You may have heard of PCI DSS (Payment Card Industry Data Security Standard) in several different places and might want to know what it is exactly. PCI DSS is enforced through the terms of a merchant agreement between a business that accepts credit cards and the bank that processes the business's transactions, and it has 12 READ MORE
Author: Fatih Mehmet UCAR
Amazon S3 and Glacier Services
AWS S3 (Simple Storage Service) is the object storage service provided by AWS, and almost every service AWS provides uses S3 in one way or another. S3 stores objects; an object in this context means the data stored as well as the metadata related to it. The maximum object size you can store on S3 is 5 TB READ MORE
Quantitative Risk Analysis
Quantitative risk analysis is done in 6 steps:
1. Assign Asset Value (AV)
2. Calculate Exposure Factor (EF)
3. Calculate Single Loss Expectancy (SLE)
4. Assess the annualised rate of occurrence (ARO)
5. Derive the annualised loss expectancy (ALE)
6. Perform cost/benefit analysis of countermeasures
Exposure Factor (EF) represents the percentage of loss when an asset is violated. It can also be READ MORE
Risk Terminology and Elements of Risk
Risk management includes a vast amount of terminology. However, there are 9 main terms that should be clearly understood in order to understand the context. Asset: An asset is anything that should be protected. It can be a computer file, hardware, software, a process, a product, furniture, a person… Asset Valuation: This is the READ MORE
Plans in Software Development
There are 3 types of plans that IT people need to be aware of and know the meaning of:
Strategic Plan
Tactical Plan
Operational Plan
A strategic plan is a long-term plan that is fairly stable and defines goals, mission and objectives. Long-term goals and visions for the future are discussed as part of strategic READ MORE
Prioritization of Threats via DREAD System
The DREAD system is designed to provide a rating for a threat by answering 5 main questions, which are:
Damage Potential: How severe would the damage be?
Reproducibility: How complicated is it for an attacker to reproduce the exploit?
Exploitability: How hard is it to perform the attack?
Affected Users: How many users will likely be READ MORE
Categorizing Threats with STRIDE
It is always helpful to categorise threats in a formal way and then deal with them. Microsoft has developed a threat categorisation scheme called STRIDE, an acronym that stands for the list below:
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service (DoS)
Elevation of Privilege
Spoofing is gaining access to the target system with READ MORE
Levels of Classification for Security
There are 2 common schemes for classification:
Government/Military Classification
Business/Private Sector Classification
Government/Military Classification has 5 levels:
Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified
Top Secret is the highest level; unauthorised disclosure of this type of data will have drastic effects and can cause grave damage to national security. Top Secret classified data READ MORE
Concept of AAA Services in Security
The AAA services concept is a widely known security concept which stands for Authentication, Authorisation, Accounting (or Auditing). Although it is called AAA services and only carries the first letters of 3 elements, it actually represents 5 elements in a chain. Identification: Claiming an identity when attempting to access a resource, e.g. typing a username, READ MORE
Concept of CIA in Security
There are 3 most important principles of security, called the CIA triad for short, which are:
Confidentiality
Integrity
Availability
Confidentiality is the set of measures used to ensure the protection of the secrecy of a resource; the goal is to prevent or minimise unauthorised access to it, e.g. encryption, access controls… Integrity is the concept READ MORE