

  1. InfoSec 101 Introduction to Information Security for (non-IT) Professionals Fabian Lischka, Larry Salibra, Leonhard Weese FCC, Hong Kong, 2015-02-26 V0.97 from 2015-03-12

  2. Content ● Introduction – Disclaimers ● Suggested Best Practices – Basics: Passwords, Phishing – Communication: Browsing, VPN, Email, Chat ● Questions 2015-02-26 InfoSec 101 Page 2 of 30

  3. Introduction: What can go wrong? ● Examples: – Film journalist in Syria: Gov't confiscated laptop – AP Twitter account hacked: Phishing – GCHQ captured journalists' emails (BBC, NYT, …) – Hackers used hotel Wi-Fi to steal executive's data ● Can our recommendations protect you?
     Attack               | Opportunistic       | Targeted
     Hackers/Criminals    | Yes                 | Yes, likely
     Gov't/WFO (NSA, ...) | Yes (but red flag?) | Well....

  4. Introduction: Why should you care? ● “Even if the men in suits aren't after you, there are benefits to everyday crypto” – Jennifer Valentino-DeVries, WSJ ● Benefits: – Relieved/confident sources – Practice – Network effect – Red flag: Help your fellow journalists

  5. Introduction: Disclaimer ● Red flag! (using encryption can itself draw attention; the more people use it, the less it stands out) ● Requires discipline ● Weakest link property: one careless step undoes all the other precautions ● Only introduction! – Do not rely on this in life-and-death situations – No protection against WFO, governments, etc.

  6. Introduction: Disclaimer

  7. Best Practices: Passwords ● 3 Attacks: – Dictionary + trial and error – Database breaches (LinkedIn, Gawker, …): one leaked password is tried on every other site – “I lost my password”: reset via guessable security questions ● 3 Countermeasures: – Good passwords! – No re-use – No (guessable) security questions ● Problem: Conflict – a good, different password for every site cannot be memorised ● Solution: Password Managers

  8. Best Practices: Passwords ● Bad passwords – What you love – Words related to site – Dictionary words, patterns (`1234`, `qwerty`, `abcd`) ● Tricks: all well known! Cracking tools apply them automatically as rules on top of the dictionary – Appending: password123, password! – Substitutions: p@55word – Simple composition: password123angel!

  9. Best Practices: Passwords ● LinkedIn breach (2012), Gawker breach (2010)

  10. Best Practices: Passwords ● Good technique (“Schneier scheme”): – 1st letter of each word of a long, personal passphrase, punctuation kept – Example: Wo hěn xǐhuān HK, IT security, and (sometimes) 9 hours sleep → WhxHK,ITs&(st)9hs ● Good technique (“xkcd scheme”): – 4 or 5 randomly selected words (randomly: from a word list or dice, not words you pick) – Example: Keelhaul, cleistogamy, evince, vacuum → Keel3clei6evin9vacu – The strength is in the random selection; shortening the words or inserting digits afterwards adds nothing, so the plain words joined together are just as good
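As an added example (not part of the deck), the following script looks at passwords the way a cracking tool does: it undoes the tricks from slide 8 (appended digits or symbols, leet-speak substitutions, two words glued together) and reports the dictionary words it lands on, then works out the entropy arithmetic behind the word-based scheme on slide 10. The wordlist is a constructed stand-in for the multi-million-entry lists real tools use; the Schneier and xkcd examples are the deck's own.

```python
"""Added example: a toy 'cracker's eye' check for the tricks on slide 8, plus
the entropy arithmetic behind the word-based scheme on slide 10. Not from the
deck; the dictionary is a constructed stand-in for a real cracking wordlist."""
import math

# Constructed miniature wordlist: common words plus keyboard patterns.
DICTIONARY = {"password", "angel", "letmein", "dragon", "welcome",
              "monkey", "qwerty", "1234", "abcd"}

# Undo the substitutions every cracking rule set already knows (leet-speak).
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "5": "s", "$": "s", "7": "t"})


def _segment(s):
    """Cover s with dictionary words (raw or de-leeted), allowing digit and
    punctuation filler between and around them. Returns the word list, or None
    when some part of s is not reachable that way."""
    if not s:
        return []
    # Longest dictionary word at this position, raw or after undoing leet-speak.
    for j in range(len(s), 0, -1):
        chunk = s[:j]
        for word in (chunk, chunk.translate(UNLEET)):
            if word in DICTIONARY:
                rest = _segment(s[j:])
                if rest is not None:
                    return [word] + rest
    # No word starts here: a digit or symbol may be appended/joining filler.
    if not s[0].isalpha():
        return _segment(s[1:])
    return None


def crackable_as(candidate):
    """Dictionary words a rule-based guess (append, substitute, compose) reaches
    this password from; None means this toy rule set does not reach it."""
    return _segment(candidate.lower()) or None


def words_entropy(n_words, list_size):
    """Entropy in bits of n_words picked uniformly at random from list_size
    words. The strength is in the random choice; shortening or decorating the
    words afterwards cannot add to it."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("p@55word", "password123angel!",
               "Keel3clei6evin9vacu", "WhxHK,ITs&(st)9hs"):
        print(f"{pw:24} -> {crackable_as(pw)}")
    # 4 or 5 words from the 7776-word Diceware list: about 51.7 / 64.6 bits
    print(words_entropy(4, 7776), words_entropy(5, 7776))
```

The two deck examples come back as None because no rule in the set reaches them, while p@55word and password123angel! collapse to dictionary words in a handful of steps. Entropy is computed for the standard 7776-word Diceware list; a four-word pick is worth about 51.7 bits whether or not the words are later truncated.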

  11. Best Practices: Password Managers ● Purpose: Different passwords for different sites – One master password to remember ● Recommended: – Apple only, simple: iCloud Keychain – Free, open source: pwsafe, or KeePass – Commercial, with support: 1Password, or LastPass ● Disadvantages: – Single point of compromise: the master password, or the vault file/service holding it

  12. Best Practices: Avoid Phishing

  13. Best Practices: Avoid Phishing, Malware ● Fake email lures you to malicious website – "log in" on fake site, or hit by drive-by exploit – Spearphishing: the lure is tailored to you personally ● Pitfalls: 1) www.mybank.com → www.phishy.net (the link text and the link target differ) 2) www.mybank.com.domain.bla.phishy.net (the site you connect to is the last part, phishy.net; everything in front of it is a subdomain the attacker chose) ● Prevention: – Don't click! Type the address or use your own bookmark – Don't install!

  14. Best Practices: Disk Encryption ● Purpose: Protect data on your laptop – Hotel, stolen, border – Only while the device is off or locked; an unlocked, running laptop is open ● Forget your password, say Hasta la vista! – Keep the recovery key somewhere safe, offline ● Available: – Smartphones: Automatic (on latest: iOS 8, Android L) – OS X: FileVault – Windows: BitLocker ● External drives: – OS X: Format as encrypted disks (Disk Utility)

  15. Best Practices: Browsing ● You leave a massive data trail – Search engines, social networks – Cookies – IP address ● Recommended Tools: – Adblock Plus – AlwaysHTTPS – Ghostery – Privacy Badger

  16. Best Practices: Browsing – Search ● Recommended for anonymous search: – DuckDuckGo: Can set as default eg in Safari – Ixquick: non-Google sources – StartPage: Google source ● Not recommended: Bing, Google, Yahoo ● DuckDuckGo “Bangs”: !s, !g, !v, !w – a bang hands your query straight to that site (!g = Google), so that search is no longer anonymous

  17. Best Practices: Browsing – Tor ● Tor – Routes through extra hops, encrypted – Tor Browser (OS X, Win), OnionBrowser (iOS), Orbot (Android) – .onion, eg 3g2upl4pq6kufc4m.onion (DuckDuckGo; 16-character "v2" addresses like this one have since been retired by the Tor Project in favour of 56-character v3 addresses) ● Best Practices: – Do not divulge private information – Don't open documents while online (PDF/Office files can fetch content outside Tor and reveal your real address) ● Disadvantages: – Slower – Final hop (exit node) in the clear unless the site uses HTTPS

  18. Best Practices: VPNs ● One extra hop: – From device encrypted to VPN server "somewhere" – From VPN server onwards only as encrypted as the application already is: HTTPS stays encrypted, plain HTTP is readable by the VPN provider and everyone after it ● Benefits: – Protects from interception "nearby" (hotel Wi-Fi, local ISP) – Allows to circumvent censorship ● Trade-off: you shift trust from the hotel/ISP to the VPN provider, who now sees the same traffic ● Recommended: – AirVPN – ZenMate. Free. Only browser ● Test: www.ipleak.net with/without (your own IP and DNS servers should no longer show)

  19. Short Excursion: Encryption ● Symmetric encryption: – Plain text + key + algorithm = ciphertext – Transmit/store ciphertext – Ciphertext + key + algorithm = plain text ● Disadvantage: both sides must already share the same key ● Solution: Asymmetric (aka Public Key): publish the public key, keep the private key secret ● Problems: – Key management, MITM (someone hands you their public key instead of your contact's): compare key "fingerprints" out of band (OOB), e.g. in person or by voice

  20. Short Excursion: Levels of Security ● Can send message across (Alice → Server → Bob): – Unencrypted: Abcd → Abcd → Abcd (the server and anyone on the path reads it) – Partially: Abcd → Xy#! → Xy#! (encrypted on some hops or at rest, but the server holds the key and can read it) – End-to-End: Xy#! → Xy#! → Xy#! (only Alice and Bob can read it; the server only relays ciphertext)
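As an added example (not part of the deck), the following script plays through slides 19 and 20: the same message is relayed from Alice through a server to Bob under each of the three levels, and the script reports what the server can read in each case. To stay self-contained it uses a toy stream cipher (SHA-256 keystream, XOR) in place of a real one; real systems use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305. All keys and the nonce are constructed constants.

```python
"""Added example (not from the deck) for slides 19 and 20: one message relayed
through a server at the three levels of protection, and what the server sees.
Toy cipher for illustration only; keys and nonce are constructed constants."""
import hashlib

# Constructed keys. Link keys are shared with the server; the end-to-end key
# is known to Alice and Bob only.
LINK_KEY_ALICE = b"key shared by Alice and the server (constructed)"
LINK_KEY_BOB = b"key shared by Bob and the server (constructed)"
E2E_KEY = b"key shared by Alice and Bob only (constructed)"
WRONG_KEY = b"anything the server might guess (constructed)"


def xor_crypt(key, nonce, data):
    """Toy stream cipher: keystream = SHA-256(key || nonce || counter) blocks,
    XORed onto the data. Encryption and decryption are the same operation.
    Never reuse a nonce with the same key; real code uses an AEAD instead."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def deliver(message, mode, nonce=b"constructed-nonce-01"):
    """Relay message Alice -> server -> Bob. Returns what the server sees, what
    Bob reads, and the length visible to the server (never hidden here)."""
    if mode == "unencrypted":
        server_sees = message                       # plaintext on every hop
        bob_reads = server_sees
    elif mode == "partial":
        # Encrypted on each hop (like HTTPS to a webmail or chat server), but
        # the server holds both link keys: it decrypts, reads, re-encrypts.
        wire_in = xor_crypt(LINK_KEY_ALICE, nonce, message)
        server_sees = xor_crypt(LINK_KEY_ALICE, nonce, wire_in)
        wire_out = xor_crypt(LINK_KEY_BOB, nonce, server_sees)
        bob_reads = xor_crypt(LINK_KEY_BOB, nonce, wire_out)
    elif mode == "end-to-end":
        # Only Alice and Bob hold E2E_KEY; the server forwards ciphertext it
        # cannot open (decrypting with any other key yields garbage).
        server_sees = xor_crypt(E2E_KEY, nonce, message)
        bob_reads = xor_crypt(E2E_KEY, nonce, server_sees)
    else:
        raise ValueError("unknown mode: %r" % mode)
    return {"server_sees": server_sees, "bob_reads": bob_reads,
            "length_visible": len(server_sees)}


if __name__ == "__main__":
    for mode in ("unencrypted", "partial", "end-to-end"):
        r = deliver(b"Abcd", mode)
        print(f"{mode:12} server sees {r['server_sees']!r:20} Bob reads {r['bob_reads']!r}")
```

Two things the run makes visible that the slide cannot: in the "partial" level the wire is encrypted yet the server still ends up with the plaintext, because it holds the link keys; and even end-to-end, the server learns the message length and who is talking to whom, which is the metadata problem picked up again on slide 22.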

  21. Best Practices: Email & PGP ● Standard: PGP/GPG to encrypt any text – PGP: original (1991), GPG: open source – Both implement OpenPGP ● Command line tool, but various apps available ● Recommended: – GPG4Win: GPG for Windows – GPGTools: GPG for OS X, with Mail integration. – IPGMail: GPG for iOS. ● For key management, consider keybase.io

  22. Best Practices: Email & PGP ● Note: Metadata not encrypted – Sender, recipient, subject, length, time, frequency of mails → Use generic subject ("cat pictures") ● Key generation: – 4096 bits, RSA – Expiry date, say 2 years ● Allows to retire key if you lose access to it ● Can always extend (with the private key) or link to a new key, so a short expiry costs nothing – Strong passphrase ● Beware of drafts stored in clear text on the mail server
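As an added example (not from the deck), the following script reads a PGP/MIME message the way the mail server, or anyone on the path, reads it: with no key at all. Everything outside the encrypted part is plain text, which is the metadata point of slide 22. The message is constructed for the example; the "ciphertext" is a base64 placeholder, not real PGP output.

```python
"""Added example (not from the deck) for slide 22: what a mail server or an
observer on the path reads from a PGP/MIME message without any key.
The message is constructed; its 'ciphertext' is a placeholder."""
from email import message_from_string

RAW_MESSAGE = """\
From: alice@example.org
To: bob@example.net
Subject: Documents from my source at the ministry
Date: Thu, 26 Feb 2015 19:00:00 +0800
Message-ID: <constructed-id@example.org>
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCByZWFsIGNpcGhlcnRleHQ=
-----END PGP MESSAGE-----

--b1--
"""


def observable_metadata(raw):
    """What an observer learns with no key: the envelope headers, the size,
    the time, whether the body is PGP-encrypted, and any cleartext part."""
    msg = message_from_string(raw)
    info = {h: msg.get(h) for h in ("From", "To", "Subject", "Date")}
    info["size_bytes"] = len(raw.encode())
    info["body_encrypted"] = msg.get_content_type() == "multipart/encrypted"
    info["readable_body"] = None
    for part in msg.walk():                 # a text/plain part would be readable
        if part.get_content_type() == "text/plain":
            info["readable_body"] = part.get_payload()
    return info


def subject_leaks(subject, sensitive_terms):
    """Sensitive terms that appear in a cleartext Subject line."""
    s = (subject or "").lower()
    return [t for t in sensitive_terms if t.lower() in s]


if __name__ == "__main__":
    meta = observable_metadata(RAW_MESSAGE)
    for k, v in meta.items():
        print(f"{k:14}: {v}")
    print("leaks:", subject_leaks(meta["Subject"], ["source", "ministry"]))
```

The body itself is opaque, but From, To, Date, size and the Subject are all in the clear, and this Subject line gives away what the deck's "cat pictures" advice is meant to hide.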

  23. Best Practices: Chat ● Recommended (End-to-end encrypted): – iMessage (Apple only; Apple distributes the keys and offers no way for you to verify them) – Signal (iOS), TextSecure (Android) – Telegram (only in “Secret Chat”; normal chats are readable on Telegram's servers) ● MITM attack – Remedy: Out-of-band key comparison (compare fingerprints in person or by voice) ● Not recommended: Anything else. SMS.

  24. Best Practices: Voice ● Recommended (End-to-end encrypted): – FaceTime (Apple only) – Signal (iOS), Redphone (Android) ● Free, encrypted calls ● Not recommended: – Normal phone calls – Google Hangout (Voice/Video), Skype

  25. Miscellaneous: Information Leaks ● Your phone is a tracking device ● You might reveal more than you thought – Phone number, email can be googled – Reverse Image Search (TinEye, Google) – Images: EXIF (camera, time, GPS position embedded in the file) ● Recommended (but complicated): ExifTool ● IP address → ISP → you ● Cookies
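As an added example (not from the deck, and not a substitute for ExifTool), the following script shows what stripping image metadata actually does: it walks the marker segments of a JPEG file and copies everything except the APPn segments that carry Exif, XMP and IPTC data and the COM comment segment, leaving the image data untouched. The sample file is constructed by hand with placeholder payloads so that the script runs offline; it is not a decodable photo.

```python
"""Added example (not from the deck) for slide 25: strip the metadata segments
(Exif, XMP, IPTC, comments) from a JPEG by walking its marker segments.
The sample file is constructed with placeholder payloads; not a real photo."""


def segment(marker, payload):
    """Build one JPEG marker segment: FF, marker, 2-byte length (incl. itself)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


SAMPLE_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0 JFIF
    + segment(0xE1, b"Exif\x00\x00II*\x00"                            # APP1 Exif
              + b"constructed stand-in for GPS and camera tags")
    + segment(0xFE, b"constructed comment: taken at home")            # COM
    + segment(0xDB, bytes(65))                                         # DQT placeholder
    + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                       # SOS header
    + b"\x12\x34\x56\x78"                                              # image data (constructed)
    + b"\xff\xd9"                                                      # EOI
)


def header_markers(data):
    """Marker bytes of the segments before the image data (up to SOS)."""
    markers, i = [], 2
    while i + 1 < len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker == 0xFF:                  # fill byte, skip
            i += 1
            continue
        markers.append(marker)
        if marker in (0xDA, 0xD9):
            break
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
    return markers


def strip_jpeg_metadata(data, keep_app=(0xE0,)):
    """Copy the JPEG, dropping APPn segments not listed in keep_app (APP0/JFIF
    is kept by default; APP1 Exif/XMP and APP13 IPTC go) and COM segments.
    Everything from SOS onwards is image data and is copied unchanged."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out, i = bytearray(b"\xff\xd8"), 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError("corrupt segment structure at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xFF:                  # fill byte, skip
            i += 1
            continue
        if marker in (0xDA, 0xD9):          # SOS or EOI: the rest is not metadata
            out += data[i:]
            break
        length = int.from_bytes(data[i + 2:i + 4], "big")
        is_app = 0xE0 <= marker <= 0xEF and marker not in keep_app
        if not (is_app or marker == 0xFE):
            out += data[i:i + 2 + length]
        i += 2 + length
    return bytes(out)


if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in header_markers(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in header_markers(cleaned)])
    print("Exif still present:", b"Exif" in cleaned)
```

On a real photo, the same walk removes the GPS position and camera details the slide warns about; keep in mind that metadata can also sit inside the image data in other formats (PNG text chunks, for instance), which is why a dedicated tool such as ExifTool is the better everyday choice.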

  26. Miscellaneous: Multiple Accounts ● Recommended: Separate accounts on your computer – Work – Private – Project XYZ ● Shared folders – move information in a controlled manner ● Disadvantage: – Have to re-enter passwords etc. ● Advantage: – Makes information leaks less likely

  27. Miscellaneous: Defense in Depth ● Multiple layers of protection: – One layer broken, still secure ● Examples: – Agree on code words for sensitive entities – Cut message in many pieces, transmit... ● … part on iMessage, part on Signal/Redphone, part on Telegram, part on Wickr, part on phone: “meet”, “Carl”, “Sunday”, “10 am”, “Wagyu Lounge”, “red shoes” – Use Tor over a VPN

  28. Best Practices: More ● Not covered: – Deleting Data – Cloud Storage – Whistleblowing (“SecureDrop”) ● Please check http://fabianlischka.github.io/InfoSec101

  29. Finally: Advanced Steps ● Highly sensitive information → much more careful, systematic, paranoid ● Tools: – OpSec – VMs (Virtual Machines) – Tails (The amnesic incognito live system)

  30. Questions? ● More resources & links: http://fabianlischka.github.io/InfoSec101/
