Security is the set of preventative and reactive measures taken to minimize harm, whether intentional or not. Depending on your need for security, there are different measures that can be taken. See also my section on Passwords.

Confidentiality, Integrity, Availability (CIA). Some folks think it should be Confidentiality, Integrity, Availability, Accountability (CIAA). CIAA is the foundation of information security.

Physical Security

Physical security means controlling the physical and electrical means by which access to a system is gained.

Physical security includes the following:

Fault Tolerance

Fault tolerance is the ability to recover from hardware failure or mistakes with little or no interruption. A fault-tolerant system is said to be robust and often has redundant or backup components.

Secured Transmissions

Secure transmission ensures that communications are only between the appropriate parties.

Secure transmission includes the following:

A man-in-the-middle attack (aka MITM attack; bucket-brigade attack; Janus attack) happens when an attacker eavesdrops between two communicating parties. Secured transmissions prevent MITM attacks.

Audits

Audits involve logging activity for the purposes of determining what occurred, when, and who did it.

Audits include the following:

Databases in particular can be set up so that every insert, update, and delete is logged: When, who did it, where in the app they did it, and what they changed the data from and to.

Access Control

Access control deals with enabling an authority to control which entities access which resources with what permissions.

Before proceeding, we must define entities, resources, and permission:

An Access Control List (ACL) is a list of permissions attached to a resource. It states which entities have what permissions for that resource. A user is usually a member of multiple groups. When a user tries to access a resource and is a member of multiple groups that have permissions to that resource, the permissions of the least restrictive group take precedence, unless the user is a member of a group that is specifically denied access or given "No Access" to that resource.
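The resolution rule above, worked through as an added example (not code from the original page). The user, group and resource names are constructed, and giving no access to a user whose groups are not listed in the ACL is an assumption of this sketch.

```python
# Added example: effective-permission resolution for the ACL rule above.
# All users, groups and resources are constructed for illustration.

NO_ACCESS = "NO_ACCESS"  # marker for an explicit deny entry in an ACL

# Constructed sample data: group membership and one ACL per resource.
MEMBERSHIP = {
    "alice": {"staff", "hr"},
    "bob": {"staff", "contractors"},
    "carol": {"visitors"},
}
ACLS = {
    "payroll.xlsx": {
        "staff": {"read"},
        "hr": {"read", "write"},
        "contractors": NO_ACCESS,
    },
}

def effective_permissions(user, resource, membership=MEMBERSHIP, acls=ACLS):
    """Return the set of permissions `user` holds on `resource`."""
    acl = acls.get(resource, {})
    granted = set()
    for group in membership.get(user, set()):
        entry = acl.get(group)
        if entry is None:
            continue          # group not listed in the ACL: contributes nothing
        if entry == NO_ACCESS:
            return set()      # explicit deny overrides every grant
        granted |= entry      # least restrictive wins: union of all grants
    return granted            # empty set if no group matched (assumed default)

def is_authorized(user, resource, permission):
    """Authorization check: is `permission` in the user's effective set?"""
    return permission in effective_permissions(user, resource)
```
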

Access to network resources is ultimately controlled on a per-user basis. However, there are at least two ways to do this:

Once the entities, resources, and permissions are in place, a system must be provisioned to provide access. Provisioning is initializing, preparing, and equipping a system so it can provide services and resources to users. When an entity wants to access a resource, they must first be authenticated, then authorized.

  1. Authentication (aka A1; AuthN; An) is the act of establishing or confirming that an entity is what or who they say they are. Entities are usually checked by one means (the most common) or by more than one (aka two-factor authentication; T-FA; 2FA; multi-factor authentication; MFA):
    • Knowledge. The entity knows something like user name, password, PIN, pass phrase.
    • Ownership. The entity has something like a wrist band, security token, cell phone.
    • Inherence. The entity is or does something like signature, fingerprints, retina, voice, DNA.
    • Location. The entity is at the specified location.
    • Time. The entity is at the specified date and time.
    • Referral. The entity is checked by a social contact, a friend, a 3rd party. Social sites do this. When one party does authentication for another party, then they have federated the identity. A party that provides Single Sign-On (SSO) for other parties does identity federation.
  2. Authorization (aka A2; AuthR; AuthZ; Az) is the act of parsing the user against the ACL and providing the appropriate resources with the appropriate permissions. EG: Users in human resources can access things that the typical worker can't.

Access control includes the following:

Network Access

A firewall is usually hardware (eg a screening router), software (eg a proxy server), or both. Most firewall systems use one or more of the following methods:

Here is a belt & suspenders firewall, a typical enterprise level setup for network access security:

Diagram of a firewall hardware

The SRs are screening routers, ie packet filters. The BHs (Bastion Hosts) are servers such as IIS, RAS, and Exchange. The DMZ (De-Militarized Zone) demarcates machines that have more exposure to the Internet than the LAN does.

Page Modified: (Hand noted: 2007-08-31 10:33:15Z) (Auto noted: 2011-06-22 14:46:44Z)