From MRL Wiki
In formal literature computer security is described as a field of computer science concerned with devising ways to prevent weaknesses from being exploited.
Computer security addresses three aspects:
- Confidentiality ensures that computer-related assets are accessed only by authorized parties.
- Integrity means that assets can be modified only by authorized parties or only in authorized ways.
- Availability means that assets are accessible to authorized parties at appropriate times.
Computer security is concerned with threats which are sets of circumstances that have the potential to cause loss or harm. We can view any threat as being one of four kinds:
- Interception means that some unauthorized party has gained access to an asset.
- Interruption is where an asset of the system becomes lost, unavailable, or unusable.
- Modification in which case an unauthorized party not only accesses but tampers with an asset.
- Fabrication where an unauthorized party might create a fabrication of counterfeit objects on a computing system.
Threats are blocked by control of vulnerabilities. Sometimes these controls can prevent or mitigate attacks; other, less powerful methods can only inform us that security has been compromised, by detecting a breach as it happens or after it occurs. The following controls are available:
- Encryption. Encryption is the formal name for the scrambling process. We take data in their normal, unscrambled state, called cleartext, and transform them so that they are unintelligible to the outside observer; the transformed data are called enciphered text.
- Software Controls. Programs must be secure enough to prevent outside attack. They must also be developed and maintained so that we can be confident of the programs' dependability. Program controls include the following:
- Internal program controls: parts of the program that enforce security restrictions, such as access limitations in a database management program.
- operating system and network system controls: limitations enforced by the operating system or network to protect each user from all other users.
- independent control programs: application programs, such as password checkers, intrusion detection utilities, or virus scanners, that protect against certain types of vulnerabilities.
- development controls: quality standards under which a program is designed, coded, tested, and maintained, to prevent software faults from becoming exploitable vulnerabilities
- Hardware controls. Numerous hardware devices have been created to assist in providing computer security:
- hardware or smart card implementations of encryption
- locks or cables limiting access or deterring theft
- devices to verify users' identities
- intrusion detection systems
- circuit boards that control access to storage media.
- Policies and Procedures. Some of the simplest controls, such as frequent changes of passwords, can be achieved at essentially no cost but with tremendous effect
- Physical controls. Physical controls include locks on doors, guards at entry points, backup copies of important software and data, and physical site planning that reduces the risk of natural disasters.
Effectiveness of controls. Merely having controls does no good unless they are used properly. Let us consider several aspects that can enhance the effectiveness of controls.
- Awareness of Problem. People using controls must be convinced of the need for security. People will willingly cooperate with security requirements only if they understand why security is appropriate in a given situation.
- Likelihood of Use. Computer security controls must be efficient enough, in terms of time, memory space, human activity, or other resources used, that using the control does not seriously affect the task being protected. Controls should be selective so that they do not exclude legitimate accesses.
- Overlapping controls. Sometimes called Layered defense. Several different controls may apply to address a single vulnerability.
- Periodic Review. Few controls are permanently effective. Judging the effectiveness of a control is an ongoing task.