Security Basics mailing list archives

Re: How to create security awareness in top management


From: David Jacoby <security () outpost24 com>
Date: Sat, 07 Oct 2006 02:41:44 +0200

Hi!

I do agree with what William Woodhams wrote. It is a good idea to show them
real attacks, but you also need to change focus in your presentation and not
talk about technical information, how overflows work and how easy it is to
exploit a SQL injection. What you really need to focus on is to inform your
management on how these vulnerabilities affect your organization. If someone
successfully exploits any present vulnerability, how does that affect your
organization?

May the attacker steal sensitive information?
May the attacker obtain administrative/root privileges? (and how does that affect you)
May the attacker inject its own code to your web applications?
May the attacker modify content?
May the attacker invade your integrity?
May the attacker affect your availability?

What you should read more about is the C.I.A. (Confidentiality, Integrity,
Availability). There are tons of websites and books discussing this; this is
how you can easily measure the impact of vulnerabilities.

I hope this makes sense.

Best regards,
David Jacoby





itsec.info wrote:
Hi all

I have got a job to make top management aware that their company must
take care about information security (presentation and discussions).

I will not go into too much technical details and I would like to start
with some good stories which show in an easy and understandable way
that information security is needed.

Does anybody have some information where I can take out some good ideas to
start with?

--
Any help is very much appreciated.
Regards,
Mike

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



--
David Jacoby
Vice President Customer Experience
http://www.outpost24.com

phone: +46-(0)455-612311
fax  : +46-(0)455-13960
email: dj () outpost24 com



This communication contains information which is confidential
and may also be privileged. It is for the exclusive use of the
intended recipient(s). If you are not the intended recipient(s)
please note that any form of distribution, copying or use of this
communication or the information in it is strictly prohibited
and may be unlawful. If you have received this communication in
error please return it to the end.

