Information Security : Attacks and Vulnerabilities.
Introduction to information security : Asset, Access Control, CIA, Authentication, Authorization, Risk, Threat, Vulnerability, Attack, Attack Surface, Malware, Security-Functionality-Ease of Use Triangle.
TERMINOLOGIES:
• Information security –
The state of being protected against the unauthorized use of information, especially
electronic data, or the measures taken to achieve this.
• Asset –
1. An asset is any item of economic value owned by an individual or corporation.
2. Assets can be real—such as routers, servers, hard drives, and laptops—or assets
can be virtual, such as formulas, databases and spreadsheets.
• Access Control-
1. Access control (AC) is the selective restriction of access to a place or resource.
2. The act of accessing may mean consuming, entering, or using.
3. Permission to access a resource is called authorization.
• CIA:
• Confidentiality-
Confidentiality addresses the secrecy and privacy of information.
• Integrity-
1. Integrity provides for the correctness of information. It allows users of
information to have confidence in its correctness.
2. Integrity must be protected in two modes: storage and transit.
• Availability-
1. Availability simply means that when a legitimate user needs the
information, it should be available.
2. Denial of service (DoS) is an attack against availability.
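Integrity "in storage and transit" is usually enforced with a keyed message authentication code: a tag computed over the data with a secret key, checked again when the data is read back or received. The following is an added illustration, not part of the original slides; the record contents and the key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample key. In a real system it is loaded from a secret store,
# never hard-coded, and never shared with parties who only need to read the data.
SECRET_KEY = b"example-key-do-not-use-in-production"


def protect(record: dict, key: bytes = SECRET_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to a record before it is stored or sent."""
    # Canonical serialisation: the same record must always produce the same bytes,
    # otherwise a legitimate re-encoding would look like tampering.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def verify(envelope: dict, key: bytes = SECRET_KEY) -> bool:
    """Return True only if the payload is unchanged since it was tagged."""
    expected = hmac.new(key, envelope["payload"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag via timing.
    return hmac.compare_digest(expected, envelope["tag"])


def demo() -> tuple:
    """Tag a record, then show that a silent modification is detected."""
    original = {"account": "alice", "balance": 100}
    envelope = protect(original)
    intact = verify(envelope)

    # Simulate corruption or modification while stored or in transit.
    tampered = dict(envelope)
    tampered["payload"] = envelope["payload"].replace("100", "999")
    return intact, verify(tampered)


if __name__ == "__main__":
    print(demo())
```

Without the key an attacker cannot produce a valid tag for a modified payload, which is what distinguishes an HMAC from a plain checksum or unkeyed hash.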
• Authentication-
1. The process of identifying an individual, usually based on a username and
password.
2. Authentication merely ensures that the individual is who he or she claims to
be but says nothing about the access rights of the individual.
• Authorization-
Authorization is the function of specifying access rights/privileges to resources.
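The distinction between the two definitions above (authentication answers "who is this?", authorization answers "what may they do?") is easiest to see when the two checks are kept as separate functions with a default-deny policy. This is an added example, not code from the original slides; the usernames, passwords, roles and resources are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed in-memory user store. Passwords are kept only as salted PBKDF2 hashes.
# The iteration count is deliberately low so the example runs quickly.
ITERATIONS = 10_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


USERS = {
    "alice": _make_user("correct horse battery", "admin"),
    "bob": _make_user("hunter2", "viewer"),
}

# Authorization policy: which roles may perform which actions on which resources.
# Anything not listed here is denied.
PERMISSIONS = {
    "admin": {"payroll": {"read", "write"}, "reports": {"read", "write"}},
    "viewer": {"reports": {"read"}},
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Establish identity. Returns the username on success, None otherwise."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so unknown and known usernames take similar time.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    return username


def authorize(username: str, action: str, resource: str) -> bool:
    """Decide whether an already-authenticated identity may perform an action."""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, {}).get(resource, set())


def access(username: str, password: str, action: str, resource: str) -> str:
    """Full access-control decision: authenticate first, then authorize."""
    identity = authenticate(username, password)
    if identity is None:
        return "denied: authentication failed"
    if not authorize(identity, action, resource):
        return "denied: not authorized"
    return f"ok: {identity} may {action} {resource}"


if __name__ == "__main__":
    print(access("bob", "hunter2", "read", "reports"))
    print(access("bob", "hunter2", "write", "payroll"))
```

Bob authenticates successfully in both calls, yet the second is refused: a valid identity says nothing about access rights, which is exactly the point made in the definition of authentication above.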
• Risk-
Risk is the probability or likelihood of the occurrence or realization of a threat.
• Threat-
1. A threat sets the stage for risk and is any agent, condition, or
circumstance that could potentially cause harm, loss, or damage.
2. Threats can result in destruction, disclosure, modification, corruption of
data, or denial of service.
• Vulnerability-
1. A vulnerability is a weakness in the system design, implementation,
software, or code, or the lack of a mechanism.
2. If the organization is vulnerable to any of these threats, there is an
increased risk of successful attack.
• Attack-
An attack is an action taken against a system in order to gain access to it and
extract sensitive data.
• Attack Surface-
1. The attack surface of a software environment is the sum of the different
points where an unauthorized user (the "attacker") can try to enter data to
or extract data from an environment.
2. Keeping the attack surface as small as possible is a basic security measure.
• Malware-
Malware is any software intentionally designed to cause damage to a
computer, server or computer network.
• Risk Assessment-
A risk assessment is a process to identify potential security hazards and
evaluate what would happen if a hazard or unwanted event were to occur.
• Security-Functionality-Ease of Use Triangle-
1. There is an interdependency between these three attributes.
2. When security goes up, usability and functionality come down.
3. Any organization should balance between these three qualities to arrive at a
balanced information system.
4. The triangle shows the relationship between the concepts of security, functionality and ease of
use.
5. The use of a triangle is because an increase or decrease in any one of the
factors will have an impact on the presence of the other two.
[Figure: triangle with vertices labelled Functionality, Easy to use, and Security.]