Information Security Awareness Overview

Information Security Awareness covers security fundamentals, risk analysis, threat identification, security assessments, and related topics. It emphasizes the protection of information resources from unauthorized access, theft, or damage. The goals are preventing unauthorized access, detecting intrusions, and ensuring business continuity. Understanding vulnerabilities, risks, and threats is essential to safeguarding data and systems.

  • Information Security
  • Awareness
  • Risk Analysis
  • Threat Identification
  • Data Protection

Uploaded on Mar 12, 2025

Presentation Transcript


  1. Overview on Information Security Awareness

  2. Information Security Topics
     1. Identifying Security Fundamentals
     2. Analyzing Risk
     3. Identifying Security Threats
     4. Conducting Security Assessments
     5. Implementing Host and Software Security
     6. Implementing Network Security
     7. Managing Identity and Access
     8. Implementing Cryptography
     9. Implementing Operational Security
     10. Addressing Security Incidents
     11. Ensuring Business Continuity

  3. 1. Security Fundamentals
     Identify Information Security Concepts
     Identify Basic Security Controls
     Identify Basic Authentication and Authorization Concepts
     Identify Basic Cryptography Concepts

  4. Information Security
     The protection of available information or information resources from unauthorized access, attack, theft, or data damage. Organizations must secure confidential data, and data in all forms must be protected. Doing so minimizes business risk.

  5. Goals of Information Security
     Goal        Particulars
     Prevention  Preventing unauthorized access to information.
     Detection   Detecting intrusions in the network and unauthorized access.
     Recovery    Resilience and recovery from disasters and intrusion damage, to maintain business continuity.

  6. Risk
     A concept that indicates exposure to the chance of damage or loss, and signifies the likelihood of a hazard or dangerous threat. Risk is associated with system, power, network, and physical losses, and it can affect people, practices, and processes.

  7. Vulnerabilities
     Any condition that leaves a device open to attack, for example:
     Improperly configured or installed hardware or software
     Delays in applying and testing software and firmware patches
     Untested software or firmware patches
     Bugs in software or OSs
     Misusing software or communication protocols
     Poorly designed networks
     Poor physical security
     Insecure passwords
     Design flaws in software or OSs
     Unchecked user input

  8. Threats
     Any event or action that could potentially cause damage to an asset. Information security threats include:
     Change of information
     Interruption of services
     Denial of access
     Damage to hardware
     Damage to facilities

  9. Attacks
     A technique used to exploit a vulnerability in an application or physical computer system without the authorization to do so. Attacks can take the form of:
     Physical security attacks
     Software-based attacks
     Social engineering attacks
     Attacks on web or mobile applications
     Network-based attacks

  10. Controls
     Countermeasures that you need to put in place to avoid, mitigate, or counteract security risks due to threats and attacks.
     Control type         Example
     Preventive controls  Biometric access controls
     Detection controls   Camera
     Correction controls  Alert system

  11. Types of Controls
     Prevention controls: prevent a threat or attack from exposing a vulnerability.
     Detection controls: discover whether a threat or vulnerability is present in the network.
     Correction controls: mitigate the consequences of a threat or attack.

  12. Security Management Process
     Identify security controls: detecting problems and deciding how to protect the system.
     Implement security controls: installing control mechanisms to mitigate the threat.
     Monitor security controls: detecting and resolving security issues to maintain business continuity.
     (Cycle: Identification -> Implementation -> Monitoring)

  13. CIA Triad
     Three principles of security control and management: Confidentiality, Integrity, and Availability.

  14. CIA Triad
     Principle        Description                                                                              Typical controls
     Confidentiality  Keeping information and communications protected from unauthorized access.              Encryption, access control
     Integrity        Keeping organizational information accurate, free of errors and unauthorized modification.  Hashing, digital signatures, certificates
     Availability     Ensuring that authorized persons can access data when they need it.                     Patching

  15. Non-repudiation and Accountability
     Non-repudiation: ensuring that the person who sent a transmission or created data remains associated with that data and cannot later deny it.
     Accountability: determining who is to be held responsible for a particular activity.

  16. Identification and Authentication
     Identification: the process by which a claim is made about the nature of an entity.
     Authentication: the method of validating a particular entity's or individual's unique credentials.

  17. Authentication Factors
     Factor                        Example
     Something you are             Fingerprints, retinal patterns
     Something you have            Key, ID card
     Something you know            Password, PIN
     Somewhere you are or are not  GPS location
     Something you do              Keystroke patterns

  18. Authorization
     The process of determining the rights and privileges assigned to a particular entity. After identification and authentication succeed, the system determines which resources the entity is authorized to access.
     (Sequence: Identification -> Authentication -> Authorization)

  19. Access Control, Accounting and Auditing
     Access control: the process of determining and assigning privileges to resources and data.
     Accounting: the process of tracking and recording system activities and resource access.
     Auditing: the portion of accounting in which security professionals examine logs and other details.

  20. Principle of Least Privilege
     The principle says that users and software should be given only the minimal level of access necessary for them to perform their duties. It applies to facilities, hardware, software, and information: assign exactly the level of access required to perform the necessary tasks, and no more.

  21. Privilege Management
     Privilege management: the use of authentication and authorization mechanisms to provide centralized or decentralized administration of user and group access control.
     (Components: Authentication -> Authorization -> Access Control -> Accounting/Auditing, overseen by an administrator)
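The identification, authentication, authorization and accounting chain described on slides 16 to 21 fits in a short program. The following is an added example, not code from the original deck: a minimal in-memory user store with salted PBKDF2 password hashing, role-based permissions defined on a least-privilege basis, and an audit log that records every decision. The role names, permission strings and user names are made up for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed role definitions (not from the deck): each role receives only the
# permissions it needs, which is the least-privilege principle in practice.
ROLE_PERMISSIONS = {
    "analyst": {"read:reports"},
    "admin": {"read:reports", "write:reports", "delete:reports", "manage:users"},
}

PBKDF2_ITERATIONS = 600_000  # deliberately slow so a stolen hash is expensive to crack


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccessControlDemo:
    def __init__(self):
        self.users = {}      # identification: username -> (salt, hash, role)
        self.audit_log = []  # accounting: every authentication/authorization decision

    def _record(self, user, action, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "outcome": outcome,
        })

    def register(self, username, password, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, role)  # never store the password itself

    def authenticate(self, username, password):
        """Validate the claimed identity's credential (something you know)."""
        record = self.users.get(username)
        if record is None:
            hash_password(password)  # same cost path, so timing does not leak valid usernames
            self._record(username, "login", "denied: unknown user")
            return False
        salt, stored, _ = record
        _, candidate = hash_password(password, salt)
        ok = hmac.compare_digest(stored, candidate)  # constant-time comparison
        self._record(username, "login", "ok" if ok else "denied: bad password")
        return ok

    def authorize(self, username, permission):
        """Decide whether an (already authenticated) user may perform an action."""
        record = self.users.get(username)
        allowed = record is not None and permission in ROLE_PERMISSIONS[record[2]]
        self._record(username, permission, "allowed" if allowed else "denied")
        return allowed


if __name__ == "__main__":
    acl = AccessControlDemo()
    acl.register("alice", "correct horse battery staple", "analyst")
    print(acl.authenticate("alice", "correct horse battery staple"))  # True
    print(acl.authorize("alice", "read:reports"))                    # True
    print(acl.authorize("alice", "delete:reports"))                  # False (least privilege)
    for entry in acl.audit_log:
        print(entry)
```

The audit log is what makes accountability possible: a denied "delete:reports" request by an analyst is recorded just like a successful login, so an auditor can later reconstruct who tried what.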

  22. Identifying Basic Security Controls
     Passwords
     Tokens: physical or virtual objects that store authentication information, such as an ID badge or smart card
     Biometrics: fingerprint scanners, retinal scanners

  23. Multi-factor Authentication
     An authentication scheme that requires validation of two or more distinct authentication factors. A bank debit card combines the card (something you have) with a PIN (something you know). Another example is an authenticator app used to sign in to email or other applications.

  24. Mutual Authentication
     A security mechanism that requires each party in a communication to verify the identity of every other party: the service or resource verifies the client's credentials, while the client verifies the credentials of the service or resource. This prevents clients from sending confidential information to untrusted servers and helps prevent man-in-the-middle attacks.

  25. Basic Cryptographic Concepts
     Cryptography is the science of protecting information by transforming it so that only parties holding the right key can read or verify it. It is based on mathematics and computer science and protects data both in transit and in storage.

  26. Encryption and Security Goals
     Confidentiality
     Integrity
     Non-repudiation
     Authentication
     Access control

  27. Encryption and Decryption
     Encryption: a security technique that converts data from plaintext into coded (ciphertext) form so that only authorized persons can read it.
     Plaintext: unencrypted data that is meant to be encrypted before transmission.
     Ciphertext: encoded data.
     Decryption: a cryptographic technique that converts ciphertext back to plaintext.
     Cleartext: unencrypted, readable data that is not meant to be encrypted.

  28. Encryption & Decryption
     (Diagram: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext)

  29. A Few Important Terms
     Key: a specific piece of information that is used in conjunction with an algorithm to perform encryption and decryption.
     Symmetric encryption: a two-way encryption scheme in which encryption and decryption are both performed with the same key (shared-key encryption).

  30. A Few Important Terms
     Asymmetric encryption: a two-way encryption scheme that uses paired public and private keys.
     Private key: the component of asymmetric encryption that is kept secret by one party.
     Public key: the component of asymmetric encryption that can be accessed by anyone.
     Key generation: the process of producing a public and private key pair using a specific application.
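Slides 25 to 30 (and the integrity and non-repudiation points on slides 14 and 15) can be tied together in one runnable illustration. The block below is an added example, not code from the original deck. The symmetric part is a one-time pad, where the same random key both encrypts and decrypts; the asymmetric part is textbook RSA with toy-sized primes (999983 and 1000003) so the public/private key relationship, encryption with the public key, and signing with the private key are visible as plain arithmetic. It deliberately omits padding (OAEP/PSS) and real key sizes; production code should use a vetted library rather than this.

```python
import hashlib
import secrets


# --- Symmetric: one shared secret key, used for both directions ---------------
def otp_keygen(length):
    """One-time pad key: truly random and at least as long as the message."""
    return secrets.token_bytes(length)


def xor_bytes(data, key):
    """Encryption and decryption are the identical XOR operation with the same key."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must cover the whole message")
    return bytes(d ^ k for d, k in zip(data, key))


# --- Asymmetric: paired public/private keys (textbook RSA, toy-sized) --------
def rsa_keygen(p, q, e=65537):
    """Key generation: n = p*q is public, d (inverse of e mod phi) stays private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)  # (public key, private key)


def rsa_encrypt(public_key, m):
    """Anyone may encrypt with the public key; only the private key can decrypt."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def _digest_mod_n(message, n):
    # Sign a hash of the message (integrity), reduced so it fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(private_key, message):
    """Signing with the PRIVATE key gives integrity plus non-repudiation."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def rsa_verify(public_key, message, signature):
    """Anyone with the PUBLIC key can check the signature against the message hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    msg = b"transfer 100"
    key = otp_keygen(len(msg))
    ciphertext = xor_bytes(msg, key)
    print(ciphertext.hex(), xor_bytes(ciphertext, key))      # random bytes, then b'transfer 100'

    pub, priv = rsa_keygen(999983, 1000003)
    m = int.from_bytes(b"hi", "big")
    print(rsa_decrypt(priv, rsa_encrypt(pub, m)) == m)        # True
    sig = rsa_sign(priv, msg)
    print(rsa_verify(pub, msg, sig), rsa_verify(pub, b"transfer 900", sig))  # True False
```

The last line is the integrity check from slide 14 in action: changing a single digit of the signed message makes verification fail, while the signer cannot later deny producing the valid signature because only the private key could have created it.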

  31. 2. Risk Analysis
     Analyze Organizational Risk
     Analyze the Business Impact of Risk
     Risk Management
     Components of Risk Analysis
     Phases of Risk Analysis
     Categories of Threat Types
     Risk Analysis Methods

  32. 2. Risk Analysis (continued)
     Risk Calculation
     Risk Response Techniques
     Risk Mitigation and Control
     Change Management

  33. Risk Management
     The process of identifying risks, analyzing them, developing a response strategy, and mitigating their future impact to maintain business continuity.
     (Cycle: Assessment -> Analysis -> Response -> Mitigation)

  34. Risk Analysis Methods
     Method             Description
     Qualitative        Uses descriptions and words to measure the amount and impact of risk, such as High, Medium, and Low.
     Quantitative       Based on numeric values. Risk data is compared to historic records, experience, industry best practices, statistical theory, and tests.
     Semi-quantitative  Combines descriptions with numeric values.

  35. Risk Response Techniques
     Technique  Description
     Accept     Acknowledge that the risk involved is not entirely avoidable and live with it.
     Transfer   Allocate responsibility for the risk to another agency or a third party, such as an insurance company.
     Avoid      Eliminate the risk altogether by eliminating its cause.
     Mitigate   Take proactive steps and precautionary measures (such as data backups) to protect against possible attacks.
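Slide 32 lists "Risk Calculation" and slide 34 says quantitative analysis is "based on numeric values" without showing the arithmetic. The following is an added example, not from the original deck, using the standard quantitative formulas (single loss expectancy SLE = asset value x exposure factor, annualized loss expectancy ALE = SLE x annual rate of occurrence) together with a simple qualitative likelihood-times-impact rating, and it picks a response from slide 35 by comparing the ALE before and after a proposed control with the control's cost. The scenarios, numbers and risk appetite are invented for illustration, and the decision rule (accept below appetite, mitigate when the control pays for itself, otherwise transfer) is a simplification of what a real risk programme would use.

```python
from dataclasses import dataclass


def qualitative_rating(likelihood, impact):
    """Qualitative method: likelihood and impact on a 1..5 scale, bucketed into words."""
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Scenario:
    name: str
    asset_value: float      # AV: what the asset is worth (currency units)
    exposure_factor: float  # EF: fraction of the asset lost in one incident (0..1)
    annual_rate: float      # ARO: expected number of incidents per year

    def sle(self):
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.annual_rate


def recommend_response(scenario, control_cost, aro_with_control, risk_appetite):
    """Choose Accept / Mitigate / Transfer from the numbers (simplified decision rule)."""
    ale_before = scenario.ale()
    if ale_before <= risk_appetite:
        return "Accept", ale_before
    ale_after = scenario.sle() * aro_with_control
    net_benefit = ale_before - ale_after - control_cost  # savings minus what the control costs
    if net_benefit > 0:
        return "Mitigate", net_benefit
    return "Transfer", net_benefit


if __name__ == "__main__":
    # Constructed scenarios (illustrative figures only).
    ransomware = Scenario("ransomware on file server", 2_000_000, 0.25, 0.5)
    laptop = Scenario("stolen encrypted laptop", 3_000, 1.0, 2)
    print(ransomware.sle(), ransomware.ale())   # 500000.0 250000.0
    print(qualitative_rating(4, 5))             # High
    # Backups + EDR cost 40k/yr and are expected to cut ARO from 0.5 to 0.1.
    print(recommend_response(ransomware, 40_000, 0.1, 20_000))  # ('Mitigate', 160000.0)
    print(recommend_response(laptop, 10_000, 0.0, 20_000))      # ('Accept', 6000.0)
```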

  36. Guidelines for Risk Analysis
     Define organizational expectations for security.
     Identify assets requiring protection.
     Determine vulnerabilities.
     Determine possible threats to assets.
     Determine each threat's impact.
     Perform the risk analysis.
     Identify countermeasures.
     Document the whole process.

  37. Business Impact Analysis
     A systematic activity that identifies organizational risks and determines their impact on ongoing, business-critical operations and processes. It involves:
     Vulnerability assessments and evaluations
     Determining risks and their effects
     A business continuity plan (BCP)

  38. 3. Identifying Security Threats
     Types of Attacks and Attackers
     Social Engineering Attacks
     Malware Attacks
     Software-Based Threats
     Network-Based Threats
     Wireless Threats
     Physical Threats

  39. Types of Threats
     Threat actors: hackers, script kiddies, organised criminals, rogue nations, non-state actors, insiders and competitors
     Social engineering attacks: impersonation, phishing
     Exploits and malicious code: viruses, adware, spyware, Trojan horses, keyloggers, ransomware

  40. Types of Threats (continued)
     Man-in-the-middle attack
     Distributed denial of service (DDoS) attack

  41. Types of Threats (continued)
     Privilege escalation
     IP and MAC spoofing
     ARP poisoning (ARP spoofing): a network-based attack in which an attacker with access to the target network redirects an IP address to the MAC address of a computer that is not the intended recipient.
     DNS poisoning (DNS spoofing): a network-based attack in which an attacker exploits the open nature of DNS to redirect a domain name to a different IP address.
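ARP poisoning leaves a recognisable trace: the same IP address is suddenly claimed by a second MAC address, and one MAC starts answering for several IPs (typically the gateway and the victim). The block below is an added example, not code from the original deck: a small detector that runs over a constructed log of ARP replies in a sniffer-style text format, optionally checks a static table of trusted IP-to-MAC bindings, and returns alerts. The log lines, addresses and format are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies (not real traffic). In the last two lines a
# new host de:ad:be:ef:00:99 claims both the gateway's and a workstation's IP.
SAMPLE_ARP_LOG = """\
2025-03-12T09:00:01 reply 192.168.1.1 is-at aa:bb:cc:00:00:01
2025-03-12T09:00:02 reply 192.168.1.20 is-at aa:bb:cc:00:00:14
2025-03-12T09:00:05 reply 192.168.1.1 is-at aa:bb:cc:00:00:01
2025-03-12T09:00:09 reply 192.168.1.1 is-at DE:AD:BE:EF:00:99
2025-03-12T09:00:10 reply 192.168.1.20 is-at de:ad:be:ef:00:99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) for each well-formed reply line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(text, trusted=None):
    """Return alert strings for IPs whose MAC changes, MACs that claim several IPs,
    and replies that contradict a static table of trusted IP -> MAC bindings."""
    trusted = trusted or {}
    ip_to_macs = defaultdict(list)   # ip -> MACs seen, in order of first appearance
    mac_to_ips = defaultdict(set)    # mac -> IPs it has claimed
    alerts = []
    for ts, ip, mac in parse_arp_log(text):
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"{ts} {ip} claimed by {mac}, expected {trusted[ip]}")
        if ip_to_macs[ip] and ip_to_macs[ip][-1] != mac:
            alerts.append(f"{ts} {ip} changed from {ip_to_macs[ip][-1]} to {mac}")
        if mac not in ip_to_macs[ip]:
            ip_to_macs[ip].append(mac)
        mac_to_ips[mac].add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    gateway_binding = {"192.168.1.1": "aa:bb:cc:00:00:01"}  # constructed static entry
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG, trusted=gateway_binding):
        print(alert)
```

A MAC legitimately changing (a replaced NIC, or DHCP handing the IP to another host) produces the same "changed" alert, so in practice the trusted-binding check for critical addresses such as the default gateway is the higher-confidence signal; the multiple-IP rule catches the attacker poisoning both ends of a conversation.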

  42. Software Attacks
     Any attack that targets software resources, including operating systems, applications, services, protocols, and files, and is carried out using software or scripts, falls into this category.

  43. Application Attacks
     Application attack: a software attack that targets web-based and other client-server applications.
     Attack                      Description
     Cross-site scripting (XSS)  Injects malicious scripts into trusted websites; the scripts run when a user visits the site.
     Injection attacks           For example SQL injection.
     Buffer overflow             Exploits fixed data buffer sizes in a target piece of software.
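The two injection attacks in this table are easiest to understand side by side with their fixes. The block below is an added example, not code from the original deck: an in-memory SQLite login query built by string concatenation next to the same query with bound parameters, and an HTML comment renderer with and without output encoding. The table contents, user names and payloads are constructed for the example. Buffer overflows are a native-code problem and cannot be shown in Python, so they are not covered here.

```python
import html
import sqlite3


def make_db():
    """Constructed users table (plaintext passwords only to keep the injection visible)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """SQL injection: user input is spliced into the SQL text, so it can change the grammar."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(query).fetchall()]


def login_safe(conn, name, password):
    """Fix: parameter binding. The driver sends the values separately; they are never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password)).fetchall()]


def render_comment_vulnerable(comment):
    """Stored XSS: untrusted text is written straight into the page markup."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    """Fix: encode for the HTML context, so <, >, &, quotes become harmless entities."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    # Comment out the password check: the trailing -- makes SQLite ignore the rest of the line.
    print(login_vulnerable(conn, "alice' --", "anything"))   # ['alice']
    print(login_safe(conn, "alice' --", "anything"))         # []
    # Tautology in the password: AND binds tighter than OR, so every row matches.
    print(login_vulnerable(conn, "x", "' OR '1'='1"))        # ['alice', 'bob']
    print(login_safe(conn, "x", "' OR '1'='1"))              # []

    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable(payload))   # script tag reaches the browser intact
    print(render_comment_safe(payload))         # &lt;script&gt;...&lt;/script&gt;
```

The hardened versions also accept legitimate input with awkward characters (a surname like O'Brien, a comment containing "<3"), which is the real test of a fix: it must not simply reject punctuation.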

  44. 4. Conducting Security Assessments
     Identify Vulnerabilities
     Assess Vulnerabilities
     Implement Penetration Testing

  45. Identifying Vulnerabilities
     Host vulnerabilities
     Software vulnerabilities
     Encryption vulnerabilities
     Network architecture vulnerabilities
     Account vulnerabilities
     Operations vulnerabilities

  46. Penetration Testing Techniques
     Reconnaissance
     Initial exploitation
     Escalation of privilege
     Pivoting
     Persistence

  47. 5. Implementing Host & Software Security
     Implement Host Security
     Implement Cloud and Virtualization Security
     Implement Mobile Device Security
     Incorporate Security in the Software Development Lifecycle

  48. 6. Implementing Network Security
     Configure Network Security Technologies
     Secure Network Design Elements
     Implement Secure Networking Protocols and Services
     Secure Wireless Traffic

  49. 7. Managing Identity and Access
     Implement Identity and Access Management
     Configure Directory Services
     Configure Access Services
     Manage Accounts

  50. 8. Implementing Cryptography
     Select Cryptographic Algorithms
     Configure a Public Key Infrastructure
     Enroll Certificates
     Back Up and Restore Certificates and Private Keys
     Revoke Certificates