Security is freedom from, or resilience against, potential harm caused by others. Beneficiaries of security may be persons and social groups, institutions, ecosystems or any other entity or phenomenon vulnerable to unwanted change by its environment. Security refers to protection from hostile forces, but it has a wide range of other senses: for example, as the absence of harm; the term is also used to refer to acts and systems whose purpose may be to provide security. The word 'secure' entered the English language in the 16th century; it is derived from Latin securus, meaning freedom from anxiety: se + cura. A security referent is the focus of a security discourse. Security referents may be persons or social groups, institutions, ecosystems, or any other phenomenon vulnerable to unwanted change by the forces of its environment; the referent in question may combine many referents, in the same way that, for example, a nation state is composed of many individual citizens. The security context is the set of relationships between a security referent and its environment.
From this perspective, security and insecurity depend first on whether the environment is beneficial or hostile to the referent, and second on how capable the referent is of responding to its environment in order to survive and thrive. The means by which a referent provides for security vary widely; they include, for example, coercive capabilities, including the capacity to project coercive power into the environment. Any action intended to provide security may have multiple effects. For example, an action may have wide benefit, enhancing security for several or all security referents in the context. Approaches to security are the subject of debate. For example, in debate about national security strategies, some argue that security depends principally on developing protective and coercive capabilities in order to protect the security referent in a hostile environment. Others argue that security depends principally on building the conditions in which equitable relationships can develop, by reducing antagonism between actors, ensuring that fundamental needs can be met, and ensuring that differences of interest can be negotiated effectively.
The table shows some of the main domains. The range of security contexts is illustrated by the following examples: Computer security, also known as cybersecurity or IT security, refers to the security of computing devices such as computers and smartphones, as well as computer networks such as private and public networks and the Internet; the field has growing importance due to the increasing reliance on computer systems in most societies. It concerns the protection of hardware, data and the procedures by which systems are accessed; the means of computer security include the physical security of systems and the security of information held on them. Corporate security refers to the resilience of corporations against espionage, theft and other threats; the security of corporations has become more complex as reliance on IT systems has increased and their physical presence has become more distributed across several countries, including environments that are, or may become, hostile to them. Ecological security, also known as environmental security, refers to the integrity of ecosystems and the biosphere in relation to their capacity to sustain a diversity of life-forms.
The security of ecosystems has attracted greater attention as the impact of ecological damage by humans has grown. Food security refers to the ready supply of, and access to, safe and nutritious food. Food security is gaining in importance as the world's population has grown and productive land has diminished through overuse and climate change. Home security refers to the security systems used on a property used as a dwelling; the concept is supported by the United Nations General Assembly, which has stressed "the right of people to live in freedom and dignity" and recognized "t
A non-disclosure agreement (NDA), also known as a confidentiality agreement, confidential disclosure agreement, proprietary information agreement or secrecy agreement, is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties. The most common forms of these are in doctor–patient confidentiality, attorney–client privilege, priest–penitent privilege and bank–client confidentiality agreements; it is a contract through which the parties agree not to disclose information covered by the agreement. An NDA creates a confidential relationship between the parties to protect any type of confidential and proprietary information or trade secrets; as such, an NDA protects non-public business information. Like all contracts, they cannot be enforced. NDAs are signed when two companies, individuals, or other entities are considering doing business and need to understand the processes used in each other's business for the purpose of evaluating the potential business relationship.
NDAs can be "mutual", meaning both parties are restricted in their use of the materials provided, or they can restrict the use of material by a single party. It is possible for an employee to sign an NDA or NDA-like agreement with an employer. In fact, some employment agreements will include a clause restricting employees' use and dissemination of company-owned confidential information. In legal disputes resolved by settlement, the parties often sign a confidentiality agreement relating to the terms of the settlement. Examples of this kind of agreement are the Dolby Trademark Agreement with Dolby Laboratories, the Windows Insider Agreement, and the Halo CFP with Microsoft. A non-disclosure agreement may be classified as unilateral, bilateral, or multilateral. A unilateral NDA involves two parties where only one party anticipates disclosing certain information to the other party and requires that the information be protected from further disclosure for some reason. A bilateral NDA involves two parties where both parties anticipate disclosing information to one another that each intends to protect from further disclosure.
This type of NDA is common when businesses are considering some kind of joint venture or merger. When presented with a unilateral NDA, some parties may insist upon a bilateral NDA even though they anticipate that only one of the parties will disclose information under the NDA; this approach is intended to incentivize the drafter to make the provisions in the NDA more "fair and balanced" by introducing the possibility that a receiving party could become a disclosing party or vice versa, which is not an uncommon occurrence. A multilateral NDA involves three or more parties where at least one of the parties anticipates disclosing information to the other parties and requires that the information be protected from further disclosure; this type of NDA eliminates the need for separate unilateral or bilateral NDAs between only two parties. For example, a single multiparty NDA entered into by three parties who each intend to disclose information to the other two parties could be used in place of three separate bilateral NDAs between the first and second parties, the second and third parties, and the third and first parties.
A multilateral NDA can be advantageous because the parties involved review and implement just one agreement. However, this advantage can be offset by the more complex negotiations that may be required for the parties involved to reach a unanimous consensus on a multilateral agreement. A non-disclosure agreement can protect any type of information that is not generally known. However, nondisclosure agreements may contain clauses that protect the person receiving the information, so that if they lawfully obtained the information through other sources they would not be obligated to keep the information secret. In other words, the nondisclosure agreement only requires the receiving party to maintain information in confidence when that information has been directly supplied by the disclosing party. However, it is sometimes easier to get a receiving party to sign a simple agreement that is shorter, less complex and does not contain safety provisions protecting the receiver. Some common issues addressed in an NDA include: outlining the parties to the agreement.
Modern NDAs will include a laundry list of types of items which are covered, including unpublished patent applications, know-how, financial information, verbal representations, customer lists, vendor lists, business practices/strategies, etc. The restrictions on the disclosure or use of the confidential data will be invalid if the recipient had prior knowledge of the materials.
Security engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but it has the added dimension of preventing misuse and malicious behavior; those constraints and restrictions are asserted as a security policy. In one form or another, security engineering has existed as an informal field of study for several centuries. For example, the fields of locksmithing and security printing have been around for many years. Recent catastrophic events, most notably 9/11, have made security engineering a rapidly growing field. In fact, in a report completed in 2006, it was estimated that the global security industry was valued at US$150 billion.
Security engineering involves aspects of social science and economics as well as physics, mathematics and landscaping. Some of the techniques used, such as fault tree analysis, are derived from safety engineering. Other techniques, such as cryptography, were previously restricted to military applications. One of the pioneers of security engineering as a formal field of study is Ross Anderson. No single qualification exists to become a security engineer. However, an undergraduate and/or graduate degree in computer science, computer engineering, or information assurance, in combination with practical work experience, best qualifies an individual to succeed in the field. Other degree qualifications with a security focus exist. Multiple certifications, such as the Certified Information Systems Security Professional, are available that may demonstrate expertise in the field. Regardless of the qualification, the course must include a knowledge base to diagnose the security system drivers; security theory and principles, including defense in depth, protection in depth, situational crime prevention and crime prevention through environmental design, to set the protection strategy; and technical knowledge, including physics and mathematics, to design and commission the engineering treatment solution.
All this knowledge must be braced by professional attributes including strong communication skills and high levels of literacy for engineering report writing. Security engineering also goes by the label Security Science. Its sub-fields include information security, which protects data from unauthorized access, disclosure, modification, or disruption of access (see especially computer security); physical security, which deters attackers from accessing a facility, resource, or information stored on physical media, including technical surveillance counter-measures; and the economics of security, which covers the economic aspects of privacy and computer security. Technological advances, principally in the field of computers, have now allowed the creation of far more complex systems, with new and complex security problems; because modern systems cut across many areas of human endeavor, security engineers need to consider more than the mathematical and physical properties of systems. Secure systems have to resist not only technical attacks, but also coercion and deception by confidence tricksters.
According to the Microsoft Developer Network, the patterns and practices of security engineering consist of the following activities: security objectives, security design guidelines, security modeling, security architecture and design review, security code review, security testing, security tuning, and security deployment review. These activities are designed to help meet security objectives in the software life cycle. On the physical side, the core topics are: understanding of a typical threat and the usual risks to people and property; understanding the incentives created both by the threat and the countermeasures; understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility; understanding how to apply the methodology to buildings, critical infrastructure, public transport and other facilities or compounds; an overview of common physical and technological methods of protection and an understanding of their roles in deterrence and mitigation; and determining and prioritizing security needs and aligning them with the perceived threats and the available budget.
Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorised persons. Methods include placing Jersey barriers, stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car and truck bombings, improving visitor management, and installing new electronic locks that take advantage of technologies such as fingerprint scanning, iris or retinal scanning, and voiceprint identification to authenticate users.
In the fields of physical security and information security, access control is the selective restriction of access to a place or other resource. The act of accessing may mean entering or using. Permission to access a resource is called authorization. Locks and login credentials are two analogous mechanisms of access control. Geographical access control may be enforced with a device such as a turnstile. There may be fences to prevent circumventing this access control. An alternative to access control in the strict sense is a system of checking authorized presence; see, for example, a ticket controller. A variant applies, for example, to a shop or a country. The term access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons. Physical access control can be achieved by a human, through mechanical means such as locks and keys, or through technological means such as access control systems like the mantrap. Within these environments, physical key management may be employed as a means of further managing and monitoring access to mechanically keyed areas or access to certain small assets.
Physical access control is a matter of who, where and when. An access control system determines who is allowed to enter or exit, where they are allowed to exit or enter, and when they are allowed to enter or exit; historically, this was accomplished through keys and locks. When a door is locked, only someone with a key can enter through the door, depending on how the lock is configured. Mechanical locks and keys do not allow restriction of the key holder to specific dates or times. Mechanical locks and keys do not provide records of the key used on any specific door, and the keys can be copied or transferred to an unauthorized person; when a mechanical key is lost or the key holder is no longer authorized to use the protected area, the locks must be re-keyed. Electronic access control uses computers to solve the limitations of mechanical keys. A wide range of credentials can be used to replace mechanical keys; the electronic access control system grants access based on the credential presented. When access is granted, the door is unlocked for a predetermined time and the transaction is recorded.
When access is refused, the door remains locked and the attempted access is recorded. The system will also monitor the door and alarm if the door is forced open or held open too long after being unlocked. When a credential is presented to a reader, the reader sends the credential's information (a number) to a control panel, a reliable processor. The control panel compares the credential's number to an access control list, grants or denies the presented request, and sends a transaction log to a database; when access is denied based on the access control list, the door remains locked. If there is a match between the credential and the access control list, the control panel operates a relay that in turn unlocks the door; the control panel also ignores the door-open signal to prevent an alarm. The reader provides feedback, such as a flashing red LED for access denied and a flashing green LED for access granted. The above description illustrates a single-factor transaction. Credentials can be passed around. For example, Alice has access rights to the server room.
Alice can simply hand Bob her credential. To prevent this, two-factor authentication can be used. In a two-factor transaction, the presented credential and a second factor are needed for access to be granted. There are three types of authenticating information: something the user knows, e.g. a password, pass-phrase or PIN; something the user has, such as a smart card or a key fob; and something the user is, such as a fingerprint, verified by biometric measurement. Passwords are a common means of verifying a user's identity before access is given to information systems. In addition, a fourth factor of authentication is now recognized: someone you know, whereby another person who knows you can provide a human element of authentication in situations where systems have been set up to allow for such scenarios. For example, a user may have forgotten their smart card. In such a scenario, if the user is known to designated cohorts, the cohorts may provide their smart card and password, in combination with the extant factor of the user in question, thus providing two factors for the user with the missing credential and giving three factors overall to allow access.
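The reader-to-control-panel transaction described above, written out as a small simulation; this is an added example, not code from the original article or from any access control vendor. The access control list, credential numbers, PINs and door names are constructed sample data, and the schedule windows, relay unlock time and held-open limit are assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta


@dataclass
class Rule:
    """Where and when a credential is valid, and whether the door needs a second factor."""
    door: str
    start: time
    end: time
    second_factor: bool = False


# Constructed access control list: credential number -> (holder, PIN, rules).
# All numbers, names and PINs are invented sample data, not from any real system.
ACL = {
    1001: ("alice", "4821", [Rule("server room", time(8), time(18), second_factor=True),
                             Rule("lobby", time(0), time(23, 59))]),
    1002: ("bob", "7730", [Rule("lobby", time(0), time(23, 59))]),
}


def at(hour, minute=0, second=0):
    """Constructed clock for the sample transactions (a fixed date keeps it deterministic)."""
    return datetime(2024, 1, 1, hour, minute, second)


@dataclass
class Panel:
    """Stand-in for the control panel: decides, logs, and watches the door contact."""
    unlock_seconds: int = 5        # assumed relay unlock time after a grant
    held_open_limit: int = 30      # assumed time a door may stay open before alarming
    log: list = field(default_factory=list)
    relocks_at: dict = field(default_factory=dict)   # door -> time the relay re-locks
    open_since: dict = field(default_factory=dict)   # door -> time the contact opened

    def present(self, credential, door, when, pin=None):
        """Reader forwards the credential number (plus optional PIN); returns the decision."""
        holder = ACL.get(credential)
        rule = next((r for r in holder[2] if r.door == door), None) if holder else None
        if rule is None or not (rule.start <= when.time() <= rule.end):
            decision = "denied"      # unknown credential, wrong door, or outside schedule
        elif rule.second_factor and pin != holder[1]:
            decision = "denied"      # two-factor transaction: the card alone is not enough
        else:
            decision = "granted"
            self.relocks_at[door] = when + timedelta(seconds=self.unlock_seconds)
        self.log.append((when.isoformat(), credential, door, decision))  # transaction log
        return decision

    def door_contact(self, door, opened, when):
        """Door open/close signal. Returns an alarm name, or None if the signal is expected."""
        if opened:
            relocks_at = self.relocks_at.get(door)
            if relocks_at is None or when > relocks_at:
                return "forced open"  # opened while the relay had not unlocked it
            self.open_since[door] = when  # unlocked: the open signal is ignored, not alarmed
            return None
        self.open_since.pop(door, None)
        return None

    def poll(self, door, when):
        """Periodic check: alarm if the door stayed open too long after being unlocked."""
        since = self.open_since.get(door)
        if since is not None and when - since > timedelta(seconds=self.held_open_limit):
            return "held open"
        return None
```

Every decision, granted or denied, lands in `log`, which is the record that mechanical keys cannot provide.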
A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being that enables an individual to access a given physical facility or computer-based information system. Credentials can be something a person knows, something they have, something they are, or some combination of these items; using more than one is known as multi-factor authentication. The typical credential is an access card or key fob, and newer software can turn users' smartphones into access devices. There are many card technologies, including magnetic stripe, bar code, Wiegand, 125 kHz proximity, 26-bit card-swipe, contact smart cards, and contactless smart cards. Also available are key fobs, which are more compact than ID cards and attach to a key ring. Biometric technologies include fingerprint, facial recognition, iris recognition, retinal scan and hand geometry; the built-in biometric technologies found o
Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of confirming that identity; it might involve confirming the identity of a person by validating their identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product is what its packaging and labeling claim to be. In other words, authentication involves verifying the validity of at least one form of identification. Authentication is relevant to multiple fields. In art and anthropology, a common problem is verifying that a given artifact was produced by a certain person or in a certain place or period of history. In computer science, verifying a person's identity is required to allow access to confidential data or systems.
Authentication can be considered to be of three types. The first type of authentication is accepting proof of identity given by a credible person who has first-hand evidence that the identity is genuine. When authentication is required of art or physical objects, this proof could be a friend, family member or colleague attesting to the item's provenance by having witnessed the item in its creator's possession. With autographed sports memorabilia, this could involve someone attesting that they witnessed the object being signed. A vendor selling branded items implies authenticity, while he or she may not have evidence that every step in the supply chain was authenticated. Centralized authority-based trust relationships back most secure internet communication through known public certificate authorities. The second type of authentication is comparing the attributes of the object itself to what is known about objects of that origin. For example, an art expert might look for similarities in the style of painting, check the location and form of a signature, or compare the object to an old photograph.
An archaeologist, on the other hand, might use carbon dating to verify the age of an artifact, do a chemical and spectroscopic analysis of the materials used, or compare the style of construction or decoration to other artifacts of similar origin. The physics of sound and light, and comparison with a known physical environment, can be used to examine the authenticity of audio recordings, photographs, or videos. Documents can be verified as being created with ink or on paper available at the time of the item's implied creation. Attribute comparison may be vulnerable to forgery. In general, it relies on the facts that creating a forgery indistinguishable from a genuine artifact requires expert knowledge, that mistakes are made, and that the amount of effort required to do so is greater than the amount of profit that can be gained from the forgery. In art and antiques, certificates are of great importance for authenticating an object of interest and value. Certificates can, however, be forged, and the authentication of these poses a problem of its own.
For instance, the son of Han van Meegeren, the well-known art forger, forged the work of his father and provided a certificate for its provenance as well. Criminal and civil penalties for fraud and counterfeiting can reduce the incentive for falsification, depending on the risk of getting caught. Currency and other financial instruments use this second type of authentication method. Bills and cheques incorporate hard-to-duplicate physical features, such as fine printing or engraving, distinctive feel and holographic imagery, which are easy for trained receivers to verify. The third type of authentication relies on documentation or other external affirmations. In criminal courts, the rules of evidence require establishing the chain of custody of evidence presented; this can be accomplished through a written evidence log, or by testimony from the police detectives and forensics staff that handled it. Some antiques are accompanied by certificates attesting to their authenticity. Signed sports memorabilia is accompanied by a certificate of authenticity.
These external records have their own problems of forgery and perjury, and are vulnerable to being separated from the artifact and lost. In computer science, a user can be given access to secure systems based on user credentials that imply authenticity. A network administrator can give a user a password, or provide the user with a key card or other access device to allow system access. In this case, authenticity is implied but not guaranteed. Consumer goods such as pharmaceuticals and fashion clothing can use all three forms of authentication to prevent counterfeit goods from taking advantage of a popular brand's reputation. As mentioned above, having an item for sale in a reputable store implicitly attests to it being genuine, the first type of authentication. The second type of authentication might involve comparing the quality and craftsmanship of an item, such as an expensive handbag, to genuine articles. The third type of authentication could be the presence of a trademark on the item, a protected marking, or any other identifying feature which aids consumers in the identification o