These slides cover various topics in information security: databases and their advantages, DBMS and RDBMS, IS design considerations, various cyber crime techniques, the elements of information security such as integrity and availability, classification of threats, information security risk assessment, the four stages of risk management, the NIST definition, risk assessment methodologies, the security risk assessment approach, risk mitigation options, categories of controls, technical controls, etc.
2. Basics of Information System
• Data: raw facts
– Alphanumeric, image, audio, and video
• Information: collection of facts organized in such a way that they have additional value beyond the value of the facts themselves
An Information System is a set of interrelated components that collect or retrieve, process, store and distribute information to support decision making and control in an organization.
3. Basics of Information System
• An IS accepts data from its environment and manipulates that data to produce information that is used to solve a business problem or to help in taking business decisions.
4. Basics of Information System
Today Information Systems are mostly computerized and software based.
An Information System is made of hardware, software, data, procedures and people.
The major functions of an IS are:
Input
Storage
Processing / manipulation
Control
Output
5. Basics of Information System
IS are developed to help specific business functions.
Some examples are:
Enterprise Resource Planning (ERP)
Financial Management Information Systems (FMIS)
Customer Relationship Management Systems (CRM)
6. Basics of Information System
Most common types of information systems used in business organizations:
Electronic and mobile commerce systems
Transaction processing systems
Management information systems
Decision support systems
Specialized business information systems
7. Basics of Information System
Electronic and Mobile Commerce
E-commerce: any business transaction executed electronically between parties:
Companies (B2B)
Companies and consumers (B2C)
Consumers and other consumers (C2C)
Companies and the public sector
Consumers and the public sector
8. Basics of Information System
Transaction Processing Systems
Transaction: business-related exchange
Payments to employees
Sales to customers
Payments to suppliers
Transaction processing system (TPS): organized collection of people, procedures, software, databases, and devices used to record completed business transactions
9. Basics of Information System
Additional Business Information Systems
• Management Information Systems (MIS)
– provide routine information to managers and decision makers
• Knowledge Management Systems (KMS)
– create, store, share, and use the organization’s knowledge and experience
• Artificial intelligence (AI)
– field in which the computer system takes on the characteristics of human intelligence
• Decision support system (DSS)
– used to support problem-specific decision making
10. Basics of Information System
In the past decade, the nature of IS has undergone a great change, from mainframe based IS to client/server to today’s web based information systems.
Information Systems today are distributed and component based.
Businesses now have no geographical boundaries.
The widespread reach of the internet and the increase in bandwidth have helped the development of Global Information Systems.
11. Basics of Information System
Web services play a major role in building global IS for today’s dynamic business world.
Web services perform functions ranging from simple requests to complicated business processes.
Advantages of GIS
Strong Return-On-Investment (ROI)
Increased Productivity
Flexibility
Low maintenance cost
12. Basics of Information System
Data Management
Without data and the ability to process it, an organization could not successfully complete most business activities.
Data consists of raw facts.
For data to be transformed into useful information, it must first be organized in a meaningful way.
14. Basics of Information System
• Data Management
• Entity: a generalized class of people, places, or things (objects) for which data is collected, stored, and maintained
• Attribute: characteristic of an entity
• Data item: value of an attribute
• Key: field or set of fields in a record that is used to identify the record
• Primary key: field or set of fields that uniquely identifies the record
15. Basics of Information System
• Data Management
• Traditional approach to database management
– separate data files are created for each application
• Results in data redundancy (duplication)
• Data redundancy conflicts with data integrity
• Database approach to database management:
– pool of related data is shared by multiple applications
• Significant advantages over traditional approach
17. Basics of Information System
Advantages of Database Approach
Improved strategic use of Organization data
Accurate, complete and up to date data is available.
It is available to decision makers when, where and in the format they require.
Reduce Data Duplications
Easier updating and modifications
Data and Program Independence
Easier Control of data access
Improved Data Integrity
Changes to data are available to all immediately.
18. Basics of Information System
Important facts when building a database
Content: What data should be collected, at what cost?
Access: What data should be provided to which users and when?
Logical structure: How should data be arranged to make sense to a given user?
Physical organization: Where should data be physically located?
19. Basics of Information System
Relational Database Model
Data elements are placed in two-dimensional tables (relations), which are the logical equivalent of files.
Each row of a table represents a data entity.
Columns of the table represent attributes.
The domain of the database model consists of all of the allowable values for data attributes.
20. Basics of Information System
• Database Management Systems (DBMS)
• Interface between:
– Database and application programs
– Database and the user
• Creating and implementing the right database system ensures that the database will support both business activities and goals
• DBMS: a group of programs used as an interface between a database and application programs or a database and the user
21. Basics of Information System
IS Design Considerations
Information systems planning: translating strategic and organizational goals into systems development initiatives.
Aligning organizational goals and IS goals is critical for any successful systems development effort.
Determining whether organizational and IS goals are aligned can be difficult.
22. Basics of Information System
Tough competition forces businesses to take the correct decisions at the right time.
Thus IS have become mandatory for businesses to perform their day-to-day functions.
As IS play a crucial role in business systems, it is important that they remain secure.
Also, the data contained in them should not fall into the wrong hands.
Any problem with an IS will result in loss of productivity, loss of revenue, legal liabilities, loss of reputation and other losses.
23. Information System Security
Today most IS are connected to the internet.
Thus they are exposed to the outside world directly.
Threats from the outside world must be addressed.
Damage from a non-secure IS can result in catastrophic consequences for the organization.
Thus organizations must investigate and evaluate the factors that could be a threat.
24. What Is Information Security???
Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of the service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
- U.S. Govt.’s NIA Glossary
25. Why Information Security???
Use of IT across businesses
Fast growth of Internet
Commercialization of Internet
Web site defacement
Theft of confidential data
Financial Frauds
Legal requirements
26. Why Information Security???
Increased rate of cyber crime issues.
Cyber crime is defined as criminal activity involving the IT infrastructure, including illegal access, illegal interception, data interference, misuse of devices, ID theft and electronic fraud.
27. Cyber Crime Techniques
Data Scavenging
Shoulder Surfing
Piggy Backing
Man In the middle
Social Engineering
Buffer overruns
SQL injections
28. Why Information Security???
Cookies
Cross Site Scripting (XSS)
SPAM
Denial Of Service (DOS)/ DDOS
Virus / Worms/ Trojans
Spyware / Adware
Phishing
Spoofing, etc.
29. Elements of Information Security
Three basic elements of Information Security.
Confidentiality
Integrity
Availability
30. Confidentiality
It is the principle that information will not be disclosed to unauthorized subjects.
Examples:
Unauthorized network data sniffing
Listening in on a phone conversation
31. Integrity
It is the protection of system information or processes from intentional or accidental unauthorized changes.
33. Information Security
In other words, information security means making sure that the required information is provided to the correct people at the correct time.
34. Other Elements of InfoSec
Identification – recognition of an entity by a system.
Authentication – process of verifying identity.
Accountability – tracing the activities of an individual on a system.
Authorization – granting access or other permissions.
Privacy – right of an individual to control the sharing of information about him.
35. How to achieve Information Security???
Information Security does not mean only installing antivirus and firewalls.
Information security tends to protect hardware, software, data, procedures, records, supplies and human resources.
Information assets are those resources that store, transport, create, use or are information.
36. How to achieve Information Security???
Administrative Controls – policies, standards, procedures, guidelines, employee screening, change control, security awareness trainings.
Technical Controls – access controls, encryption, firewalls, IDS, IPS, HTTPS.
Physical Controls – controlled physical access to resources, monitoring, no USB or CD-ROM, etc.
37. How to achieve Information Security???
Information Security is the responsibility of everyone who can affect the security of a system.
38. Some Good Habits
Always use official software.
Keep all software up to date with patches.
If using free software, always download from the original developer's site.
Do not disclose all your information on internet sites like Orkut/Facebook.
Use the Internet with control.
Use email properly.
Take care while discarding your waste material.
Use small gadgets carefully as information storage.
Be careful while surfing from a cybercafe.
39. Information System Security
Threat
A threat is a possible event that can damage or harm an Information System.
Vulnerability
It is a weakness within a system. It is the degree of exposure in view of a threat.
Countermeasures
A set of actions implemented to prevent threats.
40. Information System Security
Network Level Threats
The attacker requires network access to the organization's systems or networks.
Hacking computers, implementing spyware
Information Level Threats
Attacks on the information itself.
Sending fake queries to the sales department
Submitting false information
Creating revenge web sites
41. Information System Security
Major Security Threats to an IS
Computer Crimes / Abuse
Human Error
Failure of Hardware or Software
Natural Disasters
Political Disasters
42. Information System Security
Computer Crime / Abuse
Computer Viruses
Code that performs a malicious act.
Can insert itself into other programs in a system.
A worm is a virus that can replicate itself to other systems over the network.
Biggest threat to personal computing.
Trojan Horse
A program that performs malicious or unauthorized acts.
Distributed as a good program.
May be hidden within a good program.
43. Information System Security
Denial of Service (DoS)
Making a system unavailable to legitimate users.
Impersonation
Assuming someone else’s identity and enjoying his privileges.
Salami Technique
Diverting small amounts of money from a large number of accounts maintained by the system.
Small amounts go unnoticed.
Spoofing
Configuring a computer to assume some other computer's identity.
44. Information System Security
Scavenging
Unauthorized access to information by searching through the remains after a job is finished.
Dumpster diving
Data Leakage
Various techniques are used to obtain stored data
SQL injection
Error Outputs
Wiretapping
Tapping computer transmission lines to obtain data.
Theft of Mobile Devices
45. Information System Security
Myths, rumors and hoaxes
Created by sending false emails to as many people as possible.
These may have significant impact on companies, their
reputation and business.
Web Site Attacks
Web site defacement
Adding wrong information
Increase in cyber crime rates
Organized cyber criminals
46. Information System Security
Employee Issues
Disgruntled Employees
Availability of hacking tools
Social Engineering Attacks
Sharing Passwords
Sharing Official Systems
Not following clean desk policy
Rise in Mobile workers
Use of mobile devices
Wireless access
Lots of organization data exposed
47. Classification of Threats
Basis of effective security management.
Organizations need to know the damage caused when a
security incident or an attack happens.
This helps management decide the budget for security
related expenditures.
Organizations cannot secure everything.
Organizations cannot spend too much on security.
48. Classification of Threats
Four things to be considered while evaluating a threat
Asset
Something of value to the organization
Actor / Attacker
Who or what may violate the security requirement
Motive
Deliberate or accidental
Access
How the attacker will access the asset.
50. Classification of Threats
Classify Assets
Tag Assets based on their value to the organization.
Find various threats to important assets.
Tag threats for an asset.
Find the threats which have maximum risk.
Calculate the loss due to these threats.
51. Classification of Threats
Cost of a threat can be calculated considering following
factors
Productivity
No. of employees affected
No. of hours wasted
Cost per hour / per employee
Revenue
Direct financial loss
Future business loss
Financial Performance
Credit rating and stock price
Other Expenses
Hidden Costs
52. Classification of Threats
Cost of a threat can be calculated considering following
factors
Other Expenses
Overtime Costs
Travel Expenses
Third Party costs
Equipment Rental Costs
Hidden Costs
Difficult to calculate
Cost of damaged reputation
Loss of faith by customers, bankers or vendors
53. Information System Security
The aim of the information system security is to protect
organization assets.
If not fully protected at least limit damage to them.
Limit access to information to authorized users only.
Information systems controls play a crucial role to ensure
secure operations of IS.
They safeguard the assets and the data within them.
54. Information System Security
The organization needs to develop a set of security
policies, procedures and technological measures.
Information System Controls-
Preventive Controls
Prevent an error or attack
Detective Controls
Detect a security breach or incident
Corrective Controls
These controls detect an error or incident and correct it.
56. Building Blocks of Information Security
Basic Terms and Definitions
Encryption
Modification of data for security reasons prior to
transmission so that it is not comprehensible without the
decoding method.
Cipher
Cryptographic transformation that operates on characters or
bits of data.
Cryptanalysis
Methods to break the cipher so that encrypted message can be
read.
57. Building Blocks of Information Security
Electronic Signature
Process that operates on a message to assure message source
authenticity, integrity and non-repudiation.
Non-Repudiation
Methods by which the transmitted data is tagged with sender’s
identity as a proof so neither can deny the transmission.
Steganography
Method of hiding the existence of data. Bitmap images are
commonly used to transmit hidden messages.
58. Building Blocks of Information Security
Identification
It is a method by which a user claims his identity to a system.
Authentication
It is the method by which a system verifies the identity of a user or
another system.
Accountability
It is the method by which a system tracks the actions performed by
a user or a process.
Authorization
It is a method by which a system grants certain permissions to a
user.
Privacy
It is the protection of individual data and information.
59. Building Blocks of Information Security
The Three Pillars of Information Security
Confidentiality
It is related to the access to data.
Any intentional or unintentional unauthorized disclosure of
data will make the data lose its confidentiality.
Integrity
It is nothing but the truthfulness or correctness of data.
Any unauthorized modification to data affects the integrity of that
data.
Availability
It means reliable and timely access to required data.
60. Building Blocks of Information Security
Terms for Information Classification
Unclassified
Not so important information. Can be disclosed to public.
Sensitive but unclassified
Information is somewhat important, but if disclosed to the public will not
cause any damage.
Confidential
Unauthorized disclosure may cause some damage.
Secret
Unauthorized disclosure may cause serious damage.
Top secret
Unauthorized disclosure may cause very serious damage.
61. Building Blocks of Information Security
However, some organizations classify information as
Public
Sensitive
Private
The following criteria are used to determine the classification
of information
Value
Age
Useful Life
Personal Association
62. Introduction… Risk Assessment
The inability of corporations to protect themselves from
cyber-risks has contributed to heavy financial losses,
breaches of privacy, and even the downfall of
corporations.
Cyber-risks are generated by hackers, malicious
software, disgruntled employees, competitors, and
many other sources both internal and external.
These external and internal cyber-attacks on
corporate assets and an increasingly technology-savvy
corporate management have led to a more
appropriate awareness of the information security
risks to corporate information.
63. Introduction
Understandably, information security is now a major concern
for most corporations.
A recent survey reported that computer security is the critical
attribute of corporate networks for 78 percent of corporate
executives.
Another survey reported that security outweighed other
concerns by a factor of three as the driving concern for IT
improvements.
Many corporations are putting their money into increased
security spending.
In a survey of chief security officers, corporations have
increased their information security budget fivefold to 30
percent of their IT budget.
64. Introduction
But even with all this spending, many corporate executives are
unsure about the effectiveness of their information security
programs or the security controls that have been put in place.
A survey found that 34 percent of organizations see their own
security controls as inadequate to detect a security breach.
Thus organizations need a reliable method for measuring the
effectiveness of their information security program.
An information security risk assessment is designed specifically
for that task.
An information security risk assessment, when performed
correctly, can give corporate managers the information they
need to understand and control the risks to their assets.
65. Security Risk Assessment
A security risk assessment is an important element in the
overall security risk management process.
Security risk management involves the process of ensuring
that the risk posture of an organization is within
acceptable bounds as defined by senior management.
There are four stages of the security risk management
process
66. Four Stages of Risk Management
Security Risk Assessment
An objective analysis of the effectiveness of the current security
controls that protect an organization's assets and a
determination of the probability of losses to those assets.
A security risk assessment reviews the threat environment of
the organization, the value of assets, the criticality of systems,
the vulnerabilities of the security controls, the impact of
expected losses, and recommendations for additional controls
to reduce risk to an acceptable level.
Based on this information the senior management of the
organization can determine if additional security controls are
required.
67. Four Stages of Risk Management
Test and Review
Security testing is the examination of the security controls
against the security requirements.
Security controls are determined during the security risk
assessment and tested during security testing efforts.
Security testing is performed more frequently than security
risk assessments.
68. Four Stages of Risk Management
Risk Mitigation
Risks to an organization’s assets are reduced through the
implementation of new security controls or the improvement
of existing controls.
Security risk assessments provide information to allow the
senior management to make risk-based decisions for the
development of new controls.
They also help in deciding how to spend resources on security
improvements to existing controls.
Risk can be mitigated through corrections and additional
controls or accepted or transferred.
69. Four Stages of Risk Management
Operational Security
The implementation and operation of most security controls
are performed by operational personnel.
Daily and weekly activities such as applying patches,
performing account maintenance, and
providing security awareness training are essential for
maintaining an adequate security posture.
70. NIST Definition
The periodic assessment of risk to agency operations or
assets resulting from the operation of an information
system is an important activity.
The risk assessment brings together important
information for agency officials with regard to the
protection of the information system and generates
essential information required for the security plan.
71. NIST Definition
The risk assessment includes: (i) the identification of
threats to and vulnerabilities in the information system;
(ii) the potential impact or magnitude of harm that a loss
of confidentiality, integrity, or availability would have on
agency operations (including mission, functions, image, or
reputation) or agency assets should there be a threat
exploitation of identified vulnerabilities; and (iii) the
identification and analysis of security controls for the
information system.
72. Risk Assessment
Asset –
assets are the information and resources that have value to
the organization.
Examples include buildings, equipment, personnel,
organization reputation, business documents, and many other
tangible and intangible items.
It is useful to categorize or classify assets to organize asset
protection requirements, and the vulnerability assessment of
assets.
73. Risk Assessment
Asset Valuation
One of the key steps to performing a security risk assessment is to determine
the value of the assets that require protection.
Various types of asset valuation techniques are used.
74. Risk Assessment
The actual cost of an asset is determined by the
importance it has to the organization as a whole.
The following factors affect the cost evaluation of an
asset:
Current cost of the asset
Cost to acquire or develop the asset
Cost to maintain and protect the asset
Value of the asset to the owner and users
Cost others are willing to pay for the asset
Cost to replace the asset
Other business activities affected because of failure or
unavailability of this asset
75. Risk Assessment
Determining the value of an asset is the first step to
understanding what security measures are required and
what funds should be allocated to protect the asset.
The asset value should also be able to answer the
question of how much it could cost the company not to
protect the asset.
It helps in performing effective cost/benefit analysis.
It helps select specific countermeasures and safeguards.
It helps the organization understand which assets are really
important.
76. Risk Assessment Methodologies
For risk assessment, different standardized methodologies are used
by industry.
The SP 800-30 document is the risk methodology developed by
NIST.
It is titled "Risk Management Guide for Information Technology
Systems".
It is considered a U.S. federal government standard.
It is specific to IT threats and how they relate to information
security risk.
77. Risk Assessment Methodologies
It lays out the following steps:
System Characterization
Threat Identification
Vulnerability Identification
Control analysis
Likelihood determination
Impact analysis
Risk determination
Control recommendations
Result documentation
It does not cover larger organizational threat types such
as natural disasters, environmental issues etc.
78. Risk Assessment Methodologies
The second type of risk assessment methodology is
Facilitated Risk Analysis Process.
Developed by Thomas Peltier.
It involves assessing only those systems that are critical.
This helps reduce costs and overcome time constraints.
It is normally used to analyze a single system, single
application or a business process at a time.
It does not involve any mathematical calculations.
Requires experienced members on the risk assessment team.
79. Risk Assessment Methodologies
Another methodology is Operationally Critical Threat, Asset,
and Vulnerability Evaluation (OCTAVE).
This method is designed to help people manage and direct
the risk evaluation for information security within their
company.
This methodology relies on the concept that people
working within the organization know what kind of risks
they are facing and best understand what is needed.
The members of the risk assessment team undergo
facilitated workshops.
The facilitator helps the team members understand the risk
methodology.
80. Risk Assessment Methodologies
The team members then apply this to vulnerabilities and
threats identified within their business units.
The NIST, FRAP and OCTAVE methodologies basically
consider IT security threats and information security
risks.
The Australian and New Zealand methodology
AS/NZS4360 provides a broader approach to risk
management.
This considers a company's financial, capital, human safety
and business decision risks.
However, this is not designed for security.
81. Risk Assessment Methodologies
The United Kingdom created a risk assessment methodology
– the Central Computing and Telecommunications Agency
Risk Analysis and Management Method (CRAMM).
It works in three stages – define objectives, assess risks
and identify countermeasures.
It follows the basic structure of any risk methodology.
It basically provides automated tools in the form of
questionnaires, asset dependency modeling, assessment
formulas and compliance reporting.
Some organizations develop their own risk assessment
methodologies and tools.
82. Risk Assessment
Threat
A threat is commonly described as an event with an undesired
impact on the organization’s assets.
The components of a threat include the threat agent and the
undesirable event.
Threat Agent
A threat agent is an entity that may cause a threat to happen.
Undesirable Event
An undesirable event is what is caused by a threat agent.
The event is considered undesirable if it threatens a protected asset.
Such events include destruction of equipment, disclosure of sensitive
information, and unavailability of resources.
85. Risk Assessment
Specific Threat Statements
A vendor may accidentally cause a slowdown of the
computing equipment.
A vendor may purposefully cause a slowdown of the
computing equipment.
The security risk assessment team is expected to use
their experience, judgment, and common sense when
assessing the validity of threat statements.
86. Risk Assessment
Factors affecting Threat Statement Validity
History
Environmental Factors
Geography and Climate
Facility Size and Configuration
Social and Political Climate
Business Factors
Visibility
Services Performed
Value of Equipment and Inventories
87. Security Risk Assessment Approach
There are nearly as many security risk assessment
approaches as there are organizations that perform them.
The first step in performing a security risk assessment is to
clearly define and understand the approach to be taken.
There are many approaches for performing a security risk
assessment.
These approaches vary in terms of analysis, measurement,
use of tools, and the definition of the project phases.
88. Security Risk Assessment Approach
One of the differences between various security risk
assessment techniques is the way they determine or
calculate risk decision variables.
The important risk decision variables are …
value of the asset;
likelihood that a vulnerability will be exploited; and
severity of the impact.
89. Security Risk Assessment Approach
The terms ‘‘likelihood’’ and ‘‘probability’’ are both used to
describe how likely an event is to occur.
However, ‘‘likelihood’’ is used to qualitatively describe this
occurrence and ‘‘probability’’ is used to quantitatively
describe this occurrence.
Probability is a numerical measure of the chance of a
specific event or outcome.
90. Security Risk Assessment Approach
The probability of an event is measured as the ratio of the
number of events in question to the total number of
possible events.
Therefore, probability is always a numerical value between
0 and 1, 0 indicating no chance of the event happening and
1 indicating that the event is certain to happen.
91. Security Risk Assessment Approach
When some computational method, i.e. a formula, is
used to determine the values of the risk variables, it is
called quantitative analysis.
Whereas when it is done using subjective judgment, the
approach is called qualitative analysis.
92. Security Risk Assessment Approach
Quantitative Analysis
Quantitative analysis is an approach that relies on specific
formulas and calculations to determine the value of the risk
decision variables.
These formulas cover the expected loss for specific risks and
the value of safeguards to reduce the risk.
There are three classic quantitative risk analysis formulas –
annual loss expectancy,
single loss expectancy,
safeguard value
93. Security Risk Assessment Approach
Quantitative Analysis
Single Loss Expectancy (SLE) = Asset Value × Exposure Factor
Annual Loss Expectancy (ALE) = Single Loss Expectancy ×
Annual Rate of Occurrence
Safeguard Value = ALE Before – ALE After – Annual Safeguard
Cost
94. Security Risk Assessment Approach
Quantitative Analysis
Single loss expectancy (SLE) is the expected loss as the
result of a single incident.
An exposure factor is the average amount of loss to the
asset for a single incident.
Annual rate of occurrence (ARO) is simply a prediction of
how often a specific risk event is likely to happen each
year.
95. Security Risk Assessment Approach
Quantitative Analysis
Safeguard value is defined as the reduction experienced in
the annualized loss expectancy minus the annual cost of
implementing the countermeasure.
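The following is an added worked example, not part of the original slides: it builds the cost of one incident from the productivity, revenue, other and hidden cost factors of slides 51 and 52, turns that into an exposure factor, and then applies the SLE, ALE and safeguard value formulas of slides 93 to 95 to decide whether a safeguard pays for itself. All asset values, incident figures and safeguard costs are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class IncidentCost:
    """Cost factors for a single occurrence of a threat (constructed
    values below; the factor names follow the slides)."""
    employees_affected: int
    hours_wasted: float
    cost_per_hour: float          # fully loaded cost per employee-hour
    direct_financial_loss: float
    future_business_loss: float
    other_expenses: float         # overtime, travel, third-party, rentals
    hidden_costs: float           # reputation damage, lost customer faith

    def productivity_loss(self) -> float:
        return self.employees_affected * self.hours_wasted * self.cost_per_hour

    def total(self) -> float:
        return (self.productivity_loss() + self.direct_financial_loss
                + self.future_business_loss + self.other_expenses
                + self.hidden_costs)

def exposure_factor(incident: IncidentCost, asset_value: float) -> float:
    """Exposure factor: the share of the asset's value lost in one incident."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    return min(incident.total() / asset_value, 1.0)  # cannot lose > 100%

def single_loss_expectancy(asset_value: float, ef: float) -> float:
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * ef

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ARO may be fractional: 0.5 means once every two years."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro

def safeguard_value(ale_before: float, ale_after: float,
                    annual_cost: float) -> float:
    """Positive means the safeguard saves more per year than it costs."""
    return ale_before - ale_after - annual_cost

def evaluate_safeguard(asset_value, ef_before, aro_before,
                       ef_after, aro_after, annual_cost) -> dict:
    """Compare ALE with and without a safeguard that changes EF and ARO."""
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, ef_after), aro_after)
    value = safeguard_value(ale_before, ale_after, annual_cost)
    return {"ale_before": ale_before, "ale_after": ale_after,
            "safeguard_value": value, "worthwhile": value > 0}

# Constructed scenario: malware outbreak on a departmental file server.
SERVER_VALUE = 200_000.0
OUTBREAK = IncidentCost(employees_affected=50, hours_wasted=8,
                        cost_per_hour=40, direct_financial_loss=20_000,
                        future_business_loss=10_000, other_expenses=3_000,
                        hidden_costs=1_000)  # total 50,000 per incident

if __name__ == "__main__":
    ef = exposure_factor(OUTBREAK, SERVER_VALUE)  # 0.25
    # Safeguard A (assumed): endpoint protection plus tested backups at
    # 20,000/year, cutting EF to 0.10 and ARO from 2 to 0.5 per year.
    print(evaluate_safeguard(SERVER_VALUE, ef, 2.0, 0.10, 0.5, 20_000))
```

A safeguard whose annual cost exceeds the ALE reduction it buys gets a negative safeguard value, which is the quantitative signal that the money is better spent on a different control or that the risk should be accepted or transferred.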
96. Security Risk Assessment Approach
Qualitative Analysis
Qualitative analysis relies on the subjective judgment of the
security risk assessment team to determine the overall risk
to the information systems.
The same basic elements are required to determine risk,
such as asset value, threat frequency, impact, and safeguard
effectiveness, but these elements are now measured in
subjective terms such as ‘‘high’’ or ‘‘not likely.’’
97. Security Risk Assessment Approach
Qualitative Analysis
Qualitative values have order.
These values are hierarchical. For example,
High > Medium > Low
98. Security Risk Assessment Approach
Quantitative Vs. Qualitative Analysis
Quantitative risk - A method of determining and presenting
security risk that relies on specific formulas and
calculations to determine the value of the security risk.
Advantages: Objective; security risk expressed in terms of
dollars
Disadvantages: Security risk calculations are complex;
accurate values are difficult to obtain
99. Security Risk Assessment Approach
Quantitative Vs. Qualitative Analysis
Qualitative risk - A method of determining and presenting
security risk that relies on subjective measures of asset
valuation, threats, vulnerabilities, and ultimately of the
security risk.
Advantages: Easy to understand; provides adequate
indication of the organization’s security risk
Disadvantages: Subjective; may not be trusted by some in
management positions
100. Risk Mitigation Options
Risk Avoidance
Avoid activities involving greater risk
Use alternate solutions
Risk Termination
Eliminate risk by removing the source
Risk Reduction
Minimize probability of occurrence of risk
Risk Minimization
Reduce the impact on the organization
Risk Transfer
Insurance