I am often surprised by the lack of understanding amongst security professionals, and so called "Security Experts", of the term System Security, Cyber Security or simply Security in general. More specifically, it is more often than not that their understanding can be described as incomplete at best. For example, in their minds, System Security relates solely to the prevention of unauthorized disclosure of confidential information. In their Universe, the availability of the system hosting the sensitive information is often a reliability and not a Security issue, albeit, when confronted with the idea of a DDoS attack, they quickly change their minds. This collection of blogs, which I fondly refer to as "Security 101 - The fundamentals", has a single purpose. That of establishing a common framework for security discussions, and a common language so that we can attack some of the greatest challenges facing our industry today. This first blog is the result of many years of teaching Security courses at Worcester Polytechnic Institute and Brandeis University Computer Science Departments. It summarizes my first two lectures in the field of Computer Security, and draws heavily on seminal manuscripts published in 1976 by Leslie Lamport [1] and Butler Lampson [2] while addressing the important problems of "Protection" in Operating Systems.
Definitions
Secuirty noun se·cu·ri·ty \si-ˈkyu̇r-ə-tē\
In accordance to Miriam Webster dictionary, Security is the state of being protected or safe from harm. Specifically, when we refer to Computer Security we mean the ability of a set of devices, software and hardware, and operational procedures to protect the following assets from harm:
Information and/or Data System Software, Applications, and Programs Services - both hardware and software
Protecting assets from harm (within this context) means: Confidentiality – assets are used/access only by authorized parties (also refer to as secrecy or privacy) Integrity – assets can be modified only by authorized parties and only in specific ways (“insider threat”) Availability – assets are available to authorize parties at time to.
Defn: a secure computer system, see Garfinkel and Spafford [3],” is a system that can be depended upon to behave as it is expected to.
Similarly, a security breach is:
“the exploitation by individuals who are using, or attempting to use a computer system without authorization (i.e., crackers) and those who have legitimate access to the system but are abusing their privileges (i.e., the insider threat”).
For all practical purposes, all security breaches in systems are the result of system vulnerabilities – hardware, software, or data vulnerabilities. Namely defects in the design, implementation, and deployment of the system which result in a vulnerability.
References:
[1] http://en.wikipedia.org/wiki/Leslie_Lamport
[2] http://en.wikipedia.org/wiki/Butler_Lampson
|
Fernando C. Colon Osorio _____________________________ "Failure is Feedback, and Feedback is the breakfast of Champions" - Anonymous
|