BindView
Scott Blake
Mark Loveless
Day 2:
Morning
Starting from Nothing
Security Policies
Afternoon
Intrusion Detection
Overview
• Security and networks
• Assessment
– Understand the what, who, and how
• Technology and Policy
– Problem specifics change at internet speed
– Ways of coping don’t
Security and Networks
• From 643 Respondents to the “2000 Computer Crime and Security Survey” (CSI/FBI):
– 90% Detected security breaches
– 74% Acknowledged financial loss
– 25% Detected system penetration from outside the organization
– 19% Reported 10 or more incidents
What the Statistics Mean
• We don’t really know the prevalence of computer security breaches
• Low response rate to surveys
• Corporations and governments won’t share information
• Successful attacks come from inside
• Actual financial losses are probably overstated
The Latest Trends
• Old ideas get new life
– Yet Another DDoS Tool: Trinity
– More Viruses
• Alternative Streams
• Mobile Devices
– Web Page Hacks
• Front Page still insecure
• Database insecurities
Assessment
• Starting from Nothing
– Assets - What are you protecting?
– Risks - What can be wrong?
– Threat Vectors - Who might attack?
– Methods - How do they attack?
What are you protecting?
• Each component of the network
– Web servers
– Routers
– Accounting systems
– Mail Servers
– Modem Banks
• Don’t forget the data
What can be wrong?
• Poor software configuration
• Missing patches
• Bad passwords
• No logs
• No sysadmin attention
Who might attack you?
• Hackers
– A few talented people provide tools for thousands of kids
– rootshell.com, insecure.org contain hundreds of tools
– Opportunity targets
• Customers
– Themselves
– Through stolen/guessed passwords
Who might attack you? (2)
• Insiders
– Through malice
– Carelessness
– Overwork
• Competitors
– “Denial of Service” attacks make you look bad
– Customer lists for marketing
How Outsiders Attack
• Look for known weaknesses
– Misconfigured Software
– Lots of software has a “more secure” configuration which is not turned on out of the box
– Outdated software with known problems
– Bad passwords
How outsiders attack (2)
• Scanning tools (SATAN, sscan)
– Make finding problems easy
• Exploit tools
– Make taking advantage of problems easy
• Stealth tools
– Make erasing logs easy
How insiders attack
• Exactly the same as outsiders
– Except that they are more effective
What to do about it?
• Policies and Procedures for Security
– What are you protecting?
– What's in place to protect it?
• Training and knowledge throughout the organization
– Do system managers know that security is a priority?
– Do they have the skills and training to execute?
What to do about it?
• Design for Defense
– Separation of Responsibility
– Least Privilege Required
• Tools
– Software to Implement
Governing Principles
• Integrity
– Strong internal controls on security of the applications and data
• Confidentiality
– Strong security on user access and data transmissions
• Availability
– Failsafe components, error tolerance, internal availability monitoring
• Accountability
– Full internal auditing, tie-ins to change control systems
The Policy Process
1. Policy Definition
2. Implementation
3. Compliance Reporting
The Policy Process
• High level security process
• Begins with policy definition
• Implementation forms a separate low level process
• Compliance reporting summarizes status vis-à-vis defined policy
The Implementation Process
1. Assess
2. Planning (Reporting)
3. Fix
The Implementation Process
• Lower level IT process
• Assess against pre-defined policy
• Results inform remediation planning
• Implement fixes
• Repeat
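An added example, not part of the original slides: the assess / plan / fix / repeat loop above, run in Python against a constructed inventory. Rule names follow the "What can be wrong?" slide; the field names, thresholds and host records are assumptions for illustration.

```python
import copy

# Policy definition: one rule per item on the "What can be wrong?" slide.
# Each rule is (host field, predicate a compliant host satisfies, value used
# to simulate a fix). Field names and thresholds are assumptions.
POLICY = {
    "poor_configuration":    ("default_config", lambda v: v is False, False),
    "missing_patches":       ("days_since_patch", lambda v: v <= 30, 0),
    "bad_passwords":         ("min_password_length", lambda v: v >= 12, 12),
    "no_logs":               ("logging_enabled", lambda v: v is True, True),
    "no_sysadmin_attention": ("owner", lambda v: v is not None, "ops"),
}

# Constructed inventory (not real systems).
HOSTS = [
    {"name": "web01", "default_config": False, "days_since_patch": 12,
     "min_password_length": 14, "logging_enabled": True, "owner": "ops"},
    {"name": "mail01", "default_config": False, "days_since_patch": 95,
     "min_password_length": 8, "logging_enabled": True, "owner": "ops"},
    {"name": "modem-bank", "default_config": True, "days_since_patch": 400,
     "min_password_length": 6, "logging_enabled": False, "owner": None},
]

def assess(hosts, policy=POLICY):
    """Step 1 (Assess): map each host to the policy rules it violates."""
    findings = {}
    for host in hosts:
        findings[host["name"]] = [
            rule for rule, (field, ok, _) in policy.items() if not ok(host[field])
        ]
    return findings

def plan(findings):
    """Step 2 (Planning/Reporting): non-compliant hosts, worst first."""
    failing = [(name, rules) for name, rules in findings.items() if rules]
    return sorted(failing, key=lambda item: (-len(item[1]), item[0]))

def fix(hosts, name, rules, policy=POLICY):
    """Step 3 (Fix): simulate remediation by setting the compliant value."""
    for host in hosts:
        if host["name"] == name:
            for rule in rules:
                field, _, compliant = policy[rule]
                host[field] = compliant

def compliance(findings, policy=POLICY):
    """Compliance reporting: (checks passed, checks run) against the policy."""
    total = len(findings) * len(policy)
    failed = sum(len(rules) for rules in findings.values())
    return total - failed, total

def run_cycle(hosts, budget=1):
    """One pass of the loop: assess, plan, fix the `budget` worst hosts,
    then re-assess. Returns compliance before and after the pass."""
    before = assess(hosts)
    for name, rules in plan(before)[:budget]:
        fix(hosts, name, rules)
    return compliance(before), compliance(assess(hosts))

if __name__ == "__main__":
    inventory = copy.deepcopy(HOSTS)
    for cycle in (1, 2):  # "Repeat" until the report matches the policy
        print(cycle, run_cycle(inventory))
```

The `budget` parameter stands in for limited remediation capacity, which is why the planning step orders hosts before anything is fixed.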
Policies
• Know what you want to protect, and why
– This lets you do cost benefit analysis
• Know who you want to protect it from
– This lets you design your defenses
• Know what to do
– Policies need to define actions
Policies
• Involve the Stakeholders
– Managers to focus on business case
– Technical staff to focus on what's possible, effective
– Everyone to commit to goals
Why Do Policies Fail?
• Lack of stakeholder support
• Too much complexity
• Organizational politics
Organizational Politics
• Common Organization
– Centralized security body
– Distributed system administration
• Results in tensions, cross-purposes
Questions?
A Distributed Organization
