Disclaimer:
CIA Triad
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
IDENTIFICATION
AUTHENTICATION
AUTHORIZATION
ACCOUNTABILITY
AUDITING
NONREPUDIATION
RELATED TERMINOLOGIES
• Asset
• Threat
  • As defined by NIST SP 800-53, a threat is “any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.”
• Safeguard
• Vulnerability
  • According to NIST SP 800-53, a vulnerability is “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”
CONTROLS
THREAT MATRIX
TYPES OF ATTACK
• Passive Attack
• Active Attack
• Close-In Attack
• Insider Attack
• Distribution Attack
ADDITIONAL SYSTEM SECURITY CONCEPTS
• Complete Mediation
• Defense in depth
• Economy of mechanism
• Fail-safe
• Least common mechanism
• Least privilege
• Leveraging existing components
• Open design
• Psychological acceptability
• Separation of duties
• Weakest link
COMPLETE MEDIATION
DEFENSE IN DEPTH
• NIST SP 800-82 defines a defense-in-depth architecture strategy as “the use of firewalls, the creation of demilitarized zones and intrusion detection capabilities, along with effective security policies, training programs, and incident response mechanisms.”
• Firewalls: These are like guards at the entrance, checking who’s allowed in.
• Demilitarized zones: Think of this as a buffer area – like a waiting room before entering the main part of a building.
• Intrusion detection: It’s like having alarms that go off if someone tries to break in.
ECONOMY OF MECHANISM
FAIL-SAFE
• NIST SP 800-123 explains the term fail-safe as follows: “If a failure occurs, the
system should fail in a secure manner, that is, security controls and settings
remain in effect and are enforced. It is usually better to lose functionality rather
than security.”
• Also, a fail-safe design should ensure that when a system recovers from a
failure, it should recover in a secure state, where only authorized users have
access to sensitive information.
LEAST COMMON MECHANISM
LEAST PRIVILEGE
“Principle of least privilege” means giving someone or something only the bare minimum permissions they need to get their job done.
LEVERAGING EXISTING COMPONENTS
Are the locks still working? Are the alarms up to date? It’s like making sure your car is roadworthy.
Optimizing Performance:
Think of this as tuning your guitar strings. You adjust them to get the best sound.
In security, it’s about fine-tuning your existing tools – making sure they work at their best. Like adjusting your home security cameras for better coverage.
OPEN DESIGN
PSYCHOLOGICAL ACCEPTABILITY
“Psychological acceptability” means designing security systems in a way that feels natural and easy for users to understand and use.
SEPARATION OF DUTIES
WEAKEST LINK
Policies, Standards, Guidelines, and Procedures
Policies
A policy is like a set of rules or guidelines that everyone in an organization must follow.
Standards
Guidelines
Procedures
Malicious Code and Attacks
with ads.
Viruses and Worms
• ANSI/ISA-62443-1-1 –
• virus - “self-replicating or self-reproducing program that spreads by inserting
copies of itself into other executable code or documents,”
• worm - “computer program that can run independently, can propagate a
complete working version of itself onto other hosts on a network, and may
consume computer resources destructively.”
Trojan Horse
Logic Bomb
• A logic bomb is a type of Trojan horse that does not execute until a
preset condition is met; for example, at a specific time and date or
when some activity is performed on the host computer.
Mobile Code
Back Door
Scanning
Man-in-the-Middle
Social Engineering
Guessing Passwords
Denial of Service/Distributed Denial of Service
Replay
Dumpster Diving