Computer Security Defined

A Brief Overview

Rene Bauman
The threat of computer attacks dates back to the earliest days of mainframes used in the 1960s . . .

As more and more companies turned to computer technology for important tasks, attacks on computer systems became more and more of a worry. In the early days of the personal computer, the worry was viruses.

With the advent of the World Wide Web and the exponential expansion of the Internet in the late 1990s, the worry became hackers and denial of service attacks. Now, at the dawn of the new millennium, the worry has become spam, malware/spyware, email worms, and identity theft.

All of this begs the question:

How do we protect ourselves from this perpetual onslaught of ever-adapting attacks?

The answer, as you may have guessed, is to be vigilant, staying one step ahead of those who would maliciously compromise the security of your system. Utilizing cryptography, access control policies, security protocols, software engineering best practices, and good old common sense, we can improve the security of any system.

As is stated by Matt Bishop [1], computer security is both a science and an art.

So What Is Security?
To begin, we need to define security in a fashion appropriate for our discussion. For our purposes, we will define computer security as follows:

Definition: Computer Security. Computer security is the protection of personal or confidential information and/or computer resources from individuals or organizations that would willfully destroy or use said information for malicious purposes.

Another important point often overlooked in computer security is that security does not need to be limited to simply the protection of resources from malicious sources; it could actually involve protection from the application itself.

This is a topic usually covered in software engineering, but the concepts used there are very similar to the methods used to make an application secure. Building a secure computer system also involves designing a robust application that can deal with internal failures; no level of security is useful if the system crashes and is rendered unusable.

A truly secure system is not only safe from external forces, but from internal problems as well. The most important point is to remember that any flaw in a system can be exploited for malicious purposes.

If you are not familiar with computer security, you are probably thinking, "What does 'protection' actually mean for a computer system?" It turns out that there are many factors that need to be considered, since any flaw in the system represents a potential vulnerability. In software, there can be buffer overflows, which potentially allow access to protected resources within the system.

Unintended side effects and poorly understood features can also be gaping holes just asking for someone to break in. Use of cryptography does not guarantee a secure system either; using the strongest cryptography available does not help if someone can simply hack into your machine and steal that data directly from the source. Physical security also needs to be considered.

Can a malicious individual gain access to an otherwise protected system by compromising the physical components of the system?

Finally, there is the human factor. Social engineering, essentially the profession practiced by con artists, turns out to be a major factor in many computer system security breaches. There is little that can be done to secure human activities, and it is a subject best left to lawyers and politicians.

*
Endnotes:
1. Author of Computer Security: Art and Science.

Published by Rene Bauman
