Basic Model for Cybersecurity

In this article we’ll take a look at the basic model for cybersecurity.

Cybersecurity is like an onion: it’s made up of layers. At the center is the device itself, or target, if you will. The device may be either a general purpose computer, as in the case of most information technology applications, or a special purpose computer, as in the case of industrial control systems or avionics, collectively known as cyber physical systems. Access control may be considered the first layer of cybersecurity enclosing the device. Access control concerns both physical and virtual access to the device.

Physical access controls concern not only physical security measures protecting the device, but also who is allowed to handle it and what can be put into it, either hardware or software.

Virtual access controls establish resource rights and privileges determining the amount of change a runtime entity is authorized to make. A user account is one common example. Restricting the amount of memory allocated to a computer process is another example.
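The memory restriction mentioned above can be shown on a POSIX system with a per-process resource limit. This is an added example, not part of the original article; it assumes Linux, and the function name `run_with_memory_cap` and the 512 MiB cap are illustrative choices.

```python
import resource
import subprocess
import sys

MIB = 1024 * 1024


def run_with_memory_cap(alloc_bytes, cap_bytes=512 * MIB):
    """Start a child process under an address-space cap and let it try to
    allocate alloc_bytes. Returns "ok" if the allocation succeeded and
    "denied" if the operating system refused it."""

    def apply_cap():
        # Runs in the child after fork() and before exec().
        # Both the soft and the hard limit are lowered, so the child
        # cannot raise the cap again once it is running.
        _, hard = resource.getrlimit(resource.RLIMIT_AS)
        if hard == resource.RLIM_INFINITY:
            cap = cap_bytes
        else:
            cap = min(cap_bytes, hard)
        resource.setrlimit(resource.RLIMIT_AS, (cap, cap))

    # Constructed workload: the child only tries to allocate a buffer.
    child_code = (
        "import sys\n"
        "try:\n"
        f"    buf = bytearray({alloc_bytes})\n"
        "except MemoryError:\n"
        "    sys.exit(3)\n"
        "sys.exit(0)\n"
    )
    proc = subprocess.run([sys.executable, "-c", child_code],
                          preexec_fn=apply_cap)
    return {0: "ok", 3: "denied"}.get(proc.returncode,
                                      f"error:{proc.returncode}")


if __name__ == "__main__":
    print("1 MiB request:  ", run_with_memory_cap(1 * MIB))
    print("1024 MiB request:", run_with_memory_cap(1024 * MIB))
```

The limit is enforced by the kernel on the child process, so the restricted program cannot bypass it from its own code.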

System monitoring may be considered the next layer of cybersecurity. At the very least, most devices can keep an audit trail of who made what changes to the system. These can be helpful for validating system security or investigating suspected breaches. Intrusion detection and protection systems provide real-time monitoring of system performance, and warn or take corrective action when anomalous behavior is spotted. If the device is connected to the Internet, then screening is most likely in place to block traffic from bad places and remove traffic with malicious or unauthorized content.

The outer layer in which all other layers are embedded is security policy. The policy layer shapes all other layers. Security policy is based upon risk management. That is because there is no absolute security and all security costs money. We’re not just talking purchase costs. We’re also talking about operation costs. As security measures are designed to prevent unauthorized access and use, they also impede authorized access and use. The result is time delays that translate into cost overhead. So the basis of all security policy starts with the question, how much security can you afford? The simple answer might seem, I’ll take as much security as you can give me.

The problem with that approach is that the resulting system may be so expensive, slow and difficult to use that it ends up defeating the purpose of why you got it in the first place.

Now wouldn’t that be ironic? The fact is all security is a compromise between the amount of security you can afford and the amount of risk you’re willing to accept. Striking the right balance depends on the individual taking the risk. There is no right answer.

Let us review the main points of this article.

Cybersecurity can be thought of like an onion; it’s made up of layers. At the center is the device being protected, either a general purpose computer supporting an information technology enterprise or a special purpose computer supporting a cyber physical system.

The first layer | access control layer

Physical measures control who can handle the machine and what can be put into it. Virtual measures set rights and privileges to control how much change a runtime entity can incur.

The second layer | monitoring layer

Audit logs can help verify security measures and investigate suspected breaches. Intrusion detection and protection systems provide real-time monitoring, and can warn or take corrective action when anomalous behavior is detected.

The third layer | screening

Screening applies particularly if the device is connected to the Internet. It blocks traffic from bad places and removes traffic with malicious or unauthorized content.

The fourth layer | policy layer

The outermost layer is the policy layer. The policy layer shapes all other layers. All security is a compromise between the amount of security you can afford and the amount of risk you’re willing to accept. Striking the right security balance depends on the individual taking the risk. There is no one right answer.
