quartz/content/notes/02-concepts-and-roles.md

---
title: "02-concepts-and-roles"
aliases: 
tags: 
- comp210
- lecture
sr-due: 2022-07-17
sr-interval: 3
sr-ease: 250
---

- [slides](https://blackboard.otago.ac.nz/bbcswebdav/pid-2956897-dt-content-rid-18930757_1/courses/COMP210_S2DNI_2022/Lecture_02%281%29.pdf)

# News
- [more personal email scams](https://theconversation.com/email-scams-are-getting-more-personal-they-even-fool-cybersecurity-experts-186009)
	- They have more knowledge about your personal information
- [deakin university attack](https://australiancybersecuritymagazine.com.au/up-to-10000-students-targeted-in-deakin-university-cyberattack/)
	- staff credentials were leaked and acces to students information was gathered
- [rusian hackers attack lithuania](https://www.reuters.com/world/europe/russian-hacker-group-says-cyber-attacks-continue-lithuania-2022-06-28/)
- [attacks against india](https://www.indiatoday.in/india/story/prophet-row-international-hackers-cyber-attacks-india-nupur-sharma-remark-1961941-2022-06-13)
- [retbleed attack affects AMD and Intel CPUs (spectre-based speculative-execution attacks)](https://thehackernews.com/2022/07/new-retbleed-speculative-execution.html)

# Vulnerabilities
- a potential weakness in an asset
	- or in its defense security control
- e.g., flaws in software packages or an unprotected system port

exploit is the technique used to attack

- [RAND report r-609-1 (1979)](https://i.imgur.com/GEVLIq1.png)
- need to be aware of vulnerabilities

e.g.,
- websites can steal browser data via extension APIs

# Security services and control
- services
	- the intended security goal or property (C.I.A provides the three main security services)
	- confidentiality
	- integrity
	- awareness
- controls
	- the mechanisms employed to implement the services
	- encryption
	- firewalls
	- awareness

## Controls
- physical controls
	- facility protection
	- guards
	- locks
	- monitoring
	- environment controls
	- intrustion detection
- technical controls
	- network security
	- cryptography
	- forensics
	- user authentication
	- etc
- administrative controls
	- policies
	- standards
	- procedures
	- guidelines
	- personnel screening
	- awareness training

- Preventive 
	- e.g., "prevent exposure of critical information"
	- control - e.g., encrpytion
- detective
	- e.g., "we want to warn attempts of intrustions"
	- control - e.g., intrusion detection systems
- corrective
	- reduce/fix damage
	- e.g., "we want to repair our system in case of errors"
	- conrtol - e.g., restoration point mechanisms (e.g., version control systems like [git](notes/git.md))

- we need security controls for all info states:
	- storage
		- information storage containers
		- electronic, physical, human
	- transmission
		- physical or electronic
	- processing
		- physical or electronic

# CIA
- a security service provides a high level security property

## Confidentiality
- information should not be available to unauthorised people
- divided into:
	- secrecy: protecting business data
	- privacy: protecting personal data
	- anonymity: hide who is engaging in what actions
- threats: information theft, unintentional disclosure
- controls: encyption, access control, perimeter defense
- general controls: secure systems development, and incident response

## Integrity
- data integrity: should not be corruped, tampered, altered with etc in an unauthorised manner
- system inegrity: accuracy and completeness
- threats: data and system corruption, loss of accountability
- controls: 
	- hashing, cryptographic integrity check and encryption
	- authentiation, access control
	- digital signing
	- config management and change control 
- general controls: Secure Systems Development and Incident Response

## Availability
- information should be accessible and usable upon demand by an authorised entity
- main threat: DoS
- controls:
	- redundancy of resources
	- load balancing
	- software and data backups
- general controls: Secure Systems Development and Incident Response

## Additionally properties
- accuracy - free from mistakes and erors
- authenticity - genuine or original
- utility - serve a purpose (e.g., census data)
- possession - ownership or control (importat for privacy)

# Privacy and Actors
- [facebook gdpr](https://techcrunch.com/2018/04/17/facebook-gdpr-changes/)

## GDPR
- To protect specific aspects of information that may be related to natural persons (personal information) 
- Prevent unauthorized collection and storage of personal information 
- Make sure your personal information is correct 
- Ensure transparency and access for data subjects 
- Provide adequate information security (C.I.A) around personal information 
- Define clear responsibilities around personal information 
- GDPR became EU law on 25 May 2018 (General Data Protection Regulation)

- [who can see my email](https://i.imgur.com/34R3hJx.png)

## Actors
- threat actors
	- those responsible for the security incident
- (security) Hacker
	- uses technical skills and knowledge to uncover bugs or exploits
- Attacker
	- may use other (non-technical) means to exploit data and system (the malicious intention is what matters here)

- intelligence agencies
- law enforcement
- nation states
- independents (hackers, criminals, private surveillance, manufacturers etc)

- [motivaitions](https://i.imgur.com/74qgpsc.png)

## Skills and focus of actors
- low skill & low focus
- high skill & low focus
- high skill & high focus
	- intelligence agencies
	- highly sophicticated

# Shared responsibility
- business needs first
- [information securty functions](https://i.imgur.com/apXn7Qb.png)
- [protecting the functionality of an organization](https://i.imgur.com/pT1nL8E.png)
- [enablling safe operation of applications](https://i.imgur.com/Ytzlqhc.png)
- [safeguarding technology assets in organizations](https://i.imgur.com/gNgScT8.png)

# Balance

- [balance](https://i.imgur.com/df1LZuP.png)