Dimitrios Stergiou
About Dimitrios
• Has a keen interest in Information
  Security (10 years and counting)

• Currently holds: CISSP, CISA, CISM,
  BS 7799 LA, CCSP

• Newbie Python coder

• Amateur social engineer

• Loves vendor t-shirts

• Avid World of Warcraft gamer
Security and Quantum Computing
So, what do we talk about
•   History lesson
•   Threats
•   Compliance
•   Information Security

• And no, I am not selling
  anything, don’t panic
What we don’t talk about
• ROI (ROSI)
  – Actually we do
• APT
• Cyber-
• Hacker
  – Attacker
• SSL / PKI
A bit of history
• Early Internet era
   – Exploit vulnerabilities
   – Take pride
• 10 years later
   – Attack the server
   – Steal or destroy data
• Last 5 years
   – Attack the application
   – Steal / hold data
   – Financial gain
… and more recently
What causes the issues then?
1.   Malware
2.   Malicious insiders
3.   Known vulnerabilities
4.   Careless employees
5.   Mobile devices
6.   Social networking
7.   Social engineering
8.   Zero-day exploits
9.   Cloud computing
Oh well, what now
Meet Information Security Compliance Standards
Information Security Compliance
• Payment Card Industry Data
  Security Standard (PCI DSS)
• ISO 27000 series
• Health Insurance Portability
  and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
• Federal Information Security
  Management Act (FISMA)
• Bundesamt für Sicherheit in
  der Informationstechnik (BSI)
• SAS 70 Type 2
• National / other standards
A typical example
How it’s all done
• Policy
• Procedure
• Guideline
• Audit records
… and now I take you through the compliance process
(Doing only) Compliance fails
Why?
• “Word” engineering
• Checklist approach
• Baseline becomes
  “the ceiling”
• Snapshot in time
• Non-continuous
  process
The audit has finished…
• Management thinks
  that compliance
  equals security
• Does enough to
  “pass” the audit
• Do not talk security
  until next audit
• Business as usual
Meanwhile, developers…
And Security people…
        Process / Procedure / Guideline / Standard
        Instruction / Audit / Vulnerability / Risk
        Threat / Exploit / Attack Vector / <buzz>
And attackers are efficient!
In touch with reality
As a result
The “sad” day comes when management realizes that
Or even worse:
Bottom line
s/YOU/Compliance/g
But Compliance can be the answer if
• It comes as a by-product of
  a security management
  program
• It is used in a bottom-up
  approach
• It can “secure” budget for
  security
• It does not become a
  panacea
Security Management

•   Reputation
•   Regulation
•   Revenue
•   Resilience
•   Recession
Do we REALLY need security?
But are you 100% sure we need it?
Gender-neutral / Gender equality
Security management mini-HOWTO
[Diagram: Plan • Do • Check • Act (PDCA) cycle, with the risk management steps of the Plan phase]
• Determination of scope of information security
• Creation of executive policy
• Development of systematic risk assessment method
  – Output: risk assessment procedures
• Risk assessment
  – Identification of information assets
    (outputs: list of assets, inventory of assets)
  – Risk analysis: estimation of threats and vulnerabilities
    (output: risk analysis table)
  – Risk evaluation
    (output: risk assessment report)
• Risk treatment
• Risk acceptance
The “checklist” approach
1.   Device inventory
2.   Software inventory
3.   Secure system device configuration
4.   Secure network device configuration
5.   Boundary defense
6.   Monitoring and analysis of audit logs
7.   Application software security
8.   Control administrative privileges
9.   “Need-to-know” access
10.  Vulnerability assessment
11.  Account monitoring
12.  Malware defenses
13.  Control network ports
14.  Wireless control
15.  Data Loss Prevention
16.  Secure Network Design
17.  Penetration test
18.  Incident response
19.  Data recovery
20.  Training
The IT Security field is always in need of new clichés!
• Nothing will ever be
  100% secure
• Know thy risk
• Security is the
  means, not the end
• Security yes,
  obscurity no
• Talk to them, not at
  them
What is that ROI again?
Why we don’t talk about ROI
"ROI" as used in a security context is
inaccurate.

Security is not an investment that
provides a return, like a new factory or a
financial instrument.

It's an expense that, hopefully, pays for
itself in cost savings.

Security is about loss prevention, not
about earnings.

Bruce Schneier
Net Present Value (NPV)
C0 = Initial investment
B1 = Benefit for Year 1
t = Time period
k = discount rate (average cost of capital)

• NPV > 0    Go ahead
• NPV < 0    Project cancelled
• NPV = 0    Can do, can ignore, no difference
Net Present Value (Example)
Net Present Value (discount rate = 15%)

                         C0          T1          T2
Initial Investment       -200,000
Annual benefits                      400,000     400,000
Annual operating costs               -100,000    -100,000
Net Cash Flow            -200,000    300,000     300,000

NPV = -200,000 + 300,000 / (1.15)^1 + 300,000 / (1.15)^2
NPV = -200,000 + 260,870 + 226,843
NPV = 287,713
Internal Rate of Return (IRR)
C0 = Initial investment
B1 = Benefit for Year 1
t = Time period
k = cost of capital

• IRR > k    Go ahead
• IRR < k    Project cancelled
• IRR = k    Can do, can ignore, no difference
Internal Rate of Return (Example)
Internal rate of return (k = 15%)

                         C0          T1          T2
Initial Investment       -200,000
Annual benefits                      400,000     400,000
Annual operating costs               -100,000    -100,000
Net Cash Flow            -200,000    300,000     300,000

IRR: 0 = -200,000 + 300,000 / (1+IRR)^1 + 300,000 / (1+IRR)^2
IRR = 118.61 %
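The NPV and IRR worked examples above can be reproduced in a few lines. The block below is an added example, not code from the slides; it uses the slides' cash flows (200,000 initial investment, 300,000 net cash flow in years 1 and 2, k = 15%) and solves the IRR numerically by bisection, which is sufficient for a conventional project with one initial outflow followed by inflows. The function and constant names are the example's own.

```python
from typing import Sequence

# Cash flows constructed from the slides' example: C0 = -200,000 initial
# investment, then 400,000 benefits - 100,000 operating costs = 300,000 net
# in each of years 1 and 2. Index t is the time period.
CASH_FLOWS = [-200_000.0, 300_000.0, 300_000.0]
DISCOUNT_RATE = 0.15  # k, the cost of capital used on the slides


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value: sum of cash_flows[t] / (1 + rate)**t for t = 0, 1, ...

    cash_flows[0] is the initial investment C0 (negative) and is not discounted.
    """
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-10, max_iter: int = 200) -> float:
    """Internal rate of return: the rate at which npv(rate, cash_flows) == 0.

    Solved by bisection on [lo, hi]. For a conventional project NPV falls
    monotonically as the rate rises, so a single root exists. Raises
    ValueError when NPV does not change sign on the interval.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the search interval; no IRR found")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid   # root lies in the lower half
        else:
            lo, f_lo = mid, f_mid   # root lies in the upper half
    return (lo + hi) / 2.0


def decision(cash_flows: Sequence[float], k: float):
    """Apply the slides' decision rules: NPV against 0 and IRR against k.

    Returns (npv_value, irr_rate, npv_verdict, irr_verdict).
    """
    value = npv(k, cash_flows)
    rate = irr(cash_flows)
    npv_verdict = "Go ahead" if value > 0 else ("Project cancelled" if value < 0 else "No difference")
    irr_verdict = "Go ahead" if rate > k else ("Project cancelled" if rate < k else "No difference")
    return value, rate, npv_verdict, irr_verdict


if __name__ == "__main__":
    value, rate, npv_verdict, irr_verdict = decision(CASH_FLOWS, DISCOUNT_RATE)
    print(f"NPV at k={DISCOUNT_RATE:.0%}: {value:,.0f} -> {npv_verdict}")
    print(f"IRR: {rate:.2%} -> {irr_verdict}")
```

Running it reproduces the slides' figures: NPV of 287,713 at 15% and an IRR of 118.61%, so both rules say "Go ahead". Changing `CASH_FLOWS` to a security project's own estimated cost savings (the "loss prevention" framing from the Schneier quote) gives the same calculation management uses for any other expense.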
Unfortunately
Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted.

“Albert Einstein”
you need 1337 skillz to be hax0r?
• Beware of
  “script kiddies”
• Fame seekers
• Insider pwnage
• Revenge!!!
• Demo (3 slides
  to go)
Good keywords to Google
•   metasploit
•   set
•   w3af
•   nmap
•   nessus
•   beef
•   sqlmap
Are you talking to me?
• Blog: blog.nihilnovo.eu
• Twitter: twitter.com/dstergiou
• Email: dstergiou@gmail.com
Demo
• Client-side attack with IE
• Browser exploitation
