Ivo Depoorter
Whois I
   Functions
     Sysadmin, DBA, CIO, ADP instructor, SSO,
      Security consultant
   Career (20 y)
     NATO – Local government – Youth care
   Training
     Lots of Microsoft, Linux, networking,
      programming…
     Security: Site Security Officer, CISSP, BCM,
      Ethical Hacking, network scanning,…
Course outline
   Information security?
   Security Why?
   Security approach
   Vocabulary
   The weakest link
   Real life security sample
Information security?
According to Wikipedia, ISO2700x, CISSP,
SANS,….

   Confidentiality: Classified information must be protected
    from unauthorized disclosure.

   Integrity: Information must be protected against
    unauthorized changes and modification.

   Availability: the information processed, and the services
    provided must be protected from deliberate or accidental
    loss, destruction, or interruption of services.
Information security?
Security attributes according to the Belgian
privacy commission

   Confidentiality
   Integrity
   Availability

    +

   Accountability
   Non-repudiation
   Authenticity
   Reliability
CIA Exercise
Defacing of Belgian Army website
CIA Exercise
   Confidentiality

      ??
      Webserver only hosting public information?
      Webserver separated from LAN?


   Integrity
     Unauthorized changes!



   Availability
     Information is no longer available
Security Why?
   Compliance with law

   Protect (valuable) assets

   Prevent production breakdowns

   Protect reputation, (non-)commercial image

   Meet customer & shareholder requirements

   Keep personnel happy
Security approach
   Both technical and non-technical countermeasures.
   Top-management approval and support!
   Communicate!
   Information security needs a layered approach!!!


   Best practices
       COBIT
        Control Objectives for Information and related Technology
       ISO 27002 (ISO 17799)
        Code of practice for information security management
       …..
ISO 27002
   Section   0    Introduction
   Section   1    Scope
   Section   2    Terms and Definitions
   Section   3    Structure of the Standard
   Section   4    Risk Assessment and Treatment
   Section   5    Security Policy
   Section   6    Organizing Information Security
   Section   7    Asset Management
   Section   8    Human Resources Security
   Section   9    Physical and Environmental Security
   Section   10   Communications and Operations Management
   Section   11   Access Control
   Section   12   Information Systems Acquisition, Development and Maintenance
   Section   13   Information Security Incident Management
   Section   14   Business Continuity Management
   Section   15   Compliance
ISO 27002 - Example
Security audit local government > 500 employees
Technique: Social Engineering

   Relevant ISO 27002 sections:
     Section 10   Procedures
     Section 9    Physical access
     Section 11   Logical access
     Section 15   Internal audit
Security vocabulary - Threat
   A potential cause of an unwanted incident, which may
    result in harm to individuals, assets, a system or
    organization, the environment, or the community.
    (BCI)

   Samples:

     Fire

     Death of a key person (SPOK or Single Point of Knowledge)

     Crash of a critical network component e.g. core switch (SPOF: single
      point of failure)

     …
Security vocabulary - Damage
   Harm or injury to property or a person, resulting in loss of
    value or the impairment of usefulness

   Damage in information security:
       Operational
       Financial
       Legal
       Reputational

   Damage from the defaced Belgian Army website?
       Operational:    probably (temporary frontpage, patch management,….)
       Financial:      probably (training personnel, hiring consultancy,….)
       Legal:          probably (lawsuit against external responsible?)
       Reputational:   certainly!
Security vocabulary - Risk
    Combination of the probability of an event and its
     consequence.

    Risk components
      Threat (probability)
      Damage (amount)

    Example (damage columns: O = Operational, F = Financial, L = Legal, R = Reputational):

    Process         Threat                       O  F  L  R   Max impact   Probability   Risk
    Food freezing   Electricity Failure > 24 h   4  3  2  2        4            2          8
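The slide's scoring rule, risk = threat (probability) × damage (max impact), carried out over a small risk register. This is an added example, not part of the original slide deck: the scoring follows the slide's worked row (Food freezing, 4/3/2/2, probability 2, risk 8), while the two extra rows and the treatment threshold are constructed for illustration.

```python
"""Risk register calculator following the slide's rule:
risk = max damage score (O/F/L/R) * probability of the threat.

Added example; the first row is the slide's, the other rows are constructed.
"""
from dataclasses import dataclass

DAMAGE_TYPES = ("operational", "financial", "legal", "reputational")  # O F L R


@dataclass
class RiskEntry:
    process: str
    threat: str
    damage: dict      # per-type damage score, e.g. 1 (low) .. 4 (high)
    probability: int  # likelihood score of the threat, e.g. 1 .. 4

    def max_impact(self) -> int:
        """The slide takes the worst damage type as the impact of the event."""
        return max(self.damage[t] for t in DAMAGE_TYPES)

    def risk(self) -> int:
        """Risk = threat (probability) * damage (max impact)."""
        return self.max_impact() * self.probability


def build_register(entries):
    """Rank entries by risk, highest first, so treatment starts at the top."""
    return sorted(entries, key=lambda e: e.risk(), reverse=True)


def entries_needing_treatment(entries, threshold):
    """Entries at or above the (assumed) risk-acceptance threshold."""
    return [e for e in entries if e.risk() >= threshold]


# The slide's row, plus two constructed rows using threats named on the slides.
SAMPLE = [
    RiskEntry("Food freezing", "Electricity failure > 24 h",
              {"operational": 4, "financial": 3, "legal": 2, "reputational": 2}, 2),
    RiskEntry("Public website", "Defacement",
              {"operational": 2, "financial": 2, "legal": 2, "reputational": 4}, 3),
    RiskEntry("Payroll", "Death of key person (SPOK)",
              {"operational": 3, "financial": 2, "legal": 3, "reputational": 1}, 1),
]

if __name__ == "__main__":
    print(f"{'Process':<16}{'Threat':<30}{'Max':>4}{'Prob':>6}{'Risk':>6}")
    for e in build_register(SAMPLE):
        print(f"{e.process:<16}{e.threat:<30}{e.max_impact():>4}"
              f"{e.probability:>6}{e.risk():>6}")
```

Ranking the register makes the "Zen of risk" trade-off concrete: countermeasure spending goes to the rows above the acceptance threshold first, and the threshold itself is a business decision, not a technical one.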
The Zen of Risk
   What is just the right amount of security?

   Seeking Balance between
    Security (Yin) and Business (Yang)




    [Balance diagram: Potential Loss vs. Cost; Countermeasures vs. Productivity]
Security vocabulary - AAA
    Authentication: technologies used to determine the
     authenticity of users, network nodes, and documents

    Authorization: who is allowed to do what?

    Accountability: is it possible to find out who performed
     which operations?


• Strong authentication
  (two-factor or multifactor)

• Something you know (password, PIN,…)
• Something you have (token,…)
• Something you are (fingerprint, …)
The weakest link
   Countermeasures:
   • Force password policy on server
   • Train personnel
   • Use strong authentication
   • …

SEC_RITY is not complete without U!
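What "force password policy on server" looks like as code: a server-side check that rejects a candidate password before it is stored. This is an added example and not from the slide deck; the policy parameters (minimum length, character classes) and the tiny common-password list are assumptions standing in for a real breached-password list.

```python
"""Server-side password policy check (added example, assumed policy values)."""
import re

# Assumed policy parameters.
MIN_LENGTH = 12
MIN_CLASSES = 3  # of: lowercase, uppercase, digit, symbol
COMMON_PASSWORDS = {  # constructed stand-in for a large breached-password list
    "password", "password1", "welcome1", "qwerty123", "letmein",
}

CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def policy_violations(password: str, username: str = "") -> list:
    """Return the rules the candidate breaks; an empty list means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = [name for name, pat in CLASS_PATTERNS.items() if pat.search(password)]
    if len(classes) < MIN_CLASSES:
        violations.append(f"uses {len(classes)} character classes, needs {MIN_CLASSES}")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("appears in the common/breached password list")
    if username and username.lower() in password.lower():
        violations.append("contains the user name")
    if re.search(r"(.)\1\1", password):
        violations.append("repeats one character three or more times in a row")
    return violations


def is_acceptable(password: str, username: str = "") -> bool:
    return not policy_violations(password, username)


if __name__ == "__main__":
    for candidate in ("password", "jdepoorter2024!Xyz", "Tr0ub4dour&Horse-Stapl3"):
        print(candidate, policy_violations(candidate, "depoorter") or "accepted")
```

Returning the full list of violations rather than a bare yes/no lets the server tell the user what to fix, which is the training side of the same countermeasure.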
The weakest link
   Countermeasures:
   • Implement security & access policies
   • Job rotation
   • Encryption
   • Employee awareness training
   • Audit trail of all accesses to documents
   • ….

Amateurs hack systems, professionals hack people!
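The AAA vocabulary and the "audit trail of all accesses to documents" countermeasure, together in one added example (not from the slides): an authorization check that answers "who is allowed to do what", and an audit trail that answers the accountability question "who performed which operations". The users, roles, documents and permission table are constructed for illustration.

```python
"""Authorization decision plus audit trail (added example; data is constructed)."""
from datetime import datetime, timezone

# Authorization: who is allowed to do what. "*" means any authenticated user.
PERMISSIONS = {
    "hr_file.docx": {"hr": {"read", "write"}, "manager": {"read"}},
    "budget.xlsx":  {"finance": {"read", "write"}, "manager": {"read"}},
    "public.html":  {"*": {"read"}},
}

USER_ROLES = {"alice": "hr", "bob": "finance", "carol": "manager", "dave": "cleaning"}

AUDIT_TRAIL = []  # accountability: one record per access attempt, allowed or denied


def _record(user, action, document, allowed, when=None):
    AUDIT_TRAIL.append({
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user, "action": action, "document": document,
        "result": "ALLOW" if allowed else "DENY",
    })


def is_authorized(user, action, document):
    acl = PERMISSIONS.get(document, {})
    role = USER_ROLES.get(user)
    return action in acl.get("*", set()) or action in acl.get(role, set())


def access(user, action, document, when=None):
    """Decide and log. Denied attempts are logged too: they are the interesting ones."""
    allowed = is_authorized(user, action, document)
    _record(user, action, document, allowed, when)
    return allowed


def who_accessed(document, result=None):
    """The slide's accountability question: who did what to this document?"""
    return [(r["user"], r["action"], r["result"]) for r in AUDIT_TRAIL
            if r["document"] == document and (result is None or r["result"] == result)]


def denied_attempts_by_user():
    """Repeated denials per user are a simple signal for the awareness/audit follow-up."""
    counts = {}
    for r in AUDIT_TRAIL:
        if r["result"] == "DENY":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


if __name__ == "__main__":
    access("alice", "write", "hr_file.docx")
    access("dave", "read", "hr_file.docx")
    access("dave", "read", "public.html")
    access("carol", "write", "budget.xlsx")
    print(who_accessed("hr_file.docx"))
    print(denied_attempts_by_user())
```

Logging the denied attempts is what turns the trail into accountability: the cleaning-staff account reading the HR file is exactly the access the slide's "use opportunities" warning is about, and it is only visible if the denial is recorded.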
Hacking steps
Step                        Countermeasures (short list)
1. Reconnaissance           Be careful with information
2. Network mapping          Network IDS – block ICMP
3. Exploiting               System hardening
4. Keeping access           IDS – Antivirus – rootkit scanners
5. Covering Tracks


 Reconnaissance (information gathering):

 Searching interesting information on discussion groups/forum,
 social networks, customer reference lists, Google hacks…
Real life security sample
   [Diagram labels: High security (war)zone; Illiterate (local) cleaning personnel (Use opportunities!!!); LAN / WWW; >2m; Tempest!!!]

   Physical security:
   • Personnel clearance
   • Physical control
   • Pc placement (shoulder surfing)
   • Clean desk policy
   • Shredder
   • Lock screen policy
   • Fiber to pc

   Logical security:
   • VLAN’s
   • Password policy
   • …
We learned….
   Security is CIA(+)
   Why: law, reputation, production continuity,…
   Approach: layered, technical & non-technical, support
    from CEO, lots of communication
   Vocabulary: threat, damage, risk, (strong)authentication,
    authorization, accountability
   Risk = threat * damage
   Security balance: loss vs. cost
    & countermeasures vs. productivity
   The weakest link is personnel!
   A hacker starts with information gathering
Information security for dummies
