Introduction to Information Security


Description

A short talk about Information Security, mainly focusing on start-ups and entrepreneurs. Some basics on what Information Security is, how it can impact your business and some tips on how to mitigate against risk.

Transcript of Introduction to Information Security

Page 1: Introduction to Information Security

An Introduction to Information Security – What?

http://www.shaolintiger.com http://www.darknet.org.uk

@ShaolinTiger & @THEdarknet on Twitter

Page 2: Introduction to Information Security

So who am I? Founder & Writer

- Top 5 infosec blog in the world
- 40,000+ RSS Subscribers
- 11,000+ Twitter followers
- http://www.darknet.org.uk

Page 3: Introduction to Information Security

Co-Founded Security-Forums.com

- Top 3 infosec forum in the World
- Founded in 2002 to get out of Usenet
- Sold in 2004 to windowsecurity.com

Page 4: Introduction to Information Security

What is Information Security?

- It is quite a vague term – but it can be defined.

CIA

Page 5: Introduction to Information Security

CIA?

Confidentiality

Integrity

Availability

Page 6: Introduction to Information Security

Confidentiality

- If confidentiality is breached it’s generally classified as a ‘leak’
- Can have legal implications
- Bad for your reputation
- Hacker only needs read access

Page 7: Introduction to Information Security

Integrity

- Less common but more serious
- Can cause persistent problems
- Possible to remain undetected for a long period
- Hacker does need write access

Page 8: Introduction to Information Security

Availability

- This is what DDoS attacks do
- Usually short term but VERY damaging
- Hard to solve
- Hacker needs no access

Page 9: Introduction to Information Security

What can I do?

- Passwords, passwords, passwords!

- This is THE most important thing

Page 10: Introduction to Information Security

Use a password manager

This will help you to:

- Generate, maintain & manage strong passwords
- Use different passwords for every site/service
- Manage password access for your company
- Change passwords when employees leave

Use KeepassX, LastPass, 1Password or Passpack

Page 11: Introduction to Information Security

Resource Management

- People can be bad; make sure all master accounts are held by the company, not by individuals

- Separate access so changes can be logged

- This is especially critical for tech services such as:
  - Github
  - Amazon Web Services
  - Linode
  - Bitbucket
  - Dropbox

- Anywhere that your code/resources are stored

Page 12: Introduction to Information Security

Turn on MAX Security

- Pretty much all services like AWS/Github etc support 2FA (Two factor authentication)

PLEASE TURN IT ON!

If not, you could end up like Code Spaces.
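To show what the second factor actually checks once it is turned on, here is an added example (not code from the talk or from any of the services named above) of the time-based one-time password scheme that AWS, Github and most authenticator apps use. The secret is the ASCII test key from RFC 4226 / RFC 6238, used here only so the output can be checked against the published vectors; a real enrolment would generate a fresh random secret per user.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed shared secret: the ASCII key from the RFC 4226 / RFC 6238 test vectors.
# Real enrolment generates one with new_secret() and hands it to the user's
# authenticator app (normally base32-encoded inside a provisioning QR code).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the big-endian
    counter, dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    This is what the phone app computes every 30 seconds."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, submitted: str, at_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check of a submitted code. Accepts the current time step plus
    `window` steps either side to tolerate clock drift between phone and server.
    A production server should additionally remember the last accepted counter
    and refuse anything at or below it, so a code cannot be replayed inside the
    window."""
    if not submitted.isdigit() or len(submitted) != digits:
        return False
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(hotp(key, counter + drift, digits), submitted):
            return True
    return False


def new_secret() -> bytes:
    """160-bit random secret, the size the RFC 4226 test vectors use."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(RFC_TEST_SECRET, code, now))
```

The point for a start-up is that the code is derived from a secret that never leaves the phone and the server, so a leaked or phished password alone is not enough to log in; the window logic is why a code keeps working for roughly a minute and no longer.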

Page 13: Introduction to Information Security

Education

- The weakest part of any organisation is always the human element, known in infosec as ‘wetware’

- Prone to social engineering

- If you are a company owner or the tech go-to person, it’s your job to educate

Page 14: Introduction to Information Security

Safe Coding Practices

- Use a framework

- Don’t EVER EVER EVER EVER trust user input

- Always Hash passwords

- Build your APIs with Authentication

- Check ‘OWASP Top 10’ for more info
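As an added example of two of the points above (never trust user input, always hash passwords), not code from the talk, here is a small Python sign-up and login routine. Passwords are stored as a salted PBKDF2-HMAC-SHA256 hash rather than in the clear, and every database query is parameterised so that whatever a user types into the username field is stored as data, never executed as SQL. The iteration count, table layout and in-memory SQLite database are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Assumed work factor: a slow KDF is the point, so a stolen table of hashes cannot
# be brute-forced quickly. Raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string: algorithm$iterations$salt$digest.
    A fresh random salt per user means two users with the same password get
    different hashes, defeating precomputed (rainbow) tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not reveal how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hash of a constructed dummy password, used so a login attempt for an unknown
# user takes as long as one for a real user (no user-enumeration via timing).
DUMMY_HASH = hash_password("not-a-real-password")


def open_user_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Validate what we can (type and length), then let the driver bind the
    values: the ? placeholders mean the username is never spliced into SQL."""
    if not isinstance(username, str) or not 1 <= len(username) <= 64:
        raise ValueError("username must be 1-64 characters")
    if not isinstance(password, str) or len(password) < 12:
        raise ValueError("password must be at least 12 characters")
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 (username, hash_password(password)))
    conn.commit()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)  # burn equal time, then refuse
        return False
    return verify_password(password, row[0])


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = open_user_db()
    register(db, "alice", "correct horse battery staple")
    print("alice ok:", login(db, "alice", "correct horse battery staple"))
    print("alice wrong:", login(db, "alice", "wrong password here"))
```

If you are on a framework, as the slide recommends, use its built-in password hasher and query builder instead of writing this yourself; the example shows what those facilities are doing for you and what to check for if they are bypassed.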

Page 15: Introduction to Information Security

DDoS Protection

- Unfortunately, if you get popular this is a serious risk (it happened to Feedly and Evernote last month)

- There are various services that you can look at to mitigate against DDoS attacks:

- http://www.incapsula.com/
- https://www.cloudflare.com/
- http://www.akamai.com/

Page 16: Introduction to Information Security

Platform Security

- ALWAYS keep the core up to date
- If you can, use a specialist host (WPengine/Page.ly)
- Use as few plugins as possible
- NEVER pirate themes/plugins as they often contain malware

Page 17: Introduction to Information Security

The END!

Questions?

Stalk me @ShaolinTiger or @THEdarknet on Twitter

If you are interested in Infosec – http://fb.me/darknetorguk

This preso will be on http://slideshare.net/shaolintiger