What is Cybersecurity

Objectives

1. Define the field of cybersecurity

Notes

• I am basing this mostly on Pfleeger chapter 1.
• What is your definition of cybersecurity?
  • What do we mean by cyber?
  • What do we mean by security?
• Asset:
  • Something of value.
  • What are your cyber assets?
• Hardware
  • The computer
  • Devices
  • Network gear
• Software
  • Operating system
  • Utilities
  • Applications (word, PowerPoint, games)
  • Custom Software
• Data
  • Documents
  • Pictures
  • Music, videos (commercial)
  • Music, videos (personal)
  • Email
  • Projects, special personal work
• Would you add anything to the lists above?
• For the lists above, which have the most value?
  • What do we mean by value
    • Cost to purchase?
    • Cost to replace?
    • What is the value if something can't be replaced?
    • Is value "universal"?
      • Is every item equally valuable to all people?
      • Is the value of an item constant to someone throughout time?
    • Big question: Is there a precise measure of the value for every object at every time?
  • Pfleeger points out that when you go to the beach, you leave some assets sit out (blanket, umbrella, drink) while others you keep with you, locked up or with a trusted friend (wallet, keys, phone).
• In the cyber security world, we frequently refer to the Vulnerability-Threat-Control paradigm
  • A paradigm is a example, pattern or model
  • In this case, we are discussing a framework
  • This gives us a basis to discuss cybersecurity
• Vulnerability
  • A weakness in a system that could be exploited to cause harm.
  • When logging in frequently a user must supply a password.
    • That password is a weakness or vulnerability.
    • If someone other than the user gains access to that password, they could "become" the user.
  • An unlocked and unattended computer account is a vulnerability
    • Anyone walking by could gain user level access to a system.
  • It would be very difficult to build a useful system with no vulnerabilities.
  • Perhaps "What weaknesses could be taken advantage of?" is a good intuitive definition of a weakness.
• Threat
  • A threat is a set of circumstances that could cause harm.
  • A student attempting to change their grades in my grade book is a threat.
  • A power outage not allowing access to my grade book is a threat.
  • A student wishing to post my grade book for everyone to see is a threat.
  • Perhaps, "What could go wrong?" is a good intuitive definition of a threat.
• Control
  • A procedure, action, mechanism, ... that removes or reduces a vulnerability.
  • An "screen lock" program that locks the computer after 5 minutes
  • A locked door
  • Training that says not to walk away from your computer unlocked.
  • Perhaps "What can we do to detect, reduce or prevent a threat from exploiting a vulnerability?" is a reasonable intuitive definition of control.
• We will look at each of these in more detail later.
• But this paradigm describes the world of cybersecurity.
• The money in your wallet is an asset, use the threat-vulnerability-control paradigm to describe how you might protect your wallet.
  • Vulnerabilities include
    • The money needs to be accessable. This makes it easier for anyone to get at.
    • Generally a wallet is a single point of failure, if it is taken, you have no backup.
    • It has weak physical security
    • Storage is predictable.
  • Threats
    • Pickpocket
    • Dropped/lost/forgotten
  • Controls
    • Move to a more secure location
    • Chain to self
    • Habit of checking for presence
• If it describes how something is weak, it's probably a vulnerability.
• If it describes who or what causes harm, it's probably a threat.
• For now, at this level of discussion, please find a teammate and do homework 1.