Security+ Guide to Network Security Fundamentals, Fifth Edition. Chapter 1 INTRODUCTION TO SECURITY
|
|
- Sharon Cooper
- 6 years ago
- Views:
Transcription
1 Security+ Guide to Network Security Fundamentals, Fifth Edition Chapter 1 INTRODUCTION TO SECURITY
2 Objectives Describe the challenges of securing information Define information security and explain why it is important Identify the types of attackers that are common today List the basic steps of an attack Describe the five basic principles of defense Security+ Guide to Network Security Fundamentals, Fifth Edition 2
3 Challenges of Securing Information Today all citizens forced to continually protect themselves from attacks by invisible foes Attacks not just physical but also include attacks on information technology Attacks directed at individuals, schools, businesses, and governments through desktop computers, laptops, smartphones, and tablet computers Information security is focused on protecting electronic information of organizations and users Security+ Guide to Network Security Fundamentals, Fifth Edition 3
4 Information Security Personnel Chief Information Security Officer (CISO) - Responsible for assessing, managing, and implementing security Security manager - Supervises technicians, administrators, and security staff Security administrator - Manages daily operations of security technology Security technician - Provide technical support to configure security hardware, implement security software, and diagnose and troubleshoot problems Security+ Guide to Network Security Fundamentals, Fifth Edition 4
5 Information Security Employment Employees with certifications in security are in high demand Security is rarely offshored or outsourced Job outlook for security professionals is exceptionally strong U.S. Bureau of Labor Statistics (BLS) Occupational Outlook Handbook indicates job outlook for information security analysts through end of decade expected to grow by 22 percent, faster than average growth rate Security+ Guide to Network Security Fundamentals, Fifth Edition 5
6 CompTIA Security+ CompTIA Security+ certification is widelyrecognized and highly respected vendor-neutral credential Requires passing current certification exam SY0-401 Tests knowledge and skills required to: identify risks; provide infrastructure, application, operational and information security; apply security controls to maintain confidentiality, integrity, and availability; and identify appropriate technologies and products Security+ Guide to Network Security Fundamentals, Fifth Edition 6
7 Today s Security Attacks Balances manipulated on prepaid debit cards Home Wi-Fi network attacked Twitter accounts exploited Ploutus ATM malware Exposed serial servers Manipulate aircraft and ocean vessels Computer cluster for cracking passwords Apple Mac vulnerabilities Electronic data records stolen Security+ Guide to Network Security Fundamentals, Fifth Edition 7
8 Difficulties in Defending Against Attacks Universally connected devices Increased speed of attacks Greater sophistication of attacks Availability and simplicity of attack tools Faster detection of vulnerabilities Delays in security updating Weak security update distribution Distributed attacks Introduction of BYOD User confusion Security+ Guide to Network Security Fundamentals, Fifth Edition 8
9 Menu of Attack Tools (Figure 1-1) Security+ Guide to Network Security Fundamentals, Fifth Edition 9
10 Difficulties in Defending (Table 1-2) Security+ Guide to Network Security Fundamentals, Fifth Edition 10
11 What Is Information Security? Before defense is possible, one must understand: What is security What information security is Information security terminology Why it is important Security+ Guide to Network Security Fundamentals, Fifth Edition 11
12 Understanding Security Security is defined as either the process (how to achieve security) or the goal (what it means to have security). In reality security is both: it is the goal to be free from danger as well as the process that achieves that freedom Security is the necessary steps to protect a person or property from harm. This harm may come from one of two sources: Direct action Indirect and unintentional action Security+ Guide to Network Security Fundamentals, Fifth Edition 12
13 Security and Convenience Relationship between security and convenience As security is increased, convenience is often decreased Security is inversely proportional to convenience The more secure something is, the less convenient it may become to use Security is sacrificing convenience for safety or giving up short-term comfort for long-term protection Security+ Guide to Network Security Fundamentals, Fifth Edition 13
14 Relationship Security-Convenience (Figure 1-2) Security+ Guide to Network Security Fundamentals, Fifth Edition 14
15 Defining Information Security Information security - Tasks of securing information in digital format: Manipulated by a microprocessor Stored on a storage device Transmitted over a network Protection - Information security cannot completely prevent successful attacks or guarantee that a system is totally secure Protective measures ward off attacks and prevent total collapse of the system when a successful attack does occur Security+ Guide to Network Security Fundamentals, Fifth Edition 15
16 Three Protections Information Provides value to people and organizations Three protections that must be extended over information (CIA): Confidentiality: Ensures only authorized parties can view information Integrity: Ensures information not altered Availability: Ensures information accessible when needed to authorized parties Security+ Guide to Network Security Fundamentals, Fifth Edition 16
17 AAA Three additional protections that must be extended over information (AAA): Authentication: Ensures that the individual is who she claims to be (the authentic or genuine person) and not an imposter Authorization: Providing permission or approval to specific technology resources Accounting: Provides tracking of events Security+ Guide to Network Security Fundamentals, Fifth Edition 17
18 Securing Devices Devices - Information security involves more than protecting the information itself Information is: Stored on computer hardware Manipulated by software Transmitted by communications Each of these areas must also be protected Security+ Guide to Network Security Fundamentals, Fifth Edition 18
19 Three Entities Entities - Information security is achieved through a process that is a combination of three entities Information and the hardware, software, and communications are protected in three layers: Products People Policies and procedures Procedures enable people to understand how to use products to protect information Security+ Guide to Network Security Fundamentals, Fifth Edition 19
20 Security Layers (Figure 1-3) Security+ Guide to Network Security Fundamentals, Fifth Edition 20
21 Security Layers (Table 1-3) Security+ Guide to Network Security Fundamentals, Fifth Edition 21
22 Information Security Definition Comprehensive definition of information security involves both the goals and process Information security defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures Security+ Guide to Network Security Fundamentals, Fifth Edition 22
23 Information Security Terminology: Asset Asset - An item that has value In organization assets have these qualities: They provide value to the organization They cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources They can form part of the organization's corporate identity. Security+ Guide to Network Security Fundamentals, Fifth Edition 23
24 Technology Assets (Table 1-4) Security+ Guide to Network Security Fundamentals, Fifth Edition 24
25 Information Security Terminology: Threat Threat - Action that has the potential to cause harm Information security threats are events or actions that represent a danger to information assets Threat by itself does not mean that security has been compromised; rather, it simply means that the potential for creating a loss is real Threat can result in the corruption or theft of information, a delay in information being transmitted, or loss of good will or reputation Security+ Guide to Network Security Fundamentals, Fifth Edition 25
26 Information Security Terminology: Threat Agent Threat agent - Person or element that has the power to carry out a threat Threat agent can be: Person attempting to break into a secure computer network Force of nature such as a hurricane that could destroy computer equipment and thus destroy information Malicious software that attacks the computer network Security+ Guide to Network Security Fundamentals, Fifth Edition 26
27 Information Security Terminology: Vulnerability Vulnerability - Flaw or weakness that allows a threat agent to bypass security Example is software defect in an operating system that allows an unauthorized user to gain control of a computer without the user s knowledge or permission Security+ Guide to Network Security Fundamentals, Fifth Edition 27
28 Information Security Terminology: Threat Vector Threat vector - means by which an attack can occur Example is attacker, knowing that a flaw in a web server s operating system has not been patched, is using the threat vector (exploiting the vulnerability) to steal user passwords Threat likelihood - probability that threat will come to fruition Security+ Guide to Network Security Fundamentals, Fifth Edition 28
29 Information Security Terminology: Risk Risk - situation that involves exposure to some type of danger. Options when dealing with risk: Risk avoidance Acceptance Mitigation Deterrence Transference Security+ Guide to Network Security Fundamentals, Fifth Edition 29
30 Understanding the Importance of Information Security: Preventing Theft Preventing data theft Stopping data from being stolen cited as primary objective of information security Business data theft is stealing proprietary business information Personal data is prime target of attackers is credit card numbers that can be used to purchase thousands of dollars of merchandise Security+ Guide to Network Security Fundamentals, Fifth Edition 30
31 Identity Theft Thwarting identity theft - Using another s personal information in unauthorized manner for financial gain Example: Steal person s SSN Create new credit card account Charge purchases Leave unpaid Serious problem for Internal Revenue Service (IRS) Security+ Guide to Network Security Fundamentals, Fifth Edition 31
32 Avoid Legal Consequences Avoiding legal consequences - Businesses that fail to protect data they possess may face serious financial penalties from federal or state laws Laws protecting electronic data privacy: Health Insurance Portability and Accountability Act of 1996 (HIPAA) Sarbanes-Oxley Act of 2002 (Sarbox) Gramm-Leach-Bliley Act (GLBA) Payment Card Industry Data Security Standard (PCI DSS) CA Database Security Breach Notification Act Security+ Guide to Network Security Fundamentals, Fifth Edition 32
33 Cost of Attacks (Table 1-6) Maintaining productivity - Post-attack clean up diverts resources like time and money Security+ Guide to Network Security Fundamentals, Fifth Edition 33
34 Foiling Cyberterrorism Foiling cyberterrorism - Premeditated, politically motivated attacks Targets are banking, military, power plants, air traffic control centers Designed to: Cause panic Provoke violence Result in financial catastrophe Security+ Guide to Network Security Fundamentals, Fifth Edition 34
35 Cyberterrorism Targets Potential cyberterrorism targets Banking Military Energy (power plants) Transportation (air traffic control centers) Water systems Security+ Guide to Network Security Fundamentals, Fifth Edition 35
36 Who Are the Attackers? Hacker Older term referred to a person who used advanced computer skills to attack computers Black hat hackers - Attackers who violated computer security for personal gain or to inflict malicious damage White hat hackers - Ethical attackers who received permission to probe system for any weaknesses Gray hat hackers Attackers who would break into a computer system without permission and then publically disclose vulnerability Security+ Guide to Network Security Fundamentals, Fifth Edition 36
37 Cybercrimminals Cybercrimminals - Generic term describes individuals who launch attacks against other users and their computers A loose network of attackers, identity thieves, and financial fraudsters who are highly motivated, less risk-averse, well-funded, and tenacious Instead of attacking a computer to show off their technology skills (fame), cybercriminals have a more focused goal of financial gain (fortune): cybercriminals steal information or launch attacks to generate income Security+ Guide to Network Security Fundamentals, Fifth Edition 37
38 Script Kiddies Script kiddies - Unskilled users with goal to break into computers to create damage Download automated hacking software (scripts) to use to perform malicious acts Attack software today has menu systems and attacks are even easier for unskilled users 40 percent of attacks performed by script kiddies Security+ Guide to Network Security Fundamentals, Fifth Edition 38
39 Brokers Brokers - Individuals who uncover vulnerabilities do not report it to the software vendor but instead sell them to the highest bidder These attackers sell their knowledge of a vulnerability to other attackers or even governments Buyers are generally willing to pay a high price because this vulnerability is unknown Security+ Guide to Network Security Fundamentals, Fifth Edition 39
40 Insiders Insiders - Employees, contractors, and business partners who steal from employer Most malicious insider attacks consist of the sabotage or theft of intellectual property Offenders are usually employees who actually believe that the accumulated data is owned by them and not the organization Others are employees have been pressured into stealing from their employer through blackmail or the threat of violence Security+ Guide to Network Security Fundamentals, Fifth Edition 40
41 Cyberterrorists Cyberterrorists Attackers who have ideological motivation Attacking because of their principles and beliefs Cyberterrorists can be inactive for several years and then suddenly strike in a new way Targets may include a small group of computers or networks that can affect the largest number of users Example: computers that control the electrical power grid of a state or region Security+ Guide to Network Security Fundamentals, Fifth Edition 41
42 Hactivists Hactivists Another group motivated by ideology Unlike cyberterrorists who launch attacks against foreign nations to incite panic, hactivists generally not as well-defined. Attacks can involve breaking into a website and changing the contents on the site as a means of making a political statement against those who oppose their beliefs Other attacks can be retaliatory Security+ Guide to Network Security Fundamentals, Fifth Edition 42
43 State-Sponsored Attackers State-sponsored attackers Attackers supported by governments for launching computer attacks against their foes Attackers target foreign governments or even citizens of the government who are considered hostile or threatening Security+ Guide to Network Security Fundamentals, Fifth Edition 43
44 Steps of an Attack (Steps 1-4) Reconnaissance - Probe for any information about the system to reveal if the system is a viable target for an attack and how it could be attacked Weaponization - Create an exploit and package it into a deliverable payload that can be used against the target Delivery - The weapon is transmitted to the target Exploitation - The exploitation stage triggers the intruders exploit Security+ Guide to Network Security Fundamentals, Fifth Edition 44
45 Steps of an Attack (Steps 5-7) Installation - The weapon is installed to either attack the computer or install a remote backdoor so the attacker can access the system. Command and Control Often the compromised system connects back to the attacker so that the system can be remotely controlled by the attacker and receive future instructions Actions on Objectives - Now attackers can start to take actions to achieve their original objectives, such as stealing user passwords or launching attacks against other computers Security+ Guide to Network Security Fundamentals, Fifth Edition 45
46 Cyber Kill Chain (Figure 1-6) Security+ Guide to Network Security Fundamentals, Fifth Edition 46
47 Defenses Against Attacks Fundamental security principles for defenses Layering Limiting Diversity Obscurity Simplicity Security+ Guide to Network Security Fundamentals, Fifth Edition 47
48 Layering Information security must be created in layers Single defense mechanism may be easy to circumvent Unlikely that attacker can break through all defense layers Layered security approach Can be useful in resisting a variety of attacks Provides the most comprehensive protection Security+ Guide to Network Security Fundamentals, Fifth Edition 48
49 Limiting Limiting access to information reduces the threat against it Only those who must use data granted access Amount of access limited to what that person needs to know Methods of limiting access Technology (file permissions) Procedural (prohibiting document removal from premises) Security+ Guide to Network Security Fundamentals, Fifth Edition 49
50 Diversity Closely related to layering Layers must be different (diverse) If attackers penetrate one layer then same techniques unsuccessful in breaking through other layers Breaching one security layer does not compromise the whole system Example of diversity is using security products from different manufacturers Security+ Guide to Network Security Fundamentals, Fifth Edition 50
51 Obscurity Obscuring inside details to outsiders Example: not revealing details Type of computer Operating system version Brand of software used Difficult for attacker to devise attack if system details are unknown Security+ Guide to Network Security Fundamentals, Fifth Edition 51
52 Security+ Guide to Network Security Fundamentals, Fifth Edition Chapter 1 INTRODUCTION TO SECURITY
Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 1 Introduction to Security Objectives Describe the challenges of securing information Define information security and explain why
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 1 Introduction to Security
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 1 Introduction to Security Objectives Describe the challenges of securing information Define information security and explain why
More informationSyllabus Review Key Points Unit deliverables Homework Tests Class Conduct Security+ Guide to Network Security Fundamentals, Third Edition
1 Introduction to Computer Security Concepts INFOTECH 260 Mr. Ken Foster 2 Introductions Introduce Yourself: First and Last Name How long you have been attending Heald Your level of computer experience
More informationEC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led
EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led Certification: Certified Network Defender Exam: 312-38 Course Description This course is a vendor-neutral, hands-on,
More informationGovernance Ideas Exchange
www.pwc.com.au Anatomy of a Hack Governance Ideas Exchange Robert Di Pietro October 2018 Cyber Security Anatomy of a Hack Cyber Security Introduction Who are the bad guys? Profiling the victim Insights
More informationChapter 12. Information Security Management
Chapter 12 Information Security Management We Have to Design It for Privacy... and Security. Tension between Maggie and Ajit regarding terminology to use with Dr. Flores. Overly technical communication
More informationCombating Cyber Risk in the Supply Chain
SESSION ID: CIN-W10 Combating Cyber Risk in the Supply Chain Ashok Sankar Senior Director Cyber Strategy Raytheon Websense @ashoksankar Introduction The velocity of data breaches is accelerating at an
More informationIntroduction to Ethical Hacking. Chapter 1
Introduction to Ethical Hacking Chapter 1 Definition of a Penetration Tester Sometimes called ethical hackers though label is less preferred Pen testers are: People who assess security of a target Specially
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationOperational Network Security
Tim Boerner April 25, 2013 CS598 Network Security Operational Network Security or how I learned that the purpose of network security has little to do with actually securing the network Introduction Thinking
More informationWhat is Penetration Testing?
What is Penetration Testing? March 2016 Table of Contents What is Penetration Testing?... 3 Why Perform Penetration Testing?... 4 How Often Should You Perform Penetration Testing?... 4 How Can You Benefit
More informationEffective Strategies for Managing Cybersecurity Risks
October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive
More informationCompliance in 5 Steps
Email Compliance in 5 Steps Introduction For most businesses, email is a vital communication resource. Used to perform essential business functions, many organizations rely on email to send sensitive confidential
More informationInformation Security in Corporation
Information Security in Corporation System Vulnerability and Abuse Software Vulnerability Commercial software contains flaws that create security vulnerabilities. Hidden bugs (program code defects) Zero
More informationCyber Security Issues
RHC Summit 6/9/2017 Cyber Security Issues Dennis E. Leber CISO CHFS Why is it Important? Required by Law Good Business Strategy Right Thing to Do Why is it Important? According to Bitglass' 2017 Healthcare
More informationDeMystifying Data Breaches and Information Security Compliance
May 22-25, 2016 Los Angeles Convention Center Los Angeles, California DeMystifying Data Breaches and Information Security Compliance Presented by James Harrison OM32 5/25/2016 3:00 PM - 4:15 PM The handouts
More informationBuilding a Case for Mainframe Security
Building a Case for Mainframe Security Dr. Paul Rohmeyer, Ph.D. Stevens Institute of Technology Hoboken, New Jersey June 13-15, 2010 1 AGENDA - Problem Statement - Defining Security - Understanding Mainframe
More informationWhy you MUST protect your customer data
Why you MUST protect your customer data If you think you re exempt from compliance with customer data security and privacy laws because you re a small business, think again. Businesses of all sizes are
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationWhite paper Cybersecurity
White paper Cybersecurity Concepts and Terminology Table of contents 1. Introduction 3 2. Cybersecurity 3 3. Risk assessment 3 4. Threat landscape 4 5. Threat actors and their motivation 4 6. Attack value
More informationInternet of Things Toolkit for Small and Medium Businesses
Your Guide #IoTatWork to IoT Security #IoTatWork Internet of Things Toolkit for Small and Medium Businesses Table of Contents Introduction 1 The Internet of Things (IoT) 2 Presence of IoT in Business Sectors
More informationMobile Device policy Frequently Asked Questions April 2016
Mobile Device policy Frequently Asked Questions April 2016 In an attempt to help the St. Lawrence University community understand this policy, the following FAQ document was developed by IT in collaboration
More informationANATOMY OF AN ATTACK!
ANATOMY OF AN ATTACK! Are Your Crown Jewels Safe? Dom Kapac, Security Evangelist WHAT DO WE MEAN BY CROWN JEWELS? Crown jewels for most organizations are critical infrastructure and data Data is a valuable
More informationVulnerability Management
Vulnerability Management Service Definition Table of Contents 1 INTRODUCTION... 2 2 SERVICE OFFERINGS VULNERABILITY MANAGEMENT... 2 3 SOLUTION PURPOSE... 3 4 HOW IT WORKS... 3 5 WHAT S INCLUDED... 4 6
More informationPCI Compliance. What is it? Who uses it? Why is it important?
PCI Compliance What is it? Who uses it? Why is it important? Definitions: PCI- Payment Card Industry DSS-Data Security Standard Merchants Anyone who takes a credit card payment 3 rd party processors companies
More informationService. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution
Service SM Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution Product Protecting sensitive data is critical to being
More informationSecuring Today s Mobile Workforce
WHITE PAPER Securing Today s Mobile Workforce Secure and Manage Mobile Devices and Users with Total Defense Mobile Security Table of Contents Executive Summary..................................................................................
More informationThreat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017
Threat analysis Tuomas Aura CS-C3130 Information security Aalto University, autumn 2017 Outline What is security Threat analysis Threat modeling example Systematic threat modeling 2 WHAT IS SECURITY 3
More informationCISO View: Top 4 Major Imperatives for Enterprise Defense
CISO View: Top 4 Major Imperatives for Enterprise Defense James Christiansen Chief Information Security Officer Evantix, Inc. Gary Terrell CIPP Chief Information Security Officer Adobe Session ID: Star
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationEmployee Security Awareness Training Program
Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,
More informationmhealth SECURITY: STATS AND SOLUTIONS
mhealth SECURITY: STATS AND SOLUTIONS www.eset.com WHAT IS mhealth? mhealth (also written as m-health) is an abbreviation for mobile health, a term used for the practice of medicine and public health supported
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationWhat is Cybersecurity?
What is Cybersecurity? Protection against unauthorized access to or use of assets via electronic means Not limited to what we think of as Hacking : Fraud Prevention Misuse of Appropriate Access Important
More informationCybersecurity and Hospitals: A Board Perspective
Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,
More informationCybersecurity Conference Presentation North Bay Business Journal. September 27, 2016
Cybersecurity Conference Presentation North Bay Business Journal September 27, 2016 1 PRESENTER Francis Tam, CPA, CISM, CISA, CITP, CRISC, PCI QSA Partner Information Security and Infrastructure Practice
More informationInsider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm
Insider Threat Program: Protecting the Crown Jewels Monday, March 2, 2:15 pm - 3:15 pm Take Away Identify your critical information Recognize potential insider threats What happens after your critical
More informationOffice 365 Buyers Guide: Best Practices for Securing Office 365
Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.
More informationAchieving End-to-End Security in the Internet of Things (IoT)
Achieving End-to-End Security in the Internet of Things (IoT) Optimize Your IoT Services with Carrier-Grade Cellular IoT June 2016 Achieving End-to-End Security in the Internet of Things (IoT) Table of
More informationHow Cyber-Criminals Steal and Profit from your Data
How Cyber-Criminals Steal and Profit from your Data Presented by: Nick Podhradsky, SVP Operations SBS CyberSecurity www.sbscyber.com Consulting Network Security IT Audit Education 1 Agenda Why cybersecurity
More informationSECURING DEVICES IN THE INTERNET OF THINGS
SECURING DEVICES IN THE INTERNET OF THINGS WHEN IT MATTERS, IT RUNS ON WIND RIVER EXECUTIVE SUMMARY Security breaches at the device level in the Internet of Things (IoT) can have severe consequences, including
More informationThe Top 6 WAF Essentials to Achieve Application Security Efficacy
The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and
More informationSecurity Solutions. Overview. Business Needs
Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.
More informationProtect Your End-of-Life Windows Server 2003 Operating System
Protect Your End-of-Life Windows Server 2003 Operating System Your guide to mitigating risks in your Windows Server 2003 Systems after the end of support End of Support is Not the End of Business When
More informationCYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW
CYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW May 2018 Ed Plawecki General Counsel & Director of Government Relations UHY LLP Jamie See Manager UHY LLP Iowa Public
More informationCybersecurity It Matters to SMB
Cybersecurity It Matters to SMB Kim Bilderback GSEC, CISSP Senior Director AT&T Cybersecurity Services Theft & Loss of Brand Value Federal Sentencing Guidelines Criminal Negligence Prudent Man Rule Due
More informationPrivacy and Cyber Risk Management. Preparing Your Organization for Current and Emerging Risks
Privacy and Cyber Risk Management Preparing Your Organization for Current and Emerging Risks Privacy and Cyber Risk Management Agenda: Recognize security risks Discover the top techniques used by hackers
More informationFTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.
FTA 2017 SEATTLE Cybersecurity and the State Tax Threat Environment 1 Agenda Cybersecurity Trends By the Numbers Attack Trends Defensive Trends State and Local Intelligence What Can You Do? 2 2016: Who
More informationHow do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?
Cybersecurity Due Diligence Checklist Control # Control Name Risks Questions for IT 1 Make an Benign Case: Employees Inventory of using unapproved Authorized devices without Devices appropriate security
More informationCybersecurity and Nonprofit
Cybersecurity and Nonprofit 2 2 Agenda Cybersecurity and Non Profits Scenario #1 Scenario #2 What Makes a Difference Cyber Insurance and How it Helps Question and Answer 3 3 Cybersecurity and Nonprofit
More informationDIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018
DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL June 14, 2018 A. Overriding Objective 1.1 This Directive establishes the rules and instructions for Bank Personnel with respect to Information
More informationIntegrated Access Management Solutions. Access Televentures
Integrated Access Management Solutions Access Televentures Table of Contents OVERCOMING THE AUTHENTICATION CHALLENGE... 2 1 EXECUTIVE SUMMARY... 2 2 Challenges to Providing Users Secure Access... 2 2.1
More informationProtect Your End-of-Life Windows Server 2003 Operating System
Protect Your End-of-Life Windows Server 2003 Operating System Your guide to mitigating risks in your Windows Server 2003 Systems after the end of support End of Support is Not the End of Business When
More informationSECURING DEVICES IN THE INTERNET OF THINGS
SECURING DEVICES IN THE INTERNET OF THINGS EXECUTIVE SUMMARY Security breaches at the device level in the Internet of Things (IoT) can have severe consequences, including steep financial losses, damage
More informationREGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.
REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES Dynamic Solutions. Superior Results. PERSONALIZED HELP THAT RELIEVES THE BURDEN OF MANAGING COMPLIANCE The burden of managing risk and compliance is
More informationSecurity Terminology Related to a SOC
Security Terminology Related to a SOC Cybersecurity literacy is crucial for practicing proper security hygiene. As business leaders develop fluency in the language of information security (infosec), they
More informationCybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016
Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda Key Risks Incorporating Internal Audit Resources Questions 2 San Francisco
More informationSecuring Devices in the Internet of Things
AN INTEL COMPANY Securing Devices in the Internet of Things WHEN IT MATTERS, IT RUNS ON WIND RIVER EXECUTIVE SUMMARY Security breaches at the device level in the Internet of Things (IoT) can have severe
More informationSDR Guide to Complete the SDR
I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock
More informationSMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE
SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE Small business cybersecurity survival guide By Stephen Cobb, ESET Senior Security Researcher Computers and the internet bring many benefits to small businesses,
More informationCyber Insurance: What is your bank doing to manage risk? presented by
Cyber Insurance: What is your bank doing to manage risk? David Kitchen presented by Lisa Micciche Today s Agenda Claims Statistics Common Types of Cyber Attacks Typical Costs Incurred to Respond to an
More informationPAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) Table of Contents Introduction 03 Who is affected by PCI DSS? 05 Why should my organization comply 06 with PCI DSS? Email security requirements 08
More informationComputer Security Policy
Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1
More informationPenetration testing.
Penetration testing Penetration testing is a globally recognized security measure that can help provide assurances that a company s critical business infrastructure is protected from internal or external
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More informationKaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity
Kaspersky Enterprise Cybersecurity Kaspersky Security Assessment Services www.kaspersky.com #truecybersecurity Security Assessment Services Security Assessment Services from Kaspersky Lab. the services
More informationGuide to Network Security First Edition. Chapter One Introduction to Information Security
Guide to Network Security First Edition Chapter One Introduction to Information Security About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationChapter 1 Ethical Hacking Overview. Revised
Chapter 1 Ethical Hacking Overview Revised 8-30-17 Describe the role of an ethical hacker Describe what you can do legally as an ethical hacker Describe what you cannot do as an ethical hacker Hands-On
More informationAnnual Report on the Status of the Information Security Program
October 2, 2014 San Bernardino County Employees Retirement Association 348 W. Hospitality Lane, Third Floor San Bernardino, CA 92415-0014 1 Table of Contents I. Executive Summary... 3 A. Overview... 3
More informationHave breaches declined since the massive Heartland Payments leak in 2008? What proportion of breaches are the result of hacking?
The financial sector struggles with data leakage in part because many such organizations rely on dinosaurs - security solutions that struggle to protect data outside the corporate network. These orgs also
More informationSecurity Audit What Why
What A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site Physical configuration, environment, software, information handling processes,
More informationPrinciples of ICT Systems and Data Security
Principles of ICT Systems and Data Security Ethical Hacking Ethical Hacking What is ethical hacking? Ethical Hacking It is a process where a computer security expert, who specialises in penetration testing
More informationWhat are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards
PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,
More informationSimple and Powerful Security for PCI DSS
Simple and Powerful Security for PCI DSS The regulations AccessEnforcer helps check off your list. Most merchants think they are too small to be targeted by hackers. In fact, their small size makes them
More informationCisco Adaptive Wireless Intrusion Prevention System: Protecting Information in Motion
Cisco Adaptive Wireless Intrusion Prevention System: Protecting Information in Motion What You Will Learn The wireless spectrum is a new frontier for many IT organizations. Like any other networking medium,
More informationMIS5206-Section Protecting Information Assets-Exam 1
Your Name Date 1. Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances? a. Policies b. Standards c. Procedures d. Guidelines
More informationTeradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 12.16 EB7178 DATA SECURITY Table of Contents 2 Data Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
More informationHOW SAFE IS YOUR DATA? Micho Schumann, KPMG, Cayman Islands
HOW SAFE IS YOUR DATA? Micho Schumann, KPMG, Cayman Islands HOW SAFE IS YOUR DATA? 16 November 2017 kpmg.ky Agenda Introduction Cyber Security presentation Q&A 3 Why this presentation? 4 The CIA Triad
More informationJuniper Vendor Security Requirements
Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks
More informationAcceptable Use Policy
Acceptable Use Policy POLICY 07.01.01 Effective Date: 01/01/2015 The following are responsible for the accuracy of the information contained in this document Responsible Policy Administrator Information
More informationTroubleshooting and Cyber Protection Josh Wheeler
May 4, 2016 Troubleshooting and Cyber Protection Josh Wheeler Network Security Network Security Risks Video Network Security Risks Article Network Security Risks Data stealing or disruption of network
More information2015 VORMETRIC INSIDER THREAT REPORT
Research Conducted by Research Analyzed by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security GLOBAL EDITION #2015InsiderThreat EXECUTIVE PERSPECTIVE 1 INSIDER THREATS:
More informationEnterprise SM VOLUME 1, SECTION 5.7: SECURE MANAGED SERVICE
VOLUME 1, SECTION 5.7: SECURE MANAGED EMAIL SERVICE 5.7 SECURE MANAGED EMAIL SERVICE (SMES) [C.2.10.8] The Level 3 Team s (SMES) will meet or exceed the Government s requirements for SMES, as defined in
More informationRiskSense Attack Surface Validation for IoT Systems
RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing
More informationKeys to a more secure data environment
Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting
More informationGLBA, information security and incident response a compliance perspective
GLBA, information security and incident response a compliance perspective Introductions How many have experience with IT? How many have responsibilities involving IT? How many have responsibilities involving
More informationComplying with RBI Guidelines for Wi-Fi Vulnerabilities
A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Reserve Bank of India (RBI) guidelines
More informationBalancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld
Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice
More informationCyber Attacks and Data Breaches: A Legal and Business Survival Guide
Cyber Attacks and Data Breaches: A Legal and Business Survival Guide August 21, 2012 Max Bodoin, Vince Farhat, Shannon Salimone Copyright 2012 Holland & Knight LLP. All Rights Reserved What this Program
More informationHIPAA Regulatory Compliance
Secure Access Solutions & HIPAA Regulatory Compliance Privacy in the Healthcare Industry Privacy has always been a high priority in the health profession. However, since the implementation of the Health
More informationSMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE
SMALL BUSINESS CYBERSECURITY SURVIVAL GUIDE Small business cybersecurity survival guide By Stephen Cobb, ESET Senior Security Researcher Computers and the internet bring many benefits to small businesses,
More informationSecurity of Personal and Financial Information.
Security of Personal and Financial Information Randy Marchany Chief IT Security Officer Director, IT Security Lab VA Tech IT Security Office & Lab www.security.vt.edu 5 Things You Need To Know What/Where
More informationWho We Are! Natalie Timpone
Who We Are! Natalie Timpone Manager of Security Business Management Office Enterprise Security Awareness Manager Carmelo Walsh Security, Risk, and Compliance Security Awareness Subject Matter Expert Who
More informationMitigating Security Breaches in Retail Applications WHITE PAPER
Mitigating Security Breaches in Retail Applications WHITE PAPER Executive Summary Retail security breaches have always been a concern in the past, present and will continue to be in the future. They have
More informationInformation Technology Cyber Security Policy. Convergint Technologies, LLC
Information Technology Cyber Security Policy Convergint Technologies, LLC September 2015 Convergint Technologies, LLC POLICY MANUAL Subject: CYBER SECURITY POLICY Approved: Tom Schmitt Effective Date:
More informationsecurity FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.
security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name. Security for Your Business Mitigating risk is a daily reality for business owners, but you don t have
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More informationTracking and Reporting
Secure File Transfer Tracking and Reporting w w w. b i s c o m. c o m 321 Billerica Road, Chelmsford, MA phone: 978-250-1800 email: sales@biscom.com EXECUTIVE SUMMARY The Internet has made it easier than
More informationSECURE DATA EXCHANGE
POLICY-DRIVEN SOLUTIONS FOR SECURE DATA EXCHANGE Sending and receiving data is a fundamental part of daily business for nearly every organization. Companies need to share financial transaction details,
More information