Information Systems Security

As computers become more complex, we see attackers increasing in sophistication. Attackers are continually crafting new methods to compromise the most secure environments. The job of the security professional is becoming more difficult because of the complexity of systems and the sophistication of attacks. No single action, rule, or device can protect an information system from all attacks. It takes a collection of strategies to make a computer environment safe. This approach to using a collection of strategies is often called defense in depth. To maintain secure systems, it is important to understand how environments are attacked and how computer systems and networks can be protected. The focus here is specifically on securing the family of Microsoft Windows operating systems and applications.

The main goal in information security is to prevent loss. Today’s information is most commonly stored in electronic form on computers, also referred to as information systems. Although printed information, or hard copy, needs to be protected, this text only addresses issues related to protecting electronic information stored on information systems.

The two goals of protecting information from unauthorized use and making the information available for authorized use are completely separate and often require different strategies. Ensuring information is readily available and accessible for authorized use makes restricting the data from unauthorized use more difficult. Most information security decisions require careful thought to ensure balance between security and usability. Information that is secure is simply serving the purpose for which it is intended. It is not being used for unintended purposes.

Mechanisms used to protect information are called security controls. Security controls can be part of the operating system or application software setup, part of a written policy, or a physical device that limits access to a resource. There are two methods for categorizing controls. These are not the only methods used to classify controls, and a single control may fit into more than one category. The first method looks at what the control is. Security controls belong to at least one of the following types:

  • Administrative controls are written policies, procedures, guidelines, regulations, laws, and rules of any kind.

  • Technical controls are devices or processes that limit access to resources. Examples include user authentication, antivirus software, and firewalls. Technical controls are also called logical controls.

  • Physical controls are devices that limit access to or otherwise protect a resource, such as fences, doors, locks, and fire extinguishers.

Security controls can also be categorized by the type of function they perform, that is, by what they do. The most common function types are:

  • Preventive controls prevent an action. They include locked doors, firewall rules, and user passwords.

  • Detective controls detect that an action has occurred. They include smoke detectors, log monitors, and system audits.

  • Corrective controls repair the effects of damage from an attack. They include virus removal procedures, firewall table updates, and user authorization database updates.
