introduction to cybersecurity for generalists
play

Introduction to cybersecurity for Generalists James Davenport - PowerPoint PPT Presentation

Feb 02, 2023 •222 likes •394 views

Introduction to cybersecurity for Generalists James Davenport University of Bath 16 May 2019 James Davenport Introduction to cybersecurity for Generalists 1 / 16 CM50209: Security and Integrity Course is 6 ECTS (12 CATS) credits, in Semester

  1. Introduction to cybersecurity for Generalists James Davenport University of Bath 16 May 2019 James Davenport Introduction to cybersecurity for Generalists 1 / 16

  2. CM50209: Security and Integrity Course is 6 ECTS (12 CATS) credits, in Semester 2 Available on many MSc (including generalist MSc, and corresponding L7 Degree Apprenticeship), also MComp. Been running for many years, but IoC was an opportunity to rethink Tried to hire a Teaching Fellow, but failed, so I taught it myself Partly based on experience as a Fulbright CyberSecurity Scholar at NYU in 2017 James Davenport Introduction to cybersecurity for Generalists 2 / 16

  3. Overview (inherited) Aims: 1 To develop an understanding of the difficulties of security - everyone wants it but no-one can define it. 2 To develop the ability to analyse the security threats to a proposed design. 3 To develop the ability to propose realistic counter-measures, where available. Learning Outcomes: After taking this unit, the student should be able to: 1 describe common security models; 2 discuss what it means for a given system to be ’secure’; 3 identify security weaknesses in proposed systems. James Davenport Introduction to cybersecurity for Generalists 3 / 16

  4. Assessment (inherited format; own exercises) 50% Individual coursework on own experience of PCI DSS online. Buy from three different online vendors: capture both the HTML and the wire data, and analyse for weaknesses. 30% Group coursework: pick an OWASP weakness and give a 30-minute presentation on it. * Four self-select groups of five — next time I might force groups; not sure how this one will work with Degree Apprentices. 20% Class text (essentially an examination) James Davenport Introduction to cybersecurity for Generalists 4 / 16

  5. Course Overview (12 teaching weeks) I 1 Introduction, resources [And08], CIA triangle. But “In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved. [ISO18].” Proven security [Pau99] but problems with “Plan B” procedures [Com14, “POODLE”]. James Davenport Introduction to cybersecurity for Generalists 5 / 16

  6. Course Overview (12 teaching weeks) II 1b Payment Card System: [UK 19a]. Scale of system. The Adverline attack [Zor19, Kli19] James Davenport Introduction to cybersecurity for Generalists 6 / 16

  7. Course Overview (12 teaching weeks) III 2 Cryptography for Security Engineers. Kerckhoffs’ Principle [Ker83]. Don’t “roll your own”. 3 PCI DSS [Pay18b, Pay18a]. Hosted compliance [UK 19b]. 4 SQL Injection (example of OWASP for CW2). Lack of understanding [TS19]. Students work on capturing their own PCI DSS data for CW1. 5 Passwords: attacks, salt [MT79], policies, secure storage. Difficulty of correct implementation [NDTS18]. 2FA. Biometrics: weaknesses in practice [RMR17, BRT + 17]. 6 Access controls (Unix permissions, ACL, setuid, etc.). Principle of least privilege. 7 Vulnerability Scans versus Penetration Testing. PenTest tools [Gri19]. Guest lecture: automobile security. 8 “Consolidation week”: no new material. James Davenport Introduction to cybersecurity for Generalists 7 / 16

  8. Course Overview (12 teaching weeks) IV 9 Forensics Principles, ACPO “guidelines” [Ass12]. Importance of ISMS [ISO18] and SIEM. Norsk Hydro as a current example [Clu19, Mun19]. Cyberinsurance, analogy with London Fire Brigade. 10 Guest Lecture (a CISO). Also two group presentations. 11 CSRF (prevented by Token-Based Mitigation, implemented by frameworks); XSS (destroys TBM protection). See https://github.com/OWASP/CheatSheetSeries/blob/ master/cheatsheets/Cross_Site_Scripting_ Prevention_Cheat_Sheet.md . Also two group presentations. 12 Revision and Class Test. James Davenport Introduction to cybersecurity for Generalists 8 / 16

  9. References I R.J. Anderson. Security Engineering: A Guide to Building Dependable Cryptosystems (second edition). Wiley , 2008. Association of Chief Police Officers. ACPO Good Practice Guide for Digital Evidence (version 5, October 2011). ACPO , 2012. P. Bontrager, A. Roy, J. Togelius, N. Memon, and A. Ross. DeepMasterPrint: Fingerprint Spoofing via Latent Variable Evolution. https://arxiv.org/abs/1705.07386 , 2017. James Davenport Introduction to cybersecurity for Generalists 9 / 16

  10. References II G. Cluley. In its ransomware response, Norsk Hydro is an example for us all. https://www.grahamcluley.com/ in-its-ransomware-response-norsk-hydro-is-an-example-for- 2019. Computer Emergency Response Team. Alert (TA14-290A) SSL 3.0 Protocol Vulnerability and POODLE Attack. https://www.us-cert.gov/ncas/alerts/TA14-290A , 2014. James Davenport Introduction to cybersecurity for Generalists 10 / 16

  11. References III R.A. Grimes. Penetration testing on the cheap and not so cheap. https://www.csoonline.com/article/2622078/ hacking-penetration-testing-on-the-cheap-and-not-so-cheap. html , 2019. ISO/IEC. ISO/IEC 27000:2018 (E): Information technology - Security techniques - Information security management systems - Overview and vocabulary. https://standards.iso.org/ittf/ PubliclyAvailableStandards/c073906_ISO_IEC_27000_ 2018_E.zip , 2018. James Davenport Introduction to cybersecurity for Generalists 11 / 16

  12. References IV A. Kerckhoffs. La cryptographie militaire. Journal des sciences militaires , 9:5–38, 1883. URL: http://www.petitcolas.net/kerckhoffs/crypto_ militaire_1.pdf . Y. Klijnsma. New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks. https: //www.riskiq.com/blog/labs/magecart-adverline/ , 2019. James Davenport Introduction to cybersecurity for Generalists 12 / 16

  13. References V Robert Morris and Ken Thompson. Password security: A case history. Commun. ACM , 22(11):594–597, November 1979. URL: http://doi.acm.org/10.1145/359168.359172 , doi:10.1145/359168.359172 . P. Muncaster. Norsk Hydro Admits Ransomware Costs May Have Hit $41m. https://www.infosecurity-magazine.com/news/ norsk-hydro-ransomware-costs-hit-1-1/ , 2019. A. Naiakshina, A. Danilova, C. Tiefenau, and M. Smith. Deception Task Design in Developer Password Studies: Exploring a Student Sample. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). USENIX Association , pages 297–313, 2018. James Davenport Introduction to cybersecurity for Generalists 13 / 16

  14. References VI L.C. Paulson. Inductive Analysis of the Internet Protocol TLS. ACM Trans. Information and System Security , 2:332–351, 1999. Payment Card Industry Security Standards Council (PCI SSC). PCI DSS Quick Reference Guide. https://www.pcisecuritystandards.org/documents/ PCI_DSS-QRG-v3_2_1.pdf , 2018. Payment Card Industry Security Standards Council (PCI SSC). Requirements and Security Assessment Procedures Version 3.2.1. https://www.pcisecuritystandards.org/documents/ PCI_DSS_v3-2-1.pdf , 2018. James Davenport Introduction to cybersecurity for Generalists 14 / 16

  15. References VII A. Roy, N. Memon, and A. Ross. MasterPrint: Exploring the Vulnerability of Partial Fingerprint-based Authentication Systems. IEEE Transactions on Information Forensics and Security , 12:2013–2025, 2017. C. Taylor and S. Sakharkar. ’);DROP TABLE textbooks;–: An Argument for SQL Injection Coverage in Database Textbooks. In Proceedings of the 50th ACM Technical Symposium on Computer Science Education (SIGCSE ’19). ACM , pages 191–197, 2019. UK Finance. Card Payment Cycle. http://www.theukcardsassociation.org.uk/getting_ started/card-payment-cycle.asp , 2019. James Davenport Introduction to cybersecurity for Generalists 15 / 16

  16. References VIII UK Finance. How to be PCIDSS Compliant. http://www.theukcardsassociation.org.uk/security/ how_to_be_PCIDSS_compliant.asp , 2019. Z. Zorz. Compromised ad company serves Magecart skimming code to hundreds of websites. https://www.helpnetsecurity.com/2019/01/17/ magecart-supply-chain-attack/ , 2019. James Davenport Introduction to cybersecurity for Generalists 16 / 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and

Section 1 Dr. Bruce Burton California Cybersecurity INTRODUCTION Institute 12/10/2018 1 OBJECTIVES Current cybersecurity statistics and implications Learn from past attacks Understand the NIST Cybersecurity Framework (CSF) &

368 views • 33 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
10 Tips to run successful Paid Marketing What we do We are specialists not generalists,

10 Tips to run successful Paid Marketing What we do We are specialists not generalists,

10 Tips to run successful Paid Marketing What we do We are specialists not generalists, accelerating your lead generation across search engines and social media channels. Our clients growth is our success Only a customer that you win Paid

738 views • 48 slides
Cybersecurity What you need to know Agenda Introduction Kevin Bobroske What is

Cybersecurity What you need to know Agenda Introduction Kevin Bobroske What is

Cybersecurity What you need to know Agenda Introduction Kevin Bobroske What is cybersecurity? Why should I care? What can I do about it? High level cyber framework overview Summary + QA Fun stuff BIO Kevin

546 views • 32 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
Analyze Your Audience Identify Readers: Semi-Technical Non-Technical Technical Generalists

Analyze Your Audience Identify Readers: Semi-Technical Non-Technical Technical Generalists

Analyze Your Audience Identify Readers: Semi-Technical Non-Technical Technical Generalists Operators Specialists Managers Fabricators Engineers Beginners Repair Shops PEs etc. etc. etc. www.booksbycarolinemiller.com, 2013

402 views • 17 slides
Twins 47% A. Bill Clinton B. Jeremy Irons A Generalists 28% C. Scarlett Johansson 24%

Twins 47% A. Bill Clinton B. Jeremy Irons A Generalists 28% C. Scarlett Johansson 24%

6/9/2016 Famous Twins Twins 47% A. Bill Clinton B. Jeremy Irons A Generalists 28% C. Scarlett Johansson 24% Perspective D. Bill Parer Meg Autry, MD Clinical Professor 1% Department Obstetrics, Gynecology, and Reproductive Sciences n

424 views • 11 slides
What The Hack! Aldo Leiva Jorge Rey Agenda Introduction Cybersecurity Trends Legal

What The Hack! Aldo Leiva Jorge Rey Agenda Introduction Cybersecurity Trends Legal

What The Hack! Aldo Leiva Jorge Rey Agenda Introduction Cybersecurity Trends Legal Framework For Cybersecurity Compliance How Are Organizations Getting Hacked Oops, you clicked on the link. Now what? Best Practices and

1.09k views • 36 slides
Generalists and Specialists Using Community Embeddings to Quantify Activity Diversity in Online

Generalists and Specialists Using Community Embeddings to Quantify Activity Diversity in Online

Isaac Waller walleris@cs.toronto.edu Ashton Anderson ashton@cs.toronto.edu University of Toronto The Web Conference 2019 Generalists and Specialists Using Community Embeddings to Quantify Activity Diversity in Online Platforms full-stack

633 views • 36 slides
Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland

Cybersecurity A presentation to the National Association of Black Accountants Cleveland Chapter Contents Cybersecurity and risk management 1 Cybersecurity and the regulatory 2 environment Cybersecurity and the audit 3 4 Appendix

685 views • 37 slides
AUTOMATION The Generalists Workload Manager IMMUCOR USER GROUP MEETING 2016 C Michelle Roye

AUTOMATION The Generalists Workload Manager IMMUCOR USER GROUP MEETING 2016 C Michelle Roye

AUTOMATION The Generalists Workload Manager IMMUCOR USER GROUP MEETING 2016 C Michelle Roye MS(CLM), CLS, ASCP(MLS) Discuss the challenges and potential inefficiencies of a smaller transfusion service Describe the importance of audits

917 views • 25 slides
Safety in the Cloud An Introduction to Cybersecurity Frank Chen | Spring 2017 Agenda

Safety in the Cloud An Introduction to Cybersecurity Frank Chen | Spring 2017 Agenda

CS 88S Safety in the Cloud An Introduction to Cybersecurity Frank Chen | Spring 2017 Agenda Introductions Icebreaker Activity Administrative Myths & Realities Computers, Networks, Paradigms of Cybersecurity Frank Chen |

1.05k views • 50 slides
KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

7/17/2020 KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing Attacks Malware/Ransomware Hacking Imposter Scams 1 7/17/2020 KACo Cybersecurity Training BEWARE OF Phishing Phishing attacks

248 views • 6 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2019 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

212 views • 19 slides
Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright

Formal Methods and CyberSecurity James Davenport University of Bath Former Fulbright CyberSecurity Scholar 4 September 2018 James Davenport Formal Methods and CyberSecurity CyberSecurity CyberSecurity failures abound: tens daily in the

325 views • 18 slides
ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity

ITU Mandate and Activities ITU Mandate and Activities Related to Cybersecurity Cybersecurity Related to Subregional Seminar on Cybersecurity for Information and Communication Networks 21 June 2005 Lima, Peru Christine Sund Christine Sund

921 views • 48 slides
Phishing: New Internet Financial Fraud Trend by Yuejin Du CNCERT/CC Feb. 24 th . 2005 APRICOT

Phishing: New Internet Financial Fraud Trend by Yuejin Du CNCERT/CC Feb. 24 th . 2005 APRICOT

Phishing: New Internet Financial Fraud Trend by Yuejin Du CNCERT/CC Feb. 24 th . 2005 APRICOT www.cert.org.cn Attendee Investigation National Computer network Emergency Response technical Team/Coordination Center of China Contents

374 views • 21 slides
Erik Whynot, Esq Founding Partner 300 N. Maitland Ave. Maitland, Florida ewhynot@mygwlaw.com

Erik Whynot, Esq Founding Partner 300 N. Maitland Ave. Maitland, Florida ewhynot@mygwlaw.com

Erik Whynot, Esq Founding Partner 300 N. Maitland Ave. Maitland, Florida ewhynot@mygwlaw.com OFFICES Maitland/Orlando | *Ft. Lauderdale T) 407-539-3900 * By appointment only F) 407-386-8485 HU HURRICA CANE NE PREPAREDNE NESS Do Don

234 views • 21 slides
Protecting Internet Threat Monitors: A Statistical Filtering Approach Yoichi Shinoda JAIST

Protecting Internet Threat Monitors: A Statistical Filtering Approach Yoichi Shinoda JAIST

Protecting Internet Threat Monitors: A Statistical Filtering Approach Yoichi Shinoda JAIST Mapping Internet Monitors Two papers were presented/published at the 14th USENIX Security Symposium (Aug. 2005). Mapping Internet Sensors with

353 views • 9 slides
Cybersecurity and Africa Benot MOREL Carnegie Mellon University Afrinic Cyberization of

Cybersecurity and Africa Benot MOREL Carnegie Mellon University Afrinic Cyberization of

Cybersecurity and Africa Benot MOREL Carnegie Mellon University Afrinic Cyberization of Africa The new big development in the cyberworld 6.8% penetration population today but the growth is phenomenal Changes the digital

462 views • 8 slides
Security Standards Information Security Prof Hans Georg Schaathun Hgskolen i lesund Autumn

Security Standards Information Security Prof Hans Georg Schaathun Hgskolen i lesund Autumn

Security Standards Information Security Prof Hans Georg Schaathun Hgskolen i lesund Autumn 2011 Week 4 Prof Hans Georg Schaathun Security Standards Autumn 2011 Week 4 1 / 1 Evolution of Standards Outline Prof Hans Georg

521 views • 36 slides
IOT AND SMART CITIES Sokwoo Rhee Associate Director of Cyber-Physical Systems Program National

IOT AND SMART CITIES Sokwoo Rhee Associate Director of Cyber-Physical Systems Program National

NIST IOT AND SMART CITIES Sokwoo Rhee Associate Director of Cyber-Physical Systems Program National Institute of Standards and Technology (NIST) US Department of Commerce NIST Integrated, hybrid networks of cyber and engineered physical

361 views • 25 slides
CISO 90 Day Plan Nelson Chen, M.SC. IT CISSP, CISA, CISM Agenda Why are we here? Days 0

CISO 90 Day Plan Nelson Chen, M.SC. IT CISSP, CISA, CISM Agenda Why are we here? Days 0

CISO 90 Day Plan Nelson Chen, M.SC. IT CISSP, CISA, CISM Agenda Why are we here? Days 0 30 Days 31 60 Days 61 90 Days 90+ Infinity & Beyond Avoiding Really Bad News! <Your Company Name Here> Data

675 views • 42 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides

More recommend