Show notes for Episode 0
April 18, 2008

What is security? My definition of security is the art and science of risk management. Things are going to go wrong; the world is an imperfect place. Computer security is all about the prevention of things going wrong that you can prevent, and the minimization of damage when things go wrong beyond your control. According to ISC2, there are 10 areas or domains of security:
- Access Control
- Application Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security and Risk Management
- Legal, Regulations, Compliance and Investigations
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security
However, in the broader scale, I break these down into four major areas:
- Policy - Anticipating and planning for what to do when things go wrong. As the name implies, this is a definition of acceptable use of your network and computers.
- Security Engineering - Putting the tools in place to [hopefully] prevent or at least detect when things go wrong. This is the securing of your network and computers therein. This is what I refer to as the “wrench work”. These are the measures that the system administrator and the security engineer put in place to satisfy the policy requirements and IA findings.
- Information Assurance - Reviewing the policy and Security Engineering steps to ensure that they are adequate to protect your investment when things go wrong. IA is the assurance of data confidentiality, integrity and availability. This is the measure of the effectiveness of the defenses in place, and recommendations for improving these defenses.
- Forensics - Figuring out why things went wrong. The art and science of data recovery and reconstructing crime scenes. Sort of like CSI, but nowhere near as sexy.
The other domains are the support infrastructure of the areas noted above. For the typical home Linux user, IA and Policy are implied; however, we will be taking a look at them in future podcasts.

There is no such thing as complete security. I’ve often stated that security times usability is a constant. To get a truly secure system, you need to unplug it from the network, remove power, pack it in concrete and fire it into the sun. But then it isn’t very usable, is it? That said, your threat environment should dictate your security posture. You generally don’t see Mayberry-style small-town police forces toting automatic weapons and anti-aircraft missiles. By the same token, a sling and stones haven’t worked in a combat environment since David’s time, and he had God’s help.

When planning security, one of the watchwords is “Defense in Depth”. What does this mean? Well, it means that you should not depend on one method to detect or defend against an attack. In fact, you should have interlocking defenses. If one method fails or is defeated, this should trip another one.