Okay, so just a moment on who our adversaries are. And of course they're. The attacks can come from a wide range of directions just to go over a few, ah, terms that we use to describe script kiddies. And I'm sure that's a term that many of you have heard. The idea behind the script
it's a very derogatory term in the field. What that means is somebody that has no real talent but is able to copy and paste code off of Google that they've looked up or whatever and uh, can unleash viruses and malicious code. And now we're out there.
But they're not really intelligent enough to create the malware themselves, so that's a very derogatory term.
Ah, and you'll hear that as hackers throw that term around while you're just a script kiddie. So they understand about script kiddies is whether their skill is very high or not. They still pose a very serious threat, and I think in some ways they may pose a greater threat,
then some of the other types of Attackers. Because script kiddies often if they're true, script kiddies often don't understand the real ramifications of the code that they're using and can wind up causing a whole lot of damage without the rial intent to do so. So we cannot discount the damage that script kiddies can can do
now the term hacker hackers and neutral term, although most people feel like it has a negative connotation.
But really, the term hacker was used to describe somebody who was very, very good with computers, somebody who could take apart the computers, put it back together from both a conceptual and a physical or or more tangible matter. So somebody that was very good with codings money is very good with hardware.
Um, somebody with a lot of talent, a lot of skills now overtime. That's meant. That's kind of more to be negative. But really,
you know, we have white hat hackers and we have black hat hackers. White hat hackers are really are 10 testers. These air, the ones that are yeah, they're hacking into systems, but they're doing it with permission with the backing of the organization, and they're doing it in a manner that can help the company strengthen their their,
uh, security mechanisms.
Now Black Hat Hatters hackers those air sometimes referred to his crackers. Those were the ones with ill intent. And then, of course, sometimes there's this group of folks that are in the middle and they're called great hat hackers. So what they might do is they might attempt to find an exploit.
Then they might notify the vendor of this exploit. But if the vendor doesn't respond, then they might release the exploit out on the Web. So both good and bad aspects now the elite and financial hear people talk about leak speak,
Um, basically being certain types of characters on the keyboard, being used to indicate comments or or to substitute for other terms, basically the elite. Just what it sounds like these are the folks with very, very high skill levels. Very, very talented in the world of coding.
Um, certainly step some steps and steps above script kiddies.
Now, when we talk about attacks, not all tax attacks are structured, non structured, highly structured.
You know when it has to do with the skill set of the attack, you can also look at whether or not I'm not. The attack is purposely targeted at your organization or if it's a random attack, not all attacks are out to attack Kelly hindered in dot com or whatever. My company side Maybe, um,
many attacks are just using whatever system out
there is available. So what people have to understand is they have a responsibility when connected to the Internet to protect their systems, because I don't have to be after your computer specifically to use your computer in a downstream attack. So whether or not how structured the attack is how formalized the processes
but also whether or not in the tack is targeted, that your organization or not,
that becomes a factor.
Um, other adversaries can be. You know, we have seen in the news a lot lately where we have state sponsored cyberattacks. There's been some speculation North Korea that China and other countries have been involved in some of the compromises we've seen of late,
and we've seen a lot of late. The Office of Personnel Management here in the government that I. R s Sony took a big hit in the attack, is is supposed to have been perpetrated by North Korea based on a film they were releasing. So you know, it's very hard to prosecute terrorists when they're coming from another state and
when they're sponsored
So we have to understand
who the Attackers are, so that we can understand means that we can protect ourselves against those Attackers. Um, so these air this just a little bit of an overview about what we're looking for in the realm of defensive coding, which is a lot of what we're going to talk about while we're in this chapter,
and a lot of it is based on what is the value of what I'm protected
Who would it be valuable to? What are the threats where my weaknesses so understanding who's out there and who would benefit from this information from the assets on protecting will have to do with the talk of security mechanisms I implement. And if you'll remember, when I said how much security is enough, the answer was
and we have to keep that in mind. So understanding who's after our data
will help us determine how much protection is necessary.
All right, now, the last thing here is just a quick wrap up of our module, The very basics of security. Ah, just getting started. We talk about some general concepts. We looked at the C I A triad. We also looked at the I Triple A if you'll remember the C I. A. Confidentiality integrity, availability.
Ah, then we have the I Triple A, which is identify, authenticate, authorize an account or audit
on those two words could be used interchangeably. We talked about the principles of security. Keep your code open for peer review purposes. Keep things simple, integrate security into the design as opposed to adding it on later, those basic principles.
Then we talk about the security architecture, and we looked at getting our architecture
by basing our structure on security models and access control models. If you'll remember, the security models were Bimba, Bella popular Clark Wilson, and we said there are many other security models, but those air someone's to be aware of,
and then the access control models understanding how a subject can access a resource or an object.
So do we have discretionary control, where the owner of the object is in charge, who have mandatory control where the labels are used to determine access or role based access control where each user's assigned or I'm sorry? Each role within the organization has an account
and permissions rights. Privileges are added to that role rather than being added to individual users. And then the last piece we just talked about know thy enemy, who our adversaries are, and understanding that that may play into how much security we add into the code.
So this has been our first little section of module one.
We're gonna move into risk management next.