Overall system security management has so many aspects to consider that, over
time, basic security protocols and definitions have been established. They
enable a structured, more modular approach to separating and simplifying the
many complex and often overlapping areas involved in security issues, so that
forms of system protection can be researched, created and implemented.

A main concept and “starting point” is the creation of an overall defining
Security Policy for a particular system and circumstance. The Policy helps
identify and define the critical assets in a system that are to be protected,
an appropriate level of security required to protect those assets, and a
proposed set of procedures to follow to help achieve that overall goal,
together with procedures to be followed in the event of a breach of that
policy. It can only be a “best guess” approach toward defining requirements
for a given system.

This Policy then helps define acceptable patterns of “normal” behaviour for a
given system, both by users of the system and by the system itself, and allows
follow-up actions to be taken with respect to that behaviour, which may
include:
Accountability – determine who was responsible for the actions
Damage assessment – determine what specific actions caused any damage
Damage recovery – determine what actions are necessary to return the system to normal

System security is often defined in terms of the Security Triad – CIA –
Confidentiality, Integrity and Accessibility (via Authorisation), where:
Confidentiality – the requirement for information to be restricted only to those authorised to access it.
Integrity – the requirement that original data remains protected from accidental or deliberate, unauthorised alteration.
Accessibility – the requirement that information is always accessible when required, to those authorised for access.

With these concepts in mind, security complexity can be further expanded to
include ideas of Trust, Threat, and Vulnerability.

Trust is a local to wide area concept that mirrors the level of “confidence
perception” that could be ascribed to a system or group of systems. It may
incorporate many aspects, including System Administrator control, user access,
hardware components, interconnected devices, and other interconnected
autonomous systems. Each of these has to be considered with a degree of
“trustworthiness”: how well a particular part of a system functions in
reality, compared to how it is expected to function, usually within a defined
boundary.

Threat can be defined as a potential circumstance that causes a system to
operate outside of the design limits set out for its original purpose, or
outside those required by the Security Policy. It usually takes a form that
can cause a breach in the Security Triad definitions, by the disclosure,
alteration or prevention of access to data.

Vulnerability can be regarded as the level to which a system is capable of
suffering from circumstances that affect its normal operation, as defined by
its design, or by the Security Policy and the Security Triad. System
vulnerability can also come in many forms, from badly designed, written and
tested software containing “bugs”, to what is regarded as the widest reaching
potential vulnerability: the human user. This is because of the potential for
damage that can be caused by deliberate action (disgruntled employee,
terrorist) or by accidental or unwitting damage (deletion of files, victim of
social engineering), mainly because most users, being on the “inside” of a
system's technical device security perimeter, have higher privilege levels of
system access.