Presentation on Cybersecurity and demonstration of security tools, conducted by Vicky Fernandes on 10th September 2019 at Don Bosco Institute of Technology, Mumbai.

1. CYBER SECURITY AND DEMONSTRATION
OF SECURITY TOOLS
Vicky Fernandes

3. OVERVIEW
A. Cyber Security:
•Market Value of Cyber Security
•Cyber Crime Statistics
•What is Cyber Security?
•The CIA Triad of Information Security
•Cyber Security Careers

4. B. Demonstration of Security Tools:
•Understanding CVE, CWE, CVSS, OWASP Top 10, SANS Top 25.
•Wireshark demonstration.
•Nmap demonstration.
•Nessus – Vulnerability Assessment scanning tool.

5. MARKET VALUE OF CYBER SECURITY
•According to the Gartner Press
release in 2018, the Cyber
Security market is forecast to
grow 8.7 percent to $124
billion.

7. •By 2024, the value of Cyber
Security market is anticipated
to reach $300 Billion.
(Source: Press release 2019 by
Global Market Insights Inc.
https://www.prnewswire.com/n
ews-releases/cybersecurity-
market-worth-over-300bn-by-
2024-global-market-insights-
inc--863930577.html )

8. WHO’S SPENDING BIG IN CYBER SECURITY?
•According to the 2019 President’s
Budget released by the White
House, the U.S. government plans
to spend on cybersecurity-related
activities this year — a 4.1%
increase ($583.4 million) over the
2018 budget.
•However, according to the budget
document, the caveat is that “Due
to the sensitive nature of some
activities, this amount does not
represent the entire cyber
budget.”

9. •According to the firm Cybersecurity Ventures, it is predicted that
global spending on cybersecurity products and services will
exceed $1 trillion cumulatively over the next five years, from
2017 to 2021.
•If considered as a whole, 12-15 percent year-over-year
cybersecurity market growth is anticipated through 2021.

10. BUT WHY ARE GOVERNMENTS & ORGANIZATIONS
SPENDING SO MUCH ON CYBER SECURITY?

11. TO PROTECT THEMSELVES FROM CYBER CRIME

12. CYBER CRIME STATISTICS
•According to McAfee’s Economic Impact of Cyber
Crime (February 2018), 780,000 records were lost per day in
2017.
•According to Cisco’s 2018 Annual Cybersecurity Report, 38% of
malicious file extensions used were Office formats.
•According to Varonis’s 2018 Global Data Risk Report, 6.2 billion
files were analyzed. These files contained credit card information,
health records, etc. 21% of these files were open for global
access. Furthermore, 41% of companies have more than 1000
sensitive files open to everyone.

13. •According to the information-
age.com, If cybercrime was a
country it would have the 13th
highest GDP in the world.
•Global cybercrime economy
generates over $1.5TN profit.
•In 2015, Juniper Networks
conducted a study and found that
global cybercrime takes in larger
profits than the illegal drug trade.

14. •According to the National
Cyber Security Alliance 60
percent of small and midsized
businesses that are hacked go
out of business within six months.
(Source: inc.com)

15. •In 2016, 3 billion Yahoo
accounts were hacked in one of
the biggest breaches of all
time.
•In 2016, Uber reported that
hackers stole the information of
over 57 million riders and
drivers.
•In 2017, 147.9 million
consumers were affected by the
Equifax Breach
•In 2017, Deloitte faced a
Cyber attack on it’s Email
servers.

16. WHAT IS CYBER SECURITY?

17. WHAT IS CYBER SECURITY?
•Cybersecurity is the protection of internet-connected systems,
including hardware, software and data, from cyberattacks.
•In a computing context, security comprises cybersecurity and
physical security -- both are used by enterprises to protect against
unauthorized access to data centers and other computerized
systems.
•Information security, which is designed to maintain the
confidentiality, integrity and availability of data, is a subset of
cybersecurity.

18. THE CIA TRIAD OF INFORMATION SECURITY
•Confidentiality: Ensures that data or
an information system is accessed by
only an authorized person.
•Integrity: Integrity assures that the
data or information system can be
trusted. Ensures that it is edited by
only authorized persons and remains
in its original state when at rest.
•Availability: Data and information
systems are available when
required.

19. SECURITY & PRIVACY
•Privacy relates to any rights you have to
control your personal information and
how it’s used.
•Example: Privacy Policies.
•Security refers to how your personal
information is protected.

20. CYBER SECURITY CAREERS
1. Security Software Developer:
•Security Software Developers build security software and integrate
security into applications software during the design and development
process.
•Depending on the specific position and company, a security software
developer might oversee a team of developers in the creation of secure
software tools, develop a company-wide software security strategy,
participate in the lifecycle development of software systems, support
software deployments to customers, and test their work for
vulnerabilities.

21. Salary:
•US: $ 72,673 per annum
•India: Rs. 5,91,899
Certifications:
•ECSP: EC-Council Certified Secure Programmer
•CSSLP: Certified Secure Software Lifecycle Professional
•GSSP-JAVA: GIAC Secure Software Programmer-Java
•GWEB: GIAC Certified Web Application Defender
•GSSP-.NET: GIAC Secure Software Programmer- .NET

22. 2. Security Architect:
•A security architect is meant to create, build and execute network
and computer security for an organization.
•Security architects are responsible for developing complex security
framework and ensuring that they function effectively.
•They design security systems to counter malware, hacking and
DDoS attacks.

23. Salary:
•India: Rs 20,14,765 per annum
•US: $123,856 per annum
Certifications:
•CompTIA Security+
•Ethical Hacking
•Certified Information Systems Security Professional (CISSP)

24. 3. Security Consultant:
•Security Consultants evaluate cybersecurity threats, risks, problems,
and give possible solutions for different organizations and guide
them in protecting and securing their physical capital and data.
Salary:
•India: Rs 7,45,839 per annum
•US: $83,288 per annum

25. Certifications:
•CompTIA Security+
•Cybersecurity Analyst (CySA+)
•Certified Ethical Hacker (CEH)
•EC-Council Certified Security Analyst (ECSA)
•Certified Information Security Manager (CISM)
•Certified Information Systems Security Professional (CISSP)
•Offensive Security Certified Professional (OSCP)

26. 4. Information Security Analyst / Security Engineers
•Information Security Analysts are the front-line defense of
networks.
•Information Security Analysts put firewalls and encryption in order
to protect breaches, constantly monitor and audit systems for
unusual activities.

27. Salary:
•India: Rs 520,922 per annum
Certifications:
•CompTIA Security+
•Cybersecurity Analyst (CySA+)
•Certified Ethical Hacker (CEH)

28. 5. Computer Forensics Analysts:
•Forensics analysts focus on cyber-crime, an ever-growing
phenomenon. They work with law enforcement agencies in both
public and private sector organizations and are asked to
undertake a wide variety of tasks, including:
 Recovering deleted files
 Interpreting data linked to crime
 Analyzing mobile phone records
 Pursuing data trails
•Computer forensic analysts must keep a well — detailed records
of their investigations, and often provide evidence in court.

29. Salary:
•India: Rs 8,85,000 per annum
Certifications:
•Certified Computer Forensics Examiner (CCFE)
•Certified Mobile Forensics Examiner (CMFE)
•Computer Hacking Forensic Investigator (CHFI)
•GIAC Certified Forensic Examiner (GCFE)
•GIAC Certified Forensic Analyst (GCFA)
•Certified Computer Examiner (CCE)

30. 6. Chief Information Security Officer
The Chief Information Security Officer is normally a mid-executive level
position whose job is to manage the affairs operations of a company’s or
organization’s IT security division. CISOs are usually responsible for planning,
coordinating and directing all computer, network and data security needs of
their employers.
Salary:
India: Rs 25,49,020 per annum
Certifications:
EC-Council Certified Chief Information Security Officer (CCISO)

31. 7. Penetration Tester:
•Penetration testing is the proactive authorized employment of
testing procedures on the IT system to identify system flaws.
•A penetration tester usually attempts to (with permission) hack into
a computer and network systems to pre-emptively discover
operating system vulnerabilities, service and application problems,
improper configurations and more, before an intruder cause real
damage.

32. Salary:
•India: Rs. 4,96,666 per annum
Certifications:
•Certified Ethical Hacker (CEH)
•EC-Council Certified Security Analyst (ECSA)
•Offensive Security Certified Professional (OSCP)
•Offensive Security Exploitation Expert (OSEE)

33. 8. Security Systems Administrator
•A security systems administrator’s responsibility is a bit similar to many
cybersecurity jobs i.e., installing, administering, maintaining and
troubleshooting computer, network and data security systems.
•The main distinction between security systems administrators and other
cybersecurity professionals is that the security systems administrator is
normally the person in charge of the daily operation of those security
systems.
•The regular tasks include systems monitoring and running regular
backups, and setting up, deleting and maintaining individual user
accounts.
•Security systems administrators are usually often involved in developing
organizational security procedures.

34. Salary:
•India: Rs 4,50,000 per annum
Certifications:
•Certified Information Security Manager (CISM)
•Cisco Certified Network Associate—Routing and Switching (CCNA)
•Certified Information Systems Security Professional (CISSP)
•EC-Council Network Security Administrator (ENSA)
•CompTIA's popular base-level security certification (Security+)

35. WHAT IS CVE, CWE, CVSS, OWASP TOP 10, SANS
TOP 25
•Common Vulnerabilities and Exposures (CVE) is a catalog of known
security threats. The catalog is sponsored by the United States
Department of Homeland Security (DHS), and threats are divided
into two categories: vulnerabilities and exposures.
•CVE Databases:
The National Institute of Standards and Technology (NIST)
The MITRE Corporation

36. •The Common Vulnerability Scoring System (CVSS) is a free and
open industry standard for assessing the severity of computer
system security vulnerabilities.

37. •Common Weakness Enumeration (CWE) is a list of software
weaknesses.
•CWE Database:
The MITRE Corporation
•Total number of CWE’s: 808

38. •CWE/SANS Top 25 Most Dangerous Software Errors is a list of the
most widespread and critical errors that can lead to serious
vulnerabilities in software.
•They are often easy to find, and easy to exploit.
•They are dangerous because they will frequently allow attackers
to completely take over the software, steal data, or prevent the
software from working at all.

42. •The OWASP Top 10 is a powerful awareness document for web
application security.
•It represents a broad consensus about the most critical security risks
to web applications.
•The OWASP Top 10 list consists of the 10 most seen application
vulnerabilities:
Injection
Broken Authentication
Sensitive data exposure
XML External Entities (XXE)

43. Broken Access control
Security misconfigurations
Cross Site Scripting (XSS)
Insecure Deserialization
Using Components with known vulnerabilities
Insufficient logging and monitoring

44. DEMONSTRATION OF WIRESHARK, NMAP &
NESSUS