Cyber Security Mindset Flashcards
(14 cards)
Summarize the Security Mindset
- Learning to think like the attacker
- Thinking critically about the system being examined
- Understanding both technical and non-technical countermeasures
- Trying to see how you can break something
Example of the Mindset
Security professionals can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities.
Security Mindset vs Crime
Thinking about the weaknesses of a system is different from acting on those weaknesses.
Ex:
- Thinking about how encryption can be exploited allows one to build more secure systems.
Thinking Like a Defender Includes:
- Security policy
- Threat model
- Risk assessment
- Countermeasures
Security Policy
What are we trying to protect?
What properties are we trying to enforce?
Confidentiality
Ensuring that information is accessible only to those authorized to view it.
Integrity
Ensuring that data is accurate and has not been altered in an unauthorized way.
Availability
Ensuring that systems and data are accessible and usable when needed by authorized users.
Privacy
Ensuring that personal or sensitive data is collected, stored, and used appropriately.
Authenticity
Ensuring that users, systems, and data are genuine.
Threat Model
Who are the attackers?
- Motives?
- Capabilities?
- Access?
Risk Assessment
- What would security breaches cost us?
  - Direct costs: money, property, safety...
  - Indirect costs: reputation, future business, well-being...
- How likely are these costs?
  - Probability of attacks?
  - Probability of success?
Countermeasures
- Technical countermeasures
  - What most of this course is about!
- Non-technical countermeasures
  - Law, policy, procedures, etc.
Security Costs
- No security mechanism is free
  - Direct costs: design, implementation, enforcement, false positives
  - Indirect costs: lost productivity, added complexity
- The challenge is to rationally weigh costs vs. risk
  - Human psychology makes reasoning about high-cost, low-probability events hard