What is computer security?
Computer security is a process of planning, implementing, and verifying the protection of your organization's computer-related assets from internal and external threats.
While security requires good up-front planning and implementation, it is really a never-ending process as assets, threats, and protection priorities change for your organization. Any organization that operates a computer system should engage that process by designating at least one person as the organization's security specialist. A security specialist, whose duties are described in this chapter, coordinates the organization's efforts toward establishing computing security. While that person may not be a security expert, he or she keeps informed about possible threats, and keeps a critical eye on the organization's ability to respond to each type of risk.
Two fundamental goals
Computer security can be boiled down to two fundamental goals:
Secure Soft Assets
Soft assets such as computer software and private data should be secured from theft or exposure.
Maintain Computer Resources Availability
Ensure system up-time and access when needed by authorized users.
Computer security often fills people's heads with dark images of government computer break-ins, inspired by Hollywood and the media. In reality, a missing icon on a computer can indicate a security problem. That situation violates the second security goal as listed above: the computer no longer works "as intended when needed by authorized users."
If an authorized user sits down at a computer to run the application that the now-missing icon pointed to, that user might be unable to do her necessary work. For that user, at that moment, a missing icon is no less a problem than if foreign spies had broken into the local area network through the Internet and planted a highly intelligent virus that has slowly destroyed the exact application she needs to use. Whether by missing icon or insidious virus, the computer just isn't going to do what she needs it to do. This is a problem that security can address by locking down the computer desktops so that icons can't be removed.
Three interrelated security issues
Security to a large degree is analogous to placing all of your computer resources behind a locked door, then giving selected individuals or groups the key to the door. Some resources, such as a Web or FTP server, are intended for a large group called "the world." Giving the world access doesn't mean that security is absent; at least a thin door of security is still in place, and that thin door may simply be a logging system that records activity. Security isn't always just keeping people out; it is defining who can access each system resource, then taking steps to verify each user's identity and perhaps log user activity.
The goals of computer security are met by addressing three tightly interrelated issues:
- Physical system security
- Network and host security
- User preparation and training
These issues encompass considerations of computer room design, software and hardware solutions, training, and policy making.
Thinking about security
Computer security can be compared to home security. For your home you might have the following:
- Locks: to prevent illegal access
- Alarms: to warn when illegal access occurs
- Insurance: to repair or replace damage after an incident
- Laws: to define acceptable behavior and how violations are to be handled
Computer security equivalents exist for each of these:
- Locks: passwords, file protections, encryption, and disk quotas
- Alarms: log files and system alerts
- Insurance: daily/weekly/monthly backups, uninterruptible power supplies, mirrored disks
- Laws: policies that define acceptable system use and how violations are to be handled
Continuing with the comparison between home security and computer security, almost every house is equipped with perimeter security. Perimeter security may simply be locks on the doors to the outside. This is comparable to using network perimeter security, such as a firewall, at any point where your network connects to another network, to keep the "bad guys" out of the network. This is good, but what about securing sensitive information from users inside the network or from those who have been granted trusted access past the firewall?
For example, say a room in a house contains a rare and expensive work of art. Most people would consider it reasonable to secure the perimeter of that room with additional locks. By the same token, it is also reasonable to secure a sensitive database and equip it with additional "alarms" or activity logging. In short, in your home you decide if locks are needed on each room, whether multiple locks are needed on exits and entrances to the house, whether an alarm system is needed, and how extensive it has to be. You also need to decide how much and what types of insurance to carry, and what valuables need to be placed in a safe or in a safe-deposit box outside the home. Storing something outside the home might be comparable to taking a resource off the network completely, much as is done in extremely secure military contract sites. To avoid being hacked into through the Internet, such sites often simply aren't connected to the Internet at all.