Concepts Flashcards
What is cyber security?
Name examples of assets.
Cyber security is a field that uses methods and techniques to protect computer assets from harm.
Examples of Assets:
- Computer Hardware
- Software
- Data
Name examples of ‘harms’ that could affect an asset.
Examples:
- Physical Damage
- Unauthorised change, unauthorised use
- Denial of service
- Theft
Note: A harm may or may not cause a monetary gain or cost, but there’s usually some benefit to someone in causing it.
What is an asset?
Meaning: Anything that has value and is controlled by a computer system.
Examples:
- Files (music, films, information)
- Physical Devices (Critical Infrastructure)
What is meant by Risk?
Meaning: An estimation/likelihood of experiencing a loss or exposure due to a cyber attack.
Measures of risk:
- What could go wrong? - a hazard
- What would be the consequences?
- What are the chances of it happening?
- Risk = expected cost × probability, measured qualitatively: negligible, minor, major, survivable, existential.
What is meant by a threat?
Meaning: A circumstance or situation that has the potential to cause loss or harm.
Something that may be attempted in an effort to subvert system security (performed by threat actors).
Studied in the form of a threat model:
- The points of attack against a system.
- Prioritised by their risk
- Vulnerabilities and countermeasures.
What is meant by an attack?
Meaning: An attempt to exploit a threat by some technical (or sometimes non-technical) means:
- Using an attack vector (also called an exploit).
- A means to act on malicious intent.
An exploitation of a system’s vulnerability.
Note: examples of attacks:
- Direct: steal the password
- Indirect: send email with a virus attachment that steals the password
- Really indirect: a distributed denial-of-service attack to stop anyone entering the password
What is meant by Identity?
Meaning: A means of proving you are who you say you are.
Note: This is the cornerstone of almost all of security:
- What should you be allowed to see? - information hiding.
- What should you be allowed to do? - agency.
Note: Also a concern in the real world: (Entry to a building, accessing a service)
What is meant by Privacy?
Meaning: A concept that involves the requirement that information can only be seen by those who have permission to see it (Confidentiality), or edit it, use it, or operate on it (Integrity).
Different degrees of privacy:
- Not know what the information is
- Not know that it exists
- Note: (It is hard to crack something you don’t know exists).
What is meant by Authentication?
Meaning: An act of proving a claimed identity - that you are who you say you are.
Note:
- Identity is a property
- Authentication is an action or a mechanism – usually of demonstrating that a given agent validly claims a given identity.
- “Identify yourself” is therefore a request for authentication
IRL:
(Note) There are social differences in people’s attitudes to being asked to identify themselves.
- Many countries have mandatory ID cards. Others don’t.
ID cards do make it easier to identify someone, but they are also a prime target for identity theft.
Digital:
(Note) The move from the real world to the digital one is highly consequential: physical tokens are hard to reproduce, whereas digital tokens are hard (in practice impossible) to prevent from being reproduced. There is no physical presence, so possession is hard to validate.
What is meant by Anonymity?
Meaning: The act of hiding or disguising one’s identity information.
Note: Sometimes people want to prevent associating an identity (With an actual Person, With a Stream of Actions, or with some data).
Often good reasons for this:
- Criticism of authority
- Engaging in legal-but-controversial actions.
- Fear of consequences
What is meant by Agency?
Meaning: Things/actions that an agent/user can do (once authenticated).
Examples:
- View particular information
- Know particular information even exists
- Perform certain actions
Note: Limiting agency is access control
Meaning of access control: Mechanism for deciding if a particular action should be permitted when attempted.
Notes on Agents
In real life, we associate identity with people.
In the digital world, we associate identity with a particular piece of software.
- the software acts as your agent
- Allowed to perform actions as if it was really you.
- May be doing so under your direct control (e.g., you’re clicking a web page in a browser).
- May be automated (e.g., there’s a script that’s logged-in as you)
- Authentication may form a chain.
What is meant by Non-repudiation?
Meaning: The inability to deny that an action happened and that it was performed by some agent.
Note: Ensures that someone cannot deny the authenticity of their actions in a transaction or communication.
Note: This is essential for a large number of services where actions need to be committed;
- Once done, it can’t be undone.
- Example: Paying cash for something vs paying via credit card.
What is meant by trust?
Meaning: A combination of identity and agency.
- “Should this person be allowed to perform this action?”
- “Should I believe information provided by this person?”
Note: Rather than mandate the access control policies upfront, determine them based on an agent’s prior actions.
- Also works well in anonymous situations.
- Leads to a need to be able to detect abuse and revoke trust at some later point – hopefully before harm.
What is meant by Reputation?
Meaning: In short, the sharing of trust.
Note: Trust in an agent migrates from one system to another.
Note: Possibly a model for distributed services.
- Trust is associated with the user themselves, not held within a single system.
- A bit like up-voting that occurs in some web sites: can only post after you’ve earned a positive-enough reputation
What is meant by Vulnerabilities?
Meaning: A weakness in a system that may be exploited to cause loss or harm.
For example, an unencrypted disc drive, a router with a default password, etc.
Note: Often appear gradually over time.
Note: Need to consider socio-technical vulnerabilities.
- Low-paid employees with high-trust jobs?
- Open wireless networks to allow customers to access using their own devices? (Opens up opportunity for attack).
Conclusion
- Security is a global property of systems, not (just) of their individual components.
- Small changes can open up large vulnerabilities.
- Key concepts: assets, threats, risk; identity, authentication, trust, reputation; vulnerabilities, attacks.
- All can interact in complicated ways, which we need to understand as a whole.