Symmetric-Asymmetric

Risk management covers risk analysis (what your security exposure is) and risk control
(how you can reduce the damage).
All systems have vulnerabilities. The threat is the adversary (for example, a hacker). The risk
is the probability that a threat exploits a vulnerability to cause damage. Controls or
countermeasures reduce or prevent the risk. Residual risk is either accepted or transferred
to an insurance company.
A widespread control is access control. Identity is who you are (for example, your
username). Authentication is proof of your identity (for example, your password).
Authorization is what you are allowed to do (for example, your ACL). Audit is what you did (for
example, the logging of event messages).
Two main classes of cryptosystems exist:
• Symmetric. Uses the same shared key to encrypt and decrypt. Symmetric
cryptosystems are fast, but distributing and maintaining the shared keys is often
cumbersome. HMAC is a symmetric cryptosystem in which a shared key proves that a
holder of that shared key originated the message.
• Asymmetric. Requires two different keys (one public and one private). Using the
private and public keys can provide confidentiality, integrity, and digital signatures.
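The HMAC point above, as an added example that is not part of the original page or its cited books: HMAC-SHA256 written out from its definition, then used to verify a message with a constructed shared key. The key and message values are constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size; HMAC pads (or hashes) the key to this length


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 from its definition (RFC 2104):
    HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)),
    where K' is the key padded with zeros (hashed first if longer than a block)."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag with the shared key and compare in
    constant time so the comparison does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def demo() -> dict:
    # Constructed sample values; in practice the key is a random secret that
    # both parties must obtain out of band (the key-distribution burden above).
    key = b"constructed-shared-secret"
    message = b"transfer 100 to account 42"
    tag = hmac_sha256(key, message)
    return {
        # The from-scratch construction agrees with the standard library
        "matches_stdlib": tag == hmac.new(key, message, hashlib.sha256).digest(),
        "genuine": verify(key, message, tag),
        # A modified message no longer verifies: integrity
        "tampered": verify(key, b"transfer 900 to account 42", tag),
        # Without the shared key no valid tag can be produced: origin
        "wrong_key": verify(b"attacker-guess", message, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Because both parties hold the same key, the tag only shows that some key holder produced it; binding a message to exactly one party is what the asymmetric digital signature in the next bullet adds.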