Egypt Cloud Day, May2011-- Information Assurance


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Egypt Cloud Day, May2011-- Information Assurance

  1. 1. ٦/١٩/١٤٣٢ Session: Information Assurance the superset of Information Security Speaker: Mahmoud Tawfik p Agenda • Information Assurance. I f ti A • Risk Assessment & Management. • Cryptography • Ethical-Hacking • Recent incidents and news. • Will Egypt plan for a security strategy? • Q&A.١
  2. 2. ٦/١٩/١٤٣٢ IA • Risk Assessment & Management • Strategic Risk Management • Reliability. • GRC (Governance, Risk and Compliance). • Audits and Privacy. • Accounting ,Fraud. • BCP ( Business Continuity Plan). • DRP ( Disaster Recovery Plan). IA Concepts • Defense in Depth ( Multiple layers of defense) • Security through obscurity • CIA ( Confidentiality , Integrity and Availability) • Authenticity • Utility • Non-repudiation٢
  3. 3. ٦/١٩/١٤٣٢ Risk • What is Risk? • Risk = Probability * Impact • What is a Threat? • What is a Vulnerability? • What is an Exploit? Risk Qualitative risk assessment: • Identifying threats. • Identify vulnerabilities T&T to Identify Vulnerabilities: 1. CVE 2. Vulnerability Scanners 3. Penetration test 3 P t ti t t٣
  4. 4. ٦/١٩/١٤٣٢ Risk Quantitative risk assessment Annualized Loss Expectancy (ALE) Single Loss Expectancy (SLE) Annualized Rate of Occurrence (ARO) ALE = SLE * ARO Risk Risk management techniques 1. Avoidance 2. Transference 3. Acceptance 4. Mitigations٤
  5. 5. ٦/١٩/١٤٣٢ Cryptography Symmetric Symmetric cryptography uses the same secret y yp g p y (private) key to encrypt and decrypt data. Asymmetric public key and private key. Access Control Access Control : Control access to critical assets Identification and authentication determine who can log on to a system.٥
  6. 6. ٦/١٩/١٤٣٢ Penetration test Penetration Test aka Ethical Hacking • Reconnaissance (Information Intelligence). • Vulnerability Scanning & Analysis. • Exploitation. • Reporting and Documentation Documentation. Incidents Recent Incidents and News • RSA security breach. • Top-Secret US lab hacked. • Israel planning strategy to defend networks from attacks. • White House Reveals Cyber Security Plan.٦
  7. 7. ٦/١٩/١٤٣٢ Incidents RSA breach Uri Rivner, head of new technologies, identity protection and verification at RSA said "The attacker in this case sent two different phishing emails over a two- day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.” The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled “2011 Recruitment plan.xls. The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.." Source : Incidents Top secret US lab hacked The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes. Oak Rid National L b t i i a hi hl secretive f ilit l O k Ridge N ti l Laboratories is highly ti facility located i t d in Tennessee that is used for homeland security and military purposes. It is managed by the US Department of Energy and conducts research into nuclear energy, chemical science, and biological systems. Source:٧
  8. 8. ٦/١٩/١٤٣٢ Cyber strategies Israel planning strategy to defend computer networks from attacks A team of experts convened by the prime minister to develop a strategy to defend Israels computer networks against assault from hostile countries and terrorist organizations is expected to submit its recommendations after the Passover holiday. The group, headed by Maj. Gen. (res. ) Isaac Ben-Israel, was formed in November, a few months after foreign media reported on the Stuxnet computer worm - which struck nuclear facilities in Iran, as well as a number of networks around the world world. Various entities in Israel, he revealed, such as banks and major corporations, had not consented to accepting government protection until the Counter- Terrorism Bureau broke into their networks to demonstrate the potential harm they faced. Source: defend-computer-networks-from-attack-1.353722 Cyber strategies White House Reveals Cyber Security Plan A cyber security plan proposed by the Obama administration aims to protect individual privacy, federal computer networks and elements of national critical infrastructure. The proposal includes more stringent penalties for cyber criminals; mandatory data breach reporting for organizations; placing the responsibility for defending federal agency networks from attack in the hands of the Department of Homeland Security (DHS); and improving protection for elements of the countrys critical country s infrastructure. It also would establish guidelines for the government to help companies that suffer cyber incidents, and for information sharing about threats among businesses and state and local governments. Reference : unveils-new-cybersecurity-plan/1٨
  9. 9. ٦/١٩/١٤٣٢ Strategy Will Egypt plan for a security strategy? • More than 10 hacked government websites in 2011. • Government infrastructure relies on Microsoft Windows. • Egypt needs an urgent cyber defense/warfare strategy. Is this possible after 25 Jan revolution ? source:http://zone- Defacements 387 hacked government sites٩
  10. 10. ٦/١٩/١٤٣٢ Thank Th k you! ! Now, it is time for Q&A Email : Twitter : mtawfik5١٠