Podcast
Questions and Answers
What principle ensures that access levels are minimized to only what is necessary for an application to function?
What principle ensures that access levels are minimized to only what is necessary for an application to function?
Which of the following describes privilege creep?
Which of the following describes privilege creep?
What is essential for complete mediation in security?
What is essential for complete mediation in security?
Which strategy helps to prevent unnecessary privilege accumulation in an organization?
Which strategy helps to prevent unnecessary privilege accumulation in an organization?
Signup and view all the answers
What is the recommended default practice for application access?
What is the recommended default practice for application access?
Signup and view all the answers
Which component contributes to a layered defense strategy?
Which component contributes to a layered defense strategy?
Signup and view all the answers
Which approach involves granting elevated privileges only as needed?
Which approach involves granting elevated privileges only as needed?
Signup and view all the answers
What does the principle of Secure Defaults emphasize in software design?
What does the principle of Secure Defaults emphasize in software design?
Signup and view all the answers
How does the Least Privilege Principle enhance software security?
How does the Least Privilege Principle enhance software security?
Signup and view all the answers
What is the purpose of Separation of Duty in software security?
What is the purpose of Separation of Duty in software security?
Signup and view all the answers
What is Privilege Creep and why is it a concern in software security?
What is Privilege Creep and why is it a concern in software security?
Signup and view all the answers
What is Complete Mediation and how does it affect system security?
What is Complete Mediation and how does it affect system security?
Signup and view all the answers
What does the concept of 'Least Privilege' emphasize?
What does the concept of 'Least Privilege' emphasize?
Signup and view all the answers
Which of the following best describes 'Secure Defaults'?
Which of the following best describes 'Secure Defaults'?
Signup and view all the answers
In coding practices, what measure is advised to maintain security by limiting access?
In coding practices, what measure is advised to maintain security by limiting access?
Signup and view all the answers
What does 'Deny by Default' imply in access control?
What does 'Deny by Default' imply in access control?
Signup and view all the answers
Complete mediation in security contexts refers to what?
Complete mediation in security contexts refers to what?
Signup and view all the answers
What is a potential consequence of privilege creep?
What is a potential consequence of privilege creep?
Signup and view all the answers
Which mechanism helps ensure that access to sensitive information requires multiple conditions to be met?
Which mechanism helps ensure that access to sensitive information requires multiple conditions to be met?
Signup and view all the answers
What principle stresses minimizing shared mechanisms among users in a system?
What principle stresses minimizing shared mechanisms among users in a system?
Signup and view all the answers
Failure in a system should be designed to do what according to fail-safe principles?
Failure in a system should be designed to do what according to fail-safe principles?
Signup and view all the answers
Which of the following reflects a proper understanding of 'Separation of Duty'?
Which of the following reflects a proper understanding of 'Separation of Duty'?
Signup and view all the answers
Study Notes
Course Information
- Course Name: Cybersecurity Fundamentals
- Course Code: CSC 1029
Week 2 Agenda
- What is Cybersecurity and Types of Attacks
- Cybersecurity Objectives
- What are we protecting
- Cost of Cybersecurity
- Your Next Move: Software Developer Vulnerabilities
- Threat Model: STRIDE
- Types of Attacks
- Importance of Software Security
- TODO and Resources for Help
Objectives
- Understanding cybersecurity and its importance
- Knowing what is being protected from attackers
- Learning from historical and current events, emerging trends
What is Cybersecurity?
- Read CompTIA article (link provided).
- Watch YouTube video (link provided).
Objectives of Cybersecurity
- Read CompTIA resource on the State of Cybersecurity for 2024 Market Overview through to Policy (link provided).
- Students to determine top objectives for Cybersecurity.
What are we Protecting?
- Review 16 Critical Infrastructure Sectors (link provided).
Cost of Cybersecurity
- Estimated global cost of cybercrime in 2021: $6.1 trillion.
- Estimated global spending on cybersecurity in 2022: $172.5 billion.
- U.S. job openings requesting cybersecurity-related skills: 714,548 (Source: CyberSeek).
Your Next Move: Software Developer
- Read CompTIA blog on Your Next Move Software Developer (link provided).
Vulnerabilities
- Review the National Vulnerability Database (link provided).
- Explore visualizations of vulnerabilities.
Threat Model: STRIDE
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
Types of Attacks
- Social engineering (organization penetration, IT infrastructure exploration, phishing, spam, spoofing, man in the middle)
- Attacks on application's software (Cross-site scripting (XSS), Buffer overflows, SQL code injection, Time/logic bombs, Back door)
- Attacks on supporting infrastructure (Denial of Service (DoS), Viruses, Worms, Trojans, Spyware, Adware)
- Physical attacks (external drives, flash sticks, bringing down the system, stealing hardware)
Importance of Software Security
- Engineering software to function correctly under malicious attacks
- Addressing security vulnerabilities in early stages of development.
- Security as a risk management practice (link to article provided)
- Software Security refers to many aspects related to software including detecting malicious attack, Continuing function under attack, and maintaining confidentiality, integrity, and availability
Cybersecurity Principles
- Complete provided interactive lesson
SDL Secure Design Principles
- Safer applications start with secure design
- Assume all applications can be compromised
- Core SDL secure design principles: Attack Surface Reduction, Basic Privacy, Threat Modeling, Defense in Depth, Least Privilege, Secure Defaults.
Attack Surface Reduction
- Attack surface is any part of an application human or another program can access
- Minimize exposed attack surface - malicious users find and exploit
Basic Privacy
- Privacy vs Security (empowering users to control personal information and security establishing measures protecting confidentiality).
- Privacy and security are key factors in trusted applications.
Threat Modeling
- Process to understand threats to an application
- Threats and vulnerabilities different
- Vulnerabilities are specific ways a threat is exploitable (e.g., coding errors)
- Steps are identifying, defining, validating, mitigating, and validating.
Defense in Depth
- Assumes that software and hardware will fail
- Trusted applications (security and privacy features).
- Most applications can be compromised when only one layer is breached (firewall)
- Layers defend the application
Least Privilege
- If an application is compromised, the potential damage is contained and minimized
- Trust with reluctance, need-to-know
- Evaluate application minimally (default is no access)
- Minimum access level for application functions.
- Privileges elevated only when needed, release afterward.
Privilege Creep and Complete Mediation
- Gradual accumulation of access rights beyond what an individual needs for their job.
- Occurs when a job changes and new privileges are granted.
- Every access check must be efficient, restricting caching of information
Separation of Privilege or Duty
- Access based on multiple conditions (multi-factor authentication)
- Separation of duties/two-person rule
- Coding with limited global variables, local data and arguments
- Permission to access = Authorization
- Define access to objects and who should access them
Least Common Mechanism
- Minimize mechanism common to multiple users (dependence on all users)
- Every shared mechanism is a potential information path
Secure Defaults
- Deploy applications with secure configurations by default
- Ensures safer user experience from the start.
- Favor white-listing over black-listing (if some action fails, the default is deny-access)
- Simplicity is favored
Deny by Default and Fail-Safe
- Everything not explicitly permitted is forbidden (by default)
- Fail-safe engineering design responds in the event of a specific failure type, avoiding harm
- System design to prevent unsafe consequences
MGM Casino Cyberattack (2023)
- Read article on the attack (link provided)
- Evaluate if MGM followed secure design principles (Attack Surface Reduction, Basic Privacy, Threat Modeling, Defense in Depth, Least Privilege, Secure Defaults).
Pre-work Grade/TODO's
- Post weekly discussion question and research solution to D2L.
- Complete Week 2 Content Module to 100% in D2L.
Questions/Help/Clarification
- Student office hours (appointments and drop-ins).
- Email address
- RRCC on-campus tutoring
- 24/7 online tutoring available in D2L
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Related Documents
Description
Test your understanding of the key concepts covered in Week 2 of Cybersecurity Fundamentals. This quiz includes questions on types of attacks, cybersecurity objectives, and the importance of software security. Dive deeper into what we are protecting against cyber threats and the associated costs.