Who Are The Enemies? What Can They Do?

Size: px
Start display at page:

Download "Who Are The Enemies? What Can They Do?"

Transcription

1 Who Are The Enemies? What Can They Do? Internet Software Security Issues in the Software Development Process Dr Charles P Pfleeger Pfleeger Consulting Group

2 Overview WAMPS Workshop Anual do MPS 2

3 Overview Security Process Many Kinds of Threat Agents Countering Threats Software Process Improving Security in Software WAMPS Workshop Anual do MPS 3

4 What Developers Should Know about Security WAMPS Workshop Anual do MPS 4

5 What Developers Should Know about Security Security is not automatic People and situations are hostile Security can be tricky No magic technique or checklist leads to security BUT security can be compatible with good development processes WAMPS Workshop Anual do MPS 5

6 Security Considerations Goals Threats and Vulnerabilities Method + Opportunity + Motive Controls WAMPS Workshop Anual do MPS 6

7 What Security Is Confidentiality information available for reading only when authorized Integrity information available for modification only when authorized Availability information available for use when authorized

8 Threat Sources WAMPS Workshop Anual do MPS 8

9 Threat Sources Natural Fire, flood, hardware failure Human Unintentional Errors (accidental file deletion) Omissions (missing data) Intentional Outsiders Insiders WAMPS Workshop Anual do MPS 9

10 Method + Opportunity + Motive WAMPS Workshop Anual do MPS 10

11 Method + Opportunity + Motive Method tools, techniques, knowledge Opportunity access, ability work factor: difficulty, time Motive reason (if any) WAMPS Workshop Anual do MPS 11

12 Types of Harm WAMPS Workshop Anual do MPS 12

13 Types of Harm Confidentiality Reveal private data Integrity Damage or delete data Availability Denial of access or service WAMPS Workshop Anual do MPS 13

14 Controls Physical Guards, fences, sprinklers Administrative Logical Policies, laws Technical Devices (login tokens) Software (intrusion monitors) Combinations (network monitoring) WAMPS Workshop Anual do MPS 14

15 Why Security is Hard (1) The defender must counter all threats; an attacker needs only one vulnerability Developers can introduce/allow flaws without knowing it Testing may not demonstrate security Harm can come from intentional or unintentional causes WAMPS Workshop Anual do MPS 15

16 Why Security is Hard (2) Is 1000 the same as 1,000? Is invisible text acceptable? Does efficiency or inefficiency matter? Does order matter? WAMPS Workshop Anual do MPS 16

17 Why Security is Hard (3) How can you demonstrate protection? How can you justify spending for security? Security is not just a set of features WAMPS Workshop Anual do MPS 17

18 Security Conclusions WAMPS Workshop Anual do MPS 18

19 Security Conclusions No one person or group alone can be responsible for security Solid security is not added at the end Security is hard WAMPS Workshop Anual do MPS 19

20 Security Design Concepts WAMPS Workshop Anual do MPS 20

21 Security Design Concepts Common sense Saltzer and Schroeder documented and published in 1975 Others (Viega & McGraw, Howard & LeBlanc, NIST, OWASP, more) build on Saltzer and Schroeder WAMPS Workshop Anual do MPS 21

22 Saltzer and Schroeder Economy of mechanism Fail safe defaults Complete mediation Open design Separation of privilege Least privilege, permission-based Least common mechanism Ease of use WAMPS Workshop Anual do MPS 22

23 Viega and McGraw Secure the weakest link Keep it simple Promote privacy Remember that hiding secrets is hard Be reluctant to trust Use community resources WAMPS Workshop Anual do MPS 23

24 Howard and LeBlanc Minimize attack surface Assume external systems are insecure Security features are not the same as secure features Don t mix code and data Plan for failure Learn from mistakes Backward compatibility is tricky Fix security issues correctly WAMPS Workshop Anual do MPS 24

25 Security Control Philosophy WAMPS Workshop Anual do MPS 25

26 Security Control Philosophy Secure perimeter Control of users and environment (devices, software) Defense in depth Perfect (secure) software WAMPS Workshop Anual do MPS 26

27 Web Characteristics WAMPS Workshop Anual do MPS 27

28 Web Characteristics Wide availability, to the masses Mandatory presence Very low cost of entry Very low skill to enter Low genetic diversity Very rapid technology turnover High demand for oh, wow WAMPS Workshop Anual do MPS 28

29 Software Development vs. the Web Orderly, managed process Well-defined system Well-defined requirements Integrated testing Continuous improvement Controllable => securable Unmanaged No perimeter; constant change Programs usedreused for any situation Testing varies Little feedback Uncontrolled => unsecured WAMPS Workshop Anual do MPS 29

30 Some Sources of Computer Incidents Errors Insiders Nonmalicious and malicious Hackers Organizations Terrorists WAMPS Workshop Anual do MPS 30

31 Errors WAMPS Workshop Anual do MPS 31

32 Errors Humans are human Errors are unintentional Pressure, distraction, confusion Random WAMPS Workshop Anual do MPS 32

33 Insiders WAMPS Workshop Anual do MPS 33

34 Insiders Insiders account for much harm Many insiders, many actions Much power Most insider harm is unintentional Intentional harm from anger, payoff, values conflict WAMPS Workshop Anual do MPS 34

35 Hackers WAMPS Workshop Anual do MPS 35

36 Hackers Individuals, loose federations Motivation Personal Objective Experience, fame Impact Modest Sometimes accidental side effects WAMPS Workshop Anual do MPS 36

37 Hackers Motivations Selfgratification, addiction, espionage, theft, profit, vengeance, sabotage, freedom, 27% Challenge, knowledge, pleasure, 49% Recognition, excitement (illegal activity), friendship, 24% Denning 1999, citing Chantler WAMPS Workshop Anual do MPS 37

38 Disturbing Hacker Trends ~0-day exploits Bagle, Netsky, Zafi worm writers join forces Enormous botnets for rent Conficker very sophisticated; evolving WAMPS Workshop Anual do MPS 38

39 Organized Crime Organized bureaucracies (computer work is only one activity) Motivation Financial Objective Fraud, extortion Impact e.g., identity theft, credit WAMPS Workshop Anual do MPS 39

40 Intelligence Services Motivation Data: political, economic, military Objective needs of military during engagement about potentially hostile nations transnational threats (drugs, WMD) Mostly to learn Sometimes to influence world Occasionally to act WAMPS Workshop Anual do MPS 40

41 Terrorists WAMPS Workshop Anual do MPS 41

42 Terrorists Motivation Ideological, political Objective Intelligence gathering Psychological fear, panic, persuasion, misinformation Mass annoyance to mass disruption WAMPS Workshop Anual do MPS 42

43 Cyber Warfare Activities Disruption Sabotage Denial of service Misinformation Deception WAMPS Workshop Anual do MPS 43

44 Uses of Computers in Terrorism Disseminate information web pages, desktop publishing Communicate with each other Gather, hold, analyze information data mining, web browsing Target computers (uncommon) unauthorized access (read, write, delete) denial of service WAMPS Workshop Anual do MPS 44

45 Why Cyber-Advertising (and Spam) Is Attractive Remote operation, anonymous Massive reach, low cost Agile, easy to change, tune Message tuned to audience (coupled with data mining) Novel campaign garners media attention WAMPS Workshop Anual do MPS 45

46 Why Cyber-Terrorism Is Also Attractive Remote operation, anonymous Massive reach, low cost Agile, easy to change, tune Message tuned to audience (coupled with data mining) Novel campaign garners media attention WAMPS Workshop Anual do MPS 46

47 The Medium Is the Message The Internet may be worth more as a communications medium than a target Individual nodes or whole subdomains can still be targets WAMPS Workshop Anual do MPS 47

48 Lessons (To Be) Learned Evidence of vulnerability is visible to others Attackers work together Talk (articles, blogs) may alert them to weaknesses WAMPS Workshop Anual do MPS 48

49 Recent Events 2008 attack on firewall of China Apparently political 2006 top level domain server DOS attack 2002 disabled 8/13 root name servers Apparently a simple ICMP packet flood 2007 attack on Estonia web Motive unknown; testing? 2003 power blackout in NE Canada, US Apparently tree limbs, cascading errors 2000 attack on wastewater treatment control center Apparently a disgruntled former employee WAMPS Workshop Anual do MPS 49

50 Interdependent Risk One company, two divisions, both at risk of catastrophic (company) failure If Division 1 invests in risk-reduction, it remains at risk unless Division 2 does also In fact, Division 1 s investment is wasteful if Division 2 does not invest What is incentive for an interdependent multi-corporation industry (power, finance, telecommunications) to invest in security? WAMPS Workshop Anual do MPS 50

51 Playing Security Analyst: A Smart Terrorist Would Plan, research, experiment Plant attacks today for use tomorrow Diversify the approach Implement multiple concurrent attacks Use different approaches to come from all directions WAMPS Workshop Anual do MPS 51

52 Software Process WAMPS Workshop Anual do MPS 52

53 Software Process Models MPS.BR CMMI ISO 9000 Others WAMPS Workshop Anual do MPS 53

54 Common Aspects Establish an organizational policy Plan and define a process Monitor and control the process Evaluate adherence Collect improvement information Correct root causes of problems Ensure continuous improvement WAMPS Workshop Anual do MPS 54

55 Basic Process Areas WAMPS Workshop Anual do MPS 55

56 Basic Process Areas Requirements development Project planning Project monitoring and control Measurement and analysis Process and product quality assurance Configuration management WAMPS Workshop Anual do MPS 56

57 Measurement WAMPS Workshop Anual do MPS 57

58 Measurement What is important to measure How to measure it How precise the measurement must be How to interpret the measurement How to use measurement to improve WAMPS Workshop Anual do MPS 58

59 System Development Controls System development lifecycle Requirements determination Protection specifications development Design review System test review Certification and accreditation Service level agreement WAMPS Workshop Anual do MPS 59

60 Conclusions: What to Do? WAMPS Workshop Anual do MPS 60

61 What to Do: Process Requirements development Project planning Project monitoring and control Measurement and analysis Process and product quality assurance Configuration management Include security requirements Security overseer Threat control analysis Security control coverage Security testing at all stages Security review prior to stage release WAMPS Workshop Anual do MPS 61

62 What to Do: Design Include security from the start Make security trade-off decisions visible and based on balance of competing factors Ensure a security expert is integral part of design team Ensure that project team members are all sensitive to security WAMPS Workshop Anual do MPS 62

63 What to Do: Measurement What is important to measure How to measure it How precise the measurement must be How to interpret the measurement WAMPS Workshop Anual do MPS 63

Practical Steps To Securing Process Control Networks

Practical Steps To Securing Process Control Networks Practical Steps To Securing Process Control Networks Villanova University Seminar Rich Mahler Director, Commercial Cyber Solutions Lockheed Martin Lockheed Martin Corporation 2014. All Rights Reserved.

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2006

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2006 CSE331: Introduction to Networks and Security Lecture 1 Fall 2006 Basic Course Information Steve Zdancewic lecturer Web: http://www.cis.upenn.edu/~stevez E-mail: stevez@cis.upenn.edu Office hours: Tues.

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Cyber Adversary Characterization. Know thy enemy!

Cyber Adversary Characterization. Know thy enemy! Cyber Adversary Characterization Know thy enemy! Brief History of Cyber Adversary Modeling Mostly Government Agencies. Some others internally. Workshops DARPA 2000 Other Adversaries, RAND 1999-2000 Insider

More information

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT Chandramohan Muniraman, University of Houston-Victoria, chandram@houston.rr.com Meledath Damodaran, University of Houston-Victoria, damodaranm@uhv.edu

More information

BBM 461: SECURE PROGRAMMING INTRODUCTION. Ahmet Burak Can

BBM 461: SECURE PROGRAMMING INTRODUCTION. Ahmet Burak Can BBM 461: SECURE PROGRAMMING INTRODUCTION 1 Ahmet Burak Can COURSE MATERIAL Counter Hack Reloaded:A Step-by- Step Guide to Computer Attacks and Effective Defenses, Edward Skoudis, Tom Liston, Prentice Hall

More information

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Internet Safety and Security: Strategies for Building an Internet Safety Wall Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet

More information

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1 Threats and Attacks Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to:

More information

Business Case. for an. Information Security Awareness Program

Business Case. for an. Information Security Awareness Program Business Case (BS.ISAP.01) 1 (9) Business Case for an Information Security Business Case (BS.ISAP.01) 2 Contents 1. Background 3 2. Purpose of This Paper 3 3. Business Impact 3 4. The Importance of Security

More information

esoft Technical White Paper: Who Needs Firewall Protection?

esoft Technical White Paper: Who Needs Firewall Protection? esoft Technical White Paper: Who Needs Firewall Protection? "Without the protection of a firewall, which serves as a buffer between an organization s internal network and myriad external networks including

More information

What is Really Needed to Secure the Internet of Things?

What is Really Needed to Secure the Internet of Things? What is Really Needed to Secure the Internet of Things? By Alan Grau, Icon Labs alan.grau@iconlabs.com The Internet of Things (IoT) has become a ubiquitous term to describe the tens of billions of devices

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

Course mechanics. CS 458 / 658 Computer Security and Privacy. Course website. Additional communication

Course mechanics. CS 458 / 658 Computer Security and Privacy. Course website. Additional communication CS 458 / 658 Computer Security and Privacy Module 1 Introduction to Computer Security and Privacy Fall 2008 Course mechanics Instructor: Ian Goldberg Contact info: http://www.cs.uwaterloo.ca/ iang/ Office

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Information Security By Bhupendra Ratha, Lecturer School of Library & Information Science D.A.V.V., Indore E-mail:bhu261@gmail.com Outline of Information Security Introduction Impact of information Need

More information

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services 1. Computer Security: An Introduction Definitions Security threats and analysis Types of security controls Security services Mar 2012 ICS413 network security 1 1.1 Definitions A computer security system

More information

NETWORK SECURITY ASPECTS & VULNERABILITIES

NETWORK SECURITY ASPECTS & VULNERABILITIES NETWORK SECURITY ASPECTS & VULNERABILITIES Luis Sousa Cardoso FIINA President Brdo pri Kranju, 19. in 20. maj 2003 1 Background Importance of Network Explosive growth of computers and network - To protect

More information

Cyber Security Where Do I Begin?

Cyber Security Where Do I Begin? ISPE Automation Forum Cyber Security Where Do I Begin? Don Dickinson Project Engineer Phoenix Contact ..50% more infected Web pages Click in the on one last and three you months won t of notice 2008 than

More information

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals Learning Objective Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Hackers: Detection and Prevention

Hackers: Detection and Prevention Computer Networks & Computer Security SE 4C03 Project Report Hackers: Detection and Prevention Due Date: March 29 th, 2005 Modified: March 28 th, 2005 Student Name: Arnold Sebastian Professor: Dr. Kartik

More information

Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D. 18th Annual Space & Missile Defense Symposium IAMD Evolution and Integration/Key Topic: Predictive Cyber Threat Analysis Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

More information

Federal Bureau of Investigation

Federal Bureau of Investigation Federal Bureau of Investigation SSA John Caruthers Cyber Criminal Section SSA Kenneth Schmutz Cyber National Security Section April 11, 2012 FBI Mission Cyber Threats FBI Response 1. Protect the United

More information

Type Threats Origin. Destruction of equipment or media. Dust, corrosion, freezing. Climatic phenomenon. Seismic phenomenon. Volcanic phenomenon

Type Threats Origin. Destruction of equipment or media. Dust, corrosion, freezing. Climatic phenomenon. Seismic phenomenon. Volcanic phenomenon nnex C (informative) xamples of typical threats The following table gives examples of typical threats. The list can be used during the threat assessment process. Threats may be deliberate, accidental or

More information

Cyber Risks and Insurance Solutions Malaysia, November 2013

Cyber Risks and Insurance Solutions Malaysia, November 2013 Cyber Risks and Insurance Solutions Malaysia, November 2013 Dynamic but vulnerable IT environment 2 Cyber risks are many and varied Malicious attacks Cyber theft/cyber fraud Cyber terrorism Cyber warfare

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft) 1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction

More information

Penetration Testing in Romania

Penetration Testing in Romania Penetration Testing in Romania Adrian Furtunǎ, Ph.D. 11 October 2011 Romanian IT&C Security Forum Agenda About penetration testing Examples Q & A 2 What is penetration testing? Method for evaluating the

More information

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs EXECUTIVE SUMMARY Supervisory Control and Data Acquisition (SCADA) systems are used for remote

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

Cybersecurity Awareness. Part 1

Cybersecurity Awareness. Part 1 Part 1 Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat

More information

Information Security. CS526 Topic 1

Information Security. CS526 Topic 1 Information Security CS 526 Topic 1 Overview of the Course 1 Today s Security News Today: 220 million records stolen, 16 arrested in massive South Korean data breach A number of online gaming & movie ticket

More information

OPC & Security Agenda

OPC & Security Agenda OPC & Security Agenda Cyber Security Today Cyber Security for SCADA/IS OPC Security Overview OPC Security Products Questions & Answers 1 Introduction CYBER SECURITY TODAY The Need for Reliable Information

More information

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Guidelines for Website Security and Security Counter Measures for e-e Governance Project and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online

More information

The Battlefield. critical infrastructure:

The Battlefield. critical infrastructure: CIP A Business View Rolf Schulz CEO Definition critical infrastructure: 1. Elements of a system that are so vital that disabling any of them would incapacitate the entire system. 2. [In security,] those

More information

Design Principles for Protection Mechanisms. Security Principles. Economy of Mechanism. Least Privilege. Complete Mediation. Economy of Mechanism (2)

Design Principles for Protection Mechanisms. Security Principles. Economy of Mechanism. Least Privilege. Complete Mediation. Economy of Mechanism (2) Security Principles Design Principles for Protection Mechanisms Security is a system requirement just like performance, capability, cost, etc. Therefore, it may be necessary to trade off certain security

More information

Cyber Security & State Energy Assurance Plans

Cyber Security & State Energy Assurance Plans Cyber Security & State Energy Assurance Plans Michigan Cyber Summit 2011 Friday, October 7, 2011 Jeffrey R. Pillon, Director of Energy Assurance National Association of State Energy Officials What is Energy

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Cybersecurity for the C-Level

Cybersecurity for the C-Level Cybersecurity for the C-Level Director Glossary of Defined Cybersecurity Terms A Active Attack An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources,

More information

Presented by Evan Sylvester, CISSP

Presented by Evan Sylvester, CISSP Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information

More information

Cyril Onwubiko Networking and Communications Group http://ncg. ncg.kingston.ac.

Cyril Onwubiko Networking and Communications Group http://ncg. ncg.kingston.ac. Cyril Onwubiko Networking and Communications Group http://ncg ncg.kingston.ac..ac.uk http://ncg.kingston.ac.uk +44 (0)20 8547 2000 Security Threats & Vulnerabilities in assets are two most fundamental

More information

Data Security Concerns for the Electric Grid

Data Security Concerns for the Electric Grid Data Security Concerns for the Electric Grid Data Security Concerns for the Electric Grid The U.S. power grid infrastructure is a vital component of modern society and commerce, and represents a critical

More information

The Four-Step Guide to Understanding Cyber Risk

The Four-Step Guide to Understanding Cyber Risk Lifecycle Solutions & Services The Four-Step Guide to Understanding Cyber Risk Identifying Cyber Risks and Addressing the Cyber Security Gap TABLE OF CONTENTS Introduction: A Real Danger It is estimated

More information

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant How Security Testing can ensure Your Mobile Application Security Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant Once More Consulting & Advisory Services IT Governance IT Strategic

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte Cyber security Time for a new paradigm Stéphane Hurtaud Partner Information & Technology Risk Deloitte 90 More than ever, cyberspace is a land of opportunity but also a dangerous world. As public and private

More information

Protecting Organizations from Cyber Attack

Protecting Organizations from Cyber Attack Protecting Organizations from Cyber Attack Cliff Glantz and Guy Landine Pacific Northwest National Laboratory (PNNL) PO Box 999 Richland, WA 99352 cliff.glantz@pnnl.gov guy.landine@pnnl.gov 1 Key Topics

More information

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 Outline Infosec, COMPUSEC, COMSEC, and Network Security Why do we need Infosec and COMSEC? Security

More information

Capabilities for Cybersecurity Resilience

Capabilities for Cybersecurity Resilience Capabilities for Cybersecurity Resilience In the Homeland Security Enterprise May 2012 DHS Cybersecurity Strategy A cyberspace that: Is Secure and Resilient Enables Innovation Protects Public Advances

More information

Network Security Threat Matrix May 2004

Network Security Threat Matrix May 2004 May 2004 By Lawrence Allhands BlueMotorcycle Consulting 650/704-4821 2830 Flores #18 San Mateo, CA 94403 http://www.bluemotorcycle.com Abstract Know your enemy If you know the enemy and know yourself,

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

Results Oriented Change Management

Results Oriented Change Management Results Oriented Change Management Validating Change Policy through Auditing Abstract Change management can be one of the largest and most difficult tasks for a business to implement, monitor and control

More information

CS 458 / 658 Computer Security and Privacy. Course mechanics. Course website. Module 1 Introduction to Computer Security and Privacy.

CS 458 / 658 Computer Security and Privacy. Course mechanics. Course website. Module 1 Introduction to Computer Security and Privacy. CS 458 / 658 Computer Security and Privacy Module 1 Introduction to Computer Security and Privacy Spring 2013 Course mechanics Instructor: Ian Goldberg https://cs.uwaterloo.ca/ iang/ Office hours: Thursdays

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

ITAR Compliance Best Practices Guide

ITAR Compliance Best Practices Guide ITAR Compliance Best Practices Guide 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: International Traffic in Arms Regulations

More information

What is Cyber Liability

What is Cyber Liability What is Cyber Liability Ubiquitous Warfare Espionage Media Operational Data Security and Privacy Tech 1 Data Security and Privacy Data Breach Response Costs Privacy Regulatory Action Civil Litigation INSURABLE

More information

Institute of Internal Auditors Cyber Security. Birmingham Event 15 th May 2014 Jason Alexander

Institute of Internal Auditors Cyber Security. Birmingham Event 15 th May 2014 Jason Alexander Institute of Internal Auditors Cyber Security Birmingham Event 15 th May 2014 Jason Alexander Introduction Boards growing concern with Cyber Risk Cyber risk is not new, but incidents have increased in

More information

Appendix A: Gap Analysis Spreadsheet. Competency and Skill List. Critical Thinking

Appendix A: Gap Analysis Spreadsheet. Competency and Skill List. Critical Thinking Appendix A: Gap Analysis Spreadsheet Competency and Skill List Competency Critical Thinking Data Collection & Examination Communication & Collaboration Technical Exploitation Information Security Computing

More information

Security and Privacy

Security and Privacy Security and Privacy Matthew McCormack, CISSP, CSSLP CTO, Global Public Sector, RSA The Security Division of EMC 1 BILLIONS OF USERS MILLIONS/BILLIONS OF APPS 2010 Cloud Big Data Social Mobile Devices

More information

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime? Cyber Warfare David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Cyber crime is the fastest growing economic crime up more than 2300% since 2009 1 in 10 companies

More information

IBM i2 Enterprise Insight Analysis for Cyber Analysis

IBM i2 Enterprise Insight Analysis for Cyber Analysis IBM i2 Enterprise Insight Analysis for Cyber Analysis Protect your organization with cyber intelligence Highlights Quickly identify threats, threat actors and hidden connections with multidimensional analytics

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco. The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco. 1 Calling All CEOs Are You Ready to Defend the Battlefield of the 21st Century? It is not the norm for corporations to be

More information

Bellevue University Cybersecurity Programs & Courses

Bellevue University Cybersecurity Programs & Courses Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320

More information

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's: Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

Cyber Security for SCADA/ICS Networks

Cyber Security for SCADA/ICS Networks Cyber Security for SCADA/ICS Networks GANESH NARAYANAN HEAD-CONSULTING CYBER SECURITY SERVICES www.thalesgroup.com Increasing Cyber Attacks on SCADA / ICS Systems 2 What is SCADA Supervisory Control And

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

10 Smart Ideas for. Keeping Data Safe. From Hackers

10 Smart Ideas for. Keeping Data Safe. From Hackers 0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief RSA SecurID Authentication in Action: Securing Privileged User Access RSA SecurID solutions not only protect enterprises against access by outsiders, but also secure resources from internal threats The

More information

Secure By Design: Security in the Software Development Lifecycle

Secure By Design: Security in the Software Development Lifecycle Secure By Design: Security in the Software Development Lifecycle Twin Cities Rational User s Group Security Briefing by Arctec Group (www.arctecgroup.net) Integrating Security into Software Development

More information

Internet security: Shutting the doors to keep hackers off your network

Internet security: Shutting the doors to keep hackers off your network Internet security: Shutting the doors to keep hackers off your network A Paralogic Networks Guide www.scholarisintl.com Introduction Like all revolutionary steps in technological development the Internet

More information

Cybersecurity Definitions and Academic Landscape

Cybersecurity Definitions and Academic Landscape Cybersecurity Definitions and Academic Landscape Balkrishnan Dasarathy, PhD Program Director, Information Assurance Graduate School University of Maryland University College (UMUC) Email: Balakrishnan.Dasarathy@umuc.edu

More information

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014 Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion

More information

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun CSCI 454/554 Computer and Network Security Instructor: Dr. Kun Sun About Instructor Dr. Kun Sun, Assistant Professor of Computer Science http://www.cs.wm.edu/~ksun/ Phone: (757) 221-3457 Email: ksun@wm.edu

More information

privileged identities management best practices

privileged identities management best practices privileged identities management best practices abstract The threat landscape today requires continuous monitoring of risks be it industrial espionage, cybercrime, cyber-attacks, Advanced Persistent Threat

More information

Promoting Network Security (A Service Provider Perspective)

Promoting Network Security (A Service Provider Perspective) Promoting Network Security (A Service Provider Perspective) Prevention is the Foundation H S Gupta DGM (Technical) Data Networks, BSNL hsgupta@bsnl.co.in DNW, BSNL 1 Agenda Importance of Network Security

More information

REV: 0.1.1 (July 2011) McAfee Security: Intrusion Prevention System

REV: 0.1.1 (July 2011) McAfee Security: Intrusion Prevention System McAfee Security: Intrusion Prevention System REV: 0.1.1 (July 2011) 1 Contents 1. McAfee Network Security Platform...3 2. McAfee Host Intrusion Prevention for Server...4 2.1 Network IPS...4 2.2 Workload

More information

Unit 3 Cyber security

Unit 3 Cyber security 2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 1 September 2015 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning hours:

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

The Human Factor of Cyber Crime and Cyber Security

The Human Factor of Cyber Crime and Cyber Security The Human Factor of Cyber Crime and Cyber Security Challenges: September 11th has marked an important turning point that exposed new types of security threats and disclosed how cyber criminals pursuit

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

Risk Assessment Guide

Risk Assessment Guide KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment

More information

Microsoft s cybersecurity commitment

Microsoft s cybersecurity commitment Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade

More information

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery Disaster Recovery 1.1 Introduction Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and

More information

Security Goals Services

Security Goals Services 1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance;

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12 Trends in Malware DRAFT OUTLINE Presentation Synopsis Security is often a game of cat and mouse as security professionals and attackers each vie to stay one step ahead of the other. In this race for dominance,

More information

IQware's Approach to Software and IT security Issues

IQware's Approach to Software and IT security Issues IQware's Approach to Software and IT security Issues The Need for Security Security is essential in business intelligence (BI) systems since they have access to critical and proprietary enterprise information.

More information

Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com

Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices

More information

Designing & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012

Designing & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012 Designing & Implementing Enterprise Security Programs MBA Bank Expo 2012 April 11, 2012 Session Purpose G R O U P Premise: Security is institutionalized, but the enterprise is evolving. the enterprise

More information

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics SBA Cybersecurity for Small Businesses 1.1 Introduction Welcome to SBA s online training course: Cybersecurity for Small Businesses. SBA s Office of Entrepreneurship Education provides this self-paced

More information

AB 1149 Compliance: Data Security Best Practices

AB 1149 Compliance: Data Security Best Practices AB 1149 Compliance: Data Security Best Practices 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: AB 1149 is a new California

More information

Getting real about cyber threats: where are you headed?

Getting real about cyber threats: where are you headed? Getting real about cyber threats: where are you headed? Energy, utilities and power generation companies that understand today s cyber threats will be in the best position to defeat them June 2011 At a

More information

Cyber Security and Critical Information Infrastructure

Cyber Security and Critical Information Infrastructure Cyber Security and Critical Information Infrastructure Dr. Gulshan Rai Director General Indian Computer Emergency Response Team (CERT- In) grai [at] cert-in.org.in The Complexity of Today s Network Changes

More information

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:

More information