WaZaRWiki : InformationSystemSecurity


Revision [43]

This is an old revision of InformationSystemSecurity made by WikiSecretary on 2008-05-08 00:00:42.

07-05-2008

Security Basics

Teacher: Gael Reignier - gael.reigner@supinfo.com
Slides: Cyril Voisin



CISSP (Certified Information Systems Security Professional)

1. Introduction
2. Security basis
3. Introduction to cryptology



1. Introduction

Why security?

Definition:

make feel safe
stealing documents
encrypting
integrity

Expectations:

learn how to set up a security policy
how to test and fix our security policy



Security depends on the context, so it is all RELATIVE!

3 sides of security:

Human
Physical

Technologies (antivirus, directory, IPsec, PKI ...)
People (enterprise admin, domain admin, users, software engineer, service support)
Processes (risks, performance management, fixes, archives, incident response, backups ...)


2. Security basis


C Confidentiality
I Integrity
A Availability


OSI

7 Application
6 Presentation
5 Session

4 Transport

3 Network

2 Data Link

1 Physical

Risk management

Where do you need to start?

defining rights for people
password

What do we need to focus on?

users

How much do we need to invest?

How would you do it?



insurance testings: employ hackers to secure your network

ARO: Annualized Rate of Occurrence

Some info on Google: http://www.google.com/search?hl=en&client=safari&rls=en&q=SLE+ARO&btnG=Search

I also add this from: http://cissp.meetup.com/64/messages/boards/thread/2203587


SLE, ARO, ALE, residual risk

Answer: D.
The quantitative assessment process involves the following steps: Estimate potential losses (SLE), conduct a threat analysis (ARO), determine annual loss expectancy (ALE), and determine the residual risk after a countermeasure has been applied.





whole risk = value of the assets x threats x vulnerabilities
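The four quantitative steps quoted above (SLE, ARO, ALE, residual risk) and the risk formula, worked through in Python as an added example that is not part of the original notes. The exposure factor (EF) and the safeguard cost-benefit rule (ALE before minus residual ALE minus annual cost) are standard CISSP definitions the page does not spell out, and all figures are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset in CISSP quantitative terms (constructed inputs)."""
    asset_value: float      # AV: what the asset is worth
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: Annualized Rate of Occurrence, incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one incident (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro

def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net yearly value of a countermeasure: ALE before - residual ALE - annual cost."""
    # after.ale() is the residual risk left once the countermeasure is in place;
    # a positive result means the safeguard costs less than the loss it prevents.
    return before.ale() - after.ale() - annual_cost

def assess(before: RiskScenario, after: RiskScenario, annual_cost: float) -> dict:
    """Run the four steps of the quantitative assessment and return the figures."""
    value = safeguard_value(before, after, annual_cost)
    return {
        "sle": before.sle(),          # step 1: estimate potential losses
        "aro": before.aro,            # step 2: threat analysis
        "ale": before.ale(),          # step 3: annual loss expectancy
        "residual_ale": after.ale(),  # step 4: risk remaining after the safeguard
        "safeguard_value": value,
        "worthwhile": value > 0,
    }

if __name__ == "__main__":
    # Constructed sample: a 100,000 asset, 25% lost per incident, two incidents a year.
    before = RiskScenario(asset_value=100_000, exposure_factor=0.25, aro=2.0)
    # The safeguard cuts the ARO to one incident every two years but not the EF.
    after = RiskScenario(asset_value=100_000, exposure_factor=0.25, aro=0.5)
    for key, value in assess(before, after, annual_cost=10_000).items():
        print(f"{key:>16}: {value}")
```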

Slide 63: Buffer Overflow Example

Worm for W2K: http://en.wikipedia.org/wiki/Nimda_(computer_worm)

SQL Injection: http://xkcd.com/327/

Stored Procedures: SQL statements saved on the server that you can execute.

