Improve Cybersecurity with Deterrence, Awareness, Procedures & Logging
1. Making systems more secure
• Strategies that can be used to improve cybersecurity
Making systems more secure, 2013
Slide 1
2. Improving cybersecurity
• Deterrence
– Increase the costs of making an attack on your systems
• Awareness
– Improve awareness of all system users of security risks and types of attack
3. Improving cybersecurity
• Procedures
– Design realistic security procedures that can be followed by everyone in an organisation (including the boss)
• Monitoring and logging
– Monitor and log all system operations
4. Deterrence
• It is impossible to develop a completely secure personal, business or government system. If an attacker has unlimited resources and motivation, it will always be possible to mount some attack on a given system.
5. Deterrence
• However, attackers NEVER have unlimited resources and motivation, so an aim of security is to increase the cost of making a successful attack to such an extent that attackers will (a) be deterred from attacking and (b) abandon attempted attacks before they are successful
6. Diverse authentication systems
• Use strong passwords and multiple forms of authentication
• Login/password + personal question or biometric
• Attacker has to break two levels of authentication to gain access
8. Encryption
• Use the HTTPS protocol to encrypt information whilst in transit across the Internet
• Encrypt confidential information stored on your system
10. Password security
• Password strength measurement
– https://passfault.appspot.com/password_strength.html#menu
• Calculates how long it would take to break a password using a brute-force attack on a standard PC
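An added illustration, not part of the slides and not the Passfault tool's own method, of why the two passwords in the speaker notes at the end of the deck get such different crack-time estimates: a pure character-set model treats every character as random, whereas a pattern-aware model charges a dictionary word as one wordlist lookup. The wordlist, class sizes and the 1e9 guesses/second rate are assumptions, so the resulting times will not match the tool's figures.

```python
import re

# Constructed mini wordlist (assumption): a real cracking dictionary has on the
# order of 1e5 entries, so that size, not len(DICTIONARY), is used as the cost.
DICTIONARY = {"street", "south", "password", "summer"}
DICTIONARY_SIZE = 100_000
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
TOKEN_RE = re.compile(r"[A-Za-z]+|\d+|[^A-Za-z\d]+")

def charset_keyspace(pw: str) -> int:
    """Naive estimate: (sum of sizes of the character classes used) ** length."""
    size = 0
    if re.search(r"[a-z]", pw): size += CLASS_SIZES["lower"]
    if re.search(r"[A-Z]", pw): size += CLASS_SIZES["upper"]
    if re.search(r"\d", pw): size += CLASS_SIZES["digit"]
    if re.search(r"[^A-Za-z\d]", pw): size += CLASS_SIZES["symbol"]
    return size ** len(pw)

def tokenize(pw: str) -> list:
    """Split into runs of letters, digits and symbols: SO_51_street -> 5 tokens."""
    return TOKEN_RE.findall(pw)

def pattern_keyspace(pw: str) -> int:
    """Pattern-aware estimate: a dictionary word costs one wordlist lookup (x2 for a
    lower/capitalised variant); a random run costs class_size ** run_length."""
    space = 1
    for tok in tokenize(pw):
        if tok.isalpha() and tok.lower() in DICTIONARY:
            space *= DICTIONARY_SIZE * 2
        elif tok.isalpha():
            size = 26 if (tok.islower() or tok.isupper()) else 52
            space *= size ** len(tok)
        elif tok.isdigit():
            space *= CLASS_SIZES["digit"] ** len(tok)
        else:
            space *= CLASS_SIZES["symbol"] ** len(tok)
    return space

def seconds_to_exhaust(pw: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try the whole pattern-aware keyspace at an assumed rate."""
    return pattern_keyspace(pw) / guesses_per_second

if __name__ == "__main__":
    for pw in ("SO51street", "SO_51_street"):
        print(f"{pw:13} naive={charset_keyspace(pw):.2e} "
              f"pattern={pattern_keyspace(pw):.2e} "
              f"~{seconds_to_exhaust(pw) / 86400:.2f} days at 1e9 guesses/s")
```

The gap between the naive and pattern-aware figures for the same password is the reason length limits and "letters and digits only" rules, mentioned in the notes, are poor proxies for strength.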
15. Encryption
• Encryption is the process of encoding information in such a way that it is not directly readable. A key is required to decrypt the information and understand it
• A systematic transformation is applied to the information, based on the key, to transform it to a different form.
• The original information can only be recovered if the reader has the key that can be used to reverse the transformation
17.
• Used sensibly, encryption can contribute to cybersecurity improvement but is not an answer in itself
– Security of encryption keys
– Inconvenience of encryption leads to patchy utilisation and user frustration
– Risk of key loss or corruption – information is completely lost (and backups don't help)
– Can make recovery more difficult
18. Awareness
• Educate users about the importance of cybersecurity and provide information that supports their secure use of computer systems
• Be open about incidents that may have occurred
19. Awareness
• Take into account how people really are rather than how you might like them to be
• People have human failings and inevitably will make mistakes
20.
• Bad security advice
– Many security guidelines and rules are unrealistic and cannot be followed in practice by users
– Use a different password for every website you visit
21.
• Good security advice
– If you use the same password for everything, an attacker can get access to all your accounts if they find that password out
– Use different passwords for all online bank accounts and only reuse passwords when you don't really care about the accounts
22. Procedures
• Businesses should design appropriate procedures based around the value of the assets that are being protected
• If you simply apply the most secure procedures to all information, this will disrupt work and users are more likely to try to circumvent these procedures
23.
• If information is not confidential, then it often makes sense to make it public
• This reduces the need for users to authenticate to access the information
24.
• Cybersecurity awareness procedures for all staff including the most senior management
• Recognise reality – people will use phones and tablets – and derive procedures for their safe use
25. Monitoring and logging
• Monitoring and logging means that you record all user actions and so keep track of all accesses to the system
26.
• Use tools to scan logs frequently, looking for anomalies
• Can be an important deterrent to insider attacks if attackers know that they have a chance of being discovered through the logging system
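An added example of the "scan logs for anomalies" idea on slides 25 and 26; it is not code from the lecture. It runs three simple rules over a constructed access log (timestamp plus key=value fields, an assumed format): repeated failed logins for one user, a successful login from a source address that user has never used before, and any activity outside working hours. Thresholds and hours are assumptions and would be tuned per organisation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the slides), one record per line.
SAMPLE_LOG = """\
2013-05-02T09:15:02 user=alice src=10.0.0.5 action=login result=ok
2013-05-02T09:20:11 user=alice src=10.0.0.5 action=read file=budget.xls
2013-05-02T10:01:40 user=bob src=10.0.0.9 action=login result=fail
2013-05-02T10:01:45 user=bob src=10.0.0.9 action=login result=fail
2013-05-02T10:01:49 user=bob src=10.0.0.9 action=login result=fail
2013-05-02T10:01:53 user=bob src=10.0.0.9 action=login result=fail
2013-05-02T10:01:58 user=bob src=10.0.0.9 action=login result=ok
2013-05-03T02:47:13 user=alice src=203.0.113.7 action=login result=ok
2013-05-03T02:49:30 user=alice src=203.0.113.7 action=read file=payroll.xls
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")

def parse(line: str) -> dict:
    """Turn '2013-05-02T09:15:02 user=alice ...' into a dict with a datetime 'ts'."""
    m = LINE_RE.match(line)
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec

def scan(log_text: str, max_fails: int = 3, work_hours=(7, 19)) -> list:
    """Return (timestamp, user, reason) findings for the three anomaly rules."""
    findings = []
    fails = defaultdict(int)      # consecutive failed logins per user
    known_src = defaultdict(set)  # sources each user has logged in from before
    for line in log_text.splitlines():
        r = parse(line)
        user, ts = r["user"], r["ts"]
        if r["action"] == "login":
            if r["result"] == "fail":
                fails[user] += 1
                if fails[user] == max_fails:   # report once when threshold is hit
                    findings.append((ts, user, f"{max_fails} consecutive failed logins"))
            else:
                if known_src[user] and r["src"] not in known_src[user]:
                    findings.append((ts, user, f"login from new source {r['src']}"))
                known_src[user].add(r["src"])
                fails[user] = 0
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            findings.append((ts, user, "activity outside working hours"))
    return findings

if __name__ == "__main__":
    for ts, user, reason in scan(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
```

A real deployment would read the log incrementally and keep the per-user state between runs, so that a "new source" is judged against history rather than against the current batch alone.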
27. Summary
• Improving cybersecurity depends on
– Deterrence
– Awareness
– Effective procedures
– Monitoring and logging
Editor's Notes
Mystery why some organisations limit the length of passwords and do not allow characters apart from letters and numbers.
Say you live at 15 South Street, so make up a password you can remember:
SO51street – cracked in < 1 day
SO_51_street – cracked in 23 years