
Summary

Information Security | Summary | mid-term exam [UU ]


This is a summary of all lectures and literature that you have to know for the UU mid-term exam of Information Security, including the introduction to information security, cyber risk management frameworks, CORAS risk analysis, cryptography, authentication and access control, web security, and unin...


Preview 4 of 31 pages

  • 28 May 2022
  • 31 pages
  • 2021/2022
  • Summary
semstroop
Information security
Introduction to information security
Ransomware: malware (malicious software) that threatens to publish the victim’s personal data or
block access to it, unless a ransom (amount of money) is paid.


Security is about protecting assets (things one values; can be software, hardware, data, people, or
processes). The value of an asset is determined by the owner’s perspective, and by timing (the value
of a company’s plan decreases once it is released).

• A vulnerability is a weakness that could be exploited to cause harm to an asset
• A threat is a set of circumstances that could potentially cause harm to an asset
• A control is an action/device/procedure that prevents threats from exercising vulnerabilities


Two perspectives for looking at threats: (1) What bad things can happen to assets? (2) Who or what
can cause or allow those bad things to happen?


CIA triad

Three security properties of computer systems (the C-I-A triad / security triad), followed by properties that were added later. Each is the ability of a system to (ensure that an asset can be…):

1. Availability; …used by any authorized parties
2. Integrity; …modified only by authorized parties
3. Confidentiality; …viewed only by authorized parties
4. Authentication; …confirm the identity of a sender
5. Nonrepudiation/accountability; …confirm that a sender cannot convincingly deny having sent
something
6. Auditability; …trace all actions related to a given asset


The CIA triad can be harmed by four actions:

- Interception (unauthorized party gets access to information), attack on confidentiality
- Interruption (a system is made unavailable for authorized parties), attack on availability
- Modification (changing/adding/deleting existing information), attack on integrity
- Fabrication (creating fake information to fool the system), can affect integrity



Confidentiality

- Difficulties: Who determines which parties are authorized? | To how much of certain data
can an authorized party have access? | Can an authorized party disclose data to others?
- Subject = the party (person/program/process), object = the data item, access mode = the
kind of access (read/write/execute), policy = authorization.

Integrity

- Integrity has three particular aspects:
o Authorized actions // error detection & correction // separation & protection of
resources


Availability

- Availability entails: timely responses to requests, resources are allocated fairly, services and
systems are fault tolerant, the system/service can be used as intended
- Viewing, modifying, and using are the basic modes of access that computer security seeks to
preserve.
- Access should be small and centralized to preserve confidentiality and integrity, but a single
point of control means that a hacker can destroy availability by focusing on that single point.



Types of threats

Threats can be human or nonhuman. Human threats can be non-malicious/benign (unintentional
harm) or malicious (intentional). Malicious human threats can be random (attacker wants to cause
harm to any computer or user) or directed.

The Common Vulnerabilities & Exposures list (CVE) is a dictionary of publicly known security
vulnerabilities and exposures, and allows for evaluating the coverage of security tools and services.
The Common Vulnerability Scoring System (CVSS) provides a standard measurement system that
allows accurate and consistent scoring of vulnerability impact.

Advanced persistent threats come from organized, well financed, patient attackers. Typically the
attacks are silent, allowing the attackers to exploit the victim’s access rights over a long time.


Types of attackers

Many attackers show symptoms of Asperger syndrome (poor social skills, restlessness, exceptional
memory, can focus on one task only).

• Originally, attackers were individuals acting with motives of fun, challenge, or revenge
• More recent attacks involve groups of people, often driven by financial gain

The novice attacker can use a crude attack, whereas the professional attacker wants a neat, robust,
and undetectable method that can deliver rewards for a long time.

• Terrorists use computers as:
o Target of attack (e.g. for attention) | method of attack | enabler of an attack (e.g. get
locations of people) | enhancer of attack (e.g. spread propaganda to trigger radicals)

Harm

Risk management means choosing which threats to control and what resources to devote to
protection. The risk that remains uncovered by controls = residual risk.

Spending for security is based on the impact and likelihood of potential harm, both of which are
nearly impossible to measure precisely.

A malicious attacker must have each of these 3 things to ensure success: method (how → skills,
knowledge), opportunity (when → time and access), and motive (why).

Script kiddie describes someone who downloads a complete attack code package and only needs to
enter a few details to identify the target and let the script perform the attack.

Attack surface = a system’s full set of vulnerabilities, actual and potential.


Controls

Controls/countermeasures can deal with harm in several ways:

• Prevent it, by blocking the attack or closing the vulnerability
• Deter it, by making the attack harder to do
• Deflect it, by making the target less attractive or making another target more attractive
• Mitigate it, by making its impact less severe
• Detect it
• Recover from it

There are 3 types of controls:

1- Physical controls (locks, guards, fire extinguishers)
2- Procedural/administrative controls (laws, regulations, policies, guidelines, copyrights,
patents, contracts, agreements)
3- Technical controls (passwords, encryption, network protocols, program controls)




Vulnerability-threat control paradigm:

Cyber-risk management frameworks

Lecture
By using cyber security frameworks, you go from ‘reactive measures to security incidents’ to ‘comprehensive and
proactive cyber risk management’ and ‘incorporate cyber security at the early stages of the SDLC’.
The framework below is the ISO 31000 Risk Management Process.

• Establish the context: what/who/how/where/why
• Risk assessment: risk analysis can be qualitative as well as quantitative
• Risk treatment: select cost-effective countermeasures
• Risk monitoring and review:
→ Security Operations Centre (SOC): monitoring users and applications, threat intelligence,
continuous vulnerability scanning, security reporting
→ Network Operations Centre (NOC): firewalls and antivirus, Intrusion Detection System (IDS),
server monitoring
→ Computer Security Incident Response Team (CSIRT): incident handling and response, analysis of
security incidents

*Regularly update the risk assessment*
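The risk assessment and risk treatment steps above, worked through as an added example (not code from the summary or the lectures): each threat's annual risk is likelihood × impact, the three kinds of controls are ranked by risk removed per euro spent, and whatever the budget leaves untreated is the residual risk. Every threat, control, cost and reduction factor here is a constructed value.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset: str
    likelihood: float  # expected occurrences per year (constructed value)
    impact: float      # loss per occurrence in euros (constructed value)

@dataclass
class Control:
    name: str
    kind: str                 # physical / procedural / technical
    cost: float               # annual cost in euros
    mitigates: str            # threat it acts on
    likelihood_factor: float  # fraction of likelihood left (prevent/deter)
    impact_factor: float      # fraction of impact left (mitigate)

def annual_risk(t: Threat, lf: float = 1.0, imf: float = 1.0) -> float:
    """Risk = likelihood x impact, scaled by the factors of applied controls."""
    return t.likelihood * lf * t.impact * imf

def cost_effectiveness(threats, c: Control) -> float:
    """Annual risk removed per euro spent; below 1 the control costs more than it saves."""
    t = next(t for t in threats if t.name == c.mitigates)
    removed = annual_risk(t) - annual_risk(t, c.likelihood_factor, c.impact_factor)
    return removed / c.cost

def treat_risk(threats, controls, budget):
    """Greedy treatment: buy controls in cost-effectiveness order while they fit
    the budget; return the chosen names and the residual risk left uncovered."""
    factors = {t.name: [1.0, 1.0] for t in threats}  # [likelihood, impact] per threat
    chosen, spent = [], 0.0
    for c in sorted(controls, key=lambda c: cost_effectiveness(threats, c), reverse=True):
        if spent + c.cost <= budget:
            chosen.append(c.name)
            spent += c.cost
            factors[c.mitigates][0] *= c.likelihood_factor
            factors[c.mitigates][1] *= c.impact_factor
    residual = sum(annual_risk(t, *factors[t.name]) for t in threats)
    return chosen, residual

# Constructed sample register: two threats, three candidate controls.
THREATS = [Threat("ransomware", "customer database", likelihood=0.2, impact=500_000),
           Threat("ddos", "web shop", likelihood=2.0, impact=20_000)]
CONTROLS = [Control("offline backups", "technical", 15_000, "ransomware", 1.0, 0.1),
            Control("awareness training", "procedural", 8_000, "ransomware", 0.5, 1.0),
            Control("ddos scrubbing", "technical", 30_000, "ddos", 0.2, 1.0)]
```

With a budget of 25 000 the two ransomware controls are bought and the DDoS risk stays as residual risk; rerunning with a larger budget shows how the residual shrinks as the budget grows.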


Risk communication:

Communicate risks to:

• Security analysis team (during risk assessment) | management (CEO, staff) and investors |
auditors (accountants) | regulators | people who implement the selected security controls
(software developers, system administrators, security management)



Templates for risk communication (table in the original; only the row labels survive): NIST 800-30 | SREP
