IT Security_Awareness & Training
-
8/8/2019 IT Security_Awareness & Training
1/13
Prepared by: Aymard
-
Awareness:
Importance of Information Security in today's world
Social engineering
Hacking
Security controls [risk mitigation lattice]
Hands-on practices:
Managing passwords (Office applications)
PDF conversion
Encryption
-
Importance of Information Security in today's world
Why Security?
Evolution of technology focused on ease of use
Increased network environment and network-based applications
Decreasing skill level needed for exploit
Direct impact of security breach on corporate asset base and goodwill
Increasing complexity of computer infrastructure administration and management
-
Essential Terminologies
Risk - The quantifiable likelihood of a threat taking advantage of a vulnerability in a system, or the probability that a threat will exploit a vulnerability
Threat - An action or event that might compromise security. A threat is a potential violation of security. OR Something that is a source of danger; capabilities, intentions, and attack methods of adversaries that can exploit or cause harm to a system
Vulnerability - Existence of a weakness, design or implementation error that can lead to an unexpected and undesirable event compromising the security of the system.
Attack - An assault on the system security that is derived from an intelligent threat.
Exploit - A defined way to breach the security of an IT system via a vulnerability
-
Essential Terminologies (Contd)
Exposure - The potential compromise associated with an attack exploiting a corresponding vulnerability
Countermeasure - Action of reducing the impact of an attack, detecting the occurrence of an attack, and/or assisting in the recovery from an attack
Subject - Generally a person, process, or device that causes information to flow among objects.
Object - A passive entity containing or receiving information; access to an object usually implies access to the information that it contains
-
Security Elements
Commonly based on CIA (Confidentiality, Integrity & Availability)
CIA+ adds other elements: Identity, Privacy, Authentication, Authorization, Accounting.
-
Security, Functionality, Ease of use Triangle
The number of exploits is minimized when the number of weaknesses is reduced = Great Security
The more Security, the less Functionality
Moving the ball toward security
[Triangle diagram with the three corners labelled Functionality, Security and Ease of use]
-
Attack Phases (IT Systems)
Reconnaissance
Passive: acquire information without directly interacting with the target
Active: involves interacting with the target directly by any means
-
Social Engineering
Concept:
Social engineering is the tactic or trick of gaining sensitive information by exploiting basic human nature such as: trust, fear, desire to help
Social engineers attempt to gather information such as: sensitive information, authorization details, access details
-
Social Engineering (Contd)
Categories:
Human-based: Gathers sensitive information by interaction; exploits trust, fear, helping nature of humans
Computer-based: Social engineering is carried out with the aid of computers
-
More on Human-based Social Engineering
Eavesdropping or unauthorized listening of conversations or reading of messages
Interception of any form such as audio, video, or written
Shoulder surfing
Dumpster Diving: trash-bins, printer trash-bins, user desk for sticky notes
Dumpster diving targets: phone bills, contact information, financial information, etc.
-
More on Human-based Social Engineering
Tailgating: An unauthorized person with a fake ID badge
Piggybacking: Authorized person provides access to an unauthorized person by keeping the secured door open.
Reverse Social Engineering: The attacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around
Reverse social engineering attack involves:
Sabotage
Marketing
Providing support