First-handout Flashcards
Resources that can be misused
> Data
Time
Trust
Monetary
Threat
A certain way that an attacker can put a system at risk like eavesdrop, fraud, access denial
Threat model
collection of threats A collection of attackers abilities like a powerful attacker can read and modify all communications and generate messages on a communication channel
Vulnerability
Systematic artifact/tool that exposes the user, data, or system to a threat like buffer overflow, or key leakage
Source of vulnerabilities
> Bad software/hardware
Bad design
Bad policy / configuration
System misuse
Adversary
Entity trying to bypass the security infrastrucure
Types of adversaries
Curios and clueless like script kiddies
Casual attackers seeking to understand systems
Malicious groups of largely sophisticated users
Competitors
governments
Also there are insider adversary and outsider adversary
true
Attack
when someone tries to exploit vulnerabilities
Kinds of attacks
> Passive like eavesdropping
Active like password guessing
Denial of service
Distributed Denial of service
Example attacks
> IP spoofing, port scanning, ping of death, ARP poisoning, routing manipulation, DNS spoofing
> Spyware, adware, worms, viruses, spam
Security terminology
Trust (degree to which an entity is expected to behave)
What the entity is not expected to do — Not expose passwords
what the entity is exposed to do (obligations)
obtain permissions, refresh
Trust model
Describes for a particular environment who is trusted to do what
Security model
combination of trust and threat model that addresses the set of perceived risks
Every design must have a security model
true