Techniques for Evaluating the Security of Computer Systems
As we progress through the technology age, our reliance on computers seems to increase exponentially. Activity that was once thought risky – such as online banking – is now considered by many to be commonplace. Much of this increased activity comes from the belief that computer systems are relatively safe.
Yet, as past shows, computer systems are not as safe as we would like to believe. Even supremely secure organizations – such as the NSA or FBI – have been the subject of successful attackers. Therefore, if even the most expert security professionals struggle with protection, what hope is there for lay individual users?
This article aims at answering such question by addressing key issues of computer security, while also noting techniques that both the professional security practitioners and lay individual user alike can use in evaluating the strength of their security system.
The Unique Characteristics of Computer Security
Computer security differs from its counter-parts of science and engineering in two fundamental ways.
The first is malicious intent, which seems to be at the foundation of computer security. Security methods were first implemented in order to prevent malicious attacks; therefore it is key that the strength of security systems is built upon the consideration of potential attacker’s knowledge, purpose, sophistication of tools, and damage potential.
The second difference can be referred to as time dependence. Time dependence is a major aspect of computer security due to the speed of technological advancement. With advancement, attacker’s techniques become more refined and progressive. Thus, something that may be considered ultra secure today may be flawed and archaic five years later.
As a whole, it is best to consider computer security as dynamic, for it will always be necessary to alter and change components in response to the two aforementioned characteristics. Considering this, open challenges or contests can be utilized in addressing the unique characteristics of computer security.
Examining Open Challenges or Contests
The use of challenges to establish security has been used and criticized in the past. Much of this criticism has been directed towards inconsistent rules or questions of sustainability. Such concerns are valid, but it is important to note that experts have taken this criticism and used it to create a new framework built upon:
It is key to note that this framework should not be used on its own, but rather in conjunction with traditional techniques, such as analysis or verification.
The Importance of Conducting Vulnerability Analysis of a System
Vulnerability analysis plays an important part in establishing secure computer systems, for it can not only evaluate a system’s effectiveness, but also forecast that of the future.
Yet, it should be noted that such beneficial identification comes only if vulnerability analysis is properly conducted. Therefore, in order to take full advantage, it is important to perform a methodical procedure that covers the following areas:
Considering the progressive nature of attacking methods, it is important that this procedure is done in an almost cyclical fashion so that potential vulnerabilities or improvements can be internally identified prior to an attack.
Qualitative or Quantitative?
Current security evaluation techniques consist of either qualitative or ad-hoc measurement. Qualitative measurements include things such as security certification standards, while ad-hoc involves through penetration testing or auditing.
While such evaluation methods are generally strong, there seems to be something missing: quantitative measurement. With quantitative measurement comes granular data that can be used in a forward manner, allowing for individuals to analyze their security systems in real time. The result then, is not a sole reliance on quantitative data, but rather using such as a way to strengthen their system by utilizing the benefits of qualitative, quantitative or ad-hoc.
Checklists are helpful in identifying vulnerabilities, especially for multi-faceted organizations. The goal with checklists is to establish a set of cyber security controls so that even lay individual users can monitor their system’s level of safety (thus, it can essentially be thought of as a to-do list of security procedures).
Lists are often personalized to fit each organization’s specific needs, but generally checklists address concerns referencing personnel security, physical security, account management, confidentiality, disaster recovery, security education, and compliance and audit.
As aforementioned, computer security is a dynamic process. Without consistent monitoring comes opportunities for potential attacks. Therefore, any of the tips mentioned above should not be viewed as a panacea, but rather as a solid foundation upon which a supreme computer security system can be established.