Lectures Flashcards
What are two key themes in the Computer Security course?
• Thinking about security – The “security mindset” – Threat modelling – Security principles – Current events • Technical aspects of security – Attacks – Defenses
What are 12 categories that an attacker may be motivated by?
- Access or Convenience
- Curiosity or Boredom
- Desire or Obsession
- Diplomacy or Warfare
- Malice or Revenge
- Money
- Politics
- Protection
- Religion
- Self-Promotion
- World View
- Unusual
What are eight ways to brainstorm about security?
- Adversary Motivations
- Adversary Resources
- Assets
- Threats
- Vulnerabilities
- Attack Techniques
- Risks
- Mitigations
What are eight categories of assets?
- Emotional Well-being
- Financial Well-being
- Personal Data
- Personal Well-being
- Relationships
- Societal Well-being
- The Biosphere
- Unusual Impacts
What are some targets of an adversary motivated by Access or Convenience?
- appointment-based online enrollment systems
- sales of limited tickets
- personal electronics with restricted permissions
What are some actions that an adversary motivated by Access or Convenience might take?
- modify personal electronics
- bypass company filtering to access personal e-mail
- access a protected wireless network
What are some targets of an adversary motivated by Curiosity or Boredom?
- acquaintances
- strangers
- institutions
- celebrities
What are some actions that an adversary motivated by Curiosity or Boredom might take?
- look up celebrity’s medical record
- browse personal photos
- attack a random system
What are some targets of an adversary motivated by Desire or Obsession?
- ex-boyfriend
- ex-girlfriend
- celebrities
- children
What are some actions that an adversary motivated by Desire or Obsession might take?
- harassing messages
- sexual blackmail
- covert webcam activation
- monitoring communications
- location tracking
What are some targets of an adversary motivated by Diplomacy or Warfare?
- public infrastructure
- cyber-physical
- communication
- emergency systems
What are some actions that an adversary motivated by Diplomacy or Warfare might take?
- gather data
- spread misinformation
- track individuals
- disable equipment
- cause distractions
- cause bodily harm
- disable communications
What are some targets of an adversary motivated by Malice or Revenge?
- ex-employer
- neighbor
- rival
What are some actions that an adversary motivated by Malice or Revenge might take?
- misinformation
- cause physical harm
- cause monetary damage
- cause emotional damage
What are some goals of an adversary motivated by Money?
- drain assets
- sell DoS services
- extort organization
- sell user data
- sabotage competitor’s system
- manipulate market
What are some actions that an adversary motivated by Money might take?
- steal data
- disclose data
- misinformation
- sabotage competitor’s system
What are some goals of an adversary motivated by Politics?
- alter, prevent, or invalidate votes
- discredit political figures
- alter the public’s understanding or impression
What are some actions that an adversary motivated by Politics might take?
- DoS attack
- steal data
- disclose data
- misinformation
What are some targets of an adversary motivated by Protection?
- employers
- government
- family
What are some actions that an adversary motivated by Protection might take?
- monitor behavior
- evade censorship
- preemptive attack
What are some goals of an adversary motivated Religion?
- spread information about beliefs
* discredit another group
What are some actions that an adversary motivated by Religion might take?
- disclose data
- misinformation
- cause physical harm
- cause monetary damage
What are some targets of an adversary motivated by Self-Promotion?
- systems with personal information
- prominent systems
- challenging systems
What are some actions that an adversary motivated by Self-Promotion might take?
- change grades
- redact information
- deface a corporate website
- crack an encryption scheme
What are some issues that an adversary might be motivated by?
- corporations
- environmentalism
- reproductive rights
- drugs
- violence
- sexuality
What are some actions that an adversary motivated by a World View might take?
- DoS attack
- disclose data
- misinformation
- cause physical harm
- cause monetary damage
What are some assets tied to a person’s Emotional Well-being?
- keepsakes
- peace of mind
- convenience
How might a person be harmed due to an attack on their assets tied to Emotional Well-being?
- cause of fear
- cause of anger
- cause of loneliness
- cause of confusion
What are some targets tied to a person’s Financial Well-being?
- electronic home-entry systems
* online bank credentials
What are some attacks that might affect a person’s Financial Well-being?
- theft
- extortion
- blackmail
What are some targets tied to a person’s Personal Data?
- medical records
- embarrassing pictures
- browsing history
What are some ways that an attacker might use a person’s Personal Data?
- perform identity theft
- perform blackmail
- delete financial records
What are some targets tied to a person’s Physical Well-being?
- access to food and water
- access to electricity
- an individual’s location
- medical devices
- cars
- medication or allergy records
What are some targets tied to a person’s Relationships?
- interpersonal
- inter-organizational
- international
How might a person be harmed due to an attack on their Relationships?
- damage a company’s reputation
* cause unnecessary tension/arguments between relations
What are some targets tied to a person’s Societal Well-being?
- online voting systems
- public infrastructure and cyber-physical systems
- government record databases
How might a person be harmed due to an attack on their Societal Well-being?
- create mass hysteria
- alter public discourse
- cause physical harm
- affect access to resources
What are some targets tied to the Biosphere?
- public infrastructure and cyber-physical systems
* data centers
How might a person be harmed due to an attack on the Biosphere?
- excessive resources are used up
- water sources are polluted
- fires are started
Reliability deals with…
Usability deals with…
Security deals with…
Reliability deals with accidental failures
Usability deals with avoiding “operating mistakes”
Security deals with intentional failures created by thinking adversaries
The approximation of risk:
Risk = ?
Risk = (value_of_asset) *
(likelihood_of_threat_succeeding) *
(damage to asset)
What are threats?
Threats are actions by adversaries who try to exploit vulnerabilities to damage assets.
What are three categories of security failures?
- requirement bugs (incorrect/problematic goals)
- design bugs (poor use of cryptography/source of randomness)
- implementation bugs (buffer overflow attacks)
