This course provides learners with a baseline understanding of common cyber security threats, vulnerabilities, and risks. An overview of how basic cyber attacks are constructed and applied to real systems is also included. Examples include simple Unix kernel hacks, Internet worms, and Trojan horses in software utilities. Network attacks such as distributed denial of service (DDOS) and botnet- attacks are also described and illustrated using real examples from the past couple of decades. Familiar analytic models are outlined such as the confidentiality/integrity/availability (CIA) security threat framework, and examples are used to illustrate how these different types of threats can degrade real assets. The course also includes an introduction to basic cyber security risk analysis, with an overview of how threat-asset matrices can be used to prioritize risk decisions. Threats, vulnerabilities, and attacks are examined and mapped in the context of system security engineering methodologies.
Example Case Study Matrix (Part 2)
Loading...
Del curso dictado por New York University Tandon School of Engineering
Introduction to Cyber Attacks
521 calificaciones
Explore Related Videos
At Coursera, you will find the best lectures in the world. Here are some of our personalized recommendations for you
New York University Tandon School of Engineering
521 calificaciones
Curso 1 de 4 en SpecializationIntroduction to Cyber Security
De la lección
Introducing Security Risk Analysis
This module introduces basic engineering and analysis methods for managing cyber security risk to valued assets.
Conoce a los instructores
Dr. Edward G. AmorosoResearch Professor, NYU and CEO, TAG Cyber LLC
Computer Science
Hi, folks.
So in this video what we're going to do is build on
the example network that we started with in our previous video.
So we'd laid out the different assets that exist in a typical network.
We came up with seven.
And we'd agreed that we would take those seven,
map them against the three threat types, confidentiality, integrity, and
availability/denial of service, and come up with a matrix.
So that's kind of cool, like gives us the ability now to look at each one.
So let's look row by row.
And what I'm going to do is I'm going to cheat a little bit.
When you're watching a cooking show, and
the cook just brings out the cake and it's all made.
[LAUGH] He's had to make that or he made it before.
So I've already gone through and in my own mind,
done a risk management assessment for each of the different cells.
Let me try and justify some of them.
I won't go through all 21, but we'll go through a handful of them.
I'll try and justify where I think they came from, and
help you understand how you might do it.
And by the way, you do not have to agree.
You may decide that something else is important.
Remember, we were talking about
determining asset priority in a previous discussion,
and I had you running into your house picking up what you thought was important.
Well, you might do something different than say your roommate.
You run in and grab one thing.
Your roommate grabs something else.
So it's not that there's no right answer,
because there are some answers that we don't make a lot of sense.
Like if your roommate runs into a burning house and takes a newspaper out,
you're going to say, what did you do that for?
There's almost no justification for that.
But if you grab cash and
your roommate grabs an important book, they're both justifiable.
So that's something I want to make sure you have in your mind.
As you work through these exercises, as you do the system security analysis,
as you become an expert security consultant making a whole bunch of money
doing consulting work, you want to be able to justify your answer.
You want something that is reasonably justifiable.
That makes sense?
If you can do that, I'm happy.
Once you can justify, I'm happy.
Can't justify, I'm not happy.
So let's go through the first one.
So mobiles.
In a typical enterprise today, I put confidentiality,
integrity, and availability low.
Now, you might totally disagree with that.
The reason I put it low is because I think all the interesting stuff is happening
out in the cloud.
So your mobile, and I've spent almost a lifetime in mobility,
is a window into other assets, so it's important.
I can't walk 30 seconds without my mobile, I feel like I'm in a panic, but
it's not the mobile, it's what it represents.
So the ability to access things is really what's critical.
So for me the way I've interpreted this, is that the information that I grab,
that's where I'm going to be placing highs and mediums.
But the mobile itself for me, I decided that it's been low, you may disagree but
I can justify it.
PCs, I made confidentiality and
integrity a little bit higher only because most of you watching me right
now tend to store a lot of interesting stuff on your PCs, you just do.
Like if you're a hacker and you have your choice of where to steal things from,
you're always going to pick the PC because the PC has tons of files,
directories, information, your tax forms, whatever.
There's probably a treasure trove of interesting stuff there,
whereas the mobile, not so much, but you might use the mobile to gain access to
things that would exist in the cloud, so I put the PCs a little higher.
Local area network, I put it low across the board.
I think your local Wi-Fi, yes, somebody can maybe listen into Wi-Fi and
maybe the nasty kid next door is using your Wi-Fi to go out and
surf the Internet or whatever, as a risk it's not zero, but I put it at low.
Storage, I think this is a little bit more interesting now.
Like if we decide that the company that we were sort of positing in our
seven asset kind of characterization,
let's say they're in the business of writing software.
Most companies nowadays are,
it's hard to find any company now in any industry that's not writing software or
some type that's part of their intellectual property.
Well, the storage software is probably the most important thing they do, and
certainly then the integrity of that software is it resides in storage
is supremely important.
There's no question about it.
I said low availability, look, if this was a service provider,
let's say this was your local phone company, your telecommunications company.
You might decide that storage will be a little bit more important from
an availability perspective, but I'm just thinking the assumption that it's not.
Email, calendar, I just put across the board as medium.
There's a lot of confidential stuff that gets sent around in email.
I want to make sure that's protected.
Here in the United States we just had an election where some hacking into email was
pretty consequential.
So you'd never put that as zero, but I don't think there's too many companies
that would say that email and calendar would be their top risks.
So I put them in the medium.
Business support.
Again, high integrity of your financials are embedded in there.
You want people mocking around with that.
That is absolutely critical keeping that.
And you might say that if customer lesser in there,
you could justify that being high, I didn't, but you could.
You could make that determination, in which case you might go medium to high.
And then, finally, your website, I think that for
most companies this is about the most important asset.
It's your customer-facing, visibility.
If you're an e-commerce site, it's where you do business.
So I said high in terms of confidentiality and integrity.
So again, you see my thought process here.
I said I was cheating.
I really baked the cake.
If we were doing this together, we'd be doing a threat tree,
doing a full risk analysis under each cell.
Maybe doing it as a team really coming to some consensus about what we
think will be their appropriate ratings.
And notice, another shortcut is low, medium, high.
I just picked that as a very simple scale.
You might decide that you want to pick a scale from 1 to 10 or
from 1 to 1,000 if you really want some sensitivity.
If you were doing this for a nuclear power plant,
do you think it would be overkill to have scales from 1 to 1,000?
To have big teams doing the risk assessment
in each of the different thread asset matrix components and
really coming through a general consensus that you properly characterize risk.
That's how it's done.
If you were wondering, if you think,
how do you possibly do security in something like a nuclear power plant?
This is it.
I'm showing you.
This is not familiar to most of you.
You're looking at this going, what is this?
This is not cyber security, but I'm showing you, this is how you do it.
You make determinations, risk management determinations.
Now, behind all of these, as you'll see in the next video,
we're going to make some decisions about what to do, and
that's where we start talking about the things that are familiar.
So for example, if we decide to put cryptography somewhere, well,
it's going to be driven by this.
I'm not going to put cryptography somewhere for the heck of it.
By this, would I be encrypting all the mobiles?
Is that worth spend my money?
If I have $1 to spend on something, am I putting encryption on the mobiles?
No, I'm doing something probably that the integrity of
some of my important assets, in the website, you get the point?
So you're going to making those decisions and you'll see that coming up, but
now, let's do a little quiz here,
just as a little test of our understanding of how this works.
So we said, what justifies making the mobile piece low and
then the website high, and we said hackers don't care.
Mobile information beacons, website information
might include some important adds, some important products or things.
And then mobile Android.
The answer's C.
I mean the fact that the website probably includes so
much consequential information for your company, makes me say hi, now if you run
a website that's just a little marketing thing with nothing important and
if it got knocked out you wouldn't care less, then you wouldn't put high,
you'd put a lower point.
Remember, it's all about this being justifiable.
Not about being correct or incorrect that it be justifiable.
So in the next video, we'll go on and we'll start learning a little bit about
how safeguards connect up with the risk analysis activities.
So I'll see you in the next one.
Explora nuestro catálogo
Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.
Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.
© 2019 Coursera Inc. Todos los derechos reservados.
