diff --git a/pages/总复习2023t1.md b/pages/总复习2023t1.md index 9912620..662db70 100644 --- a/pages/总复习2023t1.md +++ b/pages/总复习2023t1.md 
@@ -2185,7 +2185,219 @@ l marketing issues l red tape (bureaucracy) - ## Topic 19 - - + - What is Cybersecurity?\n什么是网络安全? + Cybersecurity is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks + 网络安全是应用技术、程序和控制来保护系统、网络、程序、设备和数据免受网络攻击。 + It aims to reduce the risk of cyber attacks, and protect against the unauthorised exploitation of systems, networks and technologies + 它的目的是减少网络攻击的风险,并保护系统、网络和技术不被非法利用。 + Increasingly implemented through laws and regulations + 越来越多地通过法律和法规来实施 + Three distinct legal elements: information security, privacy and data protection, and cybercrime + 三个不同的法律要素:信息安全、隐私和数据保护,以及网络犯罪 + Information Security信息安全 + Seeks to protect all information assets, whether in hard copy or in digital form + 寻求保护所有的信息资产,无论是硬拷贝还是数字形式的信息。 + Information is one of the most valuable assets + 信息是最有价值的资产之一 + Good business practice + 良好的商业惯例 + Digital revolution changed how people communicate and conduct business + 数字革命改变了人们的沟通方式和业务开展方式 + Digital revolution changed how people communicate and conduct business + 数字革命改变了人们的沟通方式和业务开展方式 + Privacy and Data Protection隐私和数据保护 + Number of different, but related concepts + 不同但相关的概念的数量 + Control of personal data + 个人数据的控制 + Control = the ability to specify the collection, use, and sharing of their data + 控制=有能力指定收集、使用和分享他们的数据 + Personal information – private x publicly available + 个人信息--私人的x公开的 + Data privacy are the regulations, or policies, that governs the use of my data when shared with any entity, while data protection is the mechanism — that is, the tools and procedures — to enforce the policy and regulation, including the prevention of unauthorized access or misuse of the data that I agreed to share + 数据隐私是管理我的数据在与任何实体共享时的使用的法规或政策,而数据保护是执行政策和法规的机制,即工具和程序,包括防止未经授权访问或滥用我同意共享的数据。 + Information Security x Privacy信息安全x隐私 + Information security and privacy are closely related, but distinct concepts + 信息安全和隐私是密切相关的,但又是不同的概念 + Privacy is an 
individual’s right to control the use and disclosure of their own personal information + 隐私是个人控制自己的个人信息的使用和披露的权利。 + Information security is the process used to keep data private + 信息安全是用于保护数据隐私的过程 + Security is the process; privacy is the result + 安全是过程;隐私是结果 + Cybercrime网络犯罪 + Cybercrime is an act that violates the law, by using information and communication technology (ICT) to either target networks, systems, data, websites and/or technology or facilitate a crime + 网络犯罪是一种违反法律的行为,它利用信息和通信技术(ICT),以网络、系统、数据、网站和/或技术为目标,或为犯罪提供便利。 + Cybercrime knows no physical or geographic boundaries and can be conducted with less effort, greater ease, and at greater speed and scale than traditional crime + 网络犯罪不受物理或地理边界的限制,与传统犯罪相比,可以更省力、更容易、更快速、更大规模地进行。 + Drivers of Cybersecurity网络安全的驱动因素 + Legal and regulatory法律和监管 + Growing legal framework establishing safeguarding and information obligation + 建立保障和信息义务的法律框架不断增强 + Growing enforcement as a response to ineffective self-regulation + 作为对无效自律的回应,执法力度不断增强 + Commercial商业 + Growing awareness of risk, economic and legal consequences, trustworthiness of business transactions + 对风险、经济和法律后果、商业交易的可信度的认识不断提高 + Technical技术 + With technological innovation comes opportunities as well as risks + 技术创新带来了机遇,也带来了风险 + Information Security信息安全 + Information Security I + Processes, procedures and infrastructure to preserve: – confidentiality – integrity, and – availability of information + 流程、程序和基础设施,以保持 - 信息的保密性 - 完整性,以及 - 可用性 + Information Security II + + Confidentiality保密性 + Confidentiality I + Confidentiality means that only people with the right permission can access and use information + 保密性是指只有获得适当许可的人才能访问和使用信息。 + Protecting information from unauthorised access at all stages of its life cycle + 保护信息在其生命周期的所有阶段免遭未经授权的访问 + Information must be created, used, stored, transmitted, and destroyed in ways that protect its confidentiality + 信息的创建、使用、存储、传输和销毁必须以保护其机密性的方式进行。 + Confidentiality II + Ensuring confidentiality – encryption, access controls + 
确保保密性 - 加密、访问控制 + Compromising confidentiality – (intentional) shoulder surfing, social engineering; (accidental) publication + 破坏保密性--(故意)肩上冲浪、社会工程;(意外)发布 + It may result in identity theft, threats to public safety + 它可能导致身份被盗,威胁到公共安全 + Example + + Integrity + Integrity means that information systems and their data are accurate + 完整性意味着信息系统及其数据是准确的 + Changes cannot be made to data without appropriate permissions + 没有适当的权限,不能对数据进行更改 + Ensuring integrity – controls ensuring the correct entry of information, authorization, antivirus + 确保完整性--确保信息的正确输入、授权、防病毒的控制。 + Compromising integrity – (intentional) employee or external attacks; (accidental) employee error + 破坏完整性--(故意的)雇员或外部攻击;(意外的)雇员错误 + Example + + Authentication认证 + Specific to integrity and confidentiality considerations + 具体到完整性和保密性的考虑 + Authentication is the process of validating the identity of a registered user or process before enabling access to protected networks and systems. + 认证是在允许访问受保护的网络和系统之前验证注册用户或程序的身份的过程。 + Analogue : signatures, handwriting, in person attestation, witnesses, notary + 类比:签名、笔迹、当面证明、证人、公证 + Digital : username and password, digital signatures, fingerprints or face recognition + 数字化:用户名和密码、数字签名、指纹或面部识别 + Availability可利用性 + Availability is the security goal of making sure information systems are reliable + 可用性是确保信息系统可靠的安全目标。 + Data is accessible + 数据是可以访问的 + Individuals with proper permission can use systems and retrieve data in a dependable and timely manner + 拥有适当权限的个人可以使用系统,并以可靠和及时的方式检索数据。 + Ensuring availability – recovery plans, backup systems + 确保可用性--恢复计划、备份系统 + Compromising availability – (intentional) denial of service (DoS) attack, (accidental) outage + 破坏可用性 - (故意)拒绝服务(DoS)攻击,(意外)中断 + Example + + Information Security信息安全 + = Mitigating risks to the trustworthiness of information of corporations and governments by the:=减轻公司和政府的信息可信度的风险,由: + Development of strategies and制定战略和 + Implementation to technologies and procedures in order to preserve its confidentiality, 
integrity, and availability实施技术和程序,以保护其机密性、完整性和可用性 + Information Security Key Concepts信息安全的关键概念 + Risk management as means to justify information security laws = process of listing the all the relevant factors and taking steps to control them where possible + 风险管理是证明信息安全法的手段=列出所有相关因素并尽可能采取措施控制它们的过程。 + There are four main concepts: Vulnerabilities ,Threats ,Risks ,Safeguards + 有四个主要概念: 脆弱性、威胁、风险、保障措施 + Vulnerabilities 漏洞 + Vulnerabilities I + = weakness or flaw in the information system that can be exploited= 信息系统中可被利用的弱点或缺陷 + Construction, design mistake建筑、设计错误 + Flaws in how internal safeguards are used/not used, based on:在如何使用/不使用内部保障措施方面存在缺陷,依据是: + People + Process + Facility 设施 + Technology + Vulnerabilities II + People + separation of duties principle职责分离原则 + two or more people need to split a critical task functions两个或两个以上的人需要分担一个关键任务的职能 + Process + flaws in organization’s procedures + missing step in a checklist /no checklist + failure to apply hardware and software patches + = patch is a software/code that updates a program to address security problems=补丁是一种软件/代码,用于更新程序以解决安全问题 + Vulnerabilities III + Facility + flaws in physical infrastructure有形基础设施的缺陷 + fences, locks, CCTV cameras围栏、门锁、闭路电视摄像机 + Technology + design flaws设计缺陷 + unpatched applications, improperly configured equipment未打补丁的应用程序,配置不当的设备 + Successful attacks take place when vulnerability is exploited成功的攻击发生在漏洞被利用的时候 + Threats  + Threats I + = anything that can cause harm to an information system – successful exploits of vulnerabilities=任何能对信息系统造成伤害的东西 - 成功利用漏洞的行为 + Relationship between a vulnerability and a threat脆弱性和威胁之间的关系 + An organization does not have sufficient controls to prevent an employee from deleting critical computer files (lack of controls – vulnerability). An employee could delete files by mistake (employee – source of threat) (deleting critical files – threat). If the files are deleted, successful exploit of the vulnerability has taken place. 
If the file is not recoverable, the incident harms the organizations and its security. Availability is compromised. + 一个组织没有足够的控制措施来防止员工删除关键的计算机文件(缺乏控制措施--漏洞)。雇员可能会错误地删除文件(雇员-威胁源)(删除关键文件-威胁)。如果文件被删除,就说明已经成功利用了该漏洞。如果文件无法恢复,该事件就会损害组织和它的安全。可用性受到影响。 + Threats II + Human + Internal and external, includes well-meaning employees and external attackers内部和外部,包括善意的雇员和外部攻击者 + Natural + uncontrollable events (fire, flood)不可控制的事件(火灾、洪水) + Technology and operational + operate inside information systems (malicious code, hardware and software failures)在信息系统内部操作(恶意代码、硬件和软件故障)。 + Physical and environmental – lack of physical securit物理和环境--缺乏实体安全y + Accidental or intentional意外或故意的 + Internal or external attackers内部或外部攻击者 + Threats III + Threats to information, networks, systems have increased对信息、网络、系统的威胁已经增加 + More devices, more use, more ‘always on’更多的设备,更多的使用,更多的 "永远在线"。 + More complex networks with greater ‘attack surface’更复杂的网络,有更大的 "攻击面"。 + Bring your own device (BYOD) means that end points of corporate networks no longer in their control; more points of entry into enterprise networks自带设备(BYOD)意味着企业网络的终端不再受其控制;有更多的点进入企业网络 + More devices with IoT; smart watches possibly not connected to enterprise authentication systems更多的设备具有物联网功能;智能手表可能没有与企业认证系统相连 + Attacks have grown more sophisticated攻击已变得更加复杂 + Sony’s servers wiped after internal communications stolen, but held for months索尼的服务器在内部通信被盗后被抹去,但被扣留了几个月 + Attacks that take months to achieve goals; undetected需要数月才能实现目标的攻击;未被发现的攻击 + 'Ransomware’ = threat to encrypt data unless paid赎金软件"=威胁要加密数据,除非付费 + SolarWind cyberattackSolarWind的网络攻击 + Risks  + Risks I + + + Risks II + + + Risks III + + + Safeguards + Safeguards I + = safeguard reduces the harm posed by information security vulnerabilities or threats=保障措施减少信息安全漏洞或威胁所带来的危害 + + + Safeguards II + + Safeguards III + Safeguards can be put in place at all layers of the system:保障措施可以在系统的所有层级落实到位: + + 可以在系统的所有层实施安全措施 :\n在物理硬件或设备层,例如,通过物理保护服务器机房免受水淹;\n在各种软件层,例如通过安装最新的补丁;\n在网络层,例如通过使用虚拟专用网 
(“VPN”);而且,\n在用户层,确保所有人员接受适当的培训,以识别网络钓鱼电子邮件和其他形式的社会工程。 + Exercise + + Information Security Management + + 有效评估组织的安全需求,评估和选择各种安全产品和策略 将信息分类 确定法律义务 评估漏洞、威胁和风险 保护 有许多挑战 标准的发展 + ISO/IEC + 27001 + + 27001:2022信息安全管理系统 全球最著名的信息安全管理系统标准 (ISMS) 它定义了 ISMS必须满足的要求 该标准为各种规模和各种行业的公司提供了建立、实施、维护和持续改进信息安全管理系统的指导 符合 ISO/IEC 27001标准意味着一个组织或企业已经建立了一个系统来管理与公司拥有或处理的数据的安全性相关的风险 + + ISMS规范 从自上而下的角度衡量、监控和控制安全管理的方法 第 2部分定义了一个六步“流程”,本质上是 : 定义安全策略 定义 ISMS的范围 进行风险评估 管理风险 选择要实施的控制目标和控制 准备一份适用性声明 + 27002 + + 27002:2022信息安全、网络安全和隐私保护—信息安全控制 本文档提供了一套通用信息安全控制参考,包括实施指南 本文档旨在供以下组织使用 : 在基于 ISO/IEC27001的信息安全管理系统 (ISMS)的范围内; 根据国际公认的最佳实践实施信息安全控制; 用于制定特定于组织的信息安全管理准则 确定每项控制的目标、工作原理以及公司如何成功实施 + Summary + + 信息安全是保护信息这一宝贵资产的研究和实践\n信息安全的主要目标是保护信息的机密性、完整性和可用性 (CIA)\n关键的信息安全概念包括漏洞、威胁、风险和安全措施\n实施信息安全的法律义务和激励措施\n标准的重要性 - LATER 概率论 (隔了一个周末) collapsed:: true SCHEDULED: <2023-06-19 Mon>
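Review bot: several headings added in this hunk have empty bodies (`Information Security II`, the three `Example` items under Confidentiality, Integrity and Availability, `Risks I`/`II`/`III`, `Safeguards II`, `Exercise`), and the Information Security list repeats `Digital revolution changed how people communicate and conduct business` verbatim with its translation; fill or drop the empty headings and remove the duplicate before this lands. Two small text fixes in the same hunk: the stray `y` in `lack of physical securit物理和环境--缺乏实体安全y` belongs on `security`, and `SolarWind cyberattack` should read `SolarWinds` (the vendor's name). The `Threats I` definition (`anything that can cause harm to an information system – successful exploits of vulnerabilities`) also contradicts the worked example right below it, where deleting critical files is the threat and the successful exploit is a separate outcome once the file is gone; wording it as something that can cause harm *by* exploiting a vulnerability keeps the two consistent. Lastly, `Availability` is rendered as 可利用性 in its heading but 可用性 in the body and summary; use 可用性 throughout.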