What is “computer security”? When Adrian Bryan and I set out to write our Introduction to System and Network Security course for Learning Tree some years ago, we needed to start with a definition. It served as a sort of goal or guiding light in writing the course materials. The definition is from Simson Garfinkel and Gene Spafford in Practical UNIX & Internet Security: “A computer is secure if you can depend on it and its software to behave as you expect.” [Simson Garfinkel and Gene Spafford, Practical UNIX & Internet Security, Ed. 2 (Sebastopol, CA: O’Reilly, 1996)]. We expanded upon it a bit, though. Here is our version:
A system/network is secure if you can trust the accuracy and confidentiality of the data, and the system behaves as you expect.
The meaning is the same, but we particularly liked the word “trust”. Our definition carries the spirit and meaning of Garfinkel and Spafford’s but it is just a little different.
“Trust” is an important word here, and I plan to come back to it frequently. As alluded to by the definition, a lot of security is about trust. In the real world we trust a lot of people: family, banker, credit card companies, grocery stores and so forth. And that is just the beginning–we trust so many people and things in today’s world that we often don’t even think about it.
Thinking about trust is a big part of the security mindset. Let me give you an example: when I started teaching security courses people would ask “Do you really trust using your credit card on the Internet?”. My answer was often not what they wanted to hear, though, “At least as much as I trust giving my card to a waiter at a restaurant.” The waiter, you see, can put the card behind a piece of paper, run a pencil over it and have all the information he or she needs (if he or she also writes down the security code) to use my card on line and clean me out! To get my card info on the Internet one would need to break into a (hopefully!) secure company server. (By the way, my personal information was stolen and I was a victim of identity theft. We never found the cause. Even though I take a lot of precautions someone got my info. I’ll share more about that later.)
So in technical terms the definition above talks about trusting accuracy and confidentiality of data. In the computer security arena these are called Integrity and Confidentiality. “Behaves as you expect” is a bit broader: it covers not only the integrity of the programs running, but also the Availability of the system. That is, that the system or network is there when you want to use it. We call these terms collectively CIA (Confidentiality, Integrity and Availability), and I will use each a lot as we go forward.