
Security Reference Guide


A Functional Definition of Security

Last updated May 23, 2003.

In addition to the domain structure discussed previously, information security can be analyzed by function. Using five distinct stages or steps, security can be broken down into manageable parts that an organization can use to assign responsibility and resources:

  • Risk avoidance
  • Deterrence
  • Prevention
  • Detection
  • Recovery

The following sections describe each stage and how it relates to computer security.

Risk Avoidance

When designing an information system, it's necessary to consider what components are actually required, and what components are optional. The necessity of this analysis seems fairly straightforward, but a proper and comprehensive study involving management and end users alike is often ignored. Instead, systems are designed on the fly, which can leave major holes for attackers who happen upon a newly installed system.

The proper method of designing a secure information system is to plan for and reason out what parts or technologies are needed, and what can be left out. The plan should be centered around a concept known as risk assessment, which can be defined as the objective study of what value and risk a component has to the system. In terms of security, this can be illustrated by the use of the "guest account." While many computers include a guest account, the risk associated with leaving this account available is rather high. As a result, most businesses disable the account globally, thereby reducing the chance that an attack will occur via the guest account.

To avoid risk, businesses must determine what they actually need with regard to information systems. Hardware is one part, but services, processes, and applications must also be considered. For example, should a company use an in-house web server, or rent space online? Is Microsoft Office required, or can the business use OpenOffice.org (thus avoiding the infamous VBScript problems)? Such tough questions must be asked and answered before any purchase is made.

Once the risk avoidance strategy is laid out, the components of the information systems should be documented, reviewed, and accepted by all authorizing parties. At this point, risk avoidance can step into the background and maintain a presence for all future decisions. For companies serious about maintaining a documented and complete picture of their information systems, risk avoidance should continue to be used through the life of the business.

Deterrence

Deterrence is the method of manipulating a person's actions by negative motivational influences. While this may seem like a mouthful, it's one of the most common methods of control used by governments, businesses, and individuals.

In short, deterrence is a method of scaring a person into thinking twice before performing an action. For example, one method of deterrence many of us have experienced is the empty police car by the side of the road. Even if we aren't speeding, just the presence of that icon of authority causes many people to hit the brakes. The same mental game is used frequently in the computing world.

For example, if a company has an FTP file server online, they may include a banner like this: "Your IP address has been logged. Unauthorized access will be reported to the authorities." While this won't faze a hardcore and dedicated hacker, it will keep an honest person honest, so to speak.

Another method used to deter malicious activity within an information system is through the use of explicit internal policies and memos. A strongly worded statement discussing the consequences of Internet abuse carries more weight than a simple global warning by the manager.

It should be noted, however, that you cannot deter a worm, virus, or other automated attacker; for something to be deterred, it has to recognize a threat. In other words, regardless of what you do, there will always be a threat from attackers that are either robotic or immune to threats.

Prevention

No matter how invisible an information system may seem, it's vulnerable. This is the first rule that any infosec professional assumes. While the risk may be very low, there's no product or practice that can completely eliminate the chance of a security-related incident. In fact, an estimated 33% of all "attacks" come from within the network, many of which are the result of simple mistakes or curious employees.

NOTE

Source: Sam Costello, "FBI: Cybercrime on the rise, but few victims report it" (Network World Fusion, April 8, 2002).

Whether the source is internal or external, the potential for disaster remains the same. This is why one of the key parts to securing computer systems is prevention. As the old military cliché states, the best offense is often a good defense.

Prevention software, hardware, and practices are typically thought of as the core of infosec. While this is far from the truth, the typical IT security budget supports this myth, with the single largest purchase being a firewall. (See Gunter Ollmann's article "Consultant's View - Firewalls" in SC Magazine's February 2003 issue.) In addition to that one key ingredient, there are many other aspects to a comprehensive prevention system—virus prevention, malicious code filtering, and security assessments, to name just a few.

Detection

While prevention is undeniably important, an information system is still apt to fall prey to a hacker attack. When this occurs, it's of utmost importance that the presence and activities of the hacker be detected and recorded. As a result, many prevention packages also incorporate some measure of detection technology, which comes in the form of intrusion-detection systems (IDS), auditing practices, and file-monitoring programs such as Tripwire.

Detection is important because it represents the last stage in an attack before a system is completely "owned" (that is, completely compromised by an attacker). With proper detection technologies in place, an information system can react automatically to the existence of a malicious presence. For example, if an IDS is set up in parallel with the firewall, and it detects malicious traffic on both sides of the firewall, it can record the data, signal an administrator, and work with the firewall to block the attack by disabling the port on the firewall or restricting access to the attacker's IP address.

In addition to the software/hardware side of detection, the IT staff must take a proactive role in finding anomalies and suspicious activities that were not detected by any automated detection system. This is typically performed by log reviews, internal audits, and due diligence. Without this internal review, the attack and any loss of confidentiality or integrity could go undetected.
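The two-sensor arrangement described above, written out as an added example (it is not code from the guide, and the alert format, sensor names and the dictionary standing in for the firewall's block action are all assumptions): alerts from a sensor outside the firewall and one inside are correlated by source address, and only a signature seen on both sides, meaning the firewall let the traffic through, triggers the notify-and-block response; outside-only alerts are kept for log review.

```python
# Added example: correlate alerts from an IDS sensor outside the firewall
# with one inside it. Sample alerts are constructed; the "block" response is
# a plain dict standing in for a real firewall API (assumption).
import re
from collections import defaultdict

# Constructed sample alerts, one per line: "<sensor> <timestamp> <src_ip> <signature>"
SAMPLE_ALERTS = """\
outside 2003-05-23T10:00:01 192.0.2.10 PORTSCAN
inside  2003-05-23T10:00:03 192.0.2.10 PORTSCAN
outside 2003-05-23T10:00:05 198.51.100.7 WEB-ATTACK
outside 2003-05-23T10:01:10 203.0.113.5 WEB-ATTACK
inside  2003-05-23T10:01:11 203.0.113.5 WEB-ATTACK
"""

ALERT_RE = re.compile(r"^(outside|inside)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_alerts(text):
    """Parse each alert line into (sensor, timestamp, src_ip, signature)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groups())
    return alerts


def correlate(alerts):
    """Group signatures by source IP, keeping track of which sensor saw them."""
    seen = defaultdict(lambda: {"outside": set(), "inside": set()})
    for sensor, _ts, src, sig in alerts:
        seen[src][sensor].add(sig)
    return seen


def decide(seen):
    """Choose a response per source IP.

    A signature seen on both sides means the firewall passed the traffic:
    signal an administrator and block the source. Outside-only alerts are
    recorded for the log review but need no block, since the firewall held.
    """
    actions = {}
    for src, sides in seen.items():
        passed = sides["outside"] & sides["inside"]
        if passed:
            actions[src] = {"notify": True, "block_ip": src, "signatures": sorted(passed)}
        else:
            actions[src] = {"notify": False, "block_ip": None, "signatures": sorted(sides["outside"])}
    return actions


def respond(text=SAMPLE_ALERTS):
    """Run the whole pipeline over a block of alert text."""
    return decide(correlate(parse_alerts(text)))
```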

Recovery

When all else fails, a solid recovery system is of paramount importance. We recommend incorporating your recovery plan—including both the backup procedures and the recovery procedures—into the initial risk-avoidance planning. This should form the foundation on which everything else is built, and brings things full circle. After all, a company could become the victim of a network-based attack as easily as a burglary or natural disaster.

This function includes the key essentials to a solid backup and recovery system. Like the other defining functions, recovery is not just hardware and software. The plan should include procedures for secure offsite storage, a complete checklist for full recovery from various types of disasters, contact lists, and more. In short, a solid recovery plan is a very complex subject, and often requires the support of third parties.

Books and e-Books

UNIX System Security Tools (McGraw-Hill Osborne Media, 1999), by Seth T. Ross, provides an alternative view of security. This UNIX guideline, though a bit old, looks at security from a time when it was a growing field, back when the dotcoms were still making money.