IT 2030C Chapter 1 - Security from the Ground Up

16 May 2018
Chapter 1 - Security from the Ground Up
Security Landscape
Malware exploits weaknesses in people's computers. It may damage hardware or software, or it may leak
information.
A worm is malware that constantly scans the Internet, searching for vulnerable computers. When the worm finds a
weakness, it burrows into the vulnerable computer, establishes itself there, and then uses that computer to keep
scanning for more victims.
Computers compromised this way can be gathered under one attacker's control into a botnet. The botnet's operator
may use this brigade of computers to send "spam" email.
Other botnets perform denial of service (DoS) attacks in which thousands of individual computers send
overwhelming amounts of traffic at a victim computer, blocking the flow of legitimate traffic. Because the traffic
comes from many sources at once, this is a distributed denial of service (DDoS) attack, and the victim cannot stop it
simply by blocking a single address.
Security decision-making falls into three categories:
Rule-based decisions: These are made for us by external circumstances or established, widely accepted
guidelines.
Relativistic decisions: These try to outdo others who are faced with similar security problems.
Requirements-based decisions: These are based on a systematic analysis of the security situation.
Rule-Based and Relativistic Decisions
Hunter's dilemma: You are with a group of hunters who encounter an angry bear. The bear can run faster than
you can, so how do you escape? Cynics and survivors point out that you don't have to outrun the bear; you only
have to outrun another hunter.
Applied to security, this is the relativistic view: you don't have to defeat every attack, you simply have to be
harder to catch (or rob) than your neighbor.
Security decisions made for us, or those based on one-upmanship, are not always the best ones. A rule written
for someone else's situation may not fit ours, and being slightly better protected than a neighbor says nothing
about whether we are protected well enough against the threats we actually face.
Requirements-Based Security
We identify and prioritize our security needs in a risk assessment process. The output is a list of security
requirements, which we then use to choose the controls.
For example, if you rely heavily on a piece of software and the files it creates, the requirement is to protect
those files against loss; one control that meets it is to make a back-up copy and store it away from the
hardware, so that a single failure, theft, or fire does not destroy both the original and the copy.
Relativistic security
Both rule-based and relativistic decisions often arise from security checklists, which identify various security
controls one might use.
Longer and more-challenging checklists promote relativistic security: the goal becomes completing more items
than others do, rather than addressing our own risks.
In requirements-based security, we instead use our requirements to choose among competing checklists. If our
requirements lead us to choose multiple checklists, the requirements also help us prune the lists:
we review each security control in a checklist and discard it if it doesn't really address one of our requirements.
The Risk Management Framework (RMF), published by NIST in Special Publication 800-37, is a way to assess and
manage cybersecurity risks when developing large-scale computer systems. As described here there are six steps
in the framework (NIST's Revision 2 of SP 800-37, released in December 2018, added a preliminary "Prepare" step
ahead of these):
Categorize the information system: identify its goals, security risks, and requirements.
Select security controls: identify existing controls and additional ones required.
Implement security controls: construct the system containing the controls.
Assess security controls: verify that the controls work as required.
Authorize the information system: approve the system for operation and deploy it.
Monitor security controls: watch for security incidents and address them; also review the environment for
changes that affect security.
Sometimes a business (a small or medium one, for instance) does not require such a complicated process. Instead it
can use a subset, the Proprietor's RMF (PRMF), which contains only four steps:
Establish system and security goals: identify the system's goals, security risks, and requirements. We perform
a risk assessment and use it to produce a list of security requirements.
Select security controls: identify existing controls and additional ones required, and construct the system
containing the controls. We use the security requirements to identify the controls we require.
Validate the information system: verify that the controls work as required, approve the system for operation,
and deploy it. We test the system's controls against the security requirements to ensure that we address our
risks.
Monitor security controls: watch for security incidents and address them; also review the environment for
changes that affect security. The system must contain security controls that keep records of security-relevant
operations and incidents, since we cannot detect or investigate an incident that left no record.
Both forms of the RMF illustrate a systems engineering process: a way to plan, design, and build a complicated
system. Such processes share some common features.
Planning: early phases lay out the project's expectations and requirements.