Prelims & Finals Q/A set, General Quiz
Pragya Champions Chalice 2024 Prelims & Finals Q/A set, General QuizPragya Champions Chalice 2024 Prelims & Finals Q/A set, General Quiz
Pragya Champions Chalice 2024 Prelims & Finals Q/A set, General Quiz
 
UChicago CMSC 23320 - The Best Commit Messages of 2024
UChicago CMSC 23320 - The Best Commit Messages of 2024UChicago CMSC 23320 - The Best Commit Messages of 2024
UChicago CMSC 23320 - The Best Commit Messages of 2024
 
Championnat de France de Tennis de table/
Championnat de France de Tennis de table/Championnat de France de Tennis de table/
Championnat de France de Tennis de table/
 
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH FORM 50 CÂU TRẮC NGHI...
 
philosophy and it's principles based on the life
philosophy and it's principles based on the lifephilosophy and it's principles based on the life
philosophy and it's principles based on the life
 
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
 
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
 
Software testing for project report .pdf
Software testing for project report .pdfSoftware testing for project report .pdf
Software testing for project report .pdf
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
 
How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17How to Analyse Profit of a Sales Order in Odoo 17
How to Analyse Profit of a Sales Order in Odoo 17
 
HVAC System | Audit of HVAC System | Audit and regulatory Comploance.pptx
HVAC System | Audit of HVAC System | Audit and regulatory Comploance.pptxHVAC System | Audit of HVAC System | Audit and regulatory Comploance.pptx
HVAC System | Audit of HVAC System | Audit and regulatory Comploance.pptx
 
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
Exploring Gemini AI and Integration with MuleSoft | MuleSoft Mysore Meetup #45
 
size separation d pharm 1st year pharmaceutics
size separation d pharm 1st year pharmaceuticssize separation d pharm 1st year pharmaceutics
size separation d pharm 1st year pharmaceutics
 
....................Muslim-Law notes.pdf
....................Muslim-Law notes.pdf....................Muslim-Law notes.pdf
....................Muslim-Law notes.pdf
 
Incoming and Outgoing Shipments in 2 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 2 STEPS Using Odoo 17Incoming and Outgoing Shipments in 2 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 2 STEPS Using Odoo 17
 
Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17
Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17
Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17
 
ANTI PARKISON DRUGS.pptx
ANTI PARKISON DRUGS.pptxANTI PARKISON DRUGS.pptx
ANTI PARKISON DRUGS.pptx
 

Information security for dummies

  • 2. Whois I  Functions  Sysadmin, DBA, CIO, ADP instructor, SSO, Security consultant  Career (20 y)  NATO – Local government – Youth care  Training  Lots of Microsoft, Linux, networking, programming…  Security: Site Security Officer, CISSP, BCM, Ethical Hacking, network scanning,…
  • 3. Course outline  Information security?  Security Why?  Security approach  Vocabulary  The weakest link  Real life security sample
  • 4. Information security? According to Wikipedia, ISO2700x, CISSP, SANS,….  Confidentiality: Classified information must, be protected from unauthorized disclosure.  Integrity: Information must be protected against unauthorized changes and modification.  Availability: the information processed, and the services provided must be protected from deliberate or accidental loss, destruction, or interruption of services.
  • 5. Information security? Security attributes according to the Belgian privacycommission  Confidentiality  Integrity  Availability +  Accountability  Non-repudiation  Authenticity  Reliability
  • 6. CIA Exercise Defacing of Belgian Army website
  • 7. CIA Exercise  Confidentiality  ??  Webserver only hosting public information?  Webserver separated from LAN?  Integrity  Availability  Unauthorized changes!  Information is no longer available
  • 8. Security Why?  Compliance with law  Protect (valuable) assets  Prevent production breakdowns  Protect reputation, (non-)commercial image  Meet customer & shareholder requirements  Keep personnel happy
  • 9. Security approach  Both technical and non-technical countermeasures.  Top-management approval and support!  Communicate!  Information security needs a layered approach!!!  Best practices  COBIT Control Objectives for Information and related Technology  ISO 27002 (ISO 17799) Code of practice for information security management  …..
  • 10. ISO 27002  Section 0 Introduction  Section 1 Scope  Section 2 Terms and Definitions  Section 3 Structure of the Standard  Section 4 Risk Assessment and Treatment  Section 5 Security Policy  Section 6 Organizing Information Security  Section 7 Asset Management  Section 8 Human Resources Security  Section 9 Physical and Environmental Security  Section 10 Communications and Operations Management  Section 11 Access Control  Section 12 Information Systems Acquisition, Development and Maintenance  Section 13 Information Security Incident Management  Section 14 Business Continuity Management  Section 15 Compliance
  • 11. ISO 27002 - Example 10 9 11 15Procedures Physical access Logical access Security audit local government > 500 employees Technique: Social Engineering Internal audit
  • 12. Security vocabulary - Threat  A potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community. (BCI)  Samples:  Fire  Death of a key person (SPOK or Single Point of Knowledge)  Crash of a critical network component e.g. core switch (SPOF: single point of failure)  …
  • 13. Security vocabulary - Damage  Harm or injury to property or a person, resulting in loss of value or the impairment of usefulness  Damage in information security:  Operational  Financial  Legal  Reputational  Damage defaced Belgian Army website?  Operational: probably (temporary frontpage, patch management,….)  Financial: probably (training personnel, hiring consultancy,….)  Legal: probably (lawsuit against external responsible?)  Reputational: certainly!
  • 14. Security vocabulary - Risk  Combination of the probability of an event and its consequence.  Risk components  Threat (probability)  Damage (amount)  Example: Damage Process Threat O F L R Max impact Probability Risk Food freezing Electricity Failure > 24 h 4 3 2 2 4 2 8
  • 15. The Zen of Risk  What is just the right amount of security?  Seeking Balance between Security (Yin) and Business (Yang) Potential Loss Cost Countermeasures Productivity
  • 16. Security vocabulary - AAA  Authentication: technologies used to determine the authenticity of users, network nodes, and documents  Authorization: who is allowed to do what?  Accountability: is it possible to find out who has made any operations? • Strong authentication (two-factor or multifactor) • Something you know (password, PIN,…) • Something you have (token,…) • Something you are (fingerprint, …)
  • 17. The weakest link SEC_RITY is not complete without U! Countermeasures: • Force password policy on server • Train personnel • Use strong authentication • …
  • 18. The weakest link Amateurs hack systems, professionals hack people! Countermeasures: • Implement security & access policies • Job rotation • Encryption • Employee awareness training • Audit trail of all accesses to documents • ….
  • 19. Hacking steps Step Countermeasures (short list) 1. Reconnaissance Be careful with information 2. Network mapping Network IDS – block ICMP 3. Exploiting System hardening 4. Keeping access IDS – Antivirus – rootkit scanners 5. Covering Tracks Reconnaissance (information gathering): Searching interesting information on discussion groups/forum, social networks, customer reference lists, Google hacks…
  • 20. Logical security • VLAN’s • Password policy • … Real life security sample High security (war)zone Illiterate (local) cleaning personnel (Use opportunities!!!) Physical security: • Personnel clearance • Physical control • Pc placement (shoulder surfing) • Clean desk policy • Shredder • Lock screen policy • Fiber to pc WWW > 2 m LAN Tempest!!!
  • 21. We learned….  Security is CIA(+)  Why: law, reputation, production continuity,…  Approach: layered, technical & non-technical, support from CEO, lots of communication  Vocabulary: threat, damage, risk, (strong)authentication, authorization, accountability  Risk = threat * damage  Security balance: loss vs. cost & countermeasures vs. productivity  The weakest link is personnel!  A hacker starts with information gathering