Your SlideShare is downloading. ×
Supplement V1.2
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Supplement V1.2

855
views

Published on

第一,二,三,四,五天補充資料

第一,二,三,四,五天補充資料

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
855
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
21
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. • 本投影片僅供教育訓練用,如有侵權,請留言通 知,將立即刪除,謝謝。 • The slide is for education purpose only. Please leave your comment if there is any copyright infringement. I will delete it immediately. Thank you.
  • 2. 法規名稱:公開發行公司建立內部控制制度處理準則 法規名稱: •二、參考「金融控股公司內部控制及稽核制度實施辦法」 、「銀行內部控制及稽核制 度實施辦法」、「票券商內 部控制及稽核制度實施辦法」及「保險業內部控制及 稽 核制度實施辦法」規定,公開發行公司內部稽核及自行檢 查報告、工作底稿及相關資料保存年限統一為至少保存五 相關資料保存年限統一為至少保存五 年。(修正條文第十三條及第二十二條) •十、為落實公開發行公司內部稽核單位執行年度稽核計畫 之機制,明定公司應依風險評估結果 應依風險評估結果擬訂其年度稽核計畫 應依風險評估結果 ,並確實執行,且其年度稽核計畫之稽核項目範圍應涵蓋 公司於內部控制制度訂定之重要控制作業。 (修正條文第 十三條)
  • 3. Qualitative Risk Analysis Example 教育部 TANet 網路中心導入資訊安全管理制度計畫教育訓練教材 http://cissnet.edu.tw/download_tanet.aspx
  • 4. FMEA Output RPN=SEV x PF x DET PRN: Risk Priority Number SEV:Severity PF:Probability Factor DET:Detection Effectiveness Rers: http://www.siliconfareast.com/fmea_quickref.htm#table
  • 5. Fault Tree Analysis
  • 6. I. Risk Assessment in NIST SP-800 30 source: NIST Sp800-30
  • 7. I. Risk Assessment in NIST SP-800 30 (cont.) source: NIST Sp800-30
  • 8. Risk Management Threats Risk Identification Vulnerabilities Quantitative Analysis Qualitative Analysis Risk Risk Analysis FMEA Assessment FTA OCTAVE Risk Likelihood Management Risk Evaluation Impact Acceptance Reduction Risk Mitigation Transference Avoidance
  • 9. Access Control
  • 10. Access Control Conceptual Diagram Access Control 2007/6/8 Anything You Do Identify Identification Will Be Youself Logged Prove It Accountability Authentication (I need to Verify you) Do What I Authorization Tell You to Do
  • 11. TACACS+ and RADIUS Comparison Criterion TACACS+ RADIUS Transport TCP (reliable; more overhead) UDP (unreliable; higher performance) Authentication Can be separated (more flexible) Combined and Authorization Multiprotocol Supported (IP, Apple, NetBIOS, IP only Support Novell, X.25) Access to Supports two methods to control Not supported Router CLI the authorization of router Commands commands on a per-user or per- group basis Encryption Packet payload Passwords only http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+9.+AAA+Accounting/Diameter+Det ails/
  • 12. RADIUS and Diameter Comparison Characteristic RADIUS Diameter Transport protocol Connectionless (UDP 1812). Connection-oriented (TCP, SCTP, 3868). Transport security Optional IPsec. IPsec or Transport Layer Security (TLS) is required. Architecture Client-Server model Peer-to-peer model State Stateless Stateful(Session ID, transaction status) Authentication Pre-shared key Pre-Shared key, digital certificate PAP, CHAP, EAP PAP, CHAP, EAP Only client to server re- Mutual re-authentication authentication Authorization Bind with re-authentication Re-authorization any time Accounting Real-time accounting Real-time accounting Confidentiality Only encrypt password Encrypt all data, or IP header(IPSec) Integrity Poor Good Scalability Poor Good Extensibility Vendor-specific Public use Security model Supports only hop-by-hop security. Supports end-to-end and hop-to- Every hop can modify information hop security. End-to-end guarantees that cannot be traced to its origin. that information cannot be modified without notice.
  • 13. XACML Policy Sample <Policy PolicyId="SamplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit- overrides“> <!-- This Policy only applies to requests on the SampleServer --> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue> <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/> </ResourceMatch> </Resources> <Actions> <AnyAction/> </Actions> </Target> <!-- A final, "fall-through" Rule that always Denies --> <Rule RuleId="FinalRule" Effect="Deny"/> </Policy>
  • 14. SPML Scenario http://www.computerworld.com/s/article/86225/SPML
  • 15. Cryptography
  • 16. 2DES Meet-in-the-Middle Attack If DES1 encrypted output equals DES2 decrypted output, then key1 and key2 cracked known known Source: www.giac.org/
  • 17. Keyed Hash HMAC Source: http://www.unixwiz.net/
  • 18. Algebraic Cryptanalysis E E Message E
  • 19. Null Cipher “A re you deaf, Father W illiam !” the young m an said, “D id you hear w hat I told you just now ? “E xcuse m e for shouting! D on’t w aggle your head “Like a blundering, sleepy old cow ! “A little m aid dw elling in W allington Tow n, “Is m y friend, so I beg to rem ark: “D o you think she’d be pleased if a book w ere sent dow n “E ntitled ‘The H unt of the Snark?’” - “Pack it up in brow n paper!” the old m an cried, “A nd seal it w ith olive-and-dove. “I com m and you to do it!” he added w ith pride, “N or forget, m y good fellow , to send her beside “E aster G reetings, and give her m y love.”
  • 20. Diffie-Hellman Key Agreement Operation
  • 21. Diffie-Hellman Key Agreement Operation
  • 22. Security Architecture and Design
  • 23. Zachman Framework An Overview of Enterprise Architecture Framework Deliverables by Frank Goethals
  • 24. DoDAF Framework Enterprise Architecture A-to-Z
  • 25. EAL Stats www.commoncriteriaportal.org
  • 26. Common Criteria Flow an implementation- independent Protection Category of Product statement of security Profile (i.e., “firewalls”) needs for a TOE type. a set of software, firmware and/or Target of Specific Product (i.e., hardware possibly Evaluation Cisco PIX 5xx) accompanied by guidance. Security Vendor claims: an implementation- Specifications and dependent statement Target features of security needs for a specific identified TOE Functional Assurance Requirements Requirements
  • 27. Implementation of Evaluated Products TEST plan based on Evaluation stated requirements EAL Levels 1 Functionally Tested 2 Structurally Tested 3 Methodically Tested 4 Methodically Designed, Tested, Reviewed 5 Semiformal testing 6 Semiformal verification 7 Formal verification and testing Based on production Certification environment Accreditation
  • 28. Storage Systems http://en.wikipedia.org/wiki/Storage_area_network
  • 29. Application Security
  • 30. KDD Process
  • 31. Neural Network
  • 32. Expert System Source:idrinfo.idrc.ca
  • 33. Waterfall Method http://www.softwebsolutions.com/our_process.html
  • 34. Spiral Method http://en.wikipedia.org/wiki/Spiral_model
  • 35. Iterative Method Wikipedia
  • 36. Inheritance Parent Class Animal Virtual Function Talk() Child Class Child Class Cat Dog Function Talk("") Function Talk("")
  • 37. Polymorphism 1. class Animal { 2. virtual public Talk(){ } 3. } 4. class Dog extends Animal { 5. public Talk() { speak "汪" } 6. } 7. class Cat extends Animal { 8. public Talk() { speak "喵" } 9. } 10.Function AnimalTalk( Animal objSomeAnimal) 11.{ 12. objSomeAnimal.Talk; //polymophism; late binding 13.} 14.Animal objCat = new Cat; 15.Animal objDog = new Dog; 16.//Without polymorphism 17.objCat .Talk; //"喵" 18.objDog .Talk; //"汪" 19.//With polymorphism 20.AnimalTalk(objCat); //"喵" 21.AnimalTalk(objDog); //"汪" • 在本範例中,AnimalTalk程序接受 (Accept) 屬於 Animal 型別而名為 objSomeAnimal 的參數,所以我 們可以在 run-time傳送如 Cat或Dog衍生自 Animal 類別的類別。此項設計的優點在於,您可加入衍生 可加入衍生 類別的新類別, 程序中的用戶端程式碼。 自 Animal 類別的新類別,而不需要變更 AnimalTalk程序中的用戶端程式碼 程序中的用戶端程式碼
  • 38. 2-phase commit
  • 39. LRCI
  • 40. EnCase – File System
  • 41. EnCase Timeline
  • 42. 稽核自動化平台
  • 43. Telecommunication and Network Security
  • 44. Attack Tree http://commons.wikimedia.org/wiki/File:Attack_tree_virus.png
  • 45. Honeynet http://www.iu.hio.no/
  • 46. Partial Mesh as HA
  • 47. Link Layer Encryption vs. End-to-end Encryption
  • 48. ISDN Application
  • 49. MPLS http://www.isoc.org/
  • 50. IPSec Mode - Concise http://technet.microsoft.com/en-us/library/cc759130(WS.10).aspx#w2k3tr_ipsec_how_vvlc
  • 51. PPTP and L2TP Data Format
  • 52. Smurf http://www.techexams.net
  • 53. FDDI Dual Counter-Rotating Ring
  • 54. Routing Protocols Open Hop Class Authentica Category Network less tion RIPv1 RFC 15 No None Interior Small 1058 Distance vector RIPv2 RFC 15 Yes Password Interior Small 2453 MD5 Distance vector Medium IGRP Cisco 255 No None Interior Small Distance vector EIGRP Cisco 255 Yes Password Interior Large MD5 Hybrid OSPF RFC none Yes Password Interior Large 2328 MD5 Link-state Hetero ISIS ISO Yes Password Interior Large 10589 Link-state EGP Exterior AS-AS Distance vector BGP RFC CIDR MD5 Exterior AS-AS 1771 Distance vector Cisco® Certified Network Associate Study Guide
  • 55. Subnetting vs. supernetting One Class C 8 contiguous Class C http://medusa.sdsu.edu/network/CS576/Lectures/ch05_Subnetting.pdf
  • 56. VPN – Site to Site
  • 57. NetBios
  • 58. War Dialer - PhoneSweep
  • 59. Finger
  • 60. IPP in IIS http://secunia.com/advisories/32248/
  • 61. LPR in XP https://www.cs.uwaterloo.ca/twiki/view/CF/LprPrintingForWindows
  • 62. Tapping Fiber Optics http://i.techrepublic.com.com/blogs/Figure%20A.jpg
  • 63. SAN http://www.allsan.com/sanoverview.php3
  • 64. Transmission Technology http://www.privateline.com/PCS/Multiplexing.htm
  • 65. BCP
  • 66. BIA Process Owner Impact Business Activity Geographic Timescale Extent MTPD RPO
  • 67. 4.1 INCIDENT RESPONSE STRUCTURE
  • 68. RTO < MTPD(MTD)
  • 69. Trailer
  • 70. Scope
  • 71. BCM is a Balancing Act(cont.) High Cost High Loss recovery strategy disruption Cost/Loss Cost/Loss Cost/Loss Cost/Loss Cost/Loss Cost/Loss Cost/Loss Cost/Loss Cost Cost Cost Cost Cost Cost Cost Cost Optimal Lose Business Point Time 73
  • 72. Physical Security
  • 73. OS
  • 74. Heat and cool air http://www.adc.com/us/en/Library/Literature/102264AE.pdf
  • 75. Data loss on transportation
  • 76. 從漏洞到攻擊時距縮短→大幅提高攻擊成功率 source:IBM xforce report 2008