Vulnerabilitys and Controls

Notes

• This finshes chapter 1.
• Vulnerabilities
  • The combination of a threat and a vulnerability is know as an attack vector.
  • A system's full set of vulnerabilities is known as the attack surface
    • access control (electronic)
    • access control (physical)
    • errors/flaws in software/configuration
    • physical hazards
    • human error
    • human actions (deliberate breaking of the system)
• Controls
  • We can :
    • prevent - block the attack or close vulnerability
    • deter - make it too hard
    • deflect - make another target more attractive
    • mitigate - reducing the impact if it occurs
    • detect - at least know it is happening
    • recover - put it back after it happens.
  • We frequently do multiples of these.
  • They identify controls in the following classes
    • Physical controls
      • Locks
      • Guards
      • Sprinklers and fire extinquishers
    • Procedural or Administrative
      • Laws and regulations
      • policies, procedures and guidelines
      • Training
    • Technical
      • Patching systems
      • passwords
      • encrypion
      • Controling network traffic