IT Security Basics
WIIFY
1. Why Security?
2. What are the sources of compromise?
3. Four virtues of Security.
4. The 9 rules of Security.
5. What Information Security is, its goal and impact.
6. Common Security definitions/terms.
7. 10 Security Domains by ‘International Information Systems Security
Certification Consortium’ (ISC)2.
8. 3 Steps to success in Security.
9. Resources on web.
10. What do I do as a user?
11. Q&A.
Why Security?
• Case 1
The City of Joburg announced a breach of its network on the night of 25 Oct and
shut down its website and all e-services as a precautionary measure. Key
city systems were shut down, including online services, bill payments, and
more.
• Case 2
The database of a Middle East bank's debit card payment system was hacked.
The organized gang altered card holders' available balances and cloned the
cards. Cash was withdrawn in small amounts from 17 countries, totalling
US $18 million in 2 days.
Serious Matters
We all are at risk. This statement is not meant to
instill fear, but simply to properly represent the
state of IT in our modern world. Security can no
longer be a question. It can no longer be ignored,
dismissed, or treated like a thorn in our side. At any
given moment, an adequate amount of security is
all that stands between our precious data and that
wave of relentless and talented intruders striking
out at our valuable resources.
“Why would anyone hack us?” is no longer a
defense, and, “Do we really need to secure
ourselves?” is no longer a question. We all are
targets. We all are vulnerable. We are under
attack, and without security, the only questions
are where and when will we be struck, and just
how badly will it hurt.
Don’t be so Sure!
Usual pretexts for not paying attention to security:
• I have antivirus installed.
• I do not buy anything online.
• We have nothing important stored except Client’s data.
• It will never happen to me.
• I am online for very short time just for checking emails.
• Why would anyone steal my data, and what would they do with it? We'll
take them to court.
IT Security Areas
• Information Security
• Network Security
• Cyber/Internet Security
• Physical Security
• Application Security
• Database Security
• Cloud Security
• Mobile Security
• Telecom Security
• Software Security
• Storage Security
• Web Security
What are the sources of compromise?
• Inside job: 32% from internal employees, 28% from ex-employees and
partners, and 50% from employees misusing access privileges.
• Spyware: Most spyware comes in as direct result of user behavior.
• Desktop/Laptop/Smart Devices: It’s like locking the doors and
windows of the house - with the burglar still in the basement.
• Put simply, to keep the burglar out of the basement, organizations
need to remove the ability of employees to let the burglars in, in the
first place. They need to implement tamper-proof solutions that users
cannot easily evade – no matter what the external inducements.
Do you know you are being tracked?
Big data analytics organizations and cyber criminals are watching.
Install the Collusion add-on for your browser and see for yourself how you are
tracked.
The four virtues of Security
1. Daily Consideration – Security MUST be a daily consideration in every area.
2. Community Effort – Security MUST be a community effort.
3. Higher Focus – Security practices MUST maintain a generalized focus.
4. Education – Security practices MUST include some measure of training for
everyone.
How do we practice these virtues?
• Make security a continual thought. Encourage others to be continually mindful
of security. Formally include security in all new projects and project
implementations.
• Keep informed. Inform others. Keep up to date. Inform end users. Make group-
based decisions.
• Learn and share the concepts. Think in terms of the bigger picture. Follow the
practices of higher security. Follow the concept of the written practice.
• Good software installation practices. Good awareness practice. Good web
browsing practice. Good confidentiality practices.
The nine rules of Security
1. Rule of Least Privilege.
2. Rule of Change.
3. Rule of Zero Trust.
4. Rule of the Weakest Link.
5. Rule of Separation.
6. Rule of the Three-Fold Process (IMM).
7. Rule of Preventive Action.
8. Rule of Immediate and Proper Response.
9. Rule of Encryption
What is Information Security (InfoSec)?
• InfoSec is the practice of defending
information from unauthorized access, use,
disclosure, disruption, modification,
perusal, inspection, recording or
destruction.
• A program/process, not a project.
• Security is never 100%.
• Risk management to maintain and improve
security posture.
• A changing security landscape.
• Threats.
• Countermeasures.
GOAL and Impact of Information Security
GOAL - To ensure the
Confidentiality, Integrity and
Availability (CIA) of critical
systems and confidential
information.
Impact of an information security failure:
• Service liability
• Financial liability
• Legal issues
• Adverse impact on image
• Adverse impact on brand
• Adverse business impact
Common Security Definitions
Vulnerability is a software, hardware, or procedural weakness that may provide an
attacker the open door he is looking for to enter a computer or network and have
unauthorized access to resources within the environment.
Threat is any potential danger to information or systems. The threat is that someone or
something, will identify a specific vulnerability and use it against the company or
individual.
Threat agent could be an intruder accessing the network through a port on the
firewall, a process accessing data in a way that violates the security policy, a tornado
wiping out a facility, or an employee making an unintentional mistake that could expose
confidential information or destroy a file’s integrity.
Risk is the likelihood of a threat agent taking advantage of a vulnerability and the
corresponding business impact.
Exposure is an instance of being exposed to losses from a threat agent.
Countermeasure or safeguard, is put into place to mitigate the potential risk.
Common Security Terms
• Anti-Virus - A security program that can run on a computer or mobile device
and protects you by identifying and stopping the spread of malware on your
system.
• Drive-by Download - These attacks exploit vulnerabilities in your browser or
its plugins and helper applications when you simply surf to an attacker-
controlled website.
• Exploit - Code designed to take advantage of a vulnerability. An exploit is
designed to give an attacker the ability to execute additional malicious
programs on the compromised system.
• Firewall - A security program that filters inbound and outbound network
connections.
• Malware - Stands for 'malicious software'. It is any type of code or program
cyber attackers use to perform malicious actions.
• Patch - An update to a vulnerable program or system.
• Phishing is a social engineering technique where cyber attackers attempt to
fool you into taking an action in response to an email.
Security Components Flowchart (figure not reproduced in this transcript)
Security Domains - (ISC)2
1. Access Control.
2. Application Security.
3. Business Continuity and Disaster Recovery Planning.
4. Cryptography.
5. Information Security and Risk Management.
6. Legal, Regulations, Compliance, and Investigations.
7. Operations Security.
8. Physical (Environmental) Security.
9. Security Models and Architecture.
10. Telecommunications and Network Security.
Access Control
Access controls are security features that control how users and systems
communicate and interact with other systems and resources. They protect the
systems and resources from unauthorized access and can be components that
participate in determining the level of authorization after an authentication
procedure has successfully completed.
Aim of Access Controls:
• Identification: method of establishing the subject
(e.g. username, any other public information, systems, etc.).
• Authentication: method of proving one's identity
(e.g. use of biometrics, passphrase, token, private information, etc.).
• Authorization: determines that the proven identity has some set of
characteristics associated with it that gives it the right to access the
requested resources.
Access Control Models: DAC, MAC, RBAC.
Access Control Layers: Administrative, Physical, Technical/Logical.
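The identification, authentication and authorization steps above, plus the accountability the quick test asks about, can be seen in working code. The following Python example is added here for illustration and is not part of the original deck. The role names, the ledger and audit_log resources, and the user alice with her password are all constructed; PBKDF2 stands in for whatever password KDF a real system would use.

```python
import hashlib
import hmac
import os

# Added example (not from the original deck): a minimal access-control layer
# that keeps identification, authentication, authorization and accountability
# as separate steps. Role and permission names are constructed for illustration.

# Authorization policy: role -> set of (action, resource) pairs (RBAC).
ROLE_PERMISSIONS = {
    "clerk":      {("read", "ledger")},
    "accountant": {("read", "ledger"), ("write", "ledger")},
    "admin":      {("read", "ledger"), ("write", "ledger"), ("read", "audit_log")},
}

PBKDF2_ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked user table does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccessControl:
    def __init__(self) -> None:
        self._users = {}        # username -> (salt, password_hash, role)
        self.audit_log = []     # accountability: every decision is recorded

    def add_user(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt), role)

    # Identification + authentication: the caller claims a username and proves it.
    def authenticate(self, username: str, password: str):
        record = self._users.get(username)
        if record is None:
            # Burn the same cost for unknown users so response time does not
            # reveal which usernames exist (username enumeration).
            hash_password(password, DUMMY_SALT)
            self.audit_log.append(("auth_fail", username))
            return None
        salt, stored_hash, _role = record
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(stored_hash, hash_password(password, salt)):
            self.audit_log.append(("auth_ok", username))
            return username
        self.audit_log.append(("auth_fail", username))
        return None

    # Authorization: only ever called with an already-authenticated subject.
    def authorize(self, subject: str, action: str, resource: str) -> bool:
        role = self._users[subject][2]
        allowed = (action, resource) in ROLE_PERMISSIONS[role]
        self.audit_log.append(("authz", subject, action, resource, allowed))
        return allowed


def demo() -> dict:
    """Walk a clerk through a failed login, a good login and two requests."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple", "clerk")   # constructed
    bad = ac.authenticate("alice", "letmein")
    subject = ac.authenticate("alice", "correct horse battery staple")
    return {
        "bad_login": bad,
        "subject": subject,
        "can_read_ledger": ac.authorize(subject, "read", "ledger"),
        "can_write_ledger": ac.authorize(subject, "write", "ledger"),
        "audit_entries": len(ac.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The clerk can read the ledger but not write it (least privilege via the role), the wrong password is rejected without revealing whether the username exists, and every decision lands in the audit log so it can be attributed to a subject later.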
Access Control – Quick Test
1. The basic function of malicious code is to…
a. Upgrade the operating system
b. Execute itself in the client system
c. Spoof
d. Denial of Service
2. What is AAA of access control system?
a. Access, Accept and Apply.
b. Authorization, Authentication and Accountability.
c. Authentication, Authorization and Accountability.
d. Application, Acceptance and Approval.
Application Security
Applications are usually developed with functionality in mind and not security. Security and
Functionality need to be incorporated during design and development. Both application and
environment controls need to be used to ensure application security. ‘Security by Design’
should be the mantra for robust and secure applications.
Application Controls
Data modeling.
Object oriented programming.
Reusable and distributed code.
Client/ Server Model.
Data Types, Format and Length.
Environment Controls
Database modeling / Database management.
Relational databases and database interfaces.
DMZ – Demilitarized zones.
Access restriction.
Change Management.
Software (code) Escrow.
Application Security…
Application Life Cycle Phases
Project initiation.
Functional design analysis and planning.
System design and specifications.
Software development.
Installation / implementation.
Operations / maintenance.
Disposal.
Software development methods
Waterfall method.
Spiral method.
Joint analysis development.
Rapid application development.
Clean room development.
Application Security – Quick Test
1. An attack is a…
a. Vulnerability
b. Threat
c. Technique
d. Compromise
2. Encapsulation is a …
a. Wrapper
b. Threat
c. Software application
d. Class
Business Continuity and Disaster Recovery Plan
Plan testing methods, from least to most disruptive:
• Checklist review
• Structured walk-through
• Simulation test
• Parallel test
• Full interruption test
The goal of disaster recovery is to minimize the effects of a disaster and take the necessary steps
to ensure that the critical resources, personnel, and business processes are able to resume
operation in a timely manner. The goal of business continuity planning is to provide methods and
procedures for dealing with longer-term outages and disasters to ensure business is back to
normal.
Business Impact Analysis (BIA) is the crucial first step for business continuity and disaster
recovery planning. It encompasses a detailed risk assessment and risk analysis: qualitative and
quantitative information needs to be gathered and then properly analyzed and interpreted.
Phases of plan development and implementation:
• Identify business-critical resources
• Estimate potential disasters
• Select planning strategies
• Implement strategies
• Test and revise the plan
Business Continuity and Disaster Recovery Plan –
Quick test
1. The primary focus of the Business Continuity Plan is…
a. Integrity
b. Authenticity
c. Availability
d. Business growth
2. The Recovery Point Objective (RPO) estimates…
a. The timeframe within which to resume operations
b. The data recovery point
c. The resources required for business continuity
d. The time required to develop a BCP
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is
intended for can read and process. It is considered a science of protecting information by
encoding it into an unreadable format.
Goal of Cryptosystems:
Confidentiality : Unauthorized parties cannot access the information.
Authenticity : Validating the source of the message to ensure that the sender is properly
identified.
Integrity : Provides an assurance that the data was not modified during transmission.
Nonrepudiation : Prevents the denial of actions by sender and receiver.
Cryptographic Standards: Encryption, Hashing, Digital Signatures, PKI.
Common Cryptography Systems: TLS, SET, IPSec, PGP, S/MIME, SSH, S-HTTP, Kerberos,
Steganography, Digital Watermarking, SecurID, WAP, WPA, WEP.
The goal of designing an encryption technology is to make compromising it too
expensive or too time consuming.
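As an added illustration (not part of the original deck) of why integrity and authenticity are listed as separate goals, the following Python example uses only the standard library to show that a plain hash does not stop an attacker who can rewrite the message, while an HMAC under a shared key does. The shared key and the transfer message are constructed for the example; the key is assumed to have been exchanged between sender and receiver out of band.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original deck): integrity vs. authenticity.
# A bare hash lets a verifier detect accidental corruption, but an attacker who
# can change the message can also recompute the hash. A keyed MAC (HMAC) ties
# the check value to a secret the attacker does not hold.
# Key and messages are constructed for illustration.

SHARED_KEY = secrets.token_bytes(32)   # assumed to be provisioned out of band


def protect_hash(message: bytes) -> bytes:
    """Unkeyed integrity check: SHA-256 digest of the message."""
    return hashlib.sha256(message).digest()


def verify_hash(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def protect_mac(message: bytes, key: bytes) -> bytes:
    """Keyed integrity + authenticity check: HMAC-SHA256 tag."""
    return hmac.new(key, message, "sha256").digest()


def verify_mac(message: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, message, "sha256").digest(), tag)


def tamper(message: bytes) -> bytes:
    """Man-in-the-middle edit: change the transfer amount in transit."""
    return message.replace(b"amount=100", b"amount=900")


def run_scenario() -> dict:
    message = b"transfer to=acct-42 amount=100"   # constructed sample message

    # Scenario A: hash only. The attacker changes the message and simply
    # recomputes the digest; no secret is needed, so the verifier is fooled.
    digest = protect_hash(message)
    forged_a = tamper(message)
    forged_digest = protect_hash(forged_a)
    hash_accepts_forgery = verify_hash(forged_a, forged_digest)

    # Scenario B: HMAC. The attacker changes the message but cannot recompute
    # the tag without SHARED_KEY, so the best they can do is replay the old tag.
    tag = protect_mac(message, SHARED_KEY)
    forged_b = tamper(message)
    mac_accepts_forgery = verify_mac(forged_b, tag, SHARED_KEY)

    return {
        "hash_accepts_original": verify_hash(message, digest),
        "hash_accepts_forgery": hash_accepts_forgery,
        "mac_accepts_original": verify_mac(message, tag, SHARED_KEY),
        "mac_accepts_forgery": mac_accepts_forgery,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Note the limit of the MAC: it proves the message came from someone holding the shared key, but since both sender and receiver hold it, either could have produced the tag. That is why non-repudiation in the list above needs a digital signature made with the sender's private key rather than a shared-key MAC.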
Cryptography – Quick Test
1. IEEE 802.11 is a set of standards for …
a. Wired Local Area Network
b. Hyper Text Transport Protocol
c. Secure Transport Layer
d. Wireless Local Area Network
2. Steganography is a…
a. Public Key Infrastructure
b. Private Key
c. Concealing Message
d. Watermarking
Information Security and Risk Management
Information Security and Risk Management are closely related. Information
security aims to preserve the CIA of organizational assets. Risk management
identifies the threats and vulnerabilities that could impact information
security and devises suitable controls to mitigate the resulting risks.
The three objectives in practice:
• Availability: to ensure that information and vital services are accessible for use when required.
• Integrity: to ensure the accuracy and completeness of information to protect business processes.
• Confidentiality: to ensure protection against unauthorized access to, or use of, confidential information.
Information Security and Risk Management - 90/10 Rule
Technology accounts for about 10% of security; people and process account for the other 90%.
Information Security and Risk Management – Quick Test
1. In order to have an effective security within
the organization, it is important that the
people or personnel are aware of…
a. Security requirements
b. Security policies and procedures
c. Roles and responsibilities
d. All of the above
2. Which one of the following is a common type
of classification in Government as well as
private/public sector organizations?
a. Top secret
b. Confidential
c. Unclassified
d. Public
Legal, Regulations, Compliance, and Investigation
IT staff need to be aware of the various legal and regulatory requirements pertaining to the ethical
use of computers, compliance frameworks across the world, and investigative mechanisms to identify,
protect, and preserve any evidence of computer crimes. Laws and regulations depend on the
state or country of operation. Laws are usually based on ethics and are put in place to ensure that
others act in an ethical way.
MOM of a Crime:
Motive is the “Who” and “Why” of a crime.
Opportunity is the “where” and “when” of a crime.
Means is the capabilities a criminal would need to be successful.
Some common types of computer crimes:
Salami – Small crimes with the hope that the larger crime will go unnoticed.
Data diddling – Alteration of existing data.
Password sniffing – Sniff network traffic for passwords.
IP Spoofing – Forging the attacker's source IP address.
Emanations capturing – Capturing electrical pulses and making meaning from them.
Social engineering – Manipulating people, e.g. by faking somebody's identity.
Legal, Regulations, Compliance, and Investigation…
Assets that Organizations are trying to protect:
Intellectual Property
Trade Secrets
Copyrights
Trademark
Patents
Software piracy
Privacy
Some Acts you will come across:
Health Insurance Portability and Accountability Act
Sarbanes-Oxley Act (SOX) 2002
Gramm-Leach-Bliley Act (GLBA) 1999
Data Protection Act (DPA)
Computer Fraud and Abuse Act
Federal Privacy Act 1974
Legal, Regulations, Compliance, and Investigation –
Quick Test
1. Cyber Crime is using…
a. Communication networks to perpetrate crime
b. Phishing techniques
c. Spam emails
d. Unauthorized access
2. A Denial-of-Service attack primarily targets…
a. Authenticity
b. Availability
c. Authorization
d. Access Control
Operations Security
Operational security has to do with keeping up with implemented solutions, keeping track
of changes, properly maintaining systems, continually enforcing necessary standards and
following through with security practices and tasks. This includes the continual
maintenance of an environment and the activities that should take place on a day-to-day
basis.
Administrative Management
Separation of duties.
Rotation of duties / Job rotation.
Least privilege access / shared access.
Mandatory vacations.
Accountability
Access revalidation.
Health checks.
Capturing and monitoring audit logs.
Auditing.
Operations Security…
Security Operations and Product Evaluation
Operational assurance.
Life cycle assurance.
Change Management Control
Request for change.
Change approval.
Change documentation.
Change testing and presentation.
Change implementation.
Change reporting.
Media Controls : Media management “cradle to grave”.
System Controls : Selected tasks can be performed only by “elevated access”.
Trusted Recovery : System reboots and restarts.
Input and Output Controls : Garbage In, Garbage Out.
Operations Security – Quick Test
1. A systematic and procedural way of managing incidents is known
as…
a. Configuration management
b. Incident management
c. Change management
d. System management
2. If an event could possibly violate information security, then such an
event is known as …
a. Problem
b. Confidentiality breach
c. Incident
d. Integrity breach
Physical (Environmental) Security
Physical and Environmental security encompasses a different set of threats, vulnerabilities
and risks than the other types of security. Physical security mechanisms include site design
and layout, environmental components, emergency response readiness, training, access
control, intrusion detection, and power and fire protection. Physical security mechanisms
protect people, data, equipment, systems, facilities and a long list of company assets.
Types of threats:
• Natural environment: floods, earthquakes, storms, etc.
• Supply system: power distribution outages, interruptions, etc.
• Man made: unauthorized access, employee error and accidents, damage, etc.
• Politically motivated: strikes, riots, civil disobedience, etc.
Solutions are planned and designed for:
• Prevention
• Detection
• Suppression / Response
Physical (Environmental) Security – Quick Test
1. Which of the following needs to be
considered while designing controls for
physical security…
a. Physical facility
b. Geographic location
c. Supporting facilities
d. All of the above
2. Evacuation procedures should primarily
address…
a. Network
b. Furniture
c. People
d. Computers
Security Architecture and Design
Two fundamental concepts in computers and information security are Policy and Security Model.
While the Policy outlines how data is accessed, the level of security required and the actions that
need to be taken when the requirements are not met, the Security Model is a statement that
outlines the requirements necessary to properly support and implement the policy. Architecture
defines how they are implemented.
Some basic security models:
Bell-LaPadula: [Protects Confidentiality] A subject cannot read data at a higher security level
(no read up), a subject cannot write data to a lower security level (no write down), and a subject
with read and write capability can perform both at its own security level.
Biba: [Protects Integrity] A subject cannot read data at a lower integrity level (no read down),
a subject cannot write data to a higher integrity level (no write up), and a subject cannot invoke
a subject at a higher integrity level.
Clark-Wilson: Subjects can only access objects through authorized programs (access triples),
separation of duties is enforced, and auditing is required.
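The following Python example, added here and not taken from the original deck, encodes the Bell-LaPadula and Biba rules above in a toy reference monitor so that "no read up / no write down" and "no read down / no write up" can be checked against concrete labels. The label names, the analyst subject and the four objects are constructed for the example.

```python
from dataclasses import dataclass

# Added example (not from the original deck): a toy reference monitor that
# enforces the Bell-LaPadula rules on confidentiality labels and the Biba rules
# on integrity labels. Label names and sample objects are constructed.

CONFIDENTIALITY = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    confidentiality: str
    integrity: str


def blp_allows(op: str, subject: Label, obj: Label) -> bool:
    s, o = CONFIDENTIALITY[subject.confidentiality], CONFIDENTIALITY[obj.confidentiality]
    if op == "read":
        return s >= o     # simple security property: no read up
    if op == "write":
        return s <= o     # *-property: no write down
    raise ValueError(op)


def biba_allows(op: str, subject: Label, obj: Label) -> bool:
    s, o = INTEGRITY[subject.integrity], INTEGRITY[obj.integrity]
    if op == "read":
        return s <= o     # simple integrity property: no read down
    if op == "write":
        return s >= o     # *-integrity property: no write up
    raise ValueError(op)


def decide(op: str, subject: Label, obj: Label) -> tuple:
    """Mediate every access: both models must agree before access is granted.
    Returns (allowed, list_of_reasons_for_denial)."""
    reasons = []
    if not blp_allows(op, subject, obj):
        reasons.append("BLP: " + ("no read up" if op == "read" else "no write down"))
    if not biba_allows(op, subject, obj):
        reasons.append("Biba: " + ("no read down" if op == "read" else "no write up"))
    return (not reasons, reasons)


def run_matrix() -> dict:
    """Constructed subject and objects; returns each decision for inspection."""
    analyst = Label("secret", "user")
    objects = {
        "public_web_page": Label("unclassified", "untrusted"),
        "intel_report":    Label("secret", "user"),
        "war_plan":        Label("top_secret", "user"),
        "os_binary":       Label("unclassified", "system"),
    }
    return {(op, name): decide(op, analyst, obj)
            for name, obj in objects.items() for op in ("read", "write")}


if __name__ == "__main__":
    for (op, name), (allowed, reasons) in run_matrix().items():
        print(f"{op:5} {name:16} {'ALLOW' if allowed else 'DENY'} {reasons}")
```

Two results are worth pausing on. The analyst may write to war_plan even though she cannot read it: Bell-LaPadula permits a blind "write up", which is a known weakness of the model on its own and one reason real systems add integrity controls. And the analyst may not read the untrusted public_web_page under Biba, which is the rule that keeps low-integrity input from contaminating higher-integrity work.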
Security Architecture and Design – Quick Test
1. A trusted computer system should have…
a. A well-defined security policy
b. Accountability
c. Assurance mechanisms
d. All the above three
2. A security label is NOT…
a. A classification mechanism
b. A labeling of low, medium, high based on security
c. A computer model
d. Used for defining protection mechanisms
Telecommunications and Network Security
This domain deals with the security of voice and data communications through local area, wide area,
and remote access networking: the electrical transmission of data among systems, whether through
analog, digital or wireless transmission types, and the various devices, software and protocols involved.
Telecommunication and Network Security – Quick Test
1. A protocol is a …
a. Data encryption standard
b. Layered architecture
c. Communication standard
d. Data link
2. The Internet Protocol (IP) operates in
the …
a. Physical layer
b. Network layer
c. Application layer
d. Communication layer
The three steps to Success
1. Think about Security.
2. Do something (while still thinking about Security).
3. Continue to think about Security.
Security cannot be an afterthought.
Do your best. Adopt good practices, or else trust in God!
10 Essentials of Security
1. THINK before you click.
2. Protect passwords.
3. Know if your job requires higher security standards.
4. Register all computers and devices used for business.
5. Connect to networks safely.
6. Manage and store client and company data securely.
7. Backup and encrypt data wherever it’s stored.
8. Keep your security settings and software up to date.
9. Manage your online privacy settings and THINK before sharing
information.
10. Report security incidents immediately.
What to do for Security?
(No more, no less)
• Make security a headline every day.
• Manage men Tactfully, Totally, Thoughtfully, Talkatively, Taskfully,
Thankfully, with respect to Trust, Time and Technology.
• Communicate, follow up, document, and update.
• Lead by example.
• Expect the unexpected.
• Respond promptly but thoughtfully; avoid knee-jerk reaction.
• Delegate, but empower and support.
Resources:
• National Institute of Standards and Technology (NIST) – www.nist.gov
• http://www.sourcesecurity.com/
• National Vulnerability Database http://web.nvd.nist.gov/view/vuln/search
• Department of Electronics and Information Technology
http://deity.gov.in/
• Latest IT News and Articles http://www.informationweek.in/home.aspx
• IT Security Experts https://www.isc2.org/
• Information Systems Audit and Control Association
http://www.isaca.org/about-isaca/Pages/default.aspx
• https://www.us-cert.gov/about-us
• https://www.nist.gov/
• https://www.cisecurity.org/
Homework
Recommended read at your leisure: ISF Threat Horizon Report 2019-2021
(ISF_Threat Horizon 2021_Report.pdf).
Summary
• Why security is important and what the sources of compromise are.
• Four virtues and nine rules of security.
• What information security is, CIA and BIA.
• Common security definitions and terms.
• 10 security domains by (ISC)2.
• 3 steps for success in security.
• What to do for security.
THANK YOU
for Watching Securely!
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganised
Bule Hora University
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdf
Jazmine Brown
 

Similar to Information Technology Security Basics (20)

Top Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdfTop Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdf
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hack
 
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your DataLaw Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
 
Cyber Security vs.pdf
Cyber Security vs.pdfCyber Security vs.pdf
Cyber Security vs.pdf
 
Cyber security for Developers
Cyber security for DevelopersCyber security for Developers
Cyber security for Developers
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
 
What Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultWhat Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVault
 
Ethicalhackingalicencetohack 120223062548-phpapp01
Ethicalhackingalicencetohack 120223062548-phpapp01Ethicalhackingalicencetohack 120223062548-phpapp01
Ethicalhackingalicencetohack 120223062548-phpapp01
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Aon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesAon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation Strategies
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
 
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdfTop_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
 
Top 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdfTop 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdf
 
New Developments in Cybersecurity and Technology for RDOs: Howland
New Developments in Cybersecurity and Technology for RDOs: HowlandNew Developments in Cybersecurity and Technology for RDOs: Howland
New Developments in Cybersecurity and Technology for RDOs: Howland
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber security
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganised
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdf
 

Recently uploaded

W.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest ExperienceW.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest Experience
William (Bill) H. Bender, FCSI
 
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
CIOWomenMagazine
 
Founder-Game Director Workshop (Session 1)
Founder-Game Director  Workshop (Session 1)Founder-Game Director  Workshop (Session 1)
Founder-Game Director Workshop (Session 1)
Amir H. Fassihi
 
Training- integrated management system (iso)
Training- integrated management system (iso)Training- integrated management system (iso)
Training- integrated management system (iso)
akaash13
 
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
juniourjohnstone
 
TCS AI for Business Study – Key Findings
TCS AI for Business Study – Key FindingsTCS AI for Business Study – Key Findings
TCS AI for Business Study – Key Findings
Tata Consultancy Services
 
Leadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact PlanLeadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact Plan
Muhammad Adil Jamil
 
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docxModern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
ssuserf63bd7
 
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
gcljeuzdu
 

Recently uploaded (9)

W.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest ExperienceW.H.Bender Quote 65 - The Team Member and Guest Experience
W.H.Bender Quote 65 - The Team Member and Guest Experience
 
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
Oprah Winfrey: A Leader in Media, Philanthropy, and Empowerment | CIO Women M...
 
Founder-Game Director Workshop (Session 1)
Founder-Game Director  Workshop (Session 1)Founder-Game Director  Workshop (Session 1)
Founder-Game Director Workshop (Session 1)
 
Training- integrated management system (iso)
Training- integrated management system (iso)Training- integrated management system (iso)
Training- integrated management system (iso)
 
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
SOCIO-ANTHROPOLOGY FACULTY OF NURSING.....
 
TCS AI for Business Study – Key Findings
TCS AI for Business Study – Key FindingsTCS AI for Business Study – Key Findings
TCS AI for Business Study – Key Findings
 
Leadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact PlanLeadership Ethics and Change, Purpose to Impact Plan
Leadership Ethics and Change, Purpose to Impact Plan
 
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docxModern Database Management 12th Global Edition by Hoffer solution manual.docx
Modern Database Management 12th Global Edition by Hoffer solution manual.docx
 
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
一比一原版杜克大学毕业证(Duke毕业证)成绩单留信认证
 

Information Technology Security Basics

5. Don't be so Sure!
Usual pretexts for not paying attention to security:
• I have antivirus installed.
• I do not buy anything online.
• We have nothing important stored except clients' data.
• It will never happen to me.
• I am online for a very short time, just to check emails.
• Why would someone steal my data, and what would they do with it? We'll take them to court.

6. IT Security Areas
• Information Security
• Network Security
• Cyber/Internet Security
• Physical Security
• Application Security
• Database Security
• Cloud Security
• Mobile Security
• Telecom Security
• Software Security
• Storage Security
• Web Security

7. What are the sources of compromise?
• Inside job: 32% from internal employees, 28% from ex-employees and partners, and 50% from employees misusing access privileges.
• Spyware: most spyware comes in as a direct result of user behaviour.
• Desktop/laptop/smart devices: it is like locking the doors and windows of the house with the burglar still in the basement.
• Put simply, to keep the burglar out of the basement, organizations need to remove employees' ability to let the burglars in in the first place. They need to implement tamper-proof controls that users cannot easily evade, no matter what the external inducements.
Do you know you are tracked? Big-data analytics organizations and cyber criminals are watching. Install the Collusion add-on for your browser and see for yourself how you are tracked.

8. The four virtues of Security
1. Daily Consideration – Security MUST be a daily consideration in every area.
2. Community Effort – Security MUST be a community effort.
3. Higher Focus – Security practices MUST maintain a generalized focus.
4. Education – Security practices MUST include some measure of training for everyone.
How do we practice these virtues?
• Make security a continual thought. Encourage others to be continually mindful of security. Formally include security in all new projects and project implementations.
• Keep informed. Inform others. Keep up to date. Inform end users. Make group-based decisions.
• Learn and share the concepts. Think in terms of the bigger picture. Follow the practices of higher security. Follow the concept of the written practice.
• Good software installation practices. Good awareness practices. Good web browsing practices. Good confidentiality practices.

9. The nine rules of Security
1. Rule of Least Privilege.
2. Rule of Change.
3. Rule of Zero Trust.
4. Rule of the Weakest Link.
5. Rule of Separation.
6. Rule of the Three-Fold Process (IMM).
7. Rule of Preventive Action.
8. Rule of Immediate and Proper Response.
9. Rule of Encryption.

10. What is Information Security (InfoSec)?
• InfoSec is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• It is a program/process, not a project.
• It is never 100%.
• Risk management is used to maintain and improve the security posture.
• The security landscape keeps changing.
• Threats.
• Countermeasures.

11. Goal and Impact of Information Security
GOAL – To ensure the Confidentiality, Integrity and Availability (CIA) of critical systems and confidential information.
Impact of an information security failure:
• Service liability
• Financial liability
• Legal issues
• Adverse impact on image
• Adverse impact on brand
• Adverse business impact

12. Common Security Definitions
Vulnerability is a software, hardware, or procedural weakness that may provide an attacker the open door they are looking for to enter a computer or network and gain unauthorized access to resources within the environment.
Threat is any potential danger to information or systems. The threat is that someone or something will identify a specific vulnerability and use it against the company or individual.
Threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file's integrity.
Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
Exposure is an instance of being exposed to losses from a threat agent.
Countermeasure, or safeguard, is put into place to mitigate the potential risk.

13. Common Security Terms
• Anti-Virus – A security program that runs on a computer or mobile device and protects you by identifying and stopping the spread of malware on your system.
• Drive-by Download – These attacks exploit vulnerabilities in your browser or its plugins and helper applications when you simply browse to an attacker-controlled website.
• Exploit – Code that is designed to take advantage of a vulnerability. An exploit is designed to give an attacker the ability to execute additional malicious programs on the compromised system.
• Firewall – A security program that filters inbound and outbound network connections.
• Malware – Stands for 'malicious software'. It is any type of code or program cyber attackers use to perform malicious actions.
• Patch – An update to a vulnerable program or system.
• Phishing – A social engineering technique where cyber attackers attempt to fool you into taking an action in response to an email.

15. Security Domains – (ISC)2
The ten domains of the (ISC)2 CISSP Common Body of Knowledge (this is the pre-2015 version; the CBK was later consolidated into eight domains):
1. Access Control.
2. Application Security.
3. Business Continuity and Disaster Recovery Planning.
4. Cryptography.
5. Information Security and Risk Management.
6. Legal, Regulations, Compliance, and Investigations.
7. Operations Security.
8. Physical (Environmental) Security.
9. Security Models and Architecture.
10. Telecommunications and Network Security.

16. Access Control
Access controls are security features that control how users and systems communicate and interact with other systems and resources. They protect systems and resources from unauthorized access and can be components that determine the level of authorization after an authentication procedure has successfully completed.
Aim of access controls:
• Identification: method of establishing the subject (e.g. username, any other public information, system identifier, etc.).
• Authentication: method of proving one's identity (e.g. biometrics, passphrase, token, private information, etc.).
• Authorization: determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.
Access control models: DAC, MAC, RBAC.
Access control layers: Administrative, Physical, Technical/Logical.
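The identification, authentication and authorization sequence above, with accountability (the fourth "A" from the quick test that follows) added as an audit log, as a small role-based (RBAC) gate. This is an added example and not code from the slides; the users, roles, permissions and session mechanism are constructed for illustration. Authorization is only ever evaluated against a session that a successful authentication produced, and every decision, granted or denied, is recorded.

```python
"""Identification, authentication, authorization and accountability in one small
RBAC gate. Added example; users, roles and permissions are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Role -> permissions table (constructed). Authorization consults roles, never users directly.
ROLE_PERMISSIONS = {
    "clerk":   {"ledger:read"},
    "auditor": {"ledger:read", "audit-log:read"},
    "admin":   {"ledger:read", "ledger:write", "audit-log:read", "user:manage"},
}

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: a leaked user table does not directly yield passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset


class AccessControl:
    def __init__(self):
        self.users = {}      # identification: username -> User
        self.sessions = {}   # session token -> username, created only after authentication
        self.audit_log = []  # accountability: every decision, allowed or denied, is recorded

    def add_user(self, username, password, roles):
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash_password(password, salt), frozenset(roles))

    def authenticate(self, username, password):
        """Return a session token on success, None on failure."""
        user = self.users.get(username)
        if user is None:
            # Hash anyway so an unknown username is not rejected faster than a wrong password.
            _hash_password(password, b"\x00" * 16)
            self._record(username, "authenticate", None, False)
            return None
        ok = hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)
        self._record(username, "authenticate", None, ok)
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def authorize(self, token, permission):
        """Authorization only ever follows a successful authentication (a valid session)."""
        username = self.sessions.get(token)
        if username is None:
            self._record("<no-session>", "authorize", permission, False)
            return False
        roles = self.users[username].roles
        granted = any(permission in ROLE_PERMISSIONS.get(role, ()) for role in roles)
        self._record(username, "authorize", permission, granted)
        return granted

    def _record(self, who, action, target, allowed):
        self.audit_log.append({"user": who, "action": action, "target": target, "allowed": allowed})


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery", ["clerk"])
    token = ac.authenticate("alice", "correct horse battery")
    print("read :", ac.authorize(token, "ledger:read"))    # True
    print("write:", ac.authorize(token, "ledger:write"))   # False: a clerk has no write permission
    for entry in ac.audit_log:
        print(entry)
```

The table lookup is the RBAC part; the point for a practitioner is the ordering: no permission is ever evaluated for a caller who has not been authenticated, the password check uses a constant-time comparison, and the denied attempts land in the log as well as the granted ones, since the denials are what an investigation will need.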

17. Access Control – Quick Test
1. The basic functionality of malicious code is to…
a. Upgrade the operating system
b. Execute itself on the client system
c. Spoof
d. Denial of Service
2. What is AAA in an access control system?
a. Access, Accept and Apply.
b. Authorization, Authentication and Accountability.
c. Authentication, Authorization and Accountability.
d. Application, Acceptance and Approval.

18. Application Security
Applications are usually developed with functionality in mind, not security. Security and functionality need to be incorporated together during design and development. Both application and environment controls need to be used to ensure application security. 'Security by Design' should be the mantra for robust and secure applications.
Application controls:
• Data modeling.
• Object-oriented programming.
• Reusable and distributed code.
• Client/server model.
• Data types, format and length.
Environment controls:
• Database modeling / database management.
• Relational databases and database interfaces.
• DMZ – demilitarized zones.
• Access restriction.
• Change management.
• Software (code) escrow.
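The "data types, format and length" application control above, as an added example (not from the slides): an allow-list validator for a request body. The schema, field names and sample payloads are constructed for a hypothetical order-entry form; the technique is the same for any input boundary. Each field is checked for exact type, then length, then format, and anything that does not fit is rejected rather than "cleaned".

```python
"""Allow-list validation of a request body by data type, format and length.
Added example; the schema and sample payloads are constructed."""
import re

# Schema for a hypothetical order-entry form: every field states the only type,
# format and length the application will accept. Anything else is rejected, not sanitized.
SCHEMA = {
    "customer_id": {"type": str, "max_len": 8,   "pattern": re.compile(r"[A-Z]{2}[0-9]{6}")},
    "email":       {"type": str, "max_len": 254, "pattern": re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}")},
    "quantity":    {"type": int, "min": 1, "max": 1000},
    "note":        {"type": str, "max_len": 200, "pattern": re.compile(r"[\w .,!?-]*", re.ASCII)},
}


def validate(payload, schema=SCHEMA):
    """Return a list of error strings; an empty list means the payload is acceptable."""
    errors = []
    # Unknown fields are rejected: mass-assignment bugs start with "extra" keys.
    for key in payload:
        if key not in schema:
            errors.append(f"{key}: unexpected field")
    for key, rule in schema.items():
        if key not in payload:
            errors.append(f"{key}: missing")
            continue
        value = payload[key]
        # Exact type check; isinstance() would let bool through as int.
        if type(value) is not rule["type"]:
            errors.append(f"{key}: expected {rule['type'].__name__}")
            continue
        # Length before format: a regex should not be run over a megabyte of input.
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{key}: longer than {rule['max_len']} characters")
            continue
        # fullmatch, not match/search: a "$" anchor would still accept a trailing newline.
        if "pattern" in rule and rule["pattern"].fullmatch(value) is None:
            errors.append(f"{key}: does not match the required format")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{key}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{key}: above maximum {rule['max']}")
    return errors


if __name__ == "__main__":
    # Constructed sample payloads: one acceptable, one with a problem in every field.
    good = {"customer_id": "AB123456", "email": "a@example.org", "quantity": 3, "note": "leave at door"}
    bad = {"customer_id": "ab123456", "email": "a@example.org\n", "quantity": "3",
           "note": "x" * 201, "is_admin": True}
    print(validate(good))   # []
    for err in validate(bad):
        print(err)
```

Two details matter more than the regexes themselves: the type check uses `type(value) is` rather than `isinstance`, because `True` is an `int` in Python and would otherwise pass a numeric field, and `fullmatch` is used because a `$`-anchored pattern accepts a value with a trailing newline, which is exactly the kind of input that later ends up in a log line or a header.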

19. Application Security…
Application life cycle phases:
• Project initiation.
• Functional design analysis and planning.
• System design and specifications.
• Software development.
• Installation / implementation.
• Operations / maintenance.
• Disposal.
Software development methods:
• Waterfall method.
• Spiral method.
• Joint analysis development.
• Rapid application development.
• Cleanroom development.

20. Application Security – Quick Test
1. An attack is a…
a. Vulnerability
b. Threat
c. Technique
d. Compromise
2. Encapsulation is a…
a. Wrapper
b. Threat
c. Software application
d. Class

21. Business Continuity and Disaster Recovery Plan
The goal of disaster recovery is to minimize the effects of a disaster and take the necessary steps to ensure that critical resources, personnel, and business processes are able to resume operation in a timely manner. The goal of business continuity planning is to provide methods and procedures for dealing with longer-term outages and disasters to ensure business gets back to normal.
Business Impact Analysis (BIA) is the crucial first step for business continuity and disaster recovery planning. It encompasses a detailed risk assessment and risk analysis. Qualitative and quantitative information needs to be gathered and then properly analyzed and interpreted.
Phases of plan development:
• Identify business-critical resources
• Estimate potential disasters
• Select planning strategies
• Implement strategies
• Test and revise the plan
Phases of plan implementation (plan tests, from least to most disruptive):
• Checklist review
• Structured walk-through
• Simulation test
• Parallel test
• Full interruption test

22. Business Continuity and Disaster Recovery Plan – Quick Test
1. The primary focus of the Business Continuity Plan is…
a. Integrity
b. Authenticity
c. Availability
d. Business growth
2. The Recovery Point Objective (RPO) estimates…
a. The timeframe within which to resume operations
b. The data recovery point
c. The resources required for business continuity
d. The time required to develop a BCP

23. Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is considered the science of protecting information by encoding it into an unreadable format.
Goals of cryptosystems:
• Confidentiality: unauthorized parties cannot access the information.
• Authenticity: validating the source of the message to ensure that the sender is properly identified.
• Integrity: provides assurance that the data was not modified during transmission.
• Nonrepudiation: prevents the denial of actions by sender and receiver.
Cryptographic building blocks: encryption, hashing, digital signatures, PKI.
Common systems and protocols that use cryptography: TLS, SET, IPsec, PGP, S/MIME, SSH, S-HTTP, Kerberos, steganography, digital watermarking, SecurID, WAP, WPA, WEP (WEP is listed for completeness only; it is broken and must not be relied on).
The goal of designing an encryption technology is to make compromising it too expensive or too time consuming.
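Two of the goals above, integrity and authenticity, side by side with what an unkeyed hash does and does not give you, as an added example using only the Python standard library (not code from the slides; the key and messages are constructed). A plain SHA-256 checksum detects accidental corruption but not deliberate modification, because whoever changes the message can recompute it; a keyed MAC (HMAC-SHA256 here) can only be produced by a holder of the key.

```python
"""Integrity and authenticity with a keyed MAC, versus an unkeyed checksum.
Added example; the key and messages are constructed."""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def checksum_only(message: bytes):
    """Integrity against accidents only: anyone who alters the message can recompute this."""
    return message, hashlib.sha256(message).digest()


def verify_checksum_only(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def seal(message: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; only a holder of `key` can produce a valid tag."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def open_sealed(blob: bytes, key: bytes):
    """Return the message if the tag verifies, else None. The comparison is
    constant-time so an attacker cannot learn the tag byte by byte from timing."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


if __name__ == "__main__":
    key = b"\x01" * 32          # constructed; use secrets.token_bytes(32) for a real key
    order = b"transfer 100 to bob"
    blob = seal(order, key)
    print(open_sealed(blob, key))                        # b'transfer 100 to bob'
    tampered = bytearray(blob)
    tampered[9] ^= 0x08                                  # flips the '1' in "100" to '9'
    print(open_sealed(bytes(tampered), key))             # None: tag no longer matches
    print(open_sealed(blob, b"\x02" * 32))               # None: wrong key
    # The unkeyed checksum offers no authenticity: the attacker simply recomputes it.
    forged_msg, forged_sum = checksum_only(b"transfer 900 to eve")
    print(verify_checksum_only(forged_msg, forged_sum))  # True
```

The caveat a practitioner should take from this: a MAC gives integrity and authenticity between the two parties who share the key, but not nonrepudiation, because the receiver could have produced the same tag. Nonrepudiation needs a digital signature made with the sender's private key (the PKI building block on the slide), which the standard library does not provide and which is therefore not shown here.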

24. Cryptography – Quick Test
1. IEEE 802.11 is a set of standards for…
a. Wired Local Area Network
b. Hyper Text Transport Protocol
c. Secure Transport Layer
d. Wireless Local Area Network
2. Steganography is a…
a. Public Key Infrastructure
b. Private Key
c. Concealing Message
d. Watermarking

25. Information Security and Risk Management
Information security and risk management are analogous to each other. Information security is about preserving the CIA of organizational assets. Risk management is about identifying the threats and vulnerabilities that could impact information security and devising suitable controls to mitigate these risks.
• Availability: to ensure that information and vital services are accessible for use when required.
• Integrity: to ensure the accuracy and completeness of information in order to protect business processes.
• Confidentiality: to ensure protection against unauthorized access to or use of confidential information.

26. Information Security and Risk Management – 90/10 Rule
Technology accounts for about 10% of security; people and process account for the other 90%.

27. Information Security and Risk Management – Quick Test
1. In order to have effective security within the organization, it is important that personnel are aware of…
a. Security requirements
b. Security policies and procedures
c. Roles and responsibilities
d. All of the above
2. Which one of the following is a common type of classification in government as well as private/public sector organizations?
a. Top secret
b. Confidential
c. Unclassified
d. Public

28. Legal, Regulations, Compliance, and Investigation
IT staff need to be aware of the various legal and regulatory requirements pertaining to the ethical usage of computers, compliance frameworks across the world, and investigative mechanisms to identify, protect, and preserve evidence of computer crimes. Laws and regulations depend on the state or country of operation. Laws are usually based on ethics and are put in place to ensure that others act in an ethical way.
MOM of a crime:
• Motive is the "who" and "why" of a crime.
• Opportunity is the "where" and "when" of a crime.
• Means is the capabilities a criminal would need to be successful.
Some common types of computer crimes:
• Salami – many small thefts in the hope that the larger crime will go unnoticed.
• Data diddling – alteration of existing data.
• Password sniffing – sniffing network traffic for passwords.
• IP spoofing – forging the attacker's source IP address.
• Emanations capturing – capturing electrical/electromagnetic emissions and extracting meaning from them.
• Social engineering – faking somebody's identity.

29. Legal, Regulations, Compliance, and Investigation…
Assets that organizations are trying to protect:
• Intellectual property
• Trade secrets
• Copyrights
• Trademarks
• Patents
• Privacy
(Software piracy belongs on this slide as a threat to these assets, not as an asset.)
Some Acts you will come across:
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX) 2002
• Gramm-Leach-Bliley Act (GLBA) 1999
• Data Protection Act (DPA)
• Computer Fraud and Abuse Act (CFAA)
• Privacy Act of 1974 (US federal)

30. Legal, Regulations, Compliance, and Investigation – Quick Test
1. Cyber crime is…
a. Using communication networks to perpetrate crime
b. Phishing techniques
c. Spam emails
d. Unauthorized access
2. The primary objective of a Denial-of-Service attack is to compromise…
a. Authenticity
b. Availability
c. Authorization
d. Access control

31. Operations Security
Operational security has to do with keeping up with implemented solutions, keeping track of changes, properly maintaining systems, continually enforcing necessary standards and following through with security practices and tasks. This includes the continual maintenance of an environment and the activities that should take place on a day-to-day basis.
Administrative management:
• Separation of duties.
• Rotation of duties / job rotation.
• Least privilege access / shared access.
• Mandatory vacations.
Accountability:
• Access revalidation.
• Health checks.
• Capturing and monitoring audit logs.
• Auditing.
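"Capturing and monitoring audit logs" and "least privilege" above, made concrete as an added example (not from the slides): a small analyzer run over constructed auth-log lines in the usual syslog/sshd/sudo format. It raises one alert when a single source exceeds a threshold of failed logins (password guessing) and another when a privileged command is run by an account outside the approved sudoers list. The host names, IP addresses (from the documentation ranges) and the approved list are all constructed.

```python
"""Monitoring captured audit logs for two operations-security signals:
password guessing and privileged commands run by accounts outside the approved
sudoers list. Added example; the log lines below are constructed in auth.log style."""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 09:12:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 09:12:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar  3 09:12:05 host1 sshd[2205]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  3 09:12:07 host1 sshd[2207]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar  3 09:12:09 host1 sshd[2209]: Failed password for alice from 203.0.113.9 port 51026 ssh2
Mar  3 09:12:40 host1 sshd[2211]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 09:13:10 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:14:55 host1 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 09:15:00 host1 sshd[2230]: Accepted publickey for alice from 198.51.100.7 port 40011 ssh2
"""

# sshd reports both unknown and known accounts; the source address is what we count on.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# sudo records the invoking user, the target user and the exact command.
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def analyze(log_text, fail_threshold=5, approved_sudoers=frozenset({"alice", "bob"})):
    """Return a list of (rule, subject, detail) alerts for the given log text."""
    failures_by_source = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures_by_source[m.group(2)] += 1
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, command = m.group(1), m.group(2), m.group(3)
            if user not in approved_sudoers:
                alerts.append(("sudo_by_unapproved_user", user, f"as {target}: {command}"))
    for source, count in failures_by_source.items():
        if count >= fail_threshold:
            alerts.append(("password_guessing", source, f"{count} failed logins"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The sudo rule is the separation-of-duties check in its simplest form: the list of who may escalate is maintained outside the logs, and the logs are compared against it, so a privileged command by anyone not on the list stands out regardless of whether the command itself looks suspicious. In production the thresholds would be per time window and the approved list would come from the identity system rather than a constant.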

32. Operations Security…
Security operations and product evaluation:
• Operational assurance.
• Life cycle assurance.
Change management control:
• Request for change.
• Change approval.
• Change documentation.
• Change testing and presentation.
• Change implementation.
• Change reporting.
Media controls: media management "cradle to grave".
System controls: selected tasks can be performed only with "elevated access".
Trusted recovery: system reboots and restarts.
Input and output controls: garbage in, garbage out.

33. Operations Security – Quick Test
1. A systematic and procedural way of managing incidents is known as…
a. Configuration management
b. Incident management
c. Change management
d. System management
2. If an event could possibly violate information security, then such an event is known as…
a. Problem
b. Confidentiality breach
c. Incident
d. Integrity breach

34. Physical (Environmental) Security
Physical and environmental security encompasses a different set of threats, vulnerabilities and risks than the other types of security. Physical security mechanisms include site design and layout, environmental components, emergency response readiness, training, access control, intrusion detection, and power and fire protection. Physical security mechanisms protect people, data, equipment, systems, facilities and a long list of company assets.
Types of threats:
• Natural environment: floods, earthquakes, storms, etc.
• Supply system: power distribution outages, interruptions, etc.
• Man-made: unauthorized access, employee error and accidents, damage, etc.
• Politically motivated: strikes, riots, civil disobedience, etc.
Solutions are planned and designed for:
• Prevention
• Detection
• Suppression / response

36. Physical (Environmental) Security – Quick Test
1. Which of the following needs to be considered while designing controls for physical security?
a. Physical facility
b. Geographic location
c. Supporting facilities
d. All of the above
2. Evacuation procedures should primarily address…
a. Network
b. Furniture
c. People
d. Computers

37. Security Architecture and Design
Two fundamental concepts in computer and information security are the policy and the security model. The policy outlines how data is accessed, the level of security required and the actions to be taken when the requirements are not met; the security model is a statement that outlines the requirements necessary to properly support and implement the policy. The architecture defines how they are implemented.
Some basic security models:
• Bell-LaPadula [protects confidentiality]: a subject cannot read data at a higher security level (no read up), a subject cannot write data to a lower security level (no write down), and a subject with read and write capability can perform both at its own security level.
• Biba [protects integrity]: a subject cannot read data at a lower integrity level (no read down), a subject cannot write data to a higher integrity level (no write up), and a subject cannot invoke a subject at a higher integrity level.
• Clark-Wilson: subjects can only access objects through authorized programs, separation of duties is enforced and auditing is required.
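The three models above as executable rules, added here as an example and not taken from the slides. The label lattices, the access triples and the names are constructed; the Bell-LaPadula and Biba rules are the standard ones, and the combined `decide` function shows why a real system keeps confidentiality labels and integrity labels separate: if one label served both models, a subject could only ever read and write at exactly its own level.

```python
"""The read/write rules of Bell-LaPadula and Biba as executable checks, plus a
Clark-Wilson access triple. Added example; the labels and triples are constructed."""

# Confidentiality labels (Bell-LaPadula) and integrity labels (Biba) are separate
# lattices; every subject and object carries one of each.
CONFIDENTIALITY = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


def blp_can_read(subject, obj):
    """Simple security property: no read up."""
    return CONFIDENTIALITY[subject] >= CONFIDENTIALITY[obj]


def blp_can_write(subject, obj):
    """*-property: no write down (a secret-cleared process may not write a public file)."""
    return CONFIDENTIALITY[subject] <= CONFIDENTIALITY[obj]


def biba_can_read(subject, obj):
    """Simple integrity property: no read down (system code must not consume untrusted data)."""
    return INTEGRITY[subject] <= INTEGRITY[obj]


def biba_can_write(subject, obj):
    """*-integrity property: no write up (untrusted code may not modify system objects)."""
    return INTEGRITY[subject] >= INTEGRITY[obj]


def biba_can_invoke(caller, callee):
    """Invocation property: a subject may not invoke a subject of higher integrity."""
    return INTEGRITY[caller] >= INTEGRITY[callee]


# Clark-Wilson: constrained data items (CDIs) are reachable only through transformation
# procedures (TPs), and only by the roles authorized for that (role, TP, CDI) triple.
ACCESS_TRIPLES = frozenset({
    ("teller", "post_transaction", "ledger"),
    ("auditor", "reconcile", "ledger"),
})


def clark_wilson_allowed(user_role, program, cdi, triples=ACCESS_TRIPLES):
    """Separation of duties falls out of the triples: the teller who posts cannot reconcile."""
    return (user_role, program, cdi) in triples


def decide(subject_conf, subject_int, obj_conf, obj_int, op):
    """Combine both lattices: an operation is allowed only if every model allows it.
    `op` is "read" or "write"."""
    if op == "read":
        return blp_can_read(subject_conf, obj_conf) and biba_can_read(subject_int, obj_int)
    if op == "write":
        return blp_can_write(subject_conf, obj_conf) and biba_can_write(subject_int, obj_int)
    raise ValueError(op)


if __name__ == "__main__":
    # A secret-cleared, user-integrity analyst reading a public, system-integrity file: allowed.
    print(decide("secret", "user", "public", "system", "read"))      # True
    # The same analyst writing that file: blocked by BLP (write down) and Biba (write up).
    print(decide("secret", "user", "public", "system", "write"))     # False
    print(clark_wilson_allowed("teller", "reconcile", "ledger"))     # False
```

The asymmetry is the thing to remember for the quick test that follows: Bell-LaPadula lets information flow upward in confidentiality (read down, write up), Biba lets it flow downward in integrity (read up, write down), and Clark-Wilson does not use labels at all but a table of who may run which program against which data.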

38. Security Architecture and Design – Quick Test
1. A trusted computer system should have…
a. A well-defined security policy
b. Accountability
c. Assurance mechanisms
d. All of the above three
2. A security label is NOT…
a. A classification mechanism
b. A labeling of low, medium, high based on security
c. A computer model
d. Used for defining protection mechanisms

39. Telecommunications and Network Security
This domain deals with the security of voice and data communications through local area, wide area, and remote access networking: the electrical transmission of data among systems, whether analog, digital or wireless, and the devices, software and protocols involved.

40. Telecommunications and Network Security – Quick Test
1. A protocol is a…
a. Data encryption standard
b. Layered architecture
c. Communication standard
d. Data link
2. The Internet Protocol (IP) operates in the…
a. Physical layer
b. Network layer
c. Application layer
d. Communication layer

41. The three steps to Success
1. Think about security.
2. Do something (while still thinking about security).
3. Continue to think about security.
Security cannot be an afterthought. Do your best. Adopt good practices, or else trust in God!

42. 10 Essentials of Security
1. THINK before you click.
2. Protect passwords.
3. Know if your job requires higher security standards.
4. Register all computers and devices used for business.
5. Connect to networks safely.
6. Manage and store client and company data securely.
7. Back up and encrypt data wherever it is stored.
8. Keep your security settings and software up to date.
9. Manage your online privacy settings and THINK before sharing information.
10. Report security incidents immediately.

43. What to do for Security? (No more, no less)
• Make security a headline every day.
• Manage people tactfully, totally, thoughtfully, talkatively, taskfully and thankfully, with respect to trust, time and technology.
• Communicate, follow up, document, and update.
• Lead by example.
• Expect the unexpected.
• Respond promptly but thoughtfully. Avoid knee-jerk reactions.
• Delegate, but empower and support.

44. Resources:
• National Institute of Standards and Technology (NIST) – https://www.nist.gov/
• http://www.sourcesecurity.com/
• National Vulnerability Database – http://web.nvd.nist.gov/view/vuln/search
• Department of Electronics and Information Technology – http://deity.gov.in/
• Latest IT news and articles – http://www.informationweek.in/home.aspx
• IT security experts, (ISC)2 – https://www.isc2.org/
• Information Systems Audit and Control Association (ISACA) – http://www.isaca.org/about-isaca/Pages/default.aspx
• US-CERT – https://www.us-cert.gov/about-us
• Center for Internet Security – https://www.cisecurity.org/

45. Homework
ISF Threat Horizon Report 2019–2021: recommended reading at your leisure (ISF_Threat Horizon 2021_Report.pdf).

46. Summary
• Why security is important and what the sources of compromise are.
• Four virtues and nine rules of security.
• What information security is; CIA and BIA.
• Common security definitions and terms. 10 security domains by (ISC)2.
• 3 steps to success in security.
• What to do for security.

47. THANK YOU for Watching Securely!