Modelling threats, attacks and defences

PPGR - Unit 1 - Modelling threats, attacks and defences


Information security (InfoSec) is:

“Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.”

Cybersecurity is:

“The protection of information assets by addressing threats to information processed, stored, and transported by inter-networked information systems.”

A vulnerability is:

  • something that can be exploited by a threat. Specifically, the (USA) National Information Assurance Glossary (NIAG) defines vulnerability as “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.”
  • For example, if a program has a security flaw, that is the vulnerability.

A threat is:

  • an attack that can exploit the security flaw to gain access to or disrupt a system
  • “any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image, or reputation), organisational assets, individuals, other organisations, or the Nation through an information system via unauthorised access, destruction, disclosure, modification of information, and/or denial of service.” (NIST)

CIA

Confidentiality

  • Authorised access only
  • Protecting privacy

Integrity

  • Data and system
  • Protection from accidental or deliberate modification

Availability

  • ... for legitimate users
  • Prevention of DoS attacks etc

Authentication

  • who are you - supports non-deniability

Authorisation

  • what can you do?

Auditing

  • Effective auditing and logging is the key to non-repudiation

Principles of InfoSec

Support the business

  • Focus on the business to ensure that information security is integrated into essential business activities.
  • Deliver quality and value to stakeholders to ensure that information security delivers value and meets business requirements.
  • Comply with relevant legal and regulatory requirements to ensure that statutory obligations are met, stakeholder expectations are managed, and civil or criminal penalties are avoided.
  • Provide timely and accurate information on information security performance to support business requirements and manage information risk.
  • Evaluate current and future information threats to analyse and assess emerging information security threats so that informed, timely action to mitigate risk can be taken.
  • Promote continuous improvement in information security to reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security.

Defend the business

  • Adopt a risk-based approach to ensure that risk is treated in a consistent and effective manner.
  • Protect classified information to prevent disclosure to unauthorised individuals.
  • Concentrate on critical business applications to prioritise scarce information security resources.
  • Develop systems securely to build quality, cost-effective systems on which business people can rely.

Promote responsible behaviour

  • Act in a professional and ethical manner to ensure that information security-related activities are performed in a reliable, responsible and effective manner.
  • Foster an information security-positive culture
    • to provide a positive security influence on the behaviour of end users
    • reduce the likelihood of security incidents occurring
    • limit their potential business impact

Assets and Values

Table: industry, information assets, and value (what the information is used for)

Banking
  • Information assets
    • Customer bank accounts
    • Credit history, wealth etc.
    • Credit records
    • Business information
  • Value / information used for
    • Theft
    • Blackmail
    • PII

University
  • Information assets
    • Health assessments
    • IP of books
    • Bank details
    • Research IP
  • Value / information used for
    • PII theft
    • Fraud
    • Exploit inventions

Auto-part manufacturer
  • Information assets
    • Product designs
    • Environmental impact
    • IoT devices
    • Supply chain info
  • Value / information used for
    • Sell on to competitors
    • Military espionage
    • Grey market items
    • IP theft/fake parts

Power company
  • Information assets
    • Customer info
    • Consumption patterns
    • ICS/SCADA
  • Value / information used for
    • Overload attacks
    • Control household utilities
    • Make money off the markets
    • Sabotage

Detecting vulnerabilities

  • Technology has a role after all…
  • Vulnerability scanners
    • Detect known flaws in software and configurations
    • Generate reports (with many false positives)
  • Penetration testers ('ethical hacking')
    • Use attack techniques
    • Attempt to compromise the system
    • Report on test results with recommendations

Threat actors

Unsophisticated Attackers

  • The unsophisticated attackers, also known as 'script kiddies', are fairly common. They tend to strike targets of opportunity and typically use tools and techniques readily found on the Internet.

Sophisticated Attackers

  • Sophisticated attackers, sometimes known as hackers, typically have access to sophisticated tools and techniques.
  • They have the skills to adapt these tools and techniques to the target environment.
  • Often the motivation for such attacks is financial gain.
  • Organised crime groups may employ these attackers for large cybercrime operations.

Corporate Espionage

  • Insiders can pose great danger to an organisation. While they may not necessarily have the same level of sophistication as other groups, they already have some access to network systems and information assets.
  • Network defences are often focused on monitoring unauthorised external access, and internal access may go unnoticed.

State-sponsored Attackers

  • At the top end of the spectrum are state-sponsored attackers, also known as advanced persistent threats (APTs).
  • APT groups are often responsible for espionage and cyberwarfare.
  • According to Mandiant, a group known as APT1 compromised at least 141 organisations through a systematic campaign.
  • Another example of the sophistication of these attacks is Stuxnet, an advanced malware used to attack Iran's nuclear program.

Other Attackers

  • Not all attackers or incidents fall neatly into these categories, and the threat landscape is constantly evolving.

Sources of threats


Attack modelling

  • Attack modelling and defence modelling form part of the overall process of threat modelling.
  • Organisations need to evaluate the most appropriate model for their systems.
  • When modelling a threat, both capabilities and intent must be considered.
    • This is important because capabilities vary greatly.
    • A lone “hacktivist” may have the intent to do great harm, but may lack the capability of an organised crime syndicate.

As an attacker, think about: