Transcript
Page 1: What does secure mean?

What does secure mean?

You have been assigned a task of finding a cloud provider who can provide a secure environment for the launch of a new web application.

What does secure imply?

Page 2: What does secure mean?

Vulnerabilities, Threats & Controls

What is a vulnerability?

What is a threat?

What is a control?

Page 3: What does secure mean?

Vulnerabilities, Threats & Controls

A vulnerability is a weakness in a system
◦ Allows a threat to cause harm.

A threat is a potential negative harmful occurrence
◦ Earthquake, worm, virus, hackers.

A control/safeguard is a protective measure
◦ Reduce risk to protect an asset.

Page 4: What does secure mean?

Vulnerabilities, Threats & Controls

Vulnerability = a weakness in a system
◦ Allows a threat to cause harm

Threat = a potential negative harmful occurrence
◦ Earthquake, worm, virus, hackers.

Control/Safeguard = a protective measure
◦ Reduce risk to protect an asset.

Page 5: What does secure mean?

Figure 1-1  Threats, Controls, and Vulnerabilities.

Page 6: What does secure mean?

Goals of Security

What are the 3 goals of security?

Page 7: What does secure mean?

CIA Triad

[Figure: CIA triad diagram labelled Confidentiality, Integrity, Availability and Information Security.]

Note: From “Information Security Illuminated” (p. 3), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.

Information kept must be available only to authorized individuals

Unauthorized changes must be prevented

Authorized users must have access to their information for legitimate purposes

Page 8: What does secure mean?

Threats

04/20/23

[Figure: CIA triad diagram labelled Confidentiality, Integrity, Availability and Information Security, with the threat labels Disclosure, Alteration, Denial.]

Note: From “Information Security Illuminated” (p. 5), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.

Live Chat 4

Page 9: What does secure mean?

Goals of Security

What are the 3 goals of security?

Page 10: What does secure mean?

Figure 1-3  Relationship Between Confidentiality, Integrity, and Availability.

[Figure labels: Confidentiality, Integrity, Availability, Secure.]

Page 11: What does secure mean?

CIA Triad

Page 12: What does secure mean?

Threats

What types of threats were discussed by the book?
◦ Hint: defined by their impact.

Page 13: What does secure mean?

Threats

Interception: gained access to an asset. Wireless network, hacked system, etc. Impacts confidentiality.

Interruption
◦ Unavailability, reduced availability.

Modification
◦ Tamper with data, impacts integrity.

Fabrication
◦ Spurious transactions, impacts integrity.

Page 14: What does secure mean?

Figure 1-2  System Security Threats.

Page 15: What does secure mean?

Figure 1-4   Vulnerabilities of Computing Systems.

Page 16: What does secure mean?

Figure 1-5  Security of Data.

Page 17: What does secure mean?

Attacker Needs

What 3 things must an attacker have?

Page 18: What does secure mean?

An Attacker Must Have:

Method: skills, knowledge, tools.
◦ Capability to conduct an attack

Opportunity: time and access to accomplish attack

Motive: a reason to want to attack

Page 19: What does secure mean?

Software Vulnerabilities

Define some different types.
◦ There are many to choose from….

Page 20: What does secure mean?

Software Vulnerabilities

Logic Bomb: employee modification.

Trojan Horse: Overtly does one thing and another covertly.

Virus: malware which requires a carrier

Trapdoor: secret entry points.

Information Leak: makes information accessible to unauthorized people.

Worm: malware that self-propagates.

Page 21: What does secure mean?

Criminals

Define different types of computer criminals and their motive or motives?

Page 22: What does secure mean?

Computer Criminals

Script Kiddies: Amateurs

Crackers/Malicious Hackers: Black Hats

Career Criminals: botnets, bank thefts.

Terrorists: local and remote.

Hacktivists: politically motivated

Insiders: employees

Phishers/Spear Phishers

Page 23: What does secure mean?

Motives

Financial gain: make money.

Competitive advantage: steal information.

Curiosity: test skills.

Political: achieve a political goal.

Cause Harm/damage: reputation or financial

Vendetta/Disgruntled: fired employees.

Page 24: What does secure mean?

Risk

What are the different ways a company can deal with risk?

Page 25: What does secure mean?

How to deal with Risk

Accept it: cheaper to leave it unprotected.

Mitigate it: lowering the risk to an acceptable level (e.g. laptop encryption).

Transfer it: insurance model.

Avoid it: sometimes it is better not to do something that creates a great risk.

Book lists alternatives.

Page 26: What does secure mean?

Controls

Encryption: confidentiality, integrity
◦ VPN, SSH, Hashes, data at rest, laptops.

Software: operating system, development.

Hardware: Firewall, locks, IDS, 2-factor.

Policies and Procedures: password changes

Physical: gates, guards, site planning.

Page 27: What does secure mean?

Types of Controls

Preventive: prevent actions.

Detective: notice & alert.

Corrective: correcting a damaged system.

Recovery: restore functionality after incident.

Deterrent: deter users from performing actions.

Compensating: compensate for weakness in another control.

Page 28: What does secure mean?

Figure 1-6  Multiple Controls.

Page 29: What does secure mean?

Principles

Easiest Penetration: attackers use any means available to attack.

Adequate Protection: protect computers/data until they lose their value.

Effectiveness: controls must be used properly to be effective. Efficiency key.

Weakest Link: only as strong as weakest link.

