What is Computer/Network Security?
Open any book on the subject, and you will find the following definition of information security (INFOSEC):
- Confidentiality: How is the data protected against unauthorised access?
- Integrity: What measures are in place to preserve data against accidental deletion, mistakes and unauthorised changes? Can the version control, backup and snapshots provide data that's accurate enough if they're needed?
- Availability: Are the information resources available, when needed, to those who are authorised to access them? What happens if your hard drive fails, your computer or device stops working? Are your security measures applied to all your devices? Is your organisation resilient enough to cope with network and server outages?
The above is known as the 'CIA model' - the textbook (and highly abstracted) definition for information security. The principle is that, instead of attempting to make an organisation's network totally secure, information security must be about finding the right balance between all three for a given organisation. The more secure you make something, the less available it becomes. Making something less available could compromise its integrity because it's harder to check and update. The more available something is made, the less confidential it becomes.
There are other reasons why absolute security cannot exist in the real world: Operating systems are highly complex - even I have only an abstract understanding of what each component of an operating system does. No single person could audit every application running on their system, reverse-engineer the proprietary ones to find vulnerabilities, and audit the programming language and existing modules those applications were made from. Few have the expertise to evaluate whatever encryption products we use.
Security vulnerabilities will exist in every computer system, whether they are obvious bugs in an application or obscure defects in the way the operating system manages a hardware resource.
But, of course, we know that our personal computers and devices aren't isolated. We use them to browse the Web, applications are installed on them that interact with various services via the Internet, 'social' media encourages us to actively share our personal information with third parties, and the vast majority of us have every email we send and receive hosted on third-party servers.
Once data is shared over the Internet, we have almost no control over how that data might be shared and used by others, and it can be used in ways we never anticipated.
As Bruce Schneier often points out, information security is ultimately about trust.
What is security about, then? An organisation needs to concern itself not only with preserving confidentiality, but also with things like managing large numbers of user accounts, access control, disaster recovery, business continuity, the integrity of its records and mitigating DDoS attacks. For the individual, computer security is primarily about protecting your data and resources by making it as awkward as possible for an adversary to gain access to them. As I add more pages to this site, I'll describe some of the tools and techniques I've used for real-world situations, and explain why I chose them.