Information security is vital to the health of today's businesses, but designing, managing, and implementing IT security applications and answering fundamental IT security questions can seem like a daunting task, especially to those who are not the most tech savvy. What is security? And how can business leaders ensure that their virtual networks, business assets, and intellectual property are secure from the threat of viruses, malware, and malicious users?
Stay Safe! A Basic Guide to Information Technology Security provides an overview of the fundamental aspects of computer and network security. Examine how information security applies to applications, the Internet, and other networks, cloud computing, mobile devices, and more. Become familiar with different types of information security protection, including access control, antivirus software, cryptography, firewalls, intrusion detection and prevention systems, data backup and recovery, and biometrics. Understand different information technology threats, such as malware and social engineering.
Because network and computer security is critical for today's businesses, it is important for management to be informed and able to discuss intricate information-security issues with technical experts. This guide will explain security concepts and help business leaders be more confident in their decisions regarding information security infrastructure.
Chapter 1
Introduction to Security
What is security?
Is it a state of well-being for systems, organizations, or people? Can it be achieved through safety from criminal activity, such as terrorism, theft, or espionage? Does it include procedures followed or measures taken to ensure feelings of safety, stability, and freedom from fear or anxiety?
Security is all of these things and more. Specifically, in computer systems, security is expressed as the system's degree of resistance to, or protection from, harm.

Foundations of Security
Security is built on the following foundations:
Figure 1.1: Computer security foundations
Put simply, authentication is the process of verifying the identity of a person or thing. It might involve confirming the identity of a person by validating identity documents, verifying the validity of a website with a digital certificate, tracing the age of an artifact by carbon dating, or ensuring that a product is what its packaging and labeling claim it is. Authentication often involves verifying the validity of at least one form of identification.
Authorization is the function of specifying access rights to resources. More formally, to authorize is to decide, against a defined access policy (typically expressed as roles and permissions), whether a given identity may perform a given action on a given resource.
It is easy to confuse authentication with authorization. The two are frequently used interchangeably in conversation and are often tightly associated as key pieces of a secure system. But the two are very different concepts. Authentication is the process by which an individual's identity is confirmed. Authorization is the association of that identity with rights and permissions.
Auditing is normally used as a finance-related term. In the realm of security, auditing has two closely related meanings. At the organizational level, an audit is an unbiased examination and evaluation of whether an organization's security controls actually meet its security goals; it can be done internally (by employees of the organization) or externally (by an outside firm). At the system level, auditing means recording who did what, and when, in a log that can later be examined, which is what makes the accountability described below possible.
Confidentiality involves a set of rules or a promise that limits access or places restrictions on certain types of information. In day-to-day life, people do not share all of their personal information with every person around. Information is shared on a need-to-know basis or it is protected, according to the requirements of its holder. All of this falls under the foundation of confidentiality.
The commonly understood meaning of integrity is the quality of being honest, having strong moral principles, and sometimes, the state of being whole and undivided. In security, integrity means that data and systems remain accurate and complete and are changed only by authorized actions; any unauthorized or accidental change must be prevented or, at a minimum, detected. A system with integrity keeps performing its intended functions without being degraded or impaired by changes or disruptions in its internal or external environment.
In secure systems, availability is the degree to which a protected resource (a system, a subsystem, or a piece of equipment) is in its specified operational and accessible state when a task calls for it, which may happen at an unknown or random time. Availability is linked to the other security foundations as well: a resource should be available to those accessing it according to their roles, permissions, and authorization, and denied to everyone else.
One goal of computer security is that anyone with access to a secured system should be held accountable for his or her actions within the system. For example, if a document has been amended by person X, and if later X denies having amended it, the system should be able to hold X accountable by showing evidence that the document was amended by X. This property is usually called accountability or non-repudiation, and it depends on the other foundations: the system must have authenticated X, recorded the action in an audit log, and protected that log's integrity so that the record itself cannot be altered.
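The foundations above fit together in a single request: a system first authenticates the caller, then authorizes the requested action, and finally records the outcome in an audit log that the caller cannot later tamper with. The following is an added illustration, not code from the book or from Centex Technologies; the document store, the user names, the role table, and the audit key are all constructed for the example. Passwords are stored as salted PBKDF2 hashes, permissions come from a role table, and each audit record is chained to the previous one with an HMAC so that editing or deleting an entry is detectable.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed role table for the example (not from the book).
ROLE_PERMISSIONS = {
    "reader": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

PBKDF2_ITERATIONS = 100_000
EMPTY_MAC = b"\x00" * 32


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class DocumentStore:
    """Toy document service showing authentication, authorization and auditing."""

    def __init__(self, audit_key: bytes):
        self._users: Dict[str, Tuple[bytes, bytes, str]] = {}  # name -> (salt, digest, role)
        self._docs: Dict[str, str] = {}
        self._audit_key = audit_key
        self._prev_mac = EMPTY_MAC
        self.audit_log: List[Tuple[str, bytes]] = []  # (record, mac)

    def add_user(self, name: str, password: str, role: str) -> None:
        salt, digest = hash_password(password)
        self._users[name] = (salt, digest, role)

    # Authentication: is the caller who they claim to be?
    def authenticate(self, name: str, password: str) -> bool:
        entry = self._users.get(name)
        if entry is None:
            # Do the same amount of work for an unknown user so that the
            # response time does not reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return False
        salt, digest, _ = entry
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    # Authorization: may this (already authenticated) identity do the action?
    def authorize(self, name: str, action: str) -> bool:
        role = self._users[name][2]
        return action in ROLE_PERMISSIONS.get(role, set())

    # Auditing: append a record chained to the previous one by an HMAC.
    def _audit(self, who: str, action: str, doc_id: str, outcome: str) -> None:
        record = f"{who}|{action}|{doc_id}|{outcome}"
        mac = hmac.new(self._audit_key, self._prev_mac + record.encode(), "sha256").digest()
        self.audit_log.append((record, mac))
        self._prev_mac = mac

    def write(self, name: str, password: str, doc_id: str, text: str) -> str:
        """Amend a document; every outcome, including denials, is logged."""
        if not self.authenticate(name, password):
            self._audit(name, "write", doc_id, "denied:authentication")
            return "denied: authentication"
        if not self.authorize(name, "write"):
            self._audit(name, "write", doc_id, "denied:authorization")
            return "denied: authorization"
        self._docs[doc_id] = text
        self._audit(name, "write", doc_id, "ok")
        return "ok"

    def read(self, doc_id: str) -> str:
        return self._docs.get(doc_id, "")

    def verify_audit_log(self) -> bool:
        """Recompute the HMAC chain; any edited, removed or reordered entry breaks it."""
        prev = EMPTY_MAC
        for record, mac in self.audit_log:
            expected = hmac.new(self._audit_key, prev + record.encode(), "sha256").digest()
            if not hmac.compare_digest(expected, mac):
                return False
            prev = mac
        return True


if __name__ == "__main__":
    store = DocumentStore(audit_key=os.urandom(32))
    store.add_user("alice", "reader-pass", "reader")
    store.add_user("bob", "editor-pass", "editor")
    print(store.write("alice", "wrong", "policy.txt", "x"))        # denied: authentication
    print(store.write("alice", "reader-pass", "policy.txt", "x"))  # denied: authorization
    print(store.write("bob", "editor-pass", "policy.txt", "v2"))   # ok
    print(store.verify_audit_log())                                # True
```

The two denial paths are deliberately distinct: a wrong password fails authentication before any permission is consulted, while a valid reader fails authorization even though the identity is genuine. The audit record for a successful write names the authenticated user, and because each HMAC covers the previous one, rewriting "bob" to "alice" in that record invalidates the chain, which is the evidence the accountability paragraph asks for.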
When discussing security, it is important to be aware of these frequently used terms:
• Assurance: The degree of confidence, backed by evidence such as testing or review, that a secure system will behave as expected when put to use.
• Risk: The possibility that something may go wrong, weighed by how likely it is and how much harm it would cause. While working to make a system secure, one must consider the risks to its security.
• Threat: A potential cause of harm to a system, whether a malicious actor, an accident, or a natural event. Any action taken to make a system secure is based on preventing the threats posed to it.
• Vulnerability: A weakness in a system that a threat can take advantage of.
• Countermeasures: Controls, technical or procedural, that remove a vulnerability or stop a threat from turning a risk into actual harm.
• Exploits: The specific methods, tools, or code by which a threat takes advantage of a vulnerability.

Different Kinds of Security
After becoming familiar with basic security terminology, the next stage is to understand the different types of computer security.
Internet security is a set of rules and actions meant to protect against online attacks. The Internet has become part of our daily lives, a basic need for individuals, organizations, and systems. Internet security works to ensure confidentiality by restricting access to resources and services to the users who are authorized to use them. One example is a shopping website that encrypts its connection to the customer so that credit card details cannot be stolen in transit.
Information security means defending information from attempts by unauthorized entities to use, disclose, disrupt, modify, peruse, inspect, record, or destroy it. Information is a generic term for any form of data, whether physical or electronic.
Mobile security, as the name suggests, is the security of mobile devices like smartphones, tablets, laptops, and other portable computing devices. It also covers securing the networks that mobile devices use to operate; that part of the subject is often referred to as wireless security.1
1 Mobile security is examined and discussed in much greater depth in chapter 16.
ABDUL B. SUBHANI is a founder and the President and CEO of Centex Technologies. He is a Certified Ethical Hacker, a Certified Fraud Examiner, Certified in Risk and Information Systems Control, a Texas Licensed Private Investigator, and the recipient of multiple other advanced IT credentials. Abdul has been a frequent keynote speaker, moderator, and panelist at leading IT conferences, and he has given speeches to thousands of students at colleges and universities.