The document discusses strategies for effective encryption deployment. It begins with an overview of encryption and emphasizes that while the mathematics are complex, effective encryption primarily requires attention to detail, good design, and project management skills. The rest of the presentation focuses on developing an encryption strategy, including defining requirements, classifying data, documenting policies and processes, assessing legacy systems, choosing appropriate encryption methods, and properly managing encryption keys. Effective encryption is portrayed as a comprehensive program rather than an isolated technical solution.
Firewalls and border routers are still the cornerstone for perimeter security
Always will be a place for VPNs
Attacks occur at the application layer
So ensure app security
Vulnerability management is one of the most important, yet most difficult and ‘boring’ information security processes I know. As it includes stakeholders from various business functions it requires delicate design and execution. I see VM as a big data and stakeholder management challenge.
Information Security vs. Data Governance vs. Data Protection: What Is the Rea... - PECB
This webinar will provide more information on the importance of information security and how you can take security well beyond compliance, an approach on building strong information security, privacy and data governance programs, and the importance of strong data governance in relation to privacy and information security requirements.
The webinar covers
• Information Security
• Importance Of Information Security Today
• Taking Information Security Beyond A Compliance First
• Importance Of Data Governance In Information Security
• Privacy
• Changing And Evolving Privacy Requirements
• Importance Of Data Governance In Privacy
• Data Governance And Data Privacy
• Data Privacy - Data Processing Principles
Presenters:
Moji is a Senior Business Process Analyst working with GemaltoThales, a leading firm in the IT industry. Moji has over fifteen years of experience in leading projects to improve processes, create and implement processes leading to increased revenue generation and eliminate redundancies.
She has a zeal for adding value and increasing revenue for organizations. Moji is very passionate about Data Privacy and its application in business and consumer rights.
Hardeep Mehrotara has 20+ years of senior leadership experience in Information Technology and Cyber Security working for public and private organizations building security programs from the ground up. He has been featured on Canadian television as a cyber expert and provided advice to various communities on implementing cybersecurity strategy, best practices and controls. He has been a co-author on numerous leading industry security control frameworks, technical benchmarks and industry best practice standards.
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/aQcS5-RFIEY
Website link: https://pecb.com/
Simplifying the data privacy governance quagmire building automated privacy ... - Avinash Ramineni
In this age of big data, AI, and machine learning, organizations collect vast amounts of data about their customers, processes, preferences, usage patterns, etc. Organizations intend to use the data and generate a sustained competitive advantage for their products/offerings.
With all the data they are collecting and storing, they also accumulate huge risks associated with storing and protecting the data. Balancing monetizing data with the risk puts a lot of the roles like CDO, CPO, CISO, CIO in a quagmire.
Privacy / Security leadership needs to influence the organization in adopting a privacy/security-first culture by establishing a robust privacy/security program. Most organizations need to be able to achieve that within a limited budget.
Ideally, at the end of the rollout of a privacy program, a company can tell:
Where every bit of sensitive data resides,
Who has access to which sensitive data,
All security controls to protect sensitive data, and
The retention times for every piece of sensitive data.
In this webinar, we will cover how to build a dynamic and automated privacy/security program that manages the data lifecycle from collection to deletion. This talk will also give a sneak peek into technologies that will influence the privacy, security, governance capabilities of the future and reshape the way organizations address challenges with current and emerging technologies.
What you’ll take away:
Basic concepts around understanding the risk around the personal information your organization is collecting
Building a method of mitigating the risk discussed above
How to incorporate an enterprise-wide ‘security-first’ culture
A practical approach to implementing a data privacy/security program from scratch.
50 Shapes of Network & Information Security - Hatem ElSahhar
Knowledge is a right for EVERYONE – feel free to share it!
Here are 50 slides listing some concepts of network and information security. You may find them randomly listed and not structured very well, but I have been posting them on a daily basis (almost), and the topics were not ready to publish from day one.
The slides may help some of you to get to know some new topics, and might help others to review what they already knew.
They are not considered study material, as they don’t cover all the aspects of each listed topic; you will need to dig deeper.
I hope you find them beneficial.
O Allah, teach us what benefits us, let us benefit from what You have taught us, and increase us in knowledge.
Build an Information Security Strategy - Andrew Byers
Organizations are struggling to keep up with today’s evolving threat landscape.
From technology sophistication and business adoption to the proliferation of hacking techniques and the expansion of hacking motivations, organizations are facing major security risks.
Every organization needs some kind of information security program to protect their systems and assets.
Organizations today face pressure from regulatory or legal obligations, customer requirements, and now, senior management expectations.
Skills that make network security training easy - EC-Council
Network security is an entry point to cybersecurity and is highly preferred by companies due to its cost-effective and result-driven nature. With its growing demand in the market, it is wise to pursue it as a profession.
Read more to learn the top 5 skills needed for network security training: https://www.eccouncil.org/programs/certified-network-security-course/
While nothing is ever "completely secure," and there is no magic product to make every organization immune from unwanted attackers, this Razorpoint document outlines 10 keys to consider seriously regarding effective network security.
IT Security Architecture & Leadership, 24 - 27 November 2013, Dubai, UAE - 360 BSI
This 4 day training program combines advanced technology and relevant practical experience to develop your IT security policies & create a robust IT infrastructure.
Information security is critical for modern business models today.
Organizations must be prepared to take crucial steps to strengthen their IT infrastructure from both internal & external threats.
Organizations must look to develop a security network that enhances business operations while improving its security position. Successful security architecture combines a mix of the latest policies & practices, technology, and a robust awareness program.
This 4 day intensive training workshop addresses the latest concerns on IT infrastructure and security. Participants will develop key skills and core competencies that will allow them to meet the ever-changing security demands of the 21st century.
Course Participants will:
Master the tools & techniques for effective information & network security.
Discover how to create a complete & sustainable IT security architecture.
Gain knowledge on how to develop sound security policy together with your security architecture.
Learn how to perform an IT governance assessment using CoBIT 4.0
Learn how to perform smart security risk assessment within your organization.
Gain valuable insights on implementing a proactive & robust security management system.
Learn how to detect & prevent information security breaches due to inadequate IT security awareness within the organization.
Who should attend:
Vice Presidents, Directors, General Managers
Chief Information Officers
Chief Security Officers
Chief Information Security Officers
Chief Technology Officers
Contact Kris at kris@360bsi.com for further information.
Detailed analysis of current trends and challenges, workforce challenges/ the security talent gap, and job qualifications/ salary data for Cyber Security in 2015.
Small IT businesses may not have the time and resources to formulate a strategy and see that employees diligently follow it. However, IT consulting companies can make that happen with their white label IT services.
This presentation was discussed in a Webinar with MetricStream in September 2016. It is applicable for small, medium and large businesses when considering information and cyber security risk.
IT Security Architecture & Leadership, 03 - 06 March 2019, Dubai, UAE - 360 BSI
This 4 day training program combines advanced technology and relevant practical experience to develop your IT security policies & create a robust IT infrastructure.
Participants will develop key skills and core competencies that will allow them to meet the ever-changing security demands of the 21st century.
Course Participants will:
- Master the tools & techniques for effective information & network security.
- Discover how to create a complete & sustainable IT security architecture.
- Gain knowledge on how to develop sound security policy together with your security architecture.
- Learn how to perform an IT governance assessment using CoBIT 5.0
- Learn how to perform smart security risk assessment within your organization.
- Gain valuable insights on implementing a proactive & robust security management system.
- Learn how to detect & prevent information security breaches due to inadequate IT security awareness within the organization.
Contact kris@360bsi.com to register.
IT Risk Management & Leadership, 23 - 26 June 2013, Dubai - 360 BSI
WHY IS THIS IT RISK ASSESSMENT WORKSHOP IMPORTANT?
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operations managers
Contact Kris at kris@360bsi.com to register.
Savings, security, and stability: how ShareGate benefits everyone - sammart93
PowerPoint presentation of the live event tackling:
- What is Microsoft 365 governance, and why is it important
- The challenges of managing Microsoft 365
- The hidden costs of ad-hoc management
- Enhancing collaboration through automation
Feel free to use this presentation should you need to make the case for ShareGate to upper management as a tool for automated governance in Microsoft 365!
IT Information Security Management Principles, 23 - 26 November 2015, Dubai, UAE - 360 BSI
This 4 day training program combines advanced technology and relevant practical experience to develop your IT security policies & create a robust IT infrastructure.
Information security is critical for modern business models today.
Organizations must be prepared to take crucial steps to strengthen their IT infrastructure from both internal & external threats.
Organizations must look to develop a security network that enhances business operations while improving its security position. Successful security architecture combines a mix of the latest policies & practices, technology, and a robust awareness program.
This 4 day intensive training workshop addresses the latest concerns on IT infrastructure and security. Participants will develop key skills and core competencies that will allow them to meet the ever-changing security demands of the 21st century.
Course Participants will:
- Master the tools & techniques for effective information & network security.
- Discover how to create a complete & sustainable IT security architecture.
- Gain knowledge on how to develop sound security policy together with your security architecture.
- Learn how to perform an IT governance assessment using CoBIT 4.0
- Learn how to perform smart security risk assessment within your organization.
- Gain valuable insights on implementing a proactive & robust security management system.
- Learn how to detect & prevent information security breaches due to inadequate IT security awareness within the organization.
Who should attend:
Vice Presidents, Directors, General Managers
Chief Information Officers
Chief Security Officers
Chief Information Security Officers
Chief Technology Officers
Contact Kris at kris@360bsi.com for further information.
In this exclusive Security Leadership Series eBook, Citrix chief information security officer Stan Black and chief security strategist Kurt Roemer share best practices for leading meaningful security discussions with the board of directors; engaging end users to protect business information; and meeting security-related compliance requirements.
Cyber security practices involve preventing malicious attacks on computers, servers, mobile devices, electronic systems, networks, and data. It is also called information technology security or electronic information security.
https://www.infosectrain.com/courses/ceh-v11-certification-training/
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E... - Ben Rothke
Deployment Strategies for Effective Encryption - Presentation by Ben Rothke given at the Computer Forensics Show & Conference, April 19-20, 2010, New York, NY
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 - Tobias Schneck
As AI technology pushes into IT, I was wondering, as an “infrastructure container Kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it working from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial for, or limiting to, your AI use cases in an enterprise environment. An interactive demo will give you some insights into which approaches I already have working for real.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
UiPath Test Automation using UiPath Test Suite series, part 3 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Essentials of Automations: Optimizing FME Workflows with Parameters - Safe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis's slides from the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
E5 rothke - deployment strategies for effective encryption
1. Deployment Strategies for
Effective Encryption
Session E5
Tuesday April 3, 2012
9:45AM - 10:45AM
Ben Rothke, CISSP CISM
Wyndham Worldwide - Manager - Information Security
2. MIS Training Institute Session E5 - Slide 2
About me
Ben Rothke, CISSP, CISM, CISA
Manager - Information Security - Wyndham Worldwide
All content in this presentation reflects my views
exclusively and not those of Wyndham Worldwide
Author - Computer Security: 20 Things Every Employee
Should Know (McGraw-Hill)
Write the Security Reading Room blog
https://365.rsaconference.com/blogs/securityreading
3. MIS Training Institute Session E5 - Slide 3
Overview
Encryption internals are built on complex mathematics
and number theory
Your successful encryption program requires a CISSP,
CISA and PMP, not necessarily a PhD
Effective encryption requires attention to detail, good
design, combined with good project management and
documentation
Your encryption strategy must reflect this
4. MIS Training Institute Session E5 - Slide 4
It’s 2012 – where’s the encryption?
Many roll-outs are nothing more than stop-gap solutions
Getting it done often takes precedence over key
management, documentation, processes, etc.
Many organizations lack required security expertise
These and more combine to obstruct encryption from
being ubiquitous
Adds up to a significant need for encryption
deployment strategies
5. MIS Training Institute Session E5 - Slide 5
Encryption strategy in 3 easy steps
1. Define your requirements
2. Know where your sensitive data resides
3. Create detailed implementation plans
When implementing your encryption strategy,
remember that information security is a process, not
a product.
6. MIS Training Institute Session E5 - Slide 6
Typical encryption nightmare scenario
Monday 9AM – Audit report released to CEO
Numerous failings, namely lack of strong encryption
Monday 11 AM – CEO screams at CIO
Monday Noon – CIO screams at CISO
Monday 2PM – CISO screams at staff
Tuesday – With blank check, CISO tells info security manager to
order encryption equipment ASAP
Thursday - Security team spends two days and nights
installing/configuring encryption hardware and software
Six months later – Complete disarray with regard to encryption key
management. CEO screams at CIO, who fires the CISO. Next day –
Interim CISO tells team to get encryption working by the weekend
7. MIS Training Institute Session E5 - Slide 7
Encryption nirvana scenario
(Process diagram) Initial Drivers (business, technical, regulatory) → Policy (define drivers, data classification, policy definition) → Strategy (data mapping, risk modeling, control gaps) → Deployment (implementation, management, audit) → Effective Encryption
8. MIS Training Institute Session E5 - Slide 8
Encryption challenges
Operating systems and application vendors haven’t
made it easy and seamless to implement encryption
Lack of legacy support
Laws often conflict or fail to provide effective guidance
Far too few companies have encryption policies and/or
a formal encryption strategy
Costs / Performance
up-front and on-going maintenance costs
performance hit
added technical staff
9. MIS Training Institute Session E5 - Slide 9
Encryption – a double-edged sword
(Diagram) One edge: no one, not even NSA, CIA, KGB, or evil hacker, can read your data
Other edge: no one, including you, can read your data
Between the two edges: effective encryption strategy
10. MIS Training Institute Session E5 - Slide 10
Common deployment mistakes
Thinking encryption is plug and play
Hardware is PnP
making encryption work is not
Going to a vendor too early
vendors sell hardware/software
you need requirements, project plans,
implementation guides, etc.
11. MIS Training Institute Session E5 - Slide 11
More common deployment mistakes
Not being transparent to end users
if it’s a pain to use, they will ignore/go around it.
Not giving enough time to design/test
effective encryption roll-outs take time
require significant details
you can’t rush this!
12. MIS Training Institute Session E5 - Slide 12
Dealing with vendors
When you drive the project:
• you define the requirements
• you have chosen them
• vendors provide best practices / assistance
• vendor input can be invaluable
• project succeeds
They are brought in as the experts:
• they are expected to put out a fire
• they spec out their product
• you don’t have internal expertise working with them
• project fails
13. MIS Training Institute Session E5 - Slide 13
Technically advanced airplane paradox
TAA in theory have more available safety, but without
proper training for their pilots, they could be less safe
than airplanes with less available safety
FAA found that without proper training for the pilots
who fly them, technically advanced airplanes don’t
advance safety at all
TAA presents challenges that under-prepared pilots
might not be equipped to handle
Encryption is exactly like a TAA
Your staff must be trained and prepared
14. MIS Training Institute Session E5 - Slide 14
Encryption Strategy
Mathematics of cryptography is rocket science
But most aspects of information security, compliance
and audit are not!
Good computer security is attention to detail and good
design, combined with effective project management
Enterprise encryption strategy must reflect this
not everyone will need encryption across the board
policies need to be determined first as to what requires
encryption
15. MIS Training Institute Session E5 - Slide 15
What should the strategy include?
laptop encryption
database encryption
network encryption
smart cards
mobile encryption
wireless encryption
smart phones
iPad/iPod/iPhone
application encryption
storage encryption
PDAs
USB
floppies/CD-ROM/DVD
emerging technologies
16. MIS Training Institute Session E5 - Slide 16
Strategy prioritization
Prioritize based on specific requirements and
compensating controls
start with assumption that data needn’t be encrypted
unless there’s specific requirement to encrypt or
identify high-risk situation where encrypting data will
avert disaster
Encrypting where there is no requirement brings:
false sense of security
takes budget away from more pressing encryption
requirements
increases administrative burden
locked out of your own data
17. MIS Training Institute Session E5 - Slide 17
Current state
Evaluate current encryption strategy and policy
In sync with industry security best practices?
Encryption framework in place?
Policies in place?
Define what regulations must be complied with
Document current encryption hardware / software environment
(Phase diagram: Policy: Define Drivers, Data Classification, Policy Definition)
19. MIS Training Institute Session E5 - Slide 19
Analyze your encryption needs
protect data from loss and exposure
prevent access to the system itself?
does software need to access the files after encryption?
data to be transported securely? By what means?
how much user burden is acceptable?
how strong does the encryption need to be?
do you need to match the solution to the hardware?
regulatory, contractual, organizational policy
ask a lot of questions at this point!
20. MIS Training Institute Session E5 - Slide 20
Encryption keys – where art thou?
VPN connections
SSL/TLS
PKI/IdM
user-generated keys
file system encryption
Third-parties
Trusted Platform Module (TPM)
built into new desktops and laptops
21. MIS Training Institute Session E5 - Slide 21
Drivers
Business
customer trust
intellectual property
Technical
AES, PGP, BitLocker, etc.
Increase in mobile devices
Regulatory
PCI / SoX / EU / ISO-17799
State data breach laws
(Phase diagram: Policy: Define Drivers, Data Classification, Policy Definition)
22. MIS Training Institute Session E5 - Slide 22
Documentation and policies
Encryption must be supported by policies,
documentation and a formal system and risk
management program
Shows work adequately planned and supervised
Demonstrates internal controls studied and evaluated
Policy must be:
Endorsed by management
Communicated to end-users and business partners / 3rd-parties that handle sensitive data. If they can’t meet the company’s policies, don’t give them access to your data
Encryption responsibility should be fixed with consequences for noncompliance
(Phase diagram: Policy: Define Drivers, Data Classification, Policy Definition)
23. MIS Training Institute Session E5 - Slide 23
Encryption processes
Encryption is process intensive
Must be well-defined and documented
If not implemented and configured properly, can cause
system performance degradation or operational hurdles
Improperly configured encryption processes give false
sense of security
Perception that confidentiality of sensitive
information is protected when it’s not
24. MIS Training Institute Session E5 - Slide 24
Data classification
Provides users with information to guide
security-related information handling
process must align with business processes
classification is dynamic
changes as data objects move from one class
to another
changes as business strategies, structures
and external forces change
understand potential for change
embed appropriate processes to manage it
(Phase diagram: Policy: Define Drivers, Data Classification, Policy Definition)
25. MIS Training Institute Session E5 - Slide 25
Data classification drivers
Compliance, discovery, archiving, never delete retention
policy, performance, availability, recovery attributes…
Gartner: Organizations that do not have an effective
data classification program usually fail at their data
encryption projects.
Four Category
• Secret
• Confidential
• Private
• Unclassified
Five Category
• Top Secret
• Highly Confidential
• Proprietary
• Internal Use Only
• Public
26. MIS Training Institute Session E5 - Slide 26
Encryption strategy
Identify all methods of data input/output
storage media
business partners and other third parties
applicable regulations and laws
high-risk areas
laptops
wireless
data backups
others
(Phase diagram: Strategy: Data Mapping, Risk Modeling, Control Gaps)
27. MIS Training Institute Session E5 - Slide 27
Data discovery
Identify precisely where data is stored and all data
flows
System wide audit of all data repositories
significant undertaking for large enterprises
process can take months
Required to comply with PCI?
confirm you are not storing PCI-prohibited data
manually review data flows within POS application to
find files where results of card swipe are written
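As an added example for the data discovery step on this slide (this is illustrative code, not from the presentation or any tool it names): a small scanner that walks text a POS application might have written to disk, pulls out 13 to 19 digit runs, keeps only those that pass the Luhn checksum, and reports them masked to first six / last four. The sample lines and file names are constructed; the card numbers in them are public test numbers, not real accounts.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample files: the kind of lines a POS application might write to
# disk after a card swipe. The card numbers are public test numbers, not real accounts.
SAMPLE_FILES: Dict[str, List[str]] = {
    "pos_debug.log": [
        "2012-04-03 09:45:01 swipe ok pan=4111111111111111 exp=1214",
        "2012-04-03 09:45:02 txn id=900123456789 amount=42.10",
        "2012-04-03 09:45:03 swipe ok pan=5500-0000-0000-0004 exp=0115",
    ],
    "settlement.txt": [
        "batch 20120403 total 12 items ref 4111111111111112",
    ],
}

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by all major card brands; filters out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report only the first six and last four digits, the PCI DSS display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid card number in the lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


def scan_files(files: Dict[str, List[str]]) -> Dict[str, List[Tuple[int, str]]]:
    """Files that contain stored PANs, i.e. candidates for a 'PCI-prohibited data' finding."""
    report = {}
    for name, lines in files.items():
        hits = find_pans(lines)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for lineno, masked in hits:
            print(f"{name}:{lineno}: stored PAN {masked}")
```

The Luhn filter is what keeps the scan usable on a large estate: transaction ids, timestamps and batch references of similar length are dropped, so the manual review of data flows the slide calls for can start from a short list rather than every long number on disk.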
29. MIS Training Institute Session E5 - Slide 29
Requirements analysis
Define business, technical, and operational
requirements and objectives for encryption
define policies, architecture, and scope of
encryption requirements
conduct interviews, review policy documents,
analyze current and proposed encryption
strategy to identify possible security gaps
determine liabilities
better requirements definition directly
correlates to successful encryption program
(Phase diagram: Strategy: Data Mapping, Risk Modeling, Control Gaps)
30. MIS Training Institute Session E5 - Slide 30
Legacy systems
Most legacy systems not designed for encryption
Legacy encryption options
retrofitting application so that encryption is built-in to
application functions
using encryption appliance that sits between app and
database
off-loading encryption to storage mechanism or database
Hardest platform – AS/400
31. MIS Training Institute Session E5 - Slide 31
Full-disk / host-based encryption (at rest)
Data encrypted at creation
first possible level of data security
little chance of encrypted data being intercepted,
accidentally or maliciously
if intercepted, encryption renders it unreadable
can significantly increase processing overhead
requires additional processing power/expense
highly secure and well-suited to active data files
large-scale data encryption can be unwieldy and impact
performance
Vendors: Microsoft, Check Point, PGP, TrueCrypt
33. MIS Training Institute Session E5 - Slide 33
Appliance-based encryption
Data leaves host unencrypted, then goes to dedicated
appliance for encryption
after encryption, data enters network or storage device
quickest to implement, but can be costly
can be easy to bypass
good quick fix
for extensive data storage encryption, cost and
management complexity of encrypting in-band can
increase significantly
Vendors: NetApp, Thales/nCipher
34. MIS Training Institute Session E5 - Slide 34
Storage device encryption
Data transmitted unencrypted to storage device
easiest integration into existing backup environments
supports in-device key management
easy to export encrypted data to tape
easy to implement and cost-effective
best suited to static and archived data or encrypting
large quantities of data for transport
large numbers of devices can be managed from single
key management platform
Vendors: EMC, IBM, Hitachi
35. MIS Training Institute Session E5 - Slide 35
Tape-based encryption
Data can be encrypted on tape drive
most secure solution
no performance penalty
easy to implement
provides protection from both offsite and on-premise
information loss
enables secure shipment of data
allows secure reuse of tapes
Vendors: Thales, HP, CA, Brocade, NetApp
36. MIS Training Institute Session E5 - Slide 36
Database encryption
DBMS-based encryption is vulnerable when the key used to
encrypt the data is itself stored in a DB table inside the
same DB, protected by native DBMS access controls
users who have access rights to encrypted data often
have access rights to encryption key
creates security vulnerability because encrypted text
not separated from means to decrypt it
also doesn’t provide adequate tracking or monitoring of
suspicious activities
37. MIS Training Institute Session E5 - Slide 37
Database encryption
Inside DBMS
• Least impact on app
• Security vulnerability: encryption key stored in database table
• Performance degradation
• To separate keys, additional hardware required, e.g., HSM
Outside DBMS
• Remove computational overhead from DBMS and application servers
• Separate encrypted data from encryption key
• Communication overhead
• Must administer more servers
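As an added illustration of slides 36 and 37 (example code, not from the presentation or any vendor product): two SQLite databases, one holding its encryption key in a table next to the ciphertext, the other holding only a key reference while the key lives in a stand-in for an HSM. An audit check then asks the question the slides raise: does a dump of the database alone contain everything needed to decrypt? The cipher is a deliberately simple HMAC-SHA256 counter-mode construction so the block runs with the standard library; the class name Hsm, the table names and the card number are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Illustrative cipher only: HMAC-SHA256 in counter mode. A real deployment uses an
# authenticated cipher (e.g. AES-GCM) from a vetted, FIPS 140-2 validated library.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:12], blob[12:])


class Hsm:
    """Stand-in for key storage outside the DBMS (an HSM or a separate key server)."""
    def __init__(self):
        self._keys = {}
    def create_key(self, key_id: str) -> None:
        self._keys[key_id] = os.urandom(32)
    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        return encrypt(self._keys[key_id], plaintext)
    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        return decrypt(self._keys[key_id], blob)


def build_inside_dbms() -> sqlite3.Connection:
    """Slide 37, left column: the key sits in a table of the same database."""
    conn = sqlite3.connect(":memory:")
    key = os.urandom(32)
    conn.execute("CREATE TABLE enc_keys (key_id TEXT PRIMARY KEY, key_material BLOB)")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, pan_enc BLOB, key_id TEXT)")
    conn.execute("INSERT INTO enc_keys VALUES ('k1', ?)", (key,))
    conn.execute("INSERT INTO cards VALUES (1, ?, 'k1')", (encrypt(key, b"4111111111111111"),))
    return conn


def build_outside_dbms(hsm: Hsm) -> sqlite3.Connection:
    """Slide 37, right column: the database holds ciphertext and a key reference only."""
    conn = sqlite3.connect(":memory:")
    hsm.create_key("k1")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, pan_enc BLOB, key_id TEXT)")
    conn.execute("INSERT INTO cards VALUES (1, ?, 'k1')", (hsm.encrypt("k1", b"4111111111111111"),))
    return conn


def dump_tables(conn: sqlite3.Connection) -> dict:
    """Everything a party with read access to the database (or its backup) obtains."""
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return {t: conn.execute(f"SELECT * FROM {t}").fetchall() for t in tables}


def dump_is_self_decrypting(dump: dict) -> list:
    """Audit check: plaintexts recoverable using only material found in the dump.
    An empty list means the ciphertext is separated from the means to decrypt it."""
    keys = [row[1] for row in dump.get("enc_keys", [])]
    recovered = []
    for _id, pan_enc, _key_id in dump.get("cards", []):
        for k in keys:
            pt = decrypt(k, pan_enc)
            if pt.isdigit():   # the constructed plaintexts are digit strings
                recovered.append(pt.decode())
    return recovered
```

The check is the same one the slide's wording implies: whoever can read the table containing the key can read the data, and native DBMS access rights rarely separate the two. Moving the key into the HSM makes the dump useless on its own, at the cost of the extra server and the round trip listed in the right column.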
38. MIS Training Institute Session E5 - Slide 38
Key Management (KM)
Generation, distribution, storage, recovery and
destruction of encryption keys
encryption is 90% management and policy, 10%
technology
most encryption failures due to ineffective KM
processes
80% of 22 SAP testing procedures related to encryption
are about KM
effective KM policy and design requires significant time
and effort
39. MIS Training Institute Session E5 - Slide 39
The n² Problem
With symmetric cryptography, as number of users
increases, number of keys required increases rapidly
For group of n users, there needs to be ½(n² - n) keys
for total communications
As number of parties (n) increases, number of symmetric
keys becomes unreasonably large for practical use
Users   ½(n² - n)               Shared key pairs required
2       ½(4 - 2)                1
3       ½(9 - 3)                3
10      ½(100 - 10)             45
100     ½(10,000 - 100)         4,950
1000    ½(1,000,000 - 1,000)    499,500
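As an added example for this slide (not from the presentation): the table computed from the formula, plus a toy provisioning run that actually hands every pair of users its own secret, so the n² growth and the n-1 secrets each user must safeguard are visible rather than asserted. The key distribution center contrast at the end goes beyond the slide; it is the usual way the problem is avoided and is labelled as such in the code.

```python
import secrets
from itertools import combinations


def pairwise_keys(n: int) -> int:
    """Distinct shared keys for n users: ½(n² - n), i.e. the number of unordered pairs."""
    return (n * n - n) // 2


def key_table(sizes=(2, 3, 10, 100, 1000)):
    """The slide's table as (users, keys required) rows."""
    return [(n, pairwise_keys(n)) for n in sizes]


def provision_pairwise(users):
    """Hand every unordered pair of users its own secret; the store grows as n²."""
    return {frozenset(pair): secrets.token_bytes(32) for pair in combinations(users, 2)}


def keys_held_by(user, keystore) -> int:
    """Each user must safeguard one secret per peer, n - 1 in total."""
    return sum(1 for pair in keystore if user in pair)


def provision_kdc(users):
    """Contrast (beyond the slide): with a key distribution center each user holds a
    single long-term key and pairwise session keys are issued on demand, so the
    number of long-term secrets grows as n rather than n²."""
    return {u: secrets.token_bytes(32) for u in users}


if __name__ == "__main__":
    for n, k in key_table():
        print(f"{n:>5} users -> {k:>8} shared keys")
    staff = [f"user{i}" for i in range(10)]   # constructed user list
    store = provision_pairwise(staff)
    print(len(store), "keys provisioned;", keys_held_by("user3", store), "held by user3")
```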
40. MIS Training Institute Session E5 - Slide 40
Key management questions
how many keys do you need?
where are keys stored?
who has access to keys?
how will you manage keys?
how will you protect access to encryption keys?
how often should keys change?
what if key is lost or damaged?
how much key management training will we need?
how about disaster recovery?
41. MIS Training Institute Session E5 - Slide 41
PCI DSS key management requirements
PCI DSS v2.0 requirement 3.6
generation of strong keys
secure key distribution
periodic key changes
destruction of old keys
dual control of keys
replacement of compromised keys
key revocation
42. MIS Training Institute Session E5 - Slide 42
Key Management
Keys must be accessible for the data to be accessible
If too accessible, higher risk of compromise
Reliability
Outage in the system will prevent business from
functioning
Centralized key management
Can help simplify key management for multiple
applications
43. MIS Training Institute Session E5 - Slide 43
Key generation and destruction
Generation
• FIPS 140-2 validated cryptographic module
• distribution
  • manual
  • electronic
• backup/restore
• split knowledge
Destruction
• Getting rid of keys is just as detailed as creating them
• Processes must deal with keys stored on:
  • hard drives
  • USB
  • EPROM
  • Third parties
• facilities must exist to destroy hard-copies of key, both on paper and in hardware
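As an added example tying together the PCI DSS requirement 3.6 items on slide 41 and the generation/destruction points on this slide (illustrative code, not from the presentation or any product): a key lifecycle manager that enforces split knowledge (the key is the XOR of two custodian shares and is never stored whole), dual control (both custodians must approve activation), periodic change (rotation retires the old key for decrypt-only use), compromise handling, and destruction as a separate controlled step. The class name, custodian names and dates are constructed for the example.

```python
import hashlib
import secrets
from datetime import date, timedelta
from typing import Dict

FIRST_DEPLOY = date(2011, 1, 1)   # constructed dates for the worked run
AUDIT_DAY = date(2012, 4, 3)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fingerprint(share: bytes) -> str:
    return hashlib.sha256(share).hexdigest()


class KeyLifecycle:
    """State machine: pending -> active -> retired -> destroyed, with 'compromised'
    as an emergency exit from active. The manager stores no key material, only
    fingerprints of the custodians' shares, so no single party holds a whole key."""

    def __init__(self, rotation_days: int = 365):
        self.rotation_days = rotation_days
        self.records: Dict[str, dict] = {}
        self.fingerprints: Dict[tuple, str] = {}

    def generate(self, key_id: str, custodians, today: date) -> Dict[str, bytes]:
        """Split knowledge: key = share_a XOR share_b; each custodian is handed one share."""
        if len(set(custodians)) != 2:
            raise ValueError("exactly two distinct custodians required")
        shares = {c: secrets.token_bytes(32) for c in custodians}
        for c, s in shares.items():
            self.fingerprints[(c, key_id)] = fingerprint(s)
        self.records[key_id] = {"state": "pending", "created": today,
                                "custodians": tuple(custodians), "approvals": set()}
        return shares

    def approve(self, key_id: str, custodian: str) -> str:
        """Dual control: activation needs both custodians; nobody can activate alone."""
        rec = self.records[key_id]
        if custodian not in rec["custodians"]:
            raise PermissionError(f"{custodian} is not a custodian of {key_id}")
        rec["approvals"].add(custodian)
        if rec["state"] == "pending" and len(rec["approvals"]) == 2:
            rec["state"] = "active"
        return rec["state"]

    def reconstruct(self, key_id: str, presented: Dict[str, bytes]) -> bytes:
        """Rebuild the key from both presented shares (in practice inside an HSM session)."""
        rec = self.records[key_id]
        if rec["state"] not in ("active", "retired"):
            raise PermissionError(f"{key_id} is {rec['state']}; use refused")
        for c in rec["custodians"]:
            if c not in presented or fingerprint(presented[c]) != self.fingerprints.get((c, key_id)):
                raise PermissionError(f"share from {c} missing or does not match")
        a, b = rec["custodians"]
        return xor_bytes(presented[a], presented[b])

    def may_encrypt(self, key_id: str) -> bool:
        """Only active keys protect new data; retired keys exist solely to decrypt old data."""
        return self.records[key_id]["state"] == "active"

    def due_for_rotation(self, today: date):
        age = timedelta(days=self.rotation_days)
        return [k for k, r in self.records.items()
                if r["state"] == "active" and today - r["created"] >= age]

    def rotate(self, old_id: str, new_id: str, custodians, today: date) -> Dict[str, bytes]:
        """Periodic key change: issue a successor, retire the old key until data is re-encrypted."""
        shares = self.generate(new_id, custodians, today)
        self.records[old_id]["state"] = "retired"
        return shares

    def report_compromise(self, key_id: str) -> None:
        """A compromised key may neither encrypt nor decrypt; a replacement must be issued."""
        self.records[key_id]["state"] = "compromised"

    def destroy(self, key_id: str) -> None:
        """Destruction is a controlled step of its own: only retired or compromised keys,
        and the share fingerprints are dropped so presented shares are never accepted again."""
        rec = self.records[key_id]
        if rec["state"] not in ("retired", "compromised"):
            raise PermissionError(f"cannot destroy a key in state {rec['state']}")
        for c in rec["custodians"]:
            self.fingerprints.pop((c, key_id), None)
        rec["state"] = "destroyed"


def refused(fn, *args) -> bool:
    """True if the key manager refuses an operation; handy for self-checks."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

The design choice worth noting is that the manager is deliberately weak on its own: it can verify shares but cannot produce a key, which is what split knowledge means in practice. Logging each state transition with the custodian identities would give the audit trail that slide 36 notes is otherwise missing.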
44. MIS Training Institute Session E5 - Slide 44
OASIS Enterprise Key Management
Infrastructure (EKMI)
Focused on standardizing management of symmetric
encryption cryptographic keys across the enterprise
within a symmetric KM system
Working on creation of:
Symmetric Key Services Markup Language (SKSML)
protocol
Implementation and operations guidelines for an SKMS
Audit guidelines for auditing an SKMS
Interoperability test-suite for SKSML implementations
www.oasis-open.org/committees/ekmi
45. MIS Training Institute Session E5 - Slide 45
For more information
Guideline for Implementing Cryptography in the Federal
Government
http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf
Cryptographic Toolkit
http://csrc.nist.gov/groups/ST/toolkit/index.html
Recommendation for Key Management
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
Encryption Strategies: The Key to Controlling Data
www.oracle.com/encryption/wp/encryption_strategies_wp.pdf
47. MIS Training Institute Session E5 - Slide 47
Summary
Organizations that do not have an effective data
classification program usually fail at their data
encryption projects
Creating an effective deployment strategy is the
difference between strong encryption and an audit
failure
Encryption is about attention to detail, good design
and project management
48. MIS Training Institute Session E5 - Slide 48
Contact info
Ben Rothke, CISSP CISA
Manager – Information Security
Wyndham Worldwide Corporation
www.linkedin.com/in/benrothke
www.twitter.com/benrothke
www.slideshare.net/benrothke