Vulnerabilities and Controls

• There are many vulnerabilities (weaknesses that can allow harm to occur) in a computer system.
• The attack surface is the system's full set of vulnerabilities both actual and potential
  • Physical hazards
  • human error
  • malicious attacks
• The attack surface must be analyzed and controls or countermeasures be placed to protect the system.
• These can include controls that
  • prevent or block the vulnerability
  • deter or make it harder to attack via a vulnerability
  • deflect or move the attack to another target
  • mitigate or reduce the impact of the vulnerability, or of the attack should it occur
  • detect the attack either as it happens or after it occurs
  • recover what was lost due to an attack.
• They discuss security in the Middle Ages, read that on your own.
• They list several classes of controls
  • Physical controls: stop or block the attack by using something tangible
  • Procedural or administrative: use a command or agreement to advise people how to act.
    • Laws and regulations
    • copyrights and patents
    • contracts and agreements
  • Technical: use technology to counter threats
    • passwords
    • firewalls
    • access control in programs
    • encryption
• In general one control is probably insufficient
  • For example, all three types are in place to ensure you don't steal hardware
    • Door locks and security cameras
    • Laws against theft
    • BIOS and software passwords.
  • Such overlapping controls are called defense in depth.