Overview of the lesson
We cannot start a meaningful exploration of computer security without defining the subject itself. Hence, in this lesson, we will outline several terms that security people use all the time.
What you'll learn
So far, we have discussed all kinds of technical topics on this platform: what web applications are, how they work, what a server is, and the list goes on. But nothing about security. Here is the good news — the waiting has ended! In this course, we will explore the core principles of computer security, what makes an application vulnerable, the different defense mechanisms, and much more!
Objective: To understand what security is and learn several terms that are used in the security industry.
However, we cannot start a meaningful exploration of computer security without defining the subject itself. So, let’s begin the discussion by answering the most obvious question: what is security?
Whether you work in the IT industry or not, you have probably noticed that security buzzwords come and go in the media. They are all over the Internet — a new data breach here, a malware or phishing campaign there, millions of devices at risk due to a security bug, the financial information of thousands stolen, the social media accounts of a large company hacked. But what is this "security" thing that people keep talking about?
Let's consult the dictionaries:
Security: the quality or state of being secure, such as
  a: freedom from danger : SAFETY
  b: freedom from fear or anxiety
  c: freedom from the prospect of being laid off (job security)
Secure:
  a: free from danger
  b: affording safety (a secure hideaway)
  c: TRUSTWORTHY, DEPENDABLE (a secure foundation)
  d: free from risk of loss
Security (second dictionary):
  a: freedom from risk and the threat of change for the worse
  b: freedom from danger; safety
So, we can say that security is freedom from danger, threat, or risk. In the context of information security, it refers to the risks, threats, and dangers related to computing devices such as computers, smartphones, IoT devices, servers, and networks, but it also covers the data stored on and processed by these devices.
The primary goal of security is simple: to make sure that technology does only what it is supposed to, and nothing else. Security's job is not necessarily to stop hackers and prevent breaches but to work towards the same goal as the rest of the company and help the business move forward. For instance, if the company's goal is to make money, the security department should make sure that the organization doesn't lose money due to a lack of security measures.
Each industry has its own jargon, and security is no exception. In this field, you will often encounter terms such as vulnerability, attack, threat, exploit, and the list goes on. So, before diving deeper into your learning journey, it is imperative to make sure we all speak the same language. Don't worry — we won't overwhelm you with all of it (we have a glossary for that). We'll cover additional terms and technologies in more detail as we explore further.
A vulnerability is a weakness of a system that allows an attacker to perform unauthorized actions, such as viewing other users' sensitive data or destroying or modifying data. Vulnerabilities are, in most cases, introduced accidentally, a consequence of our fallible ability to design secure systems.
Over time, some studies have suggested that the number of vulnerabilities grows with the complexity of a system. Other studies have shown that this correlation is vague and almost impossible to demonstrate. While the relationship between complexity and vulnerabilities can't be generalised, there is one thing we can be sure of — there is no absolutely secure system.
Vulnerabilities, by their nature, wait to be discovered. They simply exist in software — but until someone finds and uses them, they remain latent.
A cyber attack is when an attacker uses a vulnerability to gain an unfair benefit (e.g., financial or social gain, or bypassing access controls) or to inflict damage on systems. Usually, it is a multi-step process. To make things easier to understand, we will use an example in which an attacker wants to get access to someone else's account on uphack.io. Here are the steps involved:
In the last few years, many great security tools have emerged. Some of them have even made the exploitation of specific vulnerabilities (e.g., SQL Injection) as easy as entering the target URL and pressing the Start button. While their purpose was to speed up the job of ethical hackers, some people use them as their primary weapon, as a substitute for competence and actual security knowledge.
Such people are called script kiddies. They lack the expertise and rely solely on existing hacking tools to break into systems, without even understanding how these tools work or what is going on behind the scenes. Motivated by curiosity, mischief, or simply the desire to show off, they are opportunistic attackers who don't have a specific target in mind. Instead, they use automated scanners to find targets affected by low-hanging vulnerabilities.
Next, there are cybercriminals or hackers. In contrast to skiddies, a hacker is usually highly skilled, operating individually or as part of a criminal organisation. Motivated by financial gain, they are interested in financial information or large volumes of personally identifiable information (PII) that can be sold on the black market. Hackers are usually opportunistic attackers too, but they can be much more patient, persistent, well-funded, and stealthy compared to skiddies.
At the top of the chain are the state-sponsored attackers. They can have practically unlimited patience and funding to achieve their purpose, and are motivated by the political, commercial, or military interests of their country rather than financial gain. This type of attacker targets the critical infrastructure and services of a country. This includes — but is not limited to — fuel pipelines, power grids, nuclear reactors, and the healthcare or financial sectors. One example of such an attack is Stuxnet — a malicious worm designed to sabotage Iran's nuclear program.
An exploit is a tool, a method, or a command that allows an attacker to take advantage of a vulnerability.
A security threat refers to anything that can put a system or its information at risk. This includes viruses, backdoors, vulnerabilities, and even natural disasters.
But what's the difference between an attack and a threat, then?
A threat is a circumstance that has the potential to inflict harm, while an attack is the attempt to cause damage. Here is a simple example to illustrate this.
If you don't regularly update your operating system to the latest version, your computer may have lots of vulnerabilities. The fact that one day an attacker could target your computer because you don't update your OS represents a threat. Once an attacker finds out that your system is vulnerable, they will attempt to exploit it. That is an attack.
So, let’s recap: A threat is any bad thing that can happen to a system. A threat exists because there is a vulnerability; hence, a vulnerability makes a threat possible. An attack is a deliberate attempt to exploit that vulnerability.
Risk is the likelihood that a threat turns into an attack, combined with the harm that such an attack would cause. The commonly used formula for risk is the probability of a threat, multiplied by the probability that a vulnerability exists, multiplied by the maximum impact of a successful attack:
Risk = Threat * Vulnerability * Impact/Severity
The impact of a vulnerability depends on the likelihood that it will be successfully exploited. In turn, likelihood depends on the existing security mechanisms, the difficulty of the attack, and the type of potential attacks. For example, an SQL Injection vulnerability is considered highly dangerous because it is both easy to find and easy to exploit, and it can have a serious impact.
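As an added example (not part of the lesson), here is the Risk = Threat * Vulnerability * Impact formula applied to a constructed list of findings, with the threat term derived from the factors named above: ease of discovery, ease of exploitation, and existing mitigations. The scales, weights, and the three findings are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    ease_of_discovery: float  # 0..1: how easily an attacker finds the weakness
    ease_of_exploit: float    # 0..1: how easily it is exploited once found
    mitigations: float        # 0..1: strength of existing security mechanisms
    vulnerability: float      # 0..1: probability the weakness is actually present
    impact: int               # 1..10: worst-case damage of a successful attack

def threat_likelihood(f: Finding) -> float:
    """The 'Threat' term: probability that a threat turns into an attack.
    Assumed model: easy to find and exploit raises it, mitigations lower it."""
    return f.ease_of_discovery * f.ease_of_exploit * (1.0 - f.mitigations)

def risk_score(f: Finding) -> float:
    """Risk = Threat * Vulnerability * Impact, rounded for readability."""
    return round(threat_likelihood(f) * f.vulnerability * f.impact, 3)

def rank_findings(findings: list[Finding]) -> list[tuple[str, float]]:
    """Return (name, risk) pairs, highest risk first, for a risk register."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.name, risk_score(f)) for f in ranked]

# Constructed sample register (values are illustrative, not measured).
FINDINGS = [
    Finding("SQL injection in login form", 0.9, 0.9, 0.0, 0.8, 10),
    Finding("Verbose server version banner", 1.0, 0.2, 0.0, 1.0, 2),
    Finding("Unpatched OS, no automatic updates", 0.7, 0.6, 0.5, 0.9, 8),
]

if __name__ == "__main__":
    for name, score in rank_findings(FINDINGS):
        print(f"{score:6.3f}  {name}")
```

The SQL injection finding lands on top because, exactly as the lesson says, it is easy to find, easy to exploit, and high impact; the unpatched OS scores lower here only because a mitigation (0.5) is assumed to be in place.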
This lesson has hopefully shed some light on what computer security is and on the terms commonly used in this industry. Many other concepts still need to be explained; we'll cover them in the next lessons as we explore further.