Ivo Depoorter
Whois I
   Functions
     Sysadmin, DBA, CIO, ADP instructor, SSO,
      Security consultant
   Career (20 y)
     NATO – Local government – Youth care
   Training
     Lots of Microsoft, Linux, networking,
      programming…
     Security: Site Security Officer, CISSP, BCM,
      Ethical Hacking, network scanning,…
Course outline
   Information security?
   Security Why?
   Security approach
   Vocabulary
   The weakest link
   Real life security sample
Information security?
According to Wikipedia, ISO 2700x, CISSP, SANS, …

   Confidentiality: Classified information must be protected
    from unauthorized disclosure.

   Integrity: Information must be protected against
    unauthorized changes and modification.

   Availability: the information processed and the services
    provided must be protected from deliberate or accidental
    loss, destruction, or interruption of services.
Information security?
Security attributes according to the Belgian
Privacy Commission

   Confidentiality
   Integrity
   Availability

    +

   Accountability
   Non-repudiation
   Authenticity
   Reliability
CIA Exercise
Defacing of Belgian Army website
CIA Exercise
   Confidentiality
      ??
      Webserver only hosting public information?
      Webserver separated from LAN?

   Integrity
     Unauthorized changes!

   Availability
     Information is no longer available
Security Why?
   Compliance with law

   Protect (valuable) assets

   Prevent production breakdowns

   Protect reputation, (non-)commercial image

   Meet customer & shareholder requirements

   Keep personnel happy
Security approach
   Both technical and non-technical countermeasures.
   Top-management approval and support!
   Communicate!
   Information security needs a layered approach!!!

   Best practices
       COBIT
        Control Objectives for Information and related Technology
       ISO 27002 (ISO 17799)
        Code of practice for information security management
       …..
ISO 27002
   Section   0    Introduction
   Section   1    Scope
   Section   2    Terms and Definitions
   Section   3    Structure of the Standard
   Section   4    Risk Assessment and Treatment
   Section   5    Security Policy
   Section   6    Organizing Information Security
   Section   7    Asset Management
   Section   8    Human Resources Security
   Section   9    Physical and Environmental Security
   Section   10   Communications and Operations Management
   Section   11   Access Control
   Section   12   Information Systems Acquisition, Development and
                   Maintenance
   Section 13     Information Security Incident Management
   Section 14     Business Continuity Management
   Section 15     Compliance
ISO 27002 - Example
Security audit local government > 500 employees
Technique: Social Engineering

ISO 27002 sections covered by the audit findings:
   Section 10   Procedures
   Section 9    Physical access
   Section 11   Logical access
   Section 15   Internal audit
Security vocabulary - Threat
   A potential cause of an unwanted incident, which may
    result in harm to individuals, assets, a system or
    organization, the environment, or the community.
    (BCI)

   Samples:

     Fire

     Death of a key person (SPOK or Single Point of Knowledge)

     Crash of a critical network component e.g. core switch (SPOF: single
      point of failure)

     …
Security vocabulary - Damage
   Harm or injury to property or a person, resulting in loss of
    value or the impairment of usefulness

   Damage in information security:
       Operational
       Financial
       Legal
       Reputational

   Damage defaced Belgian Army website?
       Operational:    probably (temporary frontpage, patch management,….)
       Financial:      probably (training personnel, hiring consultancy,….)
       Legal:          probably (lawsuit against external responsible?)
       Reputational:   certainly!
Security vocabulary - Risk
    Combination of the probability of an event and its
     consequence.

    Risk components
      Threat (probability)
      Damage (amount)

    Example (damage rated per category: O = Operational, F = Financial,
    L = Legal, R = Reputational; Risk = Max impact x Probability):

    Process         Threat                       O  F  L  R   Max impact   Probability   Risk
    Food freezing   Electricity failure > 24 h   4  3  2  2        4            2          8
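The scoring in the table above, as an added example that is not part of the original deck: a small risk register in Python that rates damage per category (O/F/L/R) and probability, takes the worst single damage rating as the max impact, and multiplies it by the probability. The 1..4 rating scale, the level thresholds and the extra register rows are assumptions of this example; the first row is the slide's own "Food freezing" entry, which scores 4 x 2 = 8.

```python
# Added example (not from the original deck): a risk register scored the way
# the 'Security vocabulary - Risk' slide does it.
# Assumptions: damage per category (Operational, Financial, Legal,
# Reputational) and probability are rated on a 1..4 scale, and
# Risk = Max impact (highest single damage rating) * Probability.
from dataclasses import dataclass

DAMAGE_CATEGORIES = ("operational", "financial", "legal", "reputational")
MIN_RATING, MAX_RATING = 1, 4  # assumed rating scale


@dataclass(frozen=True)
class RiskEntry:
    process: str
    threat: str
    damage: dict          # category -> rating
    probability: int      # threat likelihood rating

    def __post_init__(self) -> None:
        # Reject incomplete or out-of-scale rows early: a register row with a
        # missing category silently under-reports the max impact.
        missing = set(DAMAGE_CATEGORIES) - set(self.damage)
        if missing:
            raise ValueError(f"{self.process}: missing damage ratings {sorted(missing)}")
        for name, value in list(self.damage.items()) + [("probability", self.probability)]:
            if not MIN_RATING <= value <= MAX_RATING:
                raise ValueError(f"{self.process}: {name}={value} outside {MIN_RATING}..{MAX_RATING}")

    @property
    def max_impact(self) -> int:
        # The slide takes the worst single damage category, not the sum.
        return max(self.damage[c] for c in DAMAGE_CATEGORIES)

    @property
    def risk(self) -> int:
        return self.max_impact * self.probability


def risk_level(score: int) -> str:
    """Assumed thresholds for turning a score into a treatment priority."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank_register(entries):
    """Return entries ordered by risk (highest first) for treatment planning."""
    return sorted(entries, key=lambda e: (e.risk, e.max_impact), reverse=True)


# Constructed sample register; the first row is the slide's own example.
SAMPLE_REGISTER = [
    RiskEntry("Food freezing", "Electricity failure > 24 h",
              {"operational": 4, "financial": 3, "legal": 2, "reputational": 2}, 2),
    RiskEntry("Public website", "Defacement",
              {"operational": 2, "financial": 2, "legal": 2, "reputational": 4}, 3),
    RiskEntry("Payroll", "Death of key person (SPOK)",
              {"operational": 3, "financial": 2, "legal": 3, "reputational": 1}, 1),
]


def format_register(entries) -> str:
    """Render the ranked register as an aligned text table like the slide."""
    header = (f"{'Process':<16}{'Threat':<30}{'O':>3}{'F':>3}{'L':>3}{'R':>3}"
              f"{'Max':>5}{'Prob':>6}{'Risk':>6}  Level")
    lines = [header]
    for e in rank_register(entries):
        d = e.damage
        lines.append(f"{e.process:<16}{e.threat:<30}{d['operational']:>3}{d['financial']:>3}"
                     f"{d['legal']:>3}{d['reputational']:>3}{e.max_impact:>5}{e.probability:>6}"
                     f"{e.risk:>6}  {risk_level(e.risk)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_register(SAMPLE_REGISTER))
```

Taking the maximum rather than the sum keeps a single catastrophic category (here the reputational damage of a defacement) from being diluted by low ratings elsewhere, which is why the ranking puts the website above the freezer even though the freezer row has the higher operational rating.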
The Zen of Risk
   What is just the right amount of security?

   Seeking balance between
    Security (Yin) and Business (Yang):

      Potential loss    vs.   Cost
      Countermeasures   vs.   Productivity
Security vocabulary - AAA
    Authentication: technologies used to determine the
     authenticity of users, network nodes, and documents

    Authorization: who is allowed to do what?

    Accountability: is it possible to find out who has made
     any operations?


• Strong authentication
  (two-factor or multifactor)

• Something you know (password, PIN,…)
• Something you have (token,…)
• Something you are (fingerprint, …)
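The AAA slide above lists the authentication factors; as an added example that is not part of the original deck, the Python below combines "something you know" (a password checked against a policy and stored as a salted PBKDF2 hash) with "something you have" (a time-based one-time code, TOTP per RFC 6238) into one login decision. The user record, the policy thresholds, the PBKDF2 round count and the TOTP parameters (30-second step, 6 digits, HMAC-SHA1) are assumptions of this example; the TOTP seed is the published RFC 4226/6238 test-vector secret so the codes can be checked against the RFC.

```python
# Added example (not from the original deck): two-factor login check
# combining "something you know" (password policy + salted PBKDF2 hash)
# with "something you have" (TOTP code, RFC 6238).
# Assumptions: user store, policy thresholds, 200k PBKDF2 rounds,
# 30 s TOTP step, 6 digits, HMAC-SHA1.
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30


def password_policy_violations(password: str, min_length: int = 12) -> list:
    """Return the policy rules a password breaks (empty list = compliant)."""
    rules = {
        f"at least {min_length} characters": len(password) >= min_length,
        "an upper-case letter": any(c.isupper() for c in password),
        "a lower-case letter": any(c.islower() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a symbol": any(not c.isalnum() for c in password),
    }
    return [rule for rule, ok in rules.items() if not ok]


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the server stores only (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def totp(secret: bytes, timestamp: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter with dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift."""
    if not (code.isascii() and code.isdigit()):
        return False  # keep compare_digest on ASCII-only input
    return any(hmac.compare_digest(totp(secret, timestamp + TOTP_STEP * k), code)
               for k in range(-window, window + 1))


# Constructed user record: password hash plus per-user TOTP seed.
TOTP_SEED = b"12345678901234567890"  # RFC 4226/6238 test-vector secret
_salt, _digest = hash_password("Correct-Horse-Battery-9")
USERS = {"ivo": {"salt": _salt, "digest": _digest, "totp_seed": TOTP_SEED}}


def authenticate(username: str, password: str, code: str, now: int) -> tuple:
    """Return (success, reason). Both factors are always evaluated and the
    failure message is the same for every cause, so a caller learns only
    whether the login succeeded; which factor failed belongs in the audit log."""
    user = USERS.get(username)
    if user is None:
        # Do the same hashing work as a real lookup so timing does not leak usernames.
        hash_password(password, b"\x00" * 16)
        return False, "unknown user or bad credentials"
    know_ok = verify_password(password, user["salt"], user["digest"])
    have_ok = verify_totp(user["totp_seed"], code, now)
    if know_ok and have_ok:
        return True, "authenticated with two factors"
    return False, "unknown user or bad credentials"


if __name__ == "__main__":
    print(authenticate("ivo", "Correct-Horse-Battery-9", totp(TOTP_SEED, 59), 59))
```

The drift window of one step in each direction is a deliberate trade-off: it keeps a slightly skewed phone clock usable while leaving an attacker at most three valid codes per 30 seconds, which is why the password factor and rate limiting still matter.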
The weakest link
   Countermeasures:
   • Force password policy on server
   • Train personnel
   • Use strong authentication
   • …

SEC_RITY is not complete without U!
The weakest link
   Countermeasures:
   • Implement security & access policies
   • Job rotation
   • Encryption
   • Employee awareness training
   • Audit trail of all accesses to documents
   • ….

Amateurs hack systems, professionals hack people!
Hacking steps
Step                        Countermeasures (short list)
1. Reconnaissance           Be careful with information
2. Network mapping          Network IDS – block ICMP
3. Exploiting               System hardening
4. Keeping access           IDS – Antivirus – rootkit scanners
5. Covering Tracks


 Reconnaissance (information gathering):

 Searching interesting information on discussion groups/forum,
 social networks, customer reference lists, Google hacks…
Real life security sample
High security (war)zone

   Illiterate (local) cleaning personnel (use opportunities!!!)
   (diagram) LAN and WWW kept apart, separation >2m; Tempest!!!

Physical security:
• Personnel clearance
• Physical control
• PC placement (shoulder surfing)
• Clean desk policy
• Shredder
• Lock screen policy

Logical security:
• Fiber to PC
• VLANs
• Password policy
• …
We learned….
   Security is CIA(+)
   Why: law, reputation, production continuity,…
   Approach: layered, technical & non-technical, support
    from CEO, lots of communication
   Vocabulary: threat, damage, risk, (strong)authentication,
    authorization, accountability
   Risk = threat * damage
   Security balance: loss vs. cost
    & countermeasures vs. productivity
   The weakest link is personnel!
   A hacker starts with information gathering
Information security for dummies
