Supplement V1.2

Supplementary material for days 1 to 5

1. These slides are for educational purposes only. Please leave a comment if there is any copyright infringement; I will delete it immediately. Thank you.
2. Regulation: Regulations Governing the Establishment of Internal Control Systems by Public Companies
   • 2. With reference to the "Implementation Rules for Internal Control and Audit Systems of Financial Holding Companies", the "Implementation Rules for Internal Control and Audit Systems of Banks", the "Implementation Rules for Internal Control and Audit Systems of Bills Finance Companies" and the "Implementation Rules for Internal Control and Audit Systems of Insurance Enterprises", the retention period for a public company's internal audit and self-inspection reports, working papers and related materials is unified to at least five years. (Amended Articles 13 and 22)
   • 10. To implement the mechanism by which a public company's internal audit unit carries out its annual audit plan, it is expressly provided that the company shall draw up its annual audit plan based on the results of risk assessment and faithfully execute it, and that the audit items covered by the annual audit plan shall include the key control activities set out in the company's internal control system. (Amended Article 13)
3. Qualitative Risk Analysis Example
   Source: Ministry of Education TANet Network Center, ISMS implementation project training material, http://cissnet.edu.tw/download_tanet.aspx
4. FMEA Output
   RPN = SEV x PF x DET
   RPN: Risk Priority Number
   SEV: Severity
   PF: Probability Factor
   DET: Detection Effectiveness
   Ref: http://www.siliconfareast.com/fmea_quickref.htm#table
5. Fault Tree Analysis
6. I. Risk Assessment in NIST SP 800-30
   Source: NIST SP 800-30
7. I. Risk Assessment in NIST SP 800-30 (cont.)
   Source: NIST SP 800-30
8. Risk Management (diagram)
   Risk Assessment
     Risk Identification: Threats, Vulnerabilities
     Risk Analysis: Quantitative Analysis, Qualitative Analysis, FMEA, FTA, OCTAVE
     Risk Evaluation: Likelihood, Impact
   Risk Mitigation: Acceptance, Reduction, Transference, Avoidance
9. Access Control
10. Access Control Conceptual Diagram (2007/6/8)
   Identification: "Identify yourself"
   Authentication: "Prove it" (I need to verify you)
   Authorization: "Do what I tell you to do"
   Accountability: "Anything you do will be logged"
11. TACACS+ and RADIUS Comparison
   Criterion                        TACACS+                                           RADIUS
   Transport                        TCP (reliable; more overhead)                     UDP (unreliable; higher performance)
   Authentication and Authorization Can be separated (more flexible)                  Combined
   Multiprotocol support            Supported (IP, Apple, NetBIOS, Novell, X.25)      IP only
   Access to router CLI commands    Supports two methods to control the authorization Not supported
                                    of router commands on a per-user or per-group basis
   Encryption                       Packet payload                                    Passwords only
   Source: http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+9.+AAA+Accounting/Diameter+Details/
12. RADIUS and Diameter Comparison
   Characteristic      RADIUS                                    Diameter
   Transport protocol  Connectionless (UDP 1812)                 Connection-oriented (TCP, SCTP, port 3868)
   Transport security  Optional IPsec                            IPsec or Transport Layer Security (TLS) is required
   Architecture        Client-server model                       Peer-to-peer model
   State               Stateless                                 Stateful (Session ID, transaction status)
   Authentication      Pre-shared key; PAP, CHAP, EAP;           Pre-shared key, digital certificate; PAP, CHAP, EAP;
                       only client-to-server re-authentication   mutual re-authentication
   Authorization       Bound to re-authentication                Re-authorization at any time
   Accounting          Real-time accounting                      Real-time accounting
   Confidentiality     Only the password is encrypted            All data encrypted, or the IP header (IPsec)
   Integrity           Poor                                      Good
   Scalability         Poor                                      Good
   Extensibility       Vendor-specific                           Public use
   Security model      Supports only hop-by-hop security; every  Supports end-to-end and hop-by-hop security; end-to-end
                       hop can modify information, which cannot  guarantees that information cannot be modified
                       be traced to its origin                   without notice
13. XACML Policy Sample
   <Policy PolicyId="SamplePolicy"
       RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
     <!-- This Policy only applies to requests on the SampleServer -->
     <Target>
       <Subjects>
         <AnySubject/>
       </Subjects>
       <Resources>
         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
           <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
         </ResourceMatch>
       </Resources>
       <Actions>
         <AnyAction/>
       </Actions>
     </Target>
     <!-- A final, "fall-through" Rule that always Denies -->
     <Rule RuleId="FinalRule" Effect="Deny"/>
   </Policy>
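Added example (not from the original slides): a minimal evaluator for the SamplePolicy above, showing how the Policy Target is matched against a request and how the permit-overrides rule-combining algorithm turns the matched Rules into a decision. It handles only the constructs the sample uses (AnySubject/AnyAction, a string-equal ResourceMatch on resource-id, Rules without a Target) and is not a conforming XACML PDP; the request dictionaries are constructed for the demo.

```python
# Added example: evaluate the slide's SamplePolicy (embedded below) against a request.
# Supports only the constructs the sample uses; it is not a full XACML PDP.
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:1.0"
STRING_EQUAL = f"{XACML}:function:string-equal"
RESOURCE_ID = f"{XACML}:resource:resource-id"

# The policy text from the slide, embedded so the example runs offline.
SAMPLE_POLICY = """<Policy PolicyId="SamplePolicy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <!-- This Policy only applies to requests on the SampleServer -->
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue>
        <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
      </ResourceMatch>
    </Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <!-- A final, "fall-through" Rule that always Denies -->
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>"""


def target_matches(target, request):
    """True when every constraint in a <Target> matches the request attributes.
    A missing Target (as on the sample's Rule) matches every request."""
    if target is None:
        return True
    for match in target.iter("ResourceMatch"):
        if match.get("MatchId") != STRING_EQUAL:
            raise NotImplementedError(match.get("MatchId"))
        wanted = match.find("AttributeValue").text
        attr_id = match.find("ResourceAttributeDesignator").get("AttributeId")
        if request.get("resource", {}).get(attr_id) != wanted:
            return False
    # <AnySubject/> and <AnyAction/> impose no constraint, so nothing else to check.
    return True


def evaluate(policy_xml, request):
    """Evaluate a request dict against the policy: Permit, Deny or NotApplicable."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("Target"), request):
        return "NotApplicable"          # the Policy Target did not match
    decisions = [
        rule.get("Effect")
        for rule in policy.findall("Rule")
        if target_matches(rule.find("Target"), request)
    ]
    alg = policy.get("RuleCombiningAlgId").rsplit(":", 1)[-1]
    if alg != "permit-overrides":
        raise NotImplementedError(alg)
    # permit-overrides: any Permit wins; otherwise any Deny; otherwise NotApplicable.
    if "Permit" in decisions:
        return "Permit"
    if "Deny" in decisions:
        return "Deny"
    return "NotApplicable"


def demo():
    # Constructed requests: one against SampleServer, one against another host.
    req_sample = {"resource": {RESOURCE_ID: "SampleServer"}}
    req_other = {"resource": {RESOURCE_ID: "OtherServer"}}
    return evaluate(SAMPLE_POLICY, req_sample), evaluate(SAMPLE_POLICY, req_other)
```

Running demo() gives ("Deny", "NotApplicable"): because the only Rule is the fall-through Deny, every request on SampleServer is denied, and requests for any other resource fall outside the Policy Target, so the PDP's handling of NotApplicable (usually deny by default) decides them. A real policy would place Permit rules before FinalRule; with permit-overrides, any one of them matching would override the Deny.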
14. SPML Scenario
   http://www.computerworld.com/s/article/86225/SPML
15. Cryptography
16. 2DES Meet-in-the-Middle Attack
   Given a known plaintext and its known ciphertext: if the DES1-encrypted output of the plaintext equals the DES2-decrypted output of the ciphertext, then key1 and key2 are cracked.
   Source: www.giac.org/
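Added example (not from the original slides): the meet-in-the-middle idea from the diagram, run end to end against a constructed 16-bit toy block cipher with 12-bit keys that stands in for DES (DES itself would take far too long to search here). The table of E_k1(P) is built once, then each D_k2(C) is looked up in it, so the work is about 2 x 2^12 cipher operations rather than the 2^24 that trying every (k1, k2) pair would cost. The toy cipher, keys and plaintexts are all constructed for the demo.

```python
# Added example: meet-in-the-middle against double encryption with a constructed toy cipher.
from collections import defaultdict

MASK = 0xFFFF          # 16-bit block
KEY_BITS = 12          # constructed key size for the toy cipher
MUL = 0x9E37           # odd, hence invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)


def toy_encrypt(key, block):
    """Constructed toy cipher (XOR, rotate, multiply, whiten). Not secure by design."""
    x = (block ^ key) & MASK
    x = ((x << 5) | (x >> 11)) & MASK
    x = (x * MUL) & MASK
    return x ^ ((key * 0x5BD1) & MASK)


def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt."""
    x = block ^ ((key * 0x5BD1) & MASK)
    x = (x * MUL_INV) & MASK
    x = ((x >> 5) | (x << 11)) & MASK
    return x ^ key


def double_encrypt(k1, k2, block):
    """The 2DES analogue: encrypt with k1, then encrypt the result with k2."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) tuples produced under one (k1, k2).
    The first pair drives the table lookup; the others filter out false matches.
    Returns every (k1, k2) consistent with all pairs."""
    p1, c1 = pairs[0]
    forward = defaultdict(list)          # E_k1(p1) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        forward[toy_encrypt(k1, p1)].append(k1)
    survivors = []
    for k2 in range(1 << KEY_BITS):
        middle = toy_decrypt(k2, c1)     # value where the two halves must meet
        for k1 in forward.get(middle, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                survivors.append((k1, k2))
    return survivors


def work_factor():
    """Cipher operations used by the attack versus exhaustive search over both keys."""
    return 2 * (1 << KEY_BITS), 1 << (2 * KEY_BITS)


def demo(k1=0x3A7, k2=0xC15):
    # Constructed known-plaintext pairs under the secret key pair (k1, k2).
    plaintexts = [0x1234, 0xBEEF, 0x0042]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)
```

demo() recovers (0x3A7, 0xC15) from three known pairs; work_factor() returns (8192, 16777216), the 2^(k+1) versus 2^(2k) comparison that explains why double DES gives roughly 57 bits of strength instead of 112, and why Triple DES was adopted instead.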
17. Keyed Hash HMAC
   Source: http://www.unixwiz.net/
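Added example (not from the original slides): the HMAC construction built from a plain hash function as RFC 2104 defines it, checked against Python's standard library, with a constant-time verifier for the tag. The key and messages are constructed for the demo.

```python
# Added example: HMAC from scratch (RFC 2104) plus constant-time tag verification.
import hashlib
import hmac


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)),
    where K' is the key brought to the hash function's block size."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for SHA-256
    if len(key) > block_size:                         # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")              # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so response timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_from_scratch(key, message), tag)


def demo():
    key = b"constructed-demo-key"          # constructed sample key
    msg = b"amount=100&to=alice"           # constructed sample message
    tag = hmac_from_scratch(key, msg)
    reference = hmac.new(key, msg, hashlib.sha256).digest()
    tampered = b"amount=900&to=alice"
    return tag == reference, verify_tag(key, msg, tag), verify_tag(key, tampered, tag)
```

demo() returns (True, True, False): the hand-built tag matches the library's, verifies for the original message, and fails for the tampered one. The two nested hashes with different pads are what distinguish HMAC from a bare H(key || message) and give it its keyed integrity property.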
18. Algebraic Cryptanalysis
   (diagram: a message passed through a chain of E encryption blocks)
19. Null Cipher
   "Are you deaf, Father William!" the young man said,
   "Did you hear what I told you just now?
   "Excuse me for shouting! Don't waggle your head
   "Like a blundering, sleepy old cow!
   "A little maid dwelling in Wallington Town,
   "Is my friend, so I beg to remark:
   "Do you think she'd be pleased if a book were sent down
   "Entitled 'The Hunt of the Snark?'"
   -
   "Pack it up in brown paper!" the old man cried,
   "And seal it with olive-and-dove.
   "I command you to do it!" he added with pride,
   "Nor forget, my good fellow, to send her beside
   "Easter Greetings, and give her my love."
20. Diffie-Hellman Key Agreement Operation
21. Diffie-Hellman Key Agreement Operation
22. Security Architecture and Design
23. Zachman Framework
   Source: An Overview of Enterprise Architecture Framework Deliverables, by Frank Goethals
24. DoDAF Framework
   Source: Enterprise Architecture A-to-Z
25. EAL Stats
   www.commoncriteriaportal.org
26. Common Criteria Flow
   Protection Profile: an implementation-independent statement of security needs for a TOE type; covers a category of product (i.e., "firewalls").
   Target of Evaluation (TOE): a set of software, firmware and/or hardware, possibly accompanied by guidance; a specific product (i.e., Cisco PIX 5xx).
   Security Target: an implementation-dependent statement of security needs for a specific identified TOE; the vendor's claims of specifications and features.
   Functional Requirements and Assurance Requirements
27. Implementation of Evaluated Products
   Evaluation: test plan based on stated requirements
   EAL levels:
     1 Functionally Tested
     2 Structurally Tested
     3 Methodically Tested
     4 Methodically Designed, Tested, Reviewed
     5 Semiformal testing
     6 Semiformal verification
     7 Formal verification and testing
   Certification
   Accreditation: based on the production environment
28. Storage Systems
   http://en.wikipedia.org/wiki/Storage_area_network
29. Application Security
30. KDD Process
31. Neural Network
32. Expert System
   Source: idrinfo.idrc.ca
33. Waterfall Method
   http://www.softwebsolutions.com/our_process.html
34. Spiral Method
   http://en.wikipedia.org/wiki/Spiral_model
35. Iterative Method
   Source: Wikipedia
36. Inheritance (diagram)
   Parent class Animal: virtual function Talk()
   Child class Cat: function Talk("")
   Child class Dog: function Talk("")
37. Polymorphism
   (the slide's pseudocode, written out as compilable Java)

   class Animal {
       public void Talk() { }                 // overridable ("virtual") in Java by default
   }
   class Dog extends Animal {
       @Override public void Talk() { System.out.println("汪"); }
   }
   class Cat extends Animal {
       @Override public void Talk() { System.out.println("喵"); }
   }
   public class Demo {
       static void AnimalTalk(Animal objSomeAnimal) {
           objSomeAnimal.Talk();              // polymorphism: late binding picks the subclass method
       }
       public static void main(String[] args) {
           Animal objCat = new Cat();
           Animal objDog = new Dog();
           // Without polymorphism (direct calls)
           objCat.Talk();                     // "喵"
           objDog.Talk();                     // "汪"
           // With polymorphism (through the Animal-typed parameter)
           AnimalTalk(objCat);                // "喵"
           AnimalTalk(objDog);                // "汪"
       }
   }

   • In this example the AnimalTalk procedure accepts a parameter named objSomeAnimal of type Animal, so at run time we can pass classes derived from Animal, such as Cat or Dog. The advantage of this design is that you can add new classes derived from Animal without changing the client code in the AnimalTalk procedure.
38. 2-phase commit
39. LRCI
40. EnCase – File System
41. EnCase Timeline
42. Audit Automation Platform
43. Telecommunication and Network Security
44. Attack Tree
   http://commons.wikimedia.org/wiki/File:Attack_tree_virus.png
45. Honeynet
   http://www.iu.hio.no/
46. Partial Mesh as HA
47. Link Layer Encryption vs. End-to-end Encryption
48. ISDN Application
49. MPLS
   http://www.isoc.org/
50. IPSec Mode - Concise
   http://technet.microsoft.com/en-us/library/cc759130(WS.10).aspx#w2k3tr_ipsec_how_vvlc
51. PPTP and L2TP Data Format
52. Smurf
   http://www.techexams.net
53. FDDI Dual Counter-Rotating Ring
54. Routing Protocols
   Protocol  Open       Hop   Classless  Authentication  Category                   Network
   RIPv1     RFC 1058   15    No         None            Interior, distance vector  Small
   RIPv2     RFC 2453   15    Yes        Password, MD5   Interior, distance vector  Small, Medium
   IGRP      Cisco      255   No         None            Interior, distance vector  Small
   EIGRP     Cisco      255   Yes        Password, MD5   Interior, hybrid           Large
   OSPF      RFC 2328   none  Yes        Password, MD5   Interior, link-state       Large, heterogeneous
   IS-IS     ISO 10589  -     Yes        Password        Interior, link-state       Large
   EGP       -          -     -          -               Exterior, distance vector  AS-AS
   BGP       RFC 1771   -     CIDR       MD5             Exterior, distance vector  AS-AS
   Source: Cisco Certified Network Associate Study Guide
55. Subnetting vs. supernetting (diagram: one Class C subnetted; 8 contiguous Class C supernetted)
   http://medusa.sdsu.edu/network/CS576/Lectures/ch05_Subnetting.pdf
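Added example (not from the original slides): the two halves of the diagram done with Python's standard ipaddress module, splitting one Class C into subnets and collapsing eight contiguous Class C networks into one supernet. It also shows the edge case the diagram does not: eight /24s that are contiguous but not aligned on the /21 boundary do not summarise to a single route. The addresses are constructed for the demo.

```python
# Added example: subnetting one Class C and supernetting eight contiguous Class C networks.
import ipaddress


def subnet(network: str, new_prefix: int):
    """Split one network into equal subnets with the given (longer) prefix."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


def supernet(networks):
    """Collapse a set of networks into the fewest covering prefixes.
    Contiguous blocks aligned on the summary boundary collapse to one route;
    a set that straddles the boundary stays as several routes."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def demo():
    one_class_c = "192.168.0.0/24"                            # constructed address space
    four_subnets = subnet(one_class_c, 26)                    # 4 x /26, 62 usable hosts each
    aligned = [f"192.168.{i}.0/24" for i in range(0, 8)]      # 192.168.0.0 .. 192.168.7.0
    misaligned = [f"192.168.{i}.0/24" for i in range(1, 9)]   # 192.168.1.0 .. 192.168.8.0
    return four_subnets, supernet(aligned), supernet(misaligned)
```

demo() returns the four /26 subnets, the single summary 192.168.0.0/21 for the aligned block, and four separate routes (a /24, a /23, a /22 and a /24) for the misaligned block. The alignment rule is what makes supernetting possible only for blocks that share a common prefix.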
56. VPN – Site to Site
57. NetBios
58. War Dialer - PhoneSweep
59. Finger
60. IPP in IIS
   http://secunia.com/advisories/32248/
61. LPR in XP
   https://www.cs.uwaterloo.ca/twiki/view/CF/LprPrintingForWindows
62. Tapping Fiber Optics
   http://i.techrepublic.com.com/blogs/Figure%20A.jpg
63. SAN
   http://www.allsan.com/sanoverview.php3
64. Transmission Technology
   http://www.privateline.com/PCS/Multiplexing.htm
65. BCP
66. BIA Process (diagram)
   Elements: Owner, Impact, Business Activity, Geographic Extent, Timescale, MTPD, RPO
67. 4.1 INCIDENT RESPONSE STRUCTURE
68. RTO < MTPD (MTD)
69. Trailer
70. Scope
71. BCM is a Balancing Act (cont.)
   (diagram: Cost/Loss against Time; the cost of the recovery strategy on one side, the loss from disruption on the other; labels: High Cost, High Loss, Optimal Point, Lose Business)
72. Physical Security
73. OS
74. Heat and cool air
   http://www.adc.com/us/en/Library/Literature/102264AE.pdf
75. Data loss on transportation
76. A shorter interval from vulnerability to attack → a much higher attack success rate
   Source: IBM X-Force report 2008
