CHAPTER 1
Introduction to Security
Defining Security
What is security?
Is it a state of well-being for systems, organizations, or people? Can it be achieved through safety from criminal activity, such as terrorism, theft, or espionage? Does it include procedures followed or measures taken to ensure feelings of safety, stability, and freedom from fear or anxiety?
Security is all of these things and more. Specifically, in computer systems, security is expressed as the system’s degree of resistance to, or protection from, harm.
Foundations of Security
Security is built on the following foundations:
Figure 1.1: Computer security foundations
Authentication
Put simply, authentication is the process of verifying the identity of a person or thing. It might involve confirming the identity of a person by validating identity documents, verifying the validity of a website with a digital certificate, tracing the age of an artifact by carbon dating, or ensuring that a product is what its packaging and labeling claim it is. Authentication often involves verifying the validity of at least one form of identification.
Authorization
Authorization is the function of specifying access rights to resources. More formally, to authorize is to define an access policy based on roles and permissions.
It is easy to confuse authentication with authorization. The two are frequently used interchangeably in conversation and are often tightly associated as key pieces of a secure system. But the two are very different concepts. Authentication is the process by which an individual’s identity is confirmed. Authorization is the association of that identity with rights and permissions.
Auditing
Auditing is normally used as a finance-related term. However, in the realm of security, auditing is an unbiased examination and evaluation of an organization’s security goals. It can be done internally (by employees of the organization) or externally (by an outside firm).
Confidentiality
Confidentiality involves a set of rules or a promise that limits access or places restrictions on certain types of information. In day-to-day life, people do not share all of their personal information with every person around. Information is shared on a need-to-know basis or it is protected, according to the requirements of its holder. All of this falls under the foundation of confidentiality.
Integrity
The commonly understood meaning of integrity is the quality of being honest, having strong moral principles, and sometimes, the state of being whole and undivided. In security, integrity is further defined as the state of a system performing its intended functions without being degraded or impaired by changes or disruptions in its internal or external environments.
Availability
In secure systems, availability is the degree to which a secured system resource, such as a system, a subsystem, or equipment, is in a specified operational and accessible state at the start of a task, when the task is called for at an unknown or random time. Availability is linked to other security foundations as well. The availability of a resource to those accessing it should be according to their roles, permissions, and authorization.
Accountability
One goal of computer security is that anyone with access to a secured system should be held accountable for his or her actions within the system. For example, if a document has been amended by person X, and if later X denies having amended it, the system should be able to hold X accountable by showing evidence that the document was amended by X.
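The following added example (not from the original text) shows three of these foundations working together: authentication confirms who is acting, authorization checks that identity's role against a policy, and a keyed, chained audit log gives the system evidence of who amended a document. The users, roles, passwords, and function names are hypothetical, constructed for illustration.

```python
import hashlib, hmac, json, os

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "pw": hash_pw(password, salt), "role": role}

# Constructed sample data (hypothetical users, roles and passwords).
USERS = {"x": make_user("correct horse", "editor"),
         "y": make_user("battery staple", "viewer")}
POLICY = {"editor": {"read", "amend"}, "viewer": {"read"}}
AUDIT_KEY = os.urandom(32)  # held by the system, never by users
AUDIT_LOG = []

def authenticate(user, password):
    """Authentication: is this really the claimed identity?"""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(
        rec["pw"], hash_pw(password, rec["salt"]))

def authorize(user, action):
    """Authorization: does that identity's role grant the action?"""
    return action in POLICY.get(USERS[user]["role"], set())

def entry_mac(body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, data, hashlib.sha256).hexdigest()

def record(user, action, doc):
    """Accountability: append an entry chained to the previous one."""
    body = {"user": user, "action": action, "doc": doc,
            "prev": AUDIT_LOG[-1]["mac"] if AUDIT_LOG else ""}
    AUDIT_LOG.append({**body, "mac": entry_mac(body)})

def verify_log():
    """Return True only if no entry was altered, removed or reordered."""
    prev = ""
    for e in AUDIT_LOG:
        body = {k: e[k] for k in ("user", "action", "doc", "prev")}
        if e["prev"] != prev or not hmac.compare_digest(e["mac"], entry_mac(body)):
            return False
        prev = e["mac"]
    return True

def amend(user, password, doc):
    if not authenticate(user, password):
        record(user, "amend denied (authentication)", doc)
        return False
    if not authorize(user, "amend"):
        record(user, "amend denied (authorization)", doc)
        return False
    record(user, "amend", doc)
    return True
```

User "y" authenticates successfully but is still refused the amendment, which is the difference between the two concepts. The log's evidence is only as trustworthy as the protection of the system-held key.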
Security Terminology
When discussing security, it is important to be aware of these frequently used terms:
• Assurance: A guarantee or level of guarantee that a secure system will behave as expected when put to use.
• Risk: A possibility that something may go wrong. While working to make a system secure, one must consider the risks to the security.
• Threat: A method of triggering risk. Any action needed to make a system secure is based on preventing the threats posed to the system.
• Vulnerability: A weakness in a system that can be exploited by a security threat.
• Countermeasures: Ways and means to stop a threat from triggering a risk.
• Exploits: Vulnerabilities that have been triggered by a threat.
Different Kinds of Security
After becoming familiar with basic security terminology, the next stage is to understand the different types of computer security.
Internet security
Internet security is a set of rules and actions meant to protect against online attacks. The Internet has become part of our daily lives—a basic need for individuals, organizations, and systems. Internet security works to ensure confidentiality by protecting access to authorized resources and services. One example is an online system that prevents credit card details from being stolen on a shopping website.
Information security
Information security means defending information from attempts by unauthorized entities to use, disclose, disrupt, modify, peruse, inspect, record, or destroy a system. Information is a generic term for any form of data, whether physical or electronic.
Mobile security
Mobile security, as the name suggests, is the security of mobile devices like smartphones, tablets, laptops, and other portable computing devices. Because this type of security also includes securing the networks that mobile devices use to operate, it is sometimes referred to as wireless security.¹
¹ Mobile security is examined and discussed in much greater depth in chapter 16.