Security involves making sure the good guys get in and the bad guys stay out. Throughout the development of the computer, security has been an increasingly important consideration. Software has evolved to include security functions, and with the advent of the Internet and large networks, security has become a daily issue. In fact, security software is considered by many in the computer industry to be a "necessary evil."
At the core of any security software process is the fundamental proposition that the level of risk associated with electronic data (often called an information asset) is the product of the data's value, threats, and vulnerabilities. Understanding this risk and being able to determine its relative rating are key components of security. As the significance of any of these factors increases, the risk also increases. Conversely, reducing any of these factors will significantly reduce the relevant risk. All three factors must be understood before it is possible to assess risk in a reliable manner.
- Asset Value is measured in terms of importance of data to the organization's business, operations, or ongoing support.
- Threats are measured in terms of events or actions that could have a negative impact on the availability, integrity, or confidentiality of an information asset. Threats are typically evaluated in terms of the source (internal or external), nature (structured or unstructured), and agents (hostile or non-hostile).
- Vulnerabilities are measured in terms of the absence, inadequacy, or inconsistency of facilities and processes that are deployed to protect the asset's value from the identified threats.
Security software has been incorporated into large computer systems for many years. The basic proposition is to lock up and protect computing resources (data and programs) from unauthorized use and access. Large computing systems typically use the following three-part scheme: (1) Identification; (2) Authentication; (3) Authorization.
Identification is usually done with a user identification (userid) indicator. The userid can be similar to the person's name or it can be a totally arbitrary indicator (e.g., JOHN1 or WX99RCA).
Authentication is the process of proving that you are really who you say you are. It is typically accomplished using a password or secret phrase. The password is known only to the user and allows the security software to ensure (with a limited degree of comfort) that users are, in fact, who they purport to be.
Authorization, the last step, assigns the userid the appropriate privileges within the system once identification and authentication have been completed.
While these steps sound easy enough, it can be difficult to provide assurance that the person attempting to gain access is actually an authorized user. Userids tend to be publicly known or easily guessed. Passwords are often guessed or not changed with sufficient frequency. And creative people can come up with new ways to circumvent the process. As a result, security software has become more sophisticated.
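The three-part scheme can be sketched in code with each step as its own function. This is an added example, not part of the original article; the account table, passwords, privilege names and PBKDF2 work factor are constructed assumptions. Because userids tend to be publicly known, a failed login returns the same answer and does the same work whether the userid or the password was wrong.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch

def derive(password, salt):
    # Store a slow, salted verifier instead of the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(password, privileges):
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive(password, salt),
            "privileges": frozenset(privileges)}

# Constructed sample accounts; the userids are the ones the text mentions.
ACCOUNTS = {
    "JOHN1": make_account("correct horse battery", {"payroll:read"}),
    "WX99RCA": make_account("tr0ub4dor&3", {"payroll:read", "payroll:write"}),
}
# Stand-in record so an unknown userid costs the same derivation as a known one.
_DUMMY = make_account("unused", set())

def identify(userid):
    """Step 1: map the claimed userid to an account record, or None."""
    return ACCOUNTS.get(userid)

def authenticate(account, password):
    """Step 2: check the secret in constant time; unknown userids never pass."""
    record = account or _DUMMY
    candidate = derive(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["verifier"])
    return matches and account is not None

def authorize(account, privilege):
    """Step 3: check the privileges assigned to the authenticated userid."""
    return privilege in account["privileges"]

def request_access(userid, password, privilege):
    account = identify(userid)
    if not authenticate(account, password):
        # One message for both failures: do not confirm which userids exist.
        return "DENY: invalid userid or password"
    if not authorize(account, privilege):
        return "DENY: not authorized"
    return "ALLOW"
```
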
A Brief History
Before networks and the Internet, security software was much easier to create, manage, and even understand. Individual machines and their software could be protected from unauthorized use through the use of protection programs that ensured that only one authorized user could gain entry to the machine's capabilities. In most cases, this involved a userid tied to the individual machine. Some software systems also allowed the user to restrict access to the data and software housed in the individual machine.
Once local area networks (LANs) and other connection capabilities (e.g., the Internet) appeared, security software became a top priority. From the smallest to the largest network, it was necessary to make sure that the system was secure from attack, theft, or other malicious use. This required security software functionality to increase. In addition, the number of system components to be protected multiplied as people added capabilities to their networks. The advent of business transactions over the Internet (e-commerce) has led to great advances in security software.
Security software has evolved as the systems it protects have grown in complexity and capabilities. There are basic activities that any security software performs. Specialized needs can be accommodated with more complex software programs.
Selecting the appropriate security software requires a careful analysis of several criteria including degrees of risk and vulnerability; types of assets to be protected; budget considerations; the security policy underlying the system; implementation resources; and auditing processes to test system security. As computing technology grows, security software will continue to develop in sophistication and function.
See also: Invasive Programs; Privacy; Security; Security Hardware; Viruses.