Aditro – Our focus benefits yours
Information Security 2016
Tomi Järvinen
Platform Security Specialist
1/23/2017 Copyright © Aditro. All rights reserved.
Agenda
• Information security today
• Information security, actual risks, how breaches happen
• Information security in daily work
• Security in project work & development
• Online security, email & social media
• Traveling safety tips
Security principles
High level information security principles (C-I-A)
• Confidentiality: encryption, authentication, access controls
• Integrity: data validation/checker, quality assurance, audit logs
• Availability: monitoring, BCP/DRP plans and tests, back-up, fault tolerant storage, sufficient capacity
[Figure: threat illustrations labelled DDoS, leak, intrusion]
Today's risks
» ISF Security Forum: 2016 - innovative and sophisticated attacks. Targeted campaigns with 0-day vulnerabilities
» Fake login pages
» DoS (DDoS)
» Encrypting the organization
» Phishing has been successful and profitable for criminals
» Attacks on payment card data
» Future? Jailbreaking the cloud? (e.g. malware built to crack cloud-based systems)
» IoT: light bulbs, surveillance cameras
» http://motherboard.vice.com/read/15-million-connected-cameras-ddos-botnet-brian-krebs
» http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/
Not just media hype
https://haveibeenpwned.com/
http://www.privacyrights.org/data-breach
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
Search on privacyrights.org (USA only source; GDPR will change this):
Breach Type: CARD, HACK, INSD, PHYS, PORT, STAT, DISC, UNKN
Organization Type: Business, Financial, Government
Year(s) of Breach: 2016, 2015, 2014
RESULT: Breaches made public fitting these criteria: 440; Records lost total: 154,492,525
[Screenshot: underground forum advert, "RDP For Sale!", offering a working admin account to a high profile web server, full access, possible test period]
Closer look at typical cases
”Hacked account”
Type: High-privilege account credentials leaked
Risk: A third party has full control of an administrator-level account; through the O365 mailbox also all information about systems, links to servers, SharePoint, etc.
How can this happen?
Examples: ”Urgent Paypal error! Respond soon”, ”Mailbox full, click to avoid account termination…”
Recognize malicious mail; be aware if:
1. Request about account / password
2. Something strange in sender/receiver
3. Language, typos
4. Link is http, not https
5. Threat about something (if not done, account closed…)
6. Hurry (request to act within 12, 24, 36, 48 h)
7. Attachments
8. Zip attachments
9. Link to a file on the web
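The nine warning signs above can be turned into a simple triage heuristic. The following is an added example written for this page, not Aditro tooling; sign 3 (language, typos) is left to the human reader, and the three sample messages are constructed with reserved .example domains.

```python
"""Heuristic check of an email against the nine warning signs listed
above (account/password request, odd sender, http link, threat, hurry,
attachments, zip, link to a file).  Added example, not Aditro tooling;
sign 3 (language, typos) is left to the human reader.  The sample
messages at the bottom are constructed for this example."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ANGLE_ADDR_RE = re.compile(r"<([^>]+)>")
FILE_EXTS = (".exe", ".zip", ".rar", ".7z", ".js", ".scr", ".docm", ".xlsm")
ACCOUNT_RE = re.compile(r"\b(password|credentials|verify your account|"
                        r"confirm your account|login details)\b")
THREAT_RE = re.compile(r"\b(account (will be )?(closed|suspended|terminated|"
                       r"locked)|termination|legal action)\b")
HURRY_RE = re.compile(r"\b(urgent|immediately|within \d+ ?(h|hours)|\d+ ?hours?)\b")


def mailbox_domain(header):
    """Domain of the actual mailbox in 'Name <user@host>' or 'user@host'."""
    m = ANGLE_ADDR_RE.search(header)
    mailbox = m.group(1) if m else header
    return mailbox.rsplit("@", 1)[-1].strip().lower()


def display_name_domain(header):
    """If the display name itself contains an address (a common trick:
    'it@company.example <x@other.example>'), return that domain."""
    m = re.match(r'\s*"?([^"<]+?)"?\s*<', header)
    if m and "@" in m.group(1):
        return m.group(1).rsplit("@", 1)[-1].strip().lower()
    return None


def phishing_indicators(msg):
    """Return the names of the warning signs triggered by one message.

    msg: dict with keys from, reply_to (optional), subject, body,
    attachments (list of file names)."""
    hits = []
    body = msg.get("body", "")
    text = (msg.get("subject", "") + "\n" + body).lower()
    sender = msg.get("from", "")
    links = URL_RE.findall(body)
    attachments = [a.lower() for a in msg.get("attachments", [])]

    if ACCOUNT_RE.search(text):                      # 1. account / password
        hits.append("account_or_password_request")
    reply_to = msg.get("reply_to")                   # 2. strange sender/receiver
    if reply_to and mailbox_domain(reply_to) != mailbox_domain(sender):
        hits.append("reply_to_domain_differs")
    shown = display_name_domain(sender)
    if shown and shown != mailbox_domain(sender):
        hits.append("display_name_domain_mismatch")
    if any(urlparse(u).scheme.lower() == "http" for u in links):
        hits.append("http_link")                     # 4. http, not https
    if THREAT_RE.search(text):                       # 5. threat
        hits.append("threat")
    if HURRY_RE.search(text):                        # 6. hurry
        hits.append("urgency")
    if attachments:                                  # 7. attachments
        hits.append("attachment")
    if any(a.endswith((".zip", ".rar", ".7z")) for a in attachments):
        hits.append("archive_attachment")            # 8. zip attachments
    if any(urlparse(u).path.lower().endswith(FILE_EXTS) for u in links):
        hits.append("link_to_file")                  # 9. link to a file on the web
    return hits


def risk_level(hits):
    """Coarse triage label: one sign alone is weak evidence, several together are not."""
    if len(hits) >= 4:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"


# Constructed samples (no real addresses or sites)
PHISH = {
    "from": "PayPal Support <support@secure-paypal-help.example>",
    "reply_to": "recover@mailbox-recover.example",
    "subject": "Urgent Paypal error! Respond soon",
    "body": "Your account will be closed within 24 hours unless you verify your "
            "account and confirm your password at http://paypal-verify.example/login.php",
    "attachments": [],
}
QUOTA = {
    "from": "it@company.example <noreply@cheap-hosting.example>",
    "subject": "Mailbox full, click to avoid account termination",
    "body": "Run the attached cleanup tool or download it from "
            "http://webmail-quota.example/cleanup.zip",
    "attachments": ["cleanup.zip"],
}
LEGIT = {
    "from": "Anna Virtanen <anna.virtanen@company.example>",
    "subject": "Minutes from Tuesday's meeting",
    "body": "Hi, the minutes are on the intranet: https://intranet.company.example/minutes/2017-01",
    "attachments": [],
}

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("QUOTA", QUOTA), ("LEGIT", LEGIT)):
        hits = phishing_indicators(m)
        print(f"{name}: {risk_level(hits)} {hits}")
```

The score is only a prompt for a closer look; a legitimate reminder can trip one or two signs, which is why the level rises with the number of signs rather than any single one.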
”Compromised server”
Type: SSH port open, not hardened, server compromised
Risk: A third party has full control of the server; possible data leak from the server, or the server used as a jump point to other infrastructure or for DoS against some other organization
Configurations made in a hurry
Some Linux server tips:
1. Disable remote root access
2. Patch the operating system and third-party applications
3. Limit SSH access, Fail2Ban
4. https://www.cyberciti.biz/tips/linux-security.html
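Tips 1 and 3 can be checked mechanically in sshd_config. Below is an added example (not Aditro's SOP or any project's code) that parses the file the way sshd does and reports the settings that leave root login or unrestricted access open; the two configurations are constructed, and Fail2Ban, being a separate service, is not visible in this file.

```python
"""Audit an sshd_config against the tips above: no remote root login and
limited SSH access (who may log in, how many guesses).  Added example,
not Aditro's SOP; the two configs are constructed.  Fail2Ban is a
separate service and is not visible in this file."""
import re

DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lower: first_value}.

    sshd uses the first value it sees for a keyword, keywords are
    case-insensitive, and everything after the first Match line applies
    only to that match, so parsing stops there."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        key = key.lower()
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def audit_sshd_config(text):
    """Return a list of findings (empty means the checked settings are fine)."""
    cfg = parse_sshd_config(text)
    findings = []
    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set: the default depends on the "
                        "OpenSSH version, set 'no' explicitly")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin {root}: remote root login is possible, set 'no'")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication yes (default): password guessing "
                        "possible, prefer keys")
    if cfg.get("permitemptypasswords", "no").lower() != "no":
        findings.append("PermitEmptyPasswords yes: accounts without a password can log in")
    if not ("allowusers" in cfg or "allowgroups" in cfg):
        findings.append("No AllowUsers/AllowGroups: every local account may log in over SSH")
    try:
        tries = int(cfg.get("maxauthtries", "6"))
    except ValueError:
        tries = 6
    if tries > 3:
        findings.append(f"MaxAuthTries {tries}: many guesses allowed per connection, set 3")
    return findings


# Constructed: a server set up "in a hurry" with shipped defaults
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes   # left on so the first login 'just works'
"""

# Constructed: the same server after applying the tips
HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowGroups sshusers
Match User deploy
    PasswordAuthentication yes    # conditional, does not undo the global 'no'
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sshd_config(text) or ["ok"])
```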
Windows server:
1. Aditro guidelines & SOP
2. CIS Hardening
3. Microsoft RAP
4. Vulnerability scanning
Social engineering combined (phishing & fake site)
Type: Get high-privilege account details and access to a web application
Risk: A third party has full control of the web application; information leak, possible financial damages
Tools: Kali – Social Engineering Toolkit
Attacker motivation

Attacker                             | Motivation               | Goal
Government                           | Financial, influence     | Collecting information
Criminals                            | Financial                | Threats, blackmailing
Commercial organizations             | Financial                | Disturbance of the competitor, collection of information
Insider                              | Self-interest, vengeance | Economic benefits, damage to the organization, revenge
Curious users (external or internal) | Curiosity                | Pressing any buttons and seeing what happens
Hacktivism                           | Power                    | Placing an opponent in a bad light, collecting information
How do security breaches occur?
Agenda
• Information security today
• Information security, actual risks, how breaches happen
• Information security in daily work
• IT infrastructure
• Security in project work & development
• Online security, email & social media
• Traveling safety tips
Defense In Depth (the onion approach)
http://www.techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/
Image: GBizz
Security in projects: development documentation from the security point of view (typical & simplified)
Phases: before development -> development -> implementation

Preparation, feasibility study
• SECURITY requirement specifications, based on:
  • ”Technical features”
  • Organization guidelines
  • OWASP
  • CIS
  • Data content
  • Availability (e.g. fault tolerance)
  • Integrity (e.g. logs)
  • Legal framework (e.g. GDPR)

Project planning
• Project risk management (GDPR – mandatory PIA)
• Project information security, own personnel & external:
  • Access control
  • Tools: up to date, licensed, open source?
  • NDA agreements
  • Firewall openings
  • Badges

Testing
• Application security:
  • Test plan
  • Security requirement / requirement tests
  • Code audit
  • Penetration test

Implementation
• Production security:
  • Security checklist
  • Supply and disposal of material
  • Users and maintenance instructions
  • Description of file

Productization (documentation, support)

Information Security (Confidentiality – Integrity – Availability)
Security inside the application
http://www.guidanceshare.com/wiki (simple)
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project (security in development framework)
Do not trust input:
• Centralized input validation.
• Do not rely on client-side validation.
• Be careful with canonicalization issues.
• Constrain, reject, and sanitize input.
• Validate for type, length, format, and range.
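The list above reads as a checklist; the following added example (not code from the page or any project) shows what a centralized, server-side validation module built on it looks like, with canonicalization done once before any check so that encoded or look-alike input cannot slip past a format rule. The field names, the report directory /srv/reports and the sample inputs are assumptions made for the example.

```python
"""Centralized, server-side input validation following the checklist
above: canonicalize first, then constrain by type, length, format and
range, and reject anything that does not fit.  Added example, not code
from the page or any project; the field names and the report directory
are assumptions, and the sample inputs are constructed."""
import posixpath
import re
import unicodedata
from urllib.parse import unquote


class ValidationError(ValueError):
    """Raised for any rejected input; the message is safe to show the user."""


def canonicalize(value):
    """Bring input into one canonical form before any check runs.

    Percent-decoding is repeated until stable (double-encoded '%252e'
    needs two rounds), Unicode is NFKC-normalised (fullwidth digits become
    ASCII digits), and control characters are rejected outright."""
    if not isinstance(value, str):
        raise ValidationError("expected a string")
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    value = unicodedata.normalize("NFKC", value)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise ValidationError("control characters not allowed")
    return value.strip()


USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{2,31}")
REPORT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(pdf|csv)")
REPORT_DIR = "/srv/reports"   # assumed location of generated reports


def validate_username(raw):
    """Type + length + format: 3-32 chars, starts with a letter."""
    value = canonicalize(raw).lower()
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username: 3-32 chars, letters, digits, '_', '.', '-'")
    return value


def validate_page_size(raw, lo=1, hi=100):
    """Type + range: a positive integer inside an allowed window."""
    value = canonicalize(raw)
    if not re.fullmatch(r"[0-9]+", value):
        raise ValidationError("page size must be a positive integer")
    size = int(value)
    if not lo <= size <= hi:
        raise ValidationError(f"page size must be between {lo} and {hi}")
    return size


def validate_report_name(raw, base=REPORT_DIR):
    """Format + canonicalization: one file name under the report directory.

    Because the check runs after canonicalize(), '..%2F' and '%252e%252e'
    are seen as the path separators they really are."""
    value = canonicalize(raw)
    if "/" in value or "\\" in value or value in ("", ".", ".."):
        raise ValidationError("report name must be a single file name")
    if not REPORT_RE.fullmatch(value):
        raise ValidationError("report name: letters, digits, '_', '-', ending .pdf or .csv")
    full = posixpath.normpath(posixpath.join(base, value))
    if posixpath.dirname(full) != base:          # belt and braces
        raise ValidationError("path escapes the report directory")
    return full


def check(validator, raw):
    """Run one validator and return ('ok', value) or ('rejected', reason)."""
    try:
        return ("ok", validator(raw))
    except ValidationError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed inputs: the first of each group is legitimate
    for validator, raw in [
        (validate_username, "Alice"),
        (validate_username, "../root"),
        (validate_page_size, "\uff11\uff10"),      # fullwidth digits
        (validate_page_size, "500"),
        (validate_report_name, "q1-2017.pdf"),
        (validate_report_name, "..%2Fetc%2Fpasswd"),
        (validate_report_name, "%252e%252e%252fq1.pdf"),
    ]:
        print(validator.__name__, repr(raw), "->", check(validator, raw))
```

Client-side checks can stay for usability, but every request still passes through these functions on the server, which is the point of the "do not rely on client-side validation" item.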
Security in Agile (Scrum, Extreme Programming (XP), DSDM)

Waterfall: Requirements -> Project -> Testing -> Implementation / product in use

Agile: List of needs, ”features” -> Development according to the backlog (for example 5 items/week) -> Product or part of product -> GO/NO GO -> Implementation / product in use

The project team has freedom and responsibility.
Security needs to be inside the process and the “things to do”. E.g. TOOLS:
1. Security user stories
2. Regular risk & security review
3. “Team security responsible” – who calls up reviews?
4. Security workshop, misuse cases / attacker stories
5. Threat modeling
http://www.n4s.fi/2014magazine/article2/assets/guidebook_handbook.pdf
https://technet.microsoft.com/en-us/security/hh855044.aspx - Threat Modeling and Agile Development Practices
Agile security - some highlights
• Security user stories: the customer/business does not know how to ask for security
• Checkpoint: public live data testing; take it into account when prioritizing the backlog (vs. logging implementation, e.g. if there is some data that should not leak)
• Backlog changes between iterations should be done so that if something essential is changing, or a totally new feature / component comes in, a new security risk assessment or reflection is done. The team's expertise plays a big role. (Note! The risk assessment process does not need to be heavy)
• Typically the highest-priority backlog items are not security items; they are prioritised by the Product Owner
Security ”themes” for backlog
• Access control and user management
  • User data model
  • Account lifecycle
  • Access control implementation
• Logging
  • Audit log of security activities
  • Audit log of personal data access
  • Log event separation
  • Protection of log events
  • Standardisation of log events
• Operational environment
  • Platform hardening
  • Network architecture
  • Separate development and production
Security user stories
• Non-functional user stories, like:
  • User: "I want to be protected from unintentionally or accidentally sharing personal information.” -> backlog: “Geolocation information is removed from EXIF metadata unless the user explicitly indicates that they want to share it.”
• Technical user stories, like:
  • The authentication timeout performs at 25 seconds
  • Password entry retry limit is set at 5x
Security backlog items
• Prevent simultaneous connections from the same user/IP
• Prevent the user from uploading files greater than ____
• Use mappings and indexed menus instead of free-form input
• The number of users must be limited
• Log critical operations and the details of initiation
• Consider all input malicious and filter according to the context
• Limit the use of external processes, prefer library calls
• Validate all input to ensure only an allowed (whitelisted) set of characters is processed
https://www.owasp.org/images/c/c6/OWASP_AppSec_Research_2010_Agile_Prod_Sec_Mgmt_by_Vaha-Sipila.pdf
http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf
Misuse cases /Evil user story workshops
Example #1. "As a hacker, I can send
bad data in URLs, so I can access data
and functions for which I'm not
authorized."
Example #2. "As a hacker, I can send
bad data in the content of requests, so I
can access data and functions for which
I'm not authorized."
Example #3. "As a hacker, I can send
bad data in HTTP headers, so I can
access data and functions for which I'm
not authorized."
Example #4. "As a hacker, I can read
and even modify all data that is input and
output by your application."
https://www.owasp.org/index.php/Application_Threat_Modeling
Security in work (C-I-A)
• Take care of work material
  • Make sure that your files are always backed up. Dispose of confidential material in accordance with instructions. Be sure to log out from software and systems.
• Protect your equipment and the environment
  • Make sure that your computer security software is working and updated. Use the password-protected "screen saver". Lock your room and your computer when you leave, even for a short time.
• Be sure about the source of information
  • A message may contain malware or be forged; the name and address of the sender guarantee nothing. Programs should not be installed unless you are sure that they are safe. Do not open a file you are not sure about or whose sender you do not know. Be careful with USB sticks.
• Be accurate in your own work
  • When you send something, say clearly what it is; do not send attachments without first informing the recipient about the coming files. Also keep in mind the so-called hidden data (MS Office metadata). Always be a little suspicious when someone asks for confidential information; verify the person's identity.
http://www.digitalconfidence.com/Hidden-Data-and-Metadata-FAQ.html
Profitable tool for criminals - Email
» To the end user, the biggest threat
» In case of successful phishing: access to the address book, O365, all mail, all work files
» Malicious email:
  » Spam: pharmacies, pornography, gambling (might be legal, just hidden costs in the small print)
  » Scams: financial or emotional benefits, a wide variety of frauds
  » Phishing
  » Malware, malicious links to services
Cornell University, 120 examples collected in 2015:
http://www.it.cornell.edu/security/phishbowl.cfm
What happened? “Urgency, stress, tiredness”
[Figure: phishing email example; the link actually pointed to http://thewatchrun.com/wp-content/themes/twentythirteen/dhl_paket]
Social media
What it offers:
• Ready to use
• Scalable
• No IT help needed
• A service for almost any possible use case
• All possible bells and whistles
• Can be used anywhere
• Free of charge (if your privacy and personal life have no value)
Example: a 500 Mb video, 20 minutes
Questions to ask:
• Where is the data?
• Who gets it?
• Provider employees?
• Network traffic?
• Bottlenecks?
• Privacy policy?
• Privacy: data collection and destruction?
• Terms of service?
• Investigation? (in case of illegal content, data theft, copyright etc.)
• Lock-in?
Social media
• Keep your password / username combination safe in case the worst happens (e.g. serious illness)
  • Material may be financially or for some other reason valuable to others
• Use a different password, and user id, in each service
  • Mnemonic? Software like "KeePass“ http://keepass.info/ for password management
• Keep copies of everything on your own computer
• Account de-activation (mistake, leak, id theft), end of life of the service
• Do not accept all friend requests
• If necessary, clear the browser cache
• The "sure" way to store files securely is encryption
Strong password? Not: Pa5!&rVx!, better “AksuliKivenKalaValeLomaLue”
An 8-character password drawn from 94 different characters vs. 16 characters of just numbers: the same difficulty for a password cracker.
• “Terms of Service; Didn't Read” https://tosdr.org/
• https://blog.kaspersky.com/remember-strong-passwords/6386/ (about entropy and passwords, “disorder”)
• http://resources.infosecinstitute.com/password-security-complexity-vs-length/

Encryption, a secure way to share (for example a file share in a public cloud)
• Email encryption: Aditro TLS by default (encryption depends on the receiver)
• File/folder level encryption: 7-Zip + AES option
  • Create an encrypted package, send it by email or share it using OneDrive, send the password by SMS
• VeraCrypt, a heavier tool, for example for project use. https://veracrypt.codeplex.com/
  • Create a ”container” in a place where every member has access
  • Share the password in a secure way
http://www.northeastern.edu/securenu/sensitive-information-2/how-to-use-7-zip-to-encrypt-files-and-folders/
Keep safe when traveling
• Activate lock-out functions for screen savers – computers with confidential data should be configured to "lock out" after 20 minutes of inactivity. A PC in sleep mode can be hacked easily
• Laptop hard drives should be encrypted; ask the IT Service Desk for more information
• With kiosk PCs, clear the browser cache
• Before travel, write down important contact details: IT service desk, “if device is lost” instructions, operator, credit card contact numbers
• Use VPN; open WLAN is OPEN
• Change your password before travel and while abroad
• Take care of USB sticks; don't take USBs from unknown sources
• Always transport your devices as hand luggage when traveling (e.g. train, ship, bus)
• Make sure that the PIN and protection code are enabled
• Disable Bluetooth if you don't need it
• Be careful when printing and carrying confidential material (or avoid it totally)
Thank You!
Tomi.Jarvinen@aditro.com
https://Twitter.com/tomppaj

Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Tomppa Järvinen
 
Pilvipalvelut ja tietoturva - 24.5.2011
Pilvipalvelut ja tietoturva -  24.5.2011Pilvipalvelut ja tietoturva -  24.5.2011
Pilvipalvelut ja tietoturva - 24.5.2011
Tomppa Järvinen
 
Pilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmastaPilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmastaTomppa Järvinen
 
Service goes accessible_2013_sh
Service goes accessible_2013_shService goes accessible_2013_sh
Service goes accessible_2013_sh
Tomppa Järvinen
 

More from Tomppa Järvinen (11)

Riskienhallinnan koulutus "public"
Riskienhallinnan koulutus "public"Riskienhallinnan koulutus "public"
Riskienhallinnan koulutus "public"
 
Tietoturvaa it kehitykselle 12 2012
Tietoturvaa it kehitykselle 12 2012Tietoturvaa it kehitykselle 12 2012
Tietoturvaa it kehitykselle 12 2012
 
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminenKyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
 
GDPR practical info session for development
GDPR practical info session for developmentGDPR practical info session for development
GDPR practical info session for development
 
Yliopistojen Projekti SIG 2015
Yliopistojen Projekti SIG 2015 Yliopistojen Projekti SIG 2015
Yliopistojen Projekti SIG 2015
 
Pilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Pilvipalvelut Hallitusti käyttöön SaaS & Public CloudPilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Pilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
 
Safe use of cloud - alternative cloud
Safe use of cloud - alternative cloudSafe use of cloud - alternative cloud
Safe use of cloud - alternative cloud
 
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
 
Pilvipalvelut ja tietoturva - 24.5.2011
Pilvipalvelut ja tietoturva -  24.5.2011Pilvipalvelut ja tietoturva -  24.5.2011
Pilvipalvelut ja tietoturva - 24.5.2011
 
Pilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmastaPilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmasta
 
Service goes accessible_2013_sh
Service goes accessible_2013_shService goes accessible_2013_sh
Service goes accessible_2013_sh
 

Recently uploaded

Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
IP ServerOne
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Sebastiano Panichella
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
Howard Spence
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
Vladimir Samoylov
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Sebastiano Panichella
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
gharris9
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
Faculty of Medicine And Health Sciences
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
khadija278284
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Matjaž Lipuš
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
Sebastiano Panichella
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdfSupercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Access Innovations, Inc.
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Orkestra
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
OWASP Beja
 
María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024
eCommerce Institute
 
Media as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern EraMedia as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern Era
faizulhassanfaiz1670
 

Recently uploaded (17)

Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
 
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdfSupercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
 
María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024
 
Media as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern EraMedia as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern Era
 

Information security - what is going on 2016

5. Not just media hype
https://haveibeenpwned.com/
http://www.privacyrights.org/data-breach
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
The Privacy Rights Clearinghouse is a USA-only source (GDPR breach notification will change this in Europe).
Query: Breach Type: CARD, HACK, INSD, PHYS, PORT, STAT, DISC, UNKN; Organization Type: Business, Financial, Government; Year(s) of Breach: 2016, 2015, 2014
Result: breaches made public fitting these criteria: 440; records lost in total: 154,492,525
Underground sales post shown on the slide: "Good day! RDP for sale! Working admin account to a high-profile web server. Possible test period. Full access."
6–8. Closer look at typical cases: "Hacked account"
Type: high-privilege account credentials leaked
Risk: a third party has full control of an administrator-level account; through the O365 mailbox they also get all information about systems, links to servers, SharePoint, etc.
How can this happen? Typical lures: "Urgent PayPal error! Respond soon", "Mailbox full, click to avoid account termination…"
Recognise malicious mail; be suspicious if you see:
1. A request about an account or password
2. Something strange in the sender or receiver
3. Odd language, typos
4. Links that are http, not https
5. A threat ("if not, the account will be closed…")
6. Hurry (a request to act within 12, 24, 36 or 48 h)
7. Attachments
8. Zip attachments
9. A link to a file on the web
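The nine indicators above can be checked mechanically before a mail reaches a user. The following is an added example, not code from the slides or from Aditro: it parses a raw RFC 822 message with Python's standard `email` package and reports which indicators are present. Both messages, the sender domains and the threshold of three indicators are constructed assumptions for the demo; the display-name check (brand in the name must appear in the sender's domain) is a heuristic, not a rule from the slide.

```python
# Added example (not from the slides): score a raw e-mail against the nine
# "recognise malicious mail" indicators. Both messages are constructed
# samples; the threshold of 3 indicators is an assumption.
import re
from email import message_from_string
from email.utils import parseaddr

CREDENTIALS = re.compile(r"\b(password|passcode|credentials?|verify your account|log ?in)\b", re.I)
HTTP_LINK = re.compile(r"\bhttp://[^\s\"'>]+", re.I)   # plain http, not https
THREAT = re.compile(r"\b(terminat|suspend|locked|disabled|closed|account will be)", re.I)
HURRY = re.compile(r"\b(urgent|immediately|act now|within\s*(12|24|36|48)\s*h(ours)?)\b", re.I)
WEB_FILE = re.compile(r"https?://\S+\.(zip|exe|scr|js|docm?|xlsm?|pdf)\b", re.I)

# Constructed phishing sample: lookalike domain, mismatched Reply-To,
# http link, threat, deadline and a zip attachment.
SAMPLE = """From: PayPal Service <service@paypa1-secure.example>
Reply-To: helpdesk@mail-recovery.example
To: employee@aditro.example
Subject: Urgent PayPal error! Respond soon
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your account password must be verified within 24h or the account will be
terminated. Confirm here: http://paypa1-secure.example/verify
--XYZ
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed legitimate sample for contrast.
LEGIT = """From: Aditro IT Service Desk <servicedesk@aditro.example>
To: employee@aditro.example
Subject: Planned maintenance on Saturday
Content-Type: text/plain; charset="utf-8"

The file server will be offline on Saturday 08:00-10:00 for patching.
Details: https://intranet.aditro.example/maintenance
"""

def body_text(msg):
    """Concatenate the text parts of a message, skipping attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def phishing_indicators(raw):
    """Return the slide indicators found in a raw message, in slide order."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    found = []
    if CREDENTIALS.search(text):
        found.append("1. asks about account/password")
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        found.append("2. Reply-To domain differs from From domain")
    # Heuristic: the brand in the display name should appear in the sender domain.
    if from_name and from_domain and from_name.split()[0].lower() not in from_domain:
        found.append(f"2. display name '{from_name}' does not match domain {from_domain}")
    if HTTP_LINK.search(text):
        found.append("4. link is http, not https")
    if THREAT.search(text):
        found.append("5. threatens closure/termination")
    if HURRY.search(text):
        found.append("6. demands hurry")
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if attachments:
        found.append("7. has attachments")
    if any(a.lower().endswith(".zip") for a in attachments):
        found.append("8. zip attachment")
    if WEB_FILE.search(text):
        found.append("9. link to a file on the web")
    return found

def is_suspicious(raw, threshold=3):
    """Assumed policy: three or more indicators is enough to quarantine."""
    return len(phishing_indicators(raw)) >= threshold

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("LEGIT", LEGIT)):
        print(name, is_suspicious(raw), phishing_indicators(raw))
```

Indicator 3 (odd language) is deliberately left to the human reader; the script only catches what can be checked structurally, which is why a single hit should never block a mail on its own.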
9–11. Closer look at typical cases: "Compromised server"
Type: SSH port open, server not hardened ("configurations in a hurry"), server compromised
Risk: a third party has full control of the server; possible data leak from the server, use of the server as a jump point into other infrastructure, or DoS against some other organisation
Some Linux server tips:
1. Disable remote root access
2. Patch the operating system and third-party applications
3. Limit SSH access; use Fail2Ban
4. https://www.cyberciti.biz/tips/linux-security.html
Windows server:
1. Aditro guidelines & SOP
2. CIS hardening
3. Microsoft RAP
4. Vulnerability scanning
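Tips 1 and 3 can be verified from `sshd_config` itself. The following is an added example, not code from the slides or Aditro's SOP: it parses a config and lists what a "configured in a hurry" server gets wrong. Two details matter in practice and are built in: OpenSSH uses the first value it sees for a keyword (a later `PermitRootLogin no` does not override an earlier `yes`), and settings after a `Match` line are conditional, so the audit stops there. Both config samples are constructed, and the `MaxAuthTries` limit of 4 is an assumed policy value.

```python
# Added example (not from the slides): audit an sshd_config against the
# "disable remote root access" and "limit SSH access" tips. The config
# samples are constructed; the MaxAuthTries threshold of 4 is an assumption.
import re

# sshd defaults applied when a keyword is absent (OpenSSH 7.x and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Constructed: the "configurations in a hurry" server.
WEAK = """# set up quickly for a demo
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
"""

# Constructed: hardened. The second PermitRootLogin line is ignored by sshd
# because the first value wins; the Match block only applies to one user.
HARDENED = """Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
AllowGroups ssh-users
# leftover line: has no effect, first value wins
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

# "Keyword value" or "Keyword=value"; both forms are accepted by sshd.
KEYVAL = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$")

def parse_sshd_config(text):
    """Return the effective global settings (first value wins, stop at Match)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text, max_auth_tries=4):
    """List hardening findings; an empty list means the checks passed."""
    s = parse_sshd_config(text)
    get = lambda k: s.get(k, DEFAULTS.get(k, "")).lower()
    findings = []
    if get("permitrootlogin") != "no":   # prohibit-password still lets root in with a key
        findings.append(f"PermitRootLogin is '{get('permitrootlogin')}': set it to 'no'")
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: use keys, and at least Fail2Ban")
    if get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: SSH access is not limited")
    if int(get("maxauthtries")) > max_auth_tries:
        findings.append(f"MaxAuthTries {get('maxauthtries')}: lower it to {max_auth_tries} or less")
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_sshd_config(cfg) or "OK")
```

On a live host, feed it the output of `sshd -T` instead of the file: that prints the effective values after all includes, so the parser's first-value and `Match` handling is done by sshd itself.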
12–14. Closer look at typical cases: social engineering combined (phishing & fake site)
Type: obtain high-privilege account details and access to a web application
Risk: a third party has full control of the web application; information leak; possible financial damage
Tools: Kali – Social-Engineer Toolkit (SET)
15. Attacker motivation (slide dated 12.06.2014)
Attacker                             | Motivation               | Goal
Government                           | Financial, influence     | Collecting information
Criminals                            | Financial                | Threats, blackmailing
Commercial organizations             | Financial                | Disturbing the competitor; collecting information
Insider                              | Self-interest, vengeance | Economic benefit; damage to the organization; revenge
Curious users (external or internal) | Curiosity                | Pressing any buttons and seeing what happens
Hacktivism                           | Power                    | Placing an opponent in a bad light; collecting information
16. How do security breaches occur? (diagram only on the slide)
17. Agenda
• Information security today
• Information security, actual risks, how breaches happen
• Information security in daily work
• IT infrastructure
• Security in project work & development
• Online security, email & social media
• Travelling safety tips
18. Defense in depth (the onion approach)
http://www.techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/
Image: GBizz
19. Security in project development: documentation from a security point of view (typical & simplified)
Phases: before development (preparation, feasibility study, project planning) → development → testing → implementation → productization (documentation, support). Information security (confidentiality – integrity – availability) applies across all phases.
Security requirement specifications, based on:
• "Technical features"
• Organization guidelines
• OWASP
• CIS
• Data content
• Availability (e.g. fault tolerance)
• Integrity (e.g. logs)
• Legal framework (e.g. GDPR)
Project risk management (GDPR makes a PIA/DPIA mandatory for high-risk processing)
Project information security, own personnel & external:
• Access control
• Tools: up to date, licensed, open source?
• NDA agreements
• Firewall openings
• Badges
Application security:
• Test plan
• Security requirement tests
• Code audit
• Penetration test
Production security:
• Security checklist
• Supply and disposal of material
• User and maintenance instructions
• Description of the data file
20. Security inside the application
http://www.guidanceshare.com/wiki (simple)
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project (security in a development framework)
Do not trust input:
• Centralize input validation.
• Do not rely on client-side validation.
• Be careful with canonicalization issues.
• Constrain, reject, and sanitize input.
• Validate for type, length, format, and range.
21. Security in Agile (Scrum, Extreme Programming (XP), DSDM)
Waterfall: requirements → project → testing → implementation / product in use.
Agile: list of needs ("features") → development according to the backlog, for example 5 items/week → product or part of product, GO/NO GO → implementation / product in use. The project team has freedom and responsibility.
Security needs to be inside the process and the "things to do". E.g. tools:
1. Security user stories
2. Regular risk & security review
3. "Team security responsible": who calls up the reviews?
4. Security workshop, misuse cases / attacker stories
5. Threat modeling
http://www.n4s.fi/2014magazine/article2/assets/guidebook_handbook.pdf
https://technet.microsoft.com/en-us/security/hh855044.aspx (Threat Modeling and Agile Development Practices)
22. Agile security: some highlights
• Security user stories: the customer/business does not know how to ask for security.
• Checkpoint: testing with public/live data; take it into account when prioritizing the backlog (vs. the logging implementation, e.g. if there is data that must not leak).
• Backlog changes between iterations: if something essential changes or a totally new feature/component arrives, a new security risk assessment or reflection should be done. The team's expertise plays a big role. (Note: the risk assessment process does not need to be heavy.)
• Typically the highest-priority backlog items are not security items; priorities are set by the Product Owner.
23. Security "themes" for the backlog
• Access control and user management
  • User data model
  • Account lifecycle
  • Access control implementation
• Logging
  • Audit log of security activities
  • Audit log of personal data access
  • Log event separation
  • Protection of log events
  • Standardisation of log events
• Operational environment
  • Platform hardening
  • Network architecture
  • Separate development and production
24. Security user stories
• Non-functional user stories, like:
  • User: "I want to be protected from unintentionally or accidentally sharing personal information." -> backlog: "Geolocation information is removed from EXIF metadata unless the user explicitly indicates they want to share it."
• Technical user stories, like:
  • Authentication times out after 25 seconds
  • Password entry is limited to 5 retries
25. Security backlog items
• Prevent simultaneous connections from the same user/IP
• Prevent users from uploading files greater than ____
• Use mappings and indexed menus instead of free-form input
• The number of users must be limited
• Log critical operations and the details of their initiation
• Consider all input malicious and filter it according to the context
• Limit the use of external processes; prefer library calls
• Validate all input to ensure only an allowed (whitelisted) set of characters is processed
https://www.owasp.org/images/c/c6/OWASP_AppSec_Research_2010_Agile_Prod_Sec_Mgmt_by_Vaha-Sipila.pdf
http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf
26. Misuse cases / evil user story workshops
Example #1: "As a hacker, I can send bad data in URLs, so I can access data and functions for which I'm not authorized."
Example #2: "As a hacker, I can send bad data in the content of requests, so I can access data and functions for which I'm not authorized."
Example #3: "As a hacker, I can send bad data in HTTP headers, so I can access data and functions for which I'm not authorized."
Example #4: "As a hacker, I can read and even modify all data that is input and output by your application."
https://www.owasp.org/index.php/Application_Threat_Modeling
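The "do not trust input" rules on slide 20, the "mappings and indexed menus instead of free-form input" and whitelist items on slide 25, and evil user story #1 above all meet in one place: a parameter that selects a file. The following is an added example, not code from the slides: a report-download handler in its "before" form (free-form filename, decoded twice, the classic canonicalization bug) next to a centralized validator that canonicalizes once, then checks type, length, format and range, and finally looks the value up in a server-side mapping so the client never names a file. The base directory, the report names and the rejection of anything still percent-encoded after one decode are constructed assumptions for the demo.

```python
# Added example (not the slides' code): one centralized validator implementing
# "constrain, reject, sanitize; validate type, length, format, range" plus an
# indexed menu instead of free-form input. BASE_DIR and REPORTS are constructed.
import os
import re
import unicodedata
from urllib.parse import unquote

BASE_DIR = os.path.realpath("/srv/reports")              # assumed document root
REPORTS = {1: "q1.pdf", 2: "q2.pdf", 3: "annual.pdf"}     # indexed menu, server side

class InvalidInput(ValueError):
    """Single rejection path: the caller maps it to HTTP 400, nothing else."""

def canonicalize(raw):
    """Decode exactly once, normalise Unicode (fullwidth digits become ASCII),
    then refuse anything that is still encoded or carries a NUL byte."""
    if not isinstance(raw, str):
        raise InvalidInput("type")
    value = unicodedata.normalize("NFKC", unquote(raw))
    if "%" in value or "\x00" in value:
        raise InvalidInput("still encoded or contains NUL after one decode")
    return value

def validate(raw, *, max_len, pattern, lo=None, hi=None):
    """Constrain by length, then format (whitelist regex), then numeric range."""
    value = canonicalize(raw)
    if len(value) > max_len:
        raise InvalidInput("length")
    if not re.fullmatch(pattern, value):
        raise InvalidInput("format")
    if lo is not None:
        n = int(value)
        if not lo <= n <= hi:
            raise InvalidInput("range")
        return n
    return value

def report_path_unsafe(filename):
    """The 'before' picture (deliberately vulnerable): trusts a free-form file
    name and decodes it a second time, so '..%252F' becomes '../' and the
    request walks out of BASE_DIR."""
    return os.path.join(BASE_DIR, unquote(unquote(filename)))

def report_path(report_id):
    """The 'after' picture: the client sends an index, the server owns the name."""
    n = validate(report_id, max_len=3, pattern=r"[0-9]{1,3}", lo=1, hi=len(REPORTS))
    path = os.path.realpath(os.path.join(BASE_DIR, REPORTS[n]))
    if not path.startswith(BASE_DIR + os.sep):   # defence in depth, should never fire
        raise InvalidInput("path escapes base directory")
    return path

if __name__ == "__main__":
    print("unsafe:", os.path.realpath(report_path_unsafe("..%252F..%252Fetc%252Fpasswd")))
    for candidate in ("2", "\uff12", "%32", "0", "4", "../q1.pdf", "%2532", "2\x00"):
        try:
            print(repr(candidate), "->", report_path(candidate))
        except InvalidInput as e:
            print(repr(candidate), "-> rejected:", e)
```

Note what the indexed menu buys beyond the regex: even if the whitelist were wrong, the client-supplied value is only ever used as a dictionary key, so there is no string from the request in the file path at all.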
27. Security in work (C-I-A)
• Take care of work material: make sure that your files are always backed up. Dispose of confidential material in accordance with instructions. Be sure to log out from software and systems.
• Protect your equipment and the environment: make sure that your computer's security software is working and updated. Use the password-protected screen saver. Lock your room and your computer when you leave, even for a short time.
• Be sure about the source of information: a message may contain malware or be forged; the name and address of the sender guarantee nothing. Do not install programs unless you are sure they are safe. Do not open a file if you are not sure about it or do not know who sent it. Be careful with USB sticks.
• Be accurate in your own work: when you send something, say clearly what it is, and do not send attachments without first informing the recipient that files are coming. Also keep in mind so-called hidden data (MS Office metadata). Always be a little suspicious when someone asks for confidential information; verify the person's identity.
http://www.digitalconfidence.com/Hidden-Data-and-Metadata-FAQ.html
28. A profitable tool for criminals: email
» For the end user, the biggest threat
» In case of successful phishing: access to the address book, O365, all mail, all work files
» Malicious email:
  » Spam: pharmacies, pornography, gambling (might be legal, just hidden costs in the small print)
  » Scams: financial or emotional "benefits", a wide variety of frauds
  » Phishing
  » Malware, malicious links to services
Cornell University, 120 examples collected in 2015: http://www.it.cornell.edu/security/phishbowl.cfm
Example on the slide: a "DHL parcel" link that actually pointed to http://thewatchrun.com/wp-content/themes/twentythirteen/dhl_paket. What happened? Urgency, stress, tiredness.
29. Social media
What it offers:
• Ready to use
• Scalable
• No IT help needed
• A service for almost any possible use case
• All possible bells and whistles
• Can be used anywhere
• Free of charge (if your privacy and personal life have no value)
(Example: a 500 MB video, 20 minutes.)
What to ask:
• Where is the data?
• Who gets it? Provider employees?
• Network traffic? Bottlenecks?
• Privacy policy? Personal data collection and destruction?
• Terms of service?
• Investigation? (in case of illegal content, data theft, copyright, etc.)
• Lock-in?
30. Social media
• Keep your password/username combination safe for the worst case (e.g. serious illness); the material may be financially or otherwise valuable to others
• Use a different password, and user id, in each service. A mnemonic? Software like KeePass (http://keepass.info/) for password management
• Keep copies of everything on your own computer
• Account de-activation (mistake, leak, id theft), end of life of the service
• Do not accept all friend requests
• If necessary, clear the browser cache
• The "sure" way to store files securely is encryption
Strong password? Not "Pa5!&rVx!" but rather "AksuliKivenKalaValeLomaLue". An 8-character password drawn from 94 different characters and a 16-character password of digits only are about equally hard for a password cracker.
• "Terms of Service; Didn't Read": https://tosdr.org/
• https://blog.kaspersky.com/remember-strong-passwords/6386/ (about entropy and passwords, "disorder")
• http://resources.infosecinstitute.com/password-security-complexity-vs-length/
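The "about equally hard" claim is a statement about search space, and it is worth seeing the numbers, including the pessimistic case the slide does not spell out: what the passphrase is worth if the attacker knows it is made of dictionary words. The following is an added example, not from the slides: it computes the bit strength of each case under the attacker model that applies to it. The 10,000-word list size and the 10^10 guesses per second rate are assumptions.

```python
# Added example (not from the slides): the arithmetic behind "8 characters
# from 94 symbols vs 16 digits: same difficulty", and what the passphrase
# "AksuliKivenKalaValeLomaLue" (6 Finnish words, 26 letters) buys.
# Word-list size and guess rate are assumptions.
import math

def brute_force_bits(alphabet_size, length):
    """Search space when the attacker knows only the alphabet and the length."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count, wordlist_size):
    """Search space when the attacker knows the words come from a given list
    (the honest, pessimistic model for a passphrase)."""
    return word_count * math.log2(wordlist_size)

def years_to_crack(bits, guesses_per_second=1e10):
    """Expected time: on average half the space is searched before a hit.
    1e10 guesses/s is an assumed fast offline rate, not a measurement."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)

def about_equal(bits_a, bits_b, tolerance_bits=1.0):
    """Within one bit means within a factor of two in cracking time."""
    return abs(bits_a - bits_b) <= tolerance_bits

def strength_report():
    """The slide's cases, in bits; higher is slower to crack."""
    return {
        "8x94":             brute_force_bits(94, 8),    # "Pa5!&rVx!"-style, 8 chars
        "16x10":            brute_force_bits(10, 16),   # 16 digits only
        "passphrase_brute": brute_force_bits(52, 26),   # 26 upper/lower letters, attacker ignorant
        "passphrase_words": passphrase_bits(6, 10_000), # attacker knows: 6 words, 10k-word list
    }

if __name__ == "__main__":
    for name, bits in strength_report().items():
        print(f"{name:17s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years at 1e10/s")
```

Two things the table shows: the first two cases really are within one bit of each other, so "complex" versus "long and simple" is a wash at that size, and the passphrase still has roughly 27 bits (a factor of about 10^8) on both even when the attacker knows exactly how it was built. The brute-force figure for the passphrase is the one marketing quotes; the word-list figure is the one to design for.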
31. Encryption: a secure way to share (for example a file share in a public cloud)
• Email encryption: Aditro uses TLS by default (whether the mail is actually encrypted depends on the receiver)
• File/folder-level encryption: 7-Zip with the AES option
  • Create an encrypted package, send it by email or share it using OneDrive, and send the password by SMS
• VeraCrypt, a heavier tool, for example for project use: https://veracrypt.codeplex.com/
  • Create a "container" in a place where every member has access
  • Share the password in a secure way
http://www.northeastern.edu/securenu/sensitive-information-2/how-to-use-7-zip-to-encrypt-files-and-folders/
32. Keep safe when travelling
• Activate the screen-saver lock: computers with confidential data should be configured to lock after 20 minutes of inactivity. A PC in sleep mode is far easier to attack than one that is shut down.
• Laptop hard drives should be encrypted; ask the IT Service Desk for more information.
• On kiosk PCs, clear the browser cache.
• Before travel, write down important contact details: IT service desk, the "if a device is lost" instructions, operator, credit card contact numbers.
• Use a VPN; an open WLAN is OPEN.
• Change your password before travelling rather than while abroad.
• Take care of USB sticks; don't accept USB sticks from strangers.
• Always carry your devices as hand luggage when travelling (e.g. train, ship, bus).
• Make sure that the PIN and protection code are enabled.
• Disable Bluetooth if you don't need it.
• Be careful when printing and carrying confidential material (or avoid it totally).
33. Thank you!
Tomi.Jarvinen@aditro.com
https://Twitter.com/tomppaj