Professional Documents
Culture Documents
10/09/2022 2
1
10/09/2022
10/09/2022 3
10/09/2022
Availability 4
2
10/09/2022
Loganathan R @HKBKCE 5
CIA Triad+
10/09/2022 6
3
10/09/2022
10/09/2022 7
4
10/09/2022
10/09/2022 10
5
10/09/2022
10/09/2022 11
Threats
Vulnerabilities
Attacks
10/09/2022 12
6
10/09/2022
10/09/2022 14
7
10/09/2022
10/09/2022 15
10/09/2022 16
8
10/09/2022
10/09/2022 17
10/09/2022 18
9
10/09/2022
Management
10/09/2022 19
Attacks
Release of Denial of
Traffic Masquerade
Message Contents Replay Modification Service
Analysis (Fabrication)
(Interception) (Interuption)
10/09/2022 20
10
10/09/2022
10/09/2022
related goals?
21
Phhw ph dw
flqhpda
10/09/2022
related goals? 22
11
10/09/2022
related goals? 23
10/09/2022
Transfer Rs.1000
Transfer Rs.1000 to Darth.
to Darth.
12
10/09/2022
Transfer Rs.1,000
to Darth. Transfer Rs.10,000
to Darth
25
10/09/2022
related goals?
10/09/2022
related goals? 26
13
10/09/2022
10/09/2022 27
10/09/2022 28
14
10/09/2022
10/09/2022 29
10/09/2022 30
15
10/09/2022
Attack trees
o are conceptual diagrams showing how an asset, or target, might
be attacked
o have been used to describe threats on computer systems and
possible attacks to realize those threats
Four ways you can use attack trees as part of application
security testing
o Discover vulnerabilities to multistep attacks in computer
networks and application design.
o Represent costs for each path along the tree.
o Improve the effectiveness of your testing strategy.
o Evaluate the cost and effectiveness of potential defenses.
10/09/2022 31
10/09/2022 32
16
10/09/2022
Prevention
Detection
Response
Recovery and remediation
Policy (what) vs. mechanism (how)
10/09/2022 33
10/09/2022 34
17
10/09/2022
the countermeasures are used to reduce vulnerabilities and deal with threats to system assets:
Access Control: (authorized users)
Awareness and Training: all people in organization
Audit and Accountability: all information system
Certification, Accreditation, and Security Assessments: (the controls)
Configuration Management: (hardware, software, firmware, and documentation)
Contingency Planning: ensure the availability of critical information resources.
Identification and Authentication: (users, processes, or devices)
Incident Response
Maintenance
Media, Physical, Environmental, System and Communications Protection
Planning
Personnel Security
Risk Assessment
Systems and Services Acquisition
System and Information Integrity
10/09/2022 35
10/09/2022 36
18
10/09/2022
1. Minimise attack surface area - Giảm thiểu vector tấn công vào hệ
thống
2. Establish secure defaults - Thiết lập cơ chế mặc định an toàn
3. The principle of Least privilege - Nguyên tắc đặc quyền tối thiểu
4. The principle of Defence in depth - Nguyên tắc bảo mật theo
chiều sâu, nhiều lớp
5. Fail securely - Nguyên tắc xử lý thất bại một cách an toàn
6. Don’t trust services - Không tin tưởng tuyệt đối vào dịch vụ
7. Separation of duties - Tách biệt về nhiệm vụ
8. Avoid security by obscurity - Tránh bảo mật bằng việc che giấu
9. Keep security simple - Giữ bảo mật một cách đơn giản
10. Fix security issues correctly - Vá lỗ hổng bảo mật một cách đúng
đắn
10/09/2022 37
10/09/2022 38
19
10/09/2022
10/09/2022 39
20