2. !!EXAMS!!
• About 2/3 done correcting
• Mostly pretty good
• Those that were not good, please don’t worry. We can do some extra credit
• You are all good students!
3. Good News and Bad News
• The good news is that your exams look great! Well done! I am so proud of all of you!
• The bad news is that this course will not be offered next semester
• The scary news is that I might be entering the PhD program
4. Look at all the topics we have covered!
• The Confidentiality, Availability and Integrity Triad
• The five pillars of information security
• cyberwar
• cyber espionage
• technical controls
• administrative controls
• spoofing data and source integrity
• check digits and checksums
• data classification
• data loss prevention
• content scanning
• enterprise management tools
• authentication
• passwords
• dual factor authentication
• multi factor authentication
• knowledge based authentication
• biometrics
• shared secrets
• digital certificates for authentication purposes
• initial credentialing
• single sign on
• wireless authentication
• hybrid authentication solutions
• symmetric encryption
• asymmetric encryption
• steganography
• digital certificates for encryption
• non-repudiation
• information privacy
• privacy enhancing technologies
• social engineering definition
• social engineering methods
• social engineering real life example
• social engineering defenses
• pretexting
• phishing
• road apples
• quid pro quo
• digital forensics
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• Sarbanes-Oxley Act
• USA PATRIOT Act
• Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”)
• Electronic Communications Privacy Act (“ECPA”)
• FERPA
• software vulnerabilities
• software bugs
• unchecked user input
• full disclosure
• limited disclosure
• responsible disclosure
• security through obscurity
• Buffer overflows
• Dangling pointers
• Input validation errors, such as:
  • Format string bugs
  • Improperly handling shell metacharacters so they are interpreted
  • SQL injection
  • Code injection
  • E-mail injection
  • Directory traversal
  • Cross-site scripting in web applications
• Race conditions, such as:
  • Time-of-check-to-time-of-use bugs
  • Symlink races
• Privilege-confusion bugs, such as:
  • Cross-site request forgery in web applications
  • Privilege escalation
• User interface failures, such as:
  • Warning fatigue or user conditioning
  • Blaming the Victim
  • Prompting a user to make a security decision without giving the user enough information to answer it
• Race Conditions
• physical security
• the 4 layers of physical security
• elements of network security
• change control / change management
• risks of outsourcing information systems in relation to security concerns
5. So Now What?
• Exams? No more!
• Quizzes? Yeah, I owe you a few of those
• How about a class project?
• You know, something that requires some team effort!
• Something that leverages all that knowledge you have gained
6. Security Audit
• Security audit of ANY company which is publicly traded on the NYSE or NASDAQ
• Requirements: company must have international operations
7. What to do
• Meet your team mate!
• Pick your company
• Read their annual report, ignore the financial information if you want to. I’m more interested in the qualitative stuff
• Work through the template, item by item
8. What to do
• Write a 5 page Executive Summary, outlining your findings and suggestions in the following areas:
• Security Policy, Organizational Security, Asset Classification and Control, Personnel Security, Physical and Environmental Security, Communications and Operations Management, Access Control, System Development and Maintenance, Business Continuity Management, Compliance.
9. What About Standards?
• The nice thing about standards is that there are so many to choose from!
10. Why This Security Audit?
• The 'ISO/IEC 27000 series' is an information security standard published by the International Organization for Standardization (ISO)
11. Standards
• ISO/IEC 27002 has directly equivalent national standards in several countries.
12. This Security Audit is Compliant
• Australia
• New Zealand
• Brazil
• Denmark
• Estonia
• Japan
• Lithuania
• Netherlands
• Peru
• Spain
• Sweden
• United Kingdom
• Uruguay
13. Components of a Security Audit
• Risk assessment
• Security policy - management direction
• Organization of information security - governance of information security
• Asset management - inventory and classification of information assets
• Human resources security - security aspects for employees joining, moving and leaving an organization
• Physical and environmental security - protection of the computer facilities
• Communications and operations management - management of technical security controls in systems and networks
14. Components of a Security Audit
• Access control - restriction of access rights to networks, systems, applications, functions and data
• Information systems acquisition, development and maintenance - building security into applications
• Information security incident management - anticipating and responding appropriately to information security breaches
• Business continuity management - protecting, maintaining and recovering business-critical processes and systems
• Compliance - ensuring conformance with information security policies, standards, laws and regulations