Week1 Board Notes
It’s a goal to “spell it all out” in this course.
Don’t let any acronym go unexpanded, or new term go undefined.
When in doubt, ask!
- Stoll: Cuckoo’s Egg, with the sub-title “Tracking a Spy Through the Maze of Computer Espionage”
- Builder / Breaker / Defender - labels OWASP assigns to different security communities
- PCI DSS is the Payment Card Industry Data Security Standard. Remember, every retailer was compliant, until they weren’t!
- Chip + PIN - smartcard (something you have) and a PIN (something you know), common in Europe, but not the US.
- CISO / CSO: Chief Information Security Officer or Chief Security Officer. Or “Chief Sacrificial Offering” when something goes wrong. See A Tough Corporate Job Asks One Question: Can You Hack It?
- CIO: Chief Information Officer
- Risk assessment, acceptance, remediation: some quantitative assessments may take the form likelihood x frequency x impact; we can remediate risk to obtain some residual of the originally calculated risk (by deploying counter-measures for a known threat, for example); the remaining risk may be accepted to obtain a larger goal, such as new business, cost avoidance, etc.
- Don’t forget reputational damage when calculating impact. As Ben Franklin said, “It takes many good deeds to build a good reputation, and only one bad one to lose it.”
- Various models of the Cyber Attack Cycle, with phases such as Reconnaissance, Exploit, and repeating the sequence to move laterally as needed.
- Insider Threat is real, and there are numerous techniques for detecting -behaving authorized users that will also help when your own users’s credentials are being used by an adversary.
- Identity: The New Security Perimeter - because once you have authorized credentials, you can get through all those pesky firewalls, computer logins, etc.
- A classmates quips: “Security, Performance, Usability: Pick One”, a good joke on the old “Good, Fast, Cheap: Pick Two” triad.