Awareness
Importance of Information Security in today’s world
Social engineering
Hacking
Security controls [risk mitigation lattice]
Hands-on practices
Managing passwords (Office applications)
PDF conversion
Encryption
Importance of Information Security in today’s world
Why Security?
Evolution of technology focused on ease of use
Increasingly networked environments and network-based applications
Decreasing skill level needed to exploit systems
Direct impact of a security breach on the corporate asset base and goodwill
Increasing complexity of computer infrastructure administration and management
Essential Terminologies
Risk - The quantifiable likelihood of a threat taking advantage of a vulnerability in a system, or the probability that a threat will exploit a vulnerability
Threat - An action or event that might compromise security. A threat is a potential violation of security. OR Something that is a source of danger; the capabilities, intentions, and attack methods of adversaries that can exploit or cause harm to a system
Vulnerability - Existence of a weakness, design or implementation error that can lead to an unexpected and undesirable event compromising the security of the system.
Attack - An assault on the system security that is derived from an intelligent threat.
Exploit - A defined way to breach the security of an IT system via a vulnerability
Essential Terminologies (Cont’d)
Exposure - The potential compromise associated with an attack exploiting a corresponding vulnerability
Countermeasure - Action of reducing the impact of an attack, detecting the occurrence of an attack, and/or assisting in the recovery from an attack
Subject - Generally a person, process, or device that causes information to flow among objects.
Object - A passive entity containing or receiving information; access to an object usually implies access to the information that it contains
Essential Terminologies (Cont’d)
The DIKW Hierarchy helps define the jobs of security pros:
Functionality
Computer-based:
Social engineering is carried out with the aid of computers
More on Human-based Social Engineering
Eavesdropping, or unauthorized listening to conversations or reading of messages
Interception of any form, such as audio, video, or written
Shoulder surfing
Dumpster Diving:
Trash-bins
Printer trash-bins
User desk for sticky notes
Dumpster diving targets:
Phone bills
Contact information
Financial information, etc.
More on Human-based Social Engineering
Tailgating
An unauthorized person with a fake ID badge
Piggybacking
An authorized person provides access to an unauthorized person by keeping the secured door open.
Reverse Social engineering
The attacker creates a persona that appears to be in a position of authority, so that employees will ask him for information rather than the other way around
Reverse social engineering attack involves:
Sabotage
Marketing
Providing support