What is Information Security? and why you should care…
Information Security is like … a Salt Lake…
Because it’s about a mile wide and about 4 cm deep
So in the next 30 minutes…
• Explain what Information Security is
• Encourage you to look into it further
• Maybe get you to think of it as a future career
But first, just another day
What is Information Security?
“Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.”
SANS Institute: Information Security Resources
More simply:
“Protecting the Confidentiality, Integrity and Availability of your information”.
The CIA Triad …
• What are Confidentiality, Integrity and Availability?
• Confidentiality – keeping information “secret” or “private”
• Integrity – ensuring information is accurate
• Availability – ensuring information is available
Example … (figure: Confidentiality, Integrity, Availability)
Latest Data breaches … as of 15th November
Courtesy of:
www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Why does this matter?
• Because there’s a data collection explosion going on:
• 2.5 exabytes of data harvested daily
• 90% of the world’s data has been collected in the last 2 years
• By 2020 an estimated 40 Zettabytes per day
• Much of that data is about you …
• 5.7TB of data on each of you every day by 2020
• Most of that data is collected by 4 companies
But it’s not a matter of life or death
• Or is it:
• DDoS on building heating systems – Finland
• Malware at North Lincolnshire NHS led to hundreds of operations being cancelled.
• Cyber attacks threatening national security doubled in a year
• UK facing up to seven serious cyber assaults every day
How do you go about protecting information?
• Not useful to the business, not useful to you
• Information security is about enabling the business and ensuring that bad things don’t jeopardise the business
• It needs to be proportionate to the risk
Easy …
But:
Business Impact Assessment
• Understand what data or information you have or need = Information Assets
• Understand the value of the information to your business
• Understand the impact if there was an incident or compromise
• e.g. an impact to the C, I or A
Assess risk
• What is a risk?
“The likelihood of a threat or vulnerability having an adverse impact to the confidentiality, integrity or availability of an information asset.”
• Likelihood – from won’t happen -> extremely likely to happen
• Threat e.g. a criminal breaks into your house / a hacker breaks into your website
• Vulnerability e.g. leaving your house unlocked / not patching a security weakness in your website
• Impact e.g. your Xbox is stolen / the personal health records of 10K people are stolen
Example
Here’s a bald tyre… what’s the risk?
A volunteer
So you have a risk,
• what are you going to do about it?
What’s your risk appetite?
How does this stack up against your other risks, which should you prioritise?
What is the business benefit or reward?
Risk treatment
You can choose how to treat a risk. Example: a web application vulnerability in your web site could be exploited by a hacker to steal patient record data. Your options:
• Tolerate it – do nothing and accept the risk of being hacked …
• Terminate it – switch it off and deny patients from getting the necessary treatment …
• Treat it – reduce the likelihood by:
• encrypting the data,
• fixing the vulnerability in the code
• Transfer it – contract a 3rd party:
• to protect the website using a web application firewall service
• to provide cyber insurance
In business …
• Risk almost always comes down to:
• Financial risk – how much am I going to lose? what is the cost to repair?
• Reputational risk – how is this going to affect my brand?
• As an InfoSec professional it’s important to:
• be able to translate “technical risk” into “business speak”
• assess and prioritise the risk
• ensure that any risk approach is proportionate
• understand that some risks can’t be avoided and that both are necessary:
• preventive measures – e.g. antivirus
• corrective measures – e.g. virus removal
• be prepared for an incident – Cyber Resilience
Cyber Security – Hot topic!
• Recognised as one of the greatest threats to business globally
• Global cost of crimes in cyberspace $445 billion (estimate from World Economic Forum’s 2016 Global Risks Report).
• In the news daily
• Nothing new?
Cyber Security… Cyber threats
How long have there been PC viruses?
Brain is 30 years old
Major Cyber threats
Malware and weak endpoints
Data loss/leakage/theft
Distributed Denial of Service attacks
Impersonation, cybersquatting
Interception (MiTM)
Human error, social engineering
Web application attacks
Cyber crime, cyber fraud, cyber theft
Cyber warfare, cyber terrorism
Defacement / reputational damage
Cyber bullying, blackmail and extortion, ransomware
Identity theft
Industrial espionage
Intellectual property theft, copyright infringement
Web vulnerabilities – OWASP top 10 (2013)
Injection e.g. SQL injection
Broken Authentication and Session Management
Cross Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross Site Request Forgery (CSRF)
Using Known Vulnerable Components
Unvalidated Redirects and Forwards
What’s the link?
Threat Actors
• Organised Criminals – 2nd most reported economic crime
• Foreign Intelligence Services e.g. Stuxnet
• Hacktivists e.g. Anonymous, LulzSec
• “Script Kiddies”
• Insiders e.g. disgruntled employees and former employees, errors
• Bots – your PC, phone, TV, web cam, router – IoT
Most “sophisticated” attacks start simple…
Dr Ian Levy – Director of the National Cyber Security Centre
7 stages of an attack
Reconnaissance – identify
Scanning – and enumeration
Infiltrate – access and escalation
Exfiltrate – data collection
Sustain – lateral movement, back channels/doors, rootkits, C&C
Attack/Assault – damaging
Obfuscate – hide actions, distract, confuse
Bit like breaking and entering…
Front door
• Web application vulnerability
• Typically SQL injection
Back door
• Phishing email (spearphishing, whaling)
• Social engineering credential harvesting
• Malware disguised as an invoice
Gain a foothold and then:
• Escalate – get privileged access
• Move laterally to get to more sensitive assets
• Set up a “reverse shell” and join a command and control network
RIO – Olympic Athletes TUE Records breach
• “Sophisticated” attack
• Release of health records
• 29+ Olympic athletes
• Russian Fancy Bear group
• Allegedly Russian Government revenge
• “Sophisticated” == phishing email
So we learnt that…
• There are lots of threats and “attack vectors”
• It’s a serious organised business driven by money
• Often attacks don’t need to be sophisticated to begin with
• But once in, the attacker can rely on an evolving array of sophisticated tools and techniques to get further
Time to go back to the experts
Approaches
• Old approaches
• Citadel approach
• Defence in depth
• Both take an outside-in approach
• Today neither is sufficient
• Cyber attacks today are:
• As much about breaking out as about breaking in
• As much about privilege escalation and lateral movement
• Security controls today need to take an inside-out approach
So what can you do?
SANS 20 CIS
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configuration of End-User Devices
4 Continuous Vulnerability Assessment & Remediation
5 Controlled Use of Administrative Privileges
6 Maintenance, Monitoring, and Analysis of Audit Logs
7 Email and Web Browser Protections
8 Malware Defense
9 Limitation & Control of Network Ports, Protocols, and Services
10 Data Recovery Capability
11 Secure Configuration of Network Devices
12 Boundary Defense
13 Data Protection
14 Controlled Access Based on Need to Know
15 Wireless Access Control
16 Account Monitoring and Control
17 Security Skills Assessment and Appropriate Training
18 Application Software Security
19 Incident Response and Management
20 Penetration Tests and Red Team Exercises
The really important stuff
Cryptography
• Establish trust: authenticity, non-repudiation, veracity, privacy
Boundary defence
• Not just firewalls
• Controlling and inspecting traffic in and out
• Email and web filtering
Protective Monitoring
• Helps detect and investigate incidents
Secure Endpoints
• Lockdown
• Patching
• Malware protection
• Security testing
Incident management
• Incidents will happen
• Rehearsal == preparedness
Application security
• Input/output verification/validation
• Parameterisation
EATS
• Education
• Awareness
• Training
• Skillz
• Humans get hacked
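An added example of the two application-security points above (input validation and parameterisation), not code from the talk: a constructed patient-record lookup in Python/sqlite3 that shows the string-concatenated query behind the OWASP “Injection” entry beside a parameterised version and a validated-plus-parameterised version. The table, the sample rows and the `P####` ID format are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data (not real records): a small "patient records" table,
# the kind of asset the risk-treatment slide uses as its example.
SAMPLE_PATIENTS = [
    ("P1001", "Alice Example", "asthma"),
    ("P1002", "Bob Example", "diabetes"),
    ("P1003", "Carol Example", "hypertension"),
]

# Assumed ID format for the sample data: a 'P' followed by four digits.
PATIENT_ID_RE = re.compile(r"P[0-9]{4}")


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (patient_id TEXT, name TEXT, condition TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    return conn


def lookup_vulnerable(conn, patient_id):
    """The 'before' picture: caller input is pasted straight into the SQL text.

    Whatever the caller supplies becomes part of the statement, so the query the
    database runs is no longer the query the developer wrote (OWASP: Injection).
    """
    sql = ("SELECT patient_id, name, condition FROM patients "
           "WHERE patient_id = '" + patient_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, patient_id):
    """Parameterisation alone: the value travels separately from the SQL text.

    The '?' placeholder means the database treats the value purely as data, so
    an input containing quotes or SQL keywords simply fails to match any row.
    """
    sql = "SELECT patient_id, name, condition FROM patients WHERE patient_id = ?"
    return conn.execute(sql, (patient_id,)).fetchall()


def lookup_hardened(conn, patient_id):
    """Validation plus parameterisation: reject malformed input, then bind it.

    Validation stops bad input before it reaches the database at all, which is
    also useful for logging and detection; parameterisation protects the query
    even if a validation rule is later loosened.
    """
    if not PATIENT_ID_RE.fullmatch(patient_id):
        raise ValueError("patient_id does not match the expected format")
    return lookup_parameterised(conn, patient_id)


def compare(patient_id):
    """Run one input through all three versions and report the row counts.

    Returns (vulnerable_rows, parameterised_rows, hardened_rows); the last is
    None when validation rejected the input rather than querying with it.
    """
    conn = make_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, patient_id))
        parameterised = len(lookup_parameterised(conn, patient_id))
        try:
            hardened = len(lookup_hardened(conn, patient_id))
        except ValueError:
            hardened = None
    finally:
        conn.close()
    return vulnerable, parameterised, hardened


if __name__ == "__main__":
    # A legitimate lookup behaves the same in all three versions.
    print("P1002        ->", compare("P1002"))
    # A tautology string turns the concatenated query into "return every row";
    # parameterisation returns nothing, and validation refuses it outright.
    print("' OR '1'='1  ->", compare("' OR '1'='1"))
```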
National Cyber Security Strategy
“The UK will be one of the safest places in the world to do business, with a world-class cyber security industry and workforce thanks to a new plan underpinned by £1.9 billion of investment”.
• Automated defences to safeguard citizens and businesses against growing cyber threats
• Support growing cyber security industry
• Develop a world-class cyber workforce
• Deter cyber-attacks from criminals and hostile actors … retaliate.
You are that future workforce
• Lots of skills and personalities are suited to information security
• Even with these questionable attributes:
• If you’re good at breaking things and finding loopholes…
• If you like taking things apart…
• If you like sticking odd things together…
• If you can’t help poking your nose in…
• If you can’t help judging things and pointing out people’s mistakes…
• If you think you know best all the time…
Penetration tester
Security researcher
CISO
Auditor
Security Architect
Intrusion Analyst
The strategy == opportunity for you…
• Builds on a range of skills and education initiatives:
• cyber apprentices
• retraining schemes
• advanced cyber security teaching in schools
• Creating a Cyber Security Innovation Centre in Cheltenham
• Launching a Cyber Innovation Fund
• develop innovative technologies and products
• Funding training and support for cyber start-ups and academics
• help commercialise research and attract private sector investment
Swindon … A unique position …
Remember
• Salt lakes are attractive
• Are rich ecosystems
• But, it’s easy to lose your footing
• If you fall through the crust
• Smells awful
• Gets under your skin
• And stings like hell… (for a while)

More Related Content

What's hot

#HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance #HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance Dovetail Software
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debateDavid Strom
 
How to safe your company from having a security breach
How to safe your company from having a security breachHow to safe your company from having a security breach
How to safe your company from having a security breachBaltimax
 
Privacy by design for peerlyst meetup
Privacy by design for peerlyst meetupPrivacy by design for peerlyst meetup
Privacy by design for peerlyst meetupIshay Tentser
 
Privacy by design for startups: legal and technology
Privacy by design for startups: legal and technologyPrivacy by design for startups: legal and technology
Privacy by design for startups: legal and technologyIshay Tentser
 
Data protection within development
Data protection within developmentData protection within development
Data protection within developmentowaspsuffolk
 
Privacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artPrivacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artJames Mulhern
 
Cybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys todayCybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys todayDan Michaluk
 
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By DesignGDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By DesignJohn Eckman
 
Privacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam CompliancePrivacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam ComplianceDan Michaluk
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacyimehreenx
 
How to manage a data breach
How to manage a data breachHow to manage a data breach
How to manage a data breachDan Michaluk
 
One hour cyber july 2013
One hour cyber july 2013One hour cyber july 2013
One hour cyber july 2013Dan Michaluk
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response PlanNext Dimension Inc.
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianPECB
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 
Csa privacy by design & gdpr austin chambers 11-4-17
Csa   privacy by design & gdpr austin chambers 11-4-17Csa   privacy by design & gdpr austin chambers 11-4-17
Csa privacy by design & gdpr austin chambers 11-4-17Trish McGinity, CCSK
 

What's hot (20)

#HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance #HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debate
 
How to safe your company from having a security breach
How to safe your company from having a security breachHow to safe your company from having a security breach
How to safe your company from having a security breach
 
Privacy by design for peerlyst meetup
Privacy by design for peerlyst meetupPrivacy by design for peerlyst meetup
Privacy by design for peerlyst meetup
 
Privacy by design for startups: legal and technology
Privacy by design for startups: legal and technologyPrivacy by design for startups: legal and technology
Privacy by design for startups: legal and technology
 
Data protection within development
Data protection within developmentData protection within development
Data protection within development
 
Information Security For Small Business
Information Security For Small BusinessInformation Security For Small Business
Information Security For Small Business
 
Privacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the artPrivacy by Design - taking in account the state of the art
Privacy by Design - taking in account the state of the art
 
Cybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys todayCybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys today
 
Data privacy & social media
Data privacy & social mediaData privacy & social media
Data privacy & social media
 
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By DesignGDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
 
Privacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam CompliancePrivacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam Compliance
 
Information Privacy
Information PrivacyInformation Privacy
Information Privacy
 
Cas cyber prez
Cas cyber prezCas cyber prez
Cas cyber prez
 
How to manage a data breach
How to manage a data breachHow to manage a data breach
How to manage a data breach
 
One hour cyber july 2013
One hour cyber july 2013One hour cyber july 2013
One hour cyber july 2013
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response Plan
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 
Csa privacy by design & gdpr austin chambers 11-4-17
Csa   privacy by design & gdpr austin chambers 11-4-17Csa   privacy by design & gdpr austin chambers 11-4-17
Csa privacy by design & gdpr austin chambers 11-4-17
 

Similar to What is Information Security and why you should care ...

Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxRoshni814224
 
Cyber Secure Center.pptx
Cyber Secure Center.pptxCyber Secure Center.pptx
Cyber Secure Center.pptxmanishmanish97
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfMansoorAhmed57263
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a ShoestringNCC Group
 
Social Engineering Basics
Social Engineering BasicsSocial Engineering Basics
Social Engineering BasicsLuke Rusten
 
Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Hannah Jane del Castillo
 
An Introduction To IT Security And Privacy In Libraries
 An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In LibrariesBlake Carver
 
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategyCyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategyJames Mulhern
 
Scot Secure 2017
Scot Secure 2017Scot Secure 2017
Scot Secure 2017Ray Bugg
 
Contextual Cyber Security for IoT
Contextual Cyber Security for IoTContextual Cyber Security for IoT
Contextual Cyber Security for IoTMONICA-Project
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsKrishna Srikanth Manda
 
Insurance Cyber Risks Presentation
Insurance  Cyber Risks PresentationInsurance  Cyber Risks Presentation
Insurance Cyber Risks PresentationNeville Cartwright
 
Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...XeniT Solutions nv
 

Similar to What is Information Security and why you should care ... (20)

Cyber
CyberCyber
Cyber
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptx
 
IT Security Summit 2016
IT Security Summit 2016IT Security Summit 2016
IT Security Summit 2016
 
Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.
 
Cyber Secure Center.pptx
Cyber Secure Center.pptxCyber Secure Center.pptx
Cyber Secure Center.pptx
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
 
Social Engineering Basics
Social Engineering BasicsSocial Engineering Basics
Social Engineering Basics
 
Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)Internet Issues (How to Deal on Internet Security)
Internet Issues (How to Deal on Internet Security)
 
An Introduction To IT Security And Privacy In Libraries
 An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries
 
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategyCyber Attacks aren't going away - including Cyber Security in your risk strategy
Cyber Attacks aren't going away - including Cyber Security in your risk strategy
 
Scot Secure 2017
Scot Secure 2017Scot Secure 2017
Scot Secure 2017
 
Showreel ICSA Technology Conference
Showreel ICSA Technology ConferenceShowreel ICSA Technology Conference
Showreel ICSA Technology Conference
 
Contextual Cyber Security for IoT
Contextual Cyber Security for IoTContextual Cyber Security for IoT
Contextual Cyber Security for IoT
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
 
Insurance Cyber Risks Presentation
Insurance  Cyber Risks PresentationInsurance  Cyber Risks Presentation
Insurance Cyber Risks Presentation
 
Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...
 
Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 
Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 

Recently uploaded

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
What is Information Security and why you should care ...

  • 1. What is Information Security? and why you should care…
  • 2. Information Security is like … a Salt Lake… Because it’s about a mile wide and about 4cms deep
  • 3. So in the next 30 minutes…
    • Explain what Information Security is
    • Encourage you to look into it further
    • Maybe think of it as a future career
  • 4. But first, just another day
  • 5. What is Information Security?
    • “Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.” SANS Institute: Information Security Resources
    • More simply: “Protecting the Confidentiality, Integrity and Availability of your information”.
  • 6. The CIA Triad …
    • What are Confidentiality, Integrity and Availability?
    • Confidentiality – keeping information “secret” or “private”
    • Integrity – ensuring information is accurate
    • Availability – ensuring information is available
  • 7. Example … Confidentiality, Integrity, Availability
  • 8. Latest data breaches … as of 15th November. Courtesy of: www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  • 9. Why does this matter?
    • Because there’s a data collection explosion going on:
    • 2.5 exabytes of data harvested daily
    • 90% of the world’s data has been collected in the last 2 years
    • By 2020 estimate 40 Zettabytes per day
    • Much of that data is about you …
    • 5.7TB of data on each of you every day by 2020
    • Most of that data is collected by 4 companies
  • 10. But it’s not a matter of life or death
    • Or is it:
    • DDoS on building heating systems – Finland
    • Malware at North Lincolnshire NHS led to hundreds of operations being cancelled.
    • Cyber attacks threatening national security doubled in a year
    • UK facing up to seven serious cyber assaults every day
  • 11. How do you go about protecting information?
    • Not useful to the business, not useful to you
    • Information security is about enabling the business and ensuring that bad things don’t jeopardise the business
    • Needs to be proportionate to the risk
    • Easy … But:
  • 12. Business Impact Assessment
    • Understand what data or information you have or need = Information Assets
    • Understand the value of the information to your business
    • Understand the impact if there was an incident or compromise, e.g. an impact to the C, I or A.
  • 13. Assess risk
    • What is a risk? “The likelihood of a threat or vulnerability having an adverse impact to the confidentiality, integrity or availability of an information asset.”
    • Likelihood – won’t happen -> extremely likely to happen
    • Threat e.g. a criminal breaks into your house / a hacker breaks into your website
    • Vulnerability e.g. leaving your house unlocked / not patching a security weakness in your website
    • Impact e.g. your Xbox is stolen / the personal health records of 10K people are stolen
  • 14. Example: Here’s a bald tyre… what’s the risk?
  • 16. So you have a risk, what are you going to do about it?
    • What’s your risk appetite?
    • How does this stack up against your other risks, which should you prioritise?
    • What is the business benefit or reward?
  • 18. A web application vulnerability in your web site could be exploited by a hacker to steal patient record data:
    • Tolerate it – do nothing and accept the risk of being hacked …
    • Terminate it – switch it off and deny patients from getting the necessary treatment …
    • Treat it – reduce the likelihood by: encrypting the data; fixing the vulnerability in the code
    • Transfer it – contract a 3rd party: to protect the website using a web application firewall service; to provide cyber insurance
  • 19. In business …
    • Risk almost always comes down to:
    • Financial risk – how much am I going to lose? What is the cost to repair?
    • Reputational risk – how is this going to affect my brand?
    • As an InfoSec professional it’s important to:
    • be able to translate “technical risk” into “business speak”
    • assess and prioritise the risk
    • ensure that any risk approach is proportionate
    • understand that some risks can’t be avoided and that both preventive measures (e.g. antivirus) and corrective measures (e.g. virus removal) are necessary
    • be prepared for an incident – Cyber Resilience
  • 20. Cyber Security – Hot topic!
    • Recognised as one of the greatest threats to business globally
    • Global cost of crimes in cyberspace $445 billion (estimate from World Economic Forum’s 2016 Global Risks Report).
    • In the news daily
    • Nothing new?
  • 21. Cyber Security…. Cyber threats – How long have there been PC viruses? Brain is 30 years old
  • 22. Major Cyber threats
    • Malware and weak endpoints
    • Data loss/leakage/theft
    • Distributed Denial of Service Attacks
    • Impersonation, Cybersquatting
    • Interception, MiTM
    • Human Error
    • Social Engineering
    • Web application attacks
    • Cyber crime, Cyber fraud, Cyber theft
    • Cyber warfare, Cyber terrorism
    • Defacement / Reputational damage
    • Cyber bullying, blackmail and extortion, ransomware
    • Identity theft
    • Industrial espionage
    • Intellectual property theft, Copyright infringement
  • 23. Web vulnerabilities – OWASP top 10 (2013)
    • Injection e.g. SQL injection
    • Broken Authentication and Session Management
    • Cross Site Scripting (XSS)
    • Insecure Direct Object References
    • Security Misconfiguration
    • Sensitive Data Exposure
    • Missing Function Level Access Control
    • Cross Site Request Forgery (CSRF)
    • Using Known Vulnerable Components
    • Unvalidated Redirects and Forwards
  • 25. Threat Actors
    • Organised Criminals – 2nd most reported economic crime
    • Foreign Intelligence Services e.g. Stuxnet
    • Hacktivists e.g. Anonymous, LulzSec
    • “Script Kiddies”
    • Insiders e.g. disgruntled employees and former employees, errors
    • Bots – your PC, phone, TV, web cam, router – IoT
  • 26. Most “sophisticated” attacks start simple… Dr Ian Levy – Director of the National Cyber Security Centre
  • 27. 7 stages of an attack
    • Reconnaissance – identify
    • Scanning – and enumeration
    • Infiltrate – access and escalation
    • Exfiltrate – data collection
    • Sustain – lateral movement, back channels/doors, rootkits, C&C
    • Attack/Assault – damaging
    • Obfuscate – hide actions, distract, confuse
  • 28. Bit like breaking and entering…
    • Front door: web application vulnerability, typically SQL injection
    • Back door: phishing email (spearphishing, whaling); social engineering credential harvesting; malware invoice
    • Gain a foothold and then:
    • Escalate – get privileged access
    • Move laterally to get to more sensitive assets
    • Set up a “reverse shell”, join a command and control network
  • 29. RIO – Olympic Athletes TUE Records breach
    • “Sophisticated” attack
    • Release of health records
    • 29+ Olympic athletes
    • Russian Fancy Bear group
    • Allegedly Russian Government revenge
    • “Sophisticated” == phishing email
  • 30. So we learnt that…
    • There are lots of threats and “attack vectors”
    • It’s a serious organised business driven by money
    • Often attacks don’t need to be sophisticated to begin
    • But once in, the attacker can rely on an evolving array of sophisticated tools and techniques to get further
  • 31. Time to go back to the experts
  • 32. Approaches
    • Old approaches: Citadel approach; Defence in depth
    • Both take an outside-in approach
    • Today neither is sufficient
    • Cyber attacks today are as much to do with breaking out as breaking in, and as much to do with privilege escalation and lateral movement
    • Security controls today need to take an inside-out approach
  • 33. So what can you do? SANS 20 / CIS
    • 1 Inventory of Authorized and Unauthorized Devices
    • 2 Inventory of Authorized and Unauthorized Software
    • 3 Secure Configuration of End-User Devices
    • 4 Continuous Vulnerability Assessment & Remediation
    • 5 Controlled Use of Administrative Privileges
    • 6 Maintenance, Monitoring, and Analysis of Audit Logs
    • 7 Email and Web Browser Protections
    • 8 Malware Defense
    • 9 Limitation & Control of Network Ports, Protocols, and Services
    • 10 Data Recovery Capability
    • 11 Secure Configuration of Network Devices
    • 12 Boundary Defense
    • 13 Data Protection
    • 14 Controlled Access Based on Need to Know
    • 15 Wireless Access Control
    • 16 Account Monitoring and Control
    • 17 Security Skills Assessment and Appropriate Training
    • 18 Application Software Security
    • 19 Incident Response and Management
    • 20 Penetration Tests and Red Team Exercises
  • 34. The really important stuff
    • Cryptography – establish trust: authenticity, non-repudiation, veracity, privacy
    • Boundary defence – not just firewalls; controlling and inspecting traffic in and out; email and web filtering
    • Protective Monitoring – help detect and investigate incidents
    • Secure Endpoints – lockdown, patching, malware protection, security testing
    • Incident management – incidents will happen; rehearsal == preparedness
    • Application security – input/output verification/validation; parameterisation
    • EATS – Education, Awareness, Training, Skillz; humans get hacked
  • 35. National Cyber Security Strategy
    • “The UK will be one of the safest places in the world to do business, with a world-class cyber security industry and workforce thanks to a new plan underpinned by £1.9 billion of investment”.
    • Automated defences to safeguard citizens and businesses against growing cyber threats
    • Support growing cyber security industry
    • Develop a world-class cyber workforce
    • Deter cyber-attacks from criminals and hostile actors … retaliate.
  • 36. You are that future workforce
    • Lots of skills and personalities are suited to information security
    • Even with these questionable attributes:
    • If you’re good at breaking things and finding loopholes…
    • If you like taking things apart …
    • If you like sticking odd things together…
    • If you can’t help poking your nose in …
    • If you can’t help judging things and pointing out people’s mistakes …
    • If you think you know best all the time …
    • Penetration tester, Security researcher, CISO, Auditor, Security Architect, Intrusion Analyst
  • 37. The strategy == opportunity for you…
    • Builds on a range of skills and education initiatives: cyber apprentices; retraining schemes; advanced cyber security teaching in schools
    • Creating a Cyber Security Innovation Centre in Cheltenham
    • Launching a Cyber Innovation Fund to develop innovative technologies and products
    • Funding training and support for cyber start-ups and academics to help commercialise research and attract private sector investment
  • 38. Swindon … A unique position …
  • 39. Remember
    • Salt lakes are attractive
    • Are rich ecosystems
    • But, it’s easy to lose your footing
    • If you fall through the crust
    • Smells awful
    • Gets under your skin
    • And stings like hell… (for a while)
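As an added example (not part of the slides), here is the “front door” of slide 28 and the risk scenario of slide 18 in code: a patient-record lookup that splices user input into SQL, next to the parameterised and input-validated versions that slide 34 recommends under “Application security”. The table, rows, column names and the hostile input are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the slides): a tiny patient-records table
# standing in for the "patient record data" in the slide 18 risk example.
SAMPLE_PATIENTS = [
    (1, "alice", "A+"),
    (2, "bob", "O-"),
    (3, "carol", "B+"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, name TEXT, blood_group TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The weakness: user input becomes part of the SQL text, so the input can
    change the query's structure (OWASP 2013 A1, Injection)."""
    sql = f"SELECT id, name, blood_group FROM patients WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """'Treat it': the query shape is fixed and the input is bound as data, so the
    caller's string can only ever be compared against a name, never parsed as SQL."""
    sql = "SELECT id, name, blood_group FROM patients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Hypothetical allow-list for this table's names: lowercase letters only.
NAME_RE = re.compile(r"^[a-z]{1,32}$")


def lookup_validated(conn: sqlite3.Connection, name: str) -> list:
    """Defence in depth: input validation in front of the parameterised query.
    Rejecting anything outside the expected format gives an early, loggable signal."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("rejected input that is not a plain lowercase name")
    return lookup_parameterised(conn, name)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print("vulnerable    ->", lookup_vulnerable(db, hostile))     # every row leaks
    print("parameterised ->", lookup_parameterised(db, hostile))  # no rows
```

The same input returns the whole table from the first function and nothing from the second, which is the entire difference between “tolerate it” and “treat it” for this class of bug.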

Editor's Notes

  1. Figures from 2012. An exabyte is a quintillion bytes; 2.5 exabytes is 2.5 billion gigabytes. The 40 zettabytes figure is ~41,000 exabytes.
  2. Likelihood – the probability; Threat – something nasty; Vulnerability – a weakness; Impact – the consequence.