SlideShare a Scribd company logo

Egypt Cloud Day, May2011-- Information Assurance

E
Egypt Cloud Forum
Technology
1 of 10
٦/١٩/١٤٣٢ Session: Information Assurance the superset of Information Security Speaker: Mahmoud Tawfik p Agenda • Information Assurance. I f ti A • Risk Assessment & Management. • Cryptography • Ethical-Hacking • Recent incidents and news. • Will Egypt plan for a security strategy? • Q&A. ١
٦/١٩/١٤٣٢ IA • Risk Assessment & Management • Strategic Risk Management • Reliability. • GRC (Governance, Risk and Compliance). • Audits and Privacy. • Accounting ,Fraud. • BCP ( Business Continuity Plan). • DRP ( Disaster Recovery Plan). IA Concepts • Defense in Depth ( Multiple layers of defense) • Security through obscurity • CIA ( Confidentiality , Integrity and Availability) • Authenticity • Utility • Non-repudiation ٢
٦/١٩/١٤٣٢ Risk • What is Risk? • Risk = Probability * Impact • What is a Threat? • What is a Vulnerability? • What is an Exploit? Risk Qualitative risk assessment: • Identifying threats. • Identify vulnerabilities T&T to Identify Vulnerabilities: 1. CVE 2. Vulnerability Scanners 3. Penetration test 3 P t ti t t ٣
٦/١٩/١٤٣٢ Risk Quantitative risk assessment Annualized Loss Expectancy (ALE) Single Loss Expectancy (SLE) Annualized Rate of Occurrence (ARO) ALE = SLE * ARO Risk Risk management techniques 1. Avoidance 2. Transference 3. Acceptance 4. Mitigations ٤
٦/١٩/١٤٣٢ Cryptography Symmetric Symmetric cryptography uses the same secret y yp g p y (private) key to encrypt and decrypt data. Asymmetric public key and private key. Access Control Access Control : Control access to critical assets Identification and authentication determine who can log on to a system. ٥
٦/١٩/١٤٣٢ Penetration test Penetration Test aka Ethical Hacking • Reconnaissance (Information Intelligence). • Vulnerability Scanning & Analysis. • Exploitation. • Reporting and Documentation Documentation. Incidents Recent Incidents and News • RSA security breach. • Top-Secret US lab hacked. • Israel planning strategy to defend networks from attacks. • White House Reveals Cyber Security Plan. ٦
٦/١٩/١٤٣٢ Incidents RSA breach Uri Rivner, head of new technologies, identity protection and verification at RSA said "The attacker in this case sent two different phishing emails over a two- day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.” The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled “2011 Recruitment plan.xls. The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.." Source :http://blogs.rsa.com/rivner/anatomy-of-an-attack/ Incidents Top secret US lab hacked The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes. Oak Rid National L b t i i a hi hl secretive f ilit l O k Ridge N ti l Laboratories is highly ti facility located i t d in Tennessee that is used for homeland security and military purposes. It is managed by the US Department of Energy and conducts research into nuclear energy, chemical science, and biological systems. Source:http://www.theregister.co.uk/2011/04/19/us_lab_security_breach/ ٧
٦/١٩/١٤٣٢ Cyber strategies Israel planning strategy to defend computer networks from attacks A team of experts convened by the prime minister to develop a strategy to defend Israel's computer networks against assault from hostile countries and terrorist organizations is expected to submit its recommendations after the Passover holiday. The group, headed by Maj. Gen. (res. ) Isaac Ben-Israel, was formed in November, a few months after foreign media reported on the Stuxnet computer worm - which struck nuclear facilities in Iran, as well as a number of networks around the world world. Various entities in Israel, he revealed, such as banks and major corporations, had not consented to accepting government protection until the Counter- Terrorism Bureau broke into their networks to demonstrate the potential harm they faced. Source:http://www.haaretz.com/print-edition/news/israel-planning-strategy-to- defend-computer-networks-from-attack-1.353722 Cyber strategies White House Reveals Cyber Security Plan A cyber security plan proposed by the Obama administration aims to protect individual privacy, federal computer networks and elements of national critical infrastructure. The proposal includes more stringent penalties for cyber criminals; mandatory data breach reporting for organizations; placing the responsibility for defending federal agency networks from attack in the hands of the Department of Homeland Security (DHS); and improving protection for elements of the country's critical country s infrastructure. It also would establish guidelines for the government to help companies that suffer cyber incidents, and for information sharing about threats among businesses and state and local governments. Reference : http://content.usatoday.com/communities/theoval/post/2011/05/obama-team- unveils-new-cybersecurity-plan/1 ٨
٦/١٩/١٤٣٢ Strategy Will Egypt plan for a security strategy? • More than 10 hacked government websites in 2011. • Government infrastructure relies on Microsoft Windows. • Egypt needs an urgent cyber defense/warfare strategy. Is this possible after 25 Jan revolution ? source:http://zone- h.org/archive/filter=1/domain=.gov.eg/fulltext=1/page=1 Defacements 387 hacked government sites ٩
٦/١٩/١٤٣٢ Thank Th k you! ! Now, it is time for Q&A Email : m.tawfik@fixed-solutions.com Twitter : mtawfik5 ١٠

Recommended

Cyber warfare capabiliites : A Reality Check
Cyber warfare capabiliites : A Reality CheckCyber warfare capabiliites : A Reality Check
Cyber warfare capabiliites : A Reality Check
Rajeev Chauhan
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.
 
Threat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsThreat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk Programs
Rahul Neel Mani
 
The Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence MatrixThe Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence Matrix
Frode Hommedal
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
mohamed nasri
 
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
BeyondTrust
 
Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)
Digicomp Academy AG
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
Priyanka Aash
 

Recommended

Cyber warfare capabiliites : A Reality Check
Cyber warfare capabiliites : A Reality CheckCyber warfare capabiliites : A Reality Check
Cyber warfare capabiliites : A Reality Check
Rajeev Chauhan
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.
 
Threat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsThreat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk Programs
Rahul Neel Mani
 
The Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence MatrixThe Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence Matrix
Frode Hommedal
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
mohamed nasri
 
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
BeyondTrust
 
Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)
Digicomp Academy AG
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
Priyanka Aash
 
Threat intelligence in security
Threat intelligence in securityThreat intelligence in security
Threat intelligence in security
Osama Ellahi
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
OWASP Delhi
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
Marlabs
 
SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)
Priyanka Aash
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
HITCON GIRLS
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
Syed Peer
 
Cyber Brochure
Cyber BrochureCyber Brochure
Cyber Brochure
Brian Wharton
 
Why_TG
Why_TGWhy_TG
Why_TG
TOP GUN
 
By Roberto Preatoni Fabio Ghioni Corp Vs Corp
By Roberto Preatoni Fabio Ghioni Corp Vs CorpBy Roberto Preatoni Fabio Ghioni Corp Vs Corp
By Roberto Preatoni Fabio Ghioni Corp Vs Corp
Fabio Ghioni
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to Insight
Deep Shankar Yadav
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
Andreas Sfakianakis
 
Cyber Threat Intelligence - La rilevanza del dato per il business
Cyber Threat Intelligence - La rilevanza del dato per il businessCyber Threat Intelligence - La rilevanza del dato per il business
Cyber Threat Intelligence - La rilevanza del dato per il business
Francesco Faenzi
 
DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015
Andrzej Bartosiewicz
 
Deception technology for advanced detection
Deception technology for advanced detectionDeception technology for advanced detection
Deception technology for advanced detection
Jisc
 
Proactive Counterespionage & Business Continuity / Resiliency
Proactive Counterespionage & Business Continuity / ResiliencyProactive Counterespionage & Business Continuity / Resiliency
Proactive Counterespionage & Business Continuity / Resiliency
Dr. Lydia Kostopoulos
 
Fabio Ghioni
Fabio GhioniFabio Ghioni
Fabio Ghioni
Fabio Ghioni
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Raffael Marty
 
Why Risk Management is Impossible
Why Risk Management is ImpossibleWhy Risk Management is Impossible
Why Risk Management is Impossible
Richard Stiennon
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
James Anderson
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
yohansurya2
 

More Related Content

What's hot

Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
Andreas Sfakianakis
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Raffael Marty
 

What's hot (20)

Threat intelligence in security
Threat intelligence in securityThreat intelligence in security
Threat intelligence in security
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber Brochure
Cyber BrochureCyber Brochure
Cyber Brochure
 
Why_TG
Why_TGWhy_TG
Why_TG
 
By Roberto Preatoni Fabio Ghioni Corp Vs Corp
By Roberto Preatoni Fabio Ghioni Corp Vs CorpBy Roberto Preatoni Fabio Ghioni Corp Vs Corp
By Roberto Preatoni Fabio Ghioni Corp Vs Corp
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to Insight
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
 
Cyber Threat Intelligence - La rilevanza del dato per il business
Cyber Threat Intelligence - La rilevanza del dato per il businessCyber Threat Intelligence - La rilevanza del dato per il business
Cyber Threat Intelligence - La rilevanza del dato per il business
 
DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015
 
Deception technology for advanced detection
Deception technology for advanced detectionDeception technology for advanced detection
Deception technology for advanced detection
 
Proactive Counterespionage & Business Continuity / Resiliency
Proactive Counterespionage & Business Continuity / ResiliencyProactive Counterespionage & Business Continuity / Resiliency
Proactive Counterespionage & Business Continuity / Resiliency
 
Fabio Ghioni
Fabio GhioniFabio Ghioni
Fabio Ghioni
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
Why Risk Management is Impossible
Why Risk Management is ImpossibleWhy Risk Management is Impossible
Why Risk Management is Impossible
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 

Similar to Egypt Cloud Day, May2011-- Information Assurance

54 Chapter 1 • The Threat EnvironmentFIGURE 1-18 Cyberwar .docx
54 Chapter 1 • The Threat EnvironmentFIGURE 1-18 Cyberwar .docx54 Chapter 1 • The Threat EnvironmentFIGURE 1-18 Cyberwar .docx
54 Chapter 1 • The Threat EnvironmentFIGURE 1-18 Cyberwar .docx
alinainglis
 
ppt_deck_cybersecurity_for_Everyone.pptx
ppt_deck_cybersecurity_for_Everyone.pptxppt_deck_cybersecurity_for_Everyone.pptx
ppt_deck_cybersecurity_for_Everyone.pptx
jmiham
 

Similar to Egypt Cloud Day, May2011-- Information Assurance (20)

GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
 
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
 
54 Chapter 1 • The Threat EnvironmentFIGURE 1-18 Cyberwar .docx
54 Chapter 1 • The Threat EnvironmentFIGURE 1-18 Cyberwar .docx54 Chapter 1 • The Threat EnvironmentFIGURE 1-18 Cyberwar .docx
54 Chapter 1 • The Threat EnvironmentFIGURE 1-18 Cyberwar .docx
 
Cybersecurity for Everyone Course. Final Project OilRig.pdf
Cybersecurity for Everyone Course. Final Project OilRig.pdfCybersecurity for Everyone Course. Final Project OilRig.pdf
Cybersecurity for Everyone Course. Final Project OilRig.pdf
 
Cyber Security in 2018
Cyber Security in 2018Cyber Security in 2018
Cyber Security in 2018
 
Cyber espionage
Cyber espionageCyber espionage
Cyber espionage
 
Why Risk Management Fails
Why Risk Management FailsWhy Risk Management Fails
Why Risk Management Fails
 
603535ransomware
603535ransomware603535ransomware
603535ransomware
 
ppt_deck_cybersecurity_for_Everyone.pptx
ppt_deck_cybersecurity_for_Everyone.pptxppt_deck_cybersecurity_for_Everyone.pptx
ppt_deck_cybersecurity_for_Everyone.pptx
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
 
Network security
Network securityNetwork security
Network security
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
CCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityCCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network security
 
The Cybersecurity Mess
The Cybersecurity MessThe Cybersecurity Mess
The Cybersecurity Mess
 
1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence
 
Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...
 
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
 
cybersecurity notes important points.pptx
cybersecurity notes important points.pptxcybersecurity notes important points.pptx
cybersecurity notes important points.pptx
 

Recently uploaded

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
CzechDreamin
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
Expeed Software
 

Recently uploaded (20)

Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 

Egypt Cloud Day, May2011-- Information Assurance

  • 1. ٦/١٩/١٤٣٢ Session: Information Assurance the superset of Information Security Speaker: Mahmoud Tawfik p Agenda • Information Assurance. I f ti A • Risk Assessment & Management. • Cryptography • Ethical-Hacking • Recent incidents and news. • Will Egypt plan for a security strategy? • Q&A. ١
  • 2. ٦/١٩/١٤٣٢ IA • Risk Assessment & Management • Strategic Risk Management • Reliability. • GRC (Governance, Risk and Compliance). • Audits and Privacy. • Accounting ,Fraud. • BCP ( Business Continuity Plan). • DRP ( Disaster Recovery Plan). IA Concepts • Defense in Depth ( Multiple layers of defense) • Security through obscurity • CIA ( Confidentiality , Integrity and Availability) • Authenticity • Utility • Non-repudiation ٢
  • 3. ٦/١٩/١٤٣٢ Risk • What is Risk? • Risk = Probability * Impact • What is a Threat? • What is a Vulnerability? • What is an Exploit? Risk Qualitative risk assessment: • Identifying threats. • Identify vulnerabilities T&T to Identify Vulnerabilities: 1. CVE 2. Vulnerability Scanners 3. Penetration test 3 P t ti t t ٣
  • 4. ٦/١٩/١٤٣٢ Risk Quantitative risk assessment Annualized Loss Expectancy (ALE) Single Loss Expectancy (SLE) Annualized Rate of Occurrence (ARO) ALE = SLE * ARO Risk Risk management techniques 1. Avoidance 2. Transference 3. Acceptance 4. Mitigations ٤
  • 5. ٦/١٩/١٤٣٢ Cryptography Symmetric Symmetric cryptography uses the same secret y yp g p y (private) key to encrypt and decrypt data. Asymmetric public key and private key. Access Control Access Control : Control access to critical assets Identification and authentication determine who can log on to a system. ٥
  • 6. ٦/١٩/١٤٣٢ Penetration test Penetration Test aka Ethical Hacking • Reconnaissance (Information Intelligence). • Vulnerability Scanning & Analysis. • Exploitation. • Reporting and Documentation Documentation. Incidents Recent Incidents and News • RSA security breach. • Top-Secret US lab hacked. • Israel planning strategy to defend networks from attacks. • White House Reveals Cyber Security Plan. ٦
  • 7. ٦/١٩/١٤٣٢ Incidents RSA breach Uri Rivner, head of new technologies, identity protection and verification at RSA said "The attacker in this case sent two different phishing emails over a two- day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.” The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled “2011 Recruitment plan.xls. The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.." Source :http://blogs.rsa.com/rivner/anatomy-of-an-attack/ Incidents Top secret US lab hacked The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes. Oak Rid National L b t i i a hi hl secretive f ilit l O k Ridge N ti l Laboratories is highly ti facility located i t d in Tennessee that is used for homeland security and military purposes. It is managed by the US Department of Energy and conducts research into nuclear energy, chemical science, and biological systems. Source:http://www.theregister.co.uk/2011/04/19/us_lab_security_breach/ ٧
  • 8. ٦/١٩/١٤٣٢ Cyber strategies Israel planning strategy to defend computer networks from attacks A team of experts convened by the prime minister to develop a strategy to defend Israel's computer networks against assault from hostile countries and terrorist organizations is expected to submit its recommendations after the Passover holiday. The group, headed by Maj. Gen. (res. ) Isaac Ben-Israel, was formed in November, a few months after foreign media reported on the Stuxnet computer worm - which struck nuclear facilities in Iran, as well as a number of networks around the world world. Various entities in Israel, he revealed, such as banks and major corporations, had not consented to accepting government protection until the Counter- Terrorism Bureau broke into their networks to demonstrate the potential harm they faced. Source:http://www.haaretz.com/print-edition/news/israel-planning-strategy-to- defend-computer-networks-from-attack-1.353722 Cyber strategies White House Reveals Cyber Security Plan A cyber security plan proposed by the Obama administration aims to protect individual privacy, federal computer networks and elements of national critical infrastructure. The proposal includes more stringent penalties for cyber criminals; mandatory data breach reporting for organizations; placing the responsibility for defending federal agency networks from attack in the hands of the Department of Homeland Security (DHS); and improving protection for elements of the country's critical country s infrastructure. It also would establish guidelines for the government to help companies that suffer cyber incidents, and for information sharing about threats among businesses and state and local governments. Reference : http://content.usatoday.com/communities/theoval/post/2011/05/obama-team- unveils-new-cybersecurity-plan/1 ٨
  • 9. ٦/١٩/١٤٣٢ Strategy Will Egypt plan for a security strategy? • More than 10 hacked government websites in 2011. • Government infrastructure relies on Microsoft Windows. • Egypt needs an urgent cyber defense/warfare strategy. Is this possible after 25 Jan revolution ? source:http://zone- h.org/archive/filter=1/domain=.gov.eg/fulltext=1/page=1 Defacements 387 hacked government sites ٩
  • 10. ٦/١٩/١٤٣٢ Thank Th k you! ! Now, it is time for Q&A Email : m.tawfik@fixed-solutions.com Twitter : mtawfik5 ١٠