BIE-UKB Lecture 01 Recall: Introduction to Cyber Security

Terms

• Information Security
  • Cyber Security
• Dependability - the measure of RAMS parameters
  • Reliability
  • Availability
  • Maintainability
  • Safety/Security
  • Some additional parameters: Durability
• EU Directives NIS (2016/1148), NIS 2 (2022/255), Czech Cyber Security Law (Law 181/2014)
  • Event - vent, that may lead to a breach of security
  • Incident - breach of security/integrity/availability in the system or service due to the cyber security event
• Cyber Threat
  • Any event with the potential to adversely impact organizational operations (process) assets, or individuals through
• Basic Principles
  • Defense in Depth
  • Separation of Duty (SoD)
  • Least Privilege/Need-to-know
    • Zero-trust

Security (Counter)Measures

• Increase the attack costs - in terms of time or (any type of additional) expenses
• Technical Measures
  • HW/SW used to detect or prevent security events/incidents
• Organizational Measures
  • process supporting technical measures
• Methodology: Process + Roles

Fail-Safe vs. Fail-Secure

• default state is secure/safe
• sometimes in contradiction (layered approach to achieve both), sometimes complementary

Side-channel attacks

• 199(8)9 Kocher et. al.
• processed data could be guessed from time/power/EMC data dependency (RSA: length of operation depends on secret used key bits)
• AMD/Intel CPUs - Examples: Meltdown/Spectre

BIE-UKB Lecture 02 Notes: Risk Management

• planning - What/When

Risk Management

• process of identifying, assessing, and controlling threats
• PDCA Process: Plan-Do-Check-Act
• Aims:
  • minimize, monitor and control the probability or impact of bad events
  • minimize costs/resource utilization
  • maximize opportunities
• Risk Analysis
  • formal guidelines (one of many) ISO/IEC 27005
  • internal methodology (!)
• Primary asset depends on Supporting asset
  • primary asset is information/process/service essential for an organization enabled by a supporting asset
  • hierarchical decomposition: scope/level
  • Primary Asset Owner
  • Primary Asset valuation:
    • CIA Triad: Confidentiality, Integrity, Availability
    • often RAMS parameters in parallel
• Vulnerability - a weakness or an opportunity, which can be exploited (probability + cost!)
• Risk - measure of danger severity (potential for loss or damage when threat exploits vulnerability)
  • Synonyms sometimes used: Threat, Danger
  • Accept
  • Transfer
  • Mitigate - reduce/minimize impact
  • Avoid - disable (minimize probability)
  • risk impact/probability chart or matrix
• Example - Research Project Risk Analysis:
  • project with an implicitly limited scope, clear roles, and asset values
  • risk catalog -> threat and vulnerability assessment is performed at the same time en-block (mentor-driven brainstorming)
  • risk probabilities and severities are evaluated by Key project team members (Asset Owners)
  • average over-risk probability (P) and severity (S) are computed for each risk
  • overall risk measure/significance is computed as P*S
  • overall risk is evaluated by thresholding
  • multiple categories, not only technical/organizational risks