Previous Table of Contents Next


Chapter 24
The Basics of Computer System and Data Network Security

C. Warren Axelrod

Complete security against unauthorized computer access, misuse, and damage is, by all practical measures, not economically feasible. Reducing and limiting such breaches, however, is achievable. This chapter discusses the security functions, avoidance, deterrence, prevention, detection, recovery, and correction, and provides examples of preventive measures in each area of risk.

PROBLEMS ADDRESSED

One primary goal of a computer system and data network security program is to prevent unauthorized access to computer systems and facilities. Another goal, should unauthorized access occur, is to prevent the misuse of, or damage to, computer and network assets. If, despite security precautions, an incident of such unauthorized access causes damage, the data security department should act immediately to recover from the intrusion and to prevent recurrence.

The complete protection of computer systems and data networks has become increasingly complex, expensive, and restrictive as computer systems move from centralized mainframes and minicomputers to distributed client-server architectures and as data networks provide broader access to an exploding population of end users. Consequently, complete protection is seldom economically justifiable. Data center and data network managers must accept some tradeoffs and compromises. Although absolute protection is not feasible, the occurrences of breaches of security and damage to assets can be reduced through careful evaluation of risks and implementation of preventive measures. This chapter brings together fundamental security concepts to provide data center managers and data network managers with an overview of the data security function. Examples of preventive measures are provided for each area of risk discussed.

BASIC SECURITY FUNCTIONS

There are six basic data security functions. The first three — avoidance, deterrence, and prevention — address the organization’s need to control the level of access and limit the distribution of access authority. The last three — detection, recovery, and correction — respond to unauthorized intrusions or destruction of assets.

Avoidance is the elimination of a threat to assets or the removal of assets from potential danger. Deterrence is the discouragement of behavior that threatens computer assets. Prevention is the implementation of measures to protect assets in the event of an attempted security breach.

In response to an attempted or actual security breach, detection is the deployment of means to recognize intrusion or damage and to raise an alarm during the breach. Recovery includes determining the extent of the damage and returning the system to operating condition. Correction is the introduction of new measures or the improvement of existing measures to avoid similar security breaches in the future.

SECURITY VIOLATIONS

Computer systems and data networks must be secured against three types of violations: unauthorized access, misuse, and damage.

Unauthorized access is the gaining of illicit entry — physically or electronically — to the computer facility, the system software, or the data. Misuse is the manipulation of computer and network assets against the interests of the organization, whether or not any damage results. Damage is the adverse modification or destruction of physical or electronic computer and network assets. Damage is essentially an extreme form of misuse, and whether an attempt to misuse a system results in damage is often a matter of chance. Some forms of misuse may leave a computer system or network physically and logically intact but can cause irreparable financial damage to an organization.

Exhibit 1 indicates the type of violation addressed by each security measure. These measures are arranged according to the six basic security functions. The major areas of risk are discussed in the following sections.


Previous Table of Contents Next

Copyright © CRC Press LLC