Security Mindset
Understand past and recent.
- How things work and can be made to fail
- Trust, but verify
- Stop. Think. Connect.
- If you see something, say something
Business Email Compromise
- attacker obtains access to a business email account and imitates the owner
- man in the email attack
Archetypes: - false invoice scheme
- ceo fraud
- account compromise
- attorney impersonation
- data theft
Countermeasures - IDS rules to flag emails
- email rules reply different from
- color coding employee/internal vs external
- payment 2-factor
- confirmation requests 2-factor
Security Principles
Framework for all security programs.
-Economy of mechanism
-Fail-safe defaults
-Complete mediation
-Open design
-Separation of privilege
-Least privilege
-Least common mechanism
-User-friendly interface
Economy of mechanism
Keep things small and simple
Complexity is an enemy of security
Fail-safe
Anticipate how things can go wrong
Fail smart
Least privilege
Minimum privileges needed to do a job
Choke points and defense in depth
- only one way in or out (choke point)
- defense in depth (layers of security)
CIA
Confidentiality - Integrity - Availability
Confidentiality - who can see and read sensitive information
Integrity - limit who can change sensitive information
Availability - ensuring the information is there when we need it
Standard Organizations
-NIST
-ISO
-IEC
-PCI
