Secure and Architecture and Models - Essay Example

Secure and Architecture and Models Secure is a term used to describe a situation that is free from harm and is not exposed to any danger.in computer world secure is simply the state of the computer and other computer related devices are free from interruption risks, internal or external unauthorized entry and access and infections[Dav10]. Architecture is the process of defining a set of structured solutions and decisions that meet all the operational and technical requirements in an organization while optimizing common quality elements and attributes[Kat03]. The important part of the architecture is the structural nature. Models are clearly anything that is used as a structure to represent another thing. Models are used to represent a blueprint of an intended project or idea[Dav10]. Models provide an overview and a simpler way of expressing complex process or ideas. System components These are element or parts that are jointly connected to develop a system. Different Components usually perform different functions in a system. A good example is the computer system components. The computer system component comprises of the input devices, output devices, backing stores, and the central unit[Dav10]. All the components have different features and perform different functions. Because of this reason, all have different security prevention measures. The system components should be compatible with each other in order to work together as a system, this means that the developers has to generate ways to get the components compatible are a middleware of networks to link the components to each other to allow communication. This architecture brings about the normal functioning of a computer system. Common criteria (CC) This is the set of nationally and internationally recognized operational and technical configurations and standards that allow for security evaluations of Information Technology (IT) technology and products[Kat03]. The individual set of common criteria technical standards or configurations developed for a particular product or technology is qualified as a protection profile[Dav10]. These are security frameworks that govern the standardized interoperability of technology and products as far as security are concerned. These standards are enforced by the international community through the Common Criteria Recognition Arrangement (CCRA). The hierarchical security framework Common Criteria Evaluation and Validation Scheme (CCEVS) are used to effectively evaluate and implement the security concepts and terminology according to the Common Criteria standards[Kat03]. The creation of the Common Criteria paradigm involves the following steps; Identify a Target of Evaluation (TOE) Develop a set of Security Targets (ST) After building there is the act of applying the Common Criteria[Kat03]. These sections include; Introduction and General Models Security Functional Requirement Security Assurance Requirement ITSEC This is the Information Technology Security Evaluation Criteria[Kat03]. This is a standardized body that evaluates the security technicalities in the Information Technology field. Information Technology plays a vital role in almost all departments and sections, in an organized society. This, therefore means, security will be an essential aspect of Information Technology[Jim02]. Information Technology security will, therefore, be integrated into three parts, Integrity- this is the prevention of unauthorized information modification; Confidentiality- this is the prevention of unauthorized information disclosure; Availability- this is the prevention of the unauthorized resources or information withholding. For an information Technology system to uphold the above mentioned requirements and aspects it will have to implement a wide range of technical security measures usually referred to as the security enforcing functions, This will in turn bring about the issue of assurance. Most users if not all need confidence in the system, and this will only be attained by assuring them of the security of the system is good, by providing them with a yardstick to use in comparing the system security capabilities and what they need. Such evaluation and requirement of a system by the user require an existence of certified body that has well defined security evaluation criteria to justify the evaluation of the systems and products. This always involves impartial assessment of some kind by the body[Kat03]. After this rigorous process of assessment, the product or system is accredited a pass of attaining some levels of quality assurance, and this means that the product can be accepted for use in a certain environment. TCSEC This is Trusted Computer System Evaluation Criteria, originally published and used to evaluate products by the US Department of Defense[Jim02]. It was developed to enhance security protection by providing a yardstick for evaluation of an effective system security, as a procurement standard, as a guide for system developers. In the process, two main requirements were pointed out in relation to secure processing[Jim02]; Assurance requirement; Specific security features requirement. These requirements enable personnel evaluation to determine whether the required features are included and are functioning as specified or intended[Jim02]. These evaluation criteria are imposed on a set of components consisting a trusted system, so not all components are evaluated individually. There are so many government agencies that offer the same kind if services in the Information Technology sector. Examples of these agencies are the “Orange Book” which is the TCSEC in the US, and then there is the “Green Book”, which is the, Department of Trade and Industry (DTIEC), proposed for the commercial products in Information Technology security[Jim02]. Also, there is the CESG Memorandum Number 3 (CESG3), in the UK, developed for use by the government. In France, there is the existence of a body called SCSSI also known as “Blue-White-Red Book”. The Germans also have the German Information Security Agency publishing their own evaluation criteria known as ZSIEC. Most industries did not advocate for individual security criteria whose approaches and basic concepts are the same in different countries, and most industries noticed that they would gain by jointly bringing these countries together, so it was decided unanimously that it is better to use the US TCSEC after putting all the security agencies in a structured and consistent perspective[Jim02]. Cyber terrorism This is an unlawful act in the cyberspace[Böt02]. This generally involves attacks through the internet. These attacks pose a threat to the modern society in three categories; Hackers- a small group or single persons who search for security system leaks and lock themselves into databases, websites and other sorts of networks. An example of this are the “Electrohippies”, they conducted web sit-ins in Seattle in 1999 against the WTO site, attacks like this are annoying, and may even cause financial losses to the site, but they are not acts of terror because in the real sense, they are not supposed to create fear or cause physical damage to people. Another category is the criminals who gain financially from the use of their information technology knowledge[Böt02]. They hack into commercial website and intercept a client credit card data, and use it to take money out of cash dispensers or use it to pay large bills. The last category is attacks specifically intended to cause as much destruction and damages to organizations. An example is the attack of February 2000 that struck yahoo, CNN and eBay through a determined denial-of-service. This attack caused an estimate of one billion $ lose[Böt02]. References Dav10: , (David Kim, 2010), Kat03: , (Wallace, 2003), Jim02: , (Jim Alves-Foss, 2002), Böt02: , (Böttler, 2002), Read More