
Cyber Security Awareness

3,187 views

Seminar of Cyber Security Awareness at PT PJB (Pembangkitan Jawa Bali ) Surabaya 2018

Published in: Education

Cyber Security Awareness

  1. Cyber Security: Be Paranoid Please • Presented by M. Syarifudin, ST, OSCP, OSWP • Surabaya, 17 April 2018 • Seminar of Cyber Security Awareness, PT PJB (Pembangkitan Jawa Bali)
  2. Hello From Me • Information Security Trainer & Speaker • OSCP & OSWP Certified • Official Indonesian Kali Linux Translator • Homepage: fl3x.us
  3. We Are Going to Talk About • IT Security Awareness • The Importance of Security Awareness • Cyber Attack Trends • Essential Tips • ISO 27001 Overview • Pentest Is Needed
  4. IT Security Awareness • Vital for an organization • The entire organization's responsibility • IT systems increase in complexity • The technologies and vendors are not the indication of success
  5. IT Security Awareness • Should be supported regularly • A requirement for compliance • Weak security culture in the organization • Need a security awareness program
  6. Security Awareness Program • A way to ensure that everyone at the organization has a sense of security; then it becomes their responsibility.
  7. Security Awareness Program as a Culture • Attitudes • Practices • Policies • Processes • Success
  8. Security Awareness Program Components • Communication • Content • Checklists • Controls
  9. Communication • Regular conversation • Clear, relevant, and fun • Security is very important for business
  10. Checklists • Keep organized for developing, delivering, and maintaining the security awareness program • Who, What, When, Where, Why, How
  11. Content • Some references about security • Security handbook for all employees • Training program • Group chat (security issues and discussion) • Role-based guidelines
  12. Controls • Some rules • Need an approval based on role • Prevention
  13. The Importance of Security Awareness • Reduce the biggest risk (employees) • Improve awareness of protecting sensitive information • Help employees handle information securely
  14. The Importance of Security Awareness • Reduce the risks of mishandling information • Increase organizational understanding of implementing security best practices • Help the organization prevent attacks
  15. Cyber Attack Trends • Malware • Ransomware • Phishing • Web Application Attack • DoS
  16. Bad Habits • Default passwords • Same password for all accounts • Disclosing sensitive information
  17. Essential Tips • IT team "sells" the awareness mindset • Remind each other about information security • Keep your privacy and sensitive information • Avoid password reuse • Enable two-step verification
  18. Essential Tips • Make sure to always use a secure connection • Make sure to always use original software • Always update software and make sure it is the latest version • Back up data regularly • Avoid torrent downloads (pirated && not safe)
  19. ISO 27001 • ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS). • Helps organizations keep information assets secure
  20. What Is an ISMS? • An ISMS is a systematic approach to managing sensitive company information so that it remains secure, by applying a risk management process. • Covers People, Processes, and IT Systems
  21. Pentest Is Needed
  22. What Is a PenTest? • Real attacks against the target to gain access • Application • Network • System
  23. About PenTest • Must have permission • Think like an attacker • Be creative • Find security vulnerabilities • Exploit the security vulnerabilities • Bypass security mechanisms • Compromise IT system security
  24. Penetration Testing Execution Standard • Pre-engagement • Intelligence Gathering • Threat Modelling • Vulnerability Analysis • Exploitation • Post Exploitation • Reporting • http://www.pentest-standard.org
  25. Sample XSS Attack Vector • Execute the JavaScript code → Stealing cookies → Log in without credentials → Get a shell → G0t root
  26. References • https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf • https://www.tripwire.com/state-of-security/security-awareness/how-to-build-a-successful-it-security-awareness-program/ • https://www.threatstack.com/blog/how-to-implement-a-security-awareness-program-at-your-organization/ • https://www.iso.org/isoiec-27001-information-security.html