Ehsan Foroughi M.Sc., CISSP, CISM. Availability Confidentiality Integrity.
Slide 1: Internet Security: Past, Present, and the Future
Ehsan Foroughi, M.Sc., CISSP, CISM
Slide 2: Information Security Triad (CIA)
Confidentiality, Integrity, Availability
Slide 3: Security Concepts
Confidentiality, Integrity, Availability, Authenticity, Non-repudiation
Ref: Wikipedia
Slide 4: Cyber Security in Canada
Slide 5: Cost of Cyber Crime
Cybercrime cost businesses in the US $8.9 B in 2012, an increase of 38% from 2010
On average, security breaches:
◦ Take 24 days to spot
◦ Take 40 days to clean
◦ Take $592,000 to clean up per incident
◦ Cleanup cost increased 42% from 2011
In a study of 56 organizations:
◦ $8.9M in cyber security/crime cost per organization per year
◦ Security tools lowered cost by $1.6M
Slide 6: Cost of Cyber Crime
Chart: Average Cost of Cyber Security Attacks Per Second By Industry
Ref: Enlight Research
Slide 7: Targeted Attacks
Ref: HP Ponemon Report
Slide 8: Incidents
TJX Companies: 94 million credit card numbers exposed (2006)
Conficker Worm Botnet: affected 15M systems at its peak (2008)
Heartland Payment Systems: 134 million credit card records lost (2008)
Stuxnet attack on Iran nuclear plants: damage cost ?? (2010)
Sony network breach of 77M accounts, cost $171M (2011)
Slide 9: Cost of Cyber Crime
Biggest hit to businesses (pie chart):
Lost Information 44%
Business Disruption 30%
Lost Revenue 19%
Equipment Damage 5%
Other 2%
Ref: Businessweek
Slide 10: Subject Areas in Cyber Security
Infrastructure Security (Network / Internet Security)
Application Security
Physical Security (Environmental Security)
Operational and Process Security
Cryptography
e-Forensics
Governance & Compliance
Business Continuity and Disaster Recovery Planning (BCP / DRP)
Slide 11: Internet Security Threats
Vulnerability (Weakness):
◦ Insecure Design / Architecture
◦ Software Bugs (Errors)
Spoofing / Phishing
Malware
Denial of Service
Slide 12: Software Bugs: Buffer Overflow
    int main() {
        char buffer[4];
        int some_variable = 1;
        ...
        strcpy(buffer, "Test");   /* "Test" plus its NUL terminator is 5 bytes; buffer holds 4 */
    }
Memory after the copy: T e s t \0 (the fifth byte is written past the end of buffer)
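As an added example (not code from the slide deck), the following shows the bounded copy a defender would substitute for the slide's strcpy. copy_bounded is a hypothetical helper: it never writes beyond the destination size, always NUL-terminates, and reports truncation instead of overflowing; neighbour_after_copy re-creates the slide's layout of a 4-byte buffer next to another variable so the caller can confirm the neighbour is left untouched.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical drop-in for the slide's strcpy. Copies at most dst_size-1
 * bytes and always NUL-terminates. Returns 1 if src fitted, 0 if it had to
 * be truncated (the case in which strcpy would have overflowed). */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return 0;
    if (len >= dst_size) {              /* src plus its NUL does not fit */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);          /* copy the terminator too */
    return 1;
}

/* Re-creates the slide's layout: a 4-byte buffer followed by another
 * variable. Returns that variable's value after the copy so a caller can
 * check that the neighbouring memory was not overwritten. */
int neighbour_after_copy(const char *src)
{
    struct {
        char buffer[4];
        int some_variable;
    } frame = { {0}, 1 };

    copy_bounded(frame.buffer, sizeof frame.buffer, src);
    return frame.some_variable;
}

int main(void)
{
    char buffer[4];
    int fitted = copy_bounded(buffer, sizeof buffer, "Test");
    printf("copied \"%s\", fitted=%d, neighbour=%d\n",
           buffer, fitted, neighbour_after_copy("Test"));
    return 0;
}
```

With the slide's input, copy_bounded stores "Tes", reports truncation, and leaves some_variable at 1; the truncation flag is what the calling code should act on (reject the input or allocate more), rather than silently accepting a shortened string.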
Slide 13: Software Bugs: Race Condition
    def Withdraw(user, value):
        balance = AccountBalance(user)
        if balance < value:
            Exit(Error)
        balance = balance - value
        AccountBalance(user) = balance
        PayOut(value)
        Exit(Ok)
Slide 14: Software Bugs: Race Condition (same code as slide 13)
Diagram: two Withdraw calls of $90 against a balance of $100, run one after the other; the first reads $100 and writes back $10, the second then reads $10.
Slide 15: Software Bugs: Race Condition (same code as slide 13)
Diagram: the same two $90 withdrawals interleaved; both read $100 before either writes, both pass the check, and both write back $10.
Slide 16: Software Bugs: Race Condition (same code as slide 13)
Diagram: both calls read $100, both write back $10, and PayOut(90) runs twice.
2003 Blackout
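The interleaving on slides 15 and 16 can be reproduced deterministically. The following is an added example, not code from the slides: Account is a constructed in-memory stand-in for the slide's AccountBalance and PayOut, withdraw_unsafe keeps the slide's read-check-write sequence (with a hook so two threads can be forced to both read before either writes), and withdraw_safe holds a lock across the check and the write so the sequence becomes atomic.

```python
import threading


class Account:
    """Constructed in-memory account used in place of the slide's AccountBalance/PayOut."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_unsafe(self, value, after_read=None):
        """Same shape as the slide: read, check, compute, write, pay out."""
        balance = self.balance          # read (may be stale by the time we write)
        if after_read is not None:
            after_read()                # hook used below to force the bad interleaving
        if balance < value:
            return False                # Exit(Error)
        balance = balance - value
        self.balance = balance          # write back a value computed from the stale read
        return True                     # PayOut(value); Exit(Ok)

    def withdraw_safe(self, value):
        """Check and write happen under one lock, so no other withdrawal can slip in between."""
        with self._lock:
            if self.balance < value:
                return False
            self.balance -= value
            return True


def run_two_withdrawals(account, method, value):
    """Run two withdrawals of `value` in parallel threads.

    On the unsafe path a barrier makes both threads finish their read before
    either writes, which is the interleaving the slide's diagram shows.
    Returns (final balance, total paid out).
    """
    barrier = threading.Barrier(2)
    results = []

    def worker():
        if method == "unsafe":
            ok = account.withdraw_unsafe(value, after_read=lambda: barrier.wait(timeout=5))
        else:
            ok = account.withdraw_safe(value)
        results.append(ok)              # list.append is safe to call from both threads

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance, value * sum(results)


if __name__ == "__main__":
    print("unsafe:", run_two_withdrawals(Account(100), "unsafe", 90))  # (10, 180)
    print("safe:  ", run_two_withdrawals(Account(100), "safe", 90))    # (10, 90)
```

The unsafe path pays out $180 from a $100 balance and leaves $10 behind, exactly the slide's picture; the locked path pays out once and rejects the second request. In a real system the same effect is obtained with a database transaction or an atomic compare-and-set on the balance rather than an in-process lock.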
Slide 17: Malware
Trojan Horses, Viruses, Worms, Rootkits, Botnets, Spyware
Slide 18: Malware: Goals
Sending Spam Email
Stealing Passwords and Information
Using Resources
Slide 19: Malware: Transfer Mediums
USB Disk
Shared Network Drives
Pop-ups and download links
Insecure Network
Slide 20: Denial of Service
Distributed Denial of Service Attack
Grudge factor
Oct 2012 attack on banks by Izz ad-Din al-Qassam hackers:
◦ CapitalOne
◦ HSBC
◦ SunTrust
Anonymous group crippled Visa, MasterCard, PayPal over WikiLeaks
Slide 21: Spoofing Example: Email
    import smtplib
    from email.mime.text import MIMEText

    s = smtplib.SMTP('localhost')
    msg = MIMEText('Hello from Microsoft.')
    msg['Subject'] = 'This is a test'
    msg['From'] = '[email protected]'      # SMTP does not check that the sender owns this address
    msg['To'] = '[email protected]'
    ret = s.sendmail(msg['From'], [msg['To']], msg.as_string())
    s.close()
Slide 22: Let's Rethink Email Security
Slide 23: Email Security
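The script on slide 21 works because SMTP accepts whatever From header the sender writes. The receiving side can still catch it: the mail server records its SPF and DKIM results in an Authentication-Results header, and a DMARC-style check asks whether the domain that passed is the same domain the user sees in From. The following is an added example, not code from the slides; the two messages, the domains, and the authserv-id mx.example.com are constructed, and the check is a simplified one (strict alignment only, no DMARC policy lookup).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Picks out "spf=pass" / "dkim=none" style results and the domain each one applies to.
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)\b")
DOMAIN_RE = re.compile(r"\b(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.-]+)")


def from_header_domain(msg):
    """Domain of the visible From header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg):
    """Return {'spf': (result, domain), 'dkim': (result, domain)} from Authentication-Results."""
    found = {"spf": ("none", ""), "dkim": ("none", "")}
    header = msg.get("Authentication-Results", "")
    for clause in header.split(";")[1:]:      # the first clause is the authserv-id
        m = AUTH_RE.search(clause)
        if not m:
            continue
        d = DOMAIN_RE.search(clause)
        found[m.group(1)] = (m.group(2).lower(), d.group(1).lower() if d else "")
    return found


def dmarc_verdict(raw_message):
    """('pass'|'fail', From domain, mechanisms that passed for an aligned domain)."""
    msg = message_from_string(raw_message)
    target = from_header_domain(msg)
    auth = parse_auth_results(msg)
    aligned = [k for k, (res, dom) in auth.items() if res == "pass" and dom == target]
    return ("pass" if aligned else "fail"), target, aligned


# Constructed: a spoof in the style of slide 21. SPF passes, but for the
# sender's own relay domain, which is not the domain shown in From.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@mailer.example.net; dkim=none
From: Support <support@example.com>
To: victim@example.org
Subject: This is a test

Hello from Support.
"""

# Constructed: mail genuinely sent through example.com's own servers.
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=support@example.com; dkim=pass header.d=example.com
From: Support <support@example.com>
To: victim@example.org
Subject: This is a test

Hello from Support.
"""

if __name__ == "__main__":
    print("spoofed:", dmarc_verdict(SPOOFED))   # ('fail', 'example.com', [])
    print("legit:  ", dmarc_verdict(LEGIT))     # ('pass', 'example.com', ['spf', 'dkim'])
```

The spoof fails not because SPF failed (it passed for mailer.example.net) but because nothing that passed is aligned with example.com; that alignment requirement is what makes DMARC useful against header spoofing where plain SPF is not.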
Slide 24: Security Tools: Cryptography
NPIBOEFT
Slide 25: Security Tools: Cryptography
N P I B O E F T
Slide 26: Security Tools: Cryptography
Each ciphertext letter shifted back by one:
N P I B O E F T
M O H A N D E S
Confidentiality Integrity Authenticity
Cryptography
Alice Bob
Charlie
Slide 28: Symmetric Key Cryptography
Shared Secret
Encryption Only
Usages:
◦ Password Protected Zip Files
◦ WEP-Shared (WiFi)
◦ SSL / HTTPS
Diagram (A -> B, XOR with the shared key):
  01011001   plaintext
^ 11001101   shared key
= 10010100   ciphertext
^ 11001101   shared key
= 01011001   plaintext recovered
Slide 29: Public Key Cryptography
Ref: Wikipedia
Slide 30: Public Key Cryptography
Encryption
Authenticity (Signing)
Usages:
◦ Email Validation (PGP)
◦ Authentication / Login
◦ Banking
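The two usages on slide 30 (encryption with the public key, signing with the private key) can be followed by hand with textbook RSA. The following is an added example, not code from the slides: it uses the small primes p=61 and q=53 from the Wikipedia worked example, and it deliberately omits padding and hashing, so it illustrates the mathematics and is not a usable implementation. Function names are this example's own.

```python
def make_keypair(p, q, e=17):
    """Textbook RSA key generation from two (here tiny) primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, e*d == 1 (mod phi); needs Python 3.8+
    return (n, e), (n, d)        # public key, private key


def encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)          # anyone holding the public key can do this


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)          # only the private key holder can undo it


def sign(private_key, m):
    n, d = private_key
    return pow(m, d, n)          # signature = m^d mod n, needs the private key


def verify(public_key, m, signature):
    n, e = public_key
    return pow(signature, e, n) == m   # recovers m only if it was signed with the matching d


PUBLIC, PRIVATE = make_keypair(61, 53)   # n = 3233, e = 17, d = 2753

if __name__ == "__main__":
    c = encrypt(PUBLIC, 65)
    print("ciphertext", c, "decrypts to", decrypt(PRIVATE, c))            # 2790 -> 65
    s = sign(PRIVATE, 65)
    print("signature", s, "verifies:", verify(PUBLIC, 65, s),
          "tampered message verifies:", verify(PUBLIC, 66, s))            # True, False
```

The contrast with slide 28 is the point: there the same key encrypts and decrypts, so every party that can read must also be able to write; here the key that verifies a signature cannot produce one, which is what gives the authenticity property.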
Slide 31: Tools for Personal Security
Antivirus replacement: Microsoft Malicious Software Removal Tool
Malware Removal: Malwarebytes
Browsers:
◦ Use Chrome
◦ Stay away from Internet Explorer
Email Security: Web-mails such as Gmail
Password Management: PasswordSafe, LastPass, etc.
Slide 32: Compliance
Payment Card Industry Data Security Standard (PCI-DSS)
◦ Liability!
Privacy Laws: Canada Privacy Act 1983
ISO 27001: Information Security Management Systems
Slide 33: Associations - (ISC)²
International Information Systems Security Certification Consortium - (ISC)²
Non-profit (since 1989)
Focused on IT Security
90,000 Members
Certified Information Systems Security Professional (CISSP)
Certified Secure Software Lifecycle Professional (CSSLP)
CISSP: US DoD and NSA requirement
Slide 34: Associations - ISACA
Information Systems Audit and Control Association (previous name)
Non-profit (since 1967)
Focused on IT Governance and Audit
95,000 Members
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Continuing Education Point system, called CPE
Slide 35: Associations - OWASP
Open Web Application Security Project (OWASP)
Non-profit
Open source
Focused on Securing Web
Slide 36: Questions?