In-Depth Performance Testing Guide for IT Professionals
Egypt Cloud Day, May 2011 -- Information Assurance
1. ٦/١٩/١٤٣٢
Session: Information Assurance, the superset of Information Security
Speaker: Mahmoud Tawfik
Agenda
• Information Assurance.
• Risk Assessment & Management.
• Cryptography
• Ethical-Hacking
• Recent incidents and news.
• Will Egypt plan for a security strategy?
• Q&A.
IA
• Risk Assessment & Management
• Strategic Risk Management
• Reliability.
• GRC (Governance, Risk and Compliance).
• Audits and Privacy.
• Accounting, Fraud.
• BCP (Business Continuity Plan).
• DRP (Disaster Recovery Plan).
IA Concepts
• Defense in Depth (multiple layers of defense)
• Security through obscurity
• CIA (Confidentiality, Integrity and Availability)
• Authenticity
• Utility
• Non-repudiation
Risk
• What is Risk?
• Risk = Probability * Impact
• What is a Threat?
• What is a Vulnerability?
• What is an Exploit?
Risk
Qualitative risk assessment:
• Identify threats.
• Identify vulnerabilities.
T&T to Identify Vulnerabilities:
1. CVE
2. Vulnerability Scanners
3. Penetration test
Risk
Quantitative risk assessment:
Annualized Loss Expectancy (ALE)
Single Loss Expectancy (SLE)
Annualized Rate of Occurrence (ARO)
ALE = SLE * ARO
Risk
Risk management techniques
1. Avoidance
2. Transference
3. Acceptance
4. Mitigations
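As an added example that is not part of the slides, the quantitative terms (SLE, ARO, ALE) and the four risk management techniques from the two Risk slides worked through in Python. The cost/benefit rule, the Control model and all figures are assumptions for illustration, not the presenter's method:

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One threat/asset pair described with the slide's quantitative terms."""
    name: str
    sle: float  # Single Loss Expectancy: cost of one occurrence
    aro: float  # Annualized Rate of Occurrence: expected events per year

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle * self.aro

@dataclass
class Control:
    """A candidate safeguard and its assumed effect on the risk."""
    name: str
    annual_cost: float   # yearly cost of running the safeguard
    residual_sle: float  # SLE once the control is in place
    residual_aro: float  # ARO once the control is in place

    def residual_ale(self) -> float:
        return self.residual_sle * self.residual_aro

def control_value(risk: Risk, control: Control) -> float:
    """Annual benefit of a control: ALE reduction minus the control's cost."""
    return risk.ale() - control.residual_ale() - control.annual_cost

def choose_treatment(risk: Risk, controls: list, risk_appetite: float,
                     insurance_premium=None) -> tuple:
    """Map the four techniques to numbers (assumed decision rule)."""
    if risk.ale() <= risk_appetite:           # small enough to live with
        return ("Acceptance", None)
    worthwhile = [c for c in controls if control_value(risk, c) > 0]
    if worthwhile:                            # best net-positive safeguard
        best = max(worthwhile, key=lambda c: control_value(risk, c))
        return ("Mitigation", best.name)
    if insurance_premium is not None and insurance_premium < risk.ale():
        return ("Transference", insurance_premium)
    return ("Avoidance", None)                # stop the risky activity

# Constructed sample: defacement of a public web portal; figures are invented.
DEFACEMENT = Risk("portal defacement", sle=50_000, aro=4)   # ALE = 200,000
CONTROLS = [
    Control("patching + WAF", annual_cost=30_000, residual_sle=50_000, residual_aro=0.5),
    Control("monthly scan only", annual_cost=5_000, residual_sle=50_000, residual_aro=3),
]

if __name__ == "__main__":
    print(DEFACEMENT.ale(), choose_treatment(DEFACEMENT, CONTROLS, risk_appetite=10_000))
```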
Cryptography
Symmetric
Symmetric cryptography uses the same secret (private) key to encrypt and decrypt data.
Asymmetric
Asymmetric cryptography uses a key pair: a public key and a private key.
Access Control
Access Control: control access to critical assets.
Identification and authentication determine who can log on to a system.
Penetration test
Penetration Test aka Ethical Hacking
• Reconnaissance (Information Intelligence).
• Vulnerability Scanning & Analysis.
• Exploitation.
• Reporting and Documentation.
Incidents
Recent Incidents and News
• RSA security breach.
• Top-Secret US lab hacked.
• Israel planning strategy to defend networks from attacks.
• White House Reveals Cyber Security Plan.
Incidents
RSA breach
Uri Rivner, head of new technologies, identity protection and verification at RSA, said:
"The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn't consider these users particularly high profile or high value targets. The email subject line read "2011 Recruitment Plan."
The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled "2011 Recruitment plan.xls".
The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines."
Source: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Incidents
Top secret US lab hacked
The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes.
Oak Ridge National Laboratories is a highly secretive facility located in Tennessee that is used for homeland security and military purposes. It is managed by the US Department of Energy and conducts research into nuclear energy, chemical science, and biological systems.
Source: http://www.theregister.co.uk/2011/04/19/us_lab_security_breach/
Cyber strategies
Israel planning strategy to defend computer networks from attacks
A team of experts convened by the prime minister to develop a strategy to defend Israel's computer networks against assault from hostile countries and terrorist organizations is expected to submit its recommendations after the Passover holiday. The group, headed by Maj. Gen. (res.) Isaac Ben-Israel, was formed in November, a few months after foreign media reported on the Stuxnet computer worm, which struck nuclear facilities in Iran, as well as a number of networks around the world.
Various entities in Israel, he revealed, such as banks and major corporations, had not consented to accepting government protection until the Counter-Terrorism Bureau broke into their networks to demonstrate the potential harm they faced.
Source: http://www.haaretz.com/print-edition/news/israel-planning-strategy-to-defend-computer-networks-from-attack-1.353722
Cyber strategies
White House Reveals Cyber Security Plan
A cyber security plan proposed by the Obama administration aims to protect individual privacy, federal computer networks and elements of national critical infrastructure. The proposal includes more stringent penalties for cyber criminals; mandatory data breach reporting for organizations; placing the responsibility for defending federal agency networks from attack in the hands of the Department of Homeland Security (DHS); and improving protection for elements of the country's critical infrastructure. It also would establish guidelines for the government to help companies that suffer cyber incidents, and for information sharing about threats among businesses and state and local governments.
Reference: http://content.usatoday.com/communities/theoval/post/2011/05/obama-team-unveils-new-cybersecurity-plan/1
Strategy
Will Egypt plan for a security strategy?
• More than 10 hacked government websites in 2011.
• Government infrastructure relies on Microsoft Windows.
• Egypt needs an urgent cyber defense/warfare strategy.
Is this possible after the 25 Jan revolution?
Source: http://zone-h.org/archive/filter=1/domain=.gov.eg/fulltext=1/page=1
Defacements
387 hacked government sites
Thank you!
Now, it is time for Q&A
Email: m.tawfik@fixed-solutions.com
Twitter: mtawfik5