What does secure mean?
You have been assigned the task of finding a cloud provider who can provide a secure environment for the launch of a new web application.
What does secure imply?
What is a vulnerability?
What is a threat?
What is a control?
Vulnerabilities, Threats & Controls
A vulnerability is a weakness in a system
◦Allows a threat to cause harm.
A threat is a potential negative harmful occurrence
◦Earthquake, worm, virus, hackers.
A control/safeguard is a protective measure
◦Reduce risk to protect an asset.
Figure 1-1 Threats, Controls, and Vulnerabilities.
Goals of Security
What are the 3 goals of security?
CIA Triad
[Figure: Confidentiality, Integrity, and Availability as the three sides of Information Security]
Note: From “Information Security Illuminated” (p. 3), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.
Information kept must be available only to authorized individuals
Unauthorized changes must be prevented
Authorized users must have access to their information for legitimate purposes
Threats
04/21/23
[Figure: Confidentiality, Integrity, and Availability as the three sides of Information Security, with the threats Disclosure, Alteration, and Denial]
Note: From “Information Security Illuminated” (p. 5), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.
Live Chat 4
Goals of Security
What are the 3 goals of security?
Figure 1-3 Relationship Between Confidentiality, Integrity, and Availability.
[Figure labels: Confidentiality, Integrity, Availability, Secure]
CIA Triad
Threats
What types of threats were discussed by the book?
◦Hint: defined by their impact.
Threats
Interception
◦Gained access to an asset. Wireless network, hacked system, etc. Impacts confidentiality.
Interruption
◦Unavailability, reduced availability.
Modification
◦Tamper with data, impacts integrity.
Fabrication
◦Spurious transactions, impacts integrity.
Figure 1-2 System Security Threats.
Figure 1-4 Vulnerabilities of Computing Systems.
Figure 1-5 Security of Data.
Attacker Needs
What 3 things must an attacker have?
An Attacker Must Have:
Method: skills, knowledge, tools.
◦Capability to conduct an attack
Opportunity: time and access to accomplish attack
Motive: a reason to want to attack
Software Vulnerabilities
Define some different types.
◦There are many to choose from….
Software Vulnerabilities
Logic Bomb: employee modification.
Trojan Horse: overtly does one thing and another covertly.
Virus: malware which requires a carrier.
Trapdoor: secret entry points.
Information Leak: makes information accessible to unauthorized people.
Worm: malware that self-propagates.
Criminals
Define different types of computer criminals and their motive or motives.
Computer Criminals
Script Kiddies: amateurs.
Crackers/Malicious Hackers: Black Hats.
Career Criminals: botnets, bank thefts.
Terrorists: local and remote.
Hacktivists: politically motivated.
Insiders: employees.
Phishers/Spear Phishers
Motives
Financial gain: make money.
Competitive advantage: steal information.
Curiosity: test skills.
Political: achieve a political goal.
Cause harm/damage: reputation or financial.
Vendetta/Disgruntled: fired employees.
Risk
What are the different ways a company can deal with risk?
How to deal with Risk
Accept it: cheaper to leave it unprotected.
Mitigate it: lowering the risk to an acceptable level (e.g. laptop encryption).
Transfer it: insurance model.
Avoid it: sometimes it is better not to do something that creates a great risk.
Book lists alternatives.
Controls
Encryption: confidentiality, integrity
◦VPN, SSH, hashes, data at rest, laptops.
Software: operating system, development.
Hardware: firewall, locks, IDS, 2-factor.
Policies and Procedures: password changes.
Physical: gates, guards, site planning.
Types of Controls
Preventive: prevent actions.
Detective: notice & alert.
Corrective: correcting a damaged system.
Recovery: restore functionality after incident.
Deterrent: deter users from performing actions.
Compensating: compensate for weakness in another control.
Figure 1-6 Multiple Controls.
Principles
Easiest Penetration: attackers use any means available to attack.
Adequate Protection: protect computers/data until they lose their value.
Effectiveness: controls must be used properly to be effective. Efficiency key.
Weakest Link: only as strong as weakest link.