Effiong Ndarake Effiong, - PowerPoint PPT Presentation


Information Security and IT Convergence. Effiong Ndarake Effiong, Chartered IT Professional, Chartered Engineer. MBCS, CITP, MCSE, CCNA, ITIL, MIAM, NCLA, MCTS, CEH, CHFI, DCTS ...

Slides: 54
Provided by: itedgeconv
Information Security and IT Convergence
  • Effiong Ndarake Effiong,
  • Chartered IT Professional, Chartered Engineer.
    CTS, CEng, Security

Easy Life.
  • Internet Banking
  • Mobile Money.
  • Business Processes Outsourcing
  • Cashless Practice.
  • E-commerce and the likes.
  • Congratulations!!!
  • The World is in your palm, but are we safe?

Come let us reason Together.
  • The top security concerns every institution
    should consider before launching a mobile banking
    platform are
  • How the online and mobile banking channels can
    work together to offer opportunities for growth
    and adoption in the realm of secure peer-to-peer
  • Why and how the mobile channel should be
    leveraged in a secure way to reach
    non-traditional members and customers.
  • The best security is to cease to exist or never
    use these technologies.
  • We can't stop business, so we must protect
    ourselves and conduct our business in a secure way;
    that is why we are here.

Getting Started
  • A password requirement (a four-digit PIN) to
    unlock every mobile device is one of many methods
    that prevent an unauthorized user from accessing
    a phone once it is in their physical possession.
    This PIN should not be left at the factory
  • Mobile devices are to be kept handy at all times.
  • Downplay your mobile device: there is no need to
    advertise to thieves that you have a mobile
    device. Use of portable devices in public areas
    should be avoided as much as possible.
  • Back up all files - If a portable device is stolen,
    it's bad enough that someone else may be able to
    access all information. To avoid losing all of
    the information, make backups of important
    information and store the backups in a separate
    location. Not only for accessibility of the
    stolen information, but also for identification
    and reporting of exactly what information is at

  • Do you value the contents of your smartphone?
    Imagine what could be at stake if it were lost,
    stolen, or infected by mobile malware: all your
    contacts, messages, emails, photos. It's
  • Mobile Security is a complete security solution
    for your smartphone. It helps protect the contents
    of your phone, enables safe mobile web browsing,
    and can assist you if your phone is lost or stolen.

Mobile Security Pertaining to Bluetooth
  • Bluejacking: Bluejacking is a user-based
    threat that occurs when users with malicious
    intent send text messages anonymously to
    Bluetooth enabled devices that are set to use
    discoverable mode and are physically located
    within 10m of the attacking devices. Users with
    malicious intent can target individuals or they
    can broadcast anonymous messages to all
    discoverable devices in the area. Bluetooth
    enabled phones, personal device assistants, and
    laptops can search for other devices within a
    short range, so users with malicious intent who
    are located in crowded public areas can send
    anonymous messages easily and without detection.

Bluesnarfing and Blue bugging
  • Bluesnarfing is a device-based threat that occurs
    when device manufacturers implement the
    specification for Bluetooth technology
    incorrectly, allowing users with malicious intent
    to use Bluetooth technology to connect to devices
    without notifying the authorized users, and
    access device information without the knowledge
    or consent of the authorized users.
  • Blue bugging is a device-based threat that occurs
    when device manufacturers implement security
    mechanisms for Bluetooth technology improperly.
    Blue bugging also occurs when users with
    malicious intent use Bluetooth technology to
    access phone commands on devices without
    notifying or alerting the authorized users. This
    vulnerability enables the users with malicious
    intent to make calls, send and read text
    messages, access and add contacts to contact
    lists, eavesdrop on phone conversations, and
    connect to the Internet, all without detection or

Best protection practices for Bluetooth security
  • Leave the Discoverable option on the BlackBerry
    device set to No.
  • If the Discoverable option on the BlackBerry
    device is set to Yes, deny requests to pair with
    unknown Bluetooth enabled devices.
  • When pairing a BlackBerry device with another
    Bluetooth enabled device, set the Discoverable
    option to 2 Minutes. The BlackBerry device is
    discoverable for two minutes, as long as it
    should take to complete the pairing.
  • Complete device pairings in private, uncrowded
    areas only.
  • Choose to encrypt Bluetooth data traffic both to
    and from the BlackBerry device. The BlackBerry
    Enterprise Solution uses the Bluetooth passkey to
    generate encryption keys. BlackBerry devices use
    Bluetooth Security Mode 3 and the highest
    encryption key length that is available on the
    paired device (minimum 8 bits, maximum 128
  • Protect the assigned name of a BlackBerry device.
    If a user with malicious intent knows the name of
    the BlackBerry device, the device is vulnerable
    to an attack, even when it is not discoverable.

Additional tips.
  • Exercise extreme caution when opening e-mail or
    instant messaging clients (AIM, ICQ, Skype, etc.)
  • Scan attachments with anti-virus software, even
    if they are from a trusted source.
  • Forbid opening attachments from unknown or
    untrusted senders.
  • Never tick the "keep me signed in" or "remember my
    password" checkbox.
  • Never respond to any mail requesting your
    card PIN.
  • Avoid unnecessary surveys that collect personal
  • Ensure your consultants and partners sign a
    detailed NDA.
  • There is no such thing as total security or
    online privacy; try to maintain maximum

The Need for security analysis
  • What are we Concerned About?
  • So What are we Trying to Protect?
  • Why are Intrusions so Often Successful?
  • Threat Agents
  • Information Security Awareness
  • Security Policies

What is Information Security?
  • Information security means protecting information
    and information systems from unauthorized access,
    use, disclosure, disruption, modification,
    perusal, inspection, recording or destruction.

Coverage?
  • However, information security does not cover only
    the information itself but also the entire
    infrastructure that facilitates its use.
  • It covers hardware, software, threats, physical
    security and human factors, where each of these
    components has its own characteristics.

Why?
  • Information security plays a major role in the
    internet age of technology. Given that the number
    of organization security breaches is increasing
    daily, and the more accessible the information,
    the greater the hazards, it is inevitable that
    security will need to be tightened.

More?
  • As the number of employees, applications and
    systems increases, the management of the
    organization's information becomes much more
    difficult and consequently vulnerabilities
    potentially increase.
  • To determine secure use of hardware and software
    as well as facilitating and encouraging secure
    employee behaviour, organizations make use of
    information security policies.

The Trend
Data compromise investigations also raise an issue
of great concern

Balancing Information Security and Access.
  • Information security should balance protection
    and availability. It is possible to allow a
    system to have unrestricted access, so that it is
    available to everyone, anywhere, anytime through
    any means.
  • However, this kind of access poses a danger to
    the integrity of the information. On the other
    hand, complete information security of an
    information system would not allow anyone

Security, Functionality and Ease of Use
  • The level of security in any system can be defined by
    the strength of any of these three components.

What are we Concerned About?
Fraud / Forgery
Unauthorized Information Access
Interception or Modification of Data
So What are we Protecting?
  • Our Assets
  • Our Network Infrastructure.
  • Availability of our Network.
  • Confidential Personal Data.
  • Our Corporate Image
  • Our reputation

Where are the data?
  • Information security protects data and
    information in three dimensions.
  • Information stored physically (Documents, etc)
  • Information stored electronically (Computers,
    etc) or in transit (network)
  • Information stored in human brain (staff and

Why are Intrusions so Often Successful?
  • Poor detection, response, and escalation
  • No formal policies or non-existent procedures for
    proactive auditing, and/or event management
  • Limited use of authentication and/or
    authorization systems
  • Ignorance of logical and/or organizational
    boundaries within a network infrastructure

Any Threat?
  • Threats or dangers facing an organization's
    people, information, and systems fall into the
    following twelve general categories.
  • Act of Human error or failure: Act performed
    without intent or malicious purpose by an
    authorized user (these are the reasons why
  • constitute one of the
  • greatest threats to the
  • information security.

This is the file where is my balance?
  • Compromise to intellectual property: Use of
    another person's intellectual property without
    proper payment or attribution to the source.
  • Deliberate Act of Espionage or Trespass: Act
    involving an unauthorized individual gaining
    access to the information the organization
    is trying to protect.

Send Me ..., else I'll publish them on the net
  • Deliberate Act of Information Extortion: Act
    involving an attacker or trusted insider stealing
    information from a computer system and demanding
    compensation for its return or for an agreement
    not to disclose the information.
  • Deliberate Act of Sabotage or Vandalism: Assault
    on the electronic face of an organization - that
    is, your website.

Physical security challenge
  • Deliberate Act of Theft: The illegal taking of
    another's property.

Earthquake, flood, etc.
  • Deliberate Software Attacks: Attacks that occur
    when an individual or group designs and launches
    software, such as viruses and worms, to
    deliberately attack systems.
  • Forces of Nature: Events resulting from forces of
    nature, or acts of God, posing some of the most
    dangerous threats as they are often unexpected and
    can occur with very little or even no warning.

  • Deviation from Quality of service - Situations in
    which a product or service is not delivered to
    the organization as expected.
  • Technical Hardware Failures or Errors: Failures
    or errors that occur when a manufacturer
    distributes equipment containing a known or
    unknown flaw.

  • Technical Software Failures or Errors: Failures
    or errors resulting from software with unknown,
    hidden faults.
  • Technological Obsolescence: State of an
    organization having infrastructure that is
    antiquated or outdated and can, therefore, lead
    to unreliable and untrustworthy systems.

Attack, Threat, Vulnerability. How are they
  • Attack uses Threat Agent to exploit
  • An attack is a deliberate act that takes
    advantage of a vulnerability to compromise a
    controlled system.
  • A threat agent damages or steals an
    organization's information or physical asset.
  • A vulnerability is an identified weakness in a
    controlled system, where controls are not
    present or are no longer effective.

How does it work
  • Major types of attacks are
  • Malicious code: Attacks that include the
    execution of viruses, worms, Trojan horses and
    active web scripts with the intent to destroy or
    steal information.

  • Back door: Attack in which an attacker gains
    access to a system or network resources through an
    access path that bypasses usual security

Password Cracking
  • Cracking: Attacks involving an attempt to
    reverse-calculate a password; may use a brute force
    approach or a dictionary attack.

Since I can't get it, you too wouldn't
  • Denial-of-service (DoS): Attacks in which the
    attacker sends such a large number of connection
    or information requests to a target that the
    target system cannot handle them. Distributed
    denial-of-service (DDoS) attacks involve the
    launch of coordinated streams of requests
    against a target from many locations at the same

DDOS Zombies
I am the person you have been looking for
  • Spoofing: Attack in which an intruder sends
    messages to a computer with an IP address that
    indicates that the message is coming from a
    trusted host.


See me before you go!
  • Man-in-the-middle (MITM) or TCP Hijacking:
    Attacks in which an attacker sniffs packets from
    the network, modifies them and inserts them back
    into the network.

Time is Money
  • Spam: Attacks involving sending unsolicited
    commercial e-mail.
  • Mail bomb: Attack in which an attacker routes
    a large quantity of e-mail to a target.

What are you carrying?
  • Sniffers: Programs or devices that can monitor
    data travelling over a network.

Hello, I am from, I
  • Social engineering - Attacks in which an
    attacker uses social skills to convince people to
    reveal access credentials or confidential

It's too much for me
  • Buffer Overflow: Attacks involving an
    application error through which the attacker can
    gain control over the target system, or take
    advantage of some other unintended consequence
    of the failure.

It's time to hack
  • Timing attack: Attacks that work by exploring
    the content of a web browser's cache.

Does it really matter?
  • Information security performs four important
    functions for an organization.
  • Protects the organization's ability to function.
  • Enables the safe operation of the applications
    implemented in the organization's IT system

Much more than important
  • Protects the data the organization collects and
  • Safeguards the technology assets in use in the

How do we decide?
  • To make sound decisions about information
    security, management must be informed about the
    threats facing the organization, its people,
    applications, data, and information systems.

Where do we start from?
  • Defense in depth.

Training and retraining
  • User training.
  • Educate your users as a way to combat information
    security breaches.
  • Structural training
  • Includes all employees and management
  • E-mail monthly security updates

Security policies
  • Information security policy
  • Acceptable use policy.
  • Audit policy.
  • Non-disclosure agreement.
  • Data retention Policy.
  • Backup Policy
  • Business Continuity and Disaster recovery policy.
  • etc

Continuous Assessments.
  • Vulnerability Assessment.
  • Security auditing
  • Ethical hacking / penetration Testing
  • Digital forensics Audit

  • Update virus signature database automatically
  • SpyBot and Ad-Aware Help protect against spyware
    and adware
  • Windows Defender is excellent too
  • Firewalls
  • Hardware (enterprise solution)
  • Software (personal solution) Can be combined
  • Intrusion Prevention System (IPS)
  • Intrusion Detection System (IDS)
  • Monitors your network 24/7

The bad news
  • It is bad that you have been hacked, but worse that
    you don't even know that you have been hacked.

  • Hack your network and fix the vulnerability
    before the bad guys do.
  • To catch a criminal you must think like one, not
    necessarily becoming one.

  • Contact
  • Effiong Ndarake Effiong
  • IT Manager,
  • MicroCred Microfinance Bank Nigeria Ltd
  • Kaduna, Nigeria
  • 2348067856536, 2347087889898, 2348174120636
  • efficacy.group_at_yahoo.com, eeffiong_at_microcred.org
  • Thank you