Cybersecurity Fundamentals: Key Concepts and Security Strategies - Prof. Spognardi, Network Security notes

A foundational overview of cybersecurity, covering essential definitions, security concepts, and strategies. It explains key terms such as threat agents, vulnerabilities, and attacks, distinguishing between active and passive attacks. The document also details the CIA triad (confidentiality, integrity, availability) and various security measures like encryption, access control, backups, and physical protections. Additionally, it discusses principles like economy of mechanism, open design, separation of privilege, and least privilege, offering a comprehensive introduction to cybersecurity principles and practices. This resource is valuable for understanding the core elements of cybersecurity and how to implement effective security strategies. It also touches on attack surface analysis and security policy implementation.

Type: Notes

2024/2025

Uploaded on 22/09/2025

davide-de-blasio
CYBERSECURITY DEFINITION → Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.

(nonrepudiation → the author of a statement cannot deny the authorship and validity of that statement; nonrepudiation ties actions or changes to a single individual (the author)).

COMPUTER SECURITY DEFINITION → Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.

ASSETS, a key concept → The things that are important for a person, a company or an institution, to be protected. ex. Staff address book, patient records, equipment, criminal records, keys for net-banking.

What should be PROTECTED? → ex. Personal data → What is personal data? What can be done with the personal data? Who can see them? How do you ensure this?

ex. Company data: Financial data, Patents, Internal information about products, Personal data relating to staff files on customers, partners, etc., Information on technical aspects of the business.

ASSETS of a COMPUTER SYSTEM

SECURITY CONCEPTS and RELATIONSHIP

THREAT AGENT → ADVERSARY → Who conducts or has the intent to conduct detrimental (harmful) activities.

COUNTERMEASURE → A device or technique that has as its objective the impairment (hindering) of adversarial activity.

RISK → A measure of the extent to which an entity is threatened (endangered) by a potential circumstance or event, considering the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence.

THREAT → Any circumstance or event with the potential to adversely (negatively) impact organizational operations.

VULNERABILITY → Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

The security of a system, application, or protocol is always relative to:

A set of desired properties

An adversary with specific capabilities

ex. standard file access permissions in Linux and Windows are not effective against an adversary who can boot from a CD. → File access permissions are typically enforced by the operating system. These protections are only effective when the system is running under its normal operating environment, which enforces those permissions. If an adversary can boot the computer from an external device like a CD or a USB drive, they bypass the normal operating system entirely. Since the computer is now running from an external source, it doesn't enforce the file permissions set on the internal disk. The attacker gains full access to the filesystem because the system booted from the external

OUTSIDE ATTACK → Initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (an “outsider”). On the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments.

SECURITY GOALS: CIA

Confidentiality, Integrity, Availability → CIA

The three concepts embody the fundamental security objectives for both data and for information and computing services.

CONFIDENTIALITY

CONFIDENTIALITY is the avoidance of the unauthorized disclosure of information.

Confidentiality involves the protection of data, providing access for those who are allowed to see it while disallowing others from learning anything about its content.

The tools for confidentiality are:

ENCRYPTION: the transformation of information using a secret, called an encryption key, so that the transformed information can only be read using another secret, called the decryption key (which may, in some cases, be the same as the encryption key).

ACCESS CONTROL: rules and policies that limit access to confidential information to those people and/or systems with a “need to know.” This need to know may be determined by identity, such as a person's name or a computer's serial number, or by a role that a person has, such as being a manager or a computer security specialist.

AUTHENTICATION: the determination of the identity or role that someone has. This determination can be done in a number of different ways, but it is usually based on a combination of: something the person has (like a smart card or a radio key fob storing secret keys), something the person knows (like a password), something the person is (like a human with a fingerprint).

AUTHORIZATION: the determination if a person or system is allowed access to resources, based on an access control policy. Such authorizations should prevent an attacker from tricking the system into letting him have access to protected resources.

PHYSICAL SECURITY: the establishment of physical barriers to limit access to protected computational resources. Such barriers include locks on cabinets and doors, the placement of computers in windowless rooms, the use of sound dampening materials, and even the construction of buildings or rooms with walls incorporating copper meshes (called Faraday cages) so that electromagnetic signals cannot enter or exit the enclosure.

INTEGRITY

Integrity is the property that something has not been altered in an unauthorized way.

property that authentic statements issued by some person or system cannot be denied.

ACCOUNTABILITY

Accountability is the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Systems must keep records of their activities to permit later forensic analysis to trace security breaches (violations) or to aid in transaction disputes.

EXTENDED SECURITY PROPERTIES

ANONYMITY

Anonymity is the property that certain records or transactions are not attributable to any individual.

The tools for anonymity are:

AGGREGATION: the combining of data from many individuals so that disclosed sums or averages cannot be tied to any individual.

MIXING: the intertwining (interweaving) of transactions, information, or communications in a way that cannot be traced to any individual.

PROXIES: trusted agents that are willing to engage in actions for an individual in a way that cannot be traced back to that person.

PSEUDONYMS: fictional identities that can fill in for real identities in communications and transactions, but are otherwise known only to a trusted entity.

THREATS

THREAT CONSEQUENCES

UNAUTHORIZED DISCLOSURE is a threat to confidentiality. A circumstance or event whereby an entity gains access to data for which the entity is not authorized.

DECEPTION is a threat to either system integrity or data integrity. A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.

DISRUPTION is a threat to availability or system integrity. A circumstance or event that interrupts or prevents the correct operation of system services and functions.

USURPATION is a threat to system integrity. A circumstance or event that results in control of system services or functions by an unauthorized entity.

THREAT and ATTACKS

INTERCEPTION → the eavesdropping of information intended for someone else during its transmission over a communication channel.

FALSIFICATION → unauthorized modification of information. ex. the man-in-the-middle attack, where a network stream is intercepted, modified, and retransmitted.

ATTACK SURFACES

It consists of the reachable and exploitable vulnerabilities in a system.

ATTACK SURFACE CATEGORIES

NETWORK ATTACK SURFACE

Vulnerabilities over an enterprise network, wide-area network, or the Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communication links, and various forms of intruder attacks.

SOFTWARE ATTACK SURFACE

Vulnerabilities in application, utility, or operating system code. Particular focus is Web server software.

HUMAN ATTACK SURFACE

Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.

DEFENSE in DEPTH and ATTACK SURFACE

An attack surface analysis is a useful technique for assessing the scale and severity of threats to a system.

A systematic analysis of points of vulnerability makes developers and security analysts aware of where security mechanisms are required.

The image illustrates how layering and attack surface reduction complement each other in mitigating security risk.

COMPUTER SECURITY STRATEGY

SECURITY POLICY

Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

SECURITY IMPLEMENTATION → Involves four complementary courses of action: Prevention, Detection, Response, Recovery.

ASSURANCE

Encompassing (comprising) both system design and system implementation, assurance is an attribute of an information system that provides grounds (bases) for having confidence that the system operates such that the system's security policy is enforced.

EVALUATION

FAIL-SAFE DEFAULTS

This principle states that the default configuration of a system should have a conservative protection scheme. → Access decisions should be based on permission rather than exclusion. That is, the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted.

ex. when adding a new user to an operating system, the default group of the user should have minimal access rights to files and services. Unfortunately, operating systems and applications often have default options that favor usability over security. This has been historically the case for a number of popular applications, such as web browsers that allow the execution of code downloaded from the web server.

COMPLETE MEDIATION

The idea behind this principle is that every access to a resource must be checked for compliance with a protection scheme (conformity with a protection regime). → Systems should not rely on access decisions retrieved from a cache.

As a consequence, one should be wary (distrustful) of performance improvement techniques that save the results of previous authorization checks, since permissions can change over time.

ex. an online banking web site should require users to sign on again after a certain amount of time, say, 15 minutes, has elapsed.
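An added example (not part of the original notes) contrasting a guard that caches authorization decisions with one that mediates every access and applies the 15-minute sign-on limit. All class and function names, the sample grants and the injected clock are constructed for illustration.

```python
import time

SESSION_TTL = 15 * 60  # seconds: the 15-minute re-sign-on window from the text

class PolicyStore:
    """Constructed stand-in for the protection scheme; absent pairs are denied."""
    def __init__(self, grants):
        self._grants = set(grants)
    def permits(self, user, resource):
        return (user, resource) in self._grants
    def revoke(self, user, resource):
        self._grants.discard((user, resource))

class CachingGuard:
    """Anti-pattern: stores the first decision and never consults the policy again."""
    def __init__(self, policy):
        self.policy, self._cache = policy, {}
    def check(self, user, resource):
        key = (user, resource)
        if key not in self._cache:
            self._cache[key] = self.policy.permits(user, resource)
        return self._cache[key]

class MediatingGuard:
    """Checks the policy on every access and rejects sessions older than the TTL."""
    def __init__(self, policy, clock=time.monotonic):
        self.policy, self.clock, self._signed_on = policy, clock, {}
    def sign_on(self, user):
        self._signed_on[user] = self.clock()
    def check(self, user, resource):
        started = self._signed_on.get(user)
        if started is None or self.clock() - started >= SESSION_TTL:
            self._signed_on.pop(user, None)  # stale or missing session: sign on again
            return False
        return self.policy.permits(user, resource)

def demo():
    now = [0.0]  # constructed clock so the timeout can be shown without waiting
    policy = PolicyStore({("alice", "transfer"), ("alice", "balance")})
    cached, mediated = CachingGuard(policy), MediatingGuard(policy, lambda: now[0])
    mediated.sign_on("alice")
    cached.check("alice", "transfer")            # warms the cache with "allow"
    policy.revoke("alice", "transfer")           # permission changes over time
    stale = cached.check("alice", "transfer")    # cached answer, policy not consulted
    fresh = mediated.check("alice", "transfer")  # policy re-consulted on this access
    now[0] = SESSION_TTL - 1
    in_window = mediated.check("alice", "balance")
    now[0] = SESSION_TTL
    expired = mediated.check("alice", "balance")
    return stale, fresh, in_window, expired
```

`demo()` returns the four decisions in order: the cached guard still allows the revoked transfer, while the mediating guard denies it and also denies any access once the session reaches the 15-minute limit.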

OPEN DESIGN

According to this principle, the security architecture and design of a system should be made publicly available. → Security should rely (be based) only on keeping cryptographic keys secret. Open design allows for a system to be scrutinized (analyzed) by multiple parties, which leads to the early discovery and correction of security vulnerabilities caused by design errors. The open design principle is the opposite of the approach known as security by obscurity, which tries to achieve security by keeping cryptographic algorithms secret and which has been historically used without success by several organizations.

SEPARATION of PRIVILEGE

This principle dictates that multiple conditions are required to achieve access to restricted resources or have a program perform some action.

ex. multifactor user authentication, which requires the use of multiple techniques, such as a password and a smart card, to authorize a user.

LEAST PRIVILEGE

Each program and user of a computer system should operate with the bare minimum (the indispensable minimum) privileges necessary to function properly.

If this principle is enforced, abuse of privileges is restricted, and the damage caused by the compromise of a particular application or user account is minimized.

ex. role-based access control → Each role is assigned only those permissions needed to perform its functions.
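An added example (not from the original notes) that ties together the fail-safe defaults and least privilege principles: a role-based check where access exists only if a role grants it, plus a review that lists permissions a user holds but never exercised. The roles, users, permission names and access log are all constructed for illustration.

```python
# Constructed role model: each role lists only what it is permitted to do.
ROLE_PERMISSIONS = {
    "teller":  {"account:read", "account:deposit"},
    "auditor": {"account:read", "log:read"},
    "intern":  set(),  # a new role starts with no rights (fail-safe default)
}
USER_ROLES = {"anna": {"teller"}, "marco": {"auditor", "teller"}, "luca": {"intern"}}

def effective_permissions(user):
    """Union of the permissions of the user's roles; unknown names add nothing."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def is_allowed(user, permission):
    """Permission-based decision: the default answer is lack of access."""
    return permission in effective_permissions(user)

def unused_grants(access_log):
    """Least-privilege review: per user, permissions granted but never exercised."""
    used = {}
    for user, permission in access_log:
        used.setdefault(user, set()).add(permission)
    report = {}
    for user in USER_ROLES:
        excess = effective_permissions(user) - used.get(user, set())
        if excess:
            report[user] = sorted(excess)
    return report

# Constructed access log of (user, permission) events that were observed.
SAMPLE_LOG = [
    ("anna", "account:read"), ("anna", "account:deposit"),
    ("marco", "account:read"), ("marco", "log:read"),
]
```

Running `unused_grants(SAMPLE_LOG)` flags that marco holds a deposit permission he never used, which is a candidate for removing his teller role.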

LEAST COMMON MECHANISM

In systems with multiple users, mechanisms allowing resources to be shared by more than one user should be minimized → providing mutual security.

ex. if a file or application needs to be accessed by more than one user, then these users should have separate channels by which to access these resources, to prevent unforeseen (unexpected) consequences that could cause security problems.

PSYCHOLOGICAL ACCEPTABILITY

This principle states that user interfaces should be well designed and intuitive, and all security-related settings should adhere (conform) to what an ordinary user might expect.

WORK FACTOR

According to this principle, when designing a security scheme, the cost of circumventing (bypassing) a security mechanism should be compared with the resources of an attacker.