Subtitles of the Movie

During this first part of our course, we're going to talk about basic security principles and terms. Now, the reason I think it's important for you to learn these basic principles and terms is that we can start out on a level playing field. We can start from scratch. Even those of you who have had a little bit of work in the security field or have heard these terms and maybe know what some of them are, maybe you don't know what some of the origins are and maybe you have never been fully explained to what some of these terms have meaning with in context of security. And there are also those of you out there who may have never heard these terms before. So we're going to start out with a basic set of knowledge, these basic principles and terms and we're going to talk about each one of them in depth and if you're a new user to security or a computer user who's just getting into the world of security, then these are going to be some new things that will help you later on down the road if you learn them well. First we're going to talk about the concept of security in functionality and why sometimes those two concepts are at odds with each other. Then we're going to look at something popularly known as the CIA Triad and talk about why it's very important in terms of designing our security mechanisms. We'll also look at authentication and authorization; two things that aren't the same thing but they go hand in hand. We'll also look at the concepts of having a security clearance and a need to know and why those two things are important as far as access control goes. We'll also look at accountability and auditing and why those two things are important in determining if our security policies and mechanisms are working or not. Then we'll take a look at lease privilege and separation of duties, two other security concepts that are important to know. First let's take a look at security in functionality. Now, earlier operating systems were developed with functionality in mind, not security so one of the examples I could give you would include such as Windows 3.1, Windows 95 or even Windows 98. You see, in what I like to call the old days, computer users wanted to be able to perform more functions on the computers than they had in the previous versions and in order to market computers to the general populace, functionality was emphasized, often at the expense of security, but also because a lot of things that we know now about security we didn't know back then. A hacker might have been one or two, you know, really smart people at a university. There wasn't hacker tools out there like there are now for the average 14-year old to hack into your network. So they weren't very prevalent. So security wasn't really thought of in terms of being important. Now unfortunately, as we all know, times have changes, of course, and security has become far more important. There's more security and hacking tools out there than you can imagine and the average 14-year old can come by your house and steal your wireless network. Now, as far as the two concepts being at odds, security and functionality are often at odds because generally the rules is the more something is secure, the less functional it is and vice-versa. The reason this is is in order to make something more secure, you have to take away functionality in general. For example, users who are not used to logging on with a user name and password at all might find it to be a little less functional or a little less friendly when they suddenly have to meet the requirement of logging on with a user name and password. Or over time, having to log in with a password that increases in size, such as two digits today and maybe eight digits tomorrow. Now, as I said, security and functionality are often at odds, but they're also in a constant trade-off. You have to decide which do you need more of, security or functionality? A couple of examples I could give you, for example, include complex passwords or easy passwords. A lot of users don't like the complex passwords and they find them difficult to remember. So unfortunately, they may write them down on little stickies and put them under their keyboards. That actually reduces security. Another example might be remote connections. A lot of people are going more and more to use VPNs to access their company networks remotely. Well, in the old days, all you had to do was dial up, maybe put a password, maybe not, but the point is those actions have increased in complexity and increased in security, so now the requirements are a little bit more strict and functionality has lessened a little bit. At least that's the appearance. Now, security and functionality don't have to always be at odds. They can both coexist because each of them has their merit. You can't really have a system that's completely secure because it probably wouldn't even be plugged in or turned on. So it wouldn't be functional at all. And on the other end of the spectrum, you can't have a system that does every single thing you want because then you probably wouldn't have to log in at all and you wouldn't have to use any security mechanisms. So you've got to find a happy medium and that's really what it's all about, what the trade-off is about; security versus functionality. So you might ask the question, how much do I need of each one of them? Well, the answer is unfortunately, as we often see in security, it depends. Security is based on different factors and so is functionality. There's different things that you have to factor in when you're talking about how secure to make something. For example, the computer that you're used to play Internet games with head-to-head with someone else may not necessarily have to be as secure as the computer system, for example, that our government uses to launch missiles. So there's a little bit of a criticality of data question there. How critical is the data that you're trying to protect? How critical is the system? That's something you might want to ask yourself. Also, there's a cost involved. With security, there's always a little bit of a cost involved, especially if you're using some of the newer technologies such as PKI and biometrics to protect yourself. So cost is a factor. The computing environment and infrastructure are also factors. In a banking environment, for example, where there are high-dollar transactions involved, you definitely want to keep a secure environment over, let's say, maybe a small mom and pop type of a business that only has three computers. So the environment's a little bit different so the security requirements are going to be a little bit different and so are the functionality requirements. The bottom line is that security and functionality don't have to be mutually exclusive. You're going to have to look at your network and your computer systems and determine how much of each you really need. Do you really need to lockdown the computers to the extent that not many people can use them effectively or they hinder the work or do you also want to go ahead and make them as functional as possible but have no computer security whatsoever and leave holes in the system? You don't want to do either one, so you're going to have to find a happy medium based upon your environment. nd leave holes in the system? You don't want to do either one, so you're going to have to find a happy medium based upon your environment.