CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [13]
As a computer security professional, you have to understand all of these concerns. You have to know that a great deal is expected of you but few users want to be hassled or inconvenienced by the measures you must put in place. You have a primary responsibility to protect and safeguard the information your organization uses. Many times that means educating your users and making certain they understand the “why” behind what is being implemented.
Security is a high-growth area in the computer industry, and it has been for several years now. The need for qualified people is increasing rapidly, as a search of job boards will quickly illustrate. Your pursuit of the Security+ certificate is a good first step in this process. Security+ is not the only security certification on the market, and it is not even the only entry-level certification available to you. It is, however, the only one to truly focus on the topics that most think of when security comes to mind. To pass it, you must have a broad knowledge of all the different types of security mentioned in the first paragraph.
In this chapter, I’ll discuss the various aspects of computer security as they relate to your job. I will introduce the basics of computer security and provide several models you can use to understand the risks your organization faces. Not stopping there, I will also present steps you must take in order to minimize those risks.
Understanding Information Security
Information security narrows down the definition of security. The term information security covers a wide array of activities in an organization. It includes not only the products, but also the processes used to prevent unauthorized access to, modification of, and deletion of information. This area also involves protecting resources by preventing them from being disrupted by situations or attacks that may be largely beyond the control of the person responsible for information security.
From the perspective of a computer professional, you’re dealing with issues that are much bigger than protecting computer systems from viruses. You’re also protecting an organization’s most valuable assets from people who are highly motivated to misuse those assets. Fortunately, most of them are outsiders who are trying to break in, but some of these people may already be inside your organization and discontented in their present situation. Not only do you have to keep outsiders out, but you have to be prepared for the accountant who has legitimate access to files and wants to strike out because he did not get as good a performance review as he thought he should.
Needless to say, this job isn’t getting any easier. Weaknesses and vulnerabilities in most commercial systems are well known and documented, and more become known each day. Your adversaries can use search engines to find vulnerabilities on virtually any product or operating system. To learn how to exploit the most likely weaknesses that exist in a system, they can buy books on computer hacking, join newsgroups on the Internet, and access websites that offer explicit details. Some are doing it for profit or pleasure, but many are doing it just for the sheer thrill of it. There have been many glamorized characters on television and in movies who break into computer systems and do things they should not. When was the last time you saw a glamorized security administrator on such a show? If you make things look fun and exciting, there is some part of the audience that will attempt it.
Compounding matters, in many situations you’ll find yourself constantly dealing with inherent weaknesses in the products you use and depend on. You can’t count on the security within an application