Incident Response Plan Review

415-week8-2018spring-21may.pptx

415 - Information Systems Security Week 8 – 21May

TED - Why Hackers Make Good Citizens

Catherine Bracy

https://www.ted.com/talks/catherine_bracy_why_good_hackers_make_good_citizens?language=en

10 min

FTK vs EnCase vs ?

What did you find as strengths and weaknesses of both?

What else did you look at?

A Day in the Life of an Ethical Hacker

Trend Micro – ZDNet

https://www.youtube.com/watch?v=7RT18TFJvpo

5 min

Logging and Monitoring Activities through Intrusion Detection and Prevention and Security Information and Event Management (SIEM)

Defense in Depth model: a complete and secure access control environment employs multiple layers of policy, technology, and process working together to ensure that the desired security posture is maintained.

An intrusion detection system (IDS) is a technology that alerts organizations to adverse or unwanted activity. An IDS can be implemented as part of a network device, such as a router, switch, or firewall, or it can be a dedicated IDS device monitoring traffic as it traverses the network. When used in this way, it is referred to as a network IDS, or NIDS. An IDS can also be used on individual host systems to monitor and report on file, disk, and process activity on that host. When used in this way, it is referred to as a host-based IDS, or HIDS.

IDS attempts to detect activities on the network or host that are evidence of an attack and warn administrators or incident-response personnel of the discovery, but it does not take any action on the problems found.

An intrusion prevention system (IPS) is a technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity. An IPS permits a predetermined set of functions and actions to occur on a network or system; anything that is not permitted is considered unwanted activity and is blocked. The IPS is engineered specifically to respond in real time to an event at the system or network layer. By proactively enforcing policy, an IPS can thwart not only attackers but also authorized users attempting to perform an action that is not within policy. Fundamentally, IPS is considered an access control and policy enforcement

Need to tune IDS

A critical operational requirement for establishing IDS capabilities is the need to tune the IDS to the unique traffic patterns generated by the organization. For example, without proper tuning, the activity associated with a company’s custom-developed application may appear to an IDS as unwanted or suspicious activity, forcing the generation of multiple alerts.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 806). CRC Press. Kindle Edition.

Security Information and Event Management

Security Information and Event Management (SIEM) is a term used to describe a group of technologies that aggregate information about access controls and selected system activity to store for analysis and correlation. Logs and system information may be collected for a variety of reasons including but not limited to:

Internal accountability and non-repudiation

Risk management functions

Performance monitoring and trending

Event correlation and root cause analysis

Incident response

Investigations

SIEM Characteristics

Store raw information from various systems logs

Aggregate the information in a single repository

Normalize the information to make comparisons more meaningful

Analytical tools that can process, map, and extract target information

Alerting and reporting tools

SIEMs and the functions they provide are becoming indispensable to many organizations as they offer the ability to get “near real time” reporting on events and incidents as they occur in network and information systems. In spite of the insight and reporting provided, SIEMs can be extremely complex and expensive to implement and maintain. They are often the central data system and decision support system for the security operation centers (SOC) of large organizations.
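The five SIEM characteristics above (store raw, aggregate, normalize, analyze, alert) as a toy pipeline. This is an added example, not code from the lecture or the (ISC)2 text; the log lines, host addresses, user names and the brute-force correlation thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs: two sources with different native formats.
RAW_LOGS = [
    ("linux-syslog", "2018-05-21T09:00:01 sshd[101]: Failed password for alice from 10.1.1.5 port 5001"),
    ("linux-syslog", "2018-05-21T09:00:04 sshd[101]: Failed password for alice from 10.1.1.5 port 5002"),
    ("linux-syslog", "2018-05-21T09:00:07 sshd[101]: Failed password for alice from 10.1.1.5 port 5003"),
    ("linux-syslog", "2018-05-21T09:00:12 sshd[101]: Accepted password for alice from 10.1.1.5 port 5004"),
    ("windows-audit", "2018-05-21 09:05:00|4625|bob|10.1.1.9|Logon failure"),
    ("windows-audit", "2018-05-21 09:20:00|4624|bob|10.1.1.9|Logon success"),
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)"
)
# Windows security event ids: 4624 = successful logon, 4625 = failed logon.
WIN_OUTCOME = {"4624": "success", "4625": "fail"}


def normalize(source, line):
    """Map one raw line into the common schema: ts, source, user, src, outcome."""
    if source == "linux-syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "source": source, "user": m["user"],
                "src": m["src"], "outcome": "success" if m["result"] == "Accepted" else "fail"}
    if source == "windows-audit":
        ts, event_id, user, src, _msg = line.split("|")
        return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": source, "user": user,
                "src": src, "outcome": WIN_OUTCOME.get(event_id, "other")}
    return None  # unknown source: the raw line stays in the store but is not normalized


def correlate(events, threshold=3, window_seconds=300):
    """Alert when at least `threshold` failures for the same user/src are followed by
    a success within `window_seconds` (constructed thresholds)."""
    alerts = []
    failures = defaultdict(list)          # (user, src) -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["outcome"] == "fail":
            failures[key].append(e["ts"])
        elif e["outcome"] == "success":
            recent = [t for t in failures[key] if (e["ts"] - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                alerts.append({"user": e["user"], "src": e["src"], "failures": len(recent),
                               "at": e["ts"].isoformat()})
            failures[key].clear()
    return alerts


def run_pipeline(raw_logs=RAW_LOGS):
    """Store raw, normalize, correlate: returns (raw store, normalized events, alerts)."""
    raw_store = list(raw_logs)            # raw lines are retained unchanged for investigations
    events = []
    for src, line in raw_store:
        ev = normalize(src, line)
        if ev is not None:
            events.append(ev)
    return raw_store, events, correlate(events)


if __name__ == "__main__":
    _, evts, alerts = run_pipeline()
    print(f"{len(evts)} normalized events, {len(alerts)} alert(s): {alerts}")
```

Only the alice events fire: three failures and a success within five minutes; bob's single failure is fifteen minutes before his success, so the window rule drops it.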

Continuing Monitoring as a Service (CMaaS)

The security architect needs to be able to design a continuous monitoring system that will meet the needs of the organization. The security practitioner needs to be able to implement the design that the security architect provides and to do so correctly in order to ensure that the organization’s critical infrastructure is protected. An area of interest with regards to continuous monitoring that the security architect should become familiar with is Continuous Monitoring as a Service (CMaaS).

Egress Monitoring

Egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically, it is the information flow from a private computer network to the Internet that is being monitored and controlled. TCP/IP packets that are being sent out of the internal network are examined via a router, firewall, or similar edge device. Packets that do not meet security policies are not allowed to leave the network. Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.

For the security practitioner, the typical recommendations are that all traffic except that emerging from a pre-identified and screened set of servers would be denied egress. In addition, only select protocols such as HTTP/HTTPS, SMTP, and SIP are typically allowed transit access out of the network as well.

Egress Issues

Single Point of Failure

May require policy changes and administrative work for new applications

May have a limited number of address blocks

Need to be aware of standards such as PCI

Data Leak / Loss Prevention (DLP)

By focusing on the location, classification, and monitoring of information at rest, in use, and in motion, this solution can go far in helping an enterprise get a handle on what information it has and in stopping the numerous leaks of information that are potentially occurring daily.

Defining Data Leak Prevention

Locate and catalog sensitive information stored throughout the enterprise.

Monitor and control the movement of sensitive information across enterprise networks.

Monitor and control the movement of sensitive information on end-user systems.

These objectives are associated with three primary states of information: data at rest, data in motion, and data in use. Each of these three states of data is addressed by a specific set of technologies provided by DLP solutions:

Data at rest – identify and log where specific types of information are stored throughout the enterprise

DLP - Data in Motion

Data in Motion – selectively capture and analyze network traffic

Passively monitor the traffic

Recognize the correct data streams to capture

Assemble the collected packets

Reconstruct the files carried in the data stream

Perform the same analysis that is done on the data at rest to determine whether any portion of the file contents is restricted by its rule set

If sensitive data are detected flowing to an unauthorized destination, the DLP solution has the capability to alert and optionally block the data flows in real or near real time, again based on the rule set defined within its central management component. Based on the rule set, the solution may also quarantine or encrypt the data in question.
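The data-in-motion steps above (capture, reassemble packets, reconstruct the file, apply the data-at-rest rule set, then alert or block by destination) as an added example; it is not the lecture's or any DLP product's code. The packets, host names, rule set and the allowed-destination list are constructed; the card number is the well-known Luhn-valid test value 4111 1111 1111 1111.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    stream_id: str
    seq: int        # byte offset of this payload within the stream
    dst: str        # destination host of the flow
    payload: bytes


def split_stream(stream_id, dst, content, sizes):
    """Helper for the constructed sample: cut one file into sequenced packets."""
    packets, offset = [], 0
    for n in sizes:
        packets.append(Packet(stream_id, offset, dst, content[offset:offset + n]))
        offset += n
    if offset < len(content):
        packets.append(Packet(stream_id, offset, dst, content[offset:]))
    return packets


def reassemble(packets):
    """Group captured packets by stream and put them back in sequence order so the
    carried file can be rebuilt; a gap or overlap means the file cannot be trusted."""
    streams = {}
    for p in packets:
        streams.setdefault(p.stream_id, {"dst": p.dst, "segments": []})["segments"].append(p)
    files = {}
    for sid, s in streams.items():
        data = bytearray()
        for p in sorted(s["segments"], key=lambda p: p.seq):
            if p.seq != len(data):
                raise ValueError(f"stream {sid}: expected offset {len(data)}, got {p.seq}")
            data.extend(p.payload)
        files[sid] = {"dst": s["dst"], "content": bytes(data)}
    return files


def luhn_ok(digits):
    """Luhn check, used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return 13-19 digit runs (spaces/dashes allowed) that pass the Luhn check."""
    hits = []
    for m in re.finditer(r"\b(?:\d[ -]?){12,18}\d\b", text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed rule set: the same content rules a data-at-rest scan would apply.
RULES = [
    ("PCI-PAN", find_pans),
    ("CONFIDENTIAL-MARKING", lambda text: ["CONFIDENTIAL"] if "CONFIDENTIAL" in text else []),
]


def inspect(packets, allowed_dst):
    """Decide allow / alert / block per stream: sensitive content to an authorized
    destination is alerted (logged); to anywhere else it is blocked."""
    decisions = {}
    for sid, f in reassemble(packets).items():
        text = f["content"].decode("utf-8", errors="replace")
        findings = {}
        for name, rule in RULES:
            hits = rule(text)
            if hits:
                findings[name] = hits
        if not findings:
            action = "allow"
        elif f["dst"] in allowed_dst:
            action = "alert"
        else:
            action = "block"
        decisions[sid] = {"dst": f["dst"], "action": action, "findings": findings}
    return decisions


def sample_capture():
    """Constructed capture: three streams whose packets arrive out of order."""
    export = b"Customer export\nCard: 4111 1111 1111 1111\nInvoice 1234 5678 9012 3456\n"
    memo = b"CONFIDENTIAL: Q3 pricing memo\n"
    news = b"Weekly newsletter: nothing sensitive here\n"
    pkts = split_stream("s1", "upload.example.net", export, [16, 12, 14])
    pkts += split_stream("s2", "payments.internal.example", memo, [10])
    pkts += split_stream("s3", "upload.example.net", news, [20])
    return pkts[::-1]   # reversed so no stream arrives in order


ALLOWED_DST = {"payments.internal.example"}   # constructed: screened internal destination

if __name__ == "__main__":
    for sid, d in inspect(sample_capture(), ALLOWED_DST).items():
        print(sid, d["dst"], d["action"], d["findings"])
```

The invoice number in stream s1 looks like a card number but fails Luhn, so only the genuine PAN is reported; a missing packet makes reassembly raise rather than scan a partial file.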

Data in Use End Point

Data in use primarily refers to monitoring data movement stemming from actions taken by end-users on their workstations, whether that would entail copying data to a thumb drive, sending information to a printer, or even cutting and pasting between applications. DLP solutions typically accomplish this through the use of a software program known as an agent, which is ideally controlled by the same central management capabilities of the overall DLP solution. Implementing rule sets on an end-user system has inherent limitations, the most significant being that the end-user system must be able to process the rule sets applied. Depending on the number and complexity of the rules being enforced, it may be necessary to implement only a portion of the entire rule set, which can leave significant gaps in the overall solution.

Policy Creation and Management – Policies (rule sets) dictate the actions taken by the various DLP components. Most DLP solutions come with preconfigured policies (rules) that map to common regulations. It is just as important to be able to customize these policies or build completely custom policies.

Directory Services Integration – Integration with directory services allows the DLP console to map a network address to a named end-user.

Workflow Management – Most full DLP solutions provide the capacity to configure incident handling, allowing the central management system to route specific incidents to the appropriate parties based on violation type, severity, user, and other such criteria.

Backup and Restore – Backup and restore features allow for preservation of policies and other configuration settings.

Reporting – A reporting function may be internal or may leverage external reporting tools.

Organizational Data Classification, Location, and Pathways

Enterprises are often unaware of all of the types and locations of information they possess. It is important, prior to purchasing a DLP solution, to identify and classify sensitive data types and their flow from system to system and to users. This process should yield a data taxonomy, or classification system, that will be leveraged by various DLP modules as they scan for and take action on information that falls into the various classifications within the taxonomy.

Once the data have been identified and classified appropriately, further analysis of processes should facilitate the location of primary data stores and key data pathways. Frequently, multiple copies and variations of the same data are scattered across the enterprise on servers, individual workstations, tape, and other media.

It is also important to understand the enterprise’s data lifecycle. Understanding the lifecycle from point of origin through processing, maintenance, storage, and disposal will help uncover further data repositories and transmission paths.

Protect critical business data and intellectual property: The primary benefit of DLP is the protection of information that is critical for the organization. Enterprises maintain many types of information that they must protect for competitive, regulatory, and reputational reasons.

Improve compliance: DLP can help an enterprise meet regulatory requirements related to protecting and monitoring data containing private customer and financial information. DLP solutions typically come with preconfigured rules that address data types impacted by significant regulations such as payment card industry (PCI), GLBA, and HIPAA. Leveraging these rule sets can simplify efforts to protect data impacted by these regulations.

Reduce data breach risk: When a DLP solution reduces the risk of data leaks, the financial risk to the enterprise decreases.

Enhance training and awareness: While most enterprises have written policies, such policies may be forgotten over time. DLP solutions alert, and at times block, data movement that is in violation of policy and provide an ongoing education component to help ensure that users maintain an awareness of policies associated with sensitive data.

Improve business processes: One of the key intangibles of DLP is the development of new policies, controls, and testing that help identify broken business processes. Often, the step of simply assessing and cataloging business processes in preparation for a DLP implementation can provide great insights to the security actors in the enterprise.

Optimize disk space and network bandwidth: An important benefit of DLP solutions is the identification of stagnant files and streaming videos that consume a large amount of IT resources such as storage on file servers and network bandwidth. Purging stale files and preventing nonbusiness-related streaming video files can reduce

Detect rogue/malicious software: Another key intangible of DLP is identifying malicious software that attempts to transmit sensitive information via email or an Internet connection. Network DLP can detect the rogue transmission of sensitive information outside the enterprise. This is not always guaranteed because the transmissions may be encrypted. But even in that case, a system that has a rule set that will alert or block data streams it cannot decrypt can prove to be a strong addition to malware defenses.

Steganography

Steganography is the science of hiding information. Whereas the goal of cryptography is to make data unreadable by a third party, the goal of steganography is to hide the data from a third party.

Covert channels

Hidden text within webpages

Hiding files in “plain sight” (what better place to hide a file than with an important-sounding name in the c:\winnt\system32 directory?)

Null ciphers (e.g., using the first letter of each word to form a hidden message in an otherwise innocuous text)

Steganographic Methods

cover_medium + hidden_data + stego_key = stego_medium

Configuration Management

The set of artifacts (configuration items) under the jurisdiction of CM

How artifacts are named

How artifacts enter and leave the controlled set

How an artifact under CM is allowed to change.

How different versions of an artifact under CM are made available and under what conditions each one can be used

How CM tools are used to enable and enforce CM

CMMI Steps for CM

Capability Maturity Model Integration (CMMI) is a standard tool

Identify the configuration items, components, and related work products that will be placed under configuration management.

Establish and maintain a configuration management and change management system for controlling work products.

Create or release baselines for internal use and for delivery to the customer.

Track change requests for the configuration items.

Control changes in the content of configuration items.

Establish and maintain records describing configuration items.

Perform configuration audits to maintain the integrity of the configuration baselines.

Security Operations Concepts

Maintaining Operational Resilience – When it comes to day-to-day operations, few things are more important than maintaining the expected levels of service availability and integrity. Organizations require critical services to be resilient. When negative events affect the organization, the operations staff is expected to ensure minimal disruption to the organization’s activities. This includes anticipating such disruptions and ensuring that key systems are deployed and maintained to help ensure continuity. They are also expected to maintain processes and procedures to help ensure timely detection and response.

Protecting Valuable Assets – Security operations are expected to provide day-to-day protection for a wide variety of resources, including human and material assets. They may not be responsible for setting strategy or designing appropriate security solutions. At a minimum, they will be expected to maintain the controls that have been put into place to protect sensitive or critical resources from compromise.

Controlling System Accounts – Under the current regulatory environment, there has been a renewed focus on maintaining control over users (subjects) that have access to key business systems. In many cases, these subjects have extensive or unlimited capabilities on a given system; these are privileges that could be misused or abused. Operations security will be expected to provide checks and balances against privileged accounts as well as maintain processes that ensure that there continues to be a valid business need for them.

Managing Security Services Effectively – No security operations will be effective without strong service management and the processes that are put into place to ensure service consistency. These include key service management processes common to most IT services such as change, configuration, and problem management. It will also include security-specific procedures such as user provisioning and Help/Service Desk procedures. In today’s security operations, there is also considerable focus on reporting and continuous service improvement practices. These themes are discussed in the detailed sections below.

Key Operational Processes and Procedures

Controlling Privileged Accounts: ID Management, Identity and Access Management (IAM) – control and audit the IDs; be careful of ones that can execute scripts

Need to Know / Least Privilege – limit to the lowest level

Managing Accounts Using Groups and Roles – rights and privileges to be assigned to groups or a role as opposed to individual accounts – Role Based Access Control (RBAC)

Privileged Accounts

Root or Built-in Administrator Accounts

Service Accounts – used by system services and core applications – automated programs – LDAP, Database management systems

Administrator Accounts – assigned to named individuals

Power Users – greater privileges than normal users

Separation of Duties

System administrators enjoy the highest level of privilege on most systems

Least Privilege – The system administrator often does not require access to every system and function in an organization. Determine what access is needed and apply accordingly.

Monitoring – If possible, the system administrator’s actions should be logged and sent to a separate system that the system administrator does not control. The logs should be reviewed with change or configuration management requests to determine if only authorized actions are taking place.

Separation of Duties – An administrator should not have the ability to engage in malicious activities without collusion.

Background Investigation – A background investigation should be conducted to determine if the system administrator has abused the role in the past or may be vulnerable to blackmail or extortion attempts.

Job Rotation – System administrators should be subject to job rotation. Job rotation ensures another individual must perform the original system administrator’s duties and also review their work.

Operators

They provide day-to-day operations of the mainframe environment, ensuring that scheduled jobs are running effectively and troubleshooting problems that may arise. They also act as the arms and legs of the mainframe environment, loading and unloading tape and results of job print runs. Operators have elevated privileges but less than those of system administrators.

Implementing the Initial Program Load (IPL) – This is used to start the operating system. The boot process or initial program load of a system is a critical time for ensuring system security.

Monitoring Execution of the System – Operators respond to various events, to include errors, interruptions, and job completion messages.

Volume Mounting – This allows the desired application access to the system and its data.

Controlling Job Flow – Operators can initiate, pause, or terminate programs. This may allow an operator to affect the scheduling of jobs. Controlling job flow involves the manipulation of configuration information needed by the system. Operators with the ability to control a job or application can cause output to be altered or diverted, which can threaten confidentiality.

Operators

Bypass Label Processing – This allows the operator to bypass security label information to run foreign tapes (foreign tapes are those from a different data center that would not be using the same label format that the system could run). This privilege should be strictly controlled to prevent unauthorized access.

Renaming and Relabeling Resources – This is sometimes necessary in the mainframe environment to allow programs to properly execute. Use of this privilege should be monitored because it can allow the unauthorized viewing of sensitive information.

Reassignment of Ports and Lines – Operators are allowed to reassign ports or lines. If misused, reassignment can cause program errors, such as sending sensitive output to an unsecured location. Furthermore, an incidental port may be opened, subjecting the system to attack through the creation of a new entry point into the system.

Operators

Least Privilege – The systems operator often does not require access to every system and function in an organization. Determine what access is needed and apply accordingly.

Monitoring – If possible, the operator’s actions should be logged and sent to a separate system that the operator does not control. The logs should be reviewed with change or configuration management requests to determine if only authorized actions are taking place.

Separation of Duties – An operator should not have the ability to engage in malicious activities without collusion.

Background Investigation – A background investigation should be conducted to determine if the operator has abused the role in the past or may be vulnerable to blackmail or extortion attempts.

Security Administrators - The role of security administrators is to provide oversight for the security operations of a system. The aspects of security operations in their purview include account management, assignment of file sensitivity labels, system security settings, and review of audit data.

Help/Service Desk personnel are responsible for providing front line support for all users. While they may be supplemented by automated systems, they are typically responsible for some aspects of account management.

Ordinary Users – access is limited to normal user activities

Account Validation - Reviews of account activity are necessary to determine the existence of inactive accounts. Those accounts found to be inactive due to the departure of an individual from the organization should be removed from the system.

Job Rotation - Job rotations reduce the risk of collusion of activities between individuals.

Information Life Cycle: Several important information security activities surround the lifecycle of information to protect it, ensure it is available to only those who require access to it, and finally to destroy it when it is no longer needed.

Determine the impact the information has on the mission of the organization.

Understand the replacement cost of the information (if it can be replaced).

Determine who in the organization or outside of it has a need for the information and under what circumstances the information should be released.

Know when the information is inaccurate or no longer needed and should be destroyed.

Service Level Agreement

A service-level agreement (SLA) is simply a document describing the level of service expected by a customer from a supplier, laying out the metrics by which that service is measured, and the remedies or penalties, if any, should the agreed-upon levels not be achieved. Usually, SLAs are between companies and external suppliers, but they may also be between two departments within a company (these are referred to as Operational Level Agreements, or OLAs).

SLA

Sets expectations – agreed upon levels, description of services

Reporting, escalation, service times, up time, penalties, security

Provided by the service provider

Protects both sides,

Review for changes

Need exit strategy - need sunset date so it is easy to exit, what to do with data – you still own it

Removable Media

The organization does not know when information is leaving the enterprise.

The organization does not know if the information is breached.

The user has little incentive to report breaches.

Monitor and restrict USB and other ports; monitor writable DVDs or discs

Mandatory encryption, log information that is transferred to media, a remote wipe capability, a geo-locate capability

Backups vs Archives

Backups are conducted on a regular basis and are useful in recovering information or a system in the event of a disaster. Backups contain information that is regularly processed by the system users.

Information that is needed for historical purposes, but not in continual use, should be saved and removed from the system as an archive.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 831). CRC Press. Kindle Edition.

Cloud Storage

Made up of many distributed resources, but it still acts as one. Highly fault tolerant through redundancy and distribution of data. Highly durable through the creation of versioned copies.

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 831). CRC Press. Kindle Edition.

Cloud Concerns

When data is distributed, it is stored at more locations, increasing the risk of unauthorized physical access to the data. The risk of unauthorized access to data can be mitigated through the use of encryption, which can be applied to data as part of the storage service or by on-premises equipment that encrypts data prior to uploading it to the cloud.

The number of people with access to the data who could be compromised (i.e., bribed or coerced) increases dramatically. Encryption keys that are kept by the service user, as opposed to the service provider, limit the access to data by service provider employees.

It increases the number of networks over which the data travels. Instead of just a local area network (LAN) or storage area network (SAN), data stored on a cloud requires a WAN (wide area network) to connect them both.

When you are sharing storage and networks with many other users/customers, it is possible for other customers to access your data, sometimes because of erroneous actions, faulty equipment, a bug, or because of criminal intent. This risk applies to all types of storage and not only cloud storage. The risk of having data read during transmission can be mitigated through encryption technology. Encryption in transit protects data as it is being transmitted to and from the cloud service. Encryption at rest protects data that is stored at the service provider. Encrypting data in an on-premises cloud service on-ramp system can provide both kinds of encryption protection.

Hard Copy records – need to protect

Disposal – documents, files, media, hardware

Wipe clean

Fold, spindle, mutilate – in other words, destroy it

Presentations

3 shots left… This is week 8

Incident Response

Incident Management –combines people, process, and technology

Want an effective and efficient response

Your Incident response plan review is due next Tue

Security Metrics

Availability

Attacks detected, blocked, trends, locations from IP addresses

Malware or Spam measurements

Dashboards, Reporting

Detection – Intrusion Systems

Signature- or Pattern-Matching systems – Examine the available information (logs or network traffic) to determine if it matches a known attack.

Protocol Anomaly-Based systems – Examine network traffic to determine if what it sees conforms to the defined standard for that protocol, for example, as it is defined in a Request for Comment or RFC.

Statistical-Anomaly-Based systems – Establish a baseline of normal traffic patterns over time and detect any deviations from that baseline. Some also use heuristics to evaluate the intended behavior of network traffic to determine whether it is intended to be malicious or not. Most modern systems combine two or more of these techniques to provide a more accurate analysis before deciding whether an attack is present.

Response

The containment strategy should be driven by several criteria including:

The need to preserve forensic evidence for possible legal action.

The availability of services the affected component provides.

The potential damage that leaving the affected component in place may cause.

The time required for the containment strategy to be effective.

The resources required to contain the affected component.

Reporting

Policies and procedures need to be in place to determine how an incident escalates and should address:

Does the media or an organization’s external affairs group need to be involved?

Does the organization’s legal team need to be involved in the review?

At what point does notification of the incident rise to the line management, middle management, senior management, the board of directors, or the stakeholders?

What confidentiality requirements are necessary to protect the incident information?

What methods are used for the reporting? If email is attacked, how does that impact the reporting and notification process?

Recovery

Remediation and Review

Root Cause Analysis (RCA) - RCA is an intensive process involving numerous individuals from across different disciplines to determine why something happened and how to prevent it in the future. RCA involves reviewing system logs, policies, procedures, security documentation, and network traffic capture if available to first piece together the history of the event that caused the incident.

Problem Management - While incident management is concerned primarily with managing an adverse event, problem management is concerned with tracking that event back to a root cause and addressing the underlying problem.

Security Audits and Reviews – precursor to mitigation

Independent third party, internal and external reviews, penetration testing

Preventative Measures against attacks

Unauthorized Disclosure – sensitive information is leaked

Destruction Interruption and Theft

Corruption and Improper Modification

Network Intrusion Detection

Install a tap and listen; can fail if traffic is encrypted

Can block communications:

Block packets at the source

Inject reset packets into the TCP network

force remote system to cancel communications

Force hardware to terminate ports/connection

Host based intrusion – run directly on host

IDS Analysis Engine methods

Pattern matching = signature analysis

Anomaly detection

Stateful Matching Intrusion Detection

Statistical Anomaly Based Intrusion Detection

Protocol Anomaly Based Intrusion Detection

Traffic Anomaly-Based Intrusion Detection
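The three analysis-engine methods described under Detection – Intrusion Systems and listed again here (signature/pattern matching, protocol anomaly, statistical anomaly) run side by side over one capture. This is an added example, not the lecture's code or any IDS product's rules: the signature, the HTTP request-line model, the traffic records, the baseline counts and the three-sigma threshold are all constructed.

```python
import re
import statistics
from collections import Counter

# Constructed signature set (not real IDS rules): rule id -> byte pattern.
SIGNATURES = {"SIG-CONSTRUCTED-001": b"X-TEST-PATTERN: alert-me"}

# Protocol model for the HTTP request line: "METHOD SP request-target SP HTTP/x.y CRLF".
HTTP_REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)\r\n")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH"}


def signature_match(payload):
    """Signature / pattern matching: does the payload contain a known pattern?"""
    return [sid for sid, pattern in SIGNATURES.items() if pattern in payload]


def protocol_anomalies(payload):
    """Protocol anomaly: does the request line conform to the defined HTTP shape?"""
    m = HTTP_REQUEST_LINE.match(payload)
    if not m:
        return ["malformed request line"]
    issues = []
    if m["method"] not in KNOWN_METHODS:
        issues.append("unknown method")
    if m["ver"] not in (b"1.0", b"1.1"):
        issues.append("unexpected version")
    return issues


def build_baseline(per_minute_counts):
    """Statistical anomaly: learn normal connections-per-minute from a training period."""
    return statistics.mean(per_minute_counts), statistics.stdev(per_minute_counts)


def analyze(records, baseline, k=3.0):
    """Run all three engines over captured records and return findings per engine.
    A record is {"minute": int, "src": str, "payload": bytes}."""
    findings = {"signature": [], "protocol": [], "statistical": []}
    for i, r in enumerate(records):
        sigs = signature_match(r["payload"])
        if sigs:
            findings["signature"].append((i, sigs))
        issues = protocol_anomalies(r["payload"])
        if issues:
            findings["protocol"].append((i, issues))
    mean, stdev = baseline
    counts = Counter((r["minute"], r["src"]) for r in records)
    for (minute, src), n in sorted(counts.items()):
        if n > mean + k * stdev:              # deviation from the learned baseline
            findings["statistical"].append((minute, src, n))
    return findings


def sample_records():
    """Constructed traffic: one quiet host and one host with a burst that contains
    a signature hit, a malformed request line and an unknown method."""
    benign = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
    recs = [{"minute": 0, "src": "10.1.1.9", "payload": benign} for _ in range(5)]
    burst = [benign] * 6 + [
        b"GET /index.html HTTP/1.1\r\nX-TEST-PATTERN: alert-me\r\n\r\n",
        b"GET /index.html\r\n",
        b"BREW /pot-1 HTTP/1.1\r\n\r\n",
    ]
    recs += [{"minute": 0, "src": "10.1.1.5", "payload": p} for p in burst]
    return recs


TRAINING_COUNTS = [4, 5, 6, 5, 4, 6, 5, 5]   # constructed per-minute counts from a quiet period

if __name__ == "__main__":
    for engine, hits in analyze(sample_records(), build_baseline(TRAINING_COUNTS)).items():
        print(engine, hits)
```

Note which engine catches what: the burst host is flagged statistically (9 connections against a baseline of about 5 ± 0.76), while its malformed and unknown-method requests surface only through the protocol engine and the patterned header only through the signature engine.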

Lists

Whitelist - permit

Black list – deny

Greylisting – tell the sending email server to resend – spammers will blindly transmit and won’t understand the resend command – real email will go through.
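The greylisting behaviour described above, as an added example (not the lecture's code): the receiving server temporarily rejects the first attempt for a new sender-IP/from/to triplet and accepts only a retry that arrives after a minimum delay, which a real mail queue does and a fire-once bot does not. The delay values, addresses and the two senders are constructed; the 451 4.7.1 reply is the standard temporary-failure response.

```python
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    """Greylisting state for a receiving mail server; the delays are constructed defaults."""
    min_delay: int = 300           # seconds a sender must wait before its retry is accepted
    max_age: int = 4 * 3600        # forget an unretried triplet after this long
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    allowed: set = field(default_factory=set)     # triplets that have proven they retry

    def handle(self, now, sender_ip, mail_from, rcpt_to):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        triplet = (sender_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.allowed:
            return ACCEPT
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > self.max_age:
            self.pending[triplet] = now          # first contact: ask the sender to come back
            return TEMPFAIL
        if now - first_seen < self.min_delay:
            return TEMPFAIL                      # retried too soon: not a real queue
        self.allowed.add(triplet)                # a proper MTA retry: accept from now on
        del self.pending[triplet]
        return ACCEPT


def simulate():
    """Constructed scenario: a real MTA that retries after ten minutes versus a bot
    that sends once and never retries. Returns the replies each sender saw."""
    gl = Greylist()
    legit = [gl.handle(t, "192.0.2.10", "alice@example.org", "bob@example.com")
             for t in (0, 600, 601)]
    bot = [gl.handle(t, "203.0.113.7", "deals@example.net", "bob@example.com")
           for t in (5,)]
    return {"legit": legit, "bot": bot}


if __name__ == "__main__":
    print(simulate())
```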

Change Management Process

Requests

Impact Assessment

Approval / Disapproval

Build and Test

Notification

Implementation

Validation

Documentation

Develop a Recovery Strategy

Surviving Site – operates in multiple sites

Self-Service – can transfer to another site

Internal Arrangement – use internal rooms to support organization functions

Reciprocal Agreement / Mutual Aid Agreements

Dedicated Alternate Sites

Work from Home

External Suppliers

No Arrangement

Backup Storage Strategy

MTD – What is your maximum tolerable down time

RTO – What is your recovery time objectives?

Recovery Site Strategies

Dual Data Center

Internal Hot Site

External Hot Site

Warm Site – cooling / cabling / networks

Cold Site – empty shell

How to fail

Fail Safe – mechanisms focus on failing with a minimum of harm to personnel or systems – generally doors are open

Fail Secure – failing in a controlled manner to block access while the system is unavailable – on power failure, doors remain locked

Event Management Requirements

Strategy must be consistent regardless of event

Need to establish an assessment process

Event ownership needs to be defined

Management teams identified

Response team identified

Process for gathering of key decision makers

Methods of communication need to be defined

Goals of Event Management

Single Source of Information

Triage

Rapid Escalation

Consistent problem management

Rumor control

Make sure everyone who needs to know does

Allow the problem solvers room to solve

Playbook which documents key roles and responsibilities

Crisis management vs Crisis leadership

Managing – React, Short-term, Process, Narrow focus, Tactical

Leading – Anticipate, Long-term, Principles, Wide focus, Strategic

Final Project – Business Security Plan

You are responding to an RFP or Request For Proposal from a company for an overall business security plan

It includes ethical hacking components

It is hard copy only – no presentation

Plan Sections

What sections should be in the plan?

What concepts should we cover?

Business Security Plan

Research and build what you would put into a detailed security plan for an organization:

Policies – samples or areas that they should include

Procedures –

What standards do you suggest following

Testing – penetration testing

Internal and external

Training – what training would you offer employees (details)

Format

Make sure it is very professional:

cover,

executive summary

table of contents

security analysis & review

security testing - penetration test

training 

conclusion

Policies

Make sure that you include:

Sample Electronic Use Policy – Computer, Email, and Internet Use

Social Media Policy

Incident Response Policy and Procedures

Ethical Hacking Component

The plan needs to show exact steps and procedures on how you would test security on a company.

Internal threats

External threats

Detailed procedures, what you expect to find

TED – Fighting Viruses, Defending the Net

Mikko Hypponen

https://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net

17 min

It's been 25 years since the first PC virus (Brain A) hit the net, and what was once an annoyance has become a sophisticated tool for crime and espionage. Computer security expert Mikko Hyppönen tells us how we can stop these new viruses from threatening the internet as we know it.

Incident Response Plan

Preparing an Incident Response Plan

Data breaches have become inevitable for organizations across all industries and of all sizes. Therefore, it’s important that organizations are ready to respond when the inevitable data breach occurs.

https://www.youtube.com/watch?v=HQctLrPOTNY

2 min

Skillset – Incident Response Plan

This Incident Response Plan training video is part of the CISSP FREE training course from Skillset.com (https://www.skillset.com/certificatio...).

https://www.youtube.com/watch?v=PhROeWMPBqU

7 min

Presentations

Not much time left

CISSP Pop Quiz

A review – no, it will not be handed in…

TED – Everyday Cybercrime and What We Can Do About It

James Lyne

https://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it

17 min

How do you pick up a malicious online virus, the kind of malware that snoops on your data and taps your bank account? Often, it's through simple things you do each day without thinking twice. James Lyne reminds us that it's not only the NSA that's watching us, but ever-more-sophisticated cybercriminals, who exploit both weak code and trusting human nature.

What do the experts think?

Looking at the various TED talks, how would you summarize their comments?

Think about:

What are the most common threats?

What is the biggest weakness?

How to protect your organization?

Next Week

Security in the Software Development Lifecycle

SOC – Security Operations Center

Incident Response Plan Review is due

Look at some samples

Provide a comparison / contrast review

Discussion Boards

Discuss one key point of an Incident Response Plan

Discuss one issue or concern for intrusion prevention systems