Testing for Vultnerabilities

Loading...

Del curso dictado por New York University Tandon School of Engineering

Introduction to Cyber Attacks

275 calificaciones

New York University Tandon School of Engineering

Introduction to Cyber Attacks

275 calificaciones

Curso 1 de 4 en SpecializationIntroduction to Cyber Security

This course provides learners with a baseline understanding of common cyber security threats, vulnerabilities, and risks. An overview of how basic cyber attacks are constructed and applied to real systems is also included. Examples include simple Unix kernel hacks, Internet worms, and Trojan horses in software utilities. Network attacks such as distributed denial of service (DDOS) and botnet- attacks are also described and illustrated using real examples from the past couple of decades. Familiar analytic models are outlined such as the confidentiality/integrity/availability (CIA) security threat framework, and examples are used to illustrate how these different types of threats can degrade real assets. The course also includes an introduction to basic cyber security risk analysis, with an overview of how threat-asset matrices can be used to prioritize risk decisions. Threats, vulnerabilities, and attacks are examined and mapped in the context of system security engineering methodologies.

De la lección

Understanding Basic Security Frameworks

This module introduces some fundamental frameworks, models, and approaches to cyber security including the CIA model.

Assignments and Reading2:53

Purpose of Cyber Security4:58

Adversary Types7:35

Vulnerability Types5:16

Threat Types5:22

Matching Quiz1:03

Matching Quiz Solution1:19

Confidentiality Threat6:06

Integrity Threat6:36

Availability Threat5:52

Fraud Threat5:15

Testing for Vultnerabilities4:58

Brute Force vs. Hueristic Attacks3:38

Crytanalysis5:07

Cryptanalyzing Caesar Cipher4:46

Welcome Jose Dominguez9:59

Conoce a los instructores

Dr. Edward G. Amoroso
Research Professor, NYU and CEO, TAG Cyber LLC
Computer Science

Now I want to talk to you about testing for vulnerabilities in this segment.

But let's start by talking about software testing.

There's a great computer scientist who lived, he died a few years ago.

His name was Edsger Dijkstra, absolutely wonderful computer scientist.

And in fact, in my opinion,

if computer science science had its Einstein, I think it was Dijkstra.

And what he taught us was so much about software, and why software, in some sense,

really is rooted in mathematics, and we have to be very careful about it.

But one of his major messages was around testing.

And how testing, kind of in his words, I'm going to paraphrase.

But he said testing is a good way to demonstrate the presence of a problem,

but it's terrible way to prove their absence.

Does that make sense?

When I test, I can show that there's a problem, no question.

If I find the problem, I test, it didn't work.

I go look, didn't work, I tested, you go, okay.

Now what can you conclude from that?

You can conclude that there's one problem.

If I fix that problem, can I extrapolate that to having fixed all of them?

No, and that's a problem in cybersecurity.

Look, a lot of you sitting there listening,

a lot of our learning community, probably think of penetration testing,

meaning doing some probes into systems,

as a pretty effective way of determining if there's a security problem.

You might be sitting in some town, or city,

or country, wherever you are, and maybe you even do some of this.

A shop owner, bank, a business, a government agency says, hey,

I see you know a little about cybersecurity.

Would you help me with my security?

And you say, of course, I'd be very happy to help you.

And perhaps very innocently and not being aware of the warning that we get from

Edsger Dijkstra, you roll in and it becomes your task or

your intent to do penetration testing.

Or to test for different types of flaws that would occur or

be existent in their system, right?

You'd roll in, you'd try this, you'd try that.

You'd try breaking in to this, you'd fuss around with that.

Maybe it's a medical device, you'd wear it, try to break it.

You'd connect it to weird stuff.

And then you'd have a breakthrough where you'd go, my gosh!

If I do this and that, it breaks, and you write it down.

And you produce a report, and you go back to your customer and say,

I did a bunch of testing.

And look, if you do this thing, wiggle the wire connected to this thing, it breaks.

Your customer is going to be very pleased.

You found a problem, they'll fix that problem, they'll pay you.

You go off, and what have you really shown?

You've proven that there's one problem, but

you've not demonstrated the absence of others.

Does that makes sense?

It's really important because so much of cybersecurity is

rooted in this idea that by penetration testing, by hacking,

by being a white-hat hacker, a benevolent hacker, by probing,

testing, and so on, that I can demonstrate the absence of security problems.

That is just not true, absolutely fundamental that you keep that in mind.

Because I think it arguably could be the biggest misconception that exists in

cybersecurity today.

And I think it plays to the enjoyment that a lot of us have in breaking into stuff.

Let's face it, it is fun to break into things.

If you're a little mischievous, then you probably find cybersecurity fascinating.

That's been experience, I've been at this for 31 years.

And I find that the types of people that are attracted to cybersecurity are often

the types of people who have that little malicious or mischievous streak.

Where they like to break things, and probe, and find problems, and

point those problems out.

There's nothing wrong with that.

I think that's something you should be proud of.

That's something that makes you a more intelligent person,

a more inquisitive person.

So don't lose that, but

recognize that there are limitations as we test for penetrations.

Now the theory, and we've got a chart that sort of shows that,

there's a theory that if there are a number of vulnerabilities between, say,

a subject and an object, then by testing, I might find one path through.

But if I find 1 path, there might be 50 other paths.

And in my report, I would say, hey, here I found these two or three vulnerabilities.

I found these paths, you'd be very happy, but I'm missing all the others.

You get the idea, but I think it's something that, as a learning community,

we need to keep in mind as we go through our material through these sessions, so

thanks.

Explora nuestro catálogo

Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.

Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.

© 2018 Coursera Inc. Todos los derechos reservados.

Descargar en la App Store

Consíguelo en Google Play