Presented by:
Dinesh O Bareja
CISA, CISM, ITIL
[Slide: security defined as protection against "... modification, or destruction", with the Availability and Integrity labels around it and the IT challenges it has to be balanced against: keeping IT running, aligning IT with business, managing complexity, regulatory compliance, value/cost.]
Organizations require a structured approach for managing these and other challenges.
ISACA
RGIT, Mumbai 02/24 www.opensecurityalliance.org
Why Information Security
People, Process, Technology
MANAGEMENT COMMITMENT
RISK MANAGEMENT
ASSET INVENTORY AND MANAGEMENT
CHANGE MANAGEMENT
INCIDENT RESPONSE AND MANAGEMENT
CONFIGURATION MANAGEMENT
TRAINING AND AWARENESS
CONTINUOUS AUDIT
METRICS AND MEASUREMENT
VULNERABILITY ASSESSMENT
PENETRATION TESTING
APPLICATION SECURITY TESTING
DEVICE MANAGEMENT
LOG MONITORING, ANALYSIS AND MANAGEMENT
SECURE DEVELOPMENT
Hardware
Software
Data
Intellectual Property
Patents
Processes
Device Configurations
Plans
Designs / Blueprints
Criminal Intent
Coercion
Greed
Show Off
Revenge
Attack
Curiosity
The first incidents of hacking dealt with breaking into phone systems; as technology advanced, hackers also moved into computer systems.

Hacking became increasingly problematic during the 1980s and, as a result, the US created the Computer Fraud and Abuse Act, imposing more severe punishments on those caught abusing computer systems. In the early 1980s the FBI made one of its first hacking-related arrests.

Several hacker groups coined the term 'cracker' in 1985 to describe a person who broke into computer systems and ignored hacker ethics; the media, however, continued to use the word 'hacker'.
Grey Hat
Borderline white/black hats. They sometimes prank unsuspecting users and cause general mayhem. While they think this kind of activity is harmless, they may face long periods of jail time if they are ever found out.

Not to forget the hatless:
- Script Kiddies
- The Hobbyist
- Insider
- Countries
ISO 27001 Fundamental Principle

[Slide: the Plan-Do-Check-Act cycle applied to the ISMS, labelled a Development, Improvement and Maintenance Cycle.]
Plan / Do: Design and Implement the ISMS
Check: Monitor and Review the ISMS
Act: the cycle repeats
ITIL

COBIT (IT Governance Institute)

[Slide: the COBIT framework process map. The Information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) and the IT Resources (Applications, Information, Infrastructure, People) sit at the centre; the 34 processes are grouped into four domains.]

PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
[ITIL]
ITIL Service Management Foundations Certificate
ITIL Service Manager
ITIL Practitioner
DRI - Institute for Continuity Management
ABCP - Associate Business Continuity Professional
CBCP - Certified Business Continuity Professional
CFCP - Certified Functional Continuity Professional
MBCP - Master Business Continuity Professional
Association of Certified Fraud Examiners (ACFE)
CFE - Certified Fraud Examiner
Forensics - EnCase
EnCE - EnCase Certified Examiner
Cisco
CCSP - Cisco Certified Security Professional
2. IT security auditor - Focus on auditing capabilities. As part of this, you must explore platforms like mainframes, SAP and core banking platforms as your areas of expertise.
3. Application security specialist - Specialize in areas like secure coding, security testing tools and techniques, secure design of web applications, and threat modelling.
4. Compliance specialist - Focus on helping organizations comply with standards and regulations such as ISO 27001, PCI DSS, HIPAA, FDA and Sarbanes-Oxley.
5. Security solutions architect - Specialize in secure network architecture, security solutions procurement and deployment, and hardening of infrastructure.
6. Security trainer - Focus on spreading knowledge about information security and creating awareness at all levels.
7. Cyber law expert - Combine knowledge of the Indian IT Act 2008 with IT knowledge and forensics know-how.
2. Creativity - Be it a penetration test or developing an automated way to carry out a particular activity, a high level of creativity is a must in every aspect of a security professional's job. Thinking out of the box is an almost daily activity for a security professional.
3. A never-say-die attitude - Security issues are typically complex, and often there are no easy solutions. Quite often the situations are also very high-pressure: the client has been hacked, someone inside has leaked critical internal data, or systems have to be hardened before going live. A seasoned security professional knows that there is a solution on the other side of every problem, and is willing to do whatever it takes to be resourceful enough to find it.
4. Grasp of a wide range of subjects - Security is not just about policies and procedures, or buffer overflows and SQL injection. Most security issues stem from, and can be resolved by, human intervention. A security professional should not only be well-versed in a wide range of technologies, but should also be reasonably acquainted with the basics of psychology, economics, finance and physical security.
Application Development
Secure SDLC
Networking
Vulnerability Assessment
Penetration Testing
System Hardening
Device Support
Wireless Security

On any given day, approximately 225 major security breach incidents are reported to the CERT Coordination Center at Carnegie Mellon University.
Common Sense
Awareness
Apply patches regularly
Anti-virus, anti-spyware
Be careful what you download on P2P file sharing
Read the computer's messages
Don't blindly click Next > Next > Next
Be careful when you read email, especially if it belongs to someone else
Don't try to open every attachment
Keep your password to yourself
Cybersecurity, Cyberethics, Cybersafety
In Simple Words
Noticebored
Twitter Hack
Clicking Blindly
Dinesh O Bareja
M: +91.9769890505
E: dineshbareja AT gmail DOT com
E: dinesh AT opensecurityalliance DOT org
Twitter: @bizsprite
LinkedIn (India Information Security Community)
Thank You !
This document is a creation of Dinesh Bareja (securians.com) and is released in the public
domain under Creative Commons License (Attribution-Noncommercial 2.5 India)
http://creativecommons.org/licenses/by-nc-sa/2.5/in/.
Disclaimer: The practices listed in the document are provided as is and as guidance and the authors do
not claim that these comprise the only practices to be followed. The readers are urged to make
informed decisions in their usage. Feedback is solicited and you can access other topics at our
website www.opensecurityalliance.org
Contributors: Dinesh O Bareja Reviewers: Vicky Shah
Title: Information Security the profession; concepts, risks and more..
Version: 1.0 / February 2010
The link text read "Omigawd have you seen this I think we got hacked!" and people started clicking on the link and "verifying" their credentials on the page it led to.
From lalawaq.com
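The lure described above, as an added example that is not part of the original deck: a small Python triage routine that looks for the two things a reader should have noticed before clicking, alarming wording and a link whose visible text names one site while its href points at another. The trusted-domain set, the lure phrases and both sample messages are constructed assumptions for the example, not the real direct message from the slide.

```python
"""Triage a message of the kind shown on the "Clicking Blindly" slide: an
alarming lure whose visible link text does not match the page it really
points to, and which then asks the victim to "verify" credentials.

Added illustration for this deck; not code from the original slides.
The trusted-domain set, the lure phrases and both sample messages below
are assumptions constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the reader expects links from this service.
TRUSTED_DOMAINS = {"twitter.com"}

# Assumption: wording that pressures the reader into clicking without reading.
LURE_PHRASES = ("hacked", "verify your", "suspended", "urgent", "act now")

# Constructed sample messages (not the real direct message from the slide).
PHISHING_DM = (
    'Omigawd have you seen this I think we got hacked! '
    '<a href="http://login.lalawaq.com/verify">http://twitter.com/account</a>'
)
BENIGN_DM = 'Notes from the meetup: <a href="https://twitter.com/i/notes">twitter.com/i/notes</a>'


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels, e.g. login.lalawaq.com -> lalawaq.com.
    A rough stand-in for a public-suffix lookup; co.uk-style suffixes
    would need the real list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _shown_host(text):
    """Host named in the visible link text, or None if the text is not a URL."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def triage_message(html_message):
    """Return a list of human-readable findings; an empty list means
    nothing in the message tripped the checks."""
    findings = []
    lowered = html_message.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            findings.append(f"lure language: {phrase!r}")

    extractor = _LinkExtractor()
    extractor.feed(html_message)
    for href, text in extractor.links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target not in TRUSTED_DOMAINS:
            findings.append(f"link points at untrusted domain {target!r}")
        shown = _shown_host(text)
        if shown and registrable_domain(shown) != target:
            findings.append(
                f"link text shows {registrable_domain(shown)!r} but points to {target!r}"
            )
    return findings


if __name__ == "__main__":
    for label, msg in (("phishing", PHISHING_DM), ("benign", BENIGN_DM)):
        print(label, "->", triage_message(msg) or ["no findings"])
```

The routine is a reading aid, not a phishing filter: it only makes explicit the two checks a careful reader does by hand (does the wording rush me, and does the link go where it says it goes). The registrable-domain helper deliberately stops at two labels, so a real deployment would swap in a public suffix list.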