In the early days of computers, computer security was understood as ensuring the correct configuration of hardware and software. Over time, the functionality and purpose ofcomputers changed. Computers became interconnected and networked. Computer security had to change. The term computer security is therefore interchangeable and reflects the current technological world.
Today, companies are completely reliant on computers and information systems (IT) for all areas of their business. This dependency on IT systems means the risks are considerably bigger than for computers and networks in private households where the computer is used for personal use and often replaces audio devices and television. information security is therefore strategically focused on within companies. There are additionally corresponding obligations which are derived from the various laws throughout the German-speaking area.
Information security is an important component of risk management. International regulations such as the Sarbanes-Oxley Act or ⇒PCI compliance play an important role to ensure that a base level security standard is adhere to.
Threats
Errors in computer or information security can have the following consequences:
- Technical system failure
- System abuse (Intentional and/or negligent)
- Sabotage
- Espionage
- Fraud and theft
Attack Vectors
These threats can be brought about by the following:
- Incorrect or inappropriate use by staff.
- Computer viruses, Trojans and Worms. (collectively referred to as malware)
- Spoofing, phishing and pharming (faking a false identity)
- Denial of service attacks
- Man-in-the-middle attack or snarfing
- Social engineering
Viruses, Worms, Trojans
While in the corporate environment a whole range of computer security layers are considered, many private users understand the term “computer security” as primarily the protection against viruses and are undifferentiated against hacking. The original computer viruses were quite harmless and served to primarily highlight weaknesses in computer systems. It didn’t take long to realise that viruses are capable of much more. This kicked of a rapid phase of virus development and malicious capabilities from the simple deletion of files, spying of data (passwords, credit card information, bank data) to the remote access of a computer (backdoor, Trojan). Meanwhile, there are various kits on the Internet, which provide all the necessary components and guides for the simple programming of a virus. Last but not least, criminal organizations covertly place viruses on PCs to use them for their own malicious purposes. This is how huge ⇒Botnets were created.
Attacks and protection
An attack on a computer system means any action whose consequences or purpose is a loss of privacy or data security. Technical failure could also be considered as an attack under this definition. Security can be divided into either statistical or absolute security.
Statistical Security: A system is said to be secure if the cost of penetrating the system is greater than the resulting benefit to the attacker. The hurdles for a successful break-in must be as high as possible to reduce the risk.
Absolute security: A system is absolutely safe if it can withstand every conceivable attack. Absolute safety can only be achieved under special conditions. The work with such a system is massively limited by special access control, no networking, and physical security (nuclear power plant).
Activities
When creating a security concept, the measures to protect these assets must be proportionate to the value placed on them. Too many measures entail excessive financial, organizational and / or personnel expense. Furthermore, accountability issues arise when employees are not sufficiently involved in the IT security process. On the opposite side of the spectrum, implementing too few measures leaves systems vulnerable to attackers who can then easily take advantage of this.
The lack of computer security is a multi-layered threat that can only be answered by a sophisticated defense. Buying software is not a substitute for judiciously analyzing the risks and implementing possible measures to counter these threats.