07-05-2008
Security Basics
Teacher: Gael Reignier - gael.reigner@supinfo.com
Slides: Cyril Voisin
CISSP (Certified Information Systems Security Professional)
1.Introduction
2.Security basics
3.Introduction to cryptology
1.Introduction
Why Security ?
Definition:
make people feel safe
protect against theft of documents
encryption
integrity
Expects:
learn how to set up a security policy
how to test & fix our security policy
Security depends on the context, so it is all RELATIVE!
3 sides of security:
Human
Physical
Technologies (antivirus, directory, ipsec, pki ...)
People (enterprise admin, domain admin, users, soft engineer, service support)
Processes ( Risks, perf management, fixes, archives, incident response, backups ...)
2.Security Basics
C Confidentiality
I Integrity
A Availability
OSI
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
Risk management
Where do you need to start?
defining rights for people
password
What do we need to focus on?
users
How much do we need to invest?
How would you do it?
intrusion (penetration) testing: employ ethical hackers to test and secure your network
ARO: Annualized Rate of Occurrence
Some info via Google:
http://www.google.com/search?hl=en&client=safari&rls=en&q=SLE+ARO&btnG=Search
I also add this, from:
http://cissp.meetup.com/64/messages/boards/thread/2203587
SLE, ARO, ALE, residual risk
The quantitative assessment process involves the following steps: Estimate potential losses (SLE), conduct a threat analysis (ARO), determine annual loss expectancy (ALE), and determine the residual risk after a countermeasure has been applied.
overall risk = value of the assets x threats x vulnerabilities
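Worked through as an added example (not from the course slides or the quoted thread; every figure below is made up): the four quantitative steps as small Python functions, plus one scenario where the countermeasure pays for itself and one where it does not. Exact fractions are used so the arithmetic has no rounding noise.

```python
from fractions import Fraction

# Added example for the SLE / ARO / ALE / residual-risk steps.
# All asset values, exposure factors and costs are constructed for illustration.


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the asset lost per incident)."""
    if not 0 <= exposure_factor <= 1:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(incidents, years):
    """ARO = expected incidents per year, e.g. one flood every 10 years -> 1/10."""
    return Fraction(incidents, years)


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: what the threat is expected to cost per year."""
    return sle * aro


def countermeasure_value(ale_before, ale_after, annual_cost):
    """CISSP cost/benefit rule: ALE(before) - ALE(after) - yearly cost of the control.

    ale_after is the residual risk once the control is in place.  A positive result
    means the control is worth buying; a negative one means it costs more than it saves.
    """
    return ale_before - ale_after - annual_cost


def assess(asset_value, exposure_factor, aro, control_cost, aro_after, ef_after=None):
    """Run the four steps for one threat and return every intermediate figure."""
    ef_after = exposure_factor if ef_after is None else ef_after
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annualized_loss_expectancy(sle, aro)
    residual = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_after), aro_after
    )
    return {
        "SLE": sle,
        "ALE": ale,
        "residual_risk": residual,
        "control_value": countermeasure_value(ale, residual, control_cost),
    }


def worm_scenario():
    # Constructed: a file server valued at 200 000; a worm outbreak destroys 25% of
    # that value each time and has happened twice a year (ARO = 2).  Patching plus
    # antivirus costs 20 000 a year and brings outbreaks down to one every five years.
    return assess(
        asset_value=200_000,
        exposure_factor=Fraction(1, 4),
        aro=annualized_rate_of_occurrence(2, 1),
        control_cost=20_000,
        aro_after=annualized_rate_of_occurrence(1, 5),
    )


def overkill_scenario():
    # Constructed: a 20 000 workstation, total loss (EF = 1) once every ten years.
    # A 5 000-a-year control cuts that to once a century: the control costs more
    # than the risk it removes, so the money is better spent elsewhere.
    return assess(
        asset_value=20_000,
        exposure_factor=Fraction(1),
        aro=annualized_rate_of_occurrence(1, 10),
        control_cost=5_000,
        aro_after=annualized_rate_of_occurrence(1, 100),
    )


if __name__ == "__main__":
    for name, result in (("worm", worm_scenario()), ("overkill", overkill_scenario())):
        print(name, {k: int(v) for k, v in result.items()})
    # worm -> SLE 50000, ALE 100000, residual 10000, control value 70000
    # overkill -> SLE 20000, ALE 2000, residual 200, control value -3200
```

The "residual risk" row is the ALE recomputed with the post-control exposure factor and ARO; the last row is the decision figure the slides' cost/benefit step asks for.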
Slide 63: Buffer Overflow Example
Worm for W2K (Windows 2000):
http://en.wikipedia.org/wiki/Nimda_(computer_worm)
SQL Injection:
http://xkcd.com/327/
Stored procedures: SQL statements saved on the server, which you can then execute by name.
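As an added example (not from the course slides), the injection from the xkcd strip next to the usual fix, run in Python against an in-memory SQLite table. The table, its rows and both payloads are constructed for this demo; the "Bobby Tables" payload is adapted to a two-column table, and the vulnerable INSERT goes through executescript so that stacked statements run, as they do on database drivers that allow several statements per call. A stored procedure only helps here if it is called with bound parameters and does not itself paste its arguments into dynamic SQL; the placeholder rule below is the same.

```python
import sqlite3

# Constructed sample table; the rows are invented for this example.
STUDENTS = [("Alice", 17), ("Robert", 16), ("Carol", 18)]


def fresh_db():
    """In-memory SQLite database holding the constructed Students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO Students VALUES (?, ?)", STUDENTS)
    conn.commit()
    return conn


def find_student_vulnerable(conn, name):
    """User input is pasted into the SQL text: a quote in 'name' rewrites the query."""
    query = f"SELECT name, age FROM Students WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_student_safe(conn, name):
    """Parameterised query: the driver passes 'name' as data, never as SQL."""
    return conn.execute(
        "SELECT name, age FROM Students WHERE name = ?", (name,)
    ).fetchall()


def enroll_vulnerable(conn, name, age):
    """Same flaw on an INSERT.  executescript runs every statement in the string,
    so an injected '; DROP TABLE ...' executes too (stacked queries)."""
    conn.executescript(f"INSERT INTO Students VALUES ('{name}', {int(age)});")


def enroll_safe(conn, name, age):
    """Hardened form: placeholders for both values; the payload is stored as a name."""
    conn.execute("INSERT INTO Students VALUES (?, ?)", (name, int(age)))
    conn.commit()


def table_exists(conn, table):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row[0] == 1


def student_count(conn):
    return conn.execute("SELECT count(*) FROM Students").fetchone()[0]


# Constructed payloads: the classic tautology, and a two-column variant of the
# xkcd 327 payload (the comic's table has a single column, ours has two).
BYPASS = "' OR '1'='1"
BOBBY = "Robert', 16); DROP TABLE Students;--"

if __name__ == "__main__":
    conn = fresh_db()
    print(find_student_vulnerable(conn, BYPASS))  # all three rows
    print(find_student_safe(conn, BYPASS))        # []
    enroll_vulnerable(conn, BOBBY, 17)
    print(table_exists(conn, "Students"))         # False: table dropped
    conn = fresh_db()
    enroll_safe(conn, BOBBY, 17)
    print(table_exists(conn, "Students"), student_count(conn))  # True 4
```

With the tautology the vulnerable query becomes `WHERE name = '' OR '1'='1'` and returns every row; the parameterised version looks for a student literally named `' OR '1'='1` and returns nothing. The Bobby payload turns the vulnerable INSERT into two statements plus a comment, so the table disappears; the safe INSERT simply stores the odd-looking name.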