Category: Security & Privacy

  • Security Training

    Security job skills training

    • SSCP exam
    • A series of university courses in general information security

    Security awareness training

    • A series of newsletters, with general information security
    • Business-unit walk-through
  • Computer fallacies

    Fallacy vs. Principle

    • Fallacy: Information wants to be free.
      Principle: People are in control of what information is released or shared.
    • Fallacy: Laws are clear about the legality of all actions.
      Principle: Users should take responsibility for their actions.
    • Fallacy: Hacking is OK as long as it doesn’t hurt anybody.
      Principle: It is unethical to access information without having permission to do so.
    • Fallacy: Plagiarism doesn’t count on the internet.
      Principle: Piracy is illegal no matter what tool is used to copy the information.
    • Fallacy: If a software program is working, it must be working correctly.
      Principle: Software is prone to human error.
    • Fallacy: You can’t be sued for libel for the contents of a private email.
      Principle: People are responsible for their words and accusations on the internet.
  • Risk Response Types

    • Risk avoidance: shutdown of servers when there is suspicion of virus infection
    • Risk transfer: hardware insurance to theft, loss and fire damage
    • Risk acceptance: let employees receive private emails in company accounts
    • Risk mitigation: implement multi-factor authentication to protect trade secrets
  • Stages of Risk Assessment Process

    • Risk determination quantifies the probability of attack, its impact, and the adequacy of current or planned controls.
    • Control recommendations consider the effectiveness, performance impact, safety and reliability of control options.
    • Likelihood determination considers the capability and motivation of threat sources in terms of vulnerability.
    • Results documentation presents the threat and vulnerability pairings with associated cost-benefit data.
    • Impact analysis quantifies or rates potential losses to the integrity, availability and confidentiality of relevant data.
  • Types of Risk Assessment

    1. Qualitative
      • The financial officer’s estimate that password scanning attacks are highly probable.
      • The IT manager’s opinion on what impact a flood would have on the server room.
    2. Quantitative
      • The cost to the company of being offline for one day (or of its servers being offline for one day).
      • The expected, total number of DDoS attacks per year
  • Importance of Risk Management

    Risk Management is important, because it:

    • enables identification and protection of all critical assets
    • helps ensure legal compliance
  • Risk assessment process

    • Threat identification is the review of technical and non-technical events that may damage a system
    • System characterization is the review of system and data criticality and sensitivity
    • Control analysis is the review of current and planned countermeasures against security requirements checklists.
    • Vulnerability identification is the review of system security procedures, design, implementation, or internal controls that may fail during attacks.
  • Spanning-Tree Analysis

    Maps all possible threats to an information system according to general risk categories.

  • SOMAP

    Security Officers Management and Analysis Project. A Swiss non-profit organization.

  • Value at Risk (VAR)

    The Value at Risk (VAR) framework has four stages:

    • Identify threats
    • Estimate likelihood
    • Estimate VAR
    • Mitigate risk