IT SECURITY & RISK
Fundamental Concepts
TANUJ PANDEY
Security Fundamentals
(Confidentiality/Integrity/Availability):
Fig 1: CIA Triad
• Confidentiality is a set of rules that limits access to information, i.e. it prevents data from being accessed by unauthorized parties.
E.g. credentials, credit card details, or any PII (personally identifiable information).
• Integrity is the assurance that the information is trustworthy and accurate, i.e. the data received by any receiver is accurate and valid, without any modification or tampering.
• Availability is a guarantee of reliable access to the information by authorized people. When any
Authorized
Impact of loss of CIA:
There are three rating levels for measuring the impact of a loss of CIA that an organization can face:
(I) Low (rating of 1): Limited adverse effect on organizational operations, assets, or individuals.
(II) Medium (rating of 2): Serious adverse effect on organizational operations, assets, or individuals.
(III) High (rating of 3): Severe or catastrophic adverse effect on organizational operations, assets, or individuals.
AAA (Authentication, Authorization, Accountability):
• Authentication provides access control for systems by checking whether a user's credentials match the credentials held in a database of authorized users or on an authentication server.
• Authentication is important because it enables an organization to keep its networks secure by permitting only authenticated users.
• Authentication is used to protect computer systems, networks, databases, websites & other network-based applications or services.
• Authorization is the process of giving someone permission to do something.
• In a multi-user computer system, a system administrator defines which users are allowed access to the system & what privileges of use they have (such as access to directories, hours of access, amount of allocated space, and so forth).
• Accountability is the assurance that an individual or an organization will be evaluated on their performance in the areas for which they are responsible.
• Accountability and transparency are generally considered the two main pillars of good corporate governance.
Risk:
• A risk, in terms of Information Technology, arises because information has long been recognized as a valuable & important asset: if there is any possibility of a security breach against that asset, the business can face a broad impact.
• To calculate the risk: Risk=Loss*Impact.
• Types of Risk:
• Qualitative Risk: A qualitative risk analysis prioritizes the identified project risks using a pre-defined rating scale. Risks are scored based on their probability or likelihood of occurring and their impact on project objectives should they occur.
• Quantitative Risk: A quantitative risk analysis is a further analysis of the highest-priority risks, during which a numerical or quantitative rating is assigned in order to develop a probabilistic analysis of the project.
Risk Analysis:
• Risk analysis is performed as a part of an IT risk assessment & involves identifying risks and threats & determining how to manage them.
• In the risk analysis we focus on:
*Issue
*Consequences
*Likelihood
*Impact level
*Risk level
*Mitigation Strategy
*Status
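As an added example (not from the original slides), the risk analysis worksheet listed above and the qualitative scoring of the Risk section in code: each row carries the listed fields, the impact level is derived from the slide's Low/Medium/High = 1/2/3 loss-of-CIA ratings, and the risk level follows the slide's Risk = Loss * Impact with the loss factor taken as a 1..3 likelihood rating. The likelihood scale, the band thresholds and the sample register entries are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Rating scale taken from the slide's "Impact of loss of CIA": Low=1, Medium=2, High=3.
IMPACT_RATING = {"Low": 1, "Medium": 2, "High": 3}
# The slide gives no scale for likelihood; a matching 1..3 scale is assumed here.
LIKELIHOOD_RATING = {"Unlikely": 1, "Possible": 2, "Likely": 3}


@dataclass
class Risk:
    """One row of the risk analysis worksheet: the fields the slide lists."""
    issue: str
    consequences: str
    likelihood: str                 # Unlikely / Possible / Likely
    loss_of: dict                   # CIA component -> Low / Medium / High
    mitigation_strategy: str
    status: str = "Open"            # Open / In progress / Mitigated

    def impact_level(self) -> int:
        # The worst affected CIA component sets the impact rating (assumption).
        return max(IMPACT_RATING[level] for level in self.loss_of.values())

    def risk_level(self) -> int:
        # Slide: Risk = Loss * Impact. The loss factor is taken as the
        # likelihood rating (assumption), giving a score from 1 to 9.
        return LIKELIHOOD_RATING[self.likelihood] * self.impact_level()

    def risk_band(self) -> str:
        # Band thresholds on the 1..9 score are an assumption for this example.
        score = self.risk_level()
        return "High" if score >= 6 else "Medium" if score >= 3 else "Low"


def prioritize(register: list) -> list:
    """Qualitative analysis: rank risks by score, so the top ones receive the
    further quantitative treatment the slide describes."""
    return sorted(register, key=lambda r: (r.risk_level(), r.impact_level()),
                  reverse=True)


def open_high_risks(register: list) -> list:
    """Risks that still need action: High band and not yet mitigated."""
    return [r for r in register
            if r.risk_band() == "High" and r.status != "Mitigated"]


# Constructed sample register; the issues and ratings are made up.
REGISTER = [
    Risk("Internet-facing web server missing vendor patches",
         "Customer records exposed, site defaced",
         "Likely", {"Confidentiality": "High", "Integrity": "Medium",
                    "Availability": "Medium"},
         "Preventive: patch cycle and vulnerability scanning"),
    Risk("Shared administrator password",
         "Actions cannot be attributed to a person",
         "Possible", {"Confidentiality": "High", "Availability": "Low"},
         "Preventive: individual accounts with strong authentication",
         status="Mitigated"),
    Risk("Backup tapes stored in an unlocked cabinet",
         "Old data read by an unauthorized visitor",
         "Unlikely", {"Confidentiality": "Medium"},
         "Preventive: locked storage with access logging"),
    Risk("Single power feed to the server room",
         "Services unavailable during an outage",
         "Possible", {"Availability": "High"},
         "Recovery: UPS and generator, tested failover"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.risk_level():>2} {r.risk_band():<6} {r.status:<9} {r.issue}")
```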
Risk Assessment:
• An IT risk assessment tells you about the state of security of your IT infrastructure; it can facilitate decision making on your organizational security strategy.
• Purpose Of Risk Assessment:
(I) Identify threats & vulnerabilities.
(II) Enhance enterprise-wide security.
(III) Justify security investments.
(IV) Risk mitigation:
1. Preventive
2. Mitigation
3. Recovery
Fig 1.1: Risk
Risk Management:
• There are four phases of risk management:
(I) Plan: Make plans for potential risks & vulnerabilities.
(II) Assess: Identify a risk and decide on an appropriate action regarding it.
(III) Handle: Once a risk has been assessed, we mitigate it in this phase.
(IV) Monitor & Report: Check on a regular basis to get the current status of security.
Fig 1.2: Risk Management
Basic Principles Of IT Security:
• Principle 1. There is no such thing as absolute security.
• Principle 2. The three security goals are Confidentiality, Integrity and Availability.
• Principle 3. Defense in depth as a strategy (protect, detect & record).
• Principle 4. When left on their own, people tend to make the worst decisions (e.g. sharing credentials in exchange for worthless goods).
• Principle 5. Computer security depends on two types of requirements: functional (what a system should do) & assurance (how the functional requirements should be implemented & tested).
• Principle 6. Security through obscurity is not an answer (do not depend on only one mechanism).
• Principle 7. Security = Risk Management (what is the likelihood that this loss will occur?).
• Principle 8. The three types of controls (layers of protection) are: (i) Preventive (ii) Detective (iii) Corrective (Responsive).
• Principle 9. Complexity is the enemy of security (the security mechanism must be known to the authorized user).
• Principle 10. Fear, uncertainty and doubt do not work in selling security (information security managers must justify all investments in security using techniques).
• Principle 11. People, process and technology are all needed to adequately secure a system or facility (a series of countermeasures & controls).
• Principle 12. Open disclosure of vulnerabilities is good for security.
Controls:
Security controls are safeguards or countermeasures to avoid, detect, or minimize security risks to physical/logical property, information, computer systems or other assets.
Types of Controls:
(I): Preventive: Preventive controls are designed to keep errors and irregularities from occurring in the first place.
(II): Detective: Detective controls are designed to detect errors or irregularities that may have occurred.
(III): Corrective (Responsive): Corrective controls are designed to correct errors or irregularities that have been
detected.
Various Controls which can be used to prevent security breaches:
*Firewalls
*IDS (Intrusion Detection System)
*Biometric Access
*Encryption
*CCTV (Closed Circuit Television)
*Strong Authentication
*Motion Sensors
*Security Guards
Access Control:
• Access control is a way of limiting access to a system or to physical/logical resources.
• Access control is the process by which users are granted access & certain privileges to system resources or information.
• Access control is a fundamental concept in IT security which minimizes risk in an organization.
• Access controls are of two types:
(I) Physical access: limits access to physical IT assets. E.g. guards/CCTV at the main server room.
(II) Logical access: limits access to computer networks, system files & data. E.g. credentials, validation, authorization, and accountability should be defined for each user separately.
Fig 1.3:Access Control
Threat/ Threat Agents:
• A threat is a possible danger that might exploit a vulnerability to breach security & therefore cause possible harm.
• A threat can be intentional (e.g. hacking of an individual or organization), accidental (e.g. the possibility of a computer malfunctioning) or a natural disaster.
• Identifying the threat agent is fundamental: who would want to exploit the assets of a company, and how might they use them against the company?
• Threat agents can take one or more of the following actions against an asset:
• Access: simple unauthorized access.
• Misuse: unauthorized use of assets.
• Disclose: disclosure of any sensitive information.
• Modify: unauthorized change to an asset.
• Deny access: includes destruction or theft of a non-data asset.
Exploit/Vulnerability:
• An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of
a bug or vulnerability to cause unintended or unanticipated behaviour to occur on computer software,
hardware, or something electronic.
• Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to
attack.
• A vulnerability may also refer to any type of weakness in a computer system itself, in a set of
procedures, or in anything that leaves information security exposed to a threat.
Cryptography:
• Cryptography is a method of protecting information and communications.
• Cryptography is most often associated with scrambling plaintext (ordinary text, sometimes referred to as cleartext) into ciphertext (a process called encryption), then back again (known as decryption).
• Cryptography has two kinds of encryption algorithm:
1. Symmetric key: uses only one key, for both encryption and decryption.
2. Asymmetric key: uses two different keys, one for encryption & the other for decryption.
• Cryptography has four objectives:
(I) Confidentiality
(II) Integrity
(III) Non-repudiation
(IV) Authentication

More Related Content

What's hot

Computing safety
Computing safetyComputing safety
Computing safety
titoferrus
 
Bis Chapter15
Bis Chapter15Bis Chapter15
Bis Chapter15
Chun Hoi Lam
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
KATHEESKUMAR S
 
Ch1 cse
Ch1 cseCh1 cse
Ch1 cse
bhaskard8
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review Course
Desmond Devendran
 
Information security
Information securityInformation security
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
Hamed Moghaddam
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
7wounders
 
Information Security
Information SecurityInformation Security
Information Security
chenpingling
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Kumawat Dharmpal
 
Information security management
Information security managementInformation security management
Information security management
UMaine
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
Nicholas Davis
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Dhani Ahmad
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information system
Online
 
Keamanan informasi
Keamanan informasiKeamanan informasi
Keamanan informasi
Nova Novelia
 
CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1
Hamed Moghaddam
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information Security
SARJERAO Sarju
 
Cervone uof t - nist framework (1)
Cervone   uof t - nist framework (1)Cervone   uof t - nist framework (1)
Cervone uof t - nist framework (1)
Stephen Abram
 
Management Information Systems
Management Information SystemsManagement Information Systems
Management Information Systems
msd11
 

What's hot (19)

Computing safety
Computing safetyComputing safety
Computing safety
 
Bis Chapter15
Bis Chapter15Bis Chapter15
Bis Chapter15
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Ch1 cse
Ch1 cseCh1 cse
Ch1 cse
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review Course
 
Information security
Information securityInformation security
Information security
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
 
Information Security
Information SecurityInformation Security
Information Security
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Information security management
Information security managementInformation security management
Information security management
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information system
 
Keamanan informasi
Keamanan informasiKeamanan informasi
Keamanan informasi
 
CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information Security
 
Cervone uof t - nist framework (1)
Cervone   uof t - nist framework (1)Cervone   uof t - nist framework (1)
Cervone uof t - nist framework (1)
 
Management Information Systems
Management Information SystemsManagement Information Systems
Management Information Systems
 

Similar to IT Security & Risk

PPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptx
PiBits
 
Unit 1.pptx
Unit 1.pptxUnit 1.pptx
Unit 1.pptx
MsVaishaliKumar
 
Introduction to Ethical Hacking
Introduction to Ethical HackingIntroduction to Ethical Hacking
Introduction to Ethical Hacking
UK Defence Cyber School
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
Mohan Jadhav
 
Lecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.pptLecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.ppt
shahadd2021
 
I0516064
I0516064I0516064
I0516064
IOSR Journals
 
Information Security Bachelor in Information technology unit 1
Information Security Bachelor in Information technology unit 1Information Security Bachelor in Information technology unit 1
Information Security Bachelor in Information technology unit 1
ssuserf35ac9
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
dotco
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
Technocracy2
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
Alan Holyoke
 
Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.
Aksum Institute of Technology(AIT, @Letsgo)
 
Introduction to Computer Security
Introduction to Computer SecurityIntroduction to Computer Security
Introduction to Computer Security
Kamal Acharya
 
Information Security
Information Security Information Security
Information Security
Alok Katiyar
 
Information security background
Information security backgroundInformation security background
Information security background
Nicholas Davis
 
Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptx
TikdiPatel
 
Computer security ppt for computer science student.pptx
Computer security ppt for computer science student.pptxComputer security ppt for computer science student.pptx
Computer security ppt for computer science student.pptx
dagiabebe267
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptx
cejobelle
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Knoldus Inc.
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
Ndheh
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)
Zara Nawaz
 

Similar to IT Security & Risk (20)

PPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptxPPT0-Computer Security Concepts.pptx
PPT0-Computer Security Concepts.pptx
 
Unit 1.pptx
Unit 1.pptxUnit 1.pptx
Unit 1.pptx
 
Introduction to Ethical Hacking
Introduction to Ethical HackingIntroduction to Ethical Hacking
Introduction to Ethical Hacking
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
Lecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.pptLecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.ppt
 
I0516064
I0516064I0516064
I0516064
 
Information Security Bachelor in Information technology unit 1
Information Security Bachelor in Information technology unit 1Information Security Bachelor in Information technology unit 1
Information Security Bachelor in Information technology unit 1
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.
 
Introduction to Computer Security
Introduction to Computer SecurityIntroduction to Computer Security
Introduction to Computer Security
 
Information Security
Information Security Information Security
Information Security
 
Information security background
Information security backgroundInformation security background
Information security background
 
Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptx
 
Computer security ppt for computer science student.pptx
Computer security ppt for computer science student.pptxComputer security ppt for computer science student.pptx
Computer security ppt for computer science student.pptx
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptx
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)
 

Recently uploaded

PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
Vadym Kazulkin
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 

Recently uploaded (20)

PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 

IT Security & Risk

  • 1. IT SECURITY & RISK Fundamental Concepts TANUJ PANDEY
  • 2. Security Fundamentals (Confidentiality/Integrity/Availability): Fig 1: CIA Triad • Confidentiality is a set of rules that limits access to information i.e. prevent any data from unauthorized access. E.g. Credentials, Credit card details, or any PII (Personal identifiable information).
  • 3. Integrity is the assurance that the information is trustworthy and accurate i.e. data is received by any receiver is accurate or valid without any modification or tampering. Availability is a guarantee of reliable access to the information by authorized people. When any Authorized Impact of loss of CIA: There are level of ratings for measuring impact of loss of CIA that can be faced by any organization: (I):Low(Rating of 1): Limited adverse effect on organizational operation assets, or individuals. (II)Medium(Rating of 2): Serious adverse effect on organizational operation assets, or individuals. (III):High(Rating of 3) Severe or catastrophic adverse effect on organizational operation assets, or individuals.
  • 4. AAA(Authentication, Authorization, Accountability): • Authentication provides access controls for systems by checking too see if a user’s credential matches with credentials in a database of authorized or in a data authentication server. • Authentication is important because it enables organization to keep their networks secure by permitting only authenticated users. • Authentication used to protect any computer Systems, Networks, Databases, Websites & Other Network based application or services.
  • 5. • Authorization is a process of giving someone permission to do something. • In multi users computer system a system administrator defines for system which user are allowed access to system & what privileges of use (such as access to directories, hours of access, amount of allocated space, and so forth. • Accountability is an insurance that an individual or an organization will be evaluated on their performance for which they are responsible. • Accountability and transparency are generally considered the two main pillars of good corporate governance.
• 6. Risk:
• In Information Technology, information has long been recognised as a valuable and important asset. A risk is the possibility of a security breach against that asset which would have a broad impact on the business.
• To calculate a risk: Risk = Likelihood × Impact (how likely the loss is to occur, multiplied by how bad it would be if it did).
• Types of risk analysis:
• Qualitative risk analysis prioritizes the identified risks using a pre-defined rating scale. Each risk is scored on its probability or likelihood of occurring and on the impact on project objectives should it occur.
• Quantitative risk analysis is a further analysis of the highest-priority risks, during which a numerical or quantitative rating is assigned in order to develop a probabilistic analysis of the project.
• 7. Risk Analysis:
• Risk analysis is performed as part of an IT risk assessment and involves identifying risks and threats and determining how to manage them.
• In a risk analysis we record, for each risk: *Issue *Consequences *Likelihood *Impact level *Risk level *Mitigation strategy *Status
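The two slides above describe a qualitative scoring scheme but never show one being applied. The following is an added example (not part of the original deck): a small risk register in Python that uses the deck's own 1/2/3 scale for likelihood and for impact, computes Risk = Likelihood × Impact, and keeps the analysis fields the slide lists (issue, consequences, likelihood, impact, risk level, mitigation strategy, status). The Low/Medium/High bands for the 3×3 matrix, the helper names, and the register entries are all constructed for illustration and are not real findings.

```python
"""Qualitative risk register (added example; bands, names and data are assumptions)."""
from dataclasses import dataclass

# Rating scale from the slides: 1 = Low, 2 = Medium, 3 = High.
RATING = {1: "Low", 2: "Medium", 3: "High"}


@dataclass
class Risk:
    issue: str
    consequences: str
    likelihood: int        # 1..3 (how likely the loss is to occur)
    impact: int            # 1..3 (impact of the loss of C, I or A, per slide 3)
    mitigation: str = ""   # mitigation strategy
    status: str = "Open"   # Open / In progress / Closed

    def __post_init__(self):
        # Reject ratings outside the scale early; a typo here silently skews priorities.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in RATING:
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    @property
    def level(self) -> int:
        """Risk level = Likelihood x Impact, so 1..9 on this scale."""
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        # Assumed bands for the 3x3 matrix: 1-2 Low, 3-4 Medium, 6-9 High.
        if self.level >= 6:
            return "High"
        if self.level >= 3:
            return "Medium"
        return "Low"


def prioritize(register):
    """Highest risk level first; ties broken by impact, then by issue name."""
    return sorted(register, key=lambda r: (-r.level, -r.impact, r.issue))


def open_high_risks(register):
    """What the security manager should be asked about first."""
    return [r for r in prioritize(register) if r.band == "High" and r.status == "Open"]


# Constructed sample register for the example (illustrative, not real findings).
SAMPLE_REGISTER = [
    Risk("Unpatched VPN appliance", "Remote compromise of the perimeter", 3, 3,
         "Apply vendor patch; restrict the admin interface", "Open"),
    Risk("No off-site backups", "Data loss after ransomware", 2, 3,
         "Nightly encrypted off-site backup", "In progress"),
    Risk("Shared admin password", "Untraceable privileged actions", 3, 2,
         "Per-user accounts with MFA", "Open"),
    Risk("Lobby CCTV offline", "Physical intrusion goes undetected", 1, 1,
         "Replace camera", "Closed"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.level}  {r.band:6}  {r.status:12}  {r.issue}  ->  {r.mitigation}")
```

Two risks score the same level (6) but for different reasons: a likely, moderate loss versus an unlikely, severe one. Sorting on impact as the tie-breaker is one choice; a different organization may prefer to surface the more likely event first, and the sort key is the only thing that needs changing.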
• 8. Risk Assessment:
• An IT risk assessment tells you the state of security of your IT infrastructure and so facilitates decision making on your organization's security strategy.
• Purpose of a risk assessment: (I) Identify threats and vulnerabilities. (II) Enhance enterprise-wide security. (III) Justify security investments. (IV) Risk mitigation: 1. Preventive 2. Mitigation 3. Recovery. Fig 1.1: Risk
• 9. Risk Management:
• There are four phases of risk management: (I) Plan: make plans for potential risks and vulnerabilities. (II) Assess: identify each risk and decide on the appropriate action for it. (III) Handle: once a risk has been assessed, mitigate it in this phase. (IV) Monitor & Report: check on a regular basis to get the current status of security. Fig 1.2: Risk Management
• 10. Basic Principles of IT Security:
• Principle 1. There is no such thing as absolute security.
• Principle 2. The three security goals are Confidentiality, Integrity and Availability.
• Principle 3. Defense in depth as a strategy (layers that protect, detect and record).
• Principle 4. When left on their own, people tend to make the worst security decisions (e.g. sharing credentials in exchange for worthless goods).
• Principle 5. Computer security depends on two types of requirements: Functional (what a system should do) and Assurance (how the functional requirements are implemented and tested).
• Principle 6. Security through obscurity is not an answer (do not depend on the secrecy of a mechanism, or on any single mechanism).
• Principle 7. Security = Risk Management (what is the likelihood that this loss will occur, and what would it cost?).
• Principle 8. The three types of controls are (layers of protection): (i) Preventive (ii) Detective (iii) Corrective (Responsive).
• Principle 9. Complexity is the enemy of security (a mechanism that its authorized users and reviewers cannot understand cannot be verified).
• Principle 10. Fear, uncertainty and doubt do not work in selling security (information security managers must justify every investment in security using risk management techniques).
• Principle 11. People, process and technology are all needed to adequately secure a system or facility (a series of countermeasures and controls).
• Principle 12. Open disclosure of vulnerabilities is good for security.
• 11. Controls: Security controls are safeguards or countermeasures used to avoid, detect or minimize security risks to physical or logical property, information, computer systems or other assets.
Types of controls: (I) Preventive: preventive controls are designed to keep errors and irregularities from occurring in the first place. (II) Detective: detective controls are designed to detect errors or irregularities that have occurred. (III) Corrective (Responsive): corrective controls are designed to correct errors or irregularities that have been detected.
Various controls that can be used to prevent or detect security breaches: *Firewalls *IDS (Intrusion Detection System) *Biometric access *Encryption *CCTV (Closed Circuit Television) *Strong authentication *Motion sensors *Security guards
• 12. Access Control:
• Access control is a way of limiting access to a system or to physical/logical resources.
• Access control is the process by which users are granted access, and specific privileges, to system resources or information.
• Access control is a fundamental concept in IT security which minimizes risk in an organization.
• There are two types of access control: (I) Physical access control limits access to physical IT assets, e.g. guards or CCTV at the main server room. (II) Logical access control limits access to computer networks, system files and data; credentials, validation, authorization and accountability should be defined for each user separately. Fig 1.3: Access Control
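Slides 4, 5 and 12 describe authentication (matching a presented credential against a stored one), authorization (per-user privileges such as directories, hours of access and allocated space) and accountability, but show no concrete flow. The following added example, written for this page and not taken from the deck, wires the three together for logical access control: passwords are stored as salted PBKDF2 hashes and compared in constant time, a per-user policy decides each request, and every decision is written to an audit trail so that a given action can be tied to a given user. The user names, passwords, directories, policy and helper names are all constructed assumptions for the example; a real system would keep the policy and audit log outside the process.

```python
"""AAA for logical access control (added example; users, policy and names are assumed)."""
import datetime as dt
import hashlib
import hmac
import os
import posixpath

PBKDF2_ROUNDS = 100_000   # illustrative; tune to your hardware


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return (salt, digest). The plaintext password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


USERS = {}   # authentication database: username -> (salt, digest)


def add_user(name, password):
    USERS[name] = hash_password(password)


def authenticate(name, password):
    """Does the presented credential match the stored one for this user?"""
    record = USERS.get(name)
    if record is None:
        hash_password(password)   # burn the same time as a real lookup: no user enumeration by timing
        return False
    salt, expected = record
    _, presented = hash_password(password, salt)
    return hmac.compare_digest(presented, expected)   # constant-time comparison


# Authorization policy: the privileges slide 5 lists, defined per user (assumed values).
POLICY = {
    "alice": {"dirs": {"/data/finance"}, "hours": (9, 18), "quota_mb": 500},
    "bob":   {"dirs": {"/data/public"},  "hours": (0, 24), "quota_mb": 50},
}


def authorize(name, path, hour, size_mb):
    """Return (allowed, reason) for one request under the user's policy."""
    policy = POLICY.get(name)
    if policy is None:
        return False, "no policy for user"
    path = posixpath.normpath(path)   # collapse '..' so /data/finance/../secret is judged as /data/secret
    if not any(path == d or path.startswith(d + "/") for d in policy["dirs"]):
        return False, "directory not allowed"
    start, end = policy["hours"]
    if not start <= hour < end:
        return False, "outside access hours"
    if size_mb > policy["quota_mb"]:
        return False, "quota exceeded"
    return True, "ok"


AUDIT = []   # accountability: who asked for what, when, and what was decided


def record(event, name, detail, outcome):
    AUDIT.append({"ts": dt.datetime.now(dt.timezone.utc).isoformat(),
                  "event": event, "user": name, "detail": detail, "outcome": outcome})


def request_access(name, password, path, hour, size_mb):
    """Full AAA flow for one access request; returns True only if both checks pass."""
    if not authenticate(name, password):
        record("authn", name, path, "denied")
        return False
    record("authn", name, path, "ok")
    allowed, why = authorize(name, path, hour, size_mb)
    record("authz", name, f"{path} {size_mb}MB at {hour:02d}:00", "ok" if allowed else f"denied: {why}")
    return allowed


# Constructed sample accounts for the example.
add_user("alice", "correct horse battery staple")
add_user("bob", "hunter2")

if __name__ == "__main__":
    print(request_access("alice", "correct horse battery staple", "/data/finance/q3.xlsx", 10, 5))
    print(request_access("alice", "correct horse battery staple", "/data/finance/../secret", 10, 5))
    for entry in AUDIT:
        print(entry["ts"], entry["event"], entry["user"], entry["outcome"])
```

Note that the authorization check records a denial even when the user authenticated correctly: a valid login followed by repeated "directory not allowed" entries is exactly the pattern an accountability trail exists to surface.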
• 13. Threat / Threat Agents:
• A threat is a possible danger that might exploit a vulnerability to breach security and therefore cause harm.
• A threat can be intentional (e.g. an individual or organization hacking a system), accidental (e.g. the possibility of a computer malfunctioning), or a natural disaster.
• Identifying the threat agent means working out who would want to exploit the assets of a company, and how they might use those assets against the company.
• Threat agents can take one or more of the following actions against an asset:
• Access: simple unauthorized access.
• Misuse: unauthorized use of the asset.
• Disclose: release of sensitive information.
• Modify: unauthorized change to the asset.
• Deny access: includes destruction or theft of a non-data asset.
• 14. Exploit / Vulnerability:
• An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behaviour in computer software, hardware, or other electronic equipment.
• A vulnerability is a flaw in a system that can leave it open to attack.
• More broadly, a vulnerability is any weakness in a computer system itself, in a set of procedures, or in anything else that leaves information exposed to a threat.
• 15. Cryptography:
• Cryptography is a method of protecting information and communications.
• Cryptography is most often associated with scrambling plaintext (ordinary text, sometimes referred to as cleartext) into ciphertext (a process called encryption), then back again (decryption).
• Cryptographic algorithms fall into two classes by how they use keys:
• 1. Symmetric key: a single shared key is used for both encryption and decryption.
• 2. Asymmetric key: two different keys are used, one for encryption and another for decryption (a public/private key pair).
• Cryptography has four objectives: (I) Confidentiality (II) Integrity (III) Non-repudiation (IV) Authentication
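The slide lists the two key models and the four objectives but does not show which objective each model can actually deliver. The following added example (written for this page, not taken from the deck) puts them side by side in Python: HMAC-SHA256 from the standard library stands in for the symmetric case, and the asymmetric case is textbook RSA with the tiny primes p = 61, q = 53 and e = 17. That RSA is a toy chosen so the numbers are readable; it has no padding and n = 3233 factors instantly, so it is for illustration only and never for real use. The function names are assumptions of the example.

```python
"""Symmetric vs asymmetric keys against the four objectives (added example; toy RSA, not for real use)."""
import hashlib
import hmac


# ---- Symmetric: ONE shared key. Gives integrity and authentication of origin between the
# two holders, but no non-repudiation: Bob holds the same key as Alice and could have made
# the tag himself, so he cannot prove to a third party that Alice produced it.
def sym_tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def sym_verify(key, msg, tag):
    return hmac.compare_digest(sym_tag(key, msg), tag)


# ---- Asymmetric: TWO keys. Anyone may hold the public key; only the owner holds the private key.
def toy_rsa_keypair(p=61, q=53, e=17):
    """Textbook RSA on tiny primes (toy). Returns (public, private) as (n, exponent) pairs."""
    n = p * q                 # 3233
    phi = (p - 1) * (q - 1)   # 3120
    d = pow(e, -1, phi)       # private exponent: modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """Confidentiality: anyone encrypts with the public key; only the private key decrypts."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def digest_mod_n(msg, n):
    """Integrity: sign a hash of the message, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(priv, msg):
    """Non-repudiation + authentication: only the private-key holder can produce this value."""
    n, d = priv
    return pow(digest_mod_n(msg, n), d, n)


def rsa_verify(pub, msg, sig):
    """Anyone with the public key can check it, and the signer cannot later deny it."""
    n, e = pub
    return pow(sig, e, n) == digest_mod_n(msg, n)


if __name__ == "__main__":
    shared = b"shared-secret-known-to-both-sides"            # constructed sample key
    msg = b"transfer 100 to account 42"                        # constructed sample message
    print("symmetric tag ok:", sym_verify(shared, msg, sym_tag(shared, msg)))
    pub, priv = toy_rsa_keypair()
    c = rsa_encrypt(pub, 65)
    print("ciphertext:", c, "decrypts to:", rsa_decrypt(priv, c))
    print("signature ok:", rsa_verify(pub, msg, rsa_sign(priv, msg)))
```

With the Wikipedia-style parameters above, encrypting the integer 65 yields 2790 and decrypting 2790 with d = 2753 returns 65. The behavioural difference worth remembering from the two halves is that a valid HMAC only tells you "someone with the shared key sent this", whereas a valid signature tells everyone "the private-key owner sent this", which is the whole of non-repudiation.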