What does secure mean?
You have been assigned a task of finding a cloud provider who can provide a secure environment for the launch of a new web application.
What does secure imply?
What is a vulnerability?
What is a threat?
What is a control?
Vulnerabilities, Threats & Controls
A vulnerability is a weakness in a system
◦ Allows a threat to cause harm.
A threat is a potential negative harmful occurrence
◦ Earthquake, worm, virus, hackers.
A control/safeguard is a protective measure
◦ Reduce risk to protect an asset.
Figure 1-1 Threats, Controls, and Vulnerabilities.
Goals of Security
What are the 3 goals of security?
CIA Triad
[Figure: CIA triad: Confidentiality, Integrity, Availability; Information Security]
Note: From “Information Security Illuminated”(p.3), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.
Information kept must be available only to authorized individuals
Unauthorized changes must be prevented
Authorized users must have access to their information for legitimate purposes
Threats
04/20/23
[Figure: CIA triad (Confidentiality, Integrity, Availability; Information Security) with the threats Disclosure, Alteration, Denial]
Note: From “Information Security Illuminated”(p.5), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.
Figure 1-3 Relationship Between Confidentiality, Integrity, and Availability.
[Figure labels: Confidentiality, Integrity, Availability, Secure]
Threats
What types of threats were discussed by the book?
◦ Hint: defined by their impact.
Threats
Interception: gained access to an asset. Wireless network, hacked system, etc. Impacts confidentiality.
Interruption
◦ Unavailability, reduced availability.
Modification
◦ Tamper with data, impacts integrity.
Fabrication
◦ Spurious transactions, impacts integrity.
Figure 1-2 System Security Threats.
Figure 1-4 Vulnerabilities of Computing Systems.
Figure 1-5 Security of Data.
Attacker Needs
What 3 things must an attacker have?
An Attacker Must Have:
Method: skills, knowledge, tools.
◦ Capability to conduct an attack
Opportunity: time and access to accomplish attack
Motive: a reason to want to attack
Software Vulnerabilities
Define some different types.
◦ There are many to choose from….
Software Vulnerabilities
Logic Bomb: employee modification.
Trojan Horse: Overtly does one thing and another covertly.
Virus: malware which requires a carrier
Trapdoor: secret entry points.
Information Leak: makes information accessible to unauthorized people.
Worm: malware that self-propagates.
Criminals
Define different types of computer criminals and their motive or motives?
Computer Criminals
Script Kiddies: Amateurs
Crackers/Malicious Hackers: Black Hats
Career Criminals: botnets, bank thefts.
Terrorists: local and remote.
Hacktivists: politically motivated
Insiders: employees
Phishers/Spear Phishers
Motives
Financial gain: make money.
Competitive advantage: steal information.
Curiosity: test skills.
Political: achieve a political goal.
Cause Harm/damage: reputation or financial
Vendetta/Disgruntled: fired employees.
Risk
What are the different ways a company can deal with risk?
How to deal with Risk
Accept it: cheaper to leave it unprotected.
Mitigate it: lowering the risk to an acceptable level (e.g. laptop encryption).
Transfer it: insurance model.
Avoid it: sometimes it is better not to do something that creates a great risk.
Book lists alternatives.
Controls
Encryption: confidentiality, integrity
◦ VPN, SSH, Hashes, data at rest, laptops.
Software: operating system, development.
Hardware: Firewall, locks, IDS, 2-factor.
Policies and Procedures: password changes
Physical: gates, guards, site planning.
Types of Controls
Preventive: prevent actions.
Detective: notice & alert.
Corrective: correcting a damaged system.
Recovery: restore functionality after incident.
Deterrent: deter users from performing actions.
Compensating: compensate for weakness in another control.
Figure 1-6 Multiple Controls.
Principles
Easiest Penetration: attackers use any means available to attack.
Adequate Protection: protect computers/data until they lose their value.
Effectiveness: controls must be used properly to be effective. Efficiency key.
Weakest Link: only as strong as weakest link.