The course begins with three fundamental questions that frame the entire discipline:
The official NIST definition (NISTIR 7298) states:
Computer Security: Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.
This definition covers three dimensions: the objectives (CIA triad), the assets (hardware, software, firmware, information/data, telecommunications), and the means (measures and controls). A threat model is a structured way of identifying potential threats, vulnerabilities, and risks to a system — a systematic approach to understanding possible attack vectors, threat actors, and the potential impact of successful attacks.
The scope goes beyond pure data: it includes hardware, software, firmware, information/data, and telecommunications. Security is not just about keeping secrets — it is about preserving the correct functioning of the entire system.
The CIA triad is the foundation of computer security. It defines three core objectives for protecting data and services: confidentiality, integrity, and availability. Each component has its own definition, sub-concepts, examples, and related threats, covered below.
FIPS 199 formalises these three objectives in terms of requirements and the definition of a loss of security in each category. A loss of confidentiality is the unauthorised disclosure of information; a loss of integrity is the unauthorised modification or destruction of information; a loss of availability is the disruption of access to or use of information or an information system.
The textbook (Stallings, 4th ed.) emphasises that data and services are the core elements to protect. Confidentiality covers both data confidentiality and privacy; integrity covers both data integrity and system integrity; availability covers both data and services availability.
Although the CIA triad is well established, many security professionals add two more concepts to present a complete picture:
| Concept | Definition | Example |
|---|---|---|
| Authenticity | The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator. | Verifying that users are who they say they are; checking that each input arriving at the system came from a trusted source. |
| Accountability | The requirement for actions of an entity to be traced uniquely to that entity. | Finding the originator of a transmission or action; audit logs that support non-repudiation, deterrence, fault isolation, intrusion detection, and legal action. |
FIPS 199 includes authenticity under integrity. Accountability makes it possible to trace a security breach to a responsible party — essential because truly secure systems are not yet achievable.
FIPS 199 defines three levels of impact on organisations or individuals should there be a breach of security (a loss of confidentiality, integrity, or availability):
| Level | Definition | Example |
|---|---|---|
| Low | The loss could have a limited adverse effect on organisational operations, assets, or individuals. | A temporary online poll is defaced; minor degradation but functions continue. |
| Moderate | The loss could have a serious adverse effect; significant degradation, significant damage or financial loss. | A university public website goes down; this causes embarrassment but is not critical. |
| High | The loss could have a severe or catastrophic adverse effect; mission capability is lost; major damage, loss of life or life-threatening injuries. | A hospital patient allergy database is corrupted — could result in death and massive liability. |
The textbook provides detailed examples of assets at each level of impact. For instance, student grade information has a high confidentiality requirement (regulated by FERPA in the US), while directory information such as departmental lists may have a low or no confidentiality rating. A hospital patient’s allergy information has a high integrity requirement because inaccurate information could result in serious harm.
Computer security is not as simple as it first appears. The textbook highlights ten key challenges:
Remember the phrase: “computer security is a process and not a product.” The asymmetric nature of the game is a frequently examined concept: attackers need a single weakness; defenders must secure every entry point.
The textbook defines a consistent set of terms that are used throughout the course. Master these definitions precisely:
| Term | Definition |
|---|---|
| Adversary (threat agent) | An entity that attacks, or is a threat to, a system. |
| Attack | An assault on system security that derives from an intelligent threat; a deliberate attempt to evade security services and violate the security policy of a system. (Note: some attacks like certain DoS are not necessarily “intelligent.”) |
| Countermeasure | An action, device, procedure, or technique that reduces a threat, vulnerability, or attack by eliminating or preventing it, by minimising the harm, or by discovering and reporting it. |
| Risk | An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. Often visualised with a risk matrix. |
| Security policy | A set of rules and practices that specify how a system or organisation provides security services to protect sensitive and critical system resources. |
| System resource (asset) | Data; a service provided by a system; a system capability; an item of system equipment; a facility that houses system operations and equipment. |
| Threat | A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. |
| Vulnerability | A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy. |
You will be asked to distinguish between a threat (potential) and an attack (threat carried out). A vulnerability is the weakness that a threat exploits; the countermeasure is what reduces the associated risk. The password policy of an organisation (e.g., strong passwords and expiration) is a classic example of a security policy.
The relationship between assets, threats, vulnerabilities, and countermeasures is summarised in the following model:
```mermaid
flowchart TD
    O[Owners] -->|wish to minimise| R[Risk]
    O -->|value| A[Assets]
    O -->|impose| C[Countermeasures]
    TH[Threat Agents] -->|wish to abuse / may damage| A
    TH -->|give rise to| T[Threats]
    TH -->|give rise to| AT[Attacks]
    T -->|increase| R
    AT -->|exploit| V[Vulnerabilities]
    V -->|increase| R
    C -->|reduce| R
```
In this model, owners place value on their assets and wish to minimise risk. Threat agents (adversaries) give rise to attacks that exploit vulnerabilities, increasing risk. Countermeasures reduce risk but may themselves impose new costs or introduce new vulnerabilities. Residual vulnerabilities always remain — the goal is to minimise the residual level of risk.
Security vulnerabilities in a system resource fall into three general categories, each corresponding to one element of the CIA triad:
| Vulnerability | Description | CIA Aspect |
|---|---|---|
| Corrupted | The system does the wrong thing or gives wrong answers; stored data values differ from what they should be because of improper modification. | Loss of integrity |
| Leaky | Someone who should not have access to information obtains such access. | Loss of confidentiality |
| Unavailable / very slow | Using the system or network becomes impossible or impractical. | Loss of availability |
Memorise which CIA element corresponds to each vulnerability: corrupted → Integrity, leaky → Confidentiality, unavailable → Availability. This is a common exam question.
Attacks can be classified along two fundamental dimensions: active vs passive, and inside vs outside.
Passive attacks attempt to learn or make use of information from the system but do not affect system resources. They are difficult to detect, so the emphasis is on prevention (e.g., encryption) rather than detection. The two main types are release of message contents (eavesdropping on unencrypted communication) and traffic analysis (observing patterns, frequency, and length of messages even when encrypted).
Active attacks involve modification of the data stream or the attacked system. The goal is to detect them and recover. The four main types are:
Inside attacks are initiated by an entity inside the security perimeter (an “insider”) who is authorised to access system resources but uses them in unauthorised ways. Outside attacks are initiated from outside the perimeter by an unauthorised or illegitimate user. On the Internet, outside attackers range from amateur pranksters to organised criminals, international terrorists, and hostile governments.
RFC 4949 describes four kinds of threat consequences. Each consequence represents the result of a successful attack and maps to a specific security objective:
| Consequence | Threat to | Attack Types | Examples |
|---|---|---|---|
| Unauthorised Disclosure | Confidentiality | Exposure, Interception, Inference, Intrusion | An insider leaks credit card numbers; sniffing packets on a LAN; traffic analysis; bypassing access controls |
| Deception | Integrity (data or system) | Masquerade, Falsification, Repudiation | Trojan horse posing as legitimate software; a student altering grades; denying having sent a message |
| Disruption | Availability or system integrity | Incapacitation, Corruption, Obstruction | Physical destruction of hardware; backdoor logic; overloading a system with traffic |
| Usurpation | System integrity | Misappropriation, Misuse | Theft of service via DDoS botnet; disabling security functions |
For each threat consequence, you should be able to: (1) name it, (2) say which CIA objective it threatens, (3) list the attack types, and (4) give examples. This is one of the most frequently examined areas of Chapter 1.
The textbook categorises computer and network assets into four groups, each with specific threats across the CIA dimensions:
| Asset Category | Availability threat | Confidentiality threat | Integrity threat |
|---|---|---|---|
| Hardware | Equipment stolen or disabled | Unencrypted USB drive stolen | — |
| Software | Programs deleted | Unauthorised copy made | Program modified to cause failure or unintended task |
| Data | Files deleted | Unauthorised read; statistical inference | Files modified or fabricated |
| Communication lines & networks | Messages destroyed; lines rendered unavailable | Messages read; traffic patterns observed | Messages modified, delayed, reordered, duplicated; false messages fabricated |
The scope of computer security involves four levels of protection: (1) access to data must be controlled (protection), (2) access to the computer facility must be controlled (user authentication), (3) data must be securely transmitted through networks (network security), and (4) sensitive files must be secured (file security).
The WannaCry ransomware (2017) is a textbook example of multi-dimensional impact: it encrypted data (integrity), demanded payment (availability), and spread through network vulnerabilities. It affected the CIA triad across software, data, and communication lines simultaneously.
An attack surface consists of the reachable and exploitable vulnerabilities in a system. Its components fall into three categories:
Network attack surface: vulnerabilities over enterprise networks, WAN, or the Internet. Includes protocol vulnerabilities, DoS, disruption of links, and intruder attacks.
Software attack surface: vulnerabilities in application, utility, or operating system code. A particular focus is web server software.
Human attack surface: vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.
An attack surface analysis is a systematic assessment of the scale and severity of threats to a system. It helps developers and security analysts understand where security mechanisms are needed, and guides priorities for testing and strengthening security. Defense in depth (layering) and attack surface reduction complement each other in mitigating security risk.
An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities. The root of the tree is the attacker’s goal; branches represent progressively more detailed subgoals.
Nodes are either AND-nodes (all subgoals must be achieved) or OR-nodes (at least one subgoal must be achieved). Branches can be labelled with values representing difficulty, cost, or other attack attributes.
The following Mermaid diagram illustrates an attack tree for Internet banking authentication compromise:
```mermaid
flowchart TD
    R[Bank Account Compromise] --> A[User credential compromise]
    R --> B[User credential guessing]
    R --> C[Injection of commands]
    R --> D[Security policy violation]
    R --> E[Use of known authenticated session]
    A --> A1[User surveillance]
    A --> A2[Theft of token and notes]
    A --> A3[Malicious software installation]
    A3 --> A3a[Hidden code]
    A3 --> A3b[Worms]
    A3 --> A3c[E-mails with malicious code]
    A --> A4[Sniffing]
    A --> A5[Social engineering]
    A5 --> A5a[Web page obfuscation]
    B --> B1[Brute force attacks]
    C --> C1[Pharming]
    C --> C2[Active MITM]
    E --> E1[Session hijacking with preset session ID]
```
This attack tree was developed by considering three components: the user terminal and user (UT/U), the communication channel (CC), and the Internet banking server (IBS). Using such a tree, security analysts can assess the risk of each attack path and design appropriate countermeasures.
Know the difference between AND-nodes and OR-nodes in attack trees. Understand that leaf nodes represent specific attack initiation methods. You may be asked to develop a simple attack tree (e.g., for gaining access to a physical safe).
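The following is an added example (not from the course slides or the textbook) of how an analyst evaluates an attack tree with AND/OR semantics and branch values, using the Internet banking tree above. The leaf costs are constructed illustrative values, and the AND-node under "Theft of token and notes" is an assumption introduced to show AND semantics; the `harden` function models a countermeasure as raising the cost of one leaf.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Attack-tree evaluator (added example; not from the course slides or textbook).
# Leaf costs are constructed illustrative "effort units", and the AND-node under
# "Theft of token and notes" is an assumption made to show AND semantics.

@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "LEAF", "OR" or "AND"
    cost: Optional[int] = None         # only leaves carry a cost
    children: List["Node"] = field(default_factory=list)

def leaf(name: str, cost: int) -> Node:
    return Node(name, "LEAF", cost)

def any_of(name: str, *children: Node) -> Node:   # OR-node: one subgoal suffices
    return Node(name, "OR", None, list(children))

def all_of(name: str, *children: Node) -> Node:   # AND-node: every subgoal needed
    return Node(name, "AND", None, list(children))

def build_bank_tree() -> Node:
    """The Internet-banking tree shown above, with constructed leaf costs."""
    return any_of("Bank Account Compromise",
        any_of("User credential compromise",
            leaf("User surveillance", 8),
            all_of("Theft of token and notes",            # constructed AND-node
                leaf("Steal hardware token", 6),
                leaf("Steal handwritten notes", 4)),
            any_of("Malicious software installation",
                leaf("Hidden code", 7),
                leaf("Worms", 9),
                leaf("E-mails with malicious code", 3)),
            leaf("Sniffing", 5),
            any_of("Social engineering",
                leaf("Web page obfuscation", 4))),
        any_of("User credential guessing",
            leaf("Brute force attacks", 2)),
        any_of("Injection of commands",
            leaf("Pharming", 6),
            leaf("Active MITM", 8)),
        leaf("Security policy violation", 5),
        any_of("Use of known authenticated session",
            leaf("Session hijacking with preset session ID", 6)))

Path = Tuple[int, List[str]]   # (total cost, leaves used)

def all_paths(node: Node) -> List[Path]:
    """Every complete attack path: an OR-node contributes each child's paths,
    an AND-node the cartesian product of its children's paths (costs add)."""
    if node.kind == "LEAF":
        return [(node.cost, [node.name])]
    child_paths = [all_paths(c) for c in node.children]
    if node.kind == "OR":
        return [p for paths in child_paths for p in paths]
    combos: List[Path] = [(0, [])]
    for paths in child_paths:
        combos = [(c + pc, ls + pl) for c, ls in combos for pc, pl in paths]
    return combos

def cheapest_path(node: Node) -> Path:
    """The path a rational attacker would try first: minimum total cost."""
    return min(all_paths(node), key=lambda p: p[0])

def feasible_paths(node: Node, budget: int) -> List[List[str]]:
    """Paths an adversary with the given budget can afford; a defender wants
    this list to be empty for the adversaries in the threat model."""
    return [leaves for cost, leaves in all_paths(node) if cost <= budget]

def harden(node: Node, leaf_name: str, extra_cost: int) -> Node:
    """Model a countermeasure as raising the cost of one leaf (e.g. account
    lockout against brute force). Returns a new tree; the input is untouched."""
    if node.kind == "LEAF":
        cost = node.cost + extra_cost if node.name == leaf_name else node.cost
        return Node(node.name, "LEAF", cost)
    return Node(node.name, node.kind, None,
                [harden(c, leaf_name, extra_cost) for c in node.children])

if __name__ == "__main__":
    tree = build_bank_tree()
    print("cheapest:", cheapest_path(tree))
    print("affordable with budget 5:", feasible_paths(tree, 5))
    print("after lockout:", cheapest_path(harden(tree, "Brute force attacks", 10)))
```

Re-running `cheapest_path` after each candidate countermeasure shows which path the attacker would move to next, which is how the tree guides where the next control should go.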
Despite years of research, no foolproof techniques exist to prevent all unauthorised actions. The following 13 design principles guide the development of protection mechanisms:
Economy of mechanism: security measures should be as simple and small as possible. Simple designs are easier to test, verify, and maintain. Complex designs have more opportunities for exploitable flaws.
Fail-safe defaults: access decisions should be based on permission rather than exclusion; the default is lack of access. A mistake tends to fail by refusing permission (safe) rather than allowing it.
Complete mediation: every access must be checked against the access control mechanism. Systems should not rely on cached access decisions.
Open design: security mechanisms should be open rather than secret (e.g., encryption algorithms are public even if keys are secret). Open designs can be reviewed by many experts.
Separation of privilege: multiple privilege attributes should be required to access a restricted resource (e.g., multifactor authentication: password + smart card).
Least privilege: every user or process should operate with the least set of privileges necessary to perform the task. Role-based access control is a good example.
Least common mechanism: minimise the functions shared by different users to reduce unintended communication paths and make verification easier.
Isolation: three contexts: (1) public access isolated from critical resources, (2) user processes/files isolated from each other, (3) security mechanisms isolated from tampering.
Encapsulation: a specific form of isolation based on object-oriented functionality. Internal structures are accessible only through designated entry points.
Modularity: security functions should be developed as separate, protected modules. A modular architecture allows upgrading individual parts without redesigning the entire system.
Psychological acceptability: security mechanisms should not interfere unduly with users’ work. If mechanisms hinder usability, users may turn them off. Security must match the user’s mental model.
Layering (defense in depth): use multiple, overlapping protection approaches so that the failure of any single approach does not leave the system unprotected.
Least astonishment: a program or interface should always respond in the way least likely to astonish the user. The security mechanism should be transparent enough for the user to intuitively understand how security goals map to protections.
You must be able to list and briefly define all 13 principles. The first eight (from Economy of mechanism to Psychological acceptability) were originally proposed by Saltzer and Schroeder in 1975 and have withstood the test of time. KISS rule = Economy of mechanism.
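The following added example (not code from the course or the textbook) makes two of the principles concrete: fail-safe defaults, by contrasting a permission-based monitor with an exclusion-based one when a subject nobody wrote a rule for shows up, and complete mediation, by contrasting a handle that caches its open-time decision with one that re-checks on every use after a revocation. The subjects, objects and policy entries are constructed for illustration.

```python
from typing import Dict, Set, Tuple

# Reference-monitor sketch (added example; not code from the course or textbook).
# Subjects, objects and policy entries are constructed for illustration.

Triple = Tuple[str, str, str]   # (subject, object, action)

class PermissionMonitor:
    """Fail-safe default: access is granted only if an explicit allow entry exists,
    so a subject or object nobody wrote a rule for is denied."""
    def __init__(self, allow: Set[Triple]) -> None:
        self.allow = set(allow)

    def check(self, subject: str, obj: str, action: str) -> bool:
        return (subject, obj, action) in self.allow

    def revoke(self, subject: str, obj: str, action: str) -> None:
        self.allow.discard((subject, obj, action))

class ExclusionMonitor:
    """Exclusion-based: access is granted unless an explicit deny entry exists.
    A mistake or omission in the deny list therefore fails open (unsafe)."""
    def __init__(self, deny: Set[Triple]) -> None:
        self.deny = set(deny)

    def check(self, subject: str, obj: str, action: str) -> bool:
        return (subject, obj, action) not in self.deny

class Handle:
    """An open handle on an object. With mediate_every_access=False it behaves like
    the cached-decision case the notes describe: the check made at open time is
    reused forever, so a later revocation is never noticed."""
    def __init__(self, monitor: PermissionMonitor, subject: str, obj: str,
                 action: str, mediate_every_access: bool) -> None:
        if not monitor.check(subject, obj, action):
            raise PermissionError(f"{subject} may not {action} {obj}")
        self.monitor, self.subject, self.obj, self.action = monitor, subject, obj, action
        self.mediate_every_access = mediate_every_access
        self.cached_decision = True          # the decision taken at open()

    def use(self) -> bool:
        """Return True if the access is permitted now."""
        if self.mediate_every_access:        # complete mediation: ask again each time
            return self.monitor.check(self.subject, self.obj, self.action)
        return self.cached_decision          # stale after revoke()

def unknown_subject_outcome() -> Dict[str, bool]:
    """Same intended policy written both ways; 'mallory' is an account nobody
    wrote a rule for (e.g. a newly created login)."""
    permission = PermissionMonitor({("alice", "grades.csv", "read"),
                                    ("bob", "grades.csv", "write")})
    # Equivalent exclusion list for the users the policy author remembered.
    exclusion = ExclusionMonitor({("alice", "grades.csv", "write"),
                                  ("bob", "grades.csv", "read")})
    return {"permission_based": permission.check("mallory", "grades.csv", "write"),
            "exclusion_based": exclusion.check("mallory", "grades.csv", "write")}

def revocation_outcome() -> Dict[str, bool]:
    """bob opens grades.csv for writing twice, then his write right is revoked."""
    monitor = PermissionMonitor({("bob", "grades.csv", "write")})
    cached = Handle(monitor, "bob", "grades.csv", "write", mediate_every_access=False)
    mediated = Handle(monitor, "bob", "grades.csv", "write", mediate_every_access=True)
    monitor.revoke("bob", "grades.csv", "write")
    return {"cached_handle_writes": cached.use(), "mediated_handle_writes": mediated.use()}

if __name__ == "__main__":
    print(unknown_subject_outcome())   # {'permission_based': False, 'exclusion_based': True}
    print(revocation_outcome())        # {'cached_handle_writes': True, 'mediated_handle_writes': False}
```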
A security mechanism is designed to perform four functions:
No single mechanism can support all services. Different mechanisms address different requirements: authentication, authorisation, availability, confidentiality, integrity, non-repudiation. Moreover, countermeasures may introduce new vulnerabilities, and residual vulnerabilities may remain. The goal is to minimise the residual level of risk to the assets — that is, to implement mitigation.
Is prevention always possible? No. That is why detection and recovery are of primary importance. Not all attacks can be prevented, so resilient systems must be designed to detect breaches and recover from them.
A comprehensive computer security strategy, following [LAMP04], involves three aspects:
The first step is to develop a security policy — an (ideally formal) statement of rules and practices that specify how a system or organisation provides security services. When developing a policy, a security manager must consider:
The security manager must also balance trade-offs between ease of use and security, and between the cost of security and the cost of failure and recovery.
Four complementary courses of action:
Assurance is the degree of confidence that the security system meets its requirements and that the implementation meets its specifications. It is expressed as a degree of confidence, not absolute proof.
Evaluation is the process of examining a computer product or system against certain criteria, involving testing and possibly formal analytic or mathematical techniques.
Section 1.3 “Security Functional Requirements” (FIPS 200 — 17 security areas) is not examinable per the professor’s scope notes. Section 1.7 on “Standards” (NIST, ISOC, ITU-T, ISO) is also not examinable but is strongly suggested reading.
The tutorials provide hands-on experience with the concepts taught in this chapter. The following annotated code walkthrough shows the key steps for performing an attack surface analysis using nmap and related tools. Each command is explained in terms of the security concepts it relates to.
Probing a host that does not belong to you by means of port scanning is considered an offensive procedure. In some countries, it can be illegal. These operations are for educational and defensive purposes only.
A pharming attack redirects a victim’s web traffic to a fake server. The course tutorial (T5) demonstrates this through three steps: (1) clone the target website, (2) set up a fake HTTP server, (3) redirect requests. On a local network, this can be done by modifying DNS parameters provided via DHCP, installing a rogue DHCP server, or modifying the /etc/hosts file. For HTTPS, the attacker must also compromise the browser’s trusted certificate store — which can be done via a simple configuration change without special privileges.
This attack illustrates multiple concepts from the chapter: masquerade (the fake website pretends to be the real one), deception (the victim receives false data), and integrity (the trust chain of certificates is subverted). It also highlights the human attack surface and the importance of certificate revocation mechanisms.
The following questions are drawn from real past exams. Use them to test your preparation. Each answer is grounded in the slides and textbook.
Computer security (NIST definition) is the protection afforded to an automated information system to attain the objectives of preserving the integrity, availability, and confidentiality of information system resources. It includes hardware, software, firmware, information/data, and telecommunications.
Confidentiality covers two related concepts: (1) data confidentiality — private or confidential information is not made available or disclosed to unauthorised individuals; (2) privacy — individuals control what information related to them may be collected, stored, and to whom it may be disclosed.
Integrity guards against improper information modification or destruction, including ensuring non-repudiation and authenticity. Data integrity ensures that information and programs are changed only in a specified and authorised manner. System integrity ensures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorised manipulation.
Availability ensures timely and reliable access to and use of data and services. A loss of availability is the disruption of access to or use of information or an information system.
Confidentiality, Integrity, and Availability. These three concepts embody the fundamental security objectives for both data and for information and computing services.
Authenticity is the property of being genuine and being able to be verified and trusted. It provides confidence in the validity of a transmission, a message, or a message originator. FIPS 199 includes authenticity under integrity.
Accountability generates the requirement for actions of an entity to be traced uniquely to that entity. It supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
KISS stands for “Keep It Simple, Stupid” and corresponds to the principle of Economy of mechanism: security measures should be as simple and small as possible. Simple designs are easier to test, verify, and maintain, and have fewer exploitable flaws.
Security requires regular and constant monitoring. It is not something you buy and install once; it is an ongoing process of assessment, adaptation, and improvement. Good security is invisible when working, and bad security only becomes visible after a security incident. Additionally, security is costly and often seen as an impediment, but this ongoing process view is essential.
Examples: an insider releases credit card numbers; unencrypted data is intercepted on a network; statistical analysis reveals underlying personal data. Loss of confidentiality is very damaging for assets with a high confidentiality rating, such as student grade information (regulated by FERPA) or patient medical records.
Examples: a student alters grades; a database of patient allergies is falsified. Loss of integrity is very damaging when the consequences are severe or catastrophic, such as the hospital allergy database example — inaccurate information could result in serious harm or death and expose the hospital to massive liability.
Examples: files are deleted; communication lines are rendered unavailable; authentication services are interrupted. Loss of availability is very damaging for critical services such as authentication systems for banking, where interruption causes large financial loss and prevents customers from accessing resources.
An adversary (threat agent) is an individual, group, organisation, or government that conducts or has the intent to conduct detrimental activities against a system.
An attack is any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself. It is a deliberate attempt to evade security services and violate the security policy of a system.
A threat is a potential for violation of security — a circumstance or event that could breach security and cause harm. An attack is a threat that is actually carried out (threat action). In other words, the threat is the potential; the attack is the realisation. Some threats are not very “intelligent,” for example certain Denial of Service attacks are rather simple.
A countermeasure is an action, device, procedure, or technique that reduces a threat, vulnerability, or attack by eliminating or preventing it, by minimising the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
Risk is an expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. It is often visualised using a risk matrix that maps likelihood against impact.
A security policy is a set of rules and practices that specify or regulate how a system or organisation provides security services to protect sensitive and critical system resources. Example: an organisation’s password policy (strong passwords, expiration) is part of its security policy.
A system resource (asset) is a major application, general support system, high-impact program, physical plant, mission-critical system, personnel, equipment, or a logically related group of systems. More broadly: data, a service provided by a system, a system capability, an item of equipment, or a facility.
A threat is any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image, or reputation), organisational assets, individuals, other organisations, or the nation through an information system via unauthorised access, destruction, disclosure, modification of information, and/or denial of service.
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Example: a software bug, or users not properly educated to deal with email phishing.
A system is corrupted when it does the wrong thing or gives wrong answers, because data values have been improperly modified. This is a loss of integrity. It can be serious depending on the criticality of the data (e.g., hospital records).
A system is leaky when someone who should not have access to information obtains such access. This is a loss of confidentiality. It can range from minor (directory information) to catastrophic (exposure of classified data).
A system is unavailable when using it becomes impossible or impractical (e.g., very slow or completely unresponsive). This is a loss of availability. It affects both data availability and services availability.
Passive attacks attempt to learn or make use of information but do not affect system resources. They are difficult to detect; emphasis is on prevention (encryption). Active attacks involve modification of the data stream or the attacked system. They are difficult to prevent; emphasis is on detection and recovery.
Inside attacks are initiated by an entity inside the security perimeter (an “insider”) who is authorised to access system resources but uses them in unauthorised ways. Outside attacks are initiated from outside the perimeter by an unauthorised or illegitimate user.
Unauthorised disclosure is a threat to confidentiality. Exposure: sensitive data directly released (deliberate or by error). Interception: unauthorised entity directly accesses data in transit. Inference: indirect access by reasoning from characteristics (e.g., traffic analysis). Intrusion: unauthorised access by circumventing security protections.
Deception is a threat to integrity (data or system). Masquerade: posing as an authorised entity (e.g., Trojan horse). Falsification: altering or replacing valid data or introducing false data. Repudiation: falsely denying responsibility for an act.
Disruption is a threat to availability or system integrity. Incapacitation: disabling a system component (e.g., physical destruction, malware). Corruption: unauthorised modification that alters system functioning (e.g., backdoor logic). Obstruction: hindering system operation (e.g., overloading, disabling communication links).
Usurpation is a threat to system integrity. Misappropriation: assuming unauthorised logical or physical control of a resource (e.g., theft of service via botnet). Misuse: causing a component to perform a function detrimental to security (e.g., disabling security functions).
The four categories are: Hardware, Software, Data, and Communication lines & networks. Each can be attacked across all three CIA dimensions: availability (e.g., theft/destruction), confidentiality (e.g., unauthorised copy/read), and integrity (e.g., modification/fabrication). See Table 1.3 in the textbook for a full breakdown.
Traffic analysis is a passive attack in which the attacker observes the pattern of traffic on a network (e.g., the amount of traffic between particular pairs of hosts, frequency and length of messages) to infer information, even when the message contents themselves are encrypted.
A replay attack involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorised effect. A typical example is a Man-In-The-Middle (MITM) attack where authentication sequences are captured and replayed.
1) Economy of mechanism, 2) Fail-safe defaults, 3) Complete mediation, 4) Open design, 5) Separation of privilege, 6) Least privilege, 7) Least common mechanism, 8) Psychological acceptability, 9) Isolation, 10) Encapsulation, 11) Modularity, 12) Layering (defense in depth), 13) Least astonishment.
Security measures should be as simple and small as possible. Simple designs are easier to test and verify thoroughly, have fewer exploitable flaws, and require less maintenance. This is also known as the KISS principle.
Access decisions should be based on permission rather than exclusion. The default situation is lack of access. A design mistake in a permission-based mechanism tends to fail by refusing permission (safe), while an exclusion-based mechanism tends to fail by allowing access (unsafe).
Complete mediation: Every access must be checked against the access control mechanism. Systems should not rely on cached access decisions. In practice, this is resource-intensive and rarely fully implemented (e.g., once a file is opened, permission changes are not rechecked on each read).
Open design: The design of a security mechanism should be open rather than secret. Encryption algorithms should be public and subject to expert review, even if keys must remain secret. This is the philosophy behind NIST’s standardisation of encryption algorithms.
Separation of privilege: Multiple privilege attributes should be required to achieve access to a restricted resource. Example: multifactor authentication requires both a password and a smart card. It can also refer to dividing a program into parts with limited privileges.
Least privilege: Every user or process should operate using the least set of privileges necessary to perform the task. Example: role-based access control. System administrators should use ordinary accounts for daily activities and only use privileged accounts when necessary.
Least common mechanism: The design should minimise the functions shared by different users, providing mutual security. This reduces unintended communication paths and the amount of shared hardware/software, making it easier to verify security implications.
Psychological acceptability: Security mechanisms should not interfere unduly with users’ work. If mechanisms are too burdensome, users may disable them. Security must reflect the user’s mental model of protection to avoid errors.
Isolation: Isolation applies in three contexts: (1) public access systems isolated from critical resources, (2) individual user processes/files isolated from each other, (3) security mechanisms isolated from tampering. Physical or logical isolation may be used.
Encapsulation: Encapsulation is a specific form of isolation based on object-oriented functionality: data objects are accessible only through the procedures of the protected subsystem, and procedures may be called only at designated entry points.
Modularity: Security functions should be developed as separate, protected modules (e.g., a common cryptographic module used by many protocols). A modular architecture allows individual parts to be upgraded without redesigning the entire system.
Layering: Layering (also called defense in depth) uses multiple, overlapping protection approaches addressing people, technology, and operations. If one layer fails, others still provide protection. Example: multiple firewalls based on different technologies.
Least astonishment: A program or user interface should always respond in the way least likely to astonish the user. The authorisation mechanism should be transparent enough for the user to intuitively understand how their security goals map to the provided protections.
An attack surface consists of the reachable and exploitable vulnerabilities in a system. Examples: open ports, services inside a firewall, code processing incoming data (e-mail, PDF, etc.), APIs, employees with access to sensitive data. Three categories: Network attack surface (network vulnerabilities), Software attack surface (application/OS code vulnerabilities), Human attack surface (social engineering, human error).
Attack surface analysis is a systematic assessment of the scale and severity of threats to a system. It makes developers and security analysts aware of where security mechanisms are required and guides priorities for testing, strengthening security, or modifying the service.
An attack tree is a branching, hierarchical data structure representing a set of potential techniques for exploiting vulnerabilities. The root is the attacker’s goal. Leaf nodes represent ways to initiate an attack. Nodes are either AND-nodes (all subgoals must be achieved) or OR-nodes (at least one subgoal must be achieved).
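The AND/OR evaluation described above, as an added example that is not part of the course notes or the textbook: a small attack tree with constructed node names, an evaluator that decides whether the root goal is still reachable once certain leaf techniques have been mitigated, and a search for the minimal sets of mitigations that block the goal, which is how a defender uses the tree to prioritise controls.

```python
"""Attack-tree evaluator (added example; tree contents are constructed)."""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)


def leaf(name):
    return Node(name)


def example_tree():
    """Constructed tree: the attacker's goal is to read a customer database."""
    return Node("Read customer database", "OR", [
        Node("Exploit the web application", "AND",
             [leaf("Find SQL injection"), leaf("Bypass WAF")]),
        Node("Log in with stolen credentials", "AND", [
            Node("Obtain a password", "OR",
                 [leaf("Phish an administrator"), leaf("Crack a leaked hash")]),
            leaf("Defeat MFA"),
        ]),
    ])


def achievable(node, mitigated):
    """True if the attacker can still reach this node's goal.

    A leaf is achievable unless the defender has mitigated it; an AND-node
    needs every child, an OR-node needs at least one child."""
    if node.kind == "LEAF":
        return node.name not in mitigated
    results = [achievable(c, mitigated) for c in node.children]
    return all(results) if node.kind == "AND" else any(results)


def leaves(node):
    if node.kind == "LEAF":
        return [node.name]
    return [name for c in node.children for name in leaves(c)]


def minimal_blocking_sets(root):
    """All minimal sets of mitigated leaves that leave the root unachievable.

    Sets are enumerated by size, so a blocking set containing no earlier
    result is minimal (every smaller subset was already tested). Exponential
    in the number of leaves, which is fine for hand-drawn trees."""
    found = []
    names = leaves(root)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            chosen = set(combo)
            if any(prev <= chosen for prev in found):
                continue
            if not achievable(root, chosen):
                found.append(chosen)
    return sorted(sorted(s) for s in found)
```

For the constructed tree, blocking the goal needs either "Defeat MFA" or both password routes closed, plus one control on the web-application branch, which is exactly what the minimal sets report.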
A security policy is a set of rules specifying how a system provides security services. Factors: value of assets, system vulnerabilities, potential threats and likelihood. Trade-offs: ease of use vs security; cost of security vs cost of failure and recovery. Security policy is ultimately a business decision.
Prevention: stopping attacks from succeeding (ideal but not always possible). Detection: identifying attacks when prevention fails (e.g., intrusion detection). Response: halting an ongoing attack. Recovery: restoring correct operation after an attack succeeds (e.g., backup restoration).
Assurance is the degree of confidence that the security system design meets its requirements and that the implementation meets its specifications. It is expressed as a degree of confidence, not an absolute proof.
Evaluation is the process of examining a computer product or system against certain criteria. It involves testing and may involve formal analytic or mathematical techniques.
Unauthorised disclosure is a threat consequence in which an entity gains access to data for which it is not authorised. It is a threat to confidentiality. It can result from exposure, interception, inference, or intrusion.
DoS stands for Denial of Service. It is an active attack that prevents or inhibits the normal use of communication facilities. A DDoS (Distributed Denial of Service) uses multiple compromised systems (a botnet) to launch the attack simultaneously, making it harder to block. Example: the Mirai botnet.
An online attack interacts directly with the target system in real time (e.g., attempting passwords on a login page); countermeasures include rate limiting and account lockout. An offline attack works on captured data without interacting with the system (e.g., cracking a stolen password hash); countermeasures include salting and strong, deliberately slow password hashing. In the context of the textbook, this distinction applies to brute force and password guessing attacks.
Test your knowledge with these quick self-assessment questions:
Confidentiality, Integrity, and Availability.
Passive attacks are difficult to detect because they do not alter data. The emphasis is on prevention, typically through encryption.
An AND-node requires all of its subnodes’ goals to be achieved. An OR-node requires at least one.
Fail-safe defaults. The default situation is lack of access, so an error in the mechanism results in access being denied rather than granted.
A threat is a potential for security violation; an attack is a threat that is actually carried out (threat action).
Unauthorised disclosure (exposure, interception, inference, intrusion) is a threat to confidentiality.
Layering — using multiple, overlapping protection approaches so that the failure of any single layer does not leave the system unprotected.
Network attack surface, Software attack surface, Human attack surface.
Security requires regular and constant monitoring. It is not a one-time purchase or installation but an ongoing activity of assessment, adaptation, and improvement.
Data integrity ensures information is changed only in authorised ways. System integrity ensures the system performs its intended function in an unimpaired manner.