Cloud Security
Key Security Concepts - CIA
Confidentiality
• Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity
• Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
Availability
• Ensuring timely and reliable access to and use of information
To complete the picture:
1. Authenticity
2. Accountability
Levels of Impact
Low
The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
Moderate
The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
High
The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Vulnerabilities, Threats and Attacks
• Vulnerabilities
• Corrupted (loss of integrity)
• Leaky (loss of confidentiality)
• Unavailable or very slow (loss of availability)
• Threats
• Capable of exploiting vulnerabilities
• Represent potential security harm to an asset
• Attacks (threats carried out)
• Passive – attempt to learn or make use of information from the system that does not affect system resources
• Active – attempt to alter system resources or affect their operation
• Insider – initiated by an entity inside the security perimeter
• Outsider – initiated from outside the perimeter
Passive and Active Attacks
Passive Attack
• Attempts to learn or make use of information from the system but does not affect system resources
• Eavesdropping on, or monitoring of, transmissions
• Goal of attacker is to obtain information that is being transmitted
• Two types:
– Release of message contents
– Traffic analysis
Active Attack
• Attempts to alter system resources or affect their operation
• Involve some modification of the data stream or the creation of a false stream
• Four categories:
– Replay
– Masquerade
– Modification of messages
– Denial of service
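As an added example (not part of the original slides), a receiver-side check that addresses three of the four active-attack categories above: a keyed MAC over every field rejects masqueraded and modified messages, and a per-sender sequence number plus a timestamp window rejects replays. The shared key, sender names and messages are constructed for illustration; denial of service is not something a per-message check can address.

```python
import hmac
import hashlib
import json

# Constructed shared key for the example; a real deployment would provision
# one per sender through a key-management process.
SHARED_KEY = b"example-shared-secret-not-for-production"
MAX_CLOCK_SKEW = 30  # seconds a timestamp may differ from receiver time before rejection


def _canonical(sender, seq, ts, body):
    # Fixed field order and separators so sender and receiver MAC identical bytes.
    return json.dumps([sender, seq, ts, body], separators=(",", ":")).encode()


def sign_message(key, sender, seq, ts, body):
    """Sender side: attach an HMAC-SHA256 tag over all fields, not just the body,
    so that changing the sender, sequence number or timestamp also breaks the tag."""
    tag = hmac.new(key, _canonical(sender, seq, ts, body), hashlib.sha256).hexdigest()
    return {"sender": sender, "seq": seq, "ts": ts, "body": body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag first, then enforce freshness per sender."""

    def __init__(self, key, max_skew=MAX_CLOCK_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.last_seq = {}  # sender -> highest sequence number accepted so far

    def accept(self, msg, now):
        """Return (accepted, reason); each rejection names the attack category it blocks."""
        expected = hmac.new(
            self.key,
            _canonical(msg["sender"], msg["seq"], msg["ts"], msg["body"]),
            hashlib.sha256,
        ).hexdigest()
        # compare_digest avoids leaking the tag through timing differences.
        if not hmac.compare_digest(expected, msg["tag"]):
            # Wrong key (masquerade) or any altered field (modification).
            return False, "bad tag: masquerade or modification"
        if abs(now - msg["ts"]) > self.max_skew:
            # Captured traffic cannot be replayed once it is outside the window.
            return False, "stale timestamp: replay"
        if msg["seq"] <= self.last_seq.get(msg["sender"], -1):
            # Sequence numbers must strictly increase per sender within the window.
            return False, "sequence reused: replay"
        self.last_seq[msg["sender"]] = msg["seq"]
        return True, "ok"
```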
Countermeasures
Dealing with security attacks
• Prevent
• Detect
• Recover
May itself introduce new vulnerabilities
Residual vulnerabilities may remain
Goal is to minimize residual level of risk to the assets
Trends have shaped cybersecurity
• The increasing economic value of information
• Computer networks are part of the critical national framework
• Third parties control information not under our control
• Criminalisation of the internet
• Ever increasing complexity of networks
• Slower patching, faster exploits
• Sophistication of threats
• End user as attacker
• Regulatory pressure
Adapted from Scheiner (2006)
Video: https://www.youtube.com/watch?v=AuYNXgO_f3Y
Rationale for Protection
• Cybersecurity is required in order to protect systems, data and information
• We need to understand what the data and information is worth in order to determine the appropriate level of protection
• Value can be defined or perceived
– Impact on TalkTalk
• https://www.theguardian.com/business/2015/oct/23/talktalk-cyber-attack-company-unsure-how-many-users-affected
– Impact of WannaCry on NHS
• https://www.chroniclelive.co.uk/news/north-east-news/nhs-cyber-attack-could-been-13818484
• https://www.theguardian.com/technology/2017/may/13/nhs-workers-and-patients-on-how-cyber-attack-has-affected-them
• Organisational and public perception of value may differ from an attacker’s
• Value can change over time
CyberSecurity
• Cyber security incorporates a range of domains, including
– Application of information security standards
– Implementation of secure infrastructure
– Education of users
– Creation of appropriate organisations
• In order to prepare for and attempt to prevent attacks we need to be aware of the security implications and issues in terms of systems security and information security
• Reduce risk
• Minimize attack
• Identify breaches
• Build trust
In your opinion, what are the objectives of cybersecurity?
Introduction to Cyber Security
Policies and Procedures
Principle of least privilege
1. Grant access only to those who need it
2. Grant as little access as possible
3. Grant it only for as long as needed
Principle of separation of risk
1. Removal of important elements from close proximity – avoids cascade
2. Separate application, host, network and business risk
3. Separate one application’s risk from another’s
4. Separate multiple systems risks
Defence in Depth
Firewall, IDS, Access Control, File System
Secrecy
Kerckhoffs’s principle – the security of a mechanism should not be dependent on the secrecy of the mechanism
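As an added example (not from the slides), the three least-privilege rules above expressed as a grant model and a default-deny check: a grant names one principal (rule 1), one resource and the exact actions (rule 2), and an expiry (rule 3); a review helper flags grants that are over-broad by construction. The principals, resources and the 90-day lifetime limit are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    principal: str      # rule 1: a named subject who needs the access
    resource: str       # rule 2: one specific resource, never a wildcard
    actions: frozenset  # rule 2: only the actions actually required
    expires: datetime   # rule 3: access lapses without further action


def is_permitted(grants, principal, resource, action, now):
    """Allow only if an unexpired grant names this principal, resource and action.
    Default is deny: no matching grant is a refusal, not an error. Wildcards are
    deliberately not honoured, so an over-broad grant grants nothing here and
    must instead be caught by review (see over_broad_grants)."""
    for g in grants:
        if g.principal != principal:
            continue                 # rule 1: not granted to this subject
        if g.resource != resource or action not in g.actions:
            continue                 # rule 2: outside the granted scope
        if now >= g.expires:
            continue                 # rule 3: grant has lapsed
        return True
    return False


def over_broad_grants(grants, now, max_lifetime=timedelta(days=90)):
    """Review helper: return (grant, reason) pairs for grants that violate rule 2
    (wildcard scope) or rule 3 (lifetime beyond the assumed 90-day policy)."""
    findings = []
    for g in grants:
        if g.resource == "*" or "*" in g.actions:
            findings.append((g, "wildcard scope"))
        elif g.expires - now > max_lifetime:
            findings.append((g, "lifetime exceeds policy"))
    return findings


def example_grants(now):
    """Constructed sample grants: one minimal, one over-broad, one expired."""
    return [
        Grant("alice", "db/customers", frozenset({"read"}), now + timedelta(hours=8)),
        Grant("bob", "*", frozenset({"read", "write"}), now + timedelta(days=365)),
        Grant("carol", "db/customers", frozenset({"read"}), now - timedelta(minutes=1)),
    ]
```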
Threat Landscape
Examples:
• Advanced persistent threats
• Cyber crime (dependent and enabled)
• Hacktivism
• Insider threats
• Nuisance threats
• etc.
What cyber threats can you identify?
Advanced Persistent Threats
• Attack profile
– targeted, organised and funded attacks potentially associated with nation state sponsorship or other powerful entities
• Primary Objectives
– typically medium to long term; exfiltration of intellectual property for purposes of eliminating years of R&D, competitive economic and/or nation state advantage
• Attack methods
– social engineering, spear phishing, drive-by download attacks, espionage, focused perimeter breaches
Cyber Crime
• Attack profile
– opportunistic, broad-based, often motivated by financial gain
• Primary Objectives
– typically short term; identity theft, credit card fraud, extortion, botnet creation & management
• Attack methods
– phishing attacks, hosting malware on legitimate websites, SPAM related attacks, cyber extortion techniques
Hacktivism
• Attack profile
– organised attacks associated with a group of individuals with political, ethical, religious, or retaliatory motives
• Primary objectives
– typically short term; cause havoc & chaos, disrupt operations, discredit and malign via disclosure of sensitive information
• Attack methods
– distributed denial of service attacks (DDoS), traditional hacking techniques, spear phishing
Insider Threats
• Attack profile
– legitimate internal user with hidden malicious intentions
• masqueraders (those who operate under the identity of another user)
• clandestine users (those who evade access controls and auditing)
• misfeasors (those who have legitimate authorisation but misuse their privileges)
• Primary objectives
– short to long term; compromise of sensitive information, destruction, revenge, espionage, harassment
• Attack methods
– access via legitimate credentials and privileges, data exfiltration, physical and logical sabotage, surveillance
Nuisance Threats
• Attack profile
– unskilled attackers, scanners & crawlers, SPAM, worms/viruses, basic malware
• Primary objectives
– often unknown or irrelevant; recognition & status, reconnaissance, financial
• Attack methods
– automated scanners, public exploit kits, generic SPAM email, propagating worms/viruses, adware, scareware
Cyber Security in Organisations
Cybersecurity Actions in Organisations
• Ensure that there are clear processes and procedures to:
– Define the cybersecurity environment, including risks, threats and implications of breaches.
– Detect when a breach of cybersecurity has happened – including ways of identifying issues with policy and implementation of policy
– Defend against potential threats and attacks – considering appropriate layers of security
– Deter potential attackers and misusers – both from outside the organisation and inside.
Cyber Security in Organisations
• Training and Awareness of Employees
– Ensuring that there is a robust cybersecurity policy in the organisation
– Ensuring that all staff are trained in (and aware of) cybersecurity threats
– Raising awareness of the threat from social engineering
Source:
https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/NCSC%2010%20Steps%20To%20Cyber%20Security%20NCSC.pdf
Source: https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/NCSC%20Cyber%20Attacks.pdf
The Threat Matrix
[Figure: threats plotted by Probability of Threat (horizontal axis) against Business Impact (vertical axis). Items plotted: financial application crash, DoS attack, application security, earthquake, information leak, e-mail content disclosure, wireless LANs, OS systems security, PDA/handhelds, Internet worms, virus, privacy leak, web services breach, disgruntled employees, access management failure.]
SANS 20 Critical Security Controls
• Overview: https://www.youtube.com/watch?v=vg6ck7ZSBrI
• Infographic: https://uk.sans.org/media/critical-security-controls/Poster_CIS-Security-Controls_2018.pdf
• Visit the main page: https://www.cisecurity.org/controls/
Outline:
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Critical Control 4: Continuous Vulnerability Assessment and Remediation
• Critical Control 5: Malware Defences
• Critical Control 6: Application Software Security
• Critical Control 7: Wireless Device Control
• Critical Control 8: Data Recovery Capability
• Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 12: Controlled Use of Administrative Privileges
• Critical Control 13: Boundary Defence
• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
• Critical Control 15: Controlled Access Based on the Need to Know
• Critical Control 16: Account Monitoring and Control
• Critical Control 17: Data Loss Prevention
• Critical Control 18: Incident Response and Management
• Critical Control 19: Secure Network Engineering
• Critical Control 20: Penetration Tests and Red Team Exercises
CIS Controls Version 8
RiskIQ’s Evil Internet Minute
Cloud Security Challenges
1. Data Breaches
2. Compliance With Regulatory Mandates
3. Lack of IT Expertise
4. Cloud Migration Issues
5. Unsecured APIs
6. Insider Threats
7. Open Source
Cloud Security Risks
1. Misconfiguration
2. Unauthorized Access
3. Insecure Interfaces/APIs
4. Hijacking of Accounts
5. Lack of Visibility
6. External Sharing of Data
7. Malicious Insiders
8. Cyberattacks
9. Denial of Service Attacks
