The document discusses information security and privacy threats in healthcare, focusing on issues in Thailand, and provides an overview of malware, security breaches that have impacted countries like Thailand, and privacy threats in the Thai healthcare system. It also outlines approaches for protecting privacy and security, including through technical and administrative safeguards.
This document provides an overview of health information privacy and security. It discusses various threats to privacy and security in healthcare contexts, both in Thailand and globally. These include threats from hackers, viruses, poorly designed systems, insider risks, and more. The document also outlines some key principles around privacy, security, and data protection, such as security safeguards, informed consent, and privacy regulations. Specific risks like confidentiality breaches, data integrity issues, and service availability problems are examined. Overall, the document aims to raise awareness of privacy and security challenges and best practices in healthcare.
A5 Security Imperatives For iOS & Android Apps DEMO
Kartik Trivedi, Co-Founder, Symosis
Clinton Mugge, Partner, Symosis
Understand emerging iOS and Android apps security threats
Learn how to design, develop and test secure apps
Protect against inadvertent customer and corporate data leakage in mobile apps
Mobile app security and privacy best practices from leading companies
Get free eval access to iOS/Android app top 10 security CBT
This document discusses network security and auditing Windows servers. It provides background on the speaker and defines information security. It outlines fundamentals of information security like the triangle of security. It describes important documents, regulations and standards, and the purpose of auditing Windows servers for compliance, risk reduction, health, and performance. It discusses evaluating event logs, Active Directory, user account properties, and group policy settings. It recommends tools for auditing like Wireshark, GFI LanGuard, Nessus, and OpenVAS, and maintaining server documentation, backups, and patches.
WSO2Con EU 2016: Reinforcing Your Enterprise with Security Architectures
WSO2
In this talk Dulanja will focus on leveraging the extensive feature set and extensible nature of the WSO2 platform to provide a robust security architecture for your enterprise. It will also touch upon some of WSO2’s experiences with customers in building a security architecture and thereby extracting commonly used security architecture patterns.
This document provides an overview of network security concepts. It discusses the importance of protecting information assets as the most valuable company assets. It then covers key network security topics like the CIA triad of confidentiality, integrity and availability. It defines threats at both the network and application levels, and discusses how to overcome threats through policies, user awareness training, and security technologies like firewalls, IDS/IPS, antivirus software, VPNs, spam filters and web content filtering. The document aims to educate about network threats and appropriate security controls and protections.
This document discusses the Physical (Environmental) Security domain of the CISSP Common Body of Knowledge. It covers topics such as defining physical security, types of threats to the physical environment like natural/environmental and man-made/political events. It also discusses security countermeasures and technologies to protect physical assets, including administrative, technical, and physical controls. Specific controls covered include perimeter security, building access controls, data center security, and the strategic application of crime prevention through environmental design principles.
Talking about Application Security with Dev, QA and Ops. This presentation is based on my own personal experience with developers, deployments and the implementations of such systems. #nightmares
This document provides an overview and objectives for an information security awareness training. It covers topics like electronic communication, email viruses, phishing, internet usage, social networking, password management, and physical security. The training aims to help users understand cybersecurity threats, how to safely use technology, and their role in protecting company information assets. It emphasizes the importance of having strong, unique passwords and avoiding opening attachments or clicking links from unknown sources.
This is a presentation template if someone is interested in making a case for a web-based security awareness and training program within your company. It is free for all to use and change accordingly.
This document discusses the importance of physical security to protect against attackers. It notes that while many companies focus on network security, physical theft or access can also compromise data. There are two types of attackers - those outside and inside an organization. Guidelines are provided to restrict physical access for outsiders through barriers, checkpoints, and patrols. For insiders, access controls like badge programs, guest monitoring, and equipment locking are recommended. Server rooms should have heightened security like cameras and limited authorized personnel to protect highly sensitive systems and data.
Building An Information Security Awareness Program
Bill Gardner
Most organizations’ Security Awareness Programs suck. They involve ‘canned’ video presentations or someone in HR explaining computer use policies. Others are extremely expensive and beyond the reach of the budgets of smaller organizations. This talk will show you how to build a Security Awareness Program from scratch for little or no money, and how to engage your users so that they get the most out of the program.
This document provides an overview of information security awareness training from Mount Auburn Hospital. It covers protecting electronic protected health information at work and at home. Key points include understanding what PHI is and why security is important. It describes potential security threats like malware, social engineering, and data theft. Guidelines are provided for secure practices like strong passwords, email safety, and disposing of media properly. Tips for securing data at home involve using antivirus software, backups, and safe internet practices. The goal is to protect patient privacy and comply with HIPAA security requirements.
Software application security training course | Tonex Training
Bryan Len
Price: $1,699.00
Length: 2 Days
TONEX software security training incorporates numerous in-class exercises, including hands-on activities, case studies and workshops. During the software security training, students develop their own sample work and tasks and, through our instruction, build up their own security system.
This training course will teach you a great deal about trusted computing infrastructure (TCI), process nodes, trusted platform module (TPM), software integrity, data integrity and protecting credentials as part of platform security.
Training Outline:
The software security training course consists of the following lessons, which can be revised and tailored to the client’s need:
Secure Software Development
Computer Security Principles
Secure Programming Techniques
Trusted Computing Infrastructure (TCI)
Low Level Software Security Attacks and Protection
Web Security
Secure Design Principles
Risk Management
Statistical Analysis
Symbolic Execution
Penetration Testing
Cloud Security
Data Security and Privacy (DAP)
Wireless Network Security
Mobile System Security (MSS)
Hands-on and In-Class Activities
Sample Workshops Labs for Software Security Training
Request more information regarding the software security training course by Tonex. Visit Tonex.com for course details.
Software application security training course, Tonex Training
https://www.tonex.com/training-courses/software-security-training/
This document outlines an agenda for a security awareness training presentation. It discusses why security awareness training is important, including regulatory compliance, users not understanding security risks, and making system administration easier. It covers who should receive training, including all employees and non-employees. The presentation would cover common security mistakes, training topics such as passwords, email, and malware, and testing users' understanding after the training. Documentation of training efforts is also recommended.
Awareness Training on Information Security
Ken Holmes
We look at the potential risks to information security, how to minimise these when on the internet and how the ISO/IEC 27001 standard can play a part in doing so.
The document discusses security threats in eHealth (electronic health) systems. It outlines various motives for attacks on eHealth systems, including financial gain, revenge, intellectual challenge, and terrorism. Tactics that may be used include stealing devices, sniffing networks, social engineering, trojans, backdoors, and malicious apps. The document recommends solutions like strengthening technology, processes, user training, compliance, and information security governance to better secure eHealth systems and patient data.
This document provides an overview of the Software Development Security Domain topic from the CISSP Common Body of Knowledge. It discusses software development life cycle models and processes, programming languages, database and data warehousing vulnerabilities and protections, and software vulnerabilities and threats. Key frameworks covered include ISO/IEC 15288, SW-CMM, and SSE-CMM. The document also examines governance approaches like COBIT and the importance of assurance requirements.
The document discusses various policies, procedures, and security measures that can be implemented to minimize security breaches in a network. It recommends establishing policies regarding data storage and access, backups, antivirus software, and user access privileges. It also stresses the importance of user training, physical security of network infrastructure, risk assessments, strong identification/authentication methods like two-factor authentication, and use of encryption and digital certificates. Authentication for internal users could include ID/password, physical access cards, and authentication devices, while external users benefit from digital certificates and unique ID/password combinations.
Information security awareness is an essential part of your information security program (ISMS - Information Security Management System). You can find a comprehensive set of security policies and frameworks at https://templatesit.com.
The document discusses insider threat and solutions from the US Department of Defense perspective. It defines insider threat, discusses motivations and past cases like Edward Snowden. It outlines government measures including the National Insider Threat Task Force and requirements around user activity monitoring. Technical solutions discussed include user and entity behavior analytics using machine learning, extensive logging and forensic capabilities, and combining internal monitoring with external threat protection.
GRRCON 2013: Imparting security awareness to all levels of users
Joel Cardella
My GRRCON 2013 talk on imparting security awareness. This is based on a highly successful and well received awareness program I created and rolled out for both blue collar and white collar users.
The document discusses identity and access management strategies for defending against advanced persistent threats (APTs). It outlines how APTs typically progress through four phases - reconnaissance, initial entry, escalation of privileges, and continuous exploitation. It then proposes a "defense-in-depth" approach using identity and access management capabilities to make initial penetration difficult, reduce privilege escalation, limit damage from compromised accounts, and aid in early detection and forensic investigation. Specific capabilities discussed include identity governance, least privilege access, shared account management, session recording, server hardening, and advanced authentication.
This document outlines a presentation on health information privacy and security. It introduces key topics like protecting information privacy and security, user security, malware, and security standards. It also discusses privacy and security laws. The document contains several slides on introduction to information privacy and security, sources of security threats, consequences of security attacks, privacy and security definitions, and examples of different types of security risks.
This document provides an overview of information security and privacy presented by Nawanan Theera-Ampornpunt. It covers topics such as protecting information privacy and security, user security, software security, cryptography, malware, and security standards. Specific threats to information security in Thailand are discussed such as hackers, viruses, insider threats, and natural disasters. The consequences of security attacks on information, operations, individuals, and organizations are also reviewed.
This document discusses health information privacy and security. It covers various topics related to protecting personal and organizational information, including threats like hackers and malware, as well as consequences of security breaches like identity theft. It provides examples of risks to confidentiality, integrity and availability of information. The document then discusses ways to safeguard information through administrative, physical, user, system, software, network and database security practices. It also covers privacy safeguards and the importance of user security practices like access control, authentication, authorization, and using strong passwords.
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on October 21, 2020
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 8, 2021
This document summarizes a presentation on health information privacy and security. It begins with an introduction to information privacy and security, outlining threats like hackers, viruses, and employee errors. It then discusses protecting privacy and security through measures like access controls, encryption, and legal compliance. Specific topics covered include user security using techniques like strong passwords and multi-factor authentication, software security through secure coding practices, and cryptography standards.
CYBER SECURITY PRIMER
OllieShoresna
A brief introduction to cyber security for students who are new to the field.
Network outages, data compromised by hackers, computer viruses and other incidents affect our lives in ways that range from inconvenient to life-threatening. As the number of mobile users, digital applications and data networks increase, so do the opportunities for exploitation.
WHAT IS CYBER SECURITY?
Cyber security, also referred to as information technology security, focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction.
WHY IS CYBER SECURITY IMPORTANT?
Governments, military, corporations, financial institutions, hospitals and other businesses collect, process and store a great deal of confidential information on computers and transmit that data across networks to other computers. With the growing volume and sophistication of cyber attacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security.
During a Senate hearing in March 2013, the nation's top intelligence officials warned that cyber attacks and digital spying are the top threat to national security, eclipsing terrorism.
CYBER SECURITY GLOSSARY OF TERMS
Learn cyber speak by familiarizing yourself with cyber security terminology.1
Access −
The ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains or to control system components and functions.
Active Attack −
An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data or its operations.
Blacklist −
A list of entities that are blocked or denied privileges or access.
Bot −
A computer connected to the Internet that has been surreptitiously/secretly compromised with malicious logic to perform activities under the remote command and control of a remote administrator.
Cloud Computing −
A model for enabling on-demand network access to a shared pool of configurab ...
Information Assurance −
The measures that protect and defend information and information systems by ensuring their availability, integrity and confidentiality.
Intrusion Detection −
The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred.
Key −
The numerical value used to control cryptographic operations, such as decryption, encryption, signature generation or signature verification.
Malware −
Information Security & Privacy in Healthcare (February 9, 2021)
2. 2003 M.D. (First-Class Honors) (Ramathibodi)
2009 M.S. in Health Informatics (U of MN)
2011 Ph.D. in Health Informatics (U of MN)
• Faculty of Medicine Ramathibodi Hospital
Mahidol University
o Deputy Dean for Operations
o Lecturer, Department of Clinical Epidemiology
& Biostatistics
nawanan.the@mahidol.ac.th
SlideShare.net/Nawanan
Facebook.com/NawananT
Line ID: NawananT
Introduction
16. National Healthcare’s Worst Nightmare
https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most
17. Ransomware Attack in Thai Hospitals
https://www.facebook.com/SaraburiHospital/photos/a.2559294237478100/4366815263392646/
18. Sources of the Threats
▪ Hackers
▪ Viruses & malware
▪ Poorly-designed systems
▪ Insiders (employees)
▪ People’s ignorance & lack of knowledge
▪ Disasters & other incidents affecting information systems
19. Consequences of Security Attacks
▪ Information risks
  ▪ Unauthorized access & disclosure of confidential information
  ▪ Unauthorized addition, deletion, or modification of information
▪ Operational risks
  ▪ System not functional (Denial of Service - DoS)
  ▪ System wrongly operated
▪ Personal risks
  ▪ Identity theft
  ▪ Financial losses
  ▪ Disclosure of information that may affect employment or other personal aspects (e.g. health information)
  ▪ Physical/psychological harms
▪ Organizational risks
  ▪ Financial losses
  ▪ Damage to reputation & trust
  ▪ Etc.
20. Privacy & Security
▪ Privacy: “The ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively.” (Wikipedia)
▪ Security: “The degree of protection to safeguard ... person against danger, damage, loss, and crime.” (Wikipedia)
▪ Information Security: “Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction” (Wikipedia)
23. Examples of Integrity Risks
Web defacements
http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml
24. Examples of Availability Risks
Viruses/worms that led to instability & system restarts (e.g. the Blaster worm)
http://en.wikipedia.org/wiki/Blaster_worm
25. Examples of Availability Risks
Ariane 5 Flight 501 Rocket Launch Failure
http://en.wikipedia.org/wiki/Ariane_5_Flight_501
Cause: a software bug in the inertial reference system. A 64-bit floating-point value (the horizontal velocity bias) was converted to a 16-bit signed integer without a range check; on the larger Ariane 5 trajectory the value exceeded what 16 bits can hold, the conversion raised an exception that nothing handled, and the unit shut down, taking the launcher’s guidance with it. The same conversion had been safe on Ariane 4, whose trajectory never produced such values.
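As an added example (not part of the original slides), the kind of narrowing conversion that failed on Flight 501, written in Python: an unchecked conversion that silently wraps, the same conversion with a range check that fails loudly, and a saturating variant for callers that must keep running. Function names and the sample values are the example's own.

```python
import math
import struct

INT16_MIN, INT16_MAX = -32768, 32767


def unchecked_int16(value: float) -> int:
    """Mimic an unchecked narrowing conversion: truncate toward zero, then keep
    only the low 16 bits, as a C-style cast typically does. (The Ariane 5 code
    was Ada, where the same conversion raised an exception that nobody caught;
    either way the caller does not get the number it expected.)"""
    truncated = int(value)                       # truncation toward zero
    low16 = truncated & 0xFFFF                   # silently drop the high bits
    return struct.unpack("<h", struct.pack("<H", low16))[0]


def checked_int16(value: float) -> int:
    """Narrowing conversion with an explicit range check; fails loudly."""
    if math.isnan(value) or math.isinf(value):
        raise ValueError("cannot convert %r to int16" % value)
    truncated = int(value)
    if not INT16_MIN <= truncated <= INT16_MAX:
        raise OverflowError("%r does not fit in a signed 16-bit integer" % value)
    return truncated


def saturating_int16(value: float) -> int:
    """Conversion that clamps out-of-range input instead of failing.
    Whether clamping is acceptable is an application decision; the point is
    that the failure mode is chosen deliberately rather than left to chance."""
    try:
        return checked_int16(value)
    except OverflowError:
        return INT16_MAX if value > 0 else INT16_MIN
```

The unchecked version turns 40000.0 into -25536, a plausible-looking but wrong number, which is worse than an exception because nothing downstream notices. The lesson from Flight 501 is not "always saturate" but "decide, per value, what out-of-range input means and handle it", and then test with inputs from the new operating envelope.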
29. Personnel Safety Goals: S in SIMPLE
S: Security and Privacy of Information and Social Media
S 1 Security and Privacy of Information
S 2 Social Media and Communication Professionalism
34. Common Security Terms
▪ Attack: an attempt to breach system security
▪ Threat: a potential event or actor that can harm a system
▪ Vulnerability: the weakness (the “hole”) that an attack exploits
35. Class Exercise
▪ Identify some possible means an attacker could use to conduct a security attack
▪ Identify measures to prevent or mitigate the risk of attack
39. Simplified Attack Scenarios (Alice, Server Bob, attacker Eve/Mallory)
At the client (Alice):
- Physical access to the client computer
- Electronic access (e.g. a guessed or stolen password)
- Tricking the user into doing something (malware, phishing & social engineering)
40. Simplified Attack Scenarios (Alice, Server Bob, attacker Eve/Mallory)
On the path between Alice and Bob:
- Intercepting (eavesdropping or “sniffing”) data in transit
- Modifying data (“man-in-the-middle” attacks)
- “Replay” attacks
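The three attacks on this slide have standard countermeasures; the following Python example (added here, not part of the original presentation) shows the integrity and replay side: Alice tags each message with an HMAC over a timestamp, a fresh nonce and the body, and Bob rejects a modified copy, a replayed copy and a stale copy. Eavesdropping is not addressed by this; confidentiality needs encryption of the channel (e.g. TLS). The shared key, the message format and the names seal and Receiver are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed shared key for the example. Real keys come from a key exchange or
# a provisioning step and are never hard-coded in source.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
WINDOW_SECONDS = 30   # how far a message's timestamp may differ from Bob's clock


def _canonical(msg: Dict) -> bytes:
    """Deterministic encoding so both sides authenticate exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, sender: str, body: str, now: int, nonce: Optional[str] = None) -> Dict:
    """Alice's side: attach a timestamp, a fresh nonce and an HMAC-SHA256 tag."""
    msg = {"from": sender, "ts": now, "nonce": nonce or secrets.token_hex(8), "body": body}
    msg["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Bob's side: verify the tag, then reject stale and replayed messages."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces: Set[str] = set()   # nonces older than the window could be evicted

    def accept(self, msg: Dict, now: int) -> Tuple[bool, str]:
        msg = dict(msg)
        tag = msg.pop("tag", "")
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        # compare_digest runs in constant time so the check does not leak the tag
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag (modified in transit or wrong key)"
        if abs(now - msg["ts"]) > WINDOW_SECONDS:
            return False, "stale timestamp"
        if msg["nonce"] in self.seen_nonces:
            return False, "replay (nonce already used)"
        self.seen_nonces.add(msg["nonce"])
        return True, "ok"


def demo():
    """Alice sends once; Mallory tampers, replays, and replays again much later."""
    t = 1_700_000_000
    bob = Receiver(SHARED_KEY)
    original = seal(SHARED_KEY, "alice", "transfer 100 to bob", t, nonce="n1")
    tampered = dict(original, body="transfer 100 to mallory")  # tag no longer matches
    return [
        bob.accept(original, t + 1),      # (True, "ok")
        bob.accept(tampered, t + 2),      # bad tag
        bob.accept(original, t + 3),      # replay
        bob.accept(original, t + 3600),   # stale timestamp
    ]
```

The timestamp bounds how long Bob must remember nonces; without it the seen-nonce set would grow forever, and without the nonce a message inside the window could be replayed freely.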
41. Simplified Attack Scenarios (Alice, Server Bob, attacker Eve/Mallory)
At the server (Bob):
- Unauthorized access to servers through
  - Physical means
  - User accounts & privileges
- Attacks through software vulnerabilities
- Attacks using protocol weaknesses
- DoS / DDoS attacks
42. Safeguarding Against Attacks: Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & business continuity planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
43. Safeguarding Against Attacks: Physical Security
- Protecting physical access to clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposal of storage devices
44. Safeguarding Against Attacks: User Security
- User account management
- Strong password policy (length, complexity, expiry, no dictionary words)
- Principle of least privilege
- “Clear desk, clear screen” policy
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering
45. Safeguarding Against Attacks: System Security
- Antivirus, antispyware, personal firewall, intrusion detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches & fixes for operating system and application vulnerabilities
- Redundancy (avoid a “single point of failure”)
- Honeypots
46. Safeguarding Against Attacks: Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs, performance issues & attacks
- Updates to patch vulnerabilities
47. Safeguarding Against Attacks: Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols (e.g. TLS, SSH) wherever possible
- Encryption of data in transit wherever possible
- Bandwidth monitoring & control
48. Safeguarding Against Attacks: Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases where necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
- Data backups (online vs. offline)
52. User Security
▪ Access control
  ▪ Selective restriction of access to the system
▪ Role-based access control
  ▪ Access control based on the person’s role (rather than identity)
▪ Audit trails
  ▪ Logs/records that provide evidence of a sequence of activities
53. User Security
▪ Identification
  ▪ Stating who you are
  ▪ Usually done by user IDs or some other unique codes
▪ Authentication
  ▪ Confirming that you truly are who you claim to be
  ▪ Usually done by keys, PINs, passwords or biometrics
▪ Authorization
  ▪ Specifying/verifying how much access you have
  ▪ Determined by the system owner’s policy & system configuration
  ▪ “Principle of Least Privilege”: grant only the access a role needs to do its job
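Added example (not from the slides): a small role-based access control check with an audit trail, in Python, covering the access-control, RBAC, audit-trail and least-privilege points of the last two slides. Roles, users and resources are constructed for a hypothetical hospital system; identification and authentication are assumed to have already happened when check() is called.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role model for a hypothetical hospital system. Permissions are
# (action, resource) pairs attached to roles, never to individual users.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "physician":     {("read", "record"), ("write", "record"), ("read", "lab")},
    "nurse":         {("read", "record"), ("read", "lab")},
    "billing_clerk": {("read", "billing"), ("write", "billing")},
    "records_admin": {("delete", "record"), ("read", "audit")},
}


@dataclass
class AuditEvent:
    user: str
    action: str
    resource: str
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    """Authorization for users whose identity has already been authenticated."""
    user_roles: Dict[str, Set[str]]
    audit_trail: List[AuditEvent] = field(default_factory=list)

    def decide(self, user: str, action: str, resource: str) -> Tuple[bool, str]:
        # Default deny: access exists only if some assigned role grants it.
        for role in sorted(self.user_roles.get(user, set())):
            if (action, resource) in ROLE_PERMISSIONS.get(role, set()):
                return True, "granted via role '%s'" % role
        return False, "no assigned role grants (%s, %s)" % (action, resource)

    def check(self, user: str, action: str, resource: str) -> bool:
        """Decide, and record every decision, denied ones included."""
        allowed, reason = self.decide(user, action, resource)
        self.audit_trail.append(AuditEvent(user, action, resource, allowed, reason))
        return allowed

    def denied_attempts(self) -> List[AuditEvent]:
        """Denied attempts are what an investigator looks at first."""
        return [e for e in self.audit_trail if not e.allowed]


def demo() -> Tuple[List[bool], AccessControl]:
    ac = AccessControl({
        "dr_somchai": {"physician"},
        "nurse_ploy": {"nurse"},
        "clerk_nok":  {"billing_clerk"},
    })
    decisions = [
        ac.check("dr_somchai", "write", "record"),   # True
        ac.check("nurse_ploy", "write", "record"),   # False: nurses read, not write
        ac.check("clerk_nok", "read", "record"),     # False: billing has no clinical access
        ac.check("clerk_nok", "delete", "record"),   # False: nobody here holds the admin role
        ac.check("visitor", "read", "record"),       # False: unknown identity, no roles
    ]
    return decisions, ac
```

Two properties matter in practice: the decision is default-deny, so a new user or a typo in a role name yields no access rather than full access, and the audit trail is written for every decision, not only for successes. In a real deployment the trail is append-only storage that the application account cannot modify, and the records_admin role is assigned to a separate identity from the one used for daily clinical work.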
54. User Security
▪ Nonrepudiation
  ▪ Proving the integrity, origin & performer of an activity so that the person cannot later deny their actions
  ▪ Most common form: signatures
  ▪ Electronic signatures offer varying degrees of nonrepudiation
    ▪ PIN/password (can be shared or stolen) vs. biometrics
  ▪ Digital signatures backed by certificates from a public key infrastructure (PKI) are often used to provide nonrepudiation
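Added example (not from the slides) contrasting a MAC with a digital signature in Python. A shared-key HMAC lets Bob check that a message from Alice was not altered, but since Bob holds the same key he could have produced the tag himself, so it proves nothing to a third party. A signature made with a private key only Alice holds can be verified by anyone with her public key, which is the property nonrepudiation needs; the PKI's job is then to vouch for which public key is Alice's. The RSA parameters below are a deliberately tiny toy, and the function and variable names are the example's own.

```python
import hashlib
import hmac
from typing import Dict

# Toy "textbook RSA" key for illustration only. Mersenne primes have a special
# form that makes the modulus trivially factorable, and 150 bits is far too
# small; real systems use RSA-PSS or ECDSA with keys from a proper generator
# and bind the public key to an identity through a PKI certificate.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                               # public exponent (anyone may hold it)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (only the signer holds it)


def _digest_int(message: bytes) -> int:
    # 128 bits of SHA-256, so the integer is always below the toy modulus N.
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, private_exponent: int = D) -> int:
    """Produce a signature only the holder of the private exponent can make."""
    return pow(_digest_int(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Anyone with the public key can check the signature, which is what lets a
    third party (a court, an auditor) attribute the message to the signer."""
    return pow(signature, public_exponent, N) == _digest_int(message)


def mac(message: bytes, key: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def demo() -> Dict[str, bool]:
    order = b"order 10 units of morphine for ward 7"
    sig = sign(order)
    # HMAC: Alice and Bob share the key, so Bob can produce the very same tag;
    # the tag proves integrity between them but not who wrote the message.
    shared = b"key-shared-between-alice-and-bob"
    return {
        "signature_verifies": verify(order, sig),
        "tampered_message_verifies": verify(b"order 100 units of morphine for ward 7", sig),
        "hmac_distinguishes_alice_from_bob": mac(order, shared) != mac(order, shared),
    }
```

The HMAC line is deliberately computed twice with the same key to make the point concrete: the two tags are identical, so a tag alone cannot show which of the two key holders made it. Real signing also needs a padding scheme (PSS or similar) and hashing of the whole message; the toy omits both.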
55. User Security
▪ Multiple-Factor Authentication
  ▪ Two-Factor Authentication
  ▪ Use of several different kinds of means (“factors”) for authentication; two passwords are still only one factor
▪ Types of Authentication Factors
  ▪ Something you know: password, PIN, etc.
  ▪ Something you have: keys, cards, tokens, devices (e.g. mobile phones)
  ▪ Something you are: biometrics
56. Need for Strong Password Policy
So, two informaticians walk into a bar...
The bouncer says, "What's the password."
One says, "Password?"
The bouncer lets them in.
Credits: @RossMartin & AMIA (2012)
57. What’s the Password?
Unknown Internet sources, via http://pikabu.ru/story/interesno_kakoy_zhe_u_nikh_parol_4274737, via the Facebook page “สอนแฮกเว็บแบบแมวๆ” (“Cat-style web hacking lessons”)
59. Recommended Password Policy
▪ Length
  ▪ 8 characters or more (to slow down brute-force attacks)
▪ Complexity (to slow down brute-force attacks)
  ▪ Consists of 3 of the 4 categories of characters:
    ▪ Uppercase letters
    ▪ Lowercase letters
    ▪ Numbers
    ▪ Symbols (excluding symbols that have special uses in the system or that could be used to attack it, e.g. in SQL injection; a system that has to forbid characters such as ' or ; in a password is not handling input safely, and with parameterized queries and hashed storage no such restriction is needed)
▪ No dictionary words (to resist “dictionary attacks”)
▪ No simple patterns (12345678, 11111111) (to slow down brute-force attacks & prevent dictionary attacks)
▪ Not easy to guess (birthday, family names, etc.) (to prevent both strangers and acquaintances from guessing)
Personal opinion. No legal responsibility assumed.
60. Recommended Password Policy
▪ Expiration (limits how long a stolen or slowly cracked password stays useful; it does not make brute-force attacks impossible)
  ▪ 6-8 months
  ▪ Decreasing over time because of increasing computer speed
  ▪ But be careful! Too short a duration will force users to write passwords down. Current NIST guidance (SP 800-63B) goes further and advises against forced periodic changes unless there is evidence of compromise.
▪ Secure password storage in the database or system: store only salted, slow password hashes (e.g. bcrypt, scrypt, Argon2 or PBKDF2), never plaintext or reversibly encrypted passwords
▪ Secure password confirmation
▪ Secure “forgot password” policy
▪ A different password for each account. Create variations to help remember (or, better, use a password manager). If not possible, have different sets of accounts for differing security needs (e.g., bank accounts vs. social media sites)
62. Techniques to Remember Passwords
▪ http://www.wikihow.com/Create-a-Password-You-Can-Remember
▪ Note that some of the techniques are less secure!
▪ One easy & secure way: password mnemonic
▪ Think of a full sentence that you can remember
▪ Ideally the sentence should have 8 or more words, with numbers and symbols
▪ Use the first character of each word as the password
▪ Sentence: I love reading all 7 Harry Potter books!
▪ Password: Ilra7HPb!
▪ Voila!
Personal opinion. No legal responsibility assumed.
65. Dear mail.mahidol.ac.th Email Account User,
We wrote to you on 11th January 2010 advising that you change the password on
your account in order to prevent any unauthorised account access following
the network instruction we previously communicated.
all Mailhub systems will undergo regularly scheduled maintenance. Access
to your e-mail via the Webmail client will be unavailable for some time
during this maintenance period. We are currently upgrading our data base
and e-mail account center i.e homepage view. We shall be deleting old
[https://mail.mahidol.ac.th/l accounts which are no longer active to create
more space for new accountsusers. we have also investigated a system wide
security audit to improve and enhance
our current security.
In order to continue using our services you are require to update and
re-comfirmed your email account details as requested below. To complete
your account re-comfirmation,you must reply to this email immediately and
enter your account
details as requested below.
Username :
Password :
Date of Birth:
Future Password :
Social Engineering Examples
Real social-engineering e-mail received by Speaker
74. ▪ Poor grammar
▪ Lots of typos
▪ Trying very hard to convince you to open an attachment, click on a link, or reply, without giving enough detail
▪ May appear to be from a known person (relies on trust & innocence)
Signs of a Phishing Attack
75. ▪ Don’t be too trusting of people
▪ Always be suspicious & alert
▪ An e-mail with your friend’s name & info doesn’t have to come from him/her
▪ Look for signs of phishing attacks
▪ Don’t open attachments unless you expect them
▪ Scan for viruses before opening attachments
▪ Don’t click links in e-mail. Type known & trusted URLs directly into the browser
▪ Be especially cautious if asked for passwords, bank accounts, credit card numbers, social security numbers, etc.
Ways to Protect against Phishing
78. ▪ Virus
▪ Propagating malware that requires user action to propagate
▪ Infects executable files, data files with executable contents (e.g. macros), boot sectors
▪ Worm
▪ Self-propagating malware
▪ Trojan
▪ A legitimate program with additional, hidden functionality
Malware
79. ▪ Spyware
▪ Trojan that spies for & steals personal information
▪ Logic Bomb/Time Bomb
▪ Malware that triggers under certain conditions
▪ Backdoor/Trapdoor
▪ A hole left behind by malware for future access
Malware
80. ▪ Rogue Antispyware
▪ Software that tricks or forces users to pay before fixing the (real or hoax) spyware it claims to have detected
▪ Rootkit
▪ A stealth program designed to hide the existence of certain processes or programs from detection
▪ Botnet
▪ A collection of compromised Internet-connected computers (bots) that the botnet’s controller can use for some purpose (e.g. DDoS attacks)
Malware
81. ▪ Installed & updated antivirus, antispyware, & personal firewall
▪ Check for known signatures
▪ Check for improper file changes (integrity failures)
▪ Check for generic patterns of malware (for unknown malware): “heuristic scan”
▪ Firewall: block certain network traffic in and out
▪ Sandboxing
▪ Network monitoring & containment
▪ User education
▪ Software patches, more secure protocols
Defense Against Malware
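The three detection checks on this slide (known signatures, integrity failures, a heuristic for unknown malware) in miniature; an added example, not from the original slides or any antivirus product. The in-memory “filesystem” and the signature database are constructed stand-ins (assumptions).

```python
import hashlib

# Constructed in-memory "filesystem" {path: contents} so the example runs offline
# (assumption); a real checker would walk the disk and read each file.
BASELINE_FILES = {
    "/app/bin/server": b"MZ\x90\x00 constructed program image",
    "/app/conf/app.cfg": b"debug=false\n",
}
# Constructed byte-signature database (assumption), standing in for real AV signatures.
SIGNATURES = {"demo-marker": b"X5O!DEMO-MARKER"}
DATA_EXTENSIONS = (".txt", ".cfg", ".csv")


def make_baseline(files: dict) -> dict:
    """Record a SHA-256 per file while the system is known good."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(baseline: dict, files: dict) -> dict:
    """Improper file changes: anything modified, added or missing since the baseline."""
    report = {"modified": [], "added": [], "missing": []}
    for path, data in files.items():
        if path not in baseline:
            report["added"].append(path)
        elif hashlib.sha256(data).hexdigest() != baseline[path]:
            report["modified"].append(path)
    report["missing"] = [path for path in baseline if path not in files]
    return report


def scan_signatures(files: dict, signatures: dict = SIGNATURES) -> list:
    """Known-signature check: report (path, signature name) for every byte-pattern hit."""
    return [(path, name) for path, data in files.items()
            for name, sig in signatures.items() if sig in data]


def scan_heuristics(files: dict) -> list:
    """Generic-pattern check for unknown malware: a 'data' file that starts with a
    Windows executable header (MZ) is suspicious even with no signature match."""
    return [(path, "executable header in data file") for path, data in files.items()
            if path.endswith(DATA_EXTENSIONS) and data.startswith(b"MZ")]
```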
82. ▪ Social media spams/scams/clickjacking
▪ Social media privacy issues
▪ User privacy settings
▪ Location services
▪ Mobile device malware & other privacy risks
▪ Stuxnet (advanced malware targeting certain
countries)
▪ Advanced persistent threats (APT) by
governments & corporations against specific
targets
Newer Threats
98. ▪ The most common cause of security bugs is invalid programming assumptions, which attackers look for
▪ Weak input checking
▪ Buffer overflow
▪ Integer overflow
▪ Race condition (Time of Check / Time of Use vulnerabilities)
▪ Running programs in new environments
Software Security
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
99. ▪ Defense in Depth
▪ Multiple layers of security defense are placed throughout a system to provide redundancy in the event a security control fails
▪ Secure the weakest link
▪ Promote privacy
▪ Trust no one
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
100. ▪ Modular design
▪ Check error conditions on return values
▪ Validate inputs (whitelist vs. blacklist)
▪ Avoid infinite loops, memory leaks
▪ Check for integer overflows
▪ Language/library choices
▪ Development processes
Secure Software Best Practices
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
101. ▪ Consider a log-in form on a web page
▪ Source code would look something like this:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
▪ Attacker would enter as username:
' or '1'='1
▪ Which leads to this always-true query:
statement = "SELECT * FROM users WHERE name = '" + "' or '1'='1" + "';"
statement = "SELECT * FROM users WHERE name = '' or '1'='1';"
Example of Weak Input Checking: SQL Injection
http://en.wikipedia.org/wiki/SQL_injection
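The slide’s weak-input-checking query run against a real database, beside the two fixes from slide 100 (bound parameters, and whitelist rather than blacklist validation); an added example, not from the original slides. The in-memory users table and the user-name pattern are assumptions.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (assumption) to run the queries against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("somchai", "nurse"), ("admin", "administrator")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> list:
    """The slide's weak input checking: the user's text is concatenated into the SQL,
    so a value such as  ' or '1'='1  becomes part of the query and matches every row."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_name: str) -> list:
    """Fix 1: bind the value as a parameter; the driver passes it as data, never as SQL."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


# Fix 2 (whitelist validation, slide 100): accept only the characters a user name
# may legitimately contain, instead of trying to blacklist quotes and keywords.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def lookup_whitelisted(conn: sqlite3.Connection, user_name: str) -> list:
    """Whitelist check first, then the parameterized query (defense in depth)."""
    if not USERNAME_RE.fullmatch(user_name):
        raise ValueError("user name rejected by whitelist")
    return lookup_parameterized(conn, user_name)


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, payload))     # both rows returned
    print("parameterized: ", lookup_parameterized(db, payload))  # []
```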