Download Threats Vulnerabilities and Risks PowerPoint Presentation

Iframe embed code :

<iframe src='https://www.slidesfinder.com/embedpresentation/MTUyOQ==' width='630' height='570' frameborder='0' marginwidth='0' marginheight='0' scrolling='no' allowfullscreen></iframe>

Presentation url :

Home / Computers & Web / Computers & Web Presentations / Threats Vulnerabilities and Risks PowerPoint Presentation

Threats Vulnerabilities and Risks PowerPoint Presentation

PowerPoint is the world's most popular presentation software which can let you create professional Threats Vulnerabilities and Risks powerpoint presentation easily and in no time. This helps you give your presentation on Threats Vulnerabilities and Risks in a conference, a school lecture, a business proposal, in a webinar and business and professional representations.

The uploader spent his/her valuable time to create this Threats Vulnerabilities and Risks powerpoint presentation slides, to share his/her useful content with the world. This ppt presentation uploaded by slidefu in Computers & Web ppt presentation category is available for free download,and can be used according to your industries like finance, marketing, education, health and many more.

About This Presentation

slidefu

Description : Powerpoint presentation of threats vulnerabilities and risks, for know more about.

Tags : threats | vulnerabilities | risks | virus attacks

Published on : Oct 19, 2019
Views : 2255 | Downloads : 4

Download Now

Share on Social Media

Threats Vulnerabilities and Risks Presentation Transcript

Slide 1 -

Threats, Vulnerabilities, and Risks

Slide 2 -

Terminology Threat--- a potential cause of an incident that may result in harm to a system or organization Vulnerability--- a weakness of an asset (resource) or a group of assets that can be exploited by one or more threats Risk--- potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability Example: In a system that allows weak passwords, Vulnerability--- password is vulnerable for dictionary or exhaustive key attacks Threat--- An intruder can exploit the password weakness to break into the system Risk--- the resources within the system are prone for illegal access/modify/damage by the intruder. Threat agent--- entities that would knowingly seek to manifest a threat

Slide 3 -

Who is the enemy? Why do they do it? Offenders Crackers--- mostly teenagers doing as intellectual challenge Information system’s criminals--- Espionage and/or Fraud/abuse---for a nation/company to gain a competitive advantage over its rivals Vandals--- authorized users and strangers (cracker or a criminal)---motivated by anger directed at an individual/organization/life in general

Slide 4 -

Motives of Cyber Criminal Power assurance--- to restore criminal’s self-confidence or self-worth through low-aggression means;---e.g. cyber stalking Power assertive--- to restore criminal’s self-confidence or self-worth through moderate- to high-aggression means---not to harm the victim but to get control of the victim; Anger (retaliatory)--- rage towards a person, group, institution, or a symbol--- the offender may believe that they are correcting some injustice Sadistic--- derive gratification from the pain/suffering of others Profit-oriented--- material or personal gain

Slide 5 -

Risk = Threats x Vulnerabilities Ref: http://simplicable.com/new/the-big-list-of-information-security-vulnerabilities

Slide 6 -

Types of Damage Interruption---destroyed/unavailable services/resources Interception---unauthorized party snooping or getting access to a resource Modification--- unauthorized party modifying a resource Fabrication---unauthorized party inserts a fake asset/resource

Slide 7 -

Components of a Threat Components Threat agents--- criminals, terrorists, subversive or secret groups, state sponsored, disgruntled employees,, hackers, pressure groups, commercial groups Capability--- software, technology, facilities, education and training, methods, books and manuals Threat inhibitors--- fear of capture, fear of failure, level of technical difficulty, cost of participation, sensitivity to public perception, law enforcement activity, target vulnerability, target profile, public perception, peer perception Threat amplifiers--- peer pressure, fame, access to information, changing high technology, deskilling through scripting, skills and education levels, law enforcement activity, target vulnerability, target profile, public perception, peer perception Threat catalysts--- events, technology changes, personal circumstances Threat agent motivators--- political, secular, personal gain, religion, power, terrorism, curiosity

Slide 8 -

Threat Agents Types Natural--- fire, floods, power failure, earth quakes, etc. Unintentional--- insider, outsider---primarily non-hostile Intentional--- Insider, outsider---hostile or non-hostile (curious) Foreign agents, industrial espionage, terrorists, organized crime, hackers and crackers, insiders, political dissidents, vendors and suppliers

Slide 9 -

Top ten Database Security Threats www.schell.com/Top_Ten_Database_Threats.pdf‎ 1. Excessive Privilege Abuse---users are granted database access privileges that exceed the requirements of their job function; e.g., a university administrator whose job requires only the ability to change student contact information may take advantage of excessive database update privileges to change grades 2. Legitimate Privilege Abuse ---- Users may abuse legitimate database privileges for unauthorized purposes; e.g. a rogue health worker who is willing to trade patient records for money 3. Privilege Elevation---Attackers may take advantage of database platform software vulnerabilities to convert access privileges from those of an ordinary user to those of an administrator. Vulnerabilities may be found in stored procedures, built-in functions, protocol implementations, and even SQL statements 4. Database Platform Vulnerabilities--- Vulnerabilities in underlying operating systems (Windows 2000, UNIX, etc.) and additional services installed on a database server may lead to unauthorized access, data corruption, or denial of service. 5. SQL Injection--- a perpetrator typically inserts (or “injects”) unauthorized database statements into a vulnerable SQL data channel. Using SQL injection, attackers may gain unrestricted access to an entire database 6. Weak Audit Trail--- Weak database audit policy represents a serious organizational risk on many levels.---regulatory risk, deterrence, and detection and recovery 7. Denial of Service (DoS)--- access to network applications or data is denied to intended users 8. Database Communication Protocol Vulnerabilities--- e.g., Four out of seven security fixes in the two most recent IBM DB2 FixPacks address protocol vulnerabilities; similarly, 11 out of 23 database vulnerabilities fixed in the most recent Oracle quarterly patch relate to protocols 9. Weak Authentication--- allowing attackers to assume the identity of legitimate database users by stealing or otherwise obtaining login credentials 10. Backup Data Exposure--- Backup database storage media is often completely unprotected from attack. As a result, several high profile security breaches have involved theft of database backup tapes and hard disks.

Slide 10 -

Ten web threats http://www.darkreading.com/vulnerability/10-web-threats-that-could-harm-your-busi/240150315 1. Bigger, Subtler DDoS Attacks---Distributed Denial of Service Attacks 2. Old Browsers, Vulnerable Plug-Ins---e.g., browser vulnerabilities and, more frequently, the browser plug-ins that handle Oracle's Java and Adobe's Flash and Reader. 3. Good Sites Hosting Bad Content---in VOHO watering hole attack, attackers infected legitimate financial and tech industry websites in Massachusetts and Washington, D.C., commonly accessed by their intended victims 4. Mobile Apps And The Unsecured Web--- bring-your-own-device movement has led to a surge in consumer-owned devices inside corporate firewalls 5. Failing To Clean Up Bad Input---e.g., Since 2010, SQL injection has held the top spot on the Open Web Application Security Project's list of top 10 security vulnerabilities 6. The Hazards Of Digital Certificates--- a series of hacks against certificate authorities gave attackers the tools they needed to issue fraudulent SSL certificates that could disguise a malicious website as a legitimate 7. The Cross-Site Scripting Problem--- An attacker going after a banking site with a cross-site scripting vulnerability could run a script for a login box on the bank's page and steal users' credentials. 8. The Insecure 'Internet Of Things‘--- Routers and printers, videoconferencing systems, door locks and other devices are now networked via Internet protocols and even have embedded Web servers. In many cases, the software on these devices is an older version of an open source library that's difficult 9. Getting In The Front Door--- Automated Web bots scrape from Web pages information that can give a competitor better intelligence on your business. 10. New Technology, Same Problems--- People click links all day long -- people are pretty trained to think that clicking a link on the Web is safe.

Slide 11 -

Major Security Threats on Information Systems http://ubiquity.acm.org/article.cfm?id=1117695 1. Intrusion or Hacking---gaining access to a computer system without the knowledge of its owner---Tools: . Poor Implementation of Shopping Carts, Hidden fields in the html forms, Client-side validation scripts, Direct SQL attack, Session Hijacking, Buffer Overflow Forms, Port Scan 2. Viruses and Worms--- programs that make computer systems not to work properly--- Polymorphic Virus, Stealth Virus, Tunneling Virus, Virus Droppers, Cavity Virus 3. Trojan Horse--- These programs are having two components; one runs as a server and another one runs as a client; data integrity attack, steal private information on the target system, store key strokes and make it viewable for hackers, sending private local as an email attachment. 4. Spoofing---fooling other computer users to think that the source of their information is coming from a legitimate user---IP Spoofing, DNS Spoofing, ARP Spoofing 5. Sniffing---used by hackers for scanning login_ids and passwords over the wires. TCPDUmp and Snoop are better examples for sniffing tools. 6. Denial of Service---The main aim of this attack is to bring down the targeted network and make it to deny the service for legitimate users. In order to do DoS attacks, people do not need to be an expert. They can do this attack with simple ping command

Slide 12 -

Vulnerabilities “Some weakness of a system that could allow security to be allowed.” Types of vulnerabilities Physical vulnerabilities Natural vulnerabilities Hardware/software vulnerabilities Media vulnerabilities (e.g., stolen/damaged disk/tapes) Emanation vulnerabilities---due to radiation Communication vulnerabilities Human vulnerabilities

Slide 13 -

How do the vulnerabilities manifest? The different types of vulnerabilities manifest themselves via several misuses: External misuse---visual spying, misrepresenting, physical scavenging Hardware misuse---logical scavenging, eavesdropping, interference, physical attack, physical removal Masquerading---impersonation, piggybacking attack, spoofing attacks, network weaving Pest programs---Trojan horse attacks, logic bombs, malevolent worms, virus attacks Bypasses---Trapdoor attacks, authorization attacks (e.g., password cracking) Active misuse---basic active attack, incremental attack, denial of service Passive misuse---browsing, interference, aggregation, covert channels

Slide 14 -

Examples of Information Security Vulnerabilities Ref: http://simplicable.com/new/the-big-list-of-information-security-vulnerabilities Information security vulnerabilities are weaknesses that expose an organization to risk. Through employees: Social interaction, Customer interaction, Discussing work in public locations, Taking data out of the office (paper, mobile phones, laptops), Emailing documents and data, Mailing and faxing documents, Installing unauthorized software and apps, Removing or disabling security tools, Letting unauthorized persons into the office (tailgating) , Opening spam emails, Connecting personal devices to company networks, Writing down passwords and sensitive data, Losing security devices such as id cards, Lack of information security awareness, Keying data Through former employees---Former employees working for competitors, Former employees retaining company data, Former employees discussing company matters Though Technology---Social networking, File sharing, Rapid technological changes, Legacy systems, Storing data on mobile devices such as mobile phones, Internet browsers Through hardware---. Susceptibility to dust, heat and humidity, Hardware design flaws, Out of date hardware, Misconfiguration of hardware

Slide 15 -

Examples of Information Security Vulnerabilities (Cont.) Through software---Insufficient testing, Lack of audit trail, Software bugs and design faults, Unchecked user input, Software that fails to consider human factors, Software complexity (bloatware), Software as a service (relinquishing control of data), Software vendors that go out of business or change ownership Through Network---Unprotected network communications, Open physical connections, IPs and ports, Insecure network architecture, Unused user ids, Excessive privileges, Unnecessary jobs and scripts executing , Wifi networks Through IT Management---Insufficient IT capacity , Missed security patches, Insufficient incident and problem management, Configuration errors and missed security notices , System operation errors, Lack of regular audits, Improper waste disposal, Insufficient change management, Business process flaws, Inadequate business rules, Inadequate business controls, Processes that fail to consider human factors, Overconfidence in security audits, Lack of risk analysis, Rapid business change, Inadequate continuity planning Lax recruiting processes Partners and suppliers---Disruption of telecom services, Disruption of utility services such as electric, gas, water, Hardware failure, Software failure, Lost mail and courier packages, Supply disruptions, Sharing confidential data with partners and suppliers

Slide 16 -

Risk and Risk management Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization Risk management--- “Process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.” --- assessment of risk and the implementation of procedures and practices designed to control the level of risk Risk assessment--- “ assessment of threats to, impact on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence.”---identification of the risk, analysis of the risk in terms of performance, cost, and other quality factors; risk prioritization in terms of exposure and leverage

Slide 17 -

Risk management Risk management Risk assessment Risk identification--- decision driver analysis, assumption analysis, decomposition Risk analysis--- cost models, network analysis, decision analysis, quality factor analysis Risk prioritization--- risk leverage, component risk reduction Risk control Risk management planning--- Risk avoidance, transfer, reduction, element planning, plan integration Risk resolution--- Simulations, benchmarks, analysis, staffing Risk monitoring--- Top 10 tracking, risk assessment, corrective action

Slide 18 -

Threat Matrix Capabilities of a threat versus type of vulnerabilities Similar to risk assessment or risk analysis matrix Goel and Chen use examples to illustrate a vulnerability matrix and a threat matrix (www.albany.edu/~goel/publications/goelchen2005.pdf‎) Duggan et al illustrate a threat profile matrix. (Sandia Report, SAND2007-5791)

Slide 19 -

Risk management Process of: assessing risk, taking steps to reduce it to an acceptable level, and maintaining that level of risk Five principle: I. Assess risk and determine needs Recognize the importance of protecting information resource assets Develop risk assessment procedures that link IA to business needs Hold programs and managers accountable Manage risk on a continuing basis II. Establish a central management focus Designate a central group for key activities Provide independent access to senior executives to the group Designate dedicated funding and staff Periodically, enhance staff technical skills III. Implement appropriate policies and related controls Link policies to business risks Differentiate policies and guidelines Support polices via the central IA group IV Promote awareness Educate user and others on risks and related policies Use attention-getting and user-friendly techniques V Monitor and evaluate policy and control effectiveness Monitor factor that affect risk and indicate IA effectiveness Use results to direct future efforts and hold managers accountable Be on the lookout for new monitoring tools and techniques

Slide 20 -

Federal System Risk Management Framework The National Institute of Standards and Technology has made available guidelines for applying risk management to Federal Information Systems. Refer to http://csrc.nist.gov/groups/SMA/fisma/rmf-training.html Go through the course at http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/rmf-training/index.html (Audio + slides)

Slide 21 -

Summary Threat, Vulnerability, and Risk are defined The enemies of information systems and their motives are briefly discussed Types of damage are classified Risk management is discussed Different types of threats with examples are discussed Different vulnerabilities and threats are described at depth

Slide 22 -

References Reference 1. Big List of Information Security Vulnerabilities, John Spacey, 2011 http://simplicable.com/new/the-big-list-of-information-security-vulnerabilities Reference 2. Top Ten Database Security Threats, Amichai Shulman, www.schell.com/Top_Ten_Database_Threats.pdf‎ Reference 3. 10 Web Threats that could harm your business, Robert Lemos, 2013, http://www.darkreading.com/vulnerability/10-web-threats-that-could-harm-your-busi/240150315 Reference 4. Information Security, John Peter Jesan, 2006. http://ubiquity.acm.org/article.cfm?id=1117695

Frequently Asked Questions

> About SlidesFinder?

Slidesfinder is a website that allows users to upload and share their PowerPoint presentations online. It provides a platform for individuals and businesses to share their ideas and knowledge through presentations, and for others to view and download these presentations for educational or professional purposes.
Slidesfinder offers a wide range of presentation topics and categories, including business, education, science, technology, health, and more. Users can also search for presentations using keywords, tags, or by category. The website provides tools to create professional presentations with rich media, animations, and graphics.

One of the key features of Slidesfinder is its user-friendly interface, which allows users to easily upload, view, and share presentations. Users can also embed their presentations in their websites or blogs using the website's embed code feature.
Slidesfinder also offers premium services, such as the ability to create private presentations and to download presentations in high-quality formats. However, the basic features of Slidesfinder are free to use, making it accessible to anyone who wants to share their ideas and knowledge through presentations.

> How do I register with SlidesFinder?

Go to registration page (you can see signup link on top of website page) https://www.slidesfinder.com/signup . If you have facebook/gmail account them just click on SIGN IN WITH FACEBOOK OR SIGN IN WITH GOOGLE button, by this you will be a registered member of slidesfinder without filling any form, required detail automatically will be fatch from your account. If you do not a Facebook account, then click on "Signup". Fill all required fields and you will be a registered member of slidesfinder.

> Is slidesfinder account confirmation is mandatory?

Yes it is mandetory to active your account to login.

> Do I need to signup/login on SlidesFinder before uploading a PowerPoint presentation?

Yes, you need to login with your account before uploading presentation. Your username will be displayed on your uploaded presentation. Your registered email id is needed for sending your stats of uploaded presentation.

Slidesfinder is a sharing website for PowerPoint presentations search and share. Find your interest in the form of powerpoint presentations on slidesfinder and save your valuable time . On Slidesfinder you get presentations from our huge library of professional ppt presentations. We believe in making your search INFORMATIVE and FUN. Find your best ppt presentation from a pool of PowerPoint presentations stacked under important industry categories like business & management, heath & Wellness,eduction & training etc. We provide unique informative PowerPoint presentation for marketers, presenters and educationists. These professional PowerPoint presentations are uploaded by professionals from across numerous industry segments.These ppt presentations are available for FREE download.

Not just finding your interest, but facilitate you broadcast your interest. We have created this platform for easy sharing of PowerPoint presentations, ensuring that these presentations get maximum exposure. Create your slidesfinder account and upload PowerPoint presentations for free, share on social media platforms and BUILD YOUR CROWD WITH PRESENTATION !!

The Great Buddha says, "Share your knowledge.It’s a way to achieve immortality"! So, start sharing knowledge and we are here to make that immortal !!

Re-productivity of content are not allowed. Without prior written permission from author, commercial use of any content is illegal.