Basic Security Threats and Principles
Identify the basic security issues associated with system/network design and configuration.
Every week, computer trade magazines report new types of viruses, security breaches, or a vulnerability in an operating system or a critical application. Hackers find “holes” in operating systems or Web servers, and then use them to gain unauthorized access to systems. In this era of information technology, globally networked computers, and the Internet, your systems can be compromised in many ways. You need to account for a system's physical security and ensure that its operating systems and applications are secure as well. Ask yourself, for instance, who has access to the computer system? Have all the latest operating system security patches been installed? Who has rights to access data?
NOTE
For in-depth discussions of these processes, see “Identifying the Elements of Security” later in this chapter.
When implementing computer security, perform the tasks in the following list:
Assess risk. Determine the types of data you have and how important they are to your organization.
Identify vulnerabilities. Determine the vulnerabilities of the network, individual systems, and applications.
Create a security policy. Develop a policy that defines how security is implemented.
Controlling Access to Data
When determining how to protect sensitive information, you can think in terms of implementing data access controls. These controls relate specifically to monitoring and managing data and limiting who can access it. For example, your system might require mandatory access controls, in which the system itself determines access rules, based in part on user security levels and security controls on the data. Or, perhaps the system should use discretionary access control, in which the owner of the data determines what mode of access other users should have to it.
Security protection would not be complete without system security administration. This effort requires developing security policies and procedures and performing periodic auditing to make sure the policies are being followed and kept up to date. A security policy can make a system secure only if users follow the policy's rules and guidelines.
Comparing Computer and Network Security
Security considerations can differ depending on the type of system you want to protect. For example, protecting a standalone computer is simpler than protecting an office network that links only workstations within the office or one that connects some computers to the outside world through the Internet or a dial-up modem.
On the other hand, the security of a single computer has much in common with network security. Both involve the same three key points: confidentiality, integrity, and availability. Both require the same processes of risk assessment, vulnerability analysis, and security policy implementation and auditing. What differentiates computer and network security are the methods attackers use to compromise each environment, and what you can do to mitigate the damage.