introduction to cybersecurity for generalists
play

Introduction to cybersecurity for Generalists James Davenport - PowerPoint PPT Presentation

Feb 02, 2023 •222 likes •394 views

Introduction to cybersecurity for Generalists James Davenport University of Bath 16 May 2019 James Davenport Introduction to cybersecurity for Generalists 1 / 16 CM50209: Security and Integrity Course is 6 ECTS (12 CATS) credits, in Semester

  1. Introduction to cybersecurity for Generalists James Davenport University of Bath 16 May 2019 James Davenport Introduction to cybersecurity for Generalists 1 / 16

  2. CM50209: Security and Integrity Course is 6 ECTS (12 CATS) credits, in Semester 2 Available on many MSc (including generalist MSc, and corresponding L7 Degree Apprenticeship), also MComp. Been running for many years, but IoC was an opportunity to rethink Tried to hire a Teaching Fellow, but failed, so I taught it myself Partly based on experience as a Fulbright CyberSecurity Scholar at NYU in 2017 James Davenport Introduction to cybersecurity for Generalists 2 / 16

  3. Overview (inherited) Aims: 1 To develop an understanding of the difficulties of security - everyone wants it but no-one can define it. 2 To develop the ability to analyse the security threats to a proposed design. 3 To develop the ability to propose realistic counter-measures, where available. Learning Outcomes: After taking this unit, the student should be able to: 1 describe common security models; 2 discuss what it means for a given system to be ’secure’; 3 identify security weaknesses in proposed systems. James Davenport Introduction to cybersecurity for Generalists 3 / 16

  4. Assessment (inherited format; own exercises) 50% Individual coursework on own experience of PCI DSS online. Buy from three different online vendors: capture both the HTML and the wire data, and analyse for weaknesses. 30% Group coursework: pick an OWASP weakness and give a 30-minute presentation on it. * Four self-select groups of five — next time I might force groups; not sure how this one will work with Degree Apprentices. 20% Class text (essentially an examination) James Davenport Introduction to cybersecurity for Generalists 4 / 16

  5. Course Overview (12 teaching weeks) I 1 Introduction, resources [And08], CIA triangle. But “In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved. [ISO18].” Proven security [Pau99] but problems with “Plan B” procedures [Com14, “POODLE”]. James Davenport Introduction to cybersecurity for Generalists 5 / 16

  6. Course Overview (12 teaching weeks) II 1b Payment Card System: [UK 19a]. Scale of system. The Adverline attack [Zor19, Kli19] James Davenport Introduction to cybersecurity for Generalists 6 / 16

  7. Course Overview (12 teaching weeks) III 2 Cryptography for Security Engineers. Kerckhoffs’ Principle [Ker83]. Don’t “roll your own”. 3 PCI DSS [Pay18b, Pay18a]. Hosted compliance [UK 19b]. 4 SQL Injection (example of OWASP for CW2). Lack of understanding [TS19]. Students work on capturing their own PCI DSS data for CW1. 5 Passwords: attacks, salt [MT79], policies, secure storage. Difficulty of correct implementation [NDTS18]. 2FA. Biometrics: weaknesses in practice [RMR17, BRT + 17]. 6 Access controls (Unix permissions, ACL, setuid, etc.). Principle of least privilege. 7 Vulnerability Scans versus Penetration Testing. PenTest tools [Gri19]. Guest lecture: automobile security. 8 “Consolidation week”: no new material. James Davenport Introduction to cybersecurity for Generalists 7 / 16

  8. Course Overview (12 teaching weeks) IV 9 Forensics Principles, ACPO “guidelines” [Ass12]. Importance of ISMS [ISO18] and SIEM. Norsk Hydro as a current example [Clu19, Mun19]. Cyberinsurance, analogy with London Fire Brigade. 10 Guest Lecture (a CISO). Also two group presentations. 11 CSRF (prevented by Token-Based Mitigation, implemented by frameworks); XSS (destroys TBM protection). See https://github.com/OWASP/CheatSheetSeries/blob/ master/cheatsheets/Cross_Site_Scripting_ Prevention_Cheat_Sheet.md . Also two group presentations. 12 Revision and Class Test. James Davenport Introduction to cybersecurity for Generalists 8 / 16

  9. References I R.J. Anderson. Security Engineering: A Guide to Building Dependable Cryptosystems (second edition). Wiley , 2008. Association of Chief Police Officers. ACPO Good Practice Guide for Digital Evidence (version 5, October 2011). ACPO , 2012. P. Bontrager, A. Roy, J. Togelius, N. Memon, and A. Ross. DeepMasterPrint: Fingerprint Spoofing via Latent Variable Evolution. https://arxiv.org/abs/1705.07386 , 2017. James Davenport Introduction to cybersecurity for Generalists 9 / 16

  10. References II G. Cluley. In its ransomware response, Norsk Hydro is an example for us all. https://www.grahamcluley.com/ in-its-ransomware-response-norsk-hydro-is-an-example-for- 2019. Computer Emergency Response Team. Alert (TA14-290A) SSL 3.0 Protocol Vulnerability and POODLE Attack. https://www.us-cert.gov/ncas/alerts/TA14-290A , 2014. James Davenport Introduction to cybersecurity for Generalists 10 / 16

  11. References III R.A. Grimes. Penetration testing on the cheap and not so cheap. https://www.csoonline.com/article/2622078/ hacking-penetration-testing-on-the-cheap-and-not-so-cheap. html , 2019. ISO/IEC. ISO/IEC 27000:2018 (E): Information technology - Security techniques - Information security management systems - Overview and vocabulary. https://standards.iso.org/ittf/ PubliclyAvailableStandards/c073906_ISO_IEC_27000_ 2018_E.zip , 2018. James Davenport Introduction to cybersecurity for Generalists 11 / 16

  12. References IV A. Kerckhoffs. La cryptographie militaire. Journal des sciences militaires , 9:5–38, 1883. URL: http://www.petitcolas.net/kerckhoffs/crypto_ militaire_1.pdf . Y. Klijnsma. New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks. https: //www.riskiq.com/blog/labs/magecart-adverline/ , 2019. James Davenport Introduction to cybersecurity for Generalists 12 / 16

  13. References V Robert Morris and Ken Thompson. Password security: A case history. Commun. ACM , 22(11):594–597, November 1979. URL: http://doi.acm.org/10.1145/359168.359172 , doi:10.1145/359168.359172 . P. Muncaster. Norsk Hydro Admits Ransomware Costs May Have Hit $41m. https://www.infosecurity-magazine.com/news/ norsk-hydro-ransomware-costs-hit-1-1/ , 2019. A. Naiakshina, A. Danilova, C. Tiefenau, and M. Smith. Deception Task Design in Developer Password Studies: Exploring a Student Sample. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). USENIX Association , pages 297–313, 2018. James Davenport Introduction to cybersecurity for Generalists 13 / 16

  14. References VI L.C. Paulson. Inductive Analysis of the Internet Protocol TLS. ACM Trans. Information and System Security , 2:332–351, 1999. Payment Card Industry Security Standards Council (PCI SSC). PCI DSS Quick Reference Guide. https://www.pcisecuritystandards.org/documents/ PCI_DSS-QRG-v3_2_1.pdf , 2018. Payment Card Industry Security Standards Council (PCI SSC). Requirements and Security Assessment Procedures Version 3.2.1. https://www.pcisecuritystandards.org/documents/ PCI_DSS_v3-2-1.pdf , 2018. James Davenport Introduction to cybersecurity for Generalists 14 / 16

  15. References VII A. Roy, N. Memon, and A. Ross. MasterPrint: Exploring the Vulnerability of Partial Fingerprint-based Authentication Systems. IEEE Transactions on Information Forensics and Security , 12:2013–2025, 2017. C. Taylor and S. Sakharkar. ’);DROP TABLE textbooks;–: An Argument for SQL Injection Coverage in Database Textbooks. In Proceedings of the 50th ACM Technical Symposium on Computer Science Education (SIGCSE ’19). ACM , pages 191–197, 2019. UK Finance. Card Payment Cycle. http://www.theukcardsassociation.org.uk/getting_ started/card-payment-cycle.asp , 2019. James Davenport Introduction to cybersecurity for Generalists 15 / 16

  16. References VIII UK Finance. How to be PCIDSS Compliant. http://www.theukcardsassociation.org.uk/security/ how_to_be_PCIDSS_compliant.asp , 2019. Z. Zorz. Compromised ad company serves Magecart skimming code to hundreds of websites. https://www.helpnetsecurity.com/2019/01/17/ magecart-supply-chain-attack/ , 2019. James Davenport Introduction to cybersecurity for Generalists 16 / 16

Recommend

INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

Section 1 Dr. Bruce Burton California Cybersecurity INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and implications Learn from past attacks Understand the NIST Cybersecurity Framework (CSF) &

368 views • 33 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
10 Tips to run successful Paid Marketing What we do We are specialists not generalists,

10 Tips to run successful Paid Marketing What we do We are specialists not generalists,

10 Tips to run successful Paid Marketing What we do We are specialists not generalists, accelerating your lead generation across search engines and social media channels. Our clients growth is our success Only a customer that you win Paid

738 views • 48 slides
Cybersecurity What you need to know Agenda Introduction Kevin Bobroske What is

Cybersecurity What you need to know Agenda Introduction Kevin Bobroske What is

Cybersecurity What you need to know Agenda Introduction Kevin Bobroske What is cybersecurity? Why should I care? What can I do about it? High level cyber framework overview Summary + QA Fun stuff BIO Kevin

546 views • 32 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
Analyze Your Audience Identify Readers: Semi-Technical Non-Technical Technical Generalists

Analyze Your Audience Identify Readers: Semi-Technical Non-Technical Technical Generalists

Analyze Your Audience Identify Readers: Semi-Technical Non-Technical Technical Generalists Operators Specialists Managers Fabricators Engineers Beginners Repair Shops PEs etc. etc. etc. www.booksbycarolinemiller.com, 2013

402 views • 17 slides
Twins 47% A. Bill Clinton B. Jeremy Irons A Generalists 28% C. Scarlett Johansson 24%

Twins 47% A. Bill Clinton B. Jeremy Irons A Generalists 28% C. Scarlett Johansson 24%

6/9/2016 Famous Twins Twins 47% A. Bill Clinton B. Jeremy Irons A Generalists 28% C. Scarlett Johansson 24% Perspective D. Bill Parer Meg Autry, MD Clinical Professor 1% Department Obstetrics, Gynecology, and Reproductive Sciences n

424 views • 11 slides
What The Hack! Aldo Leiva Jorge Rey Agenda Introduction Cybersecurity Trends Legal

What The Hack! Aldo Leiva Jorge Rey Agenda Introduction Cybersecurity Trends Legal

What The Hack! Aldo Leiva Jorge Rey Agenda Introduction Cybersecurity Trends Legal Framework For Cybersecurity Compliance How Are Organizations Getting Hacked Oops, you clicked on the link. Now what? Best Practices and

1.09k views • 36 slides
Generalists and Specialists Using Community Embeddings to Quantify Activity Diversity in Online

Generalists and Specialists Using Community Embeddings to Quantify Activity Diversity in Online

Isaac Waller walleris@cs.toronto.edu Ashton Anderson ashton@cs.toronto.edu University of Toronto The Web Conference 2019 Generalists and Specialists Using Community Embeddings to Quantify Activity Diversity in Online Platforms full-stack

633 views • 36 slides
Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland Chapter Contents Cybersecurity and risk management 1 Cybersecurity and the regulatory 2 environment Cybersecurity and the audit 3 4 Appendix

685 views • 37 slides
AUTOMATION The Generalists Workload Manager IMMUCOR USER GROUP MEETING 2016 C Michelle Roye

AUTOMATION The Generalists Workload Manager IMMUCOR USER GROUP MEETING 2016 C Michelle Roye

AUTOMATION The Generalists Workload Manager IMMUCOR USER GROUP MEETING 2016 C Michelle Roye MS(CLM), CLS, ASCP(MLS) Discuss the challenges and potential inefficiencies of a smaller transfusion service Describe the importance of audits

917 views • 25 slides
Safety in the Cloud An Introduction to Cybersecurity Frank Chen | Spring 2017 Agenda

Safety in the Cloud An Introduction to Cybersecurity Frank Chen | Spring 2017 Agenda

CS 88S Safety in the Cloud An Introduction to Cybersecurity Frank Chen | Spring 2017 Agenda Introductions Icebreaker Activity Administrative Myths & Realities Computers, Networks, Paradigms of Cybersecurity Frank Chen |

1.05k views • 50 slides
KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

7/17/2020 KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing Attacks Malware/Ransomware Hacking Imposter Scams 1 7/17/2020 KACo Cybersecurity Training BEWARE OF Phishing Phishing attacks

248 views • 6 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2019 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

212 views • 19 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2018 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

325 views • 18 slides
ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity Related to Subregional Seminar on Cybersecurity for Information and Communication Networks 21 June 2005 Lima, Peru Christine Sund Christine Sund

921 views • 48 slides
Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel

Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel

Being Strategic about Cybersecurity Regional Cybersecurity Forum, 29-30 Nov 2016, Grand Hotel Sofia, Bulgaria Mr. Joaqun Castelln , Operational Director Spanish National Security Department Ms. Anita TIKOS , Desk Officer for International

197 views • 15 slides
EU in action about cybersecurity NIS Directive 5G Cybersecurity Act GDPR Contractual ISACs

EU in action about cybersecurity NIS Directive 5G Cybersecurity Act GDPR Contractual ISACs

EU Cybersecurity European policy overview e-IRG e-IRG 4 December 2019 Brussels Anni Hellman, Senior Expert, Permanent Representation of Finland to the European Union Seconded for the Finnish Presidency from the Directorate General

320 views • 28 slides
Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical

Cybersecurity Today CYBERSECURITY IN TODAYS WORLD Cyberattacks in Wyoming Medical Facilities Local Government Schools Law Enforcement Media Outlets The threat and how to think about it Ransomware has rapidly emerged as the most

398 views • 15 slides
MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity

MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity

MAYASEVENs Hacking Diary Who are we? Nop Phoomthaisong MAYASEVEN Team Cybersecurity Consultants, The Cybersecurity Expert Guys Cybersecurity Researcher 2 Agenda 1. Account Takeover via Forgot Password Function 2. Amazon S3

2.36k views • 75 slides
Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive

Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive

Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive Director EY Chair AICPA Trust Information Integrity Task Force Agenda Item 8-D IAASB Meeting, September 21-25, 2015 New York, USA Page 1 Increasing

444 views • 17 slides
CYBERSECURITY Situational awareness Franois Thill, Director Cybersecurity, Ministry of the

CYBERSECURITY Situational awareness Franois Thill, Director Cybersecurity, Ministry of the

CYBERSECURITY Situational awareness Franois Thill, Director Cybersecurity, Ministry of the economy Agenda The actual situation Strategy of the ministry Risk management a common language Some good practice examples 2 The

427 views • 21 slides
Infrastructure Cybersecurity Introduction to Concepts, Language, Policy About me Jack

Infrastructure Cybersecurity Introduction to Concepts, Language, Policy About me Jack

Understanding Critical Infrastructure Cybersecurity Introduction to Concepts, Language, Policy About me Jack Whitsitt | http://twitter.com/sintixerr | jack@energysec.org Broad Background Lived in a little hacker compound as a

850 views • 47 slides
Internet and CyberSecurity 101 U.S. National Cybersecurity, 10/5/06 presented by: Martin Casado

Internet and CyberSecurity 101 U.S. National Cybersecurity, 10/5/06 presented by: Martin Casado

Internet and CyberSecurity 101 U.S. National Cybersecurity, 10/5/06 presented by: Martin Casado Network vs. Internet a network is a system of computers that talk over some communication medium: phone line (analogue modem, DSL), cable,

957 views • 47 slides

More recommend