Information Security Principles · What are we protecting? What is there to protect ? Primary...
Transcript of Information Security Principles · What are we protecting? What is there to protect ? Primary...
![Page 1: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/1.jpg)
Information Security Principles
Kitisak Jirawannakool Information Security Specialist
1
![Page 2: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/2.jpg)
Agenda❖ What is Security? ❖ Risk Analysis ❖ Incident Handling
2
![Page 3: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/3.jpg)
How it used to be?
3
Board
Physical Security
AccountabilityIT & Security
![Page 4: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/4.jpg)
… and How it is growing to be?
4
Board
Physical Security
Accountability
IT & Security
Risk corp. CSIRT
![Page 5: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/5.jpg)
What are we protecting?❖ What is there to protect ?
❖ Primary process ❖ Customers, Employees, Identities ❖ Products, Contracts ❖ Supporting processes ❖ Reputation ❖ Information, infrastructure ❖ Critical infrastructures ❖ Health, lives
5
![Page 6: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/6.jpg)
Assets❖ Hardware ❖ Software ❖ Information ❖ Personnel (People) ❖ Service ❖ Location
6
![Page 7: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/7.jpg)
What is Security?
7
![Page 8: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/8.jpg)
ดด
19
© 2012 IBM Corporation19 OWASP AppSec Asia Pacific 2012 | April 11-14, 2012 | Sydney, Australia
What is security?
8
![Page 9: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/9.jpg)
20
© 2012 IBM Corporation20 OWASP AppSec Asia Pacific 2012 | April 11-14, 2012 | Sydney, Australia
What is security?
9
![Page 10: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/10.jpg)
21
© 2012 IBM Corporation21 OWASP AppSec Asia Pacific 2012 | April 11-14, 2012 | Sydney, Australia
What is security?
Photo credit: Wikimedia Commons user mattes, http://en.wikipedia.org/wiki/File:VTBS-luggage_screening.JPG
10
![Page 11: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/11.jpg)
11
22
© 2012 IBM Corporation22 OWASP AppSec Asia Pacific 2012 | April 11-14, 2012 | Sydney, Australia
What is security?
![Page 12: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/12.jpg)
Security Goals❖ C (Confidentiality) ❖ I (Integrity) ❖ A (Availability)
12
![Page 13: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/13.jpg)
Security Mechanisms❖ Authentication ❖ Access Control ❖ Encryption ❖ Signatures
13 27
© 2012 IBM Corporation27 OWASP AppSec Asia Pacific 2012 | April 11-14, 2012 | Sydney, Australia
Security mechanisms
Authentication
Access control
Encryption
Signatures
![Page 14: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/14.jpg)
Information Security Today
Information Security Today
14
![Page 15: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/15.jpg)
Security Framework
15
![Page 16: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/16.jpg)
❖ Provides Management’s Goals and Objectives in writing
❖ Document Compliance ❖ Create Security Culture
16
![Page 17: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/17.jpg)
❖ Provides Management’s Goals and Objectives in writing
❖ Document Compliance ❖ Create Security Culture
Management’s Security Policy
17
![Page 18: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/18.jpg)
Policy Overview
18
![Page 19: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/19.jpg)
Terminologies❖ Procedures
❖ Required step-by-step actions ❖ Baselines
❖ Establish consistent implementation of security mechanism
❖ Usually platform unique ❖ Guidelines
❖ Recommendations for security product implementations, procurement & planning
19
![Page 20: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/20.jpg)
PDCA
20
• Security*Audit*Plan*• Audit*procedure*
• Implement*new*Policies*and*Standards*
• Implement*new*countermeasures*
• Policy*and*Standards*• Countermeasures*• Training*Plan*
• New*Organiza=on*Chart*• Risk*Assessment*• Network*Design*• Floor*plan*
Plan% Do%
Check%ACT%
![Page 21: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/21.jpg)
What is Risk?❖ The probability that a particular threat will exploit
a particular vulnerability. ❖ Need to systematically understand risks to a
system and decide how to control them.
21Pic source : http://www.fiduciarytechnologiesinc.com/files/risk2.jpg
![Page 22: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/22.jpg)
The Elements of Risk
22
![Page 23: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/23.jpg)
Risk
23
Vulnerabili*es,
Loss$,$Damage$
Threats(
X"
![Page 24: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/24.jpg)
Risks❖ Physical damage ❖ Human interaction ❖ Equipment malfunction ❖ Inside and outside attacks ❖ Data threats ❖ Application error
24
![Page 25: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/25.jpg)
Common Vulnerabilities & Attacks❖ Vulnerabilities
❖ Network: Protocol manipulation, service misuse, plaintext data
❖ Program: Buffer Overflow, Format String Attack
❖ Operating System: Unpatched service
❖ Process/ Implementation: Weak/ sharing of password
❖ Attacks
❖ Network: Sniffing, Denial of service
❖ Program/OS: Malicious code, SQL injection, XSS
❖ Social engineering attack
25
![Page 26: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/26.jpg)
Risk, Response & Recovery
26
![Page 27: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/27.jpg)
What is Risk Analysis?❖ The process of identifying, assessing, and
reducing risks to an acceptable level ❖ Defines and controls threats and vulnerabilities ❖ Implements risk reduction measures
❖ An analytic discipline with three parts: ❖ Risk assessment: determine what the risks are ❖ Risk management: evaluating alternatives for
mitigating the risk ❖ Risk communication: presenting this material in an
understandable way to decision makers and/or the public
27
![Page 28: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/28.jpg)
The Risk Equation
28
![Page 29: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/29.jpg)
Why Risk Analysis?❖ Security risks start when the power is turned-on. At that
point, security risks commence. The only way to deal with those security risks is via risk management
❖ Risks can be identified & reduced, but never eliminated ❖ The purpose of Risk Analysis is to identify potential
problems ❖ Before they occur ❖ So that risk-handling activities (controls and countermeasures)
may be planned and invoked as needed ❖ On a continuous basis across the life of the product, system,
or project
29
![Page 30: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/30.jpg)
Benefits of Risk Analysis❖ Assurance that greatest risks have been
identified and addressed ❖ Increased understanding of risks ❖ Mechanism for reaching consensus ❖ Support for needed controls ❖ Means for communicating results
30
![Page 31: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/31.jpg)
Key Points❖ Key Elements of Risk Analysis
❖ Assets, Threats, Vulnerabilities, and Controls ❖ Most security risk analysis uses qualitative
analysis ❖ Not a scientific process
❖ Companies will develop their own procedure ❖ Still a good framework for better understanding of
system security
31
![Page 32: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/32.jpg)
Risk Analysis Steps
32http://www.corpsnedmanuals.us/DeepDraftNavigation/DDNIncludes/Images/DDNFig2_2RskInfmdDecMkg.png
![Page 33: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/33.jpg)
Risk Management Measurement
33
• Residual risk should be set to an acceptable level
![Page 34: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/34.jpg)
Approaches to Risk Analysis
34
❖ Quantitative vs Qualitative Risk Analysis
❖ Most organizations will use a hybrid of both approaches to risk assessment.
![Page 35: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/35.jpg)
Risk Example by Asset types❖ Hardware ❖ Software ❖ Information ❖ Personnel (People) ❖ Service ❖ Location
35
![Page 36: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/36.jpg)
Hardware❖ Asset : Web server ❖ Threats
❖ Hardware failure ❖ Vulnerabilities
❖ Lack of system monitoring ❖ Lack of maintenance process
❖ Controls ❖ Monitoring system use (A.10.10.2) ❖ Maintenance contract expanded
36
![Page 37: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/37.jpg)
Software❖ Asset : Windows 8 ❖ Threats
❖ Use of Pirated Software ❖ Vulnerabilities
❖ Lack of policy restricting staff to use licensed software
❖ Lack of user awareness ❖ Controls
❖ Acceptable use of assets ❖ Establish formal disciplinary process
37
![Page 38: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/38.jpg)
Information❖ Asset : Confidential files ❖ Threats
❖ Disclosure of confidential information
❖ Vulnerabilities ❖ Lack of information & document classification and handling
procedure ❖ Lack of Physical security ❖ Lack of User awareness
❖ Controls ❖ Establish or implement procedures in information handling ❖ Define rules for working in secure areas ❖ Information Security Education and Training
38
![Page 39: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/39.jpg)
Personnel❖ Asset : Clerk ❖ Threats
❖ Operational Staff or User Errors
❖ Vulnerabilities ❖ Lack of efficient and effective configuration change control ❖ Lack of technical skill ❖ Lack of User awareness
❖ Controls ❖ Establish change control management ❖ Information Security Education and Training
39
![Page 40: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/40.jpg)
Personnel (2)❖ Asset : Clerk ❖ Threats
❖ Resign ❖ Vulnerabilities
❖ Lack of cross-function / backup staff ❖ Poor employee relationship management
❖ Controls ❖ Provide cross-functional training for key job function ❖ Management should provide the resources needed
40
![Page 41: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/41.jpg)
Services❖ Asset : Network system ❖ Threats
❖ Failure of communication services ❖ Vulnerabilities
❖ Lack of redundancy ❖ Controls
❖ Arrange backup internet service ❖ Use redundant Internet service (two ISPs)
41
![Page 42: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/42.jpg)
Location❖ Asset : Head office building ❖ Threats
❖ Sabotage ❖ Vulnerabilities
❖ Lack of Physical Security ❖ Lack of Change Management Controls
❖ Controls ❖ Implement environment threats protection ❖ Establish formal physical entry controls ❖ Establish change control management
42
![Page 43: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/43.jpg)
Group Activity#1 - Risk assessment❖ Separate into 3 groups
❖ IT Support ❖ Server/Network Administrator ❖ Software/Web Development
❖ Define your assets in your organization ❖ Try to think about threats and countermeasure
which is possibly related to your assets above ❖ and present ❖ 30 minutes
43
![Page 44: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/44.jpg)
Risk Management
44
![Page 45: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/45.jpg)
When Risks are happened ....❖ What should we do, if we are management level? ❖ In case of Facebook and Youtube are risks
45
BossEmployees
![Page 46: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/46.jpg)
Risk Management
46
AVOID ACCEPT
REDUCE TRANSFER/SHARE
![Page 47: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/47.jpg)
Key to success for IT security implementation
❖ Supported by CEO or management level ❖ Implement most suitable IT security tools (both
quality and budget) ❖ Every departments are involved to do risk
assessment/analysis ❖ All of employees have awareness
47
![Page 48: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/48.jpg)
Threat Landscapes❖ Exploitation ❖ Web application hacking ❖ Botnet ❖ Malware/ Ransomeware ❖ Phishing/ Spear Phishing ❖ Port scanning ❖ Brute force (Login attempts)
❖ anything else?
48
![Page 49: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/49.jpg)
Exploitations❖ Target on 0-day vulnerabilities ❖ Heartbleed ❖ ShellShock
49
![Page 50: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/50.jpg)
Web Attacking❖ Web Defacement ❖ Malicious script spreading ❖ Phishing ❖ Database and Credential stolen
50
![Page 51: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/51.jpg)
Why we need web application security?
51
![Page 52: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/52.jpg)
Network Security is not enough❖ Network Security Mostly Ignores the Contents of HTTP
Traffic, such as.... ❖ Firewalls, SSL, Intrusion Detection Systems ❖ Operating System Hardening, Database Hardening
❖ Need to secure web application (Not Network Security) ❖ Securing the “custom code” that drives a web application ❖ Securing libraries ❖ Securing backend systems ❖ Securing web and application servers
❖ Cloud Computing is coming, the infrastructure is secured by the provider but we are still need to secure our application.
52
![Page 53: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/53.jpg)
OWASP❖ Open Web Application Security Project ❖ http://www.owasp.org ❖ Open group focused on understanding and
improving the security of web applications and web services!
❖ Hundreds of volunteer experts from around the world
53
![Page 54: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/54.jpg)
Open Web Application Security
54
![Page 55: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/55.jpg)
Probe Scan❖ Port scan - To check which ports are opened and
guess what services are running. ❖ nmap
❖ Vulnerability scan - To check which services or software are vulnerable ❖ Nessus
❖ Login Attempts - To check for weak password accounts ❖ Password attack (brute force, dictionary, rainbow)
❖ Malware Attack (Port + Vulnerability + Login)
55
![Page 56: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/56.jpg)
nmap (Windows)
56
![Page 57: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/57.jpg)
SSH login attempts
57
![Page 58: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/58.jpg)
Blaster worm❖ Analyze Attack DCOM RPC by using 135/TCP
and 137/UDP ❖ Effect for Windows NT, 2000, XP and 2003 ❖ Countdown 30 seconds and automatically
restart
58
Jeffrey Lee Parson, 19 Blaster worm writer
![Page 59: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/59.jpg)
Blaster’s traffic
59
![Page 60: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/60.jpg)
Ransomware❖ Several companies were infected ❖ All important and document files are encrypted
by RSA-4096 (No way to decrypt) ❖ Need much better backup process
60
![Page 61: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/61.jpg)
CryptoLocker
61
![Page 62: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/62.jpg)
Botnet & DDoS
62
![Page 63: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/63.jpg)
Distributed Denial of Service (DDoS) - Flooding
63
Our server
Botnet send many HTTP requests at the same time
![Page 64: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/64.jpg)
Over consuming
64
Your server is like the donkey, and no, it’s not the donkey’s fault.
![Page 65: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/65.jpg)
Phishing
65
Phisher
(Fisher)
Spam
(Food)Faked website
(Hook)
Victim
(Fish)
![Page 66: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/66.jpg)
Spear Phishing
66http://www.terrapapers.com/wp-content/uploads/2013/10/Spear-phishing-1.png
![Page 67: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/67.jpg)
Example
67
![Page 68: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/68.jpg)
Incident Handling
68
![Page 69: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/69.jpg)
Overview - Typical IT Security
69
![Page 70: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/70.jpg)
But.........
70
![Page 71: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/71.jpg)
Controls will be bypassed
71
![Page 72: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/72.jpg)
Traditional Incident Response
72
![Page 73: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/73.jpg)
You In Line of Fire
73
![Page 74: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/74.jpg)
Processes❖ Incident Response plan
74
![Page 75: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/75.jpg)
IR Plan - Preparation❖ Build the secured infrastructure ❖ Security policy ❖ Setup the monitoring system ❖ Prepare IR Team and process
75
![Page 76: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/76.jpg)
IR Plan - Detect & Analysis❖ Setup the monitoring system ❖ Read logs ❖ Maybe someone reports ❖ Analysis when something’s happened
76
![Page 77: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/77.jpg)
IR Plan - Response, Eradication and Recovery
❖ Find the attackers and how ❖ Remove or correct the system ❖ Operate the system again
77
![Page 78: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/78.jpg)
IR Plan - Post incident activities❖ Study from the attacks ❖ Prepare the protections ❖ Keep record
78
![Page 79: Information Security Principles · What are we protecting? What is there to protect ? Primary process Customers, Employees, Identities Products, Contracts Supporting processes Reputation](https://reader034.fdocuments.us/reader034/viewer/2022042809/5f908f53624cdc58a5533d5c/html5/thumbnails/79.jpg)
Thank you
79