What is Security? - Definitions and a Common Language

I am often surprised by the lack of understanding amongst security professionals, and so-called "Security Experts", of the terms System Security, Cyber Security, or simply Security in general. More specifically, their understanding is more often than not incomplete at best. For example, in their minds System Security relates solely to preventing the unauthorized disclosure of confidential information. In their universe, the availability of the system hosting the sensitive information is a reliability issue, not a Security issue, although when confronted with the idea of a DDoS attack they quickly change their minds. This collection of blogs, which I fondly refer to as "Security 101 - The Fundamentals", has a single purpose: establishing a common framework for security discussions, and a common language, so that we can attack some of the greatest challenges facing our industry today. This first blog is the result of many years of teaching Security courses in the Computer Science Departments of Worcester Polytechnic Institute and Brandeis University. It summarizes my first two lectures in the field of Computer Security, and draws heavily on seminal manuscripts published in 1976 by Leslie Lamport [1] and Butler Lampson [2] addressing the important problem of "Protection" in Operating Systems.

Definitions:

Security  noun se·cu·ri·ty | \ si-ˈkyu̇r-ə-tē \

According to the Merriam-Webster dictionary, Security is the state of being protected or safe from harm. Specifically, when we refer to Computer Security we mean the ability of a set of devices (software and hardware) and operational procedures to protect the following assets from harm:

- Information and/or Data
- System Software, Applications, and Programs
- Services - both hardware and software

Protecting assets from harm (within this context) means:

- Confidentiality: assets are used/accessed only by authorized parties (also referred to as secrecy or privacy)
- Integrity: assets can be modified only by authorized parties and only in specific ways (think of the "insider threat")
- Availability: assets are available to authorized parties at time t₀, i.e., when they are needed.

Defn:
A secure computer system, see Garfinkel and Spafford [3], is a system that can be depended upon to behave as it is expected to. Similarly, a security breach is:

"the exploitation by individuals who are using, or attempting to use a computer system without authorization (i.e., crackers) and those who have legitimate access to the system but are abusing their privileges (i.e., the insider threat)."

For all practical purposes, all security breaches in systems are the result of system vulnerabilities, whether hardware, software, or data vulnerabilities: namely, defects in the design, implementation, or deployment of the system that result in a vulnerability.

References:
[1] http://en.wikipedia.org/wiki/Leslie_Lamport


Fernando C. Colon Osorio

"Failure is Feedback, and Feedback is the breakfast of Champions" - Anonymous

©2020 Wireless Systems Security Research Lab (WSSRL). All Rights Reserved.