Professional Documents
Culture Documents
Definitions
Vulnerability - weakness in system/algorithm/protocol, etc., which can allow harm to
occur
Threat - condition that can exercise a vulnerability
Incident - a threat exploits a vulnerability, causing harm
Harm - negative consequence of an actualized threat
Control/Countermeasure - prevent, diagnose, respond to threats
Computer security
Protection of assets
hardware
software
data
people
processes, etc.
Asset value
1. Off-the-shelf (replaceable)
2. Unique (irreplaceable)
1. Subject - who
2. Object - what
3. Access mode - how
Integrity
Preserved integrity can mean the item is:
precise
accurate
unmodified
modified only in acceptable ways
modified only by authorized people/processes
consistent
internally consistent
meaningful and usable
Availability
Object/Service is available if:
Characterization
Harm
Characterization of harm
Risk management
Problems
Method-Opportunity-Motive
All 3 are necessary for an attack to succeed
Method
Skills, knowledge, tools, and other things with which to perpetrate the attack.
Script kiddie - Person who downloads an complete attack code package and only needs to
enter a few details to identify the target and let the script perform the attack
Opportunity
When to execute an attack
Motive
money, fame, self-esteem, politics, terror, etc.
Vulnerability
attack surface - the full set of vulnerabilities of a system
Controls
Dealing with harm:
Grouping controls
1. Physical - locks, walls, fences, guards, sprinklers, etc.
2. Procedural/Administrative - laws, procedures, guidelines, copyrights, contracts, etc.
3. Technical - passwords, OS access controls, network protocols, encryption, etc.