Harm

Notes

• 1.3 of the book
• The negative consequences of an actualized threat is harm.
• While we might not be able to place an actual value to the asset harmed, we can generally locate the value of an asset on a scale
  • low to high value
  • low to high importance
• The book lists a 2010 report by Symantec surveying prices of goods offered on underground web pages.
• I have found something more modern
  • This is a blog post, so it has not been vetted.
  • It is on a cyberscurity provider, so it is selling their services.
• There is always a trade off in vulnerabilities, harm and the cost of the controls
  • Money and time are always limitations
    • Staff and resources
    • Who do you hire and how many, what quality, ...
    • What services to you pay for, develop, ...
  • But also in usability/accessibility
• Choosing what threats to mitigate, and to what level is called risk management.
  • And you need to balance this carefully.
  • This is a high level cybersecurity activity
• Risk that remains uncovered is called residual risk
• Risk Management involves
  • Knowing the assets you want to protect
  • Prioritizing/selecting those assets you wish to protect
    • Based on value
    • Or harm due to loss
    • Cost of protection
  • Selecting controls to purchase and implement
• Remember
  • We probably don't know all assets
  • We probably don't know all the vulnerabilities of these assets
  • We probably only have a relative knowledge of the value of these assets.
• To help us decide on a strategy however, the authors encourage us to consider Method-Motive-Opportunity
  • Method: the skills and knowledge, tools, and other things needed to attack an asset
    • For may systems deep information about the system is available
      • Source code
      • Detailed specifications
    • Well financed threats may be able to duplicate complete systems.
    • There are many tools available to hackers
      • I plan to do a lab on John the Ripper a password cracking too.
      • Frequently when a vulnerability is discovered, a detailed report of the vulnerability is published.
        • These are to prove to the provided that a vulnerability exits.
        • And frequently contain information on how to exploit this vulnerability.
        • Sometimes rootkits or scripts that exploit the vulnerability are issued as well.
        • People who apply these without knowledge are called script kiddies
    • Remember, after the first $10,000, I can hire someone to help me out!.
  • Motive
    • Why would someone want to attack your systems?
    • Money
    • Revenge
    • Intellectual Curiosity
    • To show it can be done
    • Just for Fun
    • Because you are an easy target
    • To gain a tool for later attacks on others
    • Often it is difficult to determine the motive of an attacker
  • Opportunity
    • Public systems are public, so full opportunity.
    • Controlling opportunity is important.
• Understanding method-motive-opportunity is helpful when planning a risk management plan.