Mike Stone, profile picture
Uploaded byMike Stone
PPTX, PDF285 views

Plain talk about security public - ms1

The document discusses key concepts in information security including the security trinity of confidentiality, integrity, and availability. It outlines the four As of security - account management, authentication controls, authorization/access controls, and audit controls. The document then explains how various security controls protect confidentiality, integrity, and availability. It concludes with outlining a risk-driven security process of identifying assets, risks, impacts, and controls to defend assets within an organization's security budget and objectives.

Technology
Related topics:
Information Security

Embed presentation

Download to read offline
Plain Talk about Security 1January 27, 2015 by Mike Stone
Introduction Plain Talk about Security04/02/2015 2 • Security is not just a matter of opinion • even though everybody has an opinion about security • Security is not a wasted effort • even though it may seem like any determined attacker will get through your defenses • Security is a logic, a calculation, and a profession • logic: “you can’t protect assets you don’t know about” • calculation: “the value of a risk to an asset is equal to the value of the asset times the probability that the risk will occur” • profession: “An occupation doesn’t need society’s recognition to be a profession (CISSP). It only needs the actions and activities among its members to cooperate to serve a certain ideal (Security)” – (ISC)2 • Information Security has its counterparts in physical security
The Security Trinity (CIA) Plain Talk about Security04/02/2015 3 Confidentiality Integrity Availability Keep the asset secret! Ensure intended users can always access asset! Prevent unauthorized change to asset!
Start with a Good Secure Architecture Plain Talk about Security04/02/2015 4 Physical Security Information Security • A good architecture • Form facilitates function • Modular • Adaptable • Scalable • A secure architecture • Facilitates organizational mission & objectives • Provides granular segmentation • Provides situational awareness • Defends its assets Internet Dev & QA DMZ Users Prod SOC & NOC C C C C C C Public Confi- dential Top Secret C C
Four A’s of Security: #1 Account Management Plain Talk about Security04/02/2015 5 Physical Security Information Security • User Accounts: represent interactive humans • Service Accounts: represent batch processes • Role-based Accounts: represent groups of accounts with similar profiles & needs admins services employees customers suppliers hackers
Four A’s of Security: #2: Authentication Controls Plain Talk about Security04/02/2015 6 Physical Security Information Security • One Factor Authentication: What you know (password) • Two Factor Authentication: What you have (token) + what you know • Three Factor Authentication: What you are (biometric) + what you have + what you know STOP! Identify yourself! Show me your pass! You don’t look like the commander! Password token Biometric Hand Scanner“Digital Signatures and Certificates also provide User, Host, Software, Message, and Data Authentication Controls!”
Four A’s of Security: #3 Authorization (Access) Controls Plain Talk about Security04/02/2015 7 Physical Security Information Security • Who/what is allowed to do what to a resource (asset) • Resources are assets that are allowed to be used • Minimum Privilege: the least privileges required to perform a job (role) = Granularity • Strong Access Controls require Strong Authentication Controls! General Prod $ $$ $$$ C C Confidential Prod Top Secret Prod Confidential Clearance Top Secret ClearanceGeneral Clearance “Encryption also provides a Presentation Layer Access Control!”
SQL WS TS Srvr Rtr SW Four A’s of Security: #4 Audit Controls Plain Talk about Security04/02/2015 8 Physical Security Information Security • Logs (Running) & Monitoring (Real-Time): ad hoc record of alerts and events • Audit: formal documentation of who did what when and where compared to a framework • Report: statistical (and possibly graphic) view of historical data and trends • Evidence: documentation proving compliance with a security control or standard FW IPS A/V SSL DLP CA NNM MoM SIEM MoM SQL EM WS EM TS EM Srvr EM Rtr EM SW EM FW EM IPS EM A/V EM SSL EM DLP EM CA EM “Digital Signatures and trusted Certificates can provide non- repudiation for business or legal transactions!”
Confidentiality Plain Talk about Security04/02/2015 9 Physical Security Information Security • Protects an asset or person from unauthorized viewing or exposure by: • Access Controls • Encryption • Symmetric • Asymmetric Shredder Symmetric Keys Public & Private Keys “Considering Moore’s Law, you’d better add another bit to the encryption key length every 18 months!” Bob Alice E D KG key key Hi! Hi! @# $^ Bob Alice E D KG Public key Private key Hi! Hi! @# $^
Integrity Plain Talk about Security04/02/2015 10 Physical Security Information Security • Protects an asset from unauthorized modification by: • Access Controls • Digital Signature • Hash • Encryption “Digital Signature, Hash, & Encryption also provide Presentation Layer Access Controls!” General Prod $ $$ $$$ C C Important Prod Critical Prod Medium Integrity Clearance High Integrity ClearanceGeneral Clearance
Site #1 Site #2 Availability Plain Talk about Security04/02/2015 11 Physical Security Information Security • Ensures an resource will always be available for authorized use • High-Availability services shouldn’t have Single Points of Failure (SPoF) • Recovery Point Objective (RPO): how much data a service can afford to lose • Recovery Time Objective (RTO): how much time a service can afford to be shut down S1 SW1 S2 SW2 c1 c2 LB1 LB2 S1 SW1 S2 SW2 c1 c2 LB1 LB2 R1 R2 DNS 1 DNS 2 Internet c3
A Risk-Driven Security Process Plain Talk about Security04/02/2015 12 • Identify your major assets • Identify the risks to those assets • Measure the impacts ($) and probabilities (%) of those risks • Decide what levels of impacts and probabilities of risks are acceptable • Allocate a security budget equal to the difference between the maximum risk (impact x probability) and the acceptable risk level • Create or modify the policies, standards, procedures, and controls to defend those assets while achieving business missions and objectives • Assess residual risks • Review effectiveness of those policies, standards, procedures, and controls ID Assets ID Risks Calc Impact & Probability Decide Acceptable Levels Budget Security Plan Defenses Assess Residual Risks Review Effectiveness

More Related Content

PDF
CloudCamp Chicago lightning talk: "Security and Sanity in the HIPAA-Compliant...
byCloudCamp Chicago
 
PPTX
501 ch-1-mastering-security-basics
bygocybersec
 
PPTX
How to create a secure IoT device
byAbhijeet Rane
 
PPTX
501 ch 1 mastering security basics
bygocybersec
 
PPTX
501 ch 6 threats vulnerabilities and common attacks
bygocybersec
 
PDF
Solving problems with authentication
byMecklerMedia
 
PPTX
Kubernetes Secrets Management - Securing Your Production Environment
byAkeyless
 
PPTX
501 ch 5 securing hosts and data
bygocybersec
 
CloudCamp Chicago lightning talk: "Security and Sanity in the HIPAA-Compliant...
byCloudCamp Chicago
 
501 ch-1-mastering-security-basics
bygocybersec
 
How to create a secure IoT device
byAbhijeet Rane
 
501 ch 1 mastering security basics
bygocybersec
 
501 ch 6 threats vulnerabilities and common attacks
bygocybersec
 
Solving problems with authentication
byMecklerMedia
 
Kubernetes Secrets Management - Securing Your Production Environment
byAkeyless
 
501 ch 5 securing hosts and data
bygocybersec
 

What's hot

PPTX
IBM Secret Key management protoco
bygori4
 
PPTX
Who’s Watching the Watchers? Fixing and Preventing Inappropriate Privileged A...
byQuest
 
PDF
Identifying Hybrid AD Security Risks with Continuous Assessment
byQuest
 
PDF
Kubernetes Secrets - The Good, The Bad, and The Ugly - Akeyless
byAkeyless
 
PDF
Sounding the Alarm with Real-Time AD Detection and Alerting
byQuest
 
PDF
Better to Ask Permission? Best Practices for Privacy and Security
byEric Kavanagh
 
PDF
Securing Your Mobile Applications
byGreg Patton
 
PDF
Investigating and Recovering from a Potential Hybrid AD Security Breach
byQuest
 
PDF
Ayala mar23
byNational Information Standards Organization (NISO)
 
PDF
The Shifting Landscape of PoS MalwareOutput
bySilas Cutler
 
PPTX
501 ch 2 understanding iam
bygocybersec
 
PPTX
501 ch 7 protecting against advanced attacks
bygocybersec
 
PPTX
Things Security
byDony Riyanto
 
PPTX
The Key to Strong Cloud Security
byAkeyless
 
PPTX
Cyber security
byJahirUddinKomol
 
PDF
Data Security for Project Managers
byJoseph Wojowski
 
PPTX
501 ch 8 risk managment tool
bygocybersec
 
PDF
Marcel van der Heijden - SpeedInvest & Aircloak - EU GDPR & Data Privacy Comp...
byBurton Lee
 
PPTX
Enterprise Documents Secure and On the Go
byRob Bogue
 
PDF
NTXISSACSC1 Conference - Security is Doomed by Jesse Lee
byNorth Texas Chapter of the ISSA
 
IBM Secret Key management protoco
bygori4
 
Who’s Watching the Watchers? Fixing and Preventing Inappropriate Privileged A...
byQuest
 
Identifying Hybrid AD Security Risks with Continuous Assessment
byQuest
 
Kubernetes Secrets - The Good, The Bad, and The Ugly - Akeyless
byAkeyless
 
Sounding the Alarm with Real-Time AD Detection and Alerting
byQuest
 
Better to Ask Permission? Best Practices for Privacy and Security
byEric Kavanagh
 
Securing Your Mobile Applications
byGreg Patton
 
Investigating and Recovering from a Potential Hybrid AD Security Breach
byQuest
 
Ayala mar23
byNational Information Standards Organization (NISO)
 
The Shifting Landscape of PoS MalwareOutput
bySilas Cutler
 
501 ch 2 understanding iam
bygocybersec
 
501 ch 7 protecting against advanced attacks
bygocybersec
 
Things Security
byDony Riyanto
 
The Key to Strong Cloud Security
byAkeyless
 
Cyber security
byJahirUddinKomol
 
Data Security for Project Managers
byJoseph Wojowski
 
501 ch 8 risk managment tool
bygocybersec
 
Marcel van der Heijden - SpeedInvest & Aircloak - EU GDPR & Data Privacy Comp...
byBurton Lee
 
Enterprise Documents Secure and On the Go
byRob Bogue
 
NTXISSACSC1 Conference - Security is Doomed by Jesse Lee
byNorth Texas Chapter of the ISSA
 

Viewers also liked

DOCX
Bab v
byKhoirul Umam
 
PDF
“Gray Relational Based Analysis of Al-6351”
byiosrjce
 
PPTX
Стимулирование трудовой деятельности и мотивация к труду персонала организации
byElena Aleksandrovna Elena_Aleksandrovna_R
 
PDF
RSPH2
byJay Robertson
 
DOCX
University Missouri
byAna Lucia
 
PPTX
Socio economische oorzaken zijn taboe2
byannekesomers
 
PDF
LL.M New York Law School
byRoberth D. Angeles
 
PDF
「着飾らない IoT」
byEmbarcadero Technologies
 
PPTX
Gezinnen en kansen 4
byannekesomers
 
PPTX
Trabajo
byrafeltamara23
 
PDF
Exwfylla 01 10 2010
byireportergr
 
PDF
Minister of BJP
bykalajain123
 
PPT
Ладыгина Татьяна Анатольевна – «Объекты культурного наследия ГО Красноуфимск»
byarhivkruf
 
PPTX
It's good to check our plans and actions to see if we need to adapt
byMartin Jack
 
PPTX
Where the mind is without fear
bywhirlsemantic
 
Bab v
byKhoirul Umam
 
“Gray Relational Based Analysis of Al-6351”
byiosrjce
 
Стимулирование трудовой деятельности и мотивация к труду персонала организации
byElena Aleksandrovna Elena_Aleksandrovna_R
 
RSPH2
byJay Robertson
 
University Missouri
byAna Lucia
 
Socio economische oorzaken zijn taboe2
byannekesomers
 
LL.M New York Law School
byRoberth D. Angeles
 
「着飾らない IoT」
byEmbarcadero Technologies
 
Gezinnen en kansen 4
byannekesomers
 
Trabajo
byrafeltamara23
 
Exwfylla 01 10 2010
byireportergr
 
Minister of BJP
bykalajain123
 
Ладыгина Татьяна Анатольевна – «Объекты культурного наследия ГО Красноуфимск»
byarhivkruf
 
It's good to check our plans and actions to see if we need to adapt
byMartin Jack
 
Where the mind is without fear
bywhirlsemantic
 

Similar to Plain talk about security public - ms1

PDF
information security introduction for campus students.pdf
byhailegebrielgeta6
 
PDF
Course Information Security Lecture 1.pdf
bySamahAdel16
 
PPT
Chapter 3: Information Security Framework
byNada G.Youssef
 
PPT
InfoSecConcepts.ppt
byMobileAntitheft
 
PDF
Basic security concepts_chapter_1_6perpage
bynakomuri
 
PDF
Computer Security
byFrederik Questier
 
PPTX
Basic concepts in computer security
byArzath Areeff
 
PPTX
Advanced Operating System Principles.pptx
byyuvapapa26
 
PPT
Information security introduction
byPrachi Gulihar
 
PPTX
INFORMATION AND CYBER SECURITY
byNishant Pawar
 
PPTX
Chapter 1 compu secur.pptx of security service
byyhalemayalu
 
PDF
ICT-security-Lesson-4.pdf
byasdfg hjkl
 
PPTX
ISM-CS5750-01.pptx
byRashidSahito1
 
PPTX
informations_security_presentations.pptx
byFAKHARZAMANPROUD
 
PPTX
ISA 1a - Essential Terms and Concepts.pptx
byPatrickWilson621054
 
PDF
Software Technical Design for Information Security: A short intro for Tech Le...
byChris F Carroll
 
PPTX
Date security introduction
byLeo Mark Villar
 
PPT
Information Security
bychenpingling
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
PPT
Basic Security Chapter 1
byAfiqEfendy Zaen
 
information security introduction for campus students.pdf
byhailegebrielgeta6
 
Course Information Security Lecture 1.pdf
bySamahAdel16
 
Chapter 3: Information Security Framework
byNada G.Youssef
 
InfoSecConcepts.ppt
byMobileAntitheft
 
Basic security concepts_chapter_1_6perpage
bynakomuri
 
Computer Security
byFrederik Questier
 
Basic concepts in computer security
byArzath Areeff
 
Advanced Operating System Principles.pptx
byyuvapapa26
 
Information security introduction
byPrachi Gulihar
 
INFORMATION AND CYBER SECURITY
byNishant Pawar
 
Chapter 1 compu secur.pptx of security service
byyhalemayalu
 
ICT-security-Lesson-4.pdf
byasdfg hjkl
 
ISM-CS5750-01.pptx
byRashidSahito1
 
informations_security_presentations.pptx
byFAKHARZAMANPROUD
 
ISA 1a - Essential Terms and Concepts.pptx
byPatrickWilson621054
 
Software Technical Design for Information Security: A short intro for Tech Le...
byChris F Carroll
 
Date security introduction
byLeo Mark Villar
 
Information Security
bychenpingling
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
Basic Security Chapter 1
byAfiqEfendy Zaen
 

Recently uploaded

PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
final.pdf
byomarbishtawi04
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Workflow and decision Automation with Flowable
bychakib ch
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 

Plain talk about security public - ms1

  • 1.
    Plain Talk about Security 1January27, 2015 by Mike Stone
  • 2.
    Introduction Plain Talk aboutSecurity04/02/2015 2 • Security is not just a matter of opinion • even though everybody has an opinion about security • Security is not a wasted effort • even though it may seem like any determined attacker will get through your defenses • Security is a logic, a calculation, and a profession • logic: “you can’t protect assets you don’t know about” • calculation: “the value of a risk to an asset is equal to the value of the asset times the probability that the risk will occur” • profession: “An occupation doesn’t need society’s recognition to be a profession (CISSP). It only needs the actions and activities among its members to cooperate to serve a certain ideal (Security)” – (ISC)2 • Information Security has its counterparts in physical security
  • 3.
    The Security Trinity(CIA) Plain Talk about Security04/02/2015 3 Confidentiality Integrity Availability Keep the asset secret! Ensure intended users can always access asset! Prevent unauthorized change to asset!
  • 4.
    Start with aGood Secure Architecture Plain Talk about Security04/02/2015 4 Physical Security Information Security • A good architecture • Form facilitates function • Modular • Adaptable • Scalable • A secure architecture • Facilitates organizational mission & objectives • Provides granular segmentation • Provides situational awareness • Defends its assets Internet Dev & QA DMZ Users Prod SOC & NOC C C C C C C Public Confi- dential Top Secret C C
  • 5.
    Four A’s ofSecurity: #1 Account Management Plain Talk about Security04/02/2015 5 Physical Security Information Security • User Accounts: represent interactive humans • Service Accounts: represent batch processes • Role-based Accounts: represent groups of accounts with similar profiles & needs admins services employees customers suppliers hackers
  • 6.
    Four A’s ofSecurity: #2: Authentication Controls Plain Talk about Security04/02/2015 6 Physical Security Information Security • One Factor Authentication: What you know (password) • Two Factor Authentication: What you have (token) + what you know • Three Factor Authentication: What you are (biometric) + what you have + what you know STOP! Identify yourself! Show me your pass! You don’t look like the commander! Password token Biometric Hand Scanner“Digital Signatures and Certificates also provide User, Host, Software, Message, and Data Authentication Controls!”
  • 7.
    Four A’s ofSecurity: #3 Authorization (Access) Controls Plain Talk about Security04/02/2015 7 Physical Security Information Security • Who/what is allowed to do what to a resource (asset) • Resources are assets that are allowed to be used • Minimum Privilege: the least privileges required to perform a job (role) = Granularity • Strong Access Controls require Strong Authentication Controls! General Prod $ $$ $$$ C C Confidential Prod Top Secret Prod Confidential Clearance Top Secret ClearanceGeneral Clearance “Encryption also provides a Presentation Layer Access Control!”
  • 8.
    SQL WS TSSrvr Rtr SW Four A’s of Security: #4 Audit Controls Plain Talk about Security04/02/2015 8 Physical Security Information Security • Logs (Running) & Monitoring (Real-Time): ad hoc record of alerts and events • Audit: formal documentation of who did what when and where compared to a framework • Report: statistical (and possibly graphic) view of historical data and trends • Evidence: documentation proving compliance with a security control or standard FW IPS A/V SSL DLP CA NNM MoM SIEM MoM SQL EM WS EM TS EM Srvr EM Rtr EM SW EM FW EM IPS EM A/V EM SSL EM DLP EM CA EM “Digital Signatures and trusted Certificates can provide non- repudiation for business or legal transactions!”
  • 9.
    Confidentiality Plain Talk aboutSecurity04/02/2015 9 Physical Security Information Security • Protects an asset or person from unauthorized viewing or exposure by: • Access Controls • Encryption • Symmetric • Asymmetric Shredder Symmetric Keys Public & Private Keys “Considering Moore’s Law, you’d better add another bit to the encryption key length every 18 months!” Bob Alice E D KG key key Hi! Hi! @# $^ Bob Alice E D KG Public key Private key Hi! Hi! @# $^
  • 10.
    Integrity Plain Talk aboutSecurity04/02/2015 10 Physical Security Information Security • Protects an asset from unauthorized modification by: • Access Controls • Digital Signature • Hash • Encryption “Digital Signature, Hash, & Encryption also provide Presentation Layer Access Controls!” General Prod $ $$ $$$ C C Important Prod Critical Prod Medium Integrity Clearance High Integrity ClearanceGeneral Clearance
  • 11.
    Site #1 Site#2 Availability Plain Talk about Security04/02/2015 11 Physical Security Information Security • Ensures an resource will always be available for authorized use • High-Availability services shouldn’t have Single Points of Failure (SPoF) • Recovery Point Objective (RPO): how much data a service can afford to lose • Recovery Time Objective (RTO): how much time a service can afford to be shut down S1 SW1 S2 SW2 c1 c2 LB1 LB2 S1 SW1 S2 SW2 c1 c2 LB1 LB2 R1 R2 DNS 1 DNS 2 Internet c3
  • 12.
    A Risk-Driven SecurityProcess Plain Talk about Security04/02/2015 12 • Identify your major assets • Identify the risks to those assets • Measure the impacts ($) and probabilities (%) of those risks • Decide what levels of impacts and probabilities of risks are acceptable • Allocate a security budget equal to the difference between the maximum risk (impact x probability) and the acceptable risk level • Create or modify the policies, standards, procedures, and controls to defend those assets while achieving business missions and objectives • Assess residual risks • Review effectiveness of those policies, standards, procedures, and controls ID Assets ID Risks Calc Impact & Probability Decide Acceptable Levels Budget Security Plan Defenses Assess Residual Risks Review Effectiveness