1. Thomas Levy

2. Agenda 1.Aims: CIAN 2.Common Business Attacks 3.Information Security & Risk Management 4.Access Control 5.Cryptography 6.Physical Security 7.Security Architecture & Design

3. Agenda Continued 7.Business Continuity & Disaster Recovery Planning 8.Telecommunications & Network Security 9.Application Security 10.Operations Security 11.Legal, Regulations, Compliance & Investigations 12.Summary

4. Aims: CIAN To be able to protect information assets ensuring: Confidentiality Integrity Availability Non – repudiation

5. Common Business Attacks DNS BGP XSS XSRF DoS Injection

6. Information Security & Risk Management Security Baselines Audit Frameworks Reporting Risk Management

7. Access Control Information & User Classification Access Control Categories and Types Threats to Access Control Access Control Assurance

8. Cryptography Confidentiality, Integrity & Authenticity Data Storage Data Transmission Symmetric vs Asymmetric Digital Signatures & Envelopes End to End Encryption

9. Physical Security Additional layers of security which work in conjunction with the technical layers to provide a greater defence in depth

10. Security Architecture & Design Software Hardware

11. Business Continuity & Disaster Recovery Planning Failure to prepare is preparing to fail Revenue Loss Additional Expenses Damaged Reputation

12. Telecommunications & Network Security OSI model TCP / IP model

13. Application Security Buffer Overflows Malicious Software Social Engineering Trapdoors

14. Operations Security Misuse prevention Continuity of operations Fault tolerance Data protection Configuration management Patch management

15. Legal, Regulations, Compliance & Investigations Privacy Liability Computer Crime Incident Handling & Response Capability

16. Summary 1.Secure the weakest link 2.Practise defence in depth 3.Fail securely 4.Follow the principle of least privilege 5.Compartmentalise 6.Keep it simple 7.Promote privacy 8.Remember that hiding secrets is hard 9.Be reluctant to trust 10.Use your community resources