The Ever-Present OSI/DoD Models
Ports, well-known and otherwise
NAT and Private Address Ranges (thanks JP)
Asset – anything valuable, such as information, software or a car stereo
Threat – any event or object that might result in a loss, like theft or fire damage
Threat Agent – any person or thing that can carry out a threat, like a thief or a flood
Vulnerability – a weakness in security, like an unprotected server or a hole in a fence
Exploit – actually taking advantage of a weakness, for instance by attacking an unprotected server or going through that hole in the fence
Risk – the likelihood that that an exploit will actually be performed
Risk management is what it’s all about: how much risk can you tolerate, and how much will you spend to avoid it?
Information Security Provides
- Integrity – Insurance that a message, software or other item hasn’t been changed in any way.
- Confidentiality – Only authorized persons have access to the information.
- Availability – Information is available to properly authorized users.
Basic Security Concepts
Layering -Providing multiple layers of protection: physical access control, a firewall, antivirus software, etc. The key concept is preventing one layer’s configuration from compromising other layers. If you leave workstations logged in overnight to distribute antivirus updates, you’ve weakened security with that compromise.
Limiting – Basically, limiting access, whether physical or logical.
Diversity – Using more than one type of a given security method; for instance, both a physical and a software firewall.
Obscurity – Limiting the information available to attackers. For example, your web server should not reveal that it’s Apache 1.2.
Simplicity – Put simply, don’t make your security layers hard to understand or configure.