Security+ - Risk Management
- Lesson 2 - The CIA - Confidentiality, Integrity, Availability
  - Information security objectives
    - THE CIA // the CID (Portuguese acronym)
      - Confidentiality
        - Viewing / handling data
        - Keep data secret from anyone who does not need to access it
      - Integrity
        - Send / transmit / receive / store
        - No change or deletion may occur without authorization
      - Availability
        - Ensure that information is available
        - Access by an authorized user
    - Complementing the CIA
      - Accountability & Auditing
        - Logging
          - Who accessed this file?
          - Who made this change?
      - Non-repudiation
        - User
          - Cannot deny having performed a given action. They cannot erase their tracks
  - Quick review
    - The goal of security is defined as CIA
    - CIA stands for confidentiality, integrity, and availability
    - Don't forget auditing, accountability and non-repudiation
- Lesson 3 - Threat Actors
  - Attributes
    - Internal? / External?
    - What is the intention? What's the goal?
    - How sophisticated is the actor? More sophisticated = more dangerous
    - Using open-source intelligence (OSINT)? That means Facebook, Twitter, Shodan, etc.
  - Types of Threat Actors
    - Script kiddies
      - easily blocked
      - don't have sophistication
      - use pre-made tools
      - trivial attack knowledge
    - Hacktivist
      - motivation / intent / ideology
    - Organized crime
      - group of people working together
      - money
    - Nation states / Advanced Persistent Threat (APT)
      - probably the biggest issue
      - big resources
      - big sophistication
      - between governments
    - Insiders
      - somebody who is inside the company's structure
      - not always an employee
      - has access to information
      - someone who can access assets
    - Competitors
      - between organizations
      - it's like Coca-Cola vs Pepsi
      - less common today
- Lesson 4 - What is Risk?
  - Assets
    - computers
    - equipment
    - plants
    - people
    - intangible things
  - Vulnerabilities
    - a weakness in an asset
    - leaves it open to bad things happening to it
    - examples
      - default username on a server
      - server room left unlocked
      - garbage in the street containing confidential data
  - Threats
    - an action
    - a negative event that exploits a vulnerability
    - examples
      - someone reads the garbage
      - someone unauthorized walking into your server room
      - someone unauthorized getting access to your server
  - method to protect our stuff from bad things
  - Likelihood
    - the level of certainty that something will happen
    - two ways to measure
      - Quantitative likelihood
        - numbers, statistics, history
        - your power supply has an MTBF of 100 000 hours
      - Qualitative likelihood
        - things that are very hard to put numbers on
        - customer loyalty
  - Impact
    - the harm caused by a threat
    - measurements
      - quantitative
        - cost
        - labor
          - people work hours lost
        - time
          - what is the ETR?
      - qualitative
        - corporate reputation
  - Guide for risk management
    - NIST SP 800-30
  - Quick review
    - Threats exploit vulnerabilities to harm assets
    - assets can have vulnerabilities
    - use SP 800-30 as part of risk assessment
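The quantitative likelihood and impact notes above can be turned into a small calculation. The following Python is an added example (not part of the course notes) that takes the MTBF figure from the notes and some constructed cost values, and turns them into expected failures per year, the probability of at least one failure, and an expected annual loss. The exponential failure model and the low/medium/high thresholds are assumptions of this example, not figures from the notes.

```python
import math

HOURS_PER_YEAR = 24 * 365  # 8760 exposure hours for an asset that runs continuously


def expected_failures_per_year(mtbf_hours: float, exposure_hours: float = HOURS_PER_YEAR) -> float:
    """Quantitative likelihood: expected number of failures per year of exposure."""
    return exposure_hours / mtbf_hours


def annual_failure_probability(mtbf_hours: float, exposure_hours: float = HOURS_PER_YEAR) -> float:
    """Probability of at least one failure in a year.

    Assumes a constant failure rate (exponential distribution), which is the
    usual reading of an MTBF figure; this model is an assumption of the example.
    """
    return 1.0 - math.exp(-exposure_hours / mtbf_hours)


def quantitative_impact(replacement_cost: float, lost_labor_hours: float, hourly_rate: float) -> float:
    """Quantitative impact per event: hardware cost plus the value of people-hours lost."""
    return replacement_cost + lost_labor_hours * hourly_rate


def expected_annual_loss(mtbf_hours: float, replacement_cost: float,
                         lost_labor_hours: float, hourly_rate: float) -> float:
    """Risk in money terms: likelihood (failures per year) times impact per failure."""
    return expected_failures_per_year(mtbf_hours) * quantitative_impact(
        replacement_cost, lost_labor_hours, hourly_rate)


def qualitative_rating(probability: float) -> str:
    """Map a probability onto the kind of label used when numbers are hard to justify.

    The thresholds are constructed for this example.
    """
    if probability < 0.05:
        return "low"
    if probability < 0.25:
        return "medium"
    return "high"


if __name__ == "__main__":
    # MTBF of 100 000 hours comes from the notes; the cost figures are constructed.
    mtbf, cost, hours_lost, rate = 100_000, 1500.0, 40.0, 50.0
    p = annual_failure_probability(mtbf)
    print(f"expected failures/year: {expected_failures_per_year(mtbf):.4f}")
    print(f"P(at least one failure in a year): {p:.4f} ({qualitative_rating(p)})")
    print(f"expected annual loss: {expected_annual_loss(mtbf, cost, hours_lost, rate):.2f}")
```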