CH 1 - What is computer security
Main take away:
A threat seeks to cause harm by exploiting a vulnerability. A control seeks to prevent harm through securing the vulnerability.
Computer security is protecting assets: software, data, people, processes, hardware.
- Data - company or personal data that could be damaging in the wrong hands.
- Processes - company DNA, don't want it leaked.
1. Threats
Threat - a potential entity or situation that can cause harm to a company. With no vulnerabilities, threats cannot be realised. Examples: human error, hardware design flaws, software failure, natural disaster.
- Confidentiality: The technology keeps personal items personal.
- Integrity: The technology reliably reads the data that was written, for example by using cryptographic hashing.
- Availability: The technology is available to authorized people when they want access to it.
- Authentication: verifying the sender's/user's identity.
- Accountability or nonrepudiation: something sent cannot be denied.
- Auditability: traceability of actions to a source.
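The integrity and authentication properties above can be shown in a few lines. This is an added example, not part of the original notes; the function names and the sample record are constructed for illustration. It shows that an unkeyed hash detects modification only while the recorded digest is kept somewhere trusted, whereas a keyed HMAC also rejects data fabricated by someone without the shared key.

```python
import hashlib
import hmac
import secrets


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest, recorded when the data is written."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Integrity check on read: does the data still match the recorded digest?"""
    return hmac.compare_digest(digest(data), expected_hex)


def tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA-256 tag: only holders of `key` can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected_hex: str) -> bool:
    """Integrity plus sender authentication in one check."""
    return hmac.compare_digest(tag(key, data), expected_hex)


def demo() -> dict:
    key = secrets.token_bytes(32)        # shared secret (constructed)
    other_key = secrets.token_bytes(32)  # a party without the shared secret
    original = b"transfer 100 to account 42"   # constructed sample record
    modified = b"transfer 900 to account 42"   # same record after modification
    stored_digest, stored_tag = digest(original), tag(key, original)
    return {
        "intact_record_passes": verify_digest(original, stored_digest),
        "modification_detected": not verify_digest(modified, stored_digest),
        # If the digest is stored beside the data and both are rewritten,
        # the unkeyed check passes: the digest must live somewhere trusted.
        "rewritten_digest_passes": verify_digest(modified, digest(modified)),
        # A tag made without the shared key is rejected.
        "fabrication_detected": not verify_tag(key, modified, tag(other_key, modified)),
        "genuine_tag_passes": verify_tag(key, original, stored_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```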
2. Harm
Harm - The negative consequence of an actualized threat.
- Interception undermines confidentiality
- Modification and fabrication undermine integrity
- Interruption undermines availability

Different assets have different values that may even change over time. Choosing which assets to protect and against what is called risk management.
2.1. Risk management
- We cannot protect against all risk.
- A control or countermeasure is the way in which one addresses a threat.
- Risk can be passed on (to insurance).
- Risk that is not covered by a control is called residual risk.
- Perception of what a risk is is influenced by association (events already experienced), affect (feelings about the risk) and reason. They are about equally weighted.
- People pay attention to the impact if it is a high dread event and to the likelihood if it is a low dread event.
- Impact and likelihood are taken into account when assessing risk (both are almost impossible to measure).
2.2. Attackers
- Method - how the attack is done. Use of skills, knowledge and tools.
- Opportunity - the time and access when it is done.
- Motive - why it is done.
- Remove one of these and the attack can be rendered null.
3. Vulnerabilities
Vulnerability - A weakness in a system. e.g. not verifying a user may lead to unauthorized data manipulation. Vulnerabilities can occur in procedures, design or implementation.
The attack surface is the full set of system vulnerabilities - physical hazards, outside attacks, inside attacks, mistakes, impersonations.
4. Controls
Control - a countermeasure to protect against vulnerabilities and attacks. The harm of a threat is blocked by control of a vulnerability.
4.1. Ways to control attacks
- prevent - blocking the attack or closing the vulnerability
- deter - make the attack harder
- deflect - make another target more attractive or this one less attractive.
- mitigate - make the impact of an attack less severe.
- detect - track and report an attack.
- recover - from the effects of an attack.

Cost and effectiveness are balanced with likelihood and impact of harm.
4.2. Types of controls
- Physical controls stop or block an attack by using something tangible
  - walls and fences
  - locks
  - (human) guards
  - sprinklers and other fire extinguishers
- Procedural or administrative controls use a command or agreement that requires or advises people how to act
  - laws, regulations
  - policies, procedures, guidelines
  - copyrights, patents
  - contracts, agreements
- Technical controls counter threats with technology (hardware or software)
  - passwords
  - program or operating system access controls
  - network protocols
  - firewalls, intrusion detection systems
  - encryption
  - network traffic flow regulators