FORESEC Academy Security Essentials. Defense-in-Depth. Defense-in-Depth Agenda. Chapter 7: Defense-in-Depth; Chapter 8: Basic Security Policy; Chapter 9: Access Control and Password Management; Chapter 10: Incident Handling Foundations; Chapter 11: Information Warfare
FORESEC Academy Security Essentials: Defense-in-Depth
Defense-in-Depth Agenda
• Chapter 7: Defense-in-Depth
• Chapter 8: Basic Security Policy
• Chapter 9: Access Control and Password Management
• Chapter 10: Incident Handling Foundations
• Chapter 11: Information Warfare
• Chapter 12: Web Communications and Security
Defense-in-Depth
We have covered: networking, IP, IP behaviour, basic traffic analysis, routing, host perimeter defense. Now we add security policy, password strength and assessment, incident handling, information warfare and web security.
Three Bedrock Principles
• Confidentiality (secrecy)
• Integrity
• Availability
Identity, Authentication & Authorization
• Don’t Authentication and Identity mean the same thing?
• If we have Authentication and Identity, then do we need Authorization?
Authentication
• Based on:
  - Something you know
  - Something you have
  - Something you are
Data Classification
• We classify data with differing levels of sensitivity
• Why do we put labels on our data?
• You can’t protect it all, so some data requires more protection than others
Threats
• Activity that represents possible danger
• Can come in different forms and from different sources
• You can’t protect against all threats
• Protect against the ones that are most likely or most worrisome based on:
  - Business goals
  - Validated data
  - Industry best practice
Vulnerabilities
• Weaknesses that allow threats to happen
• Must be coupled with a threat to have an impact
• Can be prevented (if you know about them)
Relating Risk, Threat and Vulnerability
Risk = Threat x Vulnerability
The Threat Model
• Threat
• Vulnerability
• Compromise
Vulnerabilities are the gateways by which threats are manifested.
Five Lessons from History
• Morris worm - Availability - 1988
• Melissa - Availability - 1999
• W32.SirCam worm - Confidentiality - 2001
• Code Red II - Integrity - 2001
• Blaster worm - Availability and Integrity - 2003