Security Introduction

1
Security Introduction
2
Security is a system

• It is important to realize that security is a
  system of individual measures, each of which is
  not fully effective in isolation but which work
  effectively in tandem. As a system, it is only as
  strong as its weakest link.
• To appreciate this concept, consider your local
  bank branch. It has a vault, a teller cage, a
  lock on the front door, a surveillance camera, an
  alarm system to summon the police, and an armored
  vehicle to transport cash to and fro.
• Think about it These measures are complementary,
  and each makes up for obvious shortcomings in the
  others.
• Further, the security system can never be 100
  effective, even though it can prevent most
  thefts.

3
Security impacts usability

• Security always adversely impacts the ease of
  legitimate uses.
• Returning to the bank branch example,
• If the bank was willing to deny customer's access
  to their money, or even willing to make it harder
  for customers to access their money, security
  could be made more effective.
• Letting customers in the front door also lets in
  the bad guys. Thus, any security system, to avoid
  unnecessarily getting in the way of legitimate
  uses, should counter the most credible threats
  and take into account the seriousness of any
  consequences.
• Analogously, dealing with sensitive information
  (like student's grades or identity information
  for human research subjects) deserves more
  stringent (and hence more invasive) security
  measures than, say, the drafting of this course.

4
Major elements of security requires a combination
of people and technology

• People. In computer security, these include the
  users, as well as professional staff
  administering the computers and networks.
• Using technology appropriately. There exist
  effective security technologies, but they have to
  be used properly, to be effective.
• An important source of security lapses is the
  failure to use technologies properly. Human error
  (either users or system administrators) is also a
  frequent cause of lapses.
• The most effective means to minimize human error
  is to employ technologies that are automatic and
  transparent, installed, configured, and
  maintained by professional system administrators.
  
• But even with this professional administration,
  users still have an important role, including
  vigilance and avoiding common errors.

5
The following are essential elements of a
security system

• Education. Users need to be aware of their risks
  and responsibilities, and understand how to use
  the technologies available to them and the
  consequences of innocent errors or omissions they
  may make.
• Software. As the Internet provides global
  connectivity to any computer, security software
  preventing and detecting nefarious access is
  essential.
• Services. Professional services should be made
  available to administrators to manage any
  computer, (especially those harboring sensitive
  data), install, configure, and maintain
  specialized security tools, and monitor for
  intrusions.Ê Users, especially those harboring
  sensitive data, should take advantage of these
  services.
• Policies. Members of the communityshoul adhere to
  minimum security practices through the expression
  of mandatory policies. Focusing policies around
  credible means to follow them will also encourage
  wider compliance, although enforcement is
  generally necessary to ensure universal
  compliance.
• Laws. It will always be possible for an insider
  or outsider to penetrate computer security
  through malfeasance. Laws provide for punishment
  as deterrence to this activity, and may also
  isolate the perpetrator from society so that they
  are unable to repeat this act.