- Computer Security refers to the measures taken to assure that only the allowed persons can have access to the data in a computer system.
It's not only about data, but also about control over computer systems (for example famous changes of web pages).
- As the systems are ever more complex, this objective, as security in the real world, remains forever unattainable.
- A determined thief can successfully rob the best guarded of banks. A determined computer criminal can read, copy, alter or destroy data in the best secured computer. As in the real world, the best you can do is make it more difficult, changing the cost/benefit equation for the criminal. You can reduce the effects of data loss by careful backing up and insurance. And you can further change the cost/benefit equation by pursuing the criminal after the attack.
That's completely untrue. Security-related parts of systems (usually only a few percent of code) don't have to become more complex. They can even become simpler, as they don't need as many performance optimizations as were required in the past.
It's completely possible (even though rarely done nowadays) to mathematically prove the correctness of all security-related code. It's as possible to get 100% security of a computer system as to get 100% sureness of any other algorithm or code.
And 'cracker', not 'criminal', is the correct word. Legality of cracking doesn't have anything to do with computer systems, and cracking by police isn't any different from cracking by individuals. --Taw
I've been looking at this page, and I completely agree with you that it needs a major rewrite. However, I'm not sure how to accomplish it, as what already exists is far too 'advisory' and not enough 'to the point', in addition to being very "morally correct".
It would be a good thing to have a rewrite, imho.
While it's unfortunate, I'm temporarily moving a lot of useful and well-written content to /Talk. It unfortunately presented a one-sided view of computer security. I hope we'll make a better and more balanced article. --Taw
Computer Security refers to the measures taken to assure that only the allowed persons can have access to the data in a computer system. As computer systems hold ever more valuable data, the importance of computer security grows. As the systems are ever more complex, this objective, as security in the real world, remains forever unattainable.
A determined thief can successfully rob the best guarded of banks. A determined computer criminal can read, copy, alter or destroy data in the best secured computer. As in the real world, the best you can do is make it more difficult, changing the cost/benefit equation for the criminal. You can reduce the effects of data loss by careful backing up and insurance. And you can further change the cost/benefit equation by pursuing the criminal after the attack.
The only real difference between computer security and real world, "bank" security is that computer systems are poorly understood, as a rule. Managers usually have a firm grasp on real world security issues, like fences, walls, security personnel, alarms, police, etc. And if they do not, their insurance companies do. Computer systems are many times not insured against data theft or destruction, so this "security consulting" is lost. This lack of insurance for so potentially important a loss is in itself noteworthy. It probably stems from this same lack of knowledge, although the cause may be more complex.
A teenager wandering into a warehouse to pick up a trophy and show it to his friends is not treated in the real world as a dangerous criminal. If such an "explorer" enters the company computer system, the management can go ballistic, and the trespasser, if apprehended, risks prosecution. This lack of knowledge is potentially the biggest risk in a company. Of course they will have competent technical personnel, but they will tend to concentrate on the technical side of the issue. Social engineering, for example, will probably be ignored.
Of course, the parallelism between computer security and real world security is not exact, for a number of reasons. For example, vandalism is more dangerous in the computer world because it is potentially much more destructive. A vandal can cause havoc in thousands of computer systems around the world with little effort and small risk of capture. Of course the result would not be as visually satisfying as a graffitied wall, but all taken into account, what is really surprising is the small probability you have today of suffering damage from a computer virus or computer worm.
Today, computer security is composed mainly of "preventive" measures, like firewalls. We could liken a firewall to the building of a good fence around your warehouse. A good first step. But not enough if you keep the fence unguarded (no monitoring), or if you hand a copy of the key to everybody that asks for it by phone (social engineering). If, to add insult to injury, it's widely known that you won't prosecute any trespasser, we could consider the firewall installation as almost an exercise in futility. However, many computer systems are not monitored, and the number of computer criminals really brought to justice is abysmally low. In that situation, it's no wonder you have no insurance; the policy would be enormous.
Along the same lines of reasoning, it's good to have an antivirus program, but rather pointless if your users open any and all of the executable attachments they receive by e-mail. Opening an executable attachment is the same as opening the door to your system, with your user privileges, to anybody that sent you that attachment.
In short, lack of computer security today is a multi-pronged menace to which a multi-faceted defense is the only response. Buying an off-the-shelf software package is no substitute for a careful evaluation of the risks, the possible losses, the counter-measures and the security policies, done at a high enough company level.