Introduction to Information Security
-
Upload
gareth-davies -
Category
Technology
-
view
6.928 -
download
2
description
Transcript of Introduction to Information Security
An Introduction to Information Security – What?
http://www.shaolintiger.com http://www.darknet.org.uk
@ShaolinTiger & @THEdarknet on Twitter
So who am I? Founder & Writer
- Top 5 infosec blog in the world- 40,000+ RSS Subscribers- 11,000+ Twitter followers- http://www.darknet.org.uk
Co-Founded Security-Forums.com
- Top 3 infosec forum in the World- Founded in 2002 to get out of Usenet- Sold in 2004 to windowsecurity.com
What is Information Security?
- It is quite a vague term – but it can be defined.
C
AI
CIA?
Confidentiality
Integrity
Availability
Confidentiality
- If confidentiality is breached it’s generally classified as a ‘leak’- Can have legal implications- Bad for your reputation- Hacker only needs read access
Integrity
- Less common but more serious- Can cause persistent problems- Possible to remain undetected for a long period- Hacker does need write access
Availability
- This is what DDoS attacks do- Usually short term but VERY damaging- Hard to solve- Hacker needs no access
What can I do?
- Passwords, passwords passwords!
- This is THE most important thing
Use a password manager
This will help you to: Generate, maintain & manage strong passwords Use different passwords for every site/service Manage password access for your company Change passwords when employees leave Use KeepassX, LastPass, 1Password or Passpack
Resource Management
- People can be bad, make sure all master accounts are under the company not under individuals
- Separate access so changes can be logged- This is especially critical for tech services such
as:- Github- Amazon Web Services- Linode- Bitbucket- Dropbox
- Anywhere that your code/resources are stored
Turn on MAX Security- Pretty much all services like AWS/Github etc support 2FA (Two factor authentication)
PLEASE TURN IT ON!
If not you could end up like Code Spaces.
Education
- The weakest part of any organisation is always the human element, known in infosec as ‘wetware’
- Prone to social engineering
- If you are a company owner or the tech go-to person, it’s your job to educate
Safe Coding Practises
- Use a framework
- Don’t EVER EVER EVER EVER trust user input
- Always Hash passwords
- Build your APIs with Authentication
- Check ‘OWASP Top 10’ for more info
DDoS Protection
- Unfortunately if you get popular this is a serious risk (Happening to Feedly/Evernote last month)
- There are various services that you can look at to mitigate against DDoS attacks:
- http://www.incapsula.com/- https://www.cloudflare.com/- http://www.akamai.com/
Platform Security
- ALWAYS keep the core up to date- If you can use a specialist host (WPengine/Page.ly)- Use as few plugins as possible- NEVER pirate themes/plugins as they often contain
malware
The END!
Questions?
Stalk me @ShaolinTiger or @THEdarknet on Twitter
If you are interested in Infosec – http://fb.me/darknetorguk
This preso will be on http://slideshare.net/shaolintiger