Scribd
Upload
113 views

1.1 Methods of Defense

Encryption, software controls, and hardware controls are three methods for defending computer systems from attacks. Encryption transforms data to be unintelligible, protecting secrecy, integrity, and availability, but must be used properly. Software controls include development standards, operating system limitations, and internal access restrictions to protect users. Hardware controls range from encryption devices to locks and identity verification tools. Effectiveness requires proper usage of controls and periodic review as new threats emerge.

Uploaded by

RAJ TAPASE
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
113 views

1.1 Methods of Defense

Encryption, software controls, and hardware controls are three methods for defending computer systems from attacks. Encryption transforms data to be unintelligible, protecting secrecy, integrity, and availability, but must be used properly. Software controls include development standards, operating system limitations, and internal access restrictions to protect users. Hardware controls range from encryption devices to locks and identity verification tools. Effectiveness requires proper usage of controls and periodic review as new threats emerge.

Uploaded by

RAJ TAPASE
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

21-3 METHODS OF DEFENSE

Computer crime is certain to continue . The goal of computer security is to institute


controls that preserve secrecy , integrity , and availability . Sometimes these controls
are able to prevent attacks; other less powerful methods can only detect a breach as
or after it occurs .

In this section we will survey the controls that attempt to prevent exploitation of the
vulnerabilities of computing systems .
1 . Encryption

The most powerful tool in providing computer security is coding . By transforming


data so that it is unintelligible to the outside observer , the value of an interception
and the possibility of a modification or a fabrication are almost nullified .

Encryption provides secrecy for data . Additionally , encryption can be used to


achieve integrity , since data that cannot be read generally also cannot be changed .
Furthermore , encryption is important in protocols , which are agreed-upon
sequences of actions to accomplish some task . Some protocols ensure availability of
resources . Thus , encryption is at the heart of methods for ensuring all three goals of
computer security .

Encryption is an important tool in computer security , but one should not overrate its
importance . Users must understand that encryption does not solve all computer
security problems . Furthermore , if encryption is not used properly , it can have no
effect on security or can , in fact , degrade the performance of the entire system .
Thus , it is important to know the situations in which encryption is useful and to use it
effectively .

2 . Software Controls
Programs themselves are the second link in computer security . Programs must be
secure enough to exclude outside attack . They must also be developed and
maintained so that one can be confident of the dependability of the programs .

Program controls include the following kinds of things:


. Development controls , which are standards under which a program is designed ,
coded , tested , and maintained
. Operating system controls , which are limitations enforced by the operating system
to protect each user from all other users
. Internal program controls that enforce security restrictions , such as access
limitations in a data base management program
Software controls may use tools such as hardware components , encryption , or
information gathering . Software controls generally affect users directly , and so they
are often the first aspects of computer security that come to mind . Because they
influence the way users interact with a computing system , software controls must be
carefully designed . Ease of use and potency are often competing goals in the design
of software controls .

3 . Hardware Controls
Numerous hardware devices have been invented to assist in computer security .
These devices range from hardware implementations of encryption to locks limiting
access to theft protection to devices to verify users' identities .
(1) Policies
Some controls on computing systems are achieved through added hardware or
software features , as described above . Other controls are matters of policy . In fact ,
some of the simplest controls , such as frequent changes of passwords , can be
achieved at essentially no cost but with tremendous effect .

Legal and ethical controls are an important part of computer security . The law is
slow to evolve , and the technology involving computers has emerged suddenly .
Although legal protection is necessary and desirable , it is not as dependable in this
area as it would be in more well-understood and long-standing crimes.

The area of computer ethics is likewise unclear , not that computer people are
unethical , but rather that society in general and the computing community in
particular have not adopted formal standards of ethical behavior . Some
organizations are attempting to devise codes of ethics for computer professionals .
Although these are important , before codes of ethics become widely accepted and
therefore effective , the computing community and the general public need to
understand what kinds of behavior are inappropriate and why .
(2) Physical Controls
Some of the easiest , most effective , and least expensive controls are physical
controls . Physical controls include locks on doors , guards at entry points , backup
copies of important software and data , and physical site planning that reduces the
risk of natural disasters . Often the simple physical controls are overlooked while
more sophisticated approaches are sought .
(3) Effectiveness of Controls
Merely having controls does no good unless they are used properly . The next
section contains a survey of some factors that affect the effectiveness of controls .
. Awareness of Problem
People using controls must be convinced of the need for security; people will
willingly cooperate with security requirements only if they understand why security is
appropriate in each specific situation . Many users , however , are unaware of the
need for security , especially in situations in which a group has recently undertaken a
computing task that was previously performed by a central computing department.
. Likelihood of Use
Of course , no control is effective unless it is used . The lock on a computer room
door does no good if people block the door open . During World War Ⅱ code clerks
used outdated codes because they had already learned them and could encode
messages rapidly . Unfortunately , the opposite side had already broken some of
those codes and could decode those messages easily .

Principle of Effectiveness . Controls must be used to be effective . They must be


efficient , easy to use , and appropriate .

This principle implies that computer security controls must be efficient enough , in
terms of time , memory space , human activity , or other resources used , so that
using the control does not seriously affect the task being protected . Controls should
be selective so that they do not exclude legitimate accesses .

4 . Overlapping Controls
Several different controls may apply to one exposure . For example , security for a
microcomputer application may be provided by a combination of controls on
program access to the data , on physical access to the microcomputer and storage
media , and even by file locking to control access to the processing programs. This
situation is shown in fig21-3.

5 . Periodic Review
Few controls are permanently effective . Just when the security specialist finds a way
to secure assets against certain kinds of attacks , the opposition doubles its efforts in
an effort to defeat the security mechanism . Thus , judging the effectiveness of a
control is an ongoing task .

You might also like