Supplement V1.2
• This slide deck is for education and training purposes only. If it infringes any copyright, please leave a comment and it will be deleted immediately. Thank you.

• The slides are for education purposes only. Please leave a comment if there is any copyright infringement; I will delete it immediately. Thank you.
Regulation: Regulations Governing the Establishment of Internal Control Systems by Public Companies (公開發行公司建立內部控制制度處理準則)

• 2. With reference to the "Implementation Rules for Internal Control and Audit Systems of Financial Holding Companies", the "Implementation Rules for Internal Control and Audit Systems of Banks", the "Implementation Rules for Internal Control and Audit Systems of Bills Finance Companies" and the "Implementation Rules for Internal Control and Audit Systems of the Insurance Industry", the retention period for a public company's internal audit and self-inspection reports, working papers and related materials is unified to at least five years. (Amended Articles 13 and 22)
• 10. To implement the mechanism by which a public company's internal audit unit carries out its annual audit plan, it is expressly provided that the company shall draw up its annual audit plan based on the results of its risk assessment and carry it out faithfully, and that the scope of audit items in the annual audit plan shall cover the important control activities defined in the company's internal control system. (Amended Article 13)
Qualitative Risk Analysis Example

Ministry of Education TANet Network Center, ISMS implementation project training materials
http://cissnet.edu.tw/download_tanet.aspx
FMEA Output

  RPN = SEV x PF x DET
  RPN: Risk Priority Number
  SEV: Severity
  PF: Probability Factor
  DET: Detection Effectiveness

Ref: http://www.siliconfareast.com/fmea_quickref.htm#table
Fault Tree Analysis
I. Risk Assessment in NIST SP 800-30

source: NIST SP 800-30

I. Risk Assessment in NIST SP 800-30 (cont.)

source: NIST SP 800-30
Risk Management

• Risk Assessment
  • Risk Identification: Threats, Vulnerabilities
  • Risk Analysis: Quantitative Analysis, Qualitative Analysis, FMEA, FTA, OCTAVE
  • Risk Evaluation: Likelihood, Impact
• Risk Mitigation: Acceptance, Reduction, Transference, Avoidance
Access Control
Access Control Conceptual Diagram (2007/6/8)

• Identification: "Identify yourself"
• Authentication: "Prove it (I need to verify you)"
• Authorization: "Do what I tell you to do"
• Accountability: "Anything you do will be logged"
TACACS+ and RADIUS Comparison

Criterion                        | TACACS+                                                                                        | RADIUS
Transport                        | TCP (reliable; more overhead)                                                                  | UDP (unreliable; higher performance)
Authentication and Authorization | Can be separated (more flexible)                                                               | Combined
Multiprotocol Support            | Supported (IP, Apple, NetBIOS, Novell, X.25)                                                   | IP only
Access to Router CLI Commands    | Supports two methods to control the authorization of router commands on a per-user or per-group basis | Not supported
Encryption                       | Packet payload                                                                                 | Passwords only

http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+9.+AAA+Accounting/Diameter+Details/
RADIUS and Diameter Comparison

Characteristic     | RADIUS                                                                   | Diameter
Transport protocol | Connectionless (UDP 1812)                                                | Connection-oriented (TCP, SCTP, 3868)
Transport security | Optional IPsec                                                           | IPsec or Transport Layer Security (TLS) is required
Architecture       | Client-server model                                                      | Peer-to-peer model
State              | Stateless                                                                | Stateful (session ID, transaction status)
Authentication     | Pre-shared key; PAP, CHAP, EAP; only client-to-server re-authentication  | Pre-shared key, digital certificate; PAP, CHAP, EAP; mutual re-authentication
Authorization      | Bound to re-authentication                                               | Re-authorization at any time
Accounting         | Real-time accounting                                                     | Real-time accounting
Confidentiality    | Only the password is encrypted                                           | All data encrypted, or the IP header (IPsec)
Integrity          | Poor                                                                     | Good
Scalability        | Poor                                                                     | Good
Extensibility      | Vendor-specific                                                          | Public use
Security model     | Supports only hop-by-hop security; every hop can modify information in ways that cannot be traced to its origin | Supports end-to-end and hop-by-hop security; end-to-end guarantees that information cannot be modified without notice
XACML Policy Sample
<Policy PolicyId="SamplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <!-- This Policy only applies to requests on the SampleServer -->
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
        <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                     AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
      </ResourceMatch>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>

  <!-- A final, "fall-through" Rule that always Denies -->
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>
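A minimal policy decision point for the sample policy above, added here as an illustration (not the page's or OASIS's code): it parses the policy, applies the Target (the policy only covers resource-id "SampleServer") and combines the rules with permit-overrides, so the fall-through Deny fires only for requests in scope, while requests on any other resource come back NotApplicable. The request dictionaries are a constructed stand-in for XACML <Request> elements, and only the constructs the sample uses (AnySubject, AnyAction, string-equal ResourceMatch, rules without Condition) are implemented.

```python
import xml.etree.ElementTree as ET

STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# The slide's sample policy (quote character corrected), embedded so the example runs offline.
SAMPLE_POLICY = """<Policy PolicyId="SamplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <!-- This Policy only applies to requests on the SampleServer -->
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
        <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                     AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
      </ResourceMatch>
    </Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <!-- A final, "fall-through" Rule that always Denies -->
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>"""


def target_matches(target, request: dict) -> bool:
    """Evaluate a <Target>. <AnySubject/> and <AnyAction/> match everything, so only
    the <ResourceMatch> elements constrain the request; each one must hold."""
    for match in target.iter("ResourceMatch"):
        if match.get("MatchId") != STRING_EQUAL:
            raise NotImplementedError(match.get("MatchId"))  # other match functions not modelled
        wanted = match.find("AttributeValue").text
        attr_id = match.find("ResourceAttributeDesignator").get("AttributeId")
        if request.get("resource", {}).get(attr_id) != wanted:
            return False
    return True


def evaluate(policy_xml: str, request: dict) -> str:
    """Minimal PDP for one <Policy>: returns 'Permit', 'Deny' or 'NotApplicable'."""
    policy = ET.fromstring(policy_xml)
    target = policy.find("Target")
    if target is not None and not target_matches(target, request):
        return "NotApplicable"  # the policy's Target does not cover this request at all
    if policy.get("RuleCombiningAlgId") != PERMIT_OVERRIDES:
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    effects = []
    for rule in policy.findall("Rule"):
        # A rule without its own Target inherits the policy's Target (already matched above).
        rule_target = rule.find("Target")
        if rule_target is None or target_matches(rule_target, request):
            effects.append(rule.get("Effect"))
    # permit-overrides: one Permit wins; otherwise any Deny; otherwise nothing applied.
    if "Permit" in effects:
        return "Permit"
    if "Deny" in effects:
        return "Deny"
    return "NotApplicable"


def pep_allows(decision: str) -> bool:
    """Enforcement point rule: only an explicit Permit grants access. NotApplicable
    (and Indeterminate) must fall to deny, or a request the policy never covered
    would slip past the fall-through Deny rule."""
    return decision == "Permit"


if __name__ == "__main__":
    # Constructed requests: one on the covered server, one on a server the policy ignores.
    on_server = {"resource": {RESOURCE_ID: "SampleServer"}}
    elsewhere = {"resource": {RESOURCE_ID: "OtherServer"}}
    for req in (on_server, elsewhere):
        decision = evaluate(SAMPLE_POLICY, req)
        print(req["resource"][RESOURCE_ID], "->", decision, "| PEP allows:", pep_allows(decision))
```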
SPML Scenario

http://www.computerworld.com/s/article/86225/SPML
Cryptography
2DES Meet-in-the-Middle Attack

Encrypt the known plaintext under every candidate key1 and decrypt the known ciphertext under every candidate key2: where a DES1 encryption output equals a DES2 decryption output, that (key1, key2) pair has been cracked.

[Figure: known plaintext → DES encrypt (key1) → meeting point ← DES decrypt (key2) ← known ciphertext; image not preserved]

Source: www.giac.org/
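The attack the slide describes, worked on a constructed toy block cipher (16-bit block, 12-bit key, four substitution-permutation rounds) rather than DES so that the whole key space can be enumerated in well under a second. This is an added example, not code from the slide or its GIAC source; the cipher, its key schedule and the sample keys are invented for illustration. It builds a table of E_k1(P) for every k1, looks each D_k2(C) up in it, and uses the remaining known pairs to discard chance collisions; the work is 2 x 2^12 trial encryptions instead of the 2^24 a naive search of both keys would need, which is exactly why doubling a cipher does not double its key strength and why 3DES uses a third key.

```python
# Meet-in-the-middle against double encryption, on a constructed toy cipher.
# Toy cipher (an assumption for illustration, not DES): 16-bit block, 12-bit key, 4 SP rounds.
KEY_BITS = 12
ROUNDS = 4
MASK16 = 0xFFFF
# 4-bit S-box (row 0 of DES S1) and its inverse
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
ROUND_CONST = [0x0000, 0x1F2B, 0x3C4D, 0x5E6F, 0x7A8B]   # one per round plus final whitening


def round_key(key: int, r: int) -> int:
    """Spread the 12-bit key over 16 bits and mix in a per-round constant."""
    return (((key << 4) | (key >> 8)) & MASK16) ^ ROUND_CONST[r]


def sub_nibbles(x: int, box: list) -> int:
    """Apply a 4-bit S-box to each of the four nibbles of a 16-bit block."""
    return sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def rotl16(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK16


def rotr16(x: int, n: int) -> int:
    return ((x >> n) | (x << (16 - n))) & MASK16


def encrypt(key: int, block: int) -> int:
    for r in range(ROUNDS):
        block = rotl16(sub_nibbles(block ^ round_key(key, r), SBOX), 3)
    return block ^ round_key(key, ROUNDS)


def decrypt(key: int, block: int) -> int:
    block ^= round_key(key, ROUNDS)
    for r in reversed(range(ROUNDS)):
        block = sub_nibbles(rotr16(block, 3), INV_SBOX) ^ round_key(key, r)
    return block


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """The '2DES' construction: C = E_k2(E_k1(P))."""
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from a list of known (plaintext, ciphertext) pairs.

    Forward half: tabulate E_k1(P0) for every k1 (2^KEY_BITS encryptions).
    Backward half: compute D_k2(C0) for every k2; a table hit is where the two
    halves meet. The remaining pairs filter out chance collisions, which matters
    because the 16-bit middle value is shorter than the 24-bit combined key.
    """
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


def work_factor():
    """Trial encryptions needed: naive search of both keys vs. meet-in-the-middle."""
    return 1 << (2 * KEY_BITS), 2 * (1 << KEY_BITS)


if __name__ == "__main__":
    k1, k2 = 0x2B7, 0xA1C      # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
    print("brute force vs. MITM trial encryptions:", work_factor())
```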
Keyed Hash HMAC

Source: http://www.unixwiz.net/
Algebraic Cryptanalysis

[Figure: labelled "Message" and three encryption boxes "E"; image not preserved]
Null Cipher (the hidden message is read from the first letter of each line)
    "Are you deaf, Father William!" the young man said,
     "Did you hear what I told you just now?
      "Excuse me for shouting! Don't waggle your head
       "Like a blundering, sleepy old cow!
         "A little maid dwelling in Wallington Town,
          "Is my friend, so I beg to remark:
           "Do you think she'd be pleased if a book were sent down
            "Entitled 'The Hunt of the Snark?'" -
              "Pack it up in brown paper!" the old man cried,
               "And seal it with olive-and-dove.
                "I command you to do it!" he added with pride,
                  "Nor forget, my good fellow, to send her beside
                   "Easter Greetings, and give her my love."
Diffie-Hellman Key Agreement Operation
Security Architecture and Design
Zachman Framework

An Overview of Enterprise Architecture Framework Deliverables by Frank Goethals

DoDAF Framework

Enterprise Architecture A-to-Z

EAL Stats

www.commoncriteriaportal.org
Common Criteria Flow

• Protection Profile: an implementation-independent statement of security needs for a TOE type; it describes a category of product (e.g., "firewalls").
• Target of Evaluation (TOE): a set of software, firmware and/or hardware, possibly accompanied by guidance; a specific product (e.g., Cisco PIX 5xx).
• Security Target: an implementation-dependent statement of security needs for a specific identified TOE; the vendor's claims, i.e. its specifications and features.
• Requirements are divided into Functional Requirements and Assurance Requirements.
Implementation of Evaluated Products

• Evaluation: test plan based on the stated requirements
• Certification: based on the production environment
• Accreditation

EAL Levels
  1  Functionally Tested
  2  Structurally Tested
  3  Methodically Tested
  4  Methodically Designed, Tested, Reviewed
  5  Semiformal testing
  6  Semiformal verification
  7  Formal verification and testing
Storage Systems

http://en.wikipedia.org/wiki/Storage_area_network

Application Security
KDD Process
Neural Network
Expert System

Source: idrinfo.idrc.ca

Waterfall Method

http://www.softwebsolutions.com/our_process.html

Spiral Method

http://en.wikipedia.org/wiki/Spiral_model

Iterative Method

Wikipedia
Inheritance

Parent class: Animal, with virtual function Talk()
Child classes: Cat and Dog, each with its own Talk()
Polymorphism
class Animal {
    public void talk() { }                 // virtual by default in Java; overridden below
}
class Dog extends Animal {
    @Override public void talk() { System.out.println("汪"); }
}
class Cat extends Animal {
    @Override public void talk() { System.out.println("喵"); }
}
public class PolymorphismDemo {
    // Accepts any Animal; which talk() runs is decided at run time (late binding)
    static void animalTalk(Animal objSomeAnimal) {
        objSomeAnimal.talk();              // polymorphism
    }
    public static void main(String[] args) {
        Animal objCat = new Cat();
        Animal objDog = new Dog();
        // Without polymorphism
        objCat.talk();                     // "喵"
        objDog.talk();                     // "汪"
        // With polymorphism
        animalTalk(objCat);                // "喵"
        animalTalk(objDog);                // "汪"
    }
}

• In this example, the AnimalTalk procedure accepts a parameter of type Animal named objSomeAnimal, so at run time we can pass in classes derived from Animal, such as Cat or Dog. The advantage of this design is that you can add new classes derived from Animal without changing the client code in the AnimalTalk procedure.
2-phase commit
LRCI
EnCase – File System
EnCase Timeline
Audit Automation Platform
Telecommunication and Network Security
Attack Tree

http://commons.wikimedia.org/wiki/File:Attack_tree_virus.png

Honeynet

http://www.iu.hio.no/

Partial Mesh as HA
Link Layer Encryption vs. End-to-end Encryption
ISDN Application
MPLS

http://www.isoc.org/

IPSec Mode - Concise

http://technet.microsoft.com/en-us/library/cc759130(WS.10).aspx#w2k3tr_ipsec_how_vvlc

PPTP and L2TP Data Format
Smurf

http://www.techexams.net
FDDI Dual Counter-Rotating Ring
Routing Protocols

Protocol | Open standard | Hop limit | Classless | Authentication | Category                  | Network
RIPv1    | RFC 1058      | 15        | No        | None           | Interior, distance vector | Small
RIPv2    | RFC 2453      | 15        | Yes       | Password, MD5  | Interior, distance vector | Small / Medium
IGRP     | Cisco         | 255       | No        | None           | Interior, distance vector | Small
EIGRP    | Cisco         | 255       | Yes       | Password, MD5  | Interior, hybrid          | Large
OSPF     | RFC 2328      | none      | Yes       | Password, MD5  | Interior, link-state      | Large, heterogeneous
IS-IS    | ISO 10589     |           | Yes       | Password       | Interior, link-state      | Large
EGP      |               |           |           |                | Exterior, distance vector | AS-AS
BGP      | RFC 1771      |           | CIDR      | MD5            | Exterior, distance vector | AS-AS

Cisco® Certified Network Associate Study Guide
Subnetting vs. supernetting

[Figure: "One Class C" (subnetting) vs. "8 contiguous Class C" (supernetting); image not preserved]

http://medusa.sdsu.edu/network/CS576/Lectures/ch05_Subnetting.pdf
VPN – Site to Site
NetBios
War Dialer - PhoneSweep
Finger
IPP in IIS

http://secunia.com/advisories/32248/

LPR in XP

https://www.cs.uwaterloo.ca/twiki/view/CF/LprPrintingForWindows

Tapping Fiber Optics

http://i.techrepublic.com.com/blogs/Figure%20A.jpg

SAN

http://www.allsan.com/sanoverview.php3

Transmission Technology

http://www.privateline.com/PCS/Multiplexing.htm
BCP
BIA Process

[Figure: Business Activity at the centre, surrounded by Owner, Impact, Timescale, Geographic Extent, MTPD and RPO; image not preserved]
4.1 INCIDENT RESPONSE STRUCTURE
RTO < MTPD(MTD)
Trailer
Scope
BCM is a Balancing Act (cont.)

[Figure: Cost/Loss against Time; the recovery strategy cost curve (High Cost) and the disruption loss curve (High Loss) cross at the Optimal Point, beyond which the outcome is "Lose Business"; image not preserved]
Physical Security
OS
Heat and cool air

http://www.adc.com/us/en/Library/Literature/102264AE.pdf

Data loss on transportation
The time gap from vulnerability to attack is shrinking → attack success rate rises sharply

source: IBM X-Force report 2008

Mais conteúdo relacionado

Semelhante a Supplement V1.2

Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudTjylen Veselyj
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudScientia Groups
 
CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGY
CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGYCYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGY
CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGYjmical
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISECisco Canada
 
A Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story   Craig BaldingA Cloud Security Ghost Story   Craig Balding
A Cloud Security Ghost Story Craig Baldingcraigbalding
 
55502459 swe631 atsadang
55502459 swe631 atsadang55502459 swe631 atsadang
55502459 swe631 atsadangDea Kaiser
 
[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp SecurityCarles Farré
 
Intoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture PresentationIntoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture Presentationsaddepalli
 
2012-12-12 Seminar McAfee Risk Management
2012-12-12 Seminar McAfee Risk Management2012-12-12 Seminar McAfee Risk Management
2012-12-12 Seminar McAfee Risk ManagementPinewood
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02Bố Su
 
Secure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseSecure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseJoel Amoussou
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeSamuele Reghenzi
 
Incorporating the AWS Well-Architected Framework into Your Architecture (ARC2...
Incorporating the AWS Well-Architected Framework into Your Architecture (ARC2...Incorporating the AWS Well-Architected Framework into Your Architecture (ARC2...
Incorporating the AWS Well-Architected Framework into Your Architecture (ARC2...Amazon Web Services
 
Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1OracleIDM
 
Pay Forum Conference
Pay Forum ConferencePay Forum Conference
Pay Forum Conferencehagero
 
Fs isac fico and core presentation10222012
Fs isac fico and core presentation10222012Fs isac fico and core presentation10222012
Fs isac fico and core presentation10222012Seema Sheth-Voss
 

Semelhante a Supplement V1.2 (20)

Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the Cloud
 
CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGY
CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGYCYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGY
CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGY
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
A Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story   Craig BaldingA Cloud Security Ghost Story   Craig Balding
A Cloud Security Ghost Story Craig Balding
 
55502459 swe631 atsadang
55502459 swe631 atsadang55502459 swe631 atsadang
55502459 swe631 atsadang
 
[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security
 
Intoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture PresentationIntoto Linley Tech Utm Architecture Presentation
Intoto Linley Tech Utm Architecture Presentation
 
2012-12-12 Seminar McAfee Risk Management
2012-12-12 Seminar McAfee Risk Management2012-12-12 Seminar McAfee Risk Management
2012-12-12 Seminar McAfee Risk Management
 
Unit 08: Security for Web Applications
Unit 08: Security for Web ApplicationsUnit 08: Security for Web Applications
Unit 08: Security for Web Applications
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02
 
Secure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseSecure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health Enterprise
 
S series presentation
S series presentationS series presentation
S series presentation
 
App Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In CodeApp Sec Eu08 Sec Frm Not In Code
App Sec Eu08 Sec Frm Not In Code
 
Incorporating the AWS Well-Architected Framework into Your Architecture (ARC2...
Incorporating the AWS Well-Architected Framework into Your Architecture (ARC2...Incorporating the AWS Well-Architected Framework into Your Architecture (ARC2...
Incorporating the AWS Well-Architected Framework into Your Architecture (ARC2...
 
Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1
 
Pay Forum Conference
Pay Forum ConferencePay Forum Conference
Pay Forum Conference
 
Fs isac fico and core presentation10222012
Fs isac fico and core presentation10222012Fs isac fico and core presentation10222012
Fs isac fico and core presentation10222012
 

Último

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Último (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Supplement V1.2

  • 1. • 本投影片僅供教育訓練用,如有侵權,請留言通 知,將立即刪除,謝謝。 • The slide is for education purpose only. Please leave your comment if there is any copyright infringement. I will delete it immediately. Thank you.
  • 2.
  • 3. 法規名稱:公開發行公司建立內部控制制度處理準則 法規名稱: •二、參考「金融控股公司內部控制及稽核制度實施辦法」 、「銀行內部控制及稽核制 度實施辦法」、「票券商內 部控制及稽核制度實施辦法」及「保險業內部控制及 稽 核制度實施辦法」規定,公開發行公司內部稽核及自行檢 查報告、工作底稿及相關資料保存年限統一為至少保存五 相關資料保存年限統一為至少保存五 年。(修正條文第十三條及第二十二條) •十、為落實公開發行公司內部稽核單位執行年度稽核計畫 之機制,明定公司應依風險評估結果 應依風險評估結果擬訂其年度稽核計畫 應依風險評估結果 ,並確實執行,且其年度稽核計畫之稽核項目範圍應涵蓋 公司於內部控制制度訂定之重要控制作業。 (修正條文第 十三條)
  • 4. Qualitative Risk Analysis Example 教育部 TANet 網路中心導入資訊安全管理制度計畫教育訓練教材 http://cissnet.edu.tw/download_tanet.aspx
  • 5. FMEA Output: RPN = SEV x PF x DET (RPN: Risk Priority Number; SEV: Severity; PF: Probability Factor; DET: Detection Effectiveness). Ref: http://www.siliconfareast.com/fmea_quickref.htm#table
  • 7. I. Risk Assessment in NIST SP 800-30 (source: NIST SP 800-30)
  • 8. I. Risk Assessment in NIST SP 800-30 (cont.) (source: NIST SP 800-30)
  • 9. Risk Management (overview diagram)
    Risk Management
      Risk Assessment
        Risk Identification: Threats; Vulnerabilities
        Risk Analysis: Quantitative Analysis; Qualitative Analysis; FMEA; FTA; OCTAVE
        Risk Evaluation: Likelihood; Impact
      Risk Mitigation: Acceptance; Reduction; Transference; Avoidance
  • 11. Access Control Conceptual Diagram (2007/6/8)
    Identification: "Identify yourself"
    Authentication: "Prove it" (I need to verify you)
    Authorization: "Do what I tell you to do"
    Accountability: "Anything you do will be logged"
  • 12. TACACS+ and RADIUS Comparison
    Transport: TACACS+ uses TCP (reliable; more overhead); RADIUS uses UDP (unreliable; higher performance)
    Authentication and authorization: TACACS+ can separate them (more flexible); RADIUS combines them
    Multiprotocol support: TACACS+ supports IP, Apple, NetBIOS, Novell and X.25; RADIUS supports IP only
    Access to router CLI commands: TACACS+ supports two methods to control the authorization of router commands on a per-user or per-group basis; RADIUS does not support this
    Encryption: TACACS+ encrypts the packet payload; RADIUS encrypts passwords only
    http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+9.+AAA+Accounting/Diameter+Details/
  • 13. RADIUS and Diameter Comparison
    Transport protocol: RADIUS is connectionless (UDP 1812); Diameter is connection-oriented (TCP or SCTP, port 3868)
    Transport security: RADIUS has optional IPsec; Diameter requires IPsec or Transport Layer Security (TLS)
    Architecture: RADIUS uses a client-server model; Diameter uses a peer-to-peer model
    State: RADIUS is stateless; Diameter is stateful (session ID, transaction status)
    Authentication: RADIUS uses a pre-shared key with PAP, CHAP or EAP, and only client-to-server re-authentication; Diameter uses a pre-shared key or digital certificate with PAP, CHAP or EAP, and mutual re-authentication
    Authorization: RADIUS binds it to re-authentication; Diameter allows re-authorization at any time
    Accounting: real-time accounting in both
    Confidentiality: RADIUS encrypts only the password; Diameter encrypts all data, or the IP header as well (IPsec)
    Integrity: RADIUS poor; Diameter good
    Scalability: RADIUS poor; Diameter good
    Extensibility: RADIUS vendor-specific; Diameter public use
    Security model: RADIUS supports only hop-by-hop security, so every hop can modify information and the change cannot be traced to its origin; Diameter supports end-to-end and hop-by-hop security, and end-to-end security guarantees that information cannot be modified without notice
  • 14. XACML Policy Sample
    <Policy PolicyId="SamplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <!-- This Policy only applies to requests on the SampleServer -->
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
            <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
          </ResourceMatch>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
      <!-- A final, "fall-through" Rule that always Denies -->
      <Rule RuleId="FinalRule" Effect="Deny"/>
    </Policy>
  • 17. 2DES Meet-in-the-Middle Attack: if the DES1-encrypted output of a known plaintext equals the DES2-decrypted output of the matching known ciphertext, then key1 and key2 have been found. Source: www.giac.org/
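To make the slide's point concrete, here is an added example (not from the slide's source) that runs the meet-in-the-middle attack against a constructed 8-bit toy cipher, small enough that both halves of the key space fit in memory: encrypt the known plaintext under every k1, decrypt the known ciphertext under every k2, and match the two tables. Against real 2DES the same idea cuts the work from roughly 2^112 to roughly 2^57 operations, which is why double DES is not used and triple DES is used instead.

```python
# Constructed toy cipher: 8-bit block, 8-bit key, four rounds of XOR with a
# round key, an invertible affine step mod 256 and a 3-bit rotation.
# It is NOT DES; it only keeps the attack cheap enough to run in full.
ROUNDS = 4

def toy_encrypt(key, block):
    x = block & 0xFF
    for r in range(ROUNDS):
        x ^= (key + 37 * r) & 0xFF            # round key
        x = (x * 5 + 113) & 0xFF              # invertible: 5 is odd mod 256
        x = ((x << 3) | (x >> 5)) & 0xFF      # rotate left 3
    return x

def toy_decrypt(key, block):
    x = block & 0xFF
    for r in reversed(range(ROUNDS)):
        x = ((x >> 3) | (x << 5)) & 0xFF      # rotate right 3
        x = ((x - 113) * 205) & 0xFF          # 205 is the inverse of 5 mod 256
        x ^= (key + 37 * r) & 0xFF
    return x

def double_encrypt(k1, k2, block):
    """2DES-style double encryption with two independent keys."""
    return toy_encrypt(k2, toy_encrypt(k1, block))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) candidates from known plaintext/ciphertext pairs.
    Cost: 2 * 256 cipher operations instead of 256 * 256 for brute force.
    Extra pairs weed out false matches that one 8-bit block cannot rule out."""
    m0, c0 = pairs[0]
    forward = {}                              # E_k1(m0) -> every k1 producing it
    for k1 in range(256):
        forward.setdefault(toy_encrypt(k1, m0), []).append(k1)
    found = []
    for k2 in range(256):
        middle = toy_decrypt(k2, c0)          # D_k2(c0) must equal E_k1(m0)
        for k1 in forward.get(middle, []):
            if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:]):
                found.append((k1, k2))
    return found
```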
  • 18. Keyed Hash HMAC Source: http://www.unixwiz.net/
  • 19. Algebraic Cryptanalysis [diagram: a message passed through encryption blocks E]
  • 20. Null Cipher
    "Are you deaf, Father William!" the young man said,
    "Did you hear what I told you just now?
    "Excuse me for shouting! Don't waggle your head
    "Like a blundering, sleepy old cow!
    "A little maid dwelling in Wallington Town,
    "Is my friend, so I beg to remark:
    "Do you think she'd be pleased if a book were sent down
    "Entitled 'The Hunt of the Snark?'"

    "Pack it up in brown paper!" the old man cried,
    "And seal it with olive-and-dove.
    "I command you to do it!" he added with pride,
    "Nor forget, my good fellow, to send her beside
    "Easter Greetings, and give her my love."
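The poem above is Lewis Carroll's acrostic: reading the first letter of each line spells ADELAIDE PAINE. As an added example (not from the slides), this Python extracts such null-cipher text by position, per line or per word, ignoring quotation marks and other punctuation, which is also the kind of check one would run when screening text for hidden messages.

```python
import re

# Lewis Carroll's poem as printed on the slide (stanza break kept as a blank line).
POEM = """\
"Are you deaf, Father William!" the young man said,
"Did you hear what I told you just now?
"Excuse me for shouting! Don't waggle your head
"Like a blundering, sleepy old cow!
"A little maid dwelling in Wallington Town,
"Is my friend, so I beg to remark:
"Do you think she'd be pleased if a book were sent down
"Entitled 'The Hunt of the Snark?'"

"Pack it up in brown paper!" the old man cried,
"And seal it with olive-and-dove.
"I command you to do it!" he added with pride,
"Nor forget, my good fellow, to send her beside
"Easter Greetings, and give her my love."
"""

def null_cipher_letters(text, position=0, unit="line"):
    """Read the hidden text of a null cipher: the letter at `position` of every
    non-empty line (unit="line") or of every word (unit="word"), counting
    letters only so quotes, commas and dashes do not shift the position."""
    if unit == "line":
        chunks = [ln for ln in text.splitlines() if ln.strip()]
    elif unit == "word":
        chunks = text.split()
    else:
        raise ValueError("unit must be 'line' or 'word'")
    hidden = []
    for chunk in chunks:
        letters = re.sub(r"[^A-Za-z]", "", chunk)
        if len(letters) > position:
            hidden.append(letters[position].upper())
    return "".join(hidden)
```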
  • 24. Zachman Framework An Overview of Enterprise Architecture Framework Deliverables by Frank Goethals
  • 27. Common Criteria Flow
    Protection Profile: an implementation-independent statement of security needs for a TOE type (a category of product, i.e. "firewalls")
    Target of Evaluation (TOE): a set of software, firmware and/or hardware, possibly accompanied by guidance (a specific product, i.e. Cisco PIX 5xx)
    Security Target: an implementation-dependent statement of security needs for a specific identified TOE (vendor claims: specifications and features)
    Functional Requirements; Assurance Requirements
  • 28. Implementation of Evaluated Products
    Evaluation: test plan based on stated requirements
    EAL levels: 1 Functionally Tested; 2 Structurally Tested; 3 Methodically Tested; 4 Methodically Designed, Tested, Reviewed; 5 Semiformal testing; 6 Semiformal verification; 7 Formal verification and testing
    Certification: based on the production environment
    Accreditation
  • 33. Expert System Source:idrinfo.idrc.ca
  • 34. Waterfall Method http://www.softwebsolutions.com/our_process.html
  • 35. Spiral Method http://en.wikipedia.org/wiki/Spiral_model
  • 36. Iterative Method Wikipedia
  • 37. Inheritance: parent class Animal declares a virtual function Talk(); child classes Cat and Dog each define their own Talk().
  • 38. Polymorphism
    // The slide's pseudocode written out as a complete Java program
    class Animal {
        public void Talk() { }    // base behaviour; Java methods are virtual by default
    }
    class Dog extends Animal {
        @Override public void Talk() { System.out.println("汪"); }
    }
    class Cat extends Animal {
        @Override public void Talk() { System.out.println("喵"); }
    }
    public class PolymorphismDemo {
        static void AnimalTalk(Animal objSomeAnimal) {
            objSomeAnimal.Talk(); // polymorphism: late binding picks Cat.Talk or Dog.Talk at run time
        }
        public static void main(String[] args) {
            Animal objCat = new Cat();
            Animal objDog = new Dog();
            // Without polymorphism (direct calls)
            objCat.Talk(); // "喵"
            objDog.Talk(); // "汪"
            // With polymorphism
            AnimalTalk(objCat); // "喵"
            AnimalTalk(objDog); // "汪"
        }
    }
    • In this example the AnimalTalk procedure accepts a parameter named objSomeAnimal of type Animal, so at run time we can pass classes derived from Animal such as Cat or Dog. The advantage of this design is that you can add new classes derived from Animal without changing the client code in the AnimalTalk procedure.
  • 40. LRCI
  • 41. EnCase – File System
  • 48. Link Layer Encryption vs. End-to-end Encryption
  • 50. MPLS http://www.isoc.org/
  • 51. IPSec Mode - Concise http://technet.microsoft.com/en-us/library/cc759130(WS.10).aspx#w2k3tr_ipsec_how_vvlc
  • 52. PPTP and L2TP Data Format
  • 53. Smurf http://www.techexams.net
  • 55. Routing Protocols (source: Cisco Certified Network Associate Study Guide)
    Columns: protocol; open standard; max hop count; classless; authentication; category; network scope
    RIPv1: RFC 1058; 15; No; None; Interior, distance vector; Small
    RIPv2: RFC 2453; 15; Yes; Password, MD5; Interior, distance vector; Small/Medium
    IGRP: Cisco; 255; No; None; Interior, distance vector; Small
    EIGRP: Cisco; 255; Yes; Password, MD5; Interior, hybrid; Large
    OSPF: RFC 2328; none; Yes; Password, MD5; Interior, link-state; Large, heterogeneous
    ISIS: ISO 10589; (not listed); Yes; Password; Interior, link-state; Large
    EGP: (not listed); (not listed); (not listed); (not listed); Exterior, distance vector; AS to AS
    BGP: RFC 1771; (not listed); CIDR; MD5; Exterior, distance vector; AS to AS
  • 56. Subnetting vs. supernetting [diagram: one Class C network divided into subnets, versus 8 contiguous Class C networks aggregated into one supernet] http://medusa.sdsu.edu/network/CS576/Lectures/ch05_Subnetting.pdf
  • 57. VPN – Site to Site
  • 59. War Dialer - PhoneSweep
  • 66. BCP
  • 67. BIA fields: Process Owner; Impact; Business Activity; Geographic Extent; Timescale; MTPD; RPO
  • 69.
  • 72. Scope
  • 73. BCM is a Balancing Act (cont.) [chart: cost/loss against time; the cost curve of a high-cost recovery strategy and the loss curve of a high-loss disruption cross at the optimal point, beyond which the business is lost]
  • 75. OS
  • 76. Heat and cool air http://www.adc.com/us/en/Library/Literature/102264AE.pdf
  • 77. Data loss on transportation