Computer security - Techniques for creating secure systems
The following techniques can be used in engineering secure systems. These techniques, whilst useful, do not of themselves ensure security. One security maxim is "a security system is no stronger than its weakest link".
- Automated theorem proving and other verification tools can enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.
- Thus simple microkernels can be written so that we can be sure they don't contain any bugs, e.g. EROS[1] and Coyotos[2].
- A bigger OS, capable of providing a standard API like POSIX, can be built on a microkernel using small API servers running as normal programs. If one of these API servers has a bug, the kernel and the other servers are not affected, e.g. Hurd.
- Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that data exchanged between systems can be intercepted or modified.
- Strong authentication techniques can be used to ensure that communication end-points are who they say they are.
- Secure cryptoprocessors can be used to leverage physical security techniques into protecting the security of the computer system.
- Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system's designers.
- Mandatory access control can be used to ensure that privileged access is withdrawn when privileges are revoked. For example, deleting a user account should also stop any processes that are running with that user's privileges.
- Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. The next sections discuss their use.
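The chain-of-trust item above can be made concrete with a short sketch. This is an added example, not code from the original article: it assumes pinned SHA-256 digests stand in for the designers' signatures, and the stage names and images are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes                # the code this stage runs
    next_digest: Optional[str]  # pinned digest of the stage it may load (None = last)

    def measured(self) -> bytes:
        # Cover the pin as well as the code, so neither can be swapped on its own.
        return self.image + b"|" + (self.next_digest or "").encode()

def build_chain(images):
    """Designer side: pin each stage back to front; return (root_digest, stages)."""
    stages, next_digest = [], None
    for name, image in reversed(images):
        stage = Stage(name, image, next_digest)
        next_digest = digest(stage.measured())
        stages.insert(0, stage)
    return next_digest, stages

def verify_chain(root_digest, stages):
    """Loader side: return (True, None), or (False, name of the first stage rejected)."""
    expected = root_digest
    for stage in stages:
        if expected is None or not hmac.compare_digest(digest(stage.measured()), expected):
            return False, stage.name  # stop: nothing past this point is loaded
        expected = stage.next_digest
    return True, None

# Constructed sample images; real ones would be firmware, kernel and userland binaries.
ROOT, CHAIN = build_chain([
    ("bootloader", b"bootloader v1"), ("kernel", b"kernel v1"), ("init", b"init v1"),
])

def with_modified(index, new_image):
    """Copy of CHAIN with one stage's code replaced but its pin left intact."""
    stages = list(CHAIN)
    stages[index] = Stage(stages[index].name, new_image, stages[index].next_digest)
    return stages

if __name__ == "__main__":
    print(verify_chain(ROOT, CHAIN))
    print(verify_chain(ROOT, with_modified(1, b"kernel v1 (modified)")))
```

Only the root digest has to be stored somewhere an attacker cannot rewrite; every later stage is checked against a pin that was itself already verified.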
Some of the following items may belong to the computer insecurity article:
- In a production system, when an application provides no way to patch already known security flaws, don't use it, or use another one (at least until the fix is available). Publicly known flaws are the main entry point used by worms to automatically break into a system and then spread to other systems connected to it. The security website Secunia provides a search tool for unpatched known flaws in popular products.
- Backups are a way of securing your information; they are another copy of all your important computer files kept in another location. These files are kept on hard disks, CD-Rs, CD-RWs, and tapes. Backups can be kept in a multitude of locations; some of the suggested places would be a fireproof, waterproof, and heat-proof safe, or a separate, offsite location from the one in which the original files are kept. Some individuals and companies also keep their backups in safe deposit boxes inside the vaults of banks. There is also a fourth option, which involves using one of the companies on the Internet that back up files for both businesses and individuals.
- Backups are also important for reasons other than security. Natural disasters, such as earthquakes, hurricanes, or tornadoes, may strike the building where the computer is located. The building may catch fire, or an explosion may occur. There needs to be a recent backup at an alternate secure location in case of such a disaster. The backup needs to be moved between the geographic sites in a secure manner, so as to prevent it from being stolen.
- Anti-virus software deletes or quarantines viruses on your computer, in essence protecting you against viruses. Once installed, this software needs to be updated regularly, as new viruses are created daily. A few things are important in any antivirus software: one should look for a good detection rate, compatibility with your system, ease of use, and the ability to update.
- Firewalls are hardware and/or software components that protect computers from intruders. The firewall will not allow anything to enter your computer without the correct markings. All networks require a firewall to keep out people and files that are hazardous to the system.
- Access authorization is a way of protecting your computer by using authentication systems, so you know who is trying to get in. This system would allow only those with authorized access into certain areas of the computer or to open certain files. There are many methods of detecting one's identity. The most commonly used are passwords or identification cards; however, as technology advances, more methods are becoming common, such as smart cards or biometrics, for example with fingerprints.
- Encryption is used to protect your message from the eyes of others. It can be done in several ways: by switching the characters around, replacing characters with others, and even removing characters from the message. These have to be used in combination to make the encryption secure enough, that is to say, sufficiently difficult to crack. Public key encryption is a refined and practical way of doing encryption. It allows, for example, anyone to write a message for a list of recipients, and only those recipients will be able to read that message.
- Intrusion-detection systems can scan a network for people who are on the network but should not be there, or who are doing things that they should not be doing, for example trying a lot of passwords to gain access to the network.
- Social engineering awareness - Keeping yourself and your employees aware of the dangers of social engineering and/or having a policy in place to prevent social engineering can reduce successful breaches of your network and servers.
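The intrusion-detection item above gives password guessing as its example; the following sketch shows that check as a sliding-window count of failed logins per source. It is an added example, not part of the original article: the log format, addresses, threshold and window are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified, constructed log format (an assumption, not a real daemon's exact output).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def detect_password_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source that produces `threshold` failed logins within `window`."""
    recent = defaultdict(deque)  # source -> (timestamp, user) of failures still in window
    alerted, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or m["result"] != "Failed":
            continue  # ignore successes and lines we cannot parse
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        failures = recent[src]
        failures.append((ts, m["user"]))
        while ts - failures[0][0] > window:  # drop failures older than the window
            failures.popleft()
        if len(failures) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "failures": len(failures),
                "users": sorted({user for _, user in failures}),
                "first": failures[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts

# Constructed sample: a fast burst, one mistyped password, and a slow trickle.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{s:02d} sshd: Failed password for {u} from 203.0.113.7"
     for s, u in [(1, "root"), (4, "admin"), (7, "root"),
                  (10, "test"), (13, "root"), (16, "admin")]]
    + ["2024-05-01T10:01:00 sshd: Failed password for alice from 198.51.100.20",
       "2024-05-01T10:01:20 sshd: Accepted password for alice from 198.51.100.20"]
    + [f"2024-05-01T10:{m:02d}:00 sshd: Failed password for bob from 198.51.100.99"
       for m in (5, 15, 25, 35, 45)]
)

if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

The five failures spread over forty minutes from 198.51.100.99 stay under the threshold, which shows the limit of a fixed window: slow guessing needs a longer window or a per-account count as well.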
Adapted from the Wikipedia article "Techniques for creating secure systems", under the GNU Free Documentation License. Please also see http://en.wikipedia.org/wiki