The document provides information about Leo Lourdes and his foundation in cyber security. Leo Lourdes has extensive training and certifications in IT management, project management, information security and service management. The objective of his cyber security foundation is to prevent harm to computer networks, applications, devices and data. The training covers topics such as the CIA triad, security governance, risk management and cyber threats.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
With more than 50,000 new malware created every day organisations can no longer afford to risk the financial and reputational impacts of a security or data breach, which can be too much for a business to recover from. Because of this, IT managers face increasing scrutiny and pressure from CEOs, managing directors and boards to prove that they are keeping the organisation secure.
The changing threat landscape means organisations need to be vigilant and smarter about security. While businesses still face threats from infected devices and malware, attackers have also moved beyond that. For example, there is an increasing number of targeted email attacks with cyber criminals spending time to monitor communications so they can imitate emails that are so sophisticated that even relatively savvy users will open them.
This webinar will explore the building blocks required to ensure you have the roadmap required to best protection against cyber attacks. We will provide you with a high level view of the following topics:
· Audit and discovery – What are your weaknesses and are you compliant?
· Education – Do your employees know when not to open that attachment?
· Policy – Do you have the right policies for your industry?
· Technology – Where to start and what has changed?
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
With more than 50,000 new malware created every day organisations can no longer afford to risk the financial and reputational impacts of a security or data breach, which can be too much for a business to recover from. Because of this, IT managers face increasing scrutiny and pressure from CEOs, managing directors and boards to prove that they are keeping the organisation secure.
The changing threat landscape means organisations need to be vigilant and smarter about security. While businesses still face threats from infected devices and malware, attackers have also moved beyond that. For example, there is an increasing number of targeted email attacks with cyber criminals spending time to monitor communications so they can imitate emails that are so sophisticated that even relatively savvy users will open them.
This webinar will explore the building blocks required to ensure you have the roadmap required to best protection against cyber attacks. We will provide you with a high level view of the following topics:
· Audit and discovery – What are your weaknesses and are you compliant?
· Education – Do your employees know when not to open that attachment?
· Policy – Do you have the right policies for your industry?
· Technology – Where to start and what has changed?
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
This post contains detailed Mindmap related to Complex subject of Cyber security and address critical components summarized as below:
- Cyber Security standards
- SOC (Security Operation Center)
- Cybersecurity Lifecycle
- Hacker Kill Chain
- Malware (Types,Protection Mechanism)
- Cyber Architecture
- CSC (Critical Security Standards)
- Incident Management
- Network Perimeter best security practices
- Final Case Study
I hope the Technical post is appreciated and liked by Security Consultants and Subject Matter experts on Cybersecurity.Your criticals Inputs are appreciated.Thank you
- Wajahat Iqbal
(Wajahat_Iqbal@Yahoo.com)
ETHICAL HACKING AND SOCIAL ENGINEERING
Topics Covered: Ethical Hacking Concepts and Scopes, Threats and Attack Vectors, Information Assurance, Threat Modelling, Enterprise Information Security Architecture, Vulnerability, Assessment and Penetration Testing, Types of Social Engineering, Insider Attack, Preventing Insider Threats, Social Engineering Targets and Defence Strategies
Thinking like a hacker - Introducing Hacker VisionPECB
This webinar will explain how to improve Security by adopting the mindset of your opponent, and 'seeing like a hacker'!
Main points covered:
• Introducing ways in which you can think like a hacker, and get into your attacker's mindset so that you can better identify and assess threats.
• How to use this thinking to improve your security controls - how effective are they? And how can you better test them for readiness?
• Visual examples to really lift the lid on what your attackers see, as 'hacker vision' gets you thinking in the mindset of a hacker.
• Examples covered will include physical security, Network security, as well as IoT security.
Presenter:
Our exclusive presenter, Mark Carney is a former pen tester and now a professional security researcher for Security Research Labs in Berlin, specializing in embedded systems and IoT. His background spans compliance testing, Red Teaming, full stack pen testing, and social engineering & physical access engagements.
Link to the recorded webinar: https://youtu.be/Fx2Ha8kIqgE
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
Information Security
1.Why the need to think about it?
2.What exactly are we talking about?
3.How do we go about doing something about it?
4.Is there a one-size-fits-all framework?
What's New In CompTIA Security+ - Course Technology Computing ConferenceCengage Learning
What's New In CompTIA Security+ - Course Technology Computing Conference
Presenter: Mark Ciampa, Western Kentucky University
The new CompTIA Security+ exam (SY0-401) is projected to be rolled out in the late spring of 2014. This exam will have several significant changes from the previous exam. These include an expanded emphasis on topics such as securing mobile devices, cloud computing, cryptography, and threats and vulnerabilities. In addition, CompTIA is continuing to use performance-based questions on Security+ exams, requiring test-takers to configure firewall access control lists, match ports with services, and analyze log files. What exactly will the new Security+ exam cover? How will the updated Cengage Security+ Guide to Network Security Fundamentals 5th Edition address these changes? And what are the best ways to help students be prepared for the new Security+ exam with its performance-based questions? This session will look at what's new in CompTIA Security+ and how we can teach security to our students.
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
This post contains detailed Mindmap related to Complex subject of Cyber security and address critical components summarized as below:
- Cyber Security standards
- SOC (Security Operation Center)
- Cybersecurity Lifecycle
- Hacker Kill Chain
- Malware (Types,Protection Mechanism)
- Cyber Architecture
- CSC (Critical Security Standards)
- Incident Management
- Network Perimeter best security practices
- Final Case Study
I hope the Technical post is appreciated and liked by Security Consultants and Subject Matter experts on Cybersecurity.Your criticals Inputs are appreciated.Thank you
- Wajahat Iqbal
(Wajahat_Iqbal@Yahoo.com)
ETHICAL HACKING AND SOCIAL ENGINEERING
Topics Covered: Ethical Hacking Concepts and Scopes, Threats and Attack Vectors, Information Assurance, Threat Modelling, Enterprise Information Security Architecture, Vulnerability, Assessment and Penetration Testing, Types of Social Engineering, Insider Attack, Preventing Insider Threats, Social Engineering Targets and Defence Strategies
Thinking like a hacker - Introducing Hacker VisionPECB
This webinar will explain how to improve Security by adopting the mindset of your opponent, and 'seeing like a hacker'!
Main points covered:
• Introducing ways in which you can think like a hacker, and get into your attacker's mindset so that you can better identify and assess threats.
• How to use this thinking to improve your security controls - how effective are they? And how can you better test them for readiness?
• Visual examples to really lift the lid on what your attackers see, as 'hacker vision' gets you thinking in the mindset of a hacker.
• Examples covered will include physical security, Network security, as well as IoT security.
Presenter:
Our exclusive presenter, Mark Carney is a former pen tester and now a professional security researcher for Security Research Labs in Berlin, specializing in embedded systems and IoT. His background spans compliance testing, Red Teaming, full stack pen testing, and social engineering & physical access engagements.
Link to the recorded webinar: https://youtu.be/Fx2Ha8kIqgE
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
Information Security
1.Why the need to think about it?
2.What exactly are we talking about?
3.How do we go about doing something about it?
4.Is there a one-size-fits-all framework?
What's New In CompTIA Security+ - Course Technology Computing ConferenceCengage Learning
What's New In CompTIA Security+ - Course Technology Computing Conference
Presenter: Mark Ciampa, Western Kentucky University
The new CompTIA Security+ exam (SY0-401) is projected to be rolled out in the late spring of 2014. This exam will have several significant changes from the previous exam. These include an expanded emphasis on topics such as securing mobile devices, cloud computing, cryptography, and threats and vulnerabilities. In addition, CompTIA is continuing to use performance-based questions on Security+ exams, requiring test-takers to configure firewall access control lists, match ports with services, and analyze log files. What exactly will the new Security+ exam cover? How will the updated Cengage Security+ Guide to Network Security Fundamentals 5th Edition address these changes? And what are the best ways to help students be prepared for the new Security+ exam with its performance-based questions? This session will look at what's new in CompTIA Security+ and how we can teach security to our students.
Information security is often misunderstood, undervalued and often tackled as an afterthought. This presentation was given in 2014 during an ISACA educational event.
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2TechSoup Canada
Part 1 of this webinar series provided an overview of cybersecurity and explained the cyber risks and legislation affecting nonprofits. In part 2 of the series, Imran Ahmad of Miller Thomson, LLP returns to answer your questions on cybersecurity and to delve deeper into cybersecurity maintenance and best practices to avoid data breaches. This includes the implementation of measures to prevent data breaches in the pre-attack phase, to the implementation of security best practices in the event of a cyber attack or breach.
What you will learn:
· How to develop key cybersecurity-related documents;
· How to maintain an internal matrix of when to notify affected individuals;
· How to review contracts from a cybersecurity compliance perspective.
CompTIA CySA Domain 5 Compliance and Assessment.pptxInfosectrain3
The CompTIA Cybersecurity Analyst (CySA+) certification is the industry standard for demonstrating that cybersecurity professionals can analyze data and interpret the results to detect vulnerabilities, threats, and risks to an organization.
A to Z of Information Security ManagementMark Conway
The purpose of information security is to protect an organisation’s valuable assets, such as information, Intellectual property, hardware, and software.
Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
In this A to Z I’d like to outline some of the key focus areas for organisations wishing to pursue compliance to the ISO27001 Information Security standard.
How to Create Map Views in the Odoo 17 ERPCeline George
The map views are useful for providing a geographical representation of data. They allow users to visualize and analyze the data in a more intuitive manner.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
We all have good and bad thoughts from time to time and situation to situation. We are bombarded daily with spiraling thoughts(both negative and positive) creating all-consuming feel , making us difficult to manage with associated suffering. Good thoughts are like our Mob Signal (Positive thought) amidst noise(negative thought) in the atmosphere. Negative thoughts like noise outweigh positive thoughts. These thoughts often create unwanted confusion, trouble, stress and frustration in our mind as well as chaos in our physical world. Negative thoughts are also known as “distorted thinking”.
The Art Pastor's Guide to Sabbath | Steve ThomasonSteve Thomason
What is the purpose of the Sabbath Law in the Torah. It is interesting to compare how the context of the law shifts from Exodus to Deuteronomy. Who gets to rest, and why?
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
2. CYBER SECURITY
THE OBJECTIVE
To prevent or mitigate harm to or destruction of
Computer Networks, Applications, Devices, and Data.
3. Trainer Profile
LEO LOURDES
(MBA IT Management, BoM Hons. HRM)
Implementer of ISO 20000-1:2011
Certified in COBIT® 5
Certified in ISO 9001 Auditor (PECB)
Certified in PRINCE2® in Project Management
Certified in ITIL® Practitioner
Certified in ITIL® Intermediate Certificate in IT Service Operation
Certified in ITIL Information Security based on ISO/IEC 27002
Certified in ITIL for Cloud Computing
Certified in ITIL IT Service Management
Certified in Coaching and Calibration Skills for Call Center
Certified in Delivering Learning / Teaching by City & Guilds, United Kingdom
wecare@thinkleosolutions.com
++6016-349 1793
Experience:
Management Representative (MR) ISO 20000-1: 2011
IT Service Management (Incident, Problem, Change) Manager
Security, Compliance & Risk Management
Senior CRM Delivery Analyst
Certified Trainer
Certified IT Auditor & Consultant
4. • The CIA Triad
• Security Governance
• Risk Management
• Cyber Threats
CYBER SECURITY AWARENESS : DAY 1
6. Confidentiality Terms
Term Definition
Sensitivity The level of damage or harm that could occur if the asset is revealed or
disclosed.
Discretion The ability for a person to control the level of access to, or disclosure of,
an asset.
Criticality The level of importance of an asset to the mission or objective.
Concealment The act of hiding or preventing disclosure of an asset.
Secrecy The practice of preventing or limiting information disclosure.
Privacy The protection of confidential or personal information.
Seclusion The act of storing something in a location that is out of the way, and thus
not easily observed or found.
Isolation The act of keeping something separate from other things that are similar
in nature.
7. Term Definition
Accuracy The degree to which the data is correct and precise.
Truthfulness The quality of a source of information being factual and realistic.
Validity The quality of an asset being factually or logically sound.
Authenticity The quality of an asset being genuine.
Accountability The condition of a person or entity being held responsible for their
actions.
Responsibility The obligation of a person or entity to take ownership of their actions.
Completeness The quality of an asset that has all its necessary parts or components.
Comprehensiveness The quality of an asset being complete in scope, and fully inclusive of all
relevant elements.
Integrity Terms
8. Term Definition
Usability The degree to which an asset can be easily learned, understood, utilized,
or controlled by a subject.
Accessibility The assurance that an asset can, under the widest range of circumstances,
be used by a subject, regardless of their capabilities or limitations.
Timeliness The quality of an asset, particularly information, being prompt and
available within a reasonable time frame, and with low latency.
Availability Terms
9. Term Definition
Asset Anything of value that could be compromised, stolen, or harmed,
including information, systems, personnel, physical resources, and
reputation.
Threat Any event or action that could potentially cause damage to an asset or
an interruption of services.
Threat actor A person, group, or other entity that could potentially attack, damage,
or otherwise compromise a system or resource.
Vulnerability A condition that leaves the system and its assets open to harm—
including such things as software bugs, insecure passwords, inadequate
physical security, poorly designed networks, or insufficient user training
and awareness.
Exploit A technique that takes advantage of a vulnerability to perform an attack.
Risk The likelihood of a threat occurring, as well as its potential damage
to assets.
Control A countermeasure that you put in place to avoid, mitigate, or
counteract security risks due to threats or attacks; also known as a
safeguard.
Common Security Terms (Slide 1 of 2)
10. Common Security Terms (Slide 2 of 2)
Term Definition
Attack The active attempt by a threat actor to break into and exploit a vulnerable
system, data, or other resource.
Breach The result of a successful attack. Can include theft, destruction, or loss of
availability of data, a system, or other resources.
Exposure The level, usually expressed in percentage, to which a resource is at direct
risk of attack.
Social engineering The practice of using deception and trickery against human beings as a
method of attack.
Defense in depth The practice of providing security in multiple layers for more
comprehensive protection against attack.
11. • Methods of exercising control and management over an organization.
• Seeks to mitigate security risk.
• Turns a reactionary security culture into a proactive one.
• Supports business objectives to minimize cost and disruption.
• A major objective is compliance.
• Compliance assures that the organization operates within regulatory requirements.
Security Governance
12. • Strategic alignment of information security with business strategies to support
organizational objectives.
• Risk management by risk mitigation and reducing potential impact on resources.
• Resource management by use of information security knowledge and infrastructures.
• Performance measurement by evaluating, monitoring, and reporting information
security governance metrics to achieve objectives.
• Value delivery by optimizing information security investments that support
organizational objectives.
Governance Requirements
13. Security Goal Categories
Goal Description
Strategic • Align with business and information technology goals.
• Long horizon (3-5 years or more).
• Ex: establish security policies and ensure all users understand
responsibilities.
Tactical • Provide broad initiatives necessary to support goals of strategic plan.
• May consist of multiple projects.
• Usually 6-18 month time period.
• Ex: implement disaster recovery programs and customer relationship
management.
Operational • Specific short-term goals.
• Put tactical plan into practice.
• Ensure that individual projects are completed with milestones.
• Ex: perform project-wise risk assessment and development of security
policies.
14. Privacy Issues
• Personally identifiable information (PII) could be used to identify
an individual.
• Only a few pieces of information can expose a person’s identity.
• Criminals can use PII for extortion, fraud, or shaming.
• Ex:
• Names
• Social Security numbers
• Addresses
• Personal characteristics
• PII, once exposed, may not be “recoverable”.
15. Data Breach
• An incident that results in release or potential
exposure of secure information.
• Can be true test of legal compliance.
• If organization performs due care to comply with laws,
breach’s effects may be mitigated.
• Organization can also avoid severe legal penalties.
• Especially a concern with privacy laws, as many
breaches expose customer PII.
• Consequences for compliance failure are magnified
under a breach.
• Most laws require timely notification in the event of a
breach.
16. IT/Information Security Standard Description
PCI DSS • Specifies how organizations handle information security for major
card brands.
• Compliance validated on annual basis.
• Organizations or merchants that accept, transmit, or store
cardholder data from these brands must comply.
NIST SP 800 series • Various publications establish computer security standards,
including:
• SP 800-12: An Introduction to Computer Security: The NIST
Handbook
• SP 800-14: Generally Accepted Principles and Practices for
Securing Information Technology Systems
• SP 800-33: Underlying Technical Models for Information
Technology Security
• SP 800-53: Security and Privacy Controls in Federal Information
Systems and Organizations
Industry Standards (Slide 1 of 2)
17. Industry Standards (Slide 2 of 2)
IT/Information Security Standard Description
COBIT 5 Standards for IT management and governance, promoting five
principles:
• Meeting stakeholder needs.
• Covering the enterprise end-to-end.
• Applying a single, integrated framework.
• Enabling a holistic approach.
• Separating governance from management.
ISO/IEC 27001 Focuses on topics in information security management:
• Responsibilities and procedures.
• Reporting information security events.
• Reporting information security weaknesses.
• Assessment of and decision on information security events.
• Response to information security incidents.
• Learning from information security incidents.
• Collection of evidence.
18. • The organization’s principles, proper conduct, and system of moral values.
• Code of ethics helps professionals cooperate and pursue common goals.
• Code can guard against competitive pressures to act unscrupulously.
• Provides a guide for what other professionals will do.
The Purpose of Ethics
19. • Organizations often document ethical expectations.
• May also be bound by ethics outlined in laws and standards.
• Ethical codes can also minimize risk.
• Employees with a track record of ethical behavior can help organization avoid harm.
• Organizations are also responsible for acting ethically to their employees, customers,
and other stakeholders.
Organizational Ethics
20. • Lack of documentation creates organizational chaos.
• Documentation provides a framework for people to work together in achieving
organizational goals.
• Security documentation can also act as a road map to governance.
The Value of Security Documentation
21. Security Document Types
Security Document Type Description
Policy High-level statement of management intentions. Contains purpose, scope, and
compliance expected of every employee.
Example: Information security will ensure the protection of information by
implementing security best practices.
Standard Required implementation or use of tools.
Example: The corporation must implement 802.1x security for all wireless
networks.
Guideline Recommended or suggested action or best practice.
Example: When travelling with laptops, users should use safety precautions to
prevent laptop theft, damage, or data loss.
Procedure Step-by-step description of how to implement a system or process.
Example: Toimplement Secure Shell (SSH) on the router, enter the enable mode
and then enter the appropriate commands for the router.
Baseline Minimum security required for a system or process.
Example: Trivial File Transfer Protocol (TFTP) must be disabled in all servers except
for those specifically used for the TFTP service.
22. • Objectives that security policies can fulfill:
• Inform employees about their security-related duties and responsibilities.
• Define an organization’s security goals.
• Outline a computer system's security requirements.
• Objectives depend on the organization’s specific requirements.
• Policies should be long enough to explain but short enough to be understood.
• All employees should have access to the policy.
Security Policy Objectives
23. What Is Risk?
• Building damage
• Data loss
• Loss of productivity
• Loss of life
• Loss of equipment
• Access to system by malicious
individual
26. The Risk Analysis Process
Risk Analysis Process Phase Description
Asset identification and valuation Identifying assets that require protection and determining value of the
assets, including data, data systems, buildings, and employees.
Vulnerability identification Identifying vulnerabilities so analyst can confirm where problems exist.
Threat assessment Determining what threats may exploit identified vulnerabilities.
Risk assessment Assessing the probability that threats will exploit vulnerabilities. Can be
quantitative (numbers-based) or qualitative (words-based).
Financial impact evaluation Once probabilities are determined, evaluating potential financial impact
of risks.
27. • Comprehensively identify all assets in the organization.
• Waiting until it’s too late will make it harder to recover an asset.
• If you don’t identify an asset, you may not even know when it’s compromised.
• Describe assets in terms of:
• Basic characteristics.
• Value to the company.
• Use on a daily basis.
• Replaceability.
Asset Identification
28. • What effort was required to develop or obtain it?
• What does it cost to maintain and protect it?
• How much will we lose in operational functionality if the asset is misplaced or
damaged?
• What would it cost to replace it?
• What enemies might pay for it?
• What liability penalties might occur if the asset is compromised?
Asset Valuation
29. Asset Valuation Methods
Asset Valuation Method Description
Asset management system Contains a detailed record of corporate property and similar assets,
including facilities, furniture, computers, and other real property.
Accounting system Contains additional financial information about assets, such as
expensing the cost to develop software packages.
Insurance valuation Good source of asset valuation due to rigorous analysis of risk of
loss.
Qualitative valuation Narrative descriptions capture expert judgement about asset value.
30. Areas of Vulnerability
Vulnerability Area Example Threat and Risk
Physical structure Window accessibility in a room where secure information is stored can
expose vulnerabilities and create a venue for sudden intrusion threats.
Electrical Failure of a vulnerable electrical feed can threaten system data.
Software Worms, viruses, and Trojans threaten systems.
Network Unencrypted data on network can be vulnerable to interception and exploit.
Personnel Key trained personnel must be available to deal with critical events to avoid
corporate-wide vulnerabilities.
Hardware Losses due to theft and physical damage generate costs for replacement and
lost productivity.
Documentation If poorly written, can cause confusion and impair decision making.
Organization must protect integrity and confidentiality of sensitive
documentation.
Process Outdated or inefficient processes can impair business operations; poor
security processes weaken defenses and increase risk.
31. Identify Threats
Threat Type Description
Natural disasters • Earthquakes
• Wildfires
• Flooding
• Excessive snowfalls
• Tsunamis
• Hurricanes
• Tornados
• Landslides
Man-made disasters Intentional:
• Arson
• Terrorist attacks
• Political unrest
• Break-ins
• Theft of equipment and/or data
• Equipment damage
• File destruction
•Information disclosure
Unintentional:
• Employee mistakes
• Power outages
• Excessive employee illnesses or epidemics
• Information disclosure
33. • Likelihood: How likely is it that the threat occurs?
• Impact: What kind of damage will the threat cause?
Risk Assessment Determination Factors
34. Residual Risk
• Risk that remains even after controls are in
place.
• You can’t account for every risk, no matter
how hard you try.
• Some risks are not worth the cost of the
countermeasure.
• Identifying residual risk can help you assess
the effectiveness of your controls.
• The acceptable response to residual risk is
to have a solid disaster recovery plan.
• Controls gap is the amount of risk that
countermeasures do not cover.
• Expressed in percentages
• Correlates to residual risk
Controls gap = total risk – countermeasures
Controls
Inherent
Risk
Residual
Risk
35. • Not just simple pass-fail results or generating paperwork for an audit.
• Well-executed assessment determines validity and effectiveness of controls.
• Can expose strengths and weaknesses of current systems.
• Helps identify a plan for correcting weaknesses.
Monitoring and Measuring
36. • Ongoing effort to optimize policies and processes.
• A function of risk management.
• Includes best practices:
• Continuously seek to discover new vulnerabilities.
• Be context aware in your risk analysis.
• Prioritize your efforts to vulnerabilities
that actually pose a significant risk.
• Determine patchability.
Continuous Improvement
37. Threat Types (Slide 1 of 2)
Threat Type Description
Phishing and social
engineering
• Attackers use psychological tactics to manipulate victims into disclosing
information or performing an action that they shouldn’t.
• Phishing is the most common form.
• Uses email with malicious attachments or links.
Insider threat • Disgruntled employees and others with internal access.
• Use their access privilege or knowledge to steal data or damage systems.
• Can also be accidental/unintentional.
Malware • Any software intended to damage a computer system.
• Can be distributed through email, websites, file sharing, social media, even
legitimate published software.
• Includes viruses, worms, Trojans, keyloggers, rootkits, bootkits, ransomware,
spyware, etc.
Session Hijacking/
Man-in-the-
Middle
• Attacker takes over legitimate network connection, often after user has
authenticated.
38. Threat Types (Slide 2 of 2)
Threat Type Description
Denial of service • Any attack that consumes computer or network resources so the system
cannot service legitimate client requests.
• Can be conducted against:
• Network
• CPU
• RAM
• Disk space
• Maximum allowed connections
Unauthorized network
access
• Deliberate or accidental.
• Normal security controls are bypassed.
Injection and Cross-Site
commands
• Malicious commands hide inside normal browser activity.
• Includes command and SQL injection, XSS, and XSRF.
• E.g:
• <IMG SRC=javascript:alert(“XSS”)>
• Encoded <IMG SRC=javascript:alert("XSS")>
39. • Basic categories of remediation:
• Good security policy and management commitment to security.
• Fix vulnerable code.
• Properly configure systems.
• Change business processes.
• Improve security culture through training and awareness.
• Effective threat remediation involves all personnel working together.
• Implementing of technical controls and management of good business processes.
• Various security departments should coordinate in remediation efforts.
• Remediation policy should reflect risk tolerance.
• Strategies and controls should be consistently evaluated for their effectiveness.
Threat Remediation