Okay, so just a moment on who our adversaries are. And of course they're. The attacks can come from a wide range of directions just to go over a few, uh, terms that we use to describe script kiddies. And I'm sure that's a term that many of you have heard.
The idea behind your script, Kitty, is that it's a very derogatory term
in the field. What that means is somebody that has no real talent but is able to copy and paste code off of Google that they've looked up or whatever and uh, can unleash viruses and malicious code. And now we're out there. But they're not really intelligent enough to create the malware themselves. So that's a very derogatory term
on, and you'll hear that as
hackers throw that term around while you're just a script kiddie. So they understand about script kiddies is whether their skill is very high or not. They still pose a very serious threat, and I think in some ways they may pose a greater threat than some of the other types of Attackers. Because script kiddies often
if they're true, script kiddies
often don't understand the real ramifications of the code that they're using and can wind up causing a whole lot of damage without the rial intent to do so. So we cannot discount the damage that script kiddies can. You can do
now the term hacker hackers and neutral term, although most people feel like it has a negative connotation.
But really, the term hacker was used to describe somebody who was very, very good with computers, somebody who could take apart the computers, put it back together from both a conceptual and a physical or or more tangible matter. So somebody that was very good with coding. Somebody is very good with hardware,
um, somebody with a lot of talent, a lot of skills.
Now, over time, that's meant that's kind of morphed to be negative. But really, you know, we have white hat hackers and we have black hat hackers. White hat hackers are really are 10 testers. These air, the ones that are yeah, they're hacking into systems, but they're doing it with permission with the backing of the organization,
and they're doing it in a manner that can help the company strengthen their
They're, uh, security mechanisms. Now, Black Hat Hatters hackers, those air sometimes referred to as crackers. Those were the ones with ill intent. And then, of course, sometimes there's this group of folks that are in the middle and they're called great hat hackers. So what they might do is they might attempt to find an exploit.
Then they might notify the vendor of this exploit. But if the vendor doesn't respond, then they might release the exploit out on the Web. So both good and bad aspects now the elite and financial hear people talk about leet speak,
Um, basically being certain types of characters on the keyboard, being used to indicate comments or or to substitute for other terms, basically the elite. Just what it sounds like these are the folks with very, very high skill levels. Very, very talented in the world of coding.
Certainly step some steps and steps above script kiddies.
Now, when we talk about attacks, not all tax attacks are structured, non structured, highly structured. You know when it has to do with the skill set of the attack, you can also look at whether or not I'm not. The attack is purposefully targeted at your organization or if it's a random attack,
not all attacks are out to attack
kelly handwritten dot com or whatever my company site. Maybe, um, many attacks are just using whatever system out there is available. So what people have to understand is they have a responsibility when connected to the Internet to protect their systems, because I don't have to be after your computer specifically
to use your computer in a downstream attack. So
whether or not how structured the attack is how formalized the processes but also whether or not in the tack is targeted, that your organization or not, that becomes a factor.
Um, other adversaries can be. You know, we have seen in the news a lot lately where we have state sponsored cyberattacks. There's been some speculation North Korea that China and other countries have been involved in some of the compromises we've seen of late,
and we've seen a lot of late
the Office of Personnel Management here in the government that I. R s Sony took a big hit and the attack is is supposed to have been perpetrated by North Korea based on a film they were releasing. So, you know, it's very hard to prosecute terrorists when they're coming from another state and when they're sponsored by another state.
So we have to understand who the Attackers are, so that we can understand means that we can protect ourselves against those Attackers. Um, so these air this just a little bit of an overview about what we're looking for in the realm of defensive
coding, which is a lot of what we're going to talk about while we're in this chapter,
and a lot of it is based on what is the value of what I'm protecting.
Who would it be valuable to? What are the threats where my weaknesses so understanding who's out there and who would benefit from this information from the assets on protecting will have to do with the type of security mechanisms I implement. And if you'll remember, When I said how much securities enough, the answer was
and we have to keep that in mind. So understanding who's after our data will help us determine how much protection is necessary.
All right, now, the last seven years, just a quick wrap up of our module, the very basics of security. Ah, just getting started. We talk about some general concepts. We looked at the C I A triad. We also looked at the I Triple A if you'll remember the C I A. Confidentiality integrity availability.
Uh, then we have the I Triple A, which is identify, authenticate, authorize an account or audit on those two words could be used interchangeably. We talked about the principles of security. Keep your code open for peer review purposes. Keep things simple.
Integrate security into the design as opposed to adding it on later,
those basic principles. Then we talk about the security architecture, and we looked at getting our architecture by basing our structure on security models and access control models. If you'll remember, the security models were Bimba, Bella popular Clark Wilson, and we said there are many other security models but those air someone's to be aware of,
and then the access control models understanding how a subject can access a resource or an object. So do we have discretionary control, where the owner of the object is in charge, who have mandatory control where the labels are used to determine access or role based access control
where each user's assigned or I'm sorry? Each role within the organization has an account
and permissions rights. Privileges are added to that role rather than being added to individual users. And then the last piece we just talked about know thy enemy, who our adversaries are, and understanding that that may play into how much security we add into the code.
So this has been our first little section of module one.
We're gonna move into risk management next.