Information security for dummies
Information security for beginners
Transcript

  • 1. Ivo Depoorter
  • 2. Whois I
    Functions: Sysadmin, DBA, CIO, ADP instructor, SSO, Security consultant
    Career (20 y): NATO – Local government – Youth care
    Training: Lots of Microsoft, Linux, networking, programming…
    Security: Site Security Officer, CISSP, BCM, Ethical Hacking, network scanning, …
  • 3. Course outline
    Information security?
    Security: Why?
    Security approach
    Vocabulary
    The weakest link
    Real life security sample
  • 4. Information security?
    According to Wikipedia, ISO 2700x, CISSP, SANS, …
    Confidentiality: classified information must be protected from unauthorized disclosure.
    Integrity: information must be protected against unauthorized changes and modification.
    Availability: the information processed and the services provided must be protected from deliberate or accidental loss, destruction, or interruption of services.
  • 5. Information security?
    Security attributes according to the Belgian Privacy Commission:
    Confidentiality, Integrity, Availability
    + Accountability, Non-repudiation, Authenticity, Reliability
  • 6. CIA Exercise: Defacing of the Belgian Army website
  • 7. CIA Exercise
    Confidentiality: ?? Webserver only hosting public information? Webserver separated from LAN?
    Integrity: Unauthorized changes!
    Availability: Information is no longer available
  • 8. Security: Why?
    Compliance with law
    Protect (valuable) assets
    Prevent production breakdowns
    Protect reputation, (non-)commercial image
    Meet customer & shareholder requirements
    Keep personnel happy
  • 9. Security approach
    Both technical and non-technical countermeasures.
    Top-management approval and support!
    Communicate!
    Information security needs a layered approach!!!
    Best practices:
    COBIT: Control Objectives for Information and related Technology
    ISO 27002 (ISO 17799): Code of practice for information security management
    …
  • 10. ISO 27002
    Section 0: Introduction
    Section 1: Scope
    Section 2: Terms and Definitions
    Section 3: Structure of the Standard
    Section 4: Risk Assessment and Treatment
    Section 5: Security Policy
    Section 6: Organizing Information Security
    Section 7: Asset Management
    Section 8: Human Resources Security
    Section 9: Physical and Environmental Security
    Section 10: Communications and Operations Management
    Section 11: Access Control
    Section 12: Information Systems Acquisition, Development and Maintenance
    Section 13: Information Security Incident Management
    Section 14: Business Continuity Management
    Section 15: Compliance
  • 11. ISO 27002 - Example
    Security audit at a local government with > 500 employees
    Technique: Social Engineering
    Internal audit
    Sections involved (as drawn on the slide): 10 (procedures), 9 (physical access), 11 (logical access), 15
  • 12. Security vocabulary - Threat
    A potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community. (BCI)
    Samples:
    Fire
    Death of a key person (SPOK or Single Point of Knowledge)
    Crash of a critical network component, e.g. core switch (SPOF: single point of failure)
    …
  • 13. Security vocabulary - Damage
    Harm or injury to property or a person, resulting in loss of value or the impairment of usefulness
    Damage in information security: Operational, Financial, Legal, Reputational
    Damage of the defaced Belgian Army website?
    Operational: probably (temporary front page, patch management, …)
    Financial: probably (training personnel, hiring consultancy, …)
    Legal: probably (lawsuit against external responsible?)
    Reputational: certainly!
  • 14. Security vocabulary - Risk
    Combination of the probability of an event and its consequence.
    Risk components: Threat (probability), Damage (amount)
    Example (damage columns O F L R = Operational, Financial, Legal, Reputational; risk = max impact × probability):
    Process       | Threat                     | Damage (O F L R) | Max impact | Probability | Risk
    Food freezing | Electricity failure > 24 h | 4 3 2 2          | 4          | 2           | 8
  • 15. The Zen of Risk
    What is just the right amount of security?
    Seeking balance between Security (Yin) and Business (Yang):
    Potential loss vs. Cost
    Countermeasures vs. Productivity
  • 16. Security vocabulary - AAA
    Authentication: technologies used to determine the authenticity of users, network nodes, and documents
    Authorization: who is allowed to do what?
    Accountability: is it possible to find out who has made any operations?
    • Strong authentication (two-factor or multifactor)
    • Something you know (password, PIN, …)
    • Something you have (token, …)
    • Something you are (fingerprint, …)
  • 17. The weakest link
    SEC_RITY is not complete without U!
    Countermeasures:
    • Force password policy on server
    • Train personnel
    • Use strong authentication
    • …
  • 18. The weakest link
    Amateurs hack systems, professionals hack people!
    Countermeasures:
    • Implement security & access policies
    • Job rotation
    • Encryption
    • Employee awareness training
    • Audit trail of all accesses to documents
    • …
  • 19. Hacking steps
    Step                | Countermeasures (short list)
    1. Reconnaissance   | Be careful with information
    2. Network mapping  | Network IDS – block ICMP
    3. Exploiting       | System hardening
    4. Keeping access   | IDS – Antivirus – rootkit scanners
    5. Covering tracks  |
    Reconnaissance (information gathering): searching for interesting information on discussion groups/forums, social networks, customer reference lists, Google hacks…
  • 20. Real life security sample
    High security (war)zone
    Illiterate (local) cleaning personnel (Use opportunities!!!)
    Physical security:
    • Personnel clearance
    • Physical control
    • PC placement (shoulder surfing)
    • Clean desk policy
    • Shredder
    • Lock screen policy
    • Fiber to PC
    Logical security:
    • VLANs
    • Password policy
    • …
    Diagram annotation: WWW and LAN separated by > 2 m – Tempest!!!
  • 21. We learned….
    Security is CIA(+)
    Why: law, reputation, production continuity, …
    Approach: layered, technical & non-technical, support from CEO, lots of communication
    Vocabulary: threat, damage, risk, (strong) authentication, authorization, accountability
    Risk = threat * damage
    Security balance: loss vs. cost & countermeasures vs. productivity
    The weakest link is personnel!
    A hacker starts with information gathering
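The risk scoring from slide 14 (damage scored per category, max impact × probability) and the summary "Risk = threat * damage" on slide 21, carried through as a small risk register. This is an added example, not part of the presentation; the 0..4 scale and the extra register rows are assumptions, and the first row is the slide's own "Food freezing" example.

```python
from dataclasses import dataclass

# Damage categories from slide 13: Operational, Financial, Legal, Reputational.
CATEGORIES = ("O", "F", "L", "R")


@dataclass
class Threat:
    process: str
    threat: str
    damage: dict       # category -> impact score (assumed 0..4 scale, as on slide 14)
    probability: int   # assumed 0..4 scale, as on slide 14

    def max_impact(self) -> int:
        # Slide 14 takes the worst damage category as the impact figure.
        return max(self.damage[c] for c in CATEGORIES)

    def risk(self) -> int:
        # Risk = threat (probability) * damage (max impact), slides 14 and 21.
        return self.max_impact() * self.probability


def validate(t: Threat) -> None:
    """Reject rows that miss a category or fall outside the assumed 0..4 scale."""
    missing = [c for c in CATEGORIES if c not in t.damage]
    if missing:
        raise ValueError(f"{t.process}: missing damage categories {missing}")
    for c in CATEGORIES:
        if not 0 <= t.damage[c] <= 4:
            raise ValueError(f"{t.process}: damage {c}={t.damage[c]} outside 0..4")
    if not 0 <= t.probability <= 4:
        raise ValueError(f"{t.process}: probability outside 0..4")


def rank(register: list) -> list:
    """Return (process, threat, risk) rows, highest risk first."""
    for t in register:
        validate(t)
    return sorted(((t.process, t.threat, t.risk()) for t in register),
                  key=lambda row: row[2], reverse=True)


# Constructed register: first row is the slide's example, the others are made up.
REGISTER = [
    Threat("Food freezing", "Electricity failure > 24 h",
           {"O": 4, "F": 3, "L": 2, "R": 2}, probability=2),
    Threat("Public website", "Defacement",
           {"O": 2, "F": 2, "L": 2, "R": 4}, probability=3),
    Threat("Payroll", "Death of key person (SPOK)",
           {"O": 3, "F": 2, "L": 3, "R": 1}, probability=1),
]
```

Ranking the register puts the defacement scenario above the slide's electricity failure, which is exactly the kind of comparison the Zen of Risk slide asks for before deciding where countermeasure budget goes.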