Chapters 1 & 2

About the course



Chapter 1


Computer Security: protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).


The CIA Triad




Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.



Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.



Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

The CIA Triad


More Terminology (1)

Adversary (threat agent)

An entity that attacks, or is a threat to a system.


An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.


An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.


An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

More Terminology (2)

Security Policy

A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

System Resource (Asset)

Data contained in an information system; or a service provided by a system; or a system capability, such as processing or bandwidth; or an item of system equipment (i.e., a system component, firmware, software, or documentation); or a facility that houses system operations and equipment.


A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.


A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.

Types of Attacks

Threat Consequences

unauthorized disclosure

exposure, interception, inference, intrusion


masquerade, falsification, repudiation


incapacitation, corruption, obstruction


misappropriation, misuse

Levels of Impact

levels of impact


Policy, Mechanism, Service

Fundamentals of Security Design

fundamentals of security design


Challenges Continued


Chapter 1 Summary

Chapter 2


How do we know who a user really is?

Is there some way to verify?

Who are you?

How can I, who is obviously Chris Sexton, know who you are?

Who are you?


We need ways to verify a user’s identity.

What do you suggest?

Education Discount Examples
  • Email verification
  • ID card scans
  • SSO login verification

How can these methods be defeated?


The set of methods we use to establish that a claim of identity is true.

This is different than authorization. Authentication only verifies an identity. It says nothing about what a user is allowed to do.

Three Factor Authentication

In order to verify a user, we will require a multi-factor verification of their identity including:

Something you know


Weak Passwords and Habits

Password managers

Let’s shop for tools to make passwords better.

Wirecutter: The Best Password Managers (Currently slightly out of date)

Something you have

Do you have 2FA enabled on all services yet?

Do you have a YubiKey?

2FA key management

Do you use Google Authenticator?

Stop that.

  • Authy
  • 1Password
  • LastPass (Premium)

Something you are

Many methods of "Something you are" do not translate well to general services, but may be applicable to sensitive resources.


Up next

Next time, we will discuss biometrics for authentication and discuss authorization and access control.