CPS 633

CIA of security

confidentiality, integrity and availability

confidentiality (cia of security)

only authorized people can learn the information

integrity (cia of security)

only authorized people can modify the information

availabilty (cia of security)

the authorized people are able to access resources

authorization

granting access to resources only to authorized principles

indentification

checking a subject identity

authentication

verifying that a principal, data or software is genuine

accountability

the ability to identify the principals responsible for past actions

asset

valuable resource which is protected. can be information, software, hardware and computing and communication services

vulnerability

weaknesses in a system that may be able to be exploited in order to cause loss or harm

threat

a loss or harm that might befall a system. there are four major categories of threats. interception, interruption, modification, fabrication

types of threats nautral causes

natural causes (fire, earthquake, flood, power failure)

types of threats human causes

benign, human error, unintentional mistakes in code
malicious targeted or directed attacks

attacks

an action that exploits a vulnerability

controls

removing or reducing a vulnerability. can control vulnerability to prevent an attack and defend against a threat. controls are physical, procedural and technical

asset value

depends on the perception of its importance with respect to the targeted security goals.

hardware objects of value

are computer, devices, network gear

software objects of value

OS, utilities, commercial applications, individual applications

data objects of value

documents, photos, class projects

how can we defend against an attack

prevent it, deter it (make it more expensive or harder), deflect it (make it look less attractive to attacker), mitigate it ( reducing the impact of the attack), detect it (notice that the attack is occuring), recover from it( mitigate the effects of the attack),

concept of privacy

controlling the information about you

concept of anonymity

hiding your identity

linkability

the property which allows an unauthorized party to learn separate actions to a principal

types of attacker

amateurs, malicious insiders, script kiddies, crackers, organized crime, industrial espionage agents, government cyber warriors, terrorists

risk

expected loss due to future harmful events

exposure factor

percentage of loss in the asset value in case of an attack

single loss expectancy

expected cost of one attack

annual loss expectancy

the expected cost of attacks over a year

risk management

risk reduction, risk transfer, risk acceptance, risk avoidance

cryptography

using math techniques to provide confidentiality and integrity

operating system and network controls

sandboxes, virtual machines, logs, network scans

independent control programs

password checker, virus scanner, intrusion detection systems

internal program controls

read and write in DBMS

development controls

quality standards followed by the developers such as input validations and input sanitization

policies

what is and what is not allowedp

procedures

how you enforce this policy

physical controls

walls, fences, locks, human guard

method opportunity motive model (mom model)

consider the motivations of the attacker, the opportunities for the adversary and the methods they can achieve their goals. (reduce their opportunities and methods they can use to attack)

simplicity and necessity

keep it simple so that you do not overlook anything. the more complicated it is, the harder it is for you to leave no loop holes

security policy informal

precisely describes the protection properties that a system must have

formal definition of confidentiality

confidentiality implies that there is information that must not be disclosed to some set of entities(people or roles). it has to be able to be disclosed to some entity

security policy formal

statement that partitions the states of the system into a set of authorized and unauthorized states

separation of duties

forbids an entity from completing the transaction on its own

military security policy

policy primarily protecting confidentiality. focuses on privacy

commercial security policy

policy primarily protecting integrity

role based access control

based on roles that users have within the system and rules stating what accesses are allowed to users in given roles

mandatory access control

system mechanism controls access to object, and individual cannot alter that access

discretionary access control

individual user sets access control mechanism to allow or deny access to an object

originator controlled access control

creator of information controls who can access information