security basics

security

protecting systems, data, services against adversaries — whether deliberate (malicious hackars, insider threats) or accidental (human error, software bugs, hardware failure). Any security claim → relative to a threat model

CIA triad

foundational framework for characterising security. Decomposes security in 3 independent properties (each has a prevent side and a permit side)

roles of CIA triad properties

specifying what security means for a concrete scenario, diagnosing what went wrong after a breach

confidentiality

preserving authorised restrictions on info access and disclosure, including means for protecting personal privacy and proprietary information.

Confidentiality failures

unauthorised access may be intentional (intruder breaking into a network), and unintentional (careless employee mailing the wrong attachment). Both are confidentiality failures.

confidentiality failures impacts

Privacy: personal health, financial, location data exposed

Economy: stolen credentials enable fraud, identity theft, financial transactions on behalf of victims

integrity

guarding against improper information modification or destruction, and includes ensuring non-repudiation and authenticity

integrity levels covered

Data integrity: data has not been altered in an unautharised manner, System integrity: the system performs its intended function, free from unauthorized manipulation

integrity related sub-property authenticity

Authenticity: the property of being genuine and verifiable — confidene in the validity of a message or its generator (Is thismessage really from who it claims?)

integrity related sub-property auditability

(non-repudiation) protection against an individual falsely denying having performed a particular action, such as sending a message or approving a transaction. (can we prove who did that?)

integrity attack example

FCC’s net neutrality got 2 million identical comments under the names of real (some deceased) peoplegenerated by bots. Violated integrity, polluted democratic process, undermined the trustworthiness of online public resources

availability

ensuring timely and reliable access to and use of information

availability violations

both psysical and cyber: Infrastructure failures (network/hardware outages, power cuts), infrastructure overload (traffic spikes), cyber attacks: DDoS and ransomware

availability failure impact

Economic: — revenue loss for companies during downtime and Rights-based — (censorship, suppresion of communication = attack on democratic freedoms)

CIA triad interdependence

properties are not independent. compromising one cascades into violations of the others. Security design must satisfy all 3 simultaneously

confidentiality breach → integrity breach

an attacker that bypasses access controls to read a confidential financial report can also modify the numbers, violating integrity. (eavesdropping → tampering)

confidentiality protection → blocks availability

attacker’s view: ransomware encrypts files (data is confidential - no access with no key). Victim’s view: total availability failure.

integrity breach → confidentiality breach

if attacker modifies a user-database record to change a password, they can then log in as that user - violating confidentiality. Controlling data grants access.

integrity breach → availability failure

corrupting a criticaldatabase can crash service or produce invalid outputs. denial of service achieved via data corruption.

availability attacks → exfiltration windows (C)

during DDoS attack (primary goal: deny service), chaos and overloaded defences may let the attacker exploit vulnerabilities to exfiltrate confidential data simultaneously

availability failure → currupts data (I)

server crash during critical data synchronisation operation can leave replicas inconsistent

domino effect phishing attack

1) user’s credentials stolen (C) 2) attacker logs in and modifies account details (I) 3) the changes cause the system to lock the legitimate user out of their own acc (A)

Robust security strategy must prevent, detect, recover from all 3 cases.

implementation of CIA triad

it is too abstract to implement directly. First it needs to be instantiated into concrete rules, then enforced by technical means.

security policy

declarative relus specifying what’s allowed and not. a formal instantiation of CIA properties for a specific use case.ex: bank tellers: may read account balances, managers: see full transactions.

security service

capability that enforces one or more security policies; easier to integrate than raw mechanisms. TLS: provides C + I for data in transit. Access Control service - enforces who can access what.

security mechanism

low level tech device or function providing ONE security service; rated y strength and assurance. Ex: AES encryption (mechanism inside TLS); hash functions; password-based auth; digital certificates

security service examples

TLS/ HTTPS; CIA goals: C, I (data in transit); mechanisms: AES, ECDH, digital certificates, MACs for Integrity.

Access control (auth + authorisation): C, I (data at rest); mechanisms: password/biometric authentification; isolation boundaries; audit logs.

authorisation vs authentication

authentication: are you who you claim to be? verifying identity of user to grant acces

authorisation: what are yo allowed to do? granting or denying access rights to a verified identity.

authentication always preceeds authorisation

risk, vulnerabilities, threats relationship

Risk = Likelyhood x Impact, likelyhood = from threats exploiting vulnerabilities, impact = measured against CIA tried from each stakeholder’s perspective.

vulnerability

weakness in a system, app, network, or procedure that can bve exploited or trigerred by threat source to violate the security policy. characterized: 1) how easy it is to identify, 2) how easy it is to exploit

vulerability types

hidden backdoors: C, I; software bugs: buffer overflow, C, I, A ; weak passwords: C, I

threat

any circumstance, event with the potential to adversely impact systems, operations, or individuals through unauthorised access, destruction, disclosure, or modification, or denial of service. Threat: deliberate or unintentional.

threat characterisation

intent (propensisty to attack) x capability (ability to successfully attack)

threat type

1) Hackers (credential theft) mechanisms: password cracking, network sniffing, social engineering (C); 2) Denial-of-service attacks: flooding service with bogus requests (A) 3) Virus: self-replicating, requires user action to activate. (I,A); 4) Worm: self replicating no user action needed, propagates over network (I, A)

attack

realisation of sepcific threat - the actual attempt to collect, disrupt, deny, degrade or destroy information system resources. exploints vunerabilty; risk materialises as impact.

attribution problem

cyber attacks are difficult to attribute to their true source. Attackers use anonimity layers and infrastructure in multiple countries. This is a systemic weakness in current cyber governance - not just technical problem

Risk = Likelyhood x Impact

likelyhood(how probable the attack is) x impact (ow much damage it causes from each stakeholder’s perspective). This is done through Risk Matrix - axes are likelyhood(1-5) and impact severity (1-5). A risk score of 25 (5×5) highest priority; 1×1 lowest priority

threat model

structured representation of all security-relevant information about an application or system. answers 4 questions : what are we working on? What can go wrong? What are we going to do ab it? Did we do a good job?

impact is stakeholder-relativ

same breach can have different impacts on different stakeholders.

risk management process

identifying, assessing, treating risks to CIA - not eliminating all risk but reaching acceptable risk level.

risk management steps

Identification: enumerate assets(what do we protect?), vulnerabilities (what weaknesses exist), threats (who/what could exploit them?) and existing controls, 2) Assesment: each threat - likelyhood, impact. compute vulnerability pair, risk score, prioritise. 3) treatment: select appropiate controls to reduce risk to an acceptable level. controls may be preven

security and human behavior

human behavior - largest attack surface. If security controls are too complex,users bypass them, weakening overall posture more than the vulnerability they were meant to fix.