Module0&1 intro-foundations-b


Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • This diagram represents risk as the intersection of the threat-vulnerability pair (a splotch). Where there is a splotch, there is a risk. A threat without a corresponding vulnerability is not a risk. Likewise, a vulnerability without a threat is not a risk. Keep in mind, a threat can exploit more than one vulnerability.
  • Content Notes The actual Maxus website from which he conducted business… Presentation Notes
  • Content Notes The actual Maxus website from which he conducted business… Presentation Notes
  • Our critical infrastructures are illustrated here. As you can see, these infrastructures play a crucial role in our society and daily lives. As such, the destruction or degradation of one or more of these infrastructures could cause serious harm to our economic and national security. The President has recognized this potential threat and has ordered that steps be taken to protect our infrastructures from an attack. In the past, threats to our nation’s infrastructures were mainly physical in nature. We used to be concerned primarily about threats from terrorist groups and hostile nations. Now, criminal groups, terrorists, and hostile nations can interrupt critical infrastructures through cyber attacks on crucial automation systems. As our society becomes more global and utilizes technology to increase the efficiency of our enterprises, our nation’s critical infrastructures are becoming increasingly interdependent — within an enterprise, across several enterprises, even across industries. For example, the financial services industry depends on the availability and reliability of the telecommunications infrastructure, which in turn relies on electric power. Hence, future attacks against one infrastructure could have cascading effects in the operations of others…. within one enterprise, across several enterprises, or industries, and potentially all over the world.
  • Matrix: 3a POINTS OUT HOW EASY IT IS TO GET, AND USE HACKER TOOLS. ALSO POINTS OUT “POINT AND CLICK” HACKER TOOLS ARE UNSOPHISTICATED. Fact: Hackers post 30-40 new tools to Internet hacking sites every month, according to NIST (National Institute of Standards and Technology). Even an unsophisticated hacker can search the Internet, find and download exploitable tools, and then "point and click" to start a hack. REMINDER: Hacking for “fun” or to “see how it’s done” is against the law & Entity Policy. The Entity has no obligation to defend you under such circumstances. REMINDER IS OPTIONAL , DEPENDING ON YOUR POLICY, AND YOU COUNSEL’S OPINION. Legal Decision Box: Consult with legal counsel when developing your network policy to include hacking and use of hacker tools and sanctions that will be applied for not following the policy. Decision Box: Is hacking and use of hacker tools addressed in your network policy?
  • Content Notes This is a site where you can enter the name and address of a computer and have the site itself try to break in to it. URL: html Presentation Notes
  • Content Notes Presentation Notes
  • IT Security Acronyms:
  • Module0&1 intro-foundations-b

    1. 1. Your Instructor(s): David Amsler IT Security Awareness Training
    2. 2. Introductions Module 0
    3. 3. Introductions <ul><li>David Amsler, CIO, Foreground Security - CISSP, CISM, CCNA, CCSP, MCSE, MCT, NSA IAM/IEM, Security+, CCSA, CCSE, CEH, ECSA </li></ul>Module 0
    4. 4. Our Goals <ul><li>Understanding the basics of IT Security </li></ul><ul><li>Basic IT Security terms, procedures, and policies </li></ul><ul><li>Security risks, issues and attacker techniques </li></ul><ul><li>Watermark Policies, Procedures, and Expectations </li></ul><ul><li>You ARE IMPORTANT! </li></ul>Module 0
    5. 5. Course Materials <ul><li>Student Course Book </li></ul><ul><ul><li>Slides, Notes, and Presentations </li></ul></ul><ul><li>Home Security Guide </li></ul><ul><ul><li>Detailed guide on steps to secure your home computer </li></ul></ul>Module 0
    6. 6. Class Rules <ul><li>Ask questions at any time! </li></ul><ul><li>This is an open and interactive class! </li></ul><ul><li>If you don’t understand a concept, say so! </li></ul><ul><li>We can demonstrate, explain, or illustrate in different ways to help you better understand! </li></ul>Module 0
    7. 7. Course Outline <ul><li>IT Security Training Awareness </li></ul><ul><li>Modules: </li></ul><ul><ul><li>Module 0 - Introductions </li></ul></ul><ul><ul><li>Module 1 - Foundations of IT Security </li></ul></ul><ul><ul><ul><li>Essential terminology </li></ul></ul></ul><ul><ul><ul><li>Defining security </li></ul></ul></ul><ul><ul><ul><li>Need for security </li></ul></ul></ul><ul><ul><ul><li>Cyber crime </li></ul></ul></ul><ul><ul><ul><li>Information Security statistics </li></ul></ul></ul><ul><ul><ul><li>Security myths </li></ul></ul></ul>Module 0
    8. 8. Course Outline <ul><li>Module 2 - Recognizing Security Threats and attacks </li></ul><ul><ul><ul><li>Phishing and its countermeasures </li></ul></ul></ul><ul><ul><ul><li>Virus </li></ul></ul></ul><ul><ul><ul><li>Trojan Horse </li></ul></ul></ul><ul><ul><ul><li>Worms </li></ul></ul></ul><ul><ul><ul><li>Spyware </li></ul></ul></ul><ul><ul><ul><li>Adware </li></ul></ul></ul><ul><ul><ul><li>Keylogger </li></ul></ul></ul><ul><ul><ul><li>Social engineering </li></ul></ul></ul><ul><ul><ul><li>Denial of Service </li></ul></ul></ul><ul><ul><ul><li>Spamming </li></ul></ul></ul><ul><ul><ul><li>Port Scanning </li></ul></ul></ul><ul><ul><ul><li>Password cracking </li></ul></ul></ul><ul><ul><ul><li>Countermeasures </li></ul></ul></ul>Module 0
    9. 9. <ul><li>Module 3 – Social Engineering </li></ul><ul><ul><li>Social engineering techniques </li></ul></ul><ul><ul><li>Recognizing social engineering </li></ul></ul><ul><ul><li>What to do/How to respond </li></ul></ul><ul><li>Module 4 - Basic Security Policies & Procedures </li></ul><ul><ul><li>Introduction </li></ul></ul><ul><ul><li>Watermark Specific Policies & Procedures </li></ul></ul><ul><li>Module 5 – Desktop/Laptop Security </li></ul><ul><ul><li>Encryption of Data </li></ul></ul><ul><ul><li>Loss of Laptop </li></ul></ul><ul><ul><li>Remote connections (VPN) Issues </li></ul></ul>Module 0
    10. 10. <ul><li>Module 6 - Secure Internet Access </li></ul><ul><ul><li>Internet Security Issues </li></ul></ul><ul><ul><li>Identity Theft </li></ul></ul><ul><ul><li>File Sharing </li></ul></ul><ul><ul><li>Downloading Programs </li></ul></ul><ul><ul><li>Secure Internet Practices </li></ul></ul><ul><li>Module 7 – Wireless Security </li></ul><ul><ul><li>Wi-Fi Security Issues </li></ul></ul><ul><ul><li>Bluetooth </li></ul></ul><ul><ul><li>Cell Phone Policy and Procedures </li></ul></ul>Module 0
    11. 11. <ul><li>Module 8 - Incident Response </li></ul><ul><ul><li>How to spot an incident </li></ul></ul><ul><ul><li>What to do if you spot an incident </li></ul></ul><ul><ul><ul><li>Response </li></ul></ul></ul><ul><ul><ul><li>Contact </li></ul></ul></ul><ul><ul><ul><li>Document </li></ul></ul></ul><ul><ul><ul><li>What else </li></ul></ul></ul>Module 0
    12. 12. Quiz <ul><li>What is a hacker? </li></ul><ul><li>Describe a typical hacker. </li></ul><ul><li>What do hackers want? </li></ul><ul><li>How do they get it? </li></ul>
    13. 13. The Real Hackers <ul><li>Brian Kernighan, Dennis Ritchie, Bill Joy and Ken Thompson C Programming Language, Unix </li></ul><ul><li>Bill Gates Microsoft </li></ul><ul><li>Richard Stallman GNU Project / Free Software Movement </li></ul><ul><li>Steve Wozniak, Steve Jobs Apple </li></ul><ul><li>Linus Torvalds, Alan Cox, Bruce Perens, Eric S. Raymond Linux </li></ul>
    14. 14. Well Known Attackers <ul><li>PhiberOptik </li></ul><ul><li>Robert Morris </li></ul><ul><li>Kevin Mitnick </li></ul><ul><li>Mafiaboy </li></ul><ul><li>Kevin Poulsen </li></ul><ul><li>Vladimir Levin </li></ul><ul><li>Today’s attackers are… </li></ul><ul><li>Students </li></ul><ul><li>IT Professionals </li></ul><ul><li>The Office Janitor </li></ul><ul><li>Your Nextdoor Neighboor! </li></ul>
    15. 15. Module 1 Foundations of Security Module 1
    16. 17. Module Objectives <ul><li>This module will familiarize you with the following: </li></ul><ul><ul><ul><li>Essential terminology </li></ul></ul></ul><ul><ul><ul><li>Defining security </li></ul></ul></ul><ul><ul><ul><li>Need for security </li></ul></ul></ul><ul><ul><ul><li>Cyber crime </li></ul></ul></ul><ul><ul><ul><li>Information Security statistics </li></ul></ul></ul><ul><ul><ul><li>Security myths </li></ul></ul></ul>Module 1
    17. 18. Terminology Module 1
    18. 19. CIA of Security Module 1
    19. 20. Risk <ul><li>A risk is the loss potential that exists as the result of threat-vulnerability pairs </li></ul>Key: Threats Vulnerabilities Risks
    20. 21. Security Triangle Module 1
    21. 22. Countermeasures Module 1
    22. 23. Graphics
    23. 24. <ul><li>The number of internet attacks has doubled every 6 months for the last two years. The cost of these attacks has cost businesses an estimated $98 billion dollars in the first 8 months of 2007. CERT </li></ul><ul><li>A computer will be scanned or attacked within 5 seconds of connecting to the internet. Gartner </li></ul><ul><li>A substantial percentage of attacks (39 percent) appeared to be deliberately targeted at a specific organization . Internetnews </li></ul>
    24. 25. <ul><li>Every five seconds another person is a victim of identity theft or fraud. </li></ul><ul><li>In 2007, identity theft and fraud cost US consumers $64 billion. </li></ul><ul><li>85% of all computer users have some form of a virus, trojan horse, or spyware program and don’t even know it. </li></ul><ul><li>70% of all corporate attacks come from internal users (employees, contractors, etc.). CSI </li></ul><ul><li>There were over 4 Million computer intrusions in 2007. (CSI/FBI survey) </li></ul>
    25. 26. <ul><li>GENERAL MISUSE of the Internet </li></ul><ul><ul><li>One-third of time spent online at work is non-work-related. (Websense, IDC) </li></ul></ul><ul><ul><li>Internet misuse at work is costing American corporations more than $85 billion annually in lost productivity. (Websense) </li></ul></ul><ul><ul><li>80 percent of companies reported that employees had abused Internet privileges, such as downloading pornography or pirated software. (CSI/FBI Computer Crime and Security Survey) </li></ul></ul><ul><li>PEER-TO-PEER FILE-SHARING </li></ul><ul><ul><li>Forty-five percent of the executable files downloaded through Kazaa contain malicious code. (Trusecure) </li></ul></ul><ul><ul><li>73 percent of all movie searches on file-sharing networks were for pornography. (Palisade Systems) </li></ul></ul><ul><ul><li>A company can be liable for up to $150K per pirated work if it is allowing employees to use the corporate network to download copyrighted material. (RIAA) </li></ul></ul>
    26. 27. <ul><li>SPYWARE </li></ul><ul><ul><li>1 in 3 companies have detected spyware on their network. (Websense UK Survey) </li></ul></ul><ul><ul><li>There more than 7,000 spyware programs. (Aberdeen Group) </li></ul></ul><ul><li>VIRUSES/MALICIOUS CODE </li></ul><ul><ul><ul><ul><ul><li>Although 99% of companies use antivirus software, 82% of them were hit by viruses and worms. (CSI/FBI) </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><li>Blended threats made up 54 percent of the top 10 malicious code submissions over the last six months of 2003. (Symantec Internet Security Threat Report) </li></ul></ul></ul></ul><ul><ul><ul><ul><li>The number of malicious code attacks with backdoors, which are often used to steal confidential data, rose nearly 50% in the last year. (Symantec) </li></ul></ul></ul></ul>
    27. 29. Who are the Attackers? <ul><li>Who are these threat agents? </li></ul><ul><li>Teenage pranksters </li></ul><ul><li>Hacker junkies </li></ul><ul><li>Disgruntled employees </li></ul><ul><li>Terrorists (disruption of services) </li></ul><ul><li>Criminals (selling information) </li></ul><ul><li>Foreign intelligence agents </li></ul>
    28. 30. Movie
    29. 31. Movie
    30. 33. How easy is it to hack?   <ul><li>Fact: Hackers post 30-40 new tools to the Internet every month </li></ul><ul><li>Anyone can search the Internet, find exploitable tools, &quot;point and click&quot; and start to hack. </li></ul><ul><li>REMINDER: Any Hacking be it for “fun” or to “see how it’s done” is against the law. </li></ul>
    31. 35. Their common target? You!
    32. 41. IT Security Acronyms <ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li>See the Book for a complete list </li></ul>