This document provides an overview and introduction to a presentation on balancing risk and security from a legal perspective. It discusses using a "defense in depth" approach to security, the hierarchy of adherence to rules from natural laws to individual habits, and the importance of having legal, security, audit, and HR teams work together to effectively address security and compliance issues. The presentation aims to discuss business concepts in a non-technical manner and promote asking questions.
This is a presentation discussing recommendations for a secure connection between a remote data center and a primary data center; taking into account user connectivity and end-user security awareness training.
Defense in Depth - Lessons Learned from Securing over 100,000 Drupal Sites - Pantheon
Heartbleed, Shell Shock, POODLE, Drupalgeddon and Ghost. How is it possible to secure my website in the face of the hackzor onslaught?
Every bit of software in your stack composes compromisable surface area, so you have to think about security from the OS to the JS, and beyond. When securing your website, you need to think breadth as well as depth; there’s no use in having 3 deadbolts, a pit bull, and a portcullis on your front door while leaving your porch door unlocked.
We’ll start at the 10,000’ level, reviewing the risks and drivers of website security, then zoom in for a birds-eye view of security best practices, and finally deep-dive on a few of the most effective attack mitigation strategies.
Topics we will cover:
- What security means for your business: compliance and risk management
- The security triad: Confidentiality, Integrity, and Availability
- OWASP Top 10
- Evaluating hosting options based on security
- Securing your operating system
- Configuring Nginx and Apache for security
- Understanding ‘contrib’ module security
- Configuring Drupal for Security
- How to address DOS with a CDN (a battle of 3 letter acronyms)
- Data encryption
- Key Management (Don’t tape your key to the front door)
- PII - What is it and why does it matter?
- Securing your users: Password security and best practices
- Real world scenarios
Watch the session video: https://www.youtube.com/watch?v=KtdY5eSEfAk
Cyber security training for Non-IT Staff - Rajneesh G
Cyberspace is constantly evolving and presenting organizations with new opportunities, as the desire of businesses to quickly adopt new technologies, such as using the Internet to open new channels and adopting cloud services, provides vast opportunity. But it also brings unanticipated risks and inadvertent consequences that can have a potentially negative impact.
Tesseract is committed to solving the cyber security challenges for businesses that seek to enhance their technologies and employees to protect against advanced threats.
Enterprises face a wide range of threats across their information infrastructure. In order to protect critical systems and information, a comprehensive security approach is necessary. A single layer of defense cannot be considered adequate. Although no system can be considered absolutely secure, a multi-tiered security approach can effectively reduce the overall risk an organization must face.
In this webinar, Tom will illustrate an effective security approach through the image of a castle. He will review many of the different defenses that can be deployed in unison to better secure a network from a range of threats. Tom will also provide examples of improvements that can be made leveraging existing controls to provide an overall increase in organizational security.
Cyber Security 101: Training, awareness, strategies for small to medium sized... - Stephen Cobb
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
Cyber Security - The New Threats to Internal Controls - DecosimoCPAs
Fraud specialist and published author Pamela Mantone presented "Cyber Security - The New Threats to Internal Controls" at the 2013 Decosimo Accounting Forum hosted by the University of North Alabama on July 19.
Brain Hacking: Using behavioural economics and consumer psychology to improve... - David Greenwood
Security is a feeling, based not solely on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures. You might feel that you're at high risk of burglary, medium risk of murder, and low risk of identity theft. And your neighbour, in the exact same situation, might feel that he's at high risk of identity theft, medium risk of burglary, and low risk of murder.
You can be secure even though you don't feel secure. And you can feel secure even though you're not. Learn why we’re predictably irrational, and how you can use this newfound knowledge to nudge consumers to make better cybersecurity decisions.
Presented at BSides Belfast, 7th September 2017.
https://www.youtube.com/watch?v=uHpXt-PItdk&feature=youtu.be&t=1s
This is the PPT I gave in Charlotte. Many people have asked me for it. I do hope the videos uploaded also. If not, I will try to re-do those. Warning: this presentation uses copyright-protected materials used under the Multimedia guidelines and fair use exemptions of U.S. Copyright law. Further use is prohibited.
Researchers, Discovery and the Internet: What Next? - David Smith
A Web 2.0 issues and implications overview I put together for the Research Information Network as part of their workshop on researchers and discovery services.
http://www.rin.ac.uk/discovery-services-workshop
The art of seduction: looking at how behavioural psychology can influence the perception of information security, and how Cialdini's principles of influence are used in phishing attacks and viral marketing.
1. Risk v Security; Defense in Depth; and the Hierarchy of Adherence to Rules.
An InfoSec Guide to the Care and Feeding of your Legal Team
ISSA CISO Forum
January 30, 2015
Phillip Mahan, CISSP, CIPM, CISA, CIPP/US
(c) 2013 Binary Bodyguards, Inc.
2. Before we begin...
It’s best knowing what you are getting yourself into when you sit down for a presentation.
This is a Non-Technical Presentation. Today we’ll deal with Business concepts and not Technical data.
This is a Right-Brained leaning presentation. This is more Concept than Concrete, although we have both.
3. January 30
1649: King Charles I of England is beheaded.
1790: The first boat specialized as a Lifeboat is tested on the river Tyne.
1982: Richard Skrenta wrote the first PC virus code, 400 lines long and disguised as an Apple Boot Loader, named “Elk Cloner”.
Birthdays
1935: Douglas Engelbart - Inventor of the Mouse
1951: Phil Collins - Singer / Drummer
1974: Christian Bale - Batman
4. Standard Disclaimer
The instructor(s) may or may not be a lawyer, and even if they were, they are not YOUR lawyer. Nothing that is said should be considered legal advice or opinion. The information presented herein represents the instructor’s personal opinion and current understanding of the issues involved. Neither the instructor(s) nor their respective organizations assume any responsibility or liability for damages arising out of any reliance on or use of this information.
If you are viewing this presentation from a distribution rather than actually being there, some of the slides may not make any sense out of context. If you have questions, please contact the instructor(s) at the address provided on the contact slide.
5. The importance of Words
“The difference between the right word, and almost the right word, is the difference between LIGHTNING and a lightning bug.” - Mark Twain
“Should” vs “Shall” in Policy:
‘Shall’ has consequences if violated.
‘Should’ is a recommendation.
Let’s eat, Grandpa. I’m hungry!
OR
Let’s eat Grandpa. I’m hungry!
Commas: saving lives since the 1300s.
“You should see Lord of the Rings!” - Your favorite Nerdy friend
“You shall not PASS!!” - Gandalf to the Balrog before knocking it into the depths
6. Songs you can’t get out of your head
Unwritten Rules: The Laws of Nature; Individual Habits; Team “Procedures”.
The spoken word travels at the speed of sound. Sound waves fade. If it is heard and understood, sounds remain in our mind with ‘echoic memory’.
If you have ever had a song stuck in your head, you know about ‘echoic loops’.
7. Let me look that up for you...
Written Rules: Laws of Man; Corporate Policies; Department Standards.
The Written word endures for as long as people read it. It also makes better reference material than the spoken word.
‘Iconic memory’ is not as strong, but has a better shelf life if you can convince people to read the manual. You also need to be able to prove that it has been read.
8. Risk Vs Security
Some words are NOT interchangeable, but the masses love to try to make them so.
Security conjures images of Guards in uniform, Blankets, and people with Guns. Most people are uncomfortable with Security on a visceral level.
Risk can be avoided; it brings images of some modicum of control over one’s circumstances. A Risk Appetite can be quantified, where Security is more nebulous for most.
9. Hierarchy of Adherence to Rules
The Laws of Nature
The Laws of Man
Corporate Policies
Department Standards
Team Procedures
Individual Habits
The Laws of Nature are inviolate; all others are subject to the individual and their own personal codes. You can also count on a person’s Habits.
10. Looking at Defense in Depth
The Data is the key to the kingdom.
Know how long to keep the Data.
An unenforced policy is a suggestion.
Privacy Laws vary and need to be considered.
If a Control can’t be proved, it doesn’t exist.
Confidentiality, Integrity, Accessibility.
Know who has access to your Assets.
Know the Value of the data being protected.
7 lenses for your data. (Plus the Data.)
11. Guten Tag
We all need to try and speak the same language.
здравствуйте
Hello
Bonjour
Ciao
Source: Monty Python and the Holy Grail
Remember: Not everyone speaks “Security”.
13. Putting it all together
The opposite of Love is not Hate. It is Apathy. Make sure you are loved, or hated, so you can show examples of what to do, and what not to do.
Legal, Security, Audit, and HR make up your 4 Horsemen of the Apocalypse and should be able to truly make a difference.
14. Questions?
Curiosity is Good. Don’t be afraid to ask questions.
Thank you for your time this morning!!
Contact me after the presentation at pmahan.presentation@gmail.com or on twitter @Mahan_Presents
15. References
“Privacy in the Information Age - Revised Edition” - Harry Henderson
“IT Governance Policies & Procedures 2013 Edition” - Michael Wallace and Larry Webber
“Da Vinci and the 40 Answers: A Playbook for Creativity and Fresh Ideas” - Mark L. Fox (a guide to the TRIZ methodology for Problem Solving and Creativity)
“Thought Particles: Building Blocks of Perceptual Reality / Binary Code of the Mind” - Roy H. Williams (an audio book that gives information on Particle Stack and Particle Conflict; very useful for presentations)
“Practical Guide to Computer Forensics” - David Benton & Frank Grindstaff
“Foundations of Information Privacy and Data Protection” - Peter P. Swire CIPP/US and Kenesa Ahmad CIPP/US
The “Owly” series of books - Andy Runton (this series doesn’t have anything to do with the presentation, but I wanted to put in a plug for a friend; these are books that children love)
“Welcome to Your Brain: Why You Lose Your Car Keys but Never Forget How to Drive and Other Puzzles of Everyday Life” - Sandra Aamodt, Ph.D. and Sam Wang, Ph.D.
“On the Origin of Stories: Evolution, Cognition, and Fiction” - Brian Boyd
“Pendulum” - Michael Drew & Roy H. Williams (an explanation of research that has shown a 40-year cycle where Humanity goes from “Me” to “We”, and the implications on Communications and Marketing)