6.1 Flashcards
What is security? (when we say an organization/person is secure)
- It can do what it wants, when it wants
- It can keep a secret
- It can prevent an adversary from doing the same
What is security? (when we say a system is secure)
We say a system (say, a network) is secure if an organization can use it without reducing its own security
Nothing is secure by default.
You need to take measures to make it secure.
Name 4 security layers.
Physical
Communications
Technical
Human
The security layers are…
cumulative. And overlap.
What is the goal of the physical layer? How can you reach that goal?
The goal is to keep physical things from theft or damage
There are many ways to do this:
Physical barriers
Surveillance
Violence
Physical security is the most effective, but is also
stupid.
Why you need the communication layer?
Because you want to communicate with another place:
* Without an adversary knowing what is said
* And perhaps without the adversary knowing that communication even happened
You can try to communicate
Secretly: Whispering, steganography - the adversary does not know you are communicating
By misdirection: Slang – the adversary knows you are communicating but not about what
By transformation: Ship semaphores, encryption – the enemy knows what you are talking about, but not what you are saying
Communications can also cover
the movement of materials
Communications can cover movement of materials, but nowadays modern communication technology changed. This led to…
inventions such as cryptography, steganography, frequency hopping, denial of service attacks and more
Technical security refers to…
any security measure that requires a computer to implement it, or which is targeted at a computer
Technical security includes…
Cryptography (it overlaps with the communications layer)
Privilege escalation attacks and other attacks on the operating system
Intrusion detection and prevention
Honey pots
The human layer refers to…
security issues that result from the fact that any organization is made up of people
The weakest part of any security system is…
the people involved.
How do we mitigate the problem with people?
Make sure everyone involved knows only what they need to know in order to do their job (compartmentalization)
Surveillance:
- Watch people’s social media, financial transactions, travel plans and so on
- Look for suspicious patterns
Minimize a person’s attack surface
- A personal attack surface is the sum total of ways that an adversary can gain leverage over a person
- Leverage can be used to make a person do something they perhaps ordinarily would not
Make sure all the systems contributing to security support the three A’s
Authentication
Authorization
Accounting
AAA works for
all scales of system and across all layers