1. Ivo Depoorter

2. Whois I
 Functions
 Sysadmin, DBA, CIO, ADP instructor, SSO,
Security consultant
 Career (20 y)
 NATO – Local government – Youth care
 Training
 Lots of Microsoft, Linux, networking,
programming…
 Security: Site Security Officer, CISSP, BCM,
Ethical Hacking, network scanning,…

3. Course outline
 Information security?
 Security Why?
 Security approach
 Vocabulary
 The weakest link
 Real life security sample

4. Information security?
According to Wikipedia, ISO2700x, CISSP,
SANS,….
 Confidentiality: Classified information must, be protected
from unauthorized disclosure.
 Integrity: Information must be protected against
unauthorized changes and modification.
 Availability: the information processed, and the services
provided must be protected from deliberate or accidental
loss, destruction, or interruption of services.

5. Information security?
Security attributes according to the Belgian
privacycommission
 Confidentiality
 Integrity
 Availability
+
 Accountability
 Non-repudiation
 Authenticity
 Reliability

6. CIA Exercise
Defacing of Belgian Army website

7. CIA Exercise
 Confidentiality
 ??
 Webserver only hosting public information?
 Webserver separated from LAN?
 Integrity
 Unauthorized changes!
 Availability
 Information is no longer available

8. Security Why?
 Compliance with law
 Protect (valuable) assets
 Prevent production breakdowns
 Protect reputation, (non-)commercial image
 Meet customer & shareholder requirements
 Keep personnel happy

9. Security approach
 Both technical and non-technical countermeasures.
 Top-management approval and support!
 Communicate!
 Information security needs a
layered approach!!!
 Best practices
 COBIT
Control Objectives for Information and related Technology
 ISO 27002 (ISO 17799)
Code of practice for information security management
 …..

10. ISO 27002
 Section 0 Introduction
 Section 1 Scope
 Section 2 Terms and Definitions
 Section 3 Structure of the Standard
 Section 4 Risk Assessment and Treatment
 Section 5 Security Policy
 Section 6 Organizing Information Security
 Section 7 Asset Management
 Section 8 Human Resources Security
 Section 9 Physical and Environmental Security
 Section 10 Communications and Operations Management
 Section 11 Access Control
 Section 12 Information Systems Acquisition, Development and
Maintenance
 Section 13 Information Security Incident Management
 Section 14 Business Continuity Management
 Section 15 Compliance

11. ISO 27002 - Example
Security audit local government > 500 employees
Technique: Social Engineering
10 Procedures 9 Physical access 11 Logical access 15 Internal audit

12. Security vocabulary - Threat
 A potential cause of an unwanted incident, which may
result in harm to individuals, assets, a system or
organization, the environment, or the community.
(BCI)
 Samples:
 Fire
 Death of a key person (SPOK or Single Point of Knowledge)
 Crash of a critical network component e.g. core switch (SPOF: single
point of failure)
 …

13. Security vocabulary - Damage
 Harm or injury to property or a person, resulting in loss of
value or the impairment of usefulness
 Damage in information security:
 Operational
 Financial
 Legal
 Reputational
 Damage defaced Belgian Army website?
 Operational: probably (temporary frontpage, patch management,….)
 Financial: probably (training personnel, hiring consultancy,….)
 Legal: probably (lawsuit against external responsible?)
 Reputational: certainly!

14. Security vocabulary - Risk
 Combination of the probability of an event and its
consequence.
 Risk components
 Threat (probability)
 Damage (amount)
 Example:
Damage
Process Threat O F L R Max impact Probability Risk
Food freezing Electricity Failure > 24 h 4 3 2 2 4 2 8

15. The Zen of Risk
 What is just the right amount of security?
 Seeking Balance between
Security (Yin) and Business (Yang)
Potential Loss Cost
Countermeasures Productivity

16. Security vocabulary - AAA
 Authentication: technologies used to determine the
authenticity of users, network nodes, and documents
 Authorization: who is allowed to do what?
 Accountability: is it possible to find out who has made
any operations?
• Strong authentication
(two-factor or multifactor)
• Something you know (password, PIN,…)
• Something you have (token,…)
• Something you are (fingerprint, …)

17. The weakest link
Countermeasures:
• Force password policy on
server
• Train personnel
• Use strong authentication
• …
SEC_RITY is not complete without U!

18. The weakest link
Countermeasures:
• Implement security & access
policies
• Job rotation
• Encryption
• Employee awareness training
• Audit trail of all accesses to
documents
• ….
Amateurs hack systems, professionals hack people!

19. Hacking steps
Step Countermeasures (short list)
1. Reconnaissance Be careful with information
2. Network mapping Network IDS – block ICMP
3. Exploiting System hardening
4. Keeping access IDS – Antivirus – rootkit scanners
5. Covering Tracks
Reconnaissance (information gathering):
Searching interesting information on discussion groups/forum,
social networks, customer reference lists, Google hacks…

20. Real life security sample
High security (war)zone
Illiterate (local) cleaning
personnel
(Use opportunities!!!)
LAN WWW
Physical security:
• Personnel clearance >2m
• Physical control
• Pc placement (shoulder surfing)
• Clean desk policy
• Shredder Tempest!!!
• Lock screen policy
Logical security
• Fiber to pc
• VLAN’s
• Password policy
• …

21. We learned….
 Security is CIA(+)
 Why: law, reputation, production continuity,…
 Approach: layered, technical & non-technical, support
from CEO, lots of communication
 Vocabulary: threat, damage, risk, (strong)authentication,
authorization, accountability
 Risk = threat * damage
 Security balance: loss vs. cost
& countermeasures vs. productivity
 The weakest link is personnel!
 A hacker starts with information gathering