Business Continuity Management
University of Oslo
INF3510 Information Security, Autumn 2018
Workshop Questions and Answers
Lecture 8: Risk Management and Business Continuity Management

Question 1: Risk factors
A possible definition of information security risk is: risk = likelihood × impact
a. Explain what is meant by likelihood and impact in this definition.
b. Discuss, e.g. with a relevant example, whether this is a reasonable definition.
c. Mention factors that contribute to the likelihood of a security incident (threat occurrence).
d. Discuss whether it is meaningful to analyse risk based on detailed factors (such as threat agent motivation and capacity) during a practical risk analysis.

Answers:
a. The likelihood is the frequency (or probability) that a threat occurs. The impact is the consequence of a threat, i.e. the expected cost of a threat occurrence.
b. Many examples are possible. One could consider the threat of a DDoS (Distributed Denial of Service) attack against a company web site. The likelihood is the expected probability of an actual DDoS attack taking place. The impact may be measured in terms of financial loss to the company due to customers not being able to place orders. When combined, the risk level increases as a conjunction of the likelihood and impact levels.
c. Factors are e.g. threat agent strength and vulnerability severity: the likelihood of a threat occurrence increases with the strength of the threat agent, and similarly with the severity of the vulnerabilities. Threat agent strength can further be decomposed into motivation and capacity, because threat agent strength increases with both. An agent with the capacity (skills and technology) to execute an attack still needs the motivation to do it, and a motivated agent still needs the capacity to execute the attack.
d. It can be useful for analysing specific threats in more detail, but it takes more time. For example, the likelihood/frequency of specific threats can be decomposed in terms of threat agent strength and vulnerability severity. Some frameworks explicitly take threat agent strength as well as vulnerability severity into account when estimating risk levels, e.g.:
- NS 5831 Samfunnssikkerhet. Beskyttelse mot tilsiktede uønskede handlinger. Risikohåndtering (Societal security. Protection against intentional undesirable actions. Risk management)
- NS 5832 Samfunnssikkerhet. Beskyttelse mot tilsiktede uønskede handlinger. Risikoanalyse (Societal security. Protection against intentional undesirable actions. Risk analysis)
Question 2: Risk management decisions
The Risk Management Process specified in ISO indicates two decision points.
a. Describe a situation where the answer at risk decision point 1 (after the risk assessment) could be negative, thereby requiring a revision of the context establishment and risk assessment phases.
b. Describe a situation where the answer at risk decision point 2 (after the risk treatment plan) could be negative, thereby requiring a possible revision of all the previous risk management phases.

Answers:
a. It is possible that the computed risks have a very skewed distribution, e.g. most risks have the same level (either very low or very high), which makes the risk ranking meaningless.
b. It is possible that the proposed risk treatment plan is judged unacceptable by management, e.g.:
i. because the treatment plan is too expensive or too ambitious. In that case the level of acceptable risk can be increased, so that fewer and less ambitious security controls are needed;
ii. because the level of planned retained risk is too high to be accepted. If the level of retained risk is too high, more controls could be proposed;
iii. because the estimated cost of the treatment plan is considered misleading due to wrong assessment of risk levels, so that the risk assessment and risk ranking need to be revised.

Question 3: Risk description
How should each risk be described?

Answer:
A risk consists of a threat and its risk level, both of which must be described. The risk description should also include assessments of potential threat agents, relevant vulnerabilities and existing security controls, the justification for the estimated probability and impact, and identification of the assets that can be negatively affected.

Question 4: Qualitative risk
a) Assume that a risk assessment uses three levels of likelihood (low, medium, high) and three levels of impact/consequence (minor, moderate, major). Draw an appropriate table of qualitative risk that uses 5 qualitative risk levels.
b) What is the basis for specifying the qualitative risk levels in the table?
c) How is the table used to determine risk levels?
Answers:
a) Different assignments of qualitative risk levels to the entries in the table are possible, but the most natural one is as indicated in the table below. The important rule is that qualitative levels of risk should increase when moving upwards or to the right in the table. It is also typical to have isometric diagonals from top-left to bottom-right, but non-isometric diagonals are of course possible.

Risk                          Impact
Likelihood        Minor         Moderate      Major
High              Moderate      High          Extreme
Medium            Low           Moderate      High
Low               Negligible    Low           Moderate

b) The assignment of qualitative risk levels in the table is in principle ad hoc, meaning that the risk assessment team can decide how they want to populate the table. The matrix is simply a look-up table. For each threat the team must estimate the likelihood and the impact.
c) The risk level is determined by direct look-up in the table.

Question 5: Relative / semi-quantitative risk
a) Assume a risk assessment method with four relative levels of likelihood: 0 (extremely rare), 1 (rare), 5 (likely), 10 (very likely), and four relative levels of impact/consequence: 0 (negligible), 1 (minor), 5 (moderate), 10 (major). Draw an appropriate table of relative / semi-quantitative risk that uses 7 numerical relative risk levels.
b) What is the basis for specifying the relative risk levels in the table?
c) How is the table used to determine risk levels?

Answers:
a) A relative / semi-quantitative risk table defines risk levels as the product of the relative likelihood and impact levels. The products give a set of relative risk levels (here the seven values 0, 1, 5, 10, 25, 50 and 100).

Risk                        Impact
Likelihood                  0 (Negligible)   1 (Minor)   5 (Moderate)   10 (Major)
10 (Very likely)            0                10          50             100
5 (Relatively likely)       0                5           25             50
1 (Rare)                    0                1           5              10
0 (Extremely rare)          0                0           0              0

b) The assignment of the relative risk levels in the table is simply based on the product rule. The risk assessment team must decide which numerical relative values to use for the likelihood and impact levels, which is an ad hoc decision.
c) The matrix is a look-up table which directly determines the relative risk level for each threat.
Question 6: Quantitative risk
Consider a quantitative risk analysis for a business. A specific threat is expected to result in a security incident every two months at a cost of $3 000 per incident.
a. Compute the single loss expectancy (SLE) and the annualised loss expectancy (ALE).
b. How should the ALE be used in deciding how to treat this risk?
c. Once controls are put in place, how will they change a later risk analysis?
d. Instead of reducing the risk, name two alternative ways to treat a risk.

Answers:
a. SLE = $3 000; ALE = SLE × 6 = $18 000.
b. Security controls with a cost up to the ALE ($18 000 per year) may be implemented. However, it also needs to be estimated to what extent the risk is reduced as a result of the controls. For example, if the frequency is only reduced to once per 4 months as a result of a control costing $ per year, then the control is not justified.
c. The SLE and/or the frequency normally decrease. These are computed taking into account the security controls that are in use.
d. Any two of: avoid the risk (cease the activity), share the risk (for example, by insurance), retain the risk (be prepared to tolerate the consequence).

Question 7: Qualitative vs. quantitative risk
In what way are qualitative and quantitative risk analysis different? Explain one significant drawback of each type.

Answer:
Qualitative risk assessment uses words to describe the likelihood of incidents and the magnitude of potential negative impacts, whereas quantitative risk assessment uses numerical values for likelihood and impact. A qualitative scale could be: unlikely, relatively likely, highly likely. A quantitative scale could be probability values in the range [0, 1].
Major drawbacks of qualitative risk analysis are that the results are hard to justify objectively and that no exact value is available for cost/benefit analysis.
Major drawbacks of quantitative risk analysis are that the calculations are ad hoc, it can be difficult to explain how the exact figures are obtained, and the process can be very labour intensive (although tools are available).
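As an added worked example (not part of the original workshop material), the following Python carries the Question 6 computation through and generalises it to a cost/benefit check over several candidate controls, including the "reduced to once per 4 months" case from answer b. The control names, annual costs and residual frequencies are constructed for illustration; the workshop's own figure for that control's cost is not reproduced on the page.

```python
from dataclasses import dataclass
from typing import List, Optional

MONTHS_PER_YEAR = 12


def aro_from_interval(months_between_incidents: float) -> float:
    """Annualised rate of occurrence (ARO) for a threat that strikes once
    every N months. 'Every two months' gives ARO = 6 incidents per year."""
    if months_between_incidents <= 0:
        raise ValueError("incident interval must be positive")
    return MONTHS_PER_YEAR / months_between_incidents


def ale(sle: float, aro: float) -> float:
    """Annualised loss expectancy: ALE = SLE x ARO."""
    return sle * aro


@dataclass(frozen=True)
class Control:
    """A candidate security control and the risk picture it leaves behind.
    A control may lower the frequency (larger interval), the per-incident
    cost (smaller SLE), or both."""
    name: str
    annual_cost: float
    interval_after_months: float          # expected incident interval once in place
    sle_after: Optional[float] = None     # None: per-incident cost is unchanged


def evaluate_control(sle: float, interval_months: float, control: Control) -> dict:
    """Compare the ALE with and without the control.

    The control is justified only if the ALE reduction it buys exceeds its
    annual cost. The current ALE is the ceiling on spend, but spending less
    than the ALE is still wasted when the control removes less risk than it
    costs (the 'once per 4 months' case in the workshop answer)."""
    ale_before = ale(sle, aro_from_interval(interval_months))
    sle_after = sle if control.sle_after is None else control.sle_after
    ale_after = ale(sle_after, aro_from_interval(control.interval_after_months))
    saving = ale_before - ale_after
    return {
        "control": control.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_saving": saving,
        "net_benefit": saving - control.annual_cost,
        "justified": saving > control.annual_cost,
    }


def rank_controls(sle: float, interval_months: float, controls: List[Control]) -> List[dict]:
    """Evaluate all candidate controls and order them by net benefit, best first."""
    results = [evaluate_control(sle, interval_months, c) for c in controls]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


# Question 6 figures: one incident every two months, $3 000 per incident.
Q6_SLE = 3000.0
Q6_INTERVAL_MONTHS = 2.0

# Constructed candidate controls (illustrative names and values, not from the workshop).
CANDIDATES = [
    # Halves the frequency (once per 4 months) but costs more than the $9 000 it saves.
    Control("traffic filtering appliance", annual_cost=12000.0, interval_after_months=4.0),
    # Cuts the frequency to once a year; saves $15 000 for $10 000.
    Control("patch management programme", annual_cost=10000.0, interval_after_months=12.0),
    # Leaves the frequency alone but shrinks the per-incident cost to $1 000.
    Control("tested backups", annual_cost=5000.0, interval_after_months=2.0, sle_after=1000.0),
]

if __name__ == "__main__":
    aro = aro_from_interval(Q6_INTERVAL_MONTHS)
    print(f"SLE = ${Q6_SLE:,.0f}  ARO = {aro:.0f}/year  ALE = ${ale(Q6_SLE, aro):,.0f}")
    for r in rank_controls(Q6_SLE, Q6_INTERVAL_MONTHS, CANDIDATES):
        verdict = "justified" if r["justified"] else "not justified"
        print(f"{r['control']:<28} ALE after ${r['ale_after']:>8,.0f}  "
              f"saving ${r['annual_saving']:>8,.0f}  net ${r['net_benefit']:>8,.0f}  {verdict}")
```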
Question 8: Threat modelling
Consider the case of an online pharmacy, where the diagram below illustrates the main elements in the e-commerce architecture, as well as abstract threats. It can e.g. be assumed that the attacker (threat agent) has as goal to 1) get control of user accounts and their purchasing history, 2) steal the user database (and passwords), 3) sabotage, DDoS or deface the website, or 4) store malware (XSS, malware, exploits) on the website to attack users. You can also consider other attack goals.
a. Describe relevant threat scenarios for each attack goal you want to consider. Don't get stuck on the lack of detail in this case description; you can make any assumption you want. The important thing is to be able to identify and articulate relevant threat scenarios, i.e. the steps the attacker must take to reach a specific goal.
b. For each threat scenario, suggest security controls that can block or mitigate the threat.

Answers:
1) Threat scenario 1: Spam phishing to hijack user accounts
a. A possible threat scenario to get control of a user account is to send phishing emails to users of the online pharmacy. A challenge for the attackers is to find email addresses of customers of the online pharmacy. A possible method for getting user names could be to search online discussion groups for medical issues where the online pharmacy is mentioned. The phishing email could present a link to a fake web page pretending to be the online pharmacy and asking the user to log in. This would give the attackers account names and corresponding passwords. If the online pharmacy allows federated login, e.g. through Facebook, then the attackers would get the Facebook credentials, which could then be exploited for many other attack scenarios and have serious impact.
b. Controls to prevent this threat could be security awareness, such as informing customers that the pharmacy will never send an email asking customers to log in. Another control could be to use a 2nd authentication factor, such as sending an authorisation code by SMS or having an OTP (one-time password) app from the service provider. Since an SMS code or OTP is dynamic, the attackers could not simply steal a password to take over the account.

2) Threat scenario 2: Steal the user database through SQL injection
a. A possible threat scenario to get the user database could be SQL injection through the web interface, if it can be assumed that the web interface performs no input filtering and sanitisation before input data is sent to the back-end SQL database.
b. Input filtering and sanitisation of input from the web would prevent SQL injection.

3) Threat scenario 3: DDoS attack to block customers from purchasing
a. DDoS attack capability using botnets can be bought online relatively cheaply; this is a typical way for hackers to monetise botnets they control. While a DDoS attack is ongoing it will be difficult or impossible for customers to access the online pharmacy, so customers might go to a competitor instead.
b. Possible controls to mitigate DDoS attacks could be load sharing between multiple servers, so that a moderate DDoS attack would have limited effect. Another control could be a powerful NGF (Next Generation Firewall) which is able to dynamically detect DDoS attack patterns and set up filtering rules to remove the DDoS traffic. Both these controls could be relatively expensive.

4) Threat scenario 4: Store malware on the website to attack the customers/users
a. Assuming that the online pharmacy has pages for discussion or feedback from customers, it could be possible for attackers to store malicious JavaScript (disguised as a discussion comment) on the website, which would be downloaded to customer browsers when they access the online pharmacy. This is the principle of typical stored XSS (Cross-Site Scripting) attacks. The malicious JavaScript could be used to attack customers, e.g. for identity theft or for infecting client machines and turning them into bots in the attacker's botnet.
b. The best control for preventing the storing of malware on the web server, and for preventing XSS, is filtering data from users before it is stored on the web server, and filtering data from web servers in the client browser.

Question 9: The misnomer: ROS-analyse
a. What is the problem with the concept of Risk and Vulnerability Analysis typically used in a Norwegian risk management context (ROS-analyse)?
b. Why is Threat and Risk Analysis (TOR-analyse) a better term?

Answers:
a. The concept of risk and vulnerability analysis (ROS-analyse) puts a strong emphasis on vulnerability analysis. However, there is no vulnerability without threats, hence threat modelling is the most important part of a risk analysis. The problem with the concept of risk and vulnerability analysis is that it takes focus away from threat modelling, which can lead to dysfunctional risk assessment and risk management.
b. Since threat modelling is a prerequisite for understanding and analysing risk, it is more meaningful to use the concept of threat and risk analysis (TOR-analyse).
Question 10: Business impact analysis
c. What is special about risks related to disasters, in terms of likelihood and impact?
d. As part of business continuity planning, a BIA (Business Impact Analysis) is often performed. Briefly explain the purpose of a BIA.
e. Why is a BIA often more meaningful than a traditional risk assessment in the case of BCM and planning for disaster recovery?

Answers:
c. The likelihood of disasters is very low, but the impacts are extreme. A risk analysis of disasters can therefore become very unreliable.
d. A BIA is performed at the beginning of business continuity planning to identify the critical functions whose disruption would cause the greatest financial or other negative impact.
e. The risk levels for disasters are difficult to assess because of the extreme levels (very low likelihood and very large impact), hence qualitative and quantitative risk assessment methods become unreliable. Threats considered in BCM are typically considered too strong for effective prevention (e.g. earthquake, terrorist attack), in contrast to risk management, where security controls can block or mitigate threats. The focus of a BIA is to identify essential business processes, so that BCM can be used to make plans for restoring them in case they get disrupted by serious events.

Question 11: Maximum tolerable downtime
a. Specify the typical MTD (Maximum Tolerable Downtime) for a business function that is defined as (i) critical; (ii) non-essential.
b. Assume that the information processing facilities of an organisation have suffered considerable damage, seriously impacting the business functions. How is the MTD taken into account when deciding whether business recovery at an alternative site should be invoked?

Answers:
a. MTDs:
- For critical business functions: minutes to hours.
- For non-essential business functions: weeks to months.
b. The estimated time to re-establish the business functions at the existing site is compared with the MTD. The business recovery plan must be invoked if the estimated time exceeds the MTD.
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationExam : Title : ASAM Advanced Security for Account Managers Exam. Version : Demo
Exam : 646-578 Title : ASAM Advanced Security for Account Managers Exam Version : Demo 1. When do you align customer business requirements with the needed solution functionality? A. when preparing for
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationManaging IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services
Managing IT Risk: What Now and What to Look For Presented By Tina Bode IT Assurance Services Agenda 1 2 WHAT TOP TEN IT SECURITY RISKS YOU CAN DO 3 QUESTIONS 2 IT S ALL CONNECTED Introduction All of our
More informationCyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)
Cyber Security Presenters: - Brian Everest, Chief Technology Officer, Starport Managed Services - Susan Pawelek, Accountant, Compliance and Registrant Regulation February 13, 2018 (webinar) February 15,
More informationNo IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP
No IT Audit Staff? How to Hack an IT Audit Presenters Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP Learning Objectives After this session, participants will be able to: Devise
More informationStandard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.
Standard Categories for Incident Response Teams Definitions V2.1 February 2018 Standard Categories for Incident Response (definitions) V2.1 1 Introduction This document outlines categories that Incident
More informationSecuring Information Systems
Introduction to Information Management IIM, NCKU System Vulnerability and Abuse (1/6) Securing Information Systems Based on Chapter 8 of Laudon and Laudon (2010). Management Information Systems: Managing
More informationStudents should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:
Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE
More informationSecurity Solutions. Overview. Business Needs
Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.
More informationSecuring today s identity and transaction systems:! What you need to know! about two-factor authentication!
Securing today s identity and transaction systems:! What you need to know! about two-factor authentication! 1 Today s Speakers! Alex Doll! CEO OneID Jim Fenton! Chief Security Officer OneID 2 Contents!
More informationSecurity Policy (EN) v1.3
Security Policy (EN) v1.3 Author: Erik Klein Langenhorst Date: Sept 21, 2017 Classificatie: 2 Intended for stakeholders only Security Policy (EN) v1.5 Pagina 1 van 9 Version History Version Date Name Changes
More informationA Practical Approach to Implement a Risk Based ISMS
A Practical Approach to Implement a Risk Based ISMS Pascal Reiniger Chief Information Security Officer Kanton Basel-Stadt Zürich Security Interest Group Switzerland 07.11.2017 Agenda 1. Introduction 2.
More informationCloud Security Myths Paul Mazzucco, Chief Security Officer
Cloud Security Myths Paul Mazzucco, Chief Security Officer Discussion Points >Yesterday s standards: today s security myths >Cloud security: an ongoing mandate >Actions to take now 90% of Businesses Breached
More informationUnit 2 Essentials of cyber security
2016 Suite Cambridge TECHNICALS LEVEL 2 IT Unit 2 Essentials of cyber security A/615/1352 Guided learning hours: 30 Version 1 September 2016 ocr.org.uk/it LEVEL 2 UNIT 2: Essentials of cyber security A/615/1352
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 22301 Lead Implementer www.pecb.com The objective of the Certified ISO 22301 Lead Implementer examination is to ensure that the candidate
More informationArbor White Paper Keeping the Lights On
Arbor White Paper Keeping the Lights On The Importance of DDoS Defense in Business Continuity Planning About Arbor Networks Arbor Networks Inc., the cyber security division of NETSCOUT, helps secure the
More informationEnterprise Cybersecurity Best Practices Part Number MAN Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationIT risks and controls
Università degli Studi di Roma "Tor Vergata" Master of Science in Business Administration Business Auditing Course IT risks and controls October 2018 Agenda I IT GOVERNANCE IT evolution, objectives, roles
More informationAuthentication Methods
CERT-EU Security Whitepaper 16-003 Authentication Methods D.Antoniou, K.Socha ver. 1.0 20/12/2016 TLP: WHITE 1 Authentication Lately, protecting data has become increasingly difficult task. Cyber-attacks
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationTHE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES
THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES TABLE OF CONTENTS 3 Introduction 4 Survey Findings 4 Recent Breaches Span a Broad Spectrum 4 Site Downtime and Enterprise
More informationJune 2 nd, 2016 Security Awareness
June 2 nd, 2016 Security Awareness Security is the degree of resistance to, or protection from, harm. if security breaks down, technology breaks down Protecting People, Property and Business Assets Goal
More informationCYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW
CYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW May 2018 Ed Plawecki General Counsel & Director of Government Relations UHY LLP Jamie See Manager UHY LLP Iowa Public
More informationSecond International Barometer of Security in SMBs
1 2 Contents 1. Introduction. 3 2. Methodology.... 5 3. Details of the companies surveyed 6 4. Companies with security systems 10 5. Companies without security systems. 15 6. Infections and Internet threats.
More informationPenetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant
Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by
More informationSecuring Information Systems
Chapter 7 Securing Information Systems 7.1 Copyright 2011 Pearson Education, Inc. STUDENT LEARNING OBJECTIVES Why are information systems vulnerable to destruction, error, and abuse? What is the business
More informationCybersecurity and Hospitals: A Board Perspective
Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,
More informationNebraska CERT Conference
Nebraska CERT Conference Security Methodology / Incident Response Patrick Hanrion Security Center of Excellence Sr. Security Consultant Agenda Security Methodology Security Enabled Business Framework methodology
More informationRadware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper
Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper Table of Contents Abstract...3 Understanding Online Business
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationCERTIFIED SECURE COMPUTER USER COURSE OUTLINE
CERTIFIED SECURE COMPUTER USER COURSE OUTLINE Page 1 TABLE OF CONTENT 1 COURSE DESCRIPTION... 3 2 MODULE-1: INTRODUCTION TO DATA SECURITY... 4 3 MODULE-2: SECURING OPERATING SYSTEMS... 6 4 MODULE-3: MALWARE
More informationLab #3 Defining an Information Systems Security Policy Framework for an IT Infrastructure
Lab #3 Defining an Information Systems Security Policy Framework for an IT Infrastructure Introduction In any company, a security policy helps to mitigate the risks and threats the business encounters.
More informationProtecting Against Online Fraud. F5 EMEA Webinar August 2014
Protecting Against Online Fraud F5 EMEA Webinar August 2014 Agenda Fraud threat trends and business challenges Web fraud protection Mobile fraud protection Security operations center Example architecture
More information