Computer Science, Computer Security, GSM Cell Phones and Latest Technology Blog
This is the site for computer science related technology, programming languages, Java, ASP.NET, Java Beans and servlets, Oracle procedures and triggers, SQL, Computer Security, Networking, Hacking related articles.



 

Chapter-5 Cyberspace Infrastructure from Computer Network Security and Cyber Ethics
1. Explain in detail TCP/IP Protocol Architecture
TCP/IP has Four Layers:

Application Layer: Application layer protocols are those used for the exchange of user information. Protocols used here include Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Network Management Protocol (SNMP), etc.

Host-to-Host Transport Layer: The core protocols of the Transport layer are Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
TCP provides a one-to-one, connection-oriented, reliable communications service.
UDP provides a one-to-one or one-to-many, connectionless, unreliable communications service.

Internet Layer: The Internet layer is responsible for routing IP packets. The core protocols of the Internet layer are IP, ARP (Address Resolution Protocol), ICMP (Internet Control Message Protocol), and IGMP (Internet Group Management Protocol).
The Internet Protocol (IP) is a routable protocol responsible for IP addressing, routing, and the fragmentation and reassembly of packets.

Network Interface Layer:
The Network Interface layer (also called the Network Access layer) is responsible for placing TCP/IP packets on the network medium and receiving TCP/IP packets off the network medium.
Hardware Devices: Hubs, switches, bridges and similar hardware devices are used here.
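
The layering described above can be seen by peeling one captured frame from the outside in. The following is an added example, not part of the original notes: the frame bytes are constructed (documentation-range addresses, zeroed checksums), and the names `dissect`, `mac` and `SAMPLE_FRAME` are hypothetical.

```python
import socket
import struct

# Constructed sample: Ethernet II frame carrying IPv4 / TCP / an HTTP request.
# Addresses come from documentation ranges; checksums are left at zero.
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
TCP_HDR = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(PAYLOAD), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
ETH_HDR = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)
SAMPLE_FRAME = ETH_HDR + IP_HDR + TCP_HDR + PAYLOAD


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def dissect(frame):
    """Peel a frame layer by layer; raise ValueError on truncated or malformed input."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"network_interface": {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
                                 "ethertype": ethertype}}
    if ethertype != 0x0800:            # not IPv4: stop at the link layer
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("malformed IPv4 header")
    out["internet"] = {"src": socket.inet_ntoa(ip[12:16]),
                       "dst": socket.inet_ntoa(ip[16:20]),
                       "ttl": ip[8], "protocol": ip[9]}
    segment = ip[ihl:total_len]
    if ip[9] == 6:                     # TCP
        if len(segment) < 20:
            raise ValueError("truncated TCP header")
        sport, dport = struct.unpack("!HH", segment[:4])
        offset = (segment[12] >> 4) * 4
        if not 20 <= offset <= len(segment):
            raise ValueError("malformed TCP data offset")
        out["transport"] = {"protocol": "TCP", "sport": sport, "dport": dport,
                            "flags": segment[13]}
        out["application"] = segment[offset:]
    elif ip[9] == 17:                  # UDP
        if len(segment) < 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack("!HH", segment[:4])
        out["transport"] = {"protocol": "UDP", "sport": sport, "dport": dport}
        out["application"] = segment[8:]
    return out
```

Calling `dissect(SAMPLE_FRAME)` returns one entry per layer, from `network_interface` down to the raw `application` bytes.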

2. Write short notes on Ethernet.
Ethernet is a frame-based computer networking technology for local area networks (LANs). It is a network of two or more computers.
Standard Name: IEEE 802.3 Local Area Network (LAN) protocols.
Protocol: Data are transmitted using the popular Carrier-Sense Multiple Access/Collision Detection (CSMA/CD) protocol.
Ethernet Technologies:
Three data rates are currently defined for operation over optical fiber and twisted-pair cables. They are:
1. 10 Mbps - 10Base-T Ethernet (IEEE 802.3)
2. 100 Mbps - Fast Ethernet (IEEE 802.3u)
3. 1000 Mbps - Gigabit Ethernet (IEEE 802.3z)

Ethernet Network Elements:
Ethernet LANs consist of network nodes and interconnecting media. The network nodes fall into two major classes:
1. Data terminal equipment (DTE)
2. Data communication equipment (DCE)

Chapter-4 Morality, Technology and Value from Computer Network Security and Cyber Ethics

1. Define Technology and list three components of Technological process?
Technology is a rational process of creating a means to order and transform matter, energy, and information to realize certain valued ends.
Technological processes have three components: Inputs, Engines and Outputs.

2. How to make good use of Technology?
The value of any technology depends on how we use it. Every technology should have a regulated policy. Making good use of technology calls for new laws to strengthen the legal system, new moral and ethical concepts, and a massive education campaign.

Chapter-1 All Security Involves Trade-offs from Beyond Fear

1. List 5-step process to analyze and evaluate security systems, technologies, and practices.
The five steps are as follows:
1. What assets are you trying to protect?
2. What are the risks to these assets?
3. How well does the security solution mitigate those risks?
4. What other risks does the security solution cause?
5. What costs and trade-offs does the security solution impose?

2. Define Attack and Assets
Attack means intentional unwarranted actions. An attack is a specific way to attempt to break the security of a system or a component of a system.
Assets are the objects of attack. Assets can be as small as a single diamond and as large as a nation’s infrastructure.

Chapter-2 Security Trade-offs Are Subjective from Beyond Fear

1. Define Threat and Risk.
Threat: A potential way an attacker can attack a system.
Risk: The likelihood of a threat and the seriousness of a successful attack.

2. Define Risk Management.
It’s figuring out which attacks are worth worrying about and which ones can be ignored. “Threat determines the risks, and the risks determine the countermeasures”.

Chapter-3 Security Trade-offs depend on power and agenda (Summary) from Beyond Fear

1. Why do we need proxies for easy security trade-offs?
Proxies are the players who act in the interest of other players. Proxies are intermediaries who have specialized expertise in their field. Not everyone can do everything, so proxies are needed.
E.g.: Hiring a building inspector to evaluate the physical condition of a house. Not everyone can do this; it requires expertise.

2. Which are the two players that create security problems?
The attacker and the attacked (the asset owner) are the two players that create security problems. If there were no attacker, there would be no security problems.

Questions from Cryptography Presentation

1. Explain Public key Cryptography or Asymmetric Cryptography

Public key cryptography was introduced by Diffie and Hellman in 1976. Each person gets a pair of keys, called the public key and the private key. Each person's public key is shared, while the private key is kept secret, known only to the recipient of the message. Messages are encrypted using the intended recipient's public key and can only be decrypted using the recipient's private key. Communications involve only public keys, and no private key is ever transmitted or shared. It is called asymmetric encryption because it uses two keys, i.e. a public key and a private key.
E.g.: RSA encryption, PGP (Pretty Good Privacy)
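
The key roles described above, shown with textbook RSA. This is an added illustration, not part of the original notes: it uses fixed toy primes and no padding, so it demonstrates only who holds which key and is not suitable for protecting real data. The function names and the sample message are hypothetical.

```python
# Added illustration: textbook RSA with fixed toy primes and no padding.
# It shows the key roles only and must not be used to protect real data.
P = 2**61 - 1          # Mersenne prime (toy size)
Q = 2**89 - 1          # Mersenne prime (toy size)
E = 65537              # public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can do this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of the private key can do this."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    # The recipient generates the pair and publishes only the public half.
    recipient_public, recipient_private = make_keypair()
    # The sender holds nothing but the recipient's public key.
    ciphertext = encrypt(recipient_public, b"meet at noon")
    # The private key never leaves the recipient, who recovers the plaintext.
    return ciphertext, decrypt(recipient_private, ciphertext)
```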

2. Explain Private Key Cryptography or Symmetric Key Cryptography
Private Key Cryptography is a cryptographic method in which the same key is used to encrypt and decrypt the message. It is also called symmetric encryption because it uses only a single key. Symmetric-key cryptography is sometimes called secret-key cryptography.
A problem with private-key cryptography is that the sender and the recipient of the message must agree on a common key via some alternative secure channel.
E.g.: Data Encryption Standard (DES), triple-DES (3DES), Advanced Encryption Standard (AES).

 

Protocols: A set of rules and conventions for sending information over a network.
Computer Communication Networks:
A computer communication network system consists of hardware, software and humanware.
Hardware:
Host: Each computer in a network is known as a host. Each host has a unique hostname and IP address assigned to it.
Network Elements: Hubs, Bridges, Routers and Gateways are used to connect the host/hosts on the network.
Software:
All the application software required to configure the network elements for successful networking.
Humanware:
Users who connect with different host/hosts and share resources on the network.

Network Types:
In general there are three types of Network:
1. LAN: Local Area Network. It covers a small room to a large building. High speed connectivity with low cost setup.
2. MAN: Metropolitan Area Network. It covers a city or 10-15 miles in range.
3. WAN: Wide Area Network. Covers large geographical areas. Requires costly devices such as routers and switches to set up.

Network Topology:
1. WAN Network:
1. Mesh Topology: Each node is connected with more than one host. The interconnected links keep the network reliable if any node fails.
2. Tree Topology: Generalization of Bus Topology. The root node is at the highest level and the other nodes share a parent-child relationship. Transmission from any element in the network propagates through the network and is received by all elements in the network.
2. LAN Network:
1. Bus Topology: Only one element in the network can have control of the bus at any one time. Failure of one node can bring down whole network.
2. Star Topology: All elements in a network are connected with a central element such as hub or switch.
3. Ring Topology: Token ring technology is used for transmitting data on the network.
Ethernet:
Standard Name: IEEE 802.3 Local Area Network (LAN) protocols.
Protocol: Data are transmitted using the popular Carrier-Sense Multiple Access/Collision Detection (CSMA/CD) protocol.
Ethernet Technologies:
10 Mbps - 10Base-T Ethernet (IEEE 802.3)
100 Mbps - Fast Ethernet (IEEE 802.3u)
1000 Mbps - Gigabit Ethernet (IEEE 802.3z)
10-Gigabit - 10 Gbps Ethernet (IEEE 802.3ae).
Transmission Control Systems:
The concept of representation of data for transmission, either as an analog or a digital signal, is called an encoding scheme.
Two Types of Encoding:
1. Digital to Analog Encoding: It carries a sine wave with a carrier signal. A carrier signal has amplitude, frequency, and phase shift.
2. Digital to Digital Encoding: Information is converted into bits i.e. zeros and ones.
Transmission Media:
It has two Categories
1. Wired Transmission: Fiber Optics cable, Twisted pair cable, Co-axial cables are used.
2. Wireless Transmission: Radio wave communication, Laser beam, Microwave and Infrared.
Connecting Devices:
Hub: A hub is a broadcasting device. It connects LAN components with identical protocols.
Bridges: Bridges filter incoming data packets, known as frames, for address before they are forwarded.
Switches: Intelligent devices that are also known as high-performance bridges.
Routers: Perform routing of IP packets. Routers interconnect two or more heterogeneous networks.
Gateways: They provide translation between networking technologies such as OSI model and TCP/IP protocol stack. A router with added translation functionality is a gateway.
Communication Service:
Connection Oriented: Uses a three-way handshake before data is transferred over the network. Packets sent and received are acknowledged. E.g.: TCP/IP protocol
Connectionless: No handshaking. No acknowledgement of packets sent or received. E.g.: UDP protocol
Data Switching:
Circuit Switching: Networks reserve the resources needed for the communication session before the session begins.
Packet Switching: Does not require any resources to be reserved before a communication session begins.
OSI Model and TCP/IP Model:
The OSI model functions as the network communication protocol standard, but it is not widely used. TCP/IP is widely used. Both models use two protocol stacks, one at the source and one at the destination.
OSI Model has Seven Layers:
Application Layer: Protocols used here are SMTP, HTTP, FTP, SNMP etc.
Presentation Layer: It responds to service requests from the Application Layer and issues service requests to the Session Layer.
Session Layer: It establishes, manages and terminates the connections between the local and remote application.
Transport Layer: TCP and UDP protocols are used here.
Network Layer: Routing of IP packet.
Data Link Layer: Switches and Bridges are used here.
Physical Layer: Bits of zeros and ones are converted here. Hub is used at this layer.
TCP/IP has Five Layers:
Application Layer: Protocols used here are SMTP, HTTP, FTP, SNMP etc.
Transport Layer: TCP and UDP protocols are used here.
Network Layer: Routing of IP packet.
Data Link Layer: Switches and Bridges are used here.
Physical Layer: Bits of zeros and ones are converted here. Hub is used at this layer.

 

Technology is a rational process of creating a means to order and transform matter, energy, and information to realize certain valued ends. Technological processes have three components: Inputs, Engines and Outputs.
Value of any technology depends on how we use the technology. Our Value systems are scaled on good and bad technologies.
The value we derive from a technology and the values we use in decision making while using it are based on one’s beliefs and moral value system.
Moral Dilemmas, Decision Making, and Technology
A dilemma is a difficult choice, not just any difficulty or problem. Dilemmas are usually caused by advances in technology. Advances in computer technology create a multitude of possibilities that never existed before.
Making Good Use of Technology
Every technology should have a regulated policy. New laws to strengthen the legal system, new moral and ethical concepts, and a massive education campaign make good use of technology.
Strengthening the Legal System
Many laws on the books are in serious need of review and revision. Updating the legal system is a complex task. Relevant and needed laws should be created quickly.
Moral and Ethics Education
1. Formal Education: Formal education of ethics should start in elementary schools. Students should be taught to use computers and the Internet responsibly: not to give out personal information and identification, not to create and distribute viruses, not to download copyrighted materials off the Internet, and not to misuse the technology.
2. Advocacy: Advocacy is a mass education strategy that works with the public, corporations and governments to enhance public education through awareness. It is intended to make people part of the message.

 

A Player is one of the different parties, each with his or her subjective perceptions of risk, tolerances for living with risk, and willingness to make various trade-offs.
An Agenda is a player's own analysis of the security situation together with internal and external non-security considerations.
Two players create security problems: the attacker and the attacked (the asset owner). If there were no attacker, there would be no security problems.
The policy of a security system is defined by anything from a single player to many players. A household's policy is defined by a single person, whereas corporate and credit card system policies involve many players. A policy may be simple or complex, depending on the unit.
Proxies are the players who act in the interest of other players. Proxies are intermediaries who have specialized expertise in their field. Not everyone can do everything, so proxies are needed.
E.g.: Hiring a building inspector to evaluate the physical condition of a house. Not everyone can do this; it requires expertise.
· Security Theater: security countermeasures that provide the feeling of security instead of the reality.
E.g.: Tamper-resistant packaging. It’s easy to poison many foods and over-the-counter medicines right through the seal by using a syringe.
· Nokia spends far more on battery security than on communications security. The battery security system senses when a third-party battery is used and switches into maximum power consumption, wearing the battery down faster and thus ensuring that consumers stick to Nokia batteries.
· In economics, an externality occurs when one player's decision affects other players not involved in the decision.
E.g.: A company saves much money by dumping toxic waste in a river, and everyone suffers because of contaminated water.
· A security system is based on a policy defined by one or more of the players (usually the asset owner) and the perceived risk against those assets. Security will always be a balancing game between various players and their agendas.

 

Security Trade-offs Are Subjective:
Risk assessment is subjective
People’s basic desire or values are subjective. Security decisions are based on personal judgments.

Extreme trade-offs are easy:
Protect yourself from credit card fraud by never using a credit card.
Prevent yourself from Mad Cow Disease by never eating meat products.
Prevent terrorists from boarding planes by grounding all planes.

Swiss door locks on homes are secure and hard to pick. The lock has a key that can't be easily duplicated by common equipment. The key can only be duplicated by the lock manufacturer at the written request of the property owner. So generally, many Swiss families have only 1 or 2 house keys.

Most shoplifting takes place in fitting rooms. If we removed fitting rooms, the resulting decrease in profits from sales would be greater than the cost of shoplifting.

Threat: A potential way an attacker can attack a system.
Risk: The likelihood of a threat and the seriousness of a successful attack.
Risk Management: It’s figuring out which attacks are worth worrying about and which ones can be ignored.
“Threat determines the risks, and the risks determine the countermeasures”.

Different people & organizations have different tolerances for risk, making value judgments about the risk. Because of this fact, security is subjective and will be different for different people, as each one determines his own risk and evaluates the trade-offs for different countermeasures.

Perceived risk and Actual risks:
1. People exaggerate dramatic but rare risks and downplay common risks. We worry more about earthquakes, terrorism, & kidnappers instead of slipping in our bathroom.
2. People have trouble estimating risks for anything that is not normal to them.
3. Personified risks are seen as greater than anonymous risks.
4. People underestimate risks they take willingly and overestimate risks they can't control.
5. People overestimate risks that are publicized.
Technology advances rapidly and is becoming so complicated and specialized that it has become impossible for a normal person to learn everything they need to know about all the risks.
"Because we do not understand the risks, we make bad security trade-offs."
If the trade-offs were subjective, there would be no such thing as a bad trade-off, only a trade-off perceived to be bad by someone. Security policy is based on the agenda of the major players.

 

· This book is about how to analyze and evaluate security measures.
· Most of the time, we hear about the security when it fails. Security effectiveness can be extremely hard to measure.
· Beyond Fear is Schneier's attempt to demystify security for the post 9/11 general public. The 9/11 terrorist operation was small, efficient, relatively low-tech, very strictly disciplined, highly compartmentalized, and extremely innovative.
· We constantly make security trade-offs every day, like brushing our teeth, locking the house, choosing the car we purchase and drive, the candy bar we buy, etc.
· People make security trade-offs naturally, choosing more or less security as situations change.
· The goal of this book is to help you move beyond fear, and give you the tools to start making sensible security trade-offs.
· Security is both a feeling and a reality.
· Security is about preventing adverse consequences from the intentional and unwarranted actions of others.
1. Security system: set of things put in place or done to prevent negative consequences. Security is about prevention. It can be attacked, can have flaws, and can fail.
2. Security concerns itself with intentional actions. Safety means protecting assets from unintentional actions. Security means protecting assets from intentional actions.
3. Security requires the concept of an attacker who performs intentional and unwarranted actions.
4. An attack means intentional unwarranted actions. An attack is a specific way to attempt to break the security of a system or a component of a system.
5. Assets are the objects of attack. Assets can be as small as a single diamond and as large as a nation’s infrastructure.
6. Countermeasures are the individual, discrete, and independent security components that together make up a security system.
· Security is complex, but it can be broken down into smaller and simpler steps. The 5-step process to analyze and evaluate security systems, technologies, and practices is as follows:
1. What assets are you trying to protect?
2. What are the risks to these assets?
3. How well does the security solution mitigate those risks?
4. What other risks does the security solution cause?
5. What costs and trade-offs does the security solution impose?
· A better understanding of trade-offs leads to a better understanding of security, and consequently to more sensible security decisions.
· Two of Schneier's concepts:
1. Everyone involved in a security decision has their own agenda.
2. Every security decision involves tradeoffs.
· By understanding these concepts, we can make rational decisions about whether and how proposed security measures should be implemented, rather than being driven by fear.

 
