P1:L1 The Security Mindset

Question 1

Why Security?

Answer 1

We worry about security when we have something of value and there is a risk that it could be harmed.

Question 2

Why Cyber Security?

Answer 2

• Individuals store a lot of sensitive data online
  
  • If stolen, criminals can profit from it.
• Societies rely on the internet
  - Nefarious parties could profit by controlling it

Question 3

Why Cyber Security?

Answer 3

Smart grids rely on cyber systems
-Whoever controls the grid controls the community infrastructure

Business and government propriety information is often stored on the internet.
-Unauthorized access could be economically or politically disasterous

Question 4

There are 2 kinds of companies…

Answer 4

those that have been hacked and know it

and those that have been hacked and don’t know it

Question 5

What is the security mindset

Answer 5

Who are the bad actors, what could they exploit… what will that attack be?
Threat source: who wants to do harm to us in our online lives?

Question 6

Cybercriminals

Answer 6

they want to profit from our sensitive data for financial gain

Question 7

Hacktivists

Answer 7

Activists who do not like something you are or something you do

Question 8

Nation-states

Answer 8

Countries do it for political advantage or for espionage

Question 9

Threat actors

Answer 9

exploit vulnerabilities to launch attacks

Question 10

Attacks

Answer 10

lead to compromises or security breaches

Question 11

Vulnerabilities

Answer 11

can be found in software, networks, and humans (weakest link)

Question 12

Questions to ask when in the security mindset?

For example… when Target was “breached”

Answer 12

1) what is of value? (Credit card data)
2) What is the threat source? (Cyber Criminals)
3) What vulnerability was exploited? (Phishing attack)

Question 13

Hacked/stolen data worth on the black market (as of March 2015):

Answer 13

1) 3 digit security code on your credit card = $2
2) Credit card information = $5 - $45
3) PayPal/Ebay account = $27
4) Health information = $10

Question 14

3 security requirements of sensitive information to strive for

Answer 14

1) Confidentiality (sensitive… should not be disclosed - only to authorized)
2) Integrity (Should not be changed or corrupted only to authorized)
3) Availability (Critical to use… if it goes away or can not be accessed… this is bad)

The CIA :-)\other conseqences (Stuxnet, physical)

Question 15

What security requirement is violated in a “data breach?”

Answer 15

Confidentiality

Question 16

What should the good guys do?

Answer 16

• Prevention
• Detection
• Response
• Recovery and remediation
• Policy (what) vs. mechanism (how)

Question 17

What is the estimated value of the world-wide losses due to cybercrime?

Answer 17

Close to $500 Billion (US) as of 2014

Question 18

How do we address Cyber Security?

By reducing vulnerabilities by following basic design principles for secure systems:

Answer 18

• complexity is the enemy (keep it simple (enemy of mechanism))
• Fail-safe defaults (access is controlled
• Complete mediation (System should never allow someone to bypass the monitor)
• Open design (Don’t count on a complex design or for one person to know… someone could easily reverse engineer)
• Least Privilege (Only have privileges for resources that you absolutely need)
• Psychological acceptability (People are the weak link… don’t ask people to do anything that puts burden on them)