Lesson 1: The Security Mindset

Question 1

security mindset

Answer 1

requires you to think like an adversary; how could a malicious party circumvent the goals of a system or product?

understanding techniques for circumventing a defense

Question 2

computer security

Answer 2

field that studies how systems work in the presence of adversaries

Question 3

think like a defender

Answer 3

know what you’re defending and against whom

weigh benefits vs costs: no system is ever completely secure

exercise “rational paranoia”

Question 4

how do you think like an attacker?

Answer 4

1. look for weakest links
2. identify assumptions that security depends on
3. do not think like the designer of the system; do not constrain yourself; think outside the box

Question 5

how do you think like a defender?

Answer 5

1. security policy: what are you trying to defend?
2. threat models: who are your adversaries?
3. assessing risk: what’s worst case scenario
4. countermeasures

Question 6

What should a security policy consider?

Answer 6

• what assets are you defending?
• what security properties do you want to enforce?
  e. g: authenticity (how do you know the sender is really the sender), integrity (no one has tampered with data), confidentiality (how can i ensure that only certain authorized parties can actually see this data), availability (how do i prevent attacker who is blocking access to my data)

Question 7

what are key ideas when considering threat models

Answer 7

• who is the adversary?
• what are they capable of?
• what kind of attacks do we want to prevent?
• what attacks should we ignore?

Question 8

How do we assess risk?

Answer 8

• what would security breaches cost us?

• • direct costs: money, property
• • indirect costs: reputation

• how likely are these costs?

• • probability of attacks?
• • probability of success?