Ernest Staats MSIA, CISSP, CEH…
estaats@Networkpaladin.org
https://networkpaladin.org
https://tinyurl.com/y5jx76cw
LEGAL DISCLAIMER:
Nothing in this handout or presentation constitutes legal advice.
The information in this presentation was compiled from sources
believed to be reliable for informational purposes only. Any and
all information contained herein is not intended to constitute
legal advice. You should consult with your own attorneys when
developing programs and policies.
We do not guarantee the accuracy of this information or any
results and further assume no liability in connection with this
publication including any information, methods or safety
suggestions contained herein.
SUSTAINABLE CYBERSECURITY
Starts at Administration & is:
• Cultural not technical
• Based on need not vendor features
• Iterative & Continuous
• Built around accountability
• Repeatable & scalable
• Balanced – cost/risk vs reward
• Documented & auditable
DATA PROTECTION STEERING COMMITTEE
See TOR & Policy Templates
Departments / Missions affected:
• Treasury
• Legal
• Compliance
• HR
• Marketing
• IT/InfoSec
Who will lead the security and the privacy elements?
SUSTAINABILITY RELIES ON: PEOPLE, PROCESS, TECHNOLOGY
Policies set the framework to align People, Process and Technology.
• Responsibilities must be understood
• Processes reflect the needs of People in relation to policies & Technology
• Reduce reliance and burden on people
LESS IS MORE
• 50% of organizations use anywhere from 6 to 20 security vendors
• Gaps in detections are largely due to an “overabundance of alerts”
• Look for overlaps and eliminate
CART BEFORE …
• Rather than evaluating the solution provided by vendors, leaders should assess the value of a product in relation to their People, Process & Risk.
• Build your list of needs / requirements and evaluate all vendors based on your needs, not their special sauce.
• Prioritize security in the context of Ministry enablement, financial costs, & risk mitigation to justify investments.
NO BUSINESS VALUE = NO VALUE
• Know what business value you have had in the last 6 months
• What have you done that has impacted how a department works?
• Not maintenance or security value
A-I-C ORDER MATTERS
• Availability: a guarantee of reliable access to the information by authorized people
• Integrity: the assurance that the information is trustworthy and accurate
• Confidentiality: a set of rules that limits access to information
THE ANSWER: A Standard & Drills (verification)
1. National Institute of Standards and Technology (NIST)
   NIST Cybersecurity Framework, NIST Risk Management Framework
   http://www.nist.gov/
2. Center for Internet Security (CIS)
   CIS Critical Security Controls
   http://www.cisecurity.org/
3. International Organization for Standardization (ISO)
   ISO 27000-series publications
   http://www.iso.org/
4. CySAFE
   Combines NIST, CIS, and ISO, taking the best of each without duplication
   Edits: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
YOUR FRAMEWORK
• Support Mission – Business Goals
• Sufficient detail to support regulation & compliance requirements
• Be implementable
• Be measurable
• Be documentable
• Be defensible (auditable)
CIS FIRST 6
Prevent up to 90% of attacks
Control 1: Inventory and Control of Hardware Assets
Control 2: Inventory and Control of Software Assets
Control 3: Continuous Vulnerability Management
Control 4: Controlled Use of Administrative Privilege
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 6: Maintenance, Monitoring and Analysis of Audit Logs
SELF ASSESSMENT: “CYSAFE” OR CIS TOP 20
CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
CIS Top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh
RISK MANAGEMENT SHOULD:
• Support the strategic objectives
• Enhance institutional decision-making
• Create a “risk-aware” culture
• Reduce operational surprises and losses
• Assure greater business continuity
• Improve use of funding by aligning resources with objectives
• Bridge departmental silos
Observe: Identify Risk
Orient: Categorize & Prioritize
Decide: Select & Implement Controls
Act: Manage, Assess, & Monitor
FACTORS THAT CAN CAUSE FAILURE
• Complexity (Overlapping Solutions)
• Focus on Technology (Bright Shiny Object Disease)
• Lack of Understanding of Risk (Fear vs Reality)
• Lack of Cyber Security Staff
CONTROLS TO BUILD YOUR FRAMEWORK
• HAVE A Plan & Document your plan
• Change Management Example: https://tinyurl.com/yyq6feyz
• Freedcamp
• Reading ideas: “Phoenix Project”, “Extreme Ownership”, “Radical Candor”
Top Cyber Incident Pain Points
1. No business impact when determining courses of action
2. Lack cross-organizational considerations
3. Limited data classification
4. Ill-defined processes (aka “pre-thought use cases”)
5. No defined step-by-step procedures
6. No defined event terminology between responders
7. No defined thresholds between events and incidents
8. No pre-determined (aka “pre-canned”) external communications
9. Lack of exercise of “memory muscle”
MY TYPICAL RECOMMENDATIONS
• Password / Privilege Access Management
• Train Users
• Monitor and Log Everything
• Pick a framework (NIST OR CIS OR CySAFE)
• Check Firewall ports (Outgoing)
• Assess & Document your world
• Server Vulnerability (SVA) & Network Vulnerability (NVA) Assessments
• Know what is being leaked: IoT & Shadow IT
  https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
BETTER LEADERSHIP
• Empower through conversations
• Use mission terminology
• Define metrics
• Find the root cause (Toyota “5-Whys”)
• Tech is a TOOL, not a purpose
• Try device-free meetings
• Control interruptions
• Find time to daydream
DELIVERABLES
Firewall & Network setups: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
Cloud security: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
Protocols and ports that need attention: https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
Authentication best practices: https://drive.google.com/file/d/1TyMTbghiOSqtuZv7c-CqmurPiqcPdRpV/view?usp=sharing
Server and network rights: https://drive.google.com/file/d/130tcLpGBPE2Q4aYjknG7xaiIkK0CJPsq/view?usp=sharing
Servers: https://drive.google.com/file/d/197jsrcHo4Izx9pWw7nv3dj01BIf0LiNl/view?usp=shari
TOOL TIME:
Root Folder on G-Drive: https://drive.google.com/drive/folders/1t4zZbe3bZb7yuZFNRZnSYOpfru_uzHpP?usp=sharing
Throughput Testing: https://drive.google.com/drive/folders/1qcGAwBGfRB8-BV34kZjY6uPE-_gK9qL6?usp=sharing
Network Mapping resources: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
CIS top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh
3rd Party Vendor Vetting: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=
PERSONAL DATA PRIVACY HANDOUT
https://tinyurl.com/DataPri
TIPS FOR HOTEL SECURITY
https://www.youtube.com/watch?v=M0GGHIjShh4
HOW TO LEAD LIKE A SUPERHERO
• Listen harder than normal people do
• Help people even if you do not know them
• Focus on the needs of others more than your own
• Be creative in your efforts to save the day
• Be relentlessly optimistic
• Maintain a great sense of urgency
• Never tolerate bullies
• Don't stop trying until the job is done
• Know your Achilles Heel
“LIVING OFF THE LAND”
• Windows 10 PowerShell, WMI, the Windows Scripting Host
• Microsoft Office “macros”
2018 TRENDS TO KNOW: WHAT DO WE SEE
• Stolen (reused bad passwords)
• Phishing – Email is King
• ADMINS: too many
IOT HACKED DEVICES AND PORTS
FIGURE 1-1: COMPONENTS OF INFORMATION SECURITY
FOUNDATION FOR PROTECTING INFORMATION
• Security/Privacy Program
• Data Discovery / Classification
• Monitor & Breach Response
DESIGN: DATA PRIVACY (1/2)
Where should I go to understand critical regulation?
• Industry
• Local
• Multinational
How can I check whether my disclosures work?
• Ask them
• Reading level calculator
Additional resources:
• Impact of GDPR on financial services
• PCI FAQ
• Reading level calculator (also MS Office tools)
DATA PRIVACY (2/2)
What does “good” look like when it comes to data privacy?
Overall best practices across Capture, Usage, and Retention & Erasure:
Be extremely transparent (people don’t typically read disclosures)
• Always obtain consent to access and use personal data
• When obtaining consent, think of the people – easy to read, jargon-free, mobile friendly
• Share how providing data helps them
• High-level and detailed versions
• Tell customers what data will be retained, for how long, and in what form:
  - De-identified vs. identified
  - Single data pull vs. ongoing feed
  - Physical vs. electronic
Keep all data confidential (especially with personal data, maintaining confidentiality preserves trust)
• Check personal disclosures of data acquired from partners
• Highlight confidentiality when acquiring data
• Be particularly careful with identity
• Proactively notify people when sharing their data with 3rd parties
• Only use the data for its intended purpose
• Upon erasure, ensure data is completely deleted across where it’s stored – incl. with partners, redundant servers, etc.
Let customers “own” their data (whether or not this is legally the case; to maintain their trust, act as if their data is their own)
• Where possible, allow people to opt-out of specific data access
• Where possible, allow people to opt-out of specific data uses
• Have a process for people to request updates to, correction of, or erasure of their information
• Have a process to withdraw consent
Take, keep, and use only what’s valuable (all data carries risk)
• Don’t collect all data for all people – identify the pieces which drive the most value, and don’t collect the rest
• Be particularly conscious of regulation when using sensitive classifications
• “Sunshine test”
• Set a retention policy for customer data
• Have a “what data should we keep” process
SOFTWARE SECURITY
How do I balance speed and security?
• Focus on the right level of technical security for your stage
• See “Balancing Speed & Security” article
What types of security testing should I be using?
• Automated – before you deploy
• Black box 2x/year
• White box every 2 years
What are the most common & dangerous software security risks?
• See OWASP Top 10 article
Additional resources:
• OWASP Top 10 2017
• Balancing speed & security
• Security 101 for startups
• Security testing types
• Security fatigue
INFRASTRUCTURE SECURITY (1/2)
Is outsourcing infrastructure or insourcing more secure?
• Often, outsourcing will be best
• Specific situations may change this
If I do outsource how can I ensure I’m protected?
• Cloud providers offer:
  - Logging and monitoring with controls
  - Identity & access management
  - Encryption of data at-rest
• See the “AWS Security features”
Additional resources:
• Full Infrastructure Checklist
• AWS security features and AWS security best practices whitepaper
• Azure security features
• Cisco Checklist
• OWASP Top 10 2017
INFRASTRUCTURE SECURITY (2/2)
What are some general best-practices for infrastructure security?
General infrastructure
• Enable cloud infrastructure default security options
• Back up data at minimum daily, but limit redundancies
• Encrypt data while at rest and while in-transit
• Periodically purge data
• Have a BC/DR technology solution and plan
• Implement patches for known vulnerabilities as soon as possible
Passwords & network access
• Use a password manager
• Password reset
• Tiered access levels
• Require a secure VPN
Scanning & monitoring
• Implement a simple logging function
• Include relevant data
• Create lockout thresholds
PARTNER MANAGEMENT
Steps for partner vetting
• Pre-contract checks
  - What are their encryption practices?
  - Have they ever had a breach?
  - Service-level agreements (SLAs)
  - SLAs should be included in data policy
  - Ability to audit & request specific security standards
How do I ensure my partner management is successful?
• Learn from partners’ suggestions
• Continuous monitoring & review
Additional resources:
• Best practices to reduce third-party cybersecurity risk
• Approaching data security in a fintech-friendly world
• Steps to mitigate 3rd party cybersecurity threats
Vendor Industry Templates: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
CULTURE
What does a best in class data protection culture look like?
Key beliefs, and the practices that reinforce them:
All users need to be aware and careful of security issues
• Data protection newsletter
  - Current events – share one article and how it relates to the company
  - Employee highlight – public recognition for those who surface issues
• Accountable executive for data protection is not just responsible for technology
  - Have non-technical (i.e. not IT) people train employees on data protection
Be open and transparent
• Celebrate employees who surface issues – publicly recognize people
• Don’t punish people
Data protection is an ongoing effort
• Blame-free post-mortems
• Ongoing “security tracker”
More sharing = more risk
• Limit partner integrations
DATA MANAGEMENT
What are some best practice processes for data protection?
Development
• Regular penetration testing (3-6mo black box, 12mo white box)
• Security review as part of SDLC
Hiring and firing
• Do reference checks on developers and employees
• Ensure digital “locks changed” when employees leave
Reviews
• Hold regular data protection reviews (quarterly)
Miscellaneous
• Do not use USB drives
• Encourage auto-lock of laptops (after 5 minutes)
• Have automatic locks on your office doors and server rooms
• Train employees to not use risky websites
Additional resources:
• Security 101 for startups
• What is social engineering?
TRAINING
What content should I include in my data protection trainings?
All staff – Onboarding:
• Our data security culture
  - Why it’s important
  - Key processes to prevent + report issues
  - Key components of the data policy
  - Role-based guidelines
  - Initial data privacy training
• Types of threats and how we mitigate
• Key data elements
All staff – Ongoing:
• To be conducted on a regular basis
• Regular trainings
• After a breach:
  - Cover post-mortem of the breach
  - Opportunity for Q&A
Engineering, IT, Data science – Onboarding (in addition to the above):
• Legislative & regulatory environment
• Communication & feedback loops
• Where security sits in all processes
• Roles & responsibilities
• Monitoring and maintenance
Engineering, IT, Data science – Ongoing:
• Updates to data architecture and procedures
• Changing Data security procedures
• Legislative or regulatory changes
BREACH RESPONSE (1/3)
What is a data security breach?
• What is a Breach?
• Can be done locally or remotely
What should be included in a security breach response plan?
1. Identification & Risk Assessment
   • Understand extent of breach
   • Assess risks from breach
   • Form team to lead resolution
2. Containment & Resolution
   • Contain breach, limit damage
3. Evaluation & Improvement
   • Review causes of breach
   • Understand consequences
   • Make process, tech changes
4. Communication
   • Plan and execute communication to employees and external parties
Additional resources:
• Data breaches 101
• Detailed guide for cybersecurity event recovery
BREACH RESPONSE (2/3)
What are best practices in each phase of a breach response?
1. Identification & Risk Assessment
Key questions:
• Understand extent of breach
  - What personal data?
  - What was the cause?
  - How many people?
• Assess risks from breach
  - What potential for harm?
  - Strategic & financial risks?
  - Legal or compliance risks?
  - Reputational risks?
  - Financial risks?
• Form team to lead resolution
  - Who will be accountable?
  - Employees needed?
  - How often will the team meet?
Best practices:
• Initial identification of severity may be incomplete, so be thorough
• Key people to include on team:
  - Executive
  - Legal counsel
2. Containment & Resolution
Key questions:
• Contain breach, limit damage
  - Are we still vulnerable?
  - What systems changes?
  - What process changes?
  - How to recover data?
3. Evaluation & Improvement
Key questions:
• Review causes of breach – “post-mortem”
  - Vulnerabilities that enabled the breach
  - What other similar vulnerabilities?
• Understand consequences
  - What consequences occurred?
• Make process, tech changes
  - Tech solutions or process changes
  - Need to modify our data policy?
  - What training is needed?
  - What is the cost to make these changes?
Best practices:
• Don’t limit evaluation and improvements
• Blame-free post-mortems
• Include people from across the
BREACH RESPONSE (3/3)
What communication is appropriate at each stage of breach response?
Stages:
1. Identification & Risk Assessment – understand extent of breach; assess risks from breach; form team to lead resolution
2. Containment & Resolution – contain breach, limit damage
3. Evaluation & Improvement – review causes of breach; understand consequences; make process, tech changes
Internal:
• Notify groups who interact with external parties
• Include critical teams
  - C-Suite, Legal, Technology, PR (if applicable)
  - Board of directors
• Communicate to employees
• Provide regular updates to leadership, legal until issues are resolved
• Post-mortem is non-punitive
• Include description of what happened
• Communicate about process and technology changes
External:
• Be careful about what you communicate
• Speak to all relevant external parties
• Always review with legal
• When you communicate, include all key information
  - Data involved
  - Action taken
  - Specific and clear advice
• Provide ongoing

IT Staff NDA Template Employee Confidentiality Agreement
 
Cy safe 2.0_workbook
Cy safe 2.0_workbookCy safe 2.0_workbook
Cy safe 2.0_workbook
 
Parenting and the media challenge
Parenting and the media challengeParenting and the media challenge
Parenting and the media challenge
 
How to use technology in ministry & parenting
How to use technology in ministry & parentingHow to use technology in ministry & parenting
How to use technology in ministry & parenting
 
Idwg bimonthly security exchange cyber only section
Idwg bimonthly security exchange cyber only sectionIdwg bimonthly security exchange cyber only section
Idwg bimonthly security exchange cyber only section
 
Data Detox Kit Optimized
Data Detox Kit Optimized Data Detox Kit Optimized
Data Detox Kit Optimized
 
GDPR Benefits and a Technical Overview
GDPR  Benefits and a Technical OverviewGDPR  Benefits and a Technical Overview
GDPR Benefits and a Technical Overview
 
Compter Forensics Intro for Students
Compter Forensics Intro for Students Compter Forensics Intro for Students
Compter Forensics Intro for Students
 
Risk Management Approach to Cyber Security
Risk Management  Approach to Cyber Security Risk Management  Approach to Cyber Security
Risk Management Approach to Cyber Security
 
Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vid
 
Securely Erase your Device
Securely Erase your DeviceSecurely Erase your Device
Securely Erase your Device
 
Border crossing mobile social media life-saving security tips
Border crossing mobile social media life-saving security tipsBorder crossing mobile social media life-saving security tips
Border crossing mobile social media life-saving security tips
 
Social & mobile security
Social & mobile securitySocial & mobile security
Social & mobile security
 
Social mobile safety
Social mobile safetySocial mobile safety
Social mobile safety
 
Using social media to boost your ministrys online presence
Using social media to boost your ministrys online presence Using social media to boost your ministrys online presence
Using social media to boost your ministrys online presence
 
Social media How to Step by Step
Social media How to Step by StepSocial media How to Step by Step
Social media How to Step by Step
 

Último

Day 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC BootcampDay 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC BootcampPLCLeadershipDevelop
 
Call now : 9892124323 Nalasopara Beautiful Call Girls Vasai virar Best Call G...
Call now : 9892124323 Nalasopara Beautiful Call Girls Vasai virar Best Call G...Call now : 9892124323 Nalasopara Beautiful Call Girls Vasai virar Best Call G...
Call now : 9892124323 Nalasopara Beautiful Call Girls Vasai virar Best Call G...Pooja Nehwal
 
Continuous Improvement Infographics for Learning
Continuous Improvement Infographics for LearningContinuous Improvement Infographics for Learning
Continuous Improvement Infographics for LearningCIToolkit
 
internal analysis on strategic management
internal analysis on strategic managementinternal analysis on strategic management
internal analysis on strategic managementharfimakarim
 
operational plan ppt.pptx nursing management
operational plan ppt.pptx nursing managementoperational plan ppt.pptx nursing management
operational plan ppt.pptx nursing managementTulsiDhidhi1
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girladitipandeya
 
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, MumbaiPooja Nehwal
 
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Call Now Pooja Mehta : 7738631006 Door Step Call Girls Rate 100% Satisfactio...
Call Now Pooja Mehta :  7738631006 Door Step Call Girls Rate 100% Satisfactio...Call Now Pooja Mehta :  7738631006 Door Step Call Girls Rate 100% Satisfactio...
Call Now Pooja Mehta : 7738631006 Door Step Call Girls Rate 100% Satisfactio...Pooja Nehwal
 
Does Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptxDoes Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptxSaqib Mansoor Ahmed
 
situational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima Ssituational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima Smisbafathima9940
 
Reviewing and summarization of university ranking system to.pptx
Reviewing and summarization of university ranking system  to.pptxReviewing and summarization of university ranking system  to.pptx
Reviewing and summarization of university ranking system to.pptxAss.Prof. Dr. Mogeeb Mosleh
 

Último (20)

Intro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptxIntro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptx
 
Day 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC BootcampDay 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC Bootcamp
 
Leadership in Crisis - Helio Vogas, Risk & Leadership Keynote Speaker
Leadership in Crisis - Helio Vogas, Risk & Leadership Keynote SpeakerLeadership in Crisis - Helio Vogas, Risk & Leadership Keynote Speaker
Leadership in Crisis - Helio Vogas, Risk & Leadership Keynote Speaker
 
Peak Performance & Resilience - Dr Dorian Dugmore
Peak Performance & Resilience - Dr Dorian DugmorePeak Performance & Resilience - Dr Dorian Dugmore
Peak Performance & Resilience - Dr Dorian Dugmore
 
Imagine - Creating Healthy Workplaces - Anthony Montgomery.pdf
Imagine - Creating Healthy Workplaces - Anthony Montgomery.pdfImagine - Creating Healthy Workplaces - Anthony Montgomery.pdf
Imagine - Creating Healthy Workplaces - Anthony Montgomery.pdf
 
Call now : 9892124323 Nalasopara Beautiful Call Girls Vasai virar Best Call G...
Call now : 9892124323 Nalasopara Beautiful Call Girls Vasai virar Best Call G...Call now : 9892124323 Nalasopara Beautiful Call Girls Vasai virar Best Call G...
Call now : 9892124323 Nalasopara Beautiful Call Girls Vasai virar Best Call G...
 
Continuous Improvement Infographics for Learning
Continuous Improvement Infographics for LearningContinuous Improvement Infographics for Learning
Continuous Improvement Infographics for Learning
 
internal analysis on strategic management
internal analysis on strategic managementinternal analysis on strategic management
internal analysis on strategic management
 
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Imagine - HR; are handling the 'bad banter' - Stella Chandler.pdf
Imagine - HR; are handling the 'bad banter' - Stella Chandler.pdfImagine - HR; are handling the 'bad banter' - Stella Chandler.pdf
Imagine - HR; are handling the 'bad banter' - Stella Chandler.pdf
 
operational plan ppt.pptx nursing management
operational plan ppt.pptx nursing managementoperational plan ppt.pptx nursing management
operational plan ppt.pptx nursing management
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls Ameerpet high-profile Call Girl
 
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
 
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
 
Becoming an Inclusive Leader - Bernadette Thompson
Becoming an Inclusive Leader - Bernadette ThompsonBecoming an Inclusive Leader - Bernadette Thompson
Becoming an Inclusive Leader - Bernadette Thompson
 
Call Now Pooja Mehta : 7738631006 Door Step Call Girls Rate 100% Satisfactio...
Call Now Pooja Mehta :  7738631006 Door Step Call Girls Rate 100% Satisfactio...Call Now Pooja Mehta :  7738631006 Door Step Call Girls Rate 100% Satisfactio...
Call Now Pooja Mehta : 7738631006 Door Step Call Girls Rate 100% Satisfactio...
 
LoveLocalGov - Chris Twigg, Inner Circle
LoveLocalGov - Chris Twigg, Inner CircleLoveLocalGov - Chris Twigg, Inner Circle
LoveLocalGov - Chris Twigg, Inner Circle
 
Does Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptxDoes Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptx
 
situational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima Ssituational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima S
 
Reviewing and summarization of university ranking system to.pptx
Reviewing and summarization of university ranking system  to.pptxReviewing and summarization of university ranking system  to.pptx
Reviewing and summarization of university ranking system to.pptx
 

A guide to Sustainable Cyber Security

  • 1. Ernest Staats MSIA, CISSP, CEH… estaats@Networkpaladin.org https://networkpaladin.org https://tinyurl.com/y5jx76cw
  • 2. LEGAL DISCLAIMER: Nothing in this handout or presentation constitutes legal advice. The information in this presentation was compiled from sources believed to be reliable for informational purposes only. Any and all information contained herein is not intended to constitute legal advice. You should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication including any information, methods or safety suggestions contained herein.
  • 3. SUSTAINABLE CYBERSECURITY starts at Administration & is:
    • Cultural not technical
    • Based on need not vendor features
    • Iterative & Continuous
    • Built around accountability
    • Repeatable & scalable
    • Balanced – cost/risk vs reward
    • Documented & auditable
  • 4. DATA PROTECTION STEERING COMMITTEE (see TOR & Policy Templates)
    • Treasury
    • Legal
    • Compliance
    • HR
    • Marketing
    • IT/InfoSec
    • Departments / Missions affected
    • Who will lead the security and the privacy elements
  • 5. SUSTAINABILITY RELIES ON: People, Process & Technology
    • Policies set the framework to align People, Process and Technology
    • Processes reflect the needs of People in relation to policies & Technology
    • Responsibilities must be understood
    • Reduce reliance and burden on people
  • 6. LESS IS MORE
    • 50% of organizations use anywhere from 6 to 20 security vendors
    • Gaps in detection are largely due to an "overabundance of alerts"
    • Look for overlaps and eliminate them
  • 7.
  • 8. CART BEFORE …
    • Rather than evaluating the solution provided by vendors, leaders should assess the value of a product in relation to their People, Process & Risk.
    • Build your list of needs / requirements and evaluate all vendors based on your needs, not their special sauce
    • Prioritize security in the context of Ministry enablement, financial costs, & risk mitigation to justify investments
  • 9. NO BUSINESS VALUE = NO VALUE
    • Know what business value you have delivered in the last 6 months
    • What have you done that has impacted how a department works?
    • Not maintenance or security value
  • 10. A-I-C ORDER MATTERS
    • Availability: a guarantee of reliable access to the information by authorized people
    • Integrity: the assurance that the information is trustworthy and accurate
    • Confidentiality: a set of rules that limits access to information
  • 11. THE ANSWER: A Standard & Drills (verification)
    1. National Institute of Standards and Technology (NIST): NIST Cybersecurity Framework, NIST Risk Management Framework http://www.nist.gov/
    2. Center for Internet Security (CIS): CIS Critical Security Controls http://www.cisecurity.org/
    3. International Organization for Standardization (ISO): ISO 27000-series publications http://www.iso.org/
    4. CySAFE: combines NIST, CIS, and ISO, taking the best of each without duplication. Edits: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
  • 12. YOUR FRAMEWORK should:
    • Support Mission / Business Goals
    • Have sufficient detail to support regulation & compliance requirements
    • Be implementable
    • Be measurable
    • Be documentable
    • Be defensible (auditable)
  • 13. CIS FIRST 6: prevent up to 90% of attacks
    • Control 1: Inventory and Control of Hardware Assets
    • Control 2: Inventory and Control of Software Assets
    • Control 3: Continuous Vulnerability Management
    • Control 4: Controlled Use of Administrative Privilege
    • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
    • Control 6: Maintenance, Monitoring and Analysis of Audit Logs
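Controls 1 and 2 above come down to one recurring check: compare what you believe you own against what is actually on the network and installed on hosts, and chase every difference. The script below is an added example, not code from the deck or from CIS; the inventory, DHCP lease export and installed-software lists are constructed sample data, and the field names are this example's own assumption.

```python
"""Reconcile an authorized asset inventory against what is actually observed
(CIS Controls 1 and 2). All sample data below is constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    hostname: str
    owner: str = "unassigned"


# Constructed: the approved hardware inventory (what IT thinks it owns).
AUTHORIZED_DEVICES = {
    Device("aa:bb:cc:00:00:01", "fin-laptop-01", "treasury"),
    Device("aa:bb:cc:00:00:02", "hr-desktop-02", "hr"),
    Device("aa:bb:cc:00:00:03", "srv-files-01", "it"),
}

# Constructed: what a DHCP lease export or ARP sweep actually reported.
OBSERVED_LEASES = [
    {"mac": "aa:bb:cc:00:00:01", "hostname": "fin-laptop-01"},
    {"mac": "AA:BB:CC:00:00:03", "hostname": "srv-files-01"},   # case differs, same device
    {"mac": "de:ad:be:ef:00:99", "hostname": "android-7f2c"},   # nobody authorized this
]

# Constructed: approved software titles and a per-host installed-software export.
SOFTWARE_ALLOWLIST = {"Microsoft Office", "Google Chrome", "Password Manager"}
INSTALLED_SOFTWARE = {
    "fin-laptop-01": {"Microsoft Office", "Google Chrome", "TeamViewer"},
    "srv-files-01": {"Backup Agent"},
}


def reconcile_hardware(authorized, observed):
    """Return (unknown, missing): MACs seen but not authorized, and authorized
    devices that were not seen (possibly lost, stolen, or simply offline)."""
    auth_by_mac = {d.mac.lower(): d for d in authorized}
    seen = {o["mac"].lower() for o in observed}
    unknown = sorted(o["mac"].lower() for o in observed if o["mac"].lower() not in auth_by_mac)
    missing = sorted(d.hostname for d in authorized if d.mac.lower() not in seen)
    return unknown, missing


def reconcile_software(allowlist, installed_by_host):
    """Return {host: sorted unauthorized titles} for every host with anything off-list."""
    findings = {}
    for host, titles in installed_by_host.items():
        extra = sorted(t for t in titles if t not in allowlist)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    unknown, missing = reconcile_hardware(AUTHORIZED_DEVICES, OBSERVED_LEASES)
    print("Unknown devices on network:", unknown)
    print("Authorized devices not seen:", missing)
    print("Unauthorized software:", reconcile_software(SOFTWARE_ALLOWLIST, INSTALLED_SOFTWARE))
```

Both lists are worth acting on: an unknown MAC is a device to find and either enroll or remove, and an authorized device that never shows up is how lost or stolen hardware gets noticed before its owner reports it. Run this on a schedule and keep the output, and you also have the audit evidence Control 6 asks for.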
  • 14. SELF ASSESSMENT: "CYSAFE" OR CIS TOP 20
    • CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
    • CIS Top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh
  • 15. RISK MANAGEMENT SHOULD:
    • Support the strategic objectives
    • Enhance institutional decision-making
    • Create a "risk-aware" culture
    • Reduce operational surprises and losses
    • Assure greater business continuity
    • Improve use of funding by aligning resources with objectives
    • Bridge departmental silos
    Risk cycle:
    • Observe: Identify Risk
    • Orient: Categorize & Prioritize
    • Decide: Select & Implement Controls
    • Act: Manage, Assess, & Monitor
  • 16. FACTORS THAT CAN CAUSE FAILURE
    • Complexity (Overlapping Solutions)
    • Focus on Technology (Bright Shiny Object Disease)
    • Lack of Understanding of Risk (Fear vs Reality)
    • Lack of Cyber Security Staff
  • 17. CONTROLS TO BUILD YOUR FRAMEWORK
    • HAVE A plan & document your plan
    • Change Management example: https://tinyurl.com/yyq6feyz
    • Freedcamp
    • Reading ideas: "Phoenix Project", "Extreme Ownership", "Radical Candor"
  • 18. TOP CYBER INCIDENT PAIN POINTS
    1. No business impact when determining courses of action
    2. Lack of cross-organizational considerations
    3. Limited data classification
    4. Ill-defined processes (aka "pre-thought use cases")
    5. No defined step-by-step procedures
    6. No defined event terminology between responders
    7. No defined thresholds between events and incidents
    8. No pre-determined (aka "pre-canned") external communications
    9. Lack of exercise of "memory muscle"
  • 19. MY TYPICAL RECOMMENDATIONS
    • Password / Privileged Access Management
    • Train Users
    • Monitor and Log Everything
    • Pick a framework (NIST OR CIS OR CySAFE)
    • Check Firewall ports (Outgoing)
    • Assess & Document your world
    • Server Vulnerability (SVA) & Network Vulnerability (NVA) Assessments
    • Know what is being leaked: IoT & Shadow IT https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
  • 20. BETTER LEADERSHIP
    • Empower through conversations
    • Use mission terminology
    • Define metrics
    • Find Root cause (Toyota "5-Whys")
    • Tech is a TOOL, not a purpose
    • Try device-free meetings
    • Control interruptions
    • Find time to daydream
  • 21. DELIVERABLES
    • Firewall & Network setups: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
    • Cloud security: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
    • Protocols and ports that need attention: https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
    • Authentication best practices: https://drive.google.com/file/d/1TyMTbghiOSqtuZv7c-CqmurPiqcPdRpV/view?usp=sharing
    • Server and network rights: https://drive.google.com/file/d/130tcLpGBPE2Q4aYjknG7xaiIkK0CJPsq/view?usp=sharing
    • Servers: https://drive.google.com/file/d/197jsrcHo4Izx9pWw7nv3dj01BIf0LiNl/view?usp=shari
  • 22. TOOL TIME
    • Root Folder on G-Drive: https://drive.google.com/drive/folders/1t4zZbe3bZb7yuZFNRZnSYOpfru_uzHpP?usp=sharing
    • Throughput Testing: https://drive.google.com/drive/folders/1qcGAwBGfRB8-BV34kZjY6uPE-_gK9qL6?usp=sharing
    • Network Mapping resources: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
    • CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
    • CIS top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh
    • 3rd Party Vendor Vetting: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=
  • 23. PERSONAL DATA PRIVACY HANDOUT: https://tinyurl.com/DataPri
    TIPS FOR HOTEL SECURITY: https://www.youtube.com/watch?v=M0GGHIjShh4
  • 24. HOW TO LEAD LIKE A SUPERHERO
    • Listen harder than normal people do
    • Help people even if you do not know them
    • Focus on the needs of others more than your own
    • Be creative in your efforts to save the day
    • Be relentlessly optimistic
    • Maintain a great sense of urgency
    • Never tolerate bullies
    • Don't stop trying until the job is done
    • Know your Achilles Heel
  • 25. "LIVING OFF THE LAND"
    • Windows 10 PowerShell, WMI, the Windows Scripting Host
    • Microsoft Office "macros"
  • 27. WHAT DO WE SEE
    • Stolen (reused, bad) passwords
    • Phishing - Email is King
    • ADMINS: too many
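Slide 25 names the built-in tooling (PowerShell, WMI, the Windows Scripting Host, Office macros) that "living off the land" abuses, and slide 19 says to monitor and log everything; the detection question is what to look for in those logs. The rules below are an added example, not the deck's own material: they flag script hosts launched by an Office application and PowerShell started with switches that hide what it runs. The events are constructed, loosely modelled on process-creation telemetry, and the field names (`parent_image`, `image`, `command_line`) are this example's assumption, not any product's schema.

```python
"""Flag 'living off the land' process lineage in process-creation telemetry:
built-in Windows tooling launched from Office, or PowerShell started with
switches that hide its script. Events are constructed; field names are an
assumption of this example, not a vendor schema."""
import json
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Windows components commonly reused as script hosts or loaders.
LOLBINS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "wmic.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell switches that reduce visibility of what a script does.
HIDING_SWITCHES = ("-enc", "-encodedcommand", "-windowstyle hidden", "-executionpolicy bypass")

# Constructed sample: four process-creation events as newline-delimited JSON.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "fin-laptop-01", "user": "alice",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -enc PLACEHOLDER"},
    {"host": "srv-files-01", "user": "svc_backup",          # routine WMI use, should not fire
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": "wmic.exe logicaldisk get size"},
    {"host": "hr-desktop-02", "user": "bob",                # ordinary user activity
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe"},
    {"host": "fin-laptop-01", "user": "alice",              # spreadsheet launching a script host
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": "wscript.exe invoice.vbs"},
])


def basename(path):
    """Lower-cased file name from a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of every rule that fires on one process-creation event."""
    parent, child = basename(event["parent_image"]), basename(event["image"])
    cmd = event.get("command_line", "").lower()
    hits = []
    if parent in OFFICE_APPS and child in LOLBINS:
        hits.append("office_spawns_script_host")   # macro or embedded object starting a script host
    if child in {"powershell.exe", "pwsh.exe"} and any(s in cmd for s in HIDING_SWITCHES):
        hits.append("powershell_hiding_switch")
    return hits


def scan(jsonl):
    """Run every rule over newline-delimited JSON events; return (host, user, rule) findings."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        findings.extend((ev["host"], ev["user"], rule) for rule in classify(ev))
    return findings


if __name__ == "__main__":
    for host, user, rule in scan(SAMPLE_EVENTS):
        print(f"{host} {user}: {rule}")
```

The second event is the reason the rules key on the parent process rather than on the tool itself: WMI and PowerShell are used by administrators and by the operating system all day, and alerting on the binary alone buries the real signal under the "overabundance of alerts" slide 6 warns about. Expect the PowerShell switch rule to need a baseline of your own scheduled tasks and management scripts before it is quiet enough to page on.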
  • 28. IOT HACKED DEVICES AND PORTS
  • 29. FIGURE 1-1 COMPONENTS OF INFORMATION SECURITY
  • 30. FOUNDATION FOR PROTECTING INFORMATION
    • Security/Privacy Program
    • Data Discovery / Classification
    • Monitor & Breach Response
  • 31. DESIGN: DATA PRIVACY (1/2)
    Where should I go to understand critical regulation?
    • Industry
    • Local
    • Multinational
    How can I check whether my disclosures work?
    • Ask them
    • Reading level calculator
    Additional resources:
    • Impact of GDPR on financial services
    • PCI FAQ
    • Reading level calculator (also MS Office tools)
  • 32. DATA PRIVACY (2/2): What does "good" look like when it comes to data privacy? Overall best practices across Capture, Usage, and Retention & Erasure:
    Be extremely transparent (people don't typically read disclosures)
    • Always obtain consent to access and use personal data
    • When obtaining consent, think of the people – easy to read, jargon-free, mobile friendly
    • Share how providing data helps them
    • High-level and detailed versions
    • Tell customers what data will be retained, for how long, and in what form:
      - De-identified vs. identified
      - Single data pull vs. ongoing feed
      - Physical vs. electronic
    Keep all data confidential (especially with personal data, maintaining confidentiality preserves trust)
    • Check personal disclosures of data acquired from partners
    • Highlight confidentiality when acquiring data
    • Be particularly careful with identity
    • Proactively notify people when sharing their data with 3rd parties
    • Only use the data for its intended purpose
    • Upon erasure, ensure data is completely deleted everywhere it is stored – incl. with partners, redundant servers, etc.
    Let customers "own" their data (whether or not this is legally the case; to maintain their trust, act as if their data is their own)
    • Where possible, allow people to opt out of specific data access
    • Where possible, allow people to opt out of specific data uses
    • Have a process for people to request updates to, correction of, or erasure of their information
    • Have a process to withdraw consent
    Take, keep, and use only what's valuable (all data carries risk)
    • Don't collect all data for all people – identify the pieces which drive the most value, and don't collect the rest
    • Be particularly conscious of regulation when using sensitive classifications
    • "Sunshine test"
    • Set a retention policy for customer data
    • Have a "what data should we keep" process
  • 33. SOFTWARE SECURITY
    How do I balance speed and security?
    • Focus on the right level of technical security for your stage
    • See "Balancing Speed & Security" article
    What types of security testing should I be using?
    • Automated – before you deploy
    • Black box 2x/year
    • White box every 2 years
    What are the most common & dangerous software security risks?
    • See OWASP Top 10 article
    Additional resources:
    • OWASP Top 10 2017
    • Balancing speed & security
    • Security 101 for startups
    • Security testing types
    • Security fatigue
  • 34. INFRASTRUCTURE SECURITY (1/2)
    Is outsourcing infrastructure or insourcing more secure?
    • Often, outsourcing will be best
    • Specific situations may change this
    If I do outsource, how can I ensure I'm protected?
    • Cloud providers offer:
      - Logging and monitoring with controls
      - Identity & access management
      - Encryption of data at rest
    • See the "AWS Security features"
    Additional resources:
    • Full Infrastructure Checklist
    • AWS security features and AWS security best practices whitepaper
    • Azure security features
    • Cisco Checklist
    • OWASP Top 10 2017
  • 35. INFRASTRUCTURE SECURITY (2/2): What are some general best practices for infrastructure security?
    General infrastructure
    • Enable cloud infrastructure default security options
    • Back up data at minimum daily, but limit redundancies
    • Encrypt data while at rest and while in transit
    • Periodically purge data
    • Have a BC/DR technology solution and plan
    • Implement patches for known vulnerabilities as soon as possible
    Passwords & network access
    • Use a password manager
    • Password reset
    • Tiered access levels
    • Require a secure VPN
    Scanning & monitoring
    • Implement a simple logging function
    • Include relevant data
    • Create lockout thresholds
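"Implement a simple logging function", "include relevant data" and "create lockout thresholds" on slide 35 fit together: if every authentication attempt is logged with a timestamp, result, account and source, the lockout threshold can be checked from the log, and the stolen and reused passwords that slide 27 says we see most also leave a pattern a per-account threshold alone misses (one source failing against many accounts). The code below is an added example, not the deck's own material; the log line format and the sample lines are constructed for it, and the thresholds are illustrative values, not a recommendation from the slides.

```python
"""Apply an account-lockout threshold and a per-source failed-logon check to
authentication log lines. The line format and sample log are constructed for
this example; thresholds are illustrative."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed format: "<ISO-8601 UTC> auth OK|FAIL user=<name> src=<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one account hammered, then one source trying many accounts.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:03Z auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:04Z auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:06Z auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:09Z auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:40Z auth OK user=bob src=198.51.100.7
2024-05-01T09:10:00Z auth FAIL user=carol src=192.0.2.44
2024-05-01T09:10:02Z auth FAIL user=dave src=192.0.2.44
2024-05-01T09:10:04Z auth FAIL user=erin src=192.0.2.44
2024-05-01T09:10:06Z auth FAIL user=frank src=192.0.2.44
2024-05-01T09:10:08Z auth FAIL user=grace src=192.0.2.44
2024-05-01T09:10:10Z auth FAIL user=heidi src=192.0.2.44
"""


def parse(line):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def failures(log):
    """Yield parsed FAIL events in file order; unparseable lines are skipped."""
    for ev in filter(None, map(parse, log.splitlines())):
        if ev["result"] == "FAIL":
            yield ev


def lockout_candidates(log, threshold=5, window=timedelta(minutes=15)):
    """Accounts reaching `threshold` failures inside a sliding `window`, with the
    time the lockout policy should have tripped. Mirrors a per-account lockout."""
    recent = defaultdict(deque)
    locked = {}
    for ev in failures(log):
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in locked:
            locked[ev["user"]] = ev["ts"]
    return locked


def spray_sources(log, min_accounts=5, window=timedelta(minutes=15)):
    """Sources that fail against `min_accounts` distinct accounts inside `window`.
    One failure per account never reaches a lockout threshold, so the source is
    the only dimension on which this pattern is visible."""
    history = defaultdict(list)   # src -> [(ts, user)] within the window
    flagged = {}
    for ev in failures(log):
        hist = history[ev["src"]]
        hist.append((ev["ts"], ev["user"]))
        hist[:] = [(t, u) for t, u in hist if ev["ts"] - t <= window]
        distinct = {u for _, u in hist}
        if len(distinct) >= min_accounts:
            flagged[ev["src"]] = len(distinct)
    return flagged


if __name__ == "__main__":
    print("Lockout threshold reached:", lockout_candidates(SAMPLE_LOG))
    print("Sources failing across many accounts:", spray_sources(SAMPLE_LOG))
```

The point of the second function is the gap in the first: a lockout threshold protects one account at a time, so a source that tries one guess against each of many accounts stays below it on every account. Logging the source address ("include relevant data") is what makes the second check possible at all; a log that records only the account name cannot support it.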
  • 36. PARTNER MANAGEMENT
    Steps for partner vetting
    • Pre-contract checks
      - What are their encryption practices?
      - Have they ever had a breach?
      - Service-level agreements (SLAs)
      - SLAs should be included in data policy
      - Ability to audit & request specific security standards
    How do I ensure my partner management is successful?
    • Learn from partners' suggestions
    • Continuous monitoring & review
    Additional resources:
    • Best practices to reduce third-party cybersecurity risk
    • Approaching data security in a fintech-friendly world
    • Steps to mitigate 3rd party cybersecurity threats
    Vendor Industry Templates: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
  • 37. CULTURE: What does a best-in-class data protection culture look like? Key beliefs, and practices to reinforce them:
    All users need to be aware of and careful about security issues
    • Data protection newsletter
      - Current events – share one article and how it relates to the company
      - Employee highlight – public recognition for those who surface issues
    • Accountable executive for data protection is not just responsible for technology
      - Have non-technical (i.e. not IT) people train employees on data protection
    Be open and transparent
    • Celebrate employees who surface issues – publicly recognize people
    • Don't punish people
    Data protection is an ongoing effort
    • Blame-free post-mortems
    • Ongoing "security tracker"
    More sharing = more risk
    • Limit partner integrations
  • 38. DATA MANAGEMENT: What are some best practice processes for data protection?
    Development
    • Regular penetration testing (3-6 mo black box, 12 mo white box)
    • Security review as part of SDLC
    Hiring and firing
    • Do reference checks on developers and employees
    • Ensure the digital "locks are changed" when employees leave
    Reviews
    • Hold regular data protection reviews (quarterly)
    Miscellaneous
    • Do not use USB drives
    • Encourage auto-lock of laptops (after 5 minutes)
    • Have automatic locks on your office doors and server rooms
    • Train employees to not use risky websites
    Additional resources:
    • Security 101 for startups
    • What is social engineering?
  • 39. TRAINING: What content should I include in my data protection trainings?
    All staff
    • Onboarding:
      - Our data security culture: why it's important; key processes to prevent and report issues; key components of the data policy; role-based guidelines; initial data privacy training
      - Types of threats and how we mitigate them
      - Key data elements
    • Ongoing (to be conducted on a regular basis):
      - Regular trainings
      - After a breach: cover the post-mortem of the breach; opportunity for Q&A
    Engineering, IT, Data science (in addition to the above)
    • Onboarding:
      - Legislative & regulatory environment
      - Communication & feedback loops
      - Where security sits in all processes
      - Roles & responsibilities
      - Monitoring and maintenance
    • Ongoing:
      - Updates to data architecture and procedures
      - Changing data security procedures
      - Legislative or regulatory changes
  • 40. BREACH RESPONSE (1/3)
    What is a data security breach?
    • What is a Breach?
    • Can be done locally or remotely
    What should be included in a security breach response plan?
    1. Identification & Risk Assessment
      - Understand extent of breach
      - Assess risks from breach
    2. Containment & Resolution
      - Form team to lead resolution
      - Contain breach, limit damage
    3. Evaluation & Improvement
      - Review causes of breach
      - Understand consequences
      - Make process, tech changes
    4. Communication
      - Plan and execute communication to employees and external parties
    Additional resources:
    • Data breaches 101
    • Detailed guide for cybersecurity event recovery
  • 41. BREACH RESPONSE (2/3): What are best practices in each phase of a breach response?
    1. Identification & Risk Assessment
      Key questions:
      • Understand extent of breach: What personal data? What was the cause? How many people?
      • Assess risks from breach: What potential for harm? Strategic & financial risks? Legal or compliance risks? Reputational risks? Financial risks?
      Best practices:
      • Initial identification of severity may be incomplete, so be thorough
    2. Containment & Resolution
      Key questions:
      • Form team to lead resolution: Who will be accountable? Employees needed? How often will the team meet?
      • Contain breach, limit damage: Are we still vulnerable? What systems changes? What process changes? How to recover data?
      Best practices:
      • Key people to include on team: Executive; Legal counsel
    3. Evaluation & Improvement
      Key questions:
      • Review causes of breach ("post-mortem"): Which vulnerabilities enabled the breach? What other similar vulnerabilities?
      • Understand consequences: What consequences occurred?
      • Make process, tech changes: Tech solutions or process changes? Need to modify our data policy? What training is needed? What is the cost to make these changes?
      Best practices:
      • Don't limit evaluation and improvements
      • Blame-free post-mortems
      • Include people from across the
  • 42. BREACH RESPONSE (3/3): What communication is appropriate at each stage of breach response?
    Internal
    • Identification & Risk Assessment (understand extent of breach; assess risks from breach)
      - Notify groups who interact with external parties
      - Include critical teams: C-Suite, Legal, Technology, PR (if applicable); Board of directors
    • Containment & Resolution (form team to lead resolution; contain breach, limit damage)
      - Communicate to employees
      - Provide regular updates to leadership and legal until issues are resolved
    • Evaluation & Improvement (review causes of breach; understand consequences; make process, tech changes)
      - Post-mortem is non-punitive
      - Include description of what happened
      - Communicate about process and technology changes
    External
    • Be careful about what you communicate
    • Speak to all relevant external parties
    • Always review with legal
    • When you communicate, include all key information:
      - Data involved
      - Action taken
      - Specific and clear advice
    • Provide ongoing