Copyright © 2012 siddhesh Hedulkar

Introduction to information security


Page 1: Introduction to information security


Page 2: Introduction to information security

•What is Information Security?

•Why Information Security?

•Why should we be concerned?

•Foundation Of Information Security

•Basic Security Truths

•10 Immutable Laws of Security

•What is Hacking?

•Types of Hackers

•Steps Of Hacking

•Business Impact Of Hacking

•Countermeasures

Page 3: Introduction to information security

Information security means protecting information and information assets against theft, loss, damage, and unauthorized access or modification.

Page 4: Introduction to information security

•Overall financial losses reported by 530 survey respondents totalled $201,797,340.

•75% of organizations acknowledged a financial loss, but only 47% could quantify it.

•More than 41.6% of companies experienced a security incident.

•Virus incidents (82%) and insider abuse of network access or e-mail (pornography, pirated software, etc.) (75%) are still the most prevalent.

•76% of companies do not want to hire information security consultants.

Source: CSI/FBI Survey 2011

Page 5: Introduction to information security

•“We have a good firewall, an anti-virus and know the people we work with.”

•“We don’t transact on the Internet, so why would anybody hack our systems over the Internet?”

•“No one could possibly be interested in my information.”

•“So many people are on the Internet, I'm just a face in the crowd. No one would pick me out.”

•“I'm busy. I can't become a security expert. I don't have time, and it's not important enough.”

Page 6: Introduction to information security


Page 7: Introduction to information security

•Security isn’t binary: a system is not simply “secure” or “insecure”, it is more or less exposed to a given attacker.

•Security is more than technology: people and process matter as much as products.

•Security is a continual process, not a one-time project.

•100% security is not possible.

•A determined, well-resourced attacker who wants to get inside your system will eventually find a way in; you cannot guarantee otherwise.

•What you can do is raise the cost: make getting in harder and slower, and make sure you notice when it happens.

Page 8: Introduction to information security

The 10 Immutable Laws of Security were originally published by Microsoft's Security Response Center.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more.

Law #5: Weak passwords trump strong security.

Page 9: Introduction to information security

Law #6: A computer is only as secure as the administrator is trustworthy.

Law #7: Encrypted data is only as secure as the decryption key.

Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.

Law #9: Absolute anonymity isn't practical, in real life or on the Web.

Law #10: Technology is not a panacea.
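Laws #5 and #7 make the same point from two sides: strong cryptography buys nothing when the key comes from a guessable password. The following Python example is added here to illustrate that and is not part of the original presentation. It derives a "vault" key with PBKDF2-HMAC-SHA256 (a standard, deliberately slow key derivation function) and then runs a dictionary attack against the derived key. The wordlist, the salt and the two passwords are constructed for the demonstration; a real attacker would use a leaked-password list with millions of entries and the iteration count would be set per deployment.

```python
import hashlib
import hmac

# Constructed parameters: a fixed salt keeps the demo deterministic.
# A real system uses a random per-user salt and tunes the iteration count.
ITERATIONS = 20_000
SALT = b"constructed-demo-salt-2012"

# Constructed stand-in for a leaked-password dictionary.
WORDLIST = [
    "123456", "password", "qwerty", "letmein", "welcome1",
    "admin123", "Password1", "summer2012", "iloveyou", "monkey",
]


def derive_key(password: str, salt: bytes = SALT) -> bytes:
    """Derive a 256-bit key from a password. The KDF is strong; the
    strength of the result is bounded by the password it starts from."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=32)


def dictionary_attack(target_key: bytes, wordlist, salt: bytes = SALT):
    """Try every candidate password until one derives the target key.

    Returns (recovered_password, guesses_made); the password is None when
    the wordlist is exhausted. compare_digest keeps the comparison
    constant-time, as a real verifier should."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(derive_key(candidate, salt), target_key):
            return candidate, guesses
    return None, len(wordlist)


def demo():
    """Weak password (Law #5) versus a long random passphrase (Law #7)."""
    weak_key = derive_key("letmein")                     # constructed weak password
    strong_key = derive_key("Tundra!ketchup9-orbit-lantern")  # constructed passphrase

    found, n = dictionary_attack(weak_key, WORDLIST)
    print(f"weak key:   recovered {found!r} after {n} guesses")
    found, n = dictionary_attack(strong_key, WORDLIST)
    print(f"strong key: {found!r} after {n} guesses (wordlist exhausted)")


if __name__ == "__main__":
    demo()
```

The attacker never touches the encryption itself: the same KDF and the same ciphertext protect both keys, and the only difference is how many guesses it takes to reproduce the key. Slowing the KDF down raises the cost of each guess, but it cannot rescue a password that sits in the first few thousand entries of a wordlist.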

Page 10: Introduction to information security

Hacking: unauthorized attempts to bypass the security mechanisms of an information system or network.

Page 11: Introduction to information security

•Black Hats: individuals with extraordinary computing skills who resort to malicious or destructive activities. Also known as crackers.

•White Hats: individuals professing hacker skills and using them for defensive purposes. Also known as security analysts.

•Gray Hats: individuals who work both offensively and defensively at various times.

•Suicide Hackers: individuals who aim to bring down critical infrastructure.

•Hacktivists: a hacktivist is a hacker who uses technology to announce a political message. Web vandalism is not necessarily hacktivism.

Page 12: Introduction to information security


Page 13: Introduction to information security

1. Reconnaissance

2. Scanning

3. Enumeration

4. Gaining Access

5. Escalating Privilege

6. Covering Tracks

7. Creating Backdoors

8. Denial of Service
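The scanning and enumeration steps above are where an attacker turns a list of hosts into a list of exposed services. The Python example below is added here to show those two steps concretely; it is not code from the original presentation. To run offline it starts a constructed target on the loopback interface (a TCP listener that sends a fake SSH-style banner), then performs a TCP connect scan over a small port range and grabs whatever banner each open port sends. The host, ports and banner are all assumptions made for the demonstration.

```python
import socket
import threading
from contextlib import closing

BANNER = b"SSH-2.0-constructed-demo-banner\r\n"  # constructed; stands in for a real service


def start_listener(banner: bytes = BANNER):
    """Constructed target: a loopback service that greets each client with a banner.
    Returns (port, server_socket); close the socket to stop the service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed, stop serving
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_closed_port() -> int:
    """Pick a port that is currently closed (bind to 0, read the number, release)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5):
    """Scanning: a full TCP connect to one port. Enumeration: if it opens,
    read what the service volunteers. Returns (is_open, banner_text)."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # open, but the service waits for the client to speak first
            return True, data.strip().decode("ascii", "replace")
    except OSError:  # refused, timed out, unreachable
        return False, ""


def scan(host: str, ports) -> dict:
    """Map each open port to the banner it returned."""
    results = {}
    for port in ports:
        is_open, banner = probe(host, port)
        if is_open:
            results[port] = banner
    return results


if __name__ == "__main__":
    open_port, server = start_listener()
    try:
        for port, banner in scan("127.0.0.1", [free_closed_port(), open_port]).items():
            print(f"127.0.0.1:{port} open  banner={banner!r}")
    finally:
        server.close()
```

A connect scan like this is noisy: every probe completes the TCP handshake and shows up in the target's logs, which is exactly the kind of signal the countermeasures later in this deck rely on.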

Page 14: Introduction to information security

Business risks of a successful attack:

•Financial loss

•Public image and trust

•Intellectual capital

•Employee and customer privacy

•Litigation

•Legislative violation

Page 15: Introduction to information security

•Deploy a firewall and review its configuration regularly

•Practice patch management

•Proper network architecture and segregation

•Secure administrative access and grant only the administrative privileges that are actually needed

•Secure configuration of systems and services

•Backups and failover redundancy
