This semester, Dr. Heather Crawford asked us to write a review about the paper titled “What Is Computer Security?” written by Matt Bishop.
I learned from the article that information security concerns might need more support at the conceptual level rather than the technological level. By classifying requirements, policies and mechanisms, and then categorizing mechanisms further into operational and technical, I can look at information security from a different perspective. The clarification of security requirements in a particular system may make certain policies insignificant while putting some other policies in priority. It may save time and expenses by not investing in unnecessary mechanisms and not jeopardizing users' accessibility to information. For example, the traffic of most peer-to-peer networks cannot easily be classified by layer-3 firewalls. Only an application-layer firewall can classify these types of traffic. An advanced peer-to-peer network user can easily modify the flow signature in order to circumvent these types of firewalls. Therefore, operational policies such as suspension, complemented with network traffic auditing solutions, seem much more appropriate.
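To make the layer-3 versus application-layer distinction concrete, here is an added example (my own illustration, not code from the review or from Bishop's paper). It classifies constructed flow records two ways: once from addresses and ports alone, as a layer-3/4 firewall would, and once from the first payload bytes, as an application-layer device would. The port table, the simplified TLS/HTTP checks and the sample flows are assumptions for the demonstration; the BitTorrent handshake prefix is the protocol's documented one.

```python
"""Added example: contrast a layer-3/4 (port-based) classifier with an
application-layer (payload-based) classifier on constructed flow records."""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the session, as a detector would see them


# Layer-3/4 rule: the only evidence available is addresses and ports.
# (Assumed port-to-label table for the demonstration.)
PORT_LABELS = {80: "http", 443: "https", 6881: "p2p"}


def classify_l3(flow: Flow) -> str:
    """Label a flow from its destination port alone."""
    return PORT_LABELS.get(flow.dport, "unknown")


# Application-layer rule: look for protocol signatures in the payload.
# The BitTorrent handshake starts with length byte 0x13 followed by the
# string "BitTorrent protocol"; the TLS and HTTP checks are simplified.
def classify_app(flow: Flow) -> str:
    """Label a flow from the leading bytes of its payload."""
    p = flow.payload
    if p.startswith(b"\x13BitTorrent protocol"):
        return "p2p"
    if p.startswith(b"\x16\x03"):  # TLS record header: handshake, version 3.x
        return "https"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    return "unknown"


# Constructed sample flows (addresses from documentation ranges).
FLOWS = [
    Flow("10.0.0.5", "93.184.216.34", 443, b"\x16\x03\x01\x00\xc8\x01..."),
    Flow("10.0.0.7", "203.0.113.9", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
    # A peer-to-peer client configured to use port 443: the port rule is fooled,
    # the payload rule is not.
    Flow("10.0.0.9", "198.51.100.4", 443, b"\x13BitTorrent protocol" + b"\x00" * 8),
]


def compare(flows):
    """Return (source, layer-3 label, application-layer label) per flow."""
    return [(f.src, classify_l3(f), classify_app(f)) for f in flows]


def disagreements(flows):
    """Sources whose two labels differ: candidates for the audit queue."""
    return [f.src for f in flows if classify_l3(f) != classify_app(f)]


if __name__ == "__main__":
    for row in compare(FLOWS):
        print(row)
    print("review:", disagreements(FLOWS))
```

The third flow shows why a port-only rule is weak for peer-to-peer traffic. The payload rule catches it only because the handshake bytes are unchanged; since the signature is a fixed pattern, the review's caveat that a determined user can alter the flow signature applies to it too, which is why the disagreement list is best treated as input to auditing and an operational policy rather than as a blocking mechanism on its own.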
As another example, my personal experience shows that no absolute method to secure the intellectual property of software companies exists. From an operational perspective, obfuscation methods and copy-protection features may even make the situation worse by making crackers more motivated to remove the copy-protection features. Therefore it makes more sense to reinforce the legal resources of a company in such situations to protect its intellectual property.
I learned that by investigating how well requirements, policies and mechanisms cover each other, we can define plausible security assurance measurements and have a clearer picture of our system's security in general. As we think of these three main principles in a broader sense, we see that people play a substantial role in gluing these principles together and consequently affect the overall security assurance measurements of the system. In that sense, the effectiveness of the means of communication at different levels of the organization plays an important role.
Personally, as a CRM system supervisor for a few years, I have had so many struggles with my company's managers, advocating the use of different software from different vendors for different jobs in favor of splitting their system into isolated secure subsystems. As our software systems became more heterogeneous and our company grew, more integration between these subsystems was demanded, and most of the time these demands were addressed by insecure methods of file sharing, resulting in sensitive financial information being available on almost every user's desktop. I also had several challenges with IT administrators who would make everything accessible just to get their job done easily, without considering the consequences, simply by adding the administrator role to the user with a permission problem instead of learning how to add well-trimmed access that would both resolve the issue and not compromise overall system security. When I look back at my experiences, I realize that more investment in proper training of both parties would be a key factor in mitigating such inefficiencies.
I also learned at which level of an organization security decisions must be made. Consider operating systems, and OpenBSD as an organization dedicated to creating the most secure operating system. The reasons behind its design decisions are security concerns. These concerns even affected the parallelization strategy for their operating system's network stack, using a BGL instead of the more performance-oriented methods that other modern SMP operating systems use.
The network security appliance market has grown strongly in the last few years and is foreseen to even exceed $11 billion in 2019. In this market, all security companies try to take market share away from competitors. Building buzz around their product is one of the ways they market their products. In that setting, it is hard to decide whether a specific solution or product contributes to the organization's policy and whether that policy contributes to the requirements.