Ramy Al Damati

Objectives:



Recall essential terminology


List the elements of security


As with any new technology topic, terminology is used that must be learned to better understand the field. To be a security professional, you need to understand the relationship between threats, assets, and vulnerabilities.



Risk is the probability or likelihood of the occurrence or realization of a threat. There are three basic elements of risk: assets, threats, and vulnerabilities. Let’s discuss each of these.



An asset is any item of economic value owned by an individual or corporation. Assets can be real — such as routers, servers, hard drives, and laptops — or assets can be virtual, such as formulas, databases, spreadsheets, trade secrets, and processing time. Regardless of the type of asset discussed, if the asset is lost, damaged, or compromised, there can be an economic cost to the organization.


A threat is any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset. From a security professional’s perspective, threats can be categorized as events that can affect the confidentiality, integrity, or availability of the organization’s assets. These threats can result in destruction, disclosure, modification, corruption of data, or denial of service. Some examples of the types of threats an organization can face include the following:



Unauthorized Access


If userids and passwords to the organization’s infrastructure are obtained and confidential information is compromised and unauthorized, access is granted to the unauthorized user who obtained the userids and passwords.


Stolen/Lost/Damaged/Modified Data


A critical threat can occur if the information is lost, damaged, or unavailable to legitimate users.


Disclosure of Confidential Information


Anytimethere is a disclosure of confidential information, it can be a critical threat to an organization if that disclosure causes loss of revenue, causes potential liabilities, or provides a competitive advantage to an adversary.


Hacker Attacks


An insider or outsider who is unauthorized and purposely attacks an organization’s components, systems, or data.


Cyber Terrorism


Attackers whotarget critical, national infrastructures such as water plants, electric plants, gas plants, oil refineries, gasoline refineries, nuclear power plants, waste management plants, and so on.


Viruses and Malware


An entirecategory of software tools that are malicious and are designed to damage or destroy a system or data.


Denial of Service (DoS) or Distributed Denial of Service Attacks


An attack against availability that isdesigned to bring the network and/or access to a particular TCP/IP host/server to its knees by flooding it with useless traffic. Many DoSattacks, such as the Ping of Death and Teardrop, exploit limitations in the TCP/IP protocols. Like malware, hackers constantly develop new DoS attacks, so they form a continuous threat.


Natural Disasters, Weather, or Catastrophic Damage


Hurricanes, such as Katrina that hit New Orleans in 2005, storms, weather outages, fire, flood, earthquakes, and other natural events compose an ongoing threat.
If the organization is vulnerable to any of these threats, there is an increased risk of successful attack.



A vulnerability is a weakness in the system design, implementation, software or code, or the lack of a mechanism. A specific vulnerability might manifest as anything from a weakness in system design to the implementation of an operational procedure. Vulnerabilities might be eliminated or reduced by the correct implementation of safeguards and security countermeasures.



Vulnerabilities and weaknesses are common with software mainly because there isn’t any perfect software or code in existence. Vulnerabilities in software can be found in each of the following:



Firmware


This software is usually stored in ROM and loaded during system power up.


Operating System


This operating system software is loaded in workstations and servers.


Configuration Files


The configuration file and configuration setup for the device.


Application Software


The application or executable file that is run on a workstation or server.


Software Patch


This is a small piece of software or code snippet that the vendor or developer of the software typically releases as software updates, software maintenance, and known software vulnerabilities or weaknesses.


Vulnerabilities are not the only concern the ethical hacker will have. Exploits are a big concern, as they are a common mechanism used to gain access. That’s discussed next.



Defining an Exploit



An exploit refers to a piece of software, tool, or technique that takes advantage of a vulnerability that leads to privilege escalation, loss of integrity, or denial of service on a computer system. Exploits are dangerous because all software has vulnerabilities; hackers and perpetrators know that there are vulnerabilities and seek to take advantage of them. Although most organizations attempt to find and fix vulnerabilities, some organizations lack sufficient funds for securing their networks. Even those that do are burdened with the fact that there is a window between when a vulnerability is discovered and when a patch is available to prevent the exploit. The more critical the server, the slower it is typically patched. Management might be afraid of interrupting the server or afraid that the patch might affect stability or performance. Finally, the time required to deploy and install the software patch on production servers and workstations exposes an organization’s IT infrastructure to an additional period of risk.