Как мы сделали security awareness в QIWI

•

1 gefällt mir•1,008 views

Чтобы повысить уровень осведомленности сотрудников о проблемах информационной безопасности, в QIWI проводились викторины, квесты и CTF. Усвоенный материал проверяли с помощью внутреннего фишинга, подброса инфицированных носителей и пентеста.

Technologie

Security Awareness
in QIWI
Ekaterina Pukhareva

2
Who am I ?
IS Department QIWI
▪ security awareness
▪ IT compliance
▪ vulnerability management

3
Why we do it? Profit?
Reduction of possible incidents
Raise understanding of responsibility in company as a whole
Loyalty
Open IT company (focus on user convenience without restrictions)
Personal ~ 1300
Different level of awareness
Budget ~ 1 000 000 rub/year for awareness

4
Awareness programs
▪ Regular trainings on secure coding techniques
▪ Thematic conferences
▪ Welcoming book for new employees
▪ Subscriptions (vulners, SANS..)
▪ Annual security weeks

5
Awareness programs
Security week 2014
▪ Posters
▪ Competitions
▪ Videos

6
▪ Quest
▪ CTF
Awareness programs
Security week 2015

7
Awareness programs
Security week 2016
▪ Quiz
▪ Lectures

8
Checks
▪ “BadUSB”
▪ Internal phishing
▪ Penetration test (inc. social engineering)

11
▪ Clicked on the phishing link
▪ Clicked on the phishing link and logged in
▪ Notified about the incident
Checks

12
▪ What is phishing..
▪ Which is bad, because..
▪ Why so necessary to notify about the incident
Communications

13
How to make it efficient?
▪ Regular notifications
▪ Alive checks and explanations
▪ Writing policies
▪ Testing

14
Technical prevention measures:
▪ SIEM
▪ Antispam
▪ IPS
▪ Sandbox
▪ 2factor authentication
..
How to make it efficient?

Weitere ähnliche Inhalte

Ähnlich wie Как мы сделали security awareness в QIWI

Procurement fraud is a clear and present risk for organisations across all sectors. The move to outsourced services has created the opportunity for fraud to occur any stage of the contract process. Exploitation of an organisations purchasing, procurement and contract systems can cause untold damage in terms of revenue and reputation. However with appropriate controls, accountable tendering processes and strict prevention strategies the opportunities for fraud can be significantly reduced.

Procurement Fraud: Identifying, Investigating & Managing Risk

ICFE Group of Companies

SMi Group's 5th annual Oil & Gas Cyber Security 2015

Dale Butler

Certified Threat Intelligence Analyst (CTIA) from EC-Council is a credentialing certification and training program. This highly valued certification has been exclusively devised in collaboration with threat intelligence and cybersecurity experts worldwide to empower organizations effectively to identify and mitigate security risks with extensive processing and analysis of available threat information. The CTIA is a specialist level training and certification that demonstrates security professionals the structured approach to acquiring threat intelligence. The CTIA certified candidates attain a competitive edge over other information security professionals. This threat intelligence certification course delivers standards-based, intensive practical skills to the most essentially required threat intelligence across information security.

CTIA Training.pptx

Infosec Train

CTIA Training.pptx

Infosec Train

2020 FRsecure CISSP Mentor Program - Class 1

FRSecure

GMD Speeh for ISO 27001 Certificate Presentation

FirstBank, Nigeria

There's a data explosion underway and it's a lucrative market for cyber criminals. Charities with their complex contexts and valuable data are an obvious target and so it's essential Cyber threats are addressed in Charities' risk strategies. This presentation set outs the current situation, what the potential consequences are and who could be impacted before explaining what can be done about it and how to approach the challenge. Presentation to representatives from the UK Charities sector at the Charity Finance Group's annual IT, Data, Insights and Cyber Security Conference.

Cyber Attacks aren't going away - including Cyber Security in your risk strategy

James Mulhern

EC-Council’s Certified Incident Handler v2 (E|CIH) certification and training imparts and validates extensive skills to address post-security breach consequences in the organization by condensing the financial and reputational impact of the incident. This E|CIH program has been devised by globally recognized cybersecurity and incident handling & response practitioners. The certification is highly ranked and helps enhances the employability of cybersecurity professionals worldwide.

ECIH Training.pptx

Infosec Train

2015 Conference Brochure - Trust Security Agility - Businesses Better Prepare...

Neil Curran MSc CISSP CRISC CGEIT CISM CISA

The Perimeter within Modern Business - does it exist?

ZoneFox

What is Information Security and why you should care ...

James Mulhern

According to the latest research from cyber security firm, Kamino, 45% of financial advisers had experienced a cyber incident last year. Julian Plummer, founder of Kamino, delves into why cyber security is a very real issue for financial advisers and their clients, and the types of cyber incidents that are impacting the financial planning industry. He also provides easy to implement measures to help you improve the cyber security of your practice.

Netwealth educational webinar: Peace of mind in a digital world

netwealthInvest

ISACA talk - cybersecurity and security culture

Craig McGill

Cybersecurity: An FBI perspective: how cyber criminals exploit the goodness o...

Ruth Edmonds

The digital transformation of businesses involving an enormous range of devices for various functions such as data collection, storage, integration, management, and computing, has raised alarming information and data security concerns in all industry sectors. CND v2 is a skill-based certification program developed by the EC-council that focuses on the training of network administrators in protecting, detecting, and responding to the threats on the network

CND v2 Training.pptx

CND v2 Training.pptx

CND v2 Training.pptx

CND v2 Training.pptx

Digipowa Company Presentation : Your Journey to Financial Freedom and Digital...

Coleen Milford

Best Practices for Security Awareness and Training

Kimberly Hood

Ähnlich wie Как мы сделали security awareness в QIWI (20)

Procurement Fraud: Identifying, Investigating & Managing Risk

SMi Group's 5th annual Oil & Gas Cyber Security 2015

CTIA Training.pptx

2020 FRsecure CISSP Mentor Program - Class 1

GMD Speeh for ISO 27001 Certificate Presentation

Cyber Attacks aren't going away - including Cyber Security in your risk strategy

ECIH Training.pptx

2015 Conference Brochure - Trust Security Agility - Businesses Better Prepare...

The Perimeter within Modern Business - does it exist?

What is Information Security and why you should care ...

Netwealth educational webinar: Peace of mind in a digital world

ISACA talk - cybersecurity and security culture

Cybersecurity: An FBI perspective: how cyber criminals exploit the goodness o...

CND v2 Training.pptx

Digipowa Company Presentation : Your Journey to Financial Freedom and Digital...

Best Practices for Security Awareness and Training

Mehr von Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Positive Hack Days

Как мы собираем проекты в выделенном окружении в Windows Docker

Positive Hack Days

Типовая сборка и деплой продуктов в Positive Technologies

Positive Hack Days

1. Что такое BI. Зачем он нужен. 2. Что такое Qlik View / Sense 3. Способ интеграции. Как это работает. 4. Метрики, KPI, планирование ресурсов команд, ретроспектива релиза продукта, тренды. 5. Подключение внешних источников данных (Excel, БД СКУД, переговорные комнаты).

Аналитика в проектах: TFS + Qlik

Positive Hack Days

Использование анализатора кода SonarQube

Positive Hack Days

Развитие сообщества Open DevOps Community

Positive Hack Days

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Positive Hack Days

Approof — статический анализатор кода для проверки веб-приложений на наличие уязвимых компонентов. В своей работе анализатор основывается на правилах, хранящих сигнатуры искомых компонентов. В докладе рассматривается базовая структура правила для Approof и процесс автоматизации его создания.

Автоматизация построения правил для Approof

Positive Hack Days

Задумывались ли вы когда-нибудь о том, как устроены современные механизмы защиты приложений? Какая теория стоит за реализацией WAF и SAST? Каковы пределы их возможностей? Насколько их можно подвинуть за счет более широкого взгляда на проблематику безопасности приложений? На мастер-классе будут рассмотрены основные методы и алгоритмы двух основополагающих технологий защиты приложений — межсетевого экранирования уровня приложения и статического анализа кода. На примерах конкретных инструментов с открытым исходным кодом, разработанных специально для этого мастер-класса, будут рассмотрены проблемы, возникающие на пути у разработчиков средств защиты приложений, и возможные пути их решения, а также даны ответы на все упомянутые вопросы.

Мастер-класс «Трущобы Application Security»

Positive Hack Days

Формальные методы защиты приложений

Positive Hack Days

Эвристические методы защиты приложений

Positive Hack Days

Теоретические основы Application Security

Positive Hack Days

Разработка наукоемкого программного обеспечения отличается тем, что нет ни четкой постановки задачи, ни понимания, что получится в результате. Однако даже этом надо программировать то, что надо, и как надо. Докладчик расскажет о том, как ее команда успешно разработала и вывела в промышленную эксплуатацию несколько наукоемких продуктов, пройдя непростой путь от эксперимента, результатом которого был прототип, до промышленных версий, которые успешно продаются как на российском, так и на зарубежном рынках. Этот путь был насыщен сложностями и качественными управленческими решениями, которыми поделится докладчик

От экспериментального программирования к промышленному: путь длиной в 10 лет

Positive Hack Days

Немногие разработчики закладывают безопасность в архитектуру приложения на этапе проектирования. Часто для этого нет ни денег, ни времени. Еще меньше — понимания моделей нарушителя и моделей угроз. Защита приложения выходит на передний план, когда уязвимости начинают стоить денег. К этому времени приложение уже работает и внесение существенных изменений в код становится нелегкой задачей. К счастью, разработчики тоже люди, и в коде разных приложений можно встретить однотипные недостатки. В докладе речь пойдет об опасных ошибках, которые чаще всего допускают разработчики Android-приложений. Затрагиваются особенности ОС Android, приводятся примеры реальных приложений и уязвимостей в них, описываются способы устранения.

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Positive Hack Days

Разработка любого софта так или иначе базируется на требованиях. Полный перечень составляют бизнес-цели приложения, различные ограничения и ожидания по качеству (их еще называют NFR). Требования к безопасности ПО относятся к последнему пункту. В ходе доклада будут рассматриваться появление этих требований, управление ими и выбор наиболее важных. Отдельно будут освещены принципы построения архитектуры приложения, при наличии таких требований и без, и продемонстрировано, как современные (и хорошо известные) подходы к проектированию приложения помогают лучше строить архитектуру приложения для минимизации ландшафта угроз.

Требования по безопасности в архитектуре ПО

Positive Hack Days

Доклад посвящен разработке корректного программного обеспечения с применением одного из видов статического анализа кода. Будут освещены вопросы применения подобных методов, их слабые стороны и ограничения, а также рассмотрены результаты, которые они могут дать. На конкретных примерах будет продемонстрировано, как выглядят разработка спецификаций для кода на языке Си и доказательство соответствия кода спецификациям.

Формальная верификация кода на языке Си

Positive Hack Days

Механизмы предотвращения атак в ASP.NET Core

Positive Hack Days

SOC для КИИ: израильский опыт

Positive Hack Days

Honeywell Industrial Cyber Security Lab & Services Center

Positive Hack Days

Credential stuffing и брутфорс-атаки

Positive Hack Days

Mehr von Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes

Как мы собираем проекты в выделенном окружении в Windows Docker

Типовая сборка и деплой продуктов в Positive Technologies

Аналитика в проектах: TFS + Qlik

Использование анализатора кода SonarQube

Развитие сообщества Open DevOps Community

Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...

Автоматизация построения правил для Approof

Мастер-класс «Трущобы Application Security»

Формальные методы защиты приложений

Эвристические методы защиты приложений

Теоретические основы Application Security

От экспериментального программирования к промышленному: путь длиной в 10 лет

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Требования по безопасности в архитектуре ПО

Формальная верификация кода на языке Си

Механизмы предотвращения атак в ASP.NET Core

SOC для КИИ: израильский опыт

Honeywell Industrial Cyber Security Lab & Services Center

Credential stuffing и брутфорс-атаки

Kürzlich hochgeladen

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Histor y of HAM Radio presentation slide

vu2urc

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Real Time Object Detection Using Open CV

Khem

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Advantages of Hiring UIUX Design Service Providers for Your Business

Pixlogix Infotech

Kürzlich hochgeladen (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Powerful Google developer tools for immediate impact! (2023-24 C)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

GenCyber Cyber Security Day Presentation

2024: Domino Containers - The Next Step. News from the Domino Container commu...

What Are The Drone Anti-jamming Systems Technology?

Apidays New York 2024 - The value of a flexible API Management solution for O...

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Histor y of HAM Radio presentation slide

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Exploring the Future Potential of AI-Enabled Smartphone Processors

Real Time Object Detection Using Open CV

[2024]Digital Global Overview Report 2024 Meltwater.pdf

Finology Group – Insurtech Innovation Award 2024

Automating Google Workspace (GWS) & more with Apps Script

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

How to Troubleshoot Apps for the Modern Connected Worker

Advantages of Hiring UIUX Design Service Providers for Your Business

Как мы сделали security awareness в QIWI

1. Security Awareness in QIWI Ekaterina Pukhareva

2. 2 Who am I ? IS Department QIWI ▪ security awareness ▪ IT compliance ▪ vulnerability management

3. 3 Why we do it? Profit? Reduction of possible incidents Raise understanding of responsibility in company as a whole Loyalty Open IT company (focus on user convenience without restrictions) Personal ~ 1300 Different level of awareness Budget ~ 1 000 000 rub/year for awareness

4. 4 Awareness programs ▪ Regular trainings on secure coding techniques ▪ Thematic conferences ▪ Welcoming book for new employees ▪ Subscriptions (vulners, SANS..) ▪ Annual security weeks

5. 5 Awareness programs Security week 2014 ▪ Posters ▪ Competitions ▪ Videos

6. 6 ▪ Quest ▪ CTF Awareness programs Security week 2015

7. 7 Awareness programs Security week 2016 ▪ Quiz ▪ Lectures

8. 8 Checks ▪ “BadUSB” ▪ Internal phishing ▪ Penetration test (inc. social engineering)

9. 9 Checks Internal phishing

10. 10 Checks Internal phishing

11. 11 ▪ Clicked on the phishing link ▪ Clicked on the phishing link and logged in ▪ Notified about the incident Checks

12. 12 ▪ What is phishing.. ▪ Which is bad, because.. ▪ Why so necessary to notify about the incident Communications

13. 13 How to make it efficient? ▪ Regular notifications ▪ Alive checks and explanations ▪ Writing policies ▪ Testing

14. 14 Technical prevention measures: ▪ SIEM ▪ Antispam ▪ IPS ▪ Sandbox ▪ 2factor authentication .. How to make it efficient?

15. 15 Thank you!

Как мы сделали security awareness в QIWI

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Как мы сделали security awareness в QIWI

Ähnlich wie Как мы сделали security awareness в QIWI (20)

Mehr von Positive Hack Days

Mehr von Positive Hack Days (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Как мы сделали security awareness в QIWI