العربية
中国
Français
Deutsch
Ελληνική
हिन्दी
Italiano
日本語
Português
Русский
EspañolSECURITY ENGINEERING
'Security engineering' is the field of engineering dealing in developing detailed engineering designs for security systems and for security of spaces. It is similar to systems engineering in that its motivation is to make a system meet requirements, but with the added dimension of enforcing a security policy. It has existed as an informal field for centuries, in the fields of locksmithing and security printing.
For this reason it involves aspects of social science, psychology and economics, as well as physics, chemistry and mathematics. Some of the techniques used, such as fault tree analysis, are derived from safety engineering.
Other techniques such as cryptography were previously restricted to military applications. One of the pioneers of security engineering as a formal field of study is Ross Anderson.
Typical qualifications for a security engineer are:
★ Chartered Professional Engineer
★ CPP
★ PSP
★ BICSI RCDD
★ CISSP
However, multiple qualifications, or several qualified persons working in concert, may provide the more a compleat solution.[1]
Possible default positions on security matters:
'Default deny' - "Everything not explicitly permitted is forbidden"
-- Improves security at a cost in functionality. This is a good approach if you have lots of security threats. See secure computing for a discussion of computer security using this approach.
'Default permit' - "Everything not explicitly forbidden is permitted"
-- Allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible. See computer insecurity for an example of the failure of this approach in the real world.
★ Physical security - measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media.
★ Information security - protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption to access. (See esp. Computer security)
★ Economics of security - addressing the economic aspects of economics of privacy and computer security.
Technological advances, principally in the field of computers, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers not only need consider the mathematical and physical properties of systems; they also need to consider attacks on the people who use and form parts of those systems using social engineering attacks. Secure systems have to resist not only technical attacks, but also coercion, fraud, and deception by confidence tricksters.
According to the ''Microsoft Developer Network'' the patterns & practices of Security Engineering consists of the following activities:
★ Security Objectives
★ Security Design Guidelines
★ Security Modeling
★ Security Architecture and Design Review
★ Security Code Review
★ Security Testing
★ Security Tuning
★ Security Deployment Review
These activities are designed to help meet security objectives in the software life cycle.
★ Understanding of a ''typical'' threat and the usual risks to people and property.
★ Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
★ Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
★ Overview of common physical and technological methods of protection and understanding their roles in deterrence, detection and mitigation.
★ Determining and prioritizing security needs and aligning them with the perceived threats and the available budget.
★ US Department of State, Bureau of Diplomatic Security (ABET certified institution degree in engineering or physics required)
★ There is a need for appropriate licensing for security engineers (this differs from country to country).
★ The use of the term "engineering" is debated. One argument being that few practicing security engineers hold engineering degrees from accredited universities.
'Computer Related'
★ Authentication
★ Cryptography
★ Cryptanalysis
★ Computer insecurity
★ Data remanence
★ Defensive programming
★ Electronic underground community
★ Hacking
★ Password policy
★ Software cracking
★ Software Security Assurance
★ Secure computing
★ Systems engineering
★ Trusted system
'Physical'
★ Access control
★ Authorization
★ Critical Infrastructure Protection
★ Environmental design (esp. CPTED)
★ Locksmithing
★ Physical Security
★ Secrecy
★ Security
★ Secure cryptoprocessor
★ Security through obscurity
★ Technical Surveillance Counter-Measures
'Misc. Topics'
★ Deception
★ Fraud
★ Full disclosure
★ Security awareness
★ Security community
★ Steganography
★ Social engineering
★ Kerckhoffs' principle
★ Security Engineering, Ross Anderson, , , Wiley, 2001, ISBN 0-471-38922-6
★ Ross Anderson (2001). "Why Information Security is Hard - An Economic Perspective"
★ Applied Cryptography, Bruce Schneier, , , Wiley, 1995, ISBN 0-471-11709-9
★ , Bruce Schneier, , , Wiley, 2000, ISBN 0-471-25311-1
★ Secure Programming for Linux and Unix HOWTO David A. Wheeler
★ patterns & practices Security Engineering on Channel9
★ patterns & practices Security Engineering on MSDN
★ patterns & practices Security Engineering Explained
★ Basic Target Hardening from the Government of South Australia
For this reason it involves aspects of social science, psychology and economics, as well as physics, chemistry and mathematics. Some of the techniques used, such as fault tree analysis, are derived from safety engineering.
Other techniques such as cryptography were previously restricted to military applications. One of the pioneers of security engineering as a formal field of study is Ross Anderson.
Qualifications
Typical qualifications for a security engineer are:
★ Chartered Professional Engineer
★ CPP
★ PSP
★ BICSI RCDD
★ CISSP
However, multiple qualifications, or several qualified persons working in concert, may provide the more a compleat solution.[1]
Security Stance
Possible default positions on security matters:
'Default deny' - "Everything not explicitly permitted is forbidden"
-- Improves security at a cost in functionality. This is a good approach if you have lots of security threats. See secure computing for a discussion of computer security using this approach.
'Default permit' - "Everything not explicitly forbidden is permitted"
-- Allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible. See computer insecurity for an example of the failure of this approach in the real world.
Sub-fields
★ Physical security - measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media.
★ Information security - protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption to access. (See esp. Computer security)
★ Economics of security - addressing the economic aspects of economics of privacy and computer security.
Methodologies
Technological advances, principally in the field of computers, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers not only need consider the mathematical and physical properties of systems; they also need to consider attacks on the people who use and form parts of those systems using social engineering attacks. Secure systems have to resist not only technical attacks, but also coercion, fraud, and deception by confidence tricksters.
Computer - Patterns & Practices
According to the ''Microsoft Developer Network'' the patterns & practices of Security Engineering consists of the following activities:
★ Security Objectives
★ Security Design Guidelines
★ Security Modeling
★ Security Architecture and Design Review
★ Security Code Review
★ Security Testing
★ Security Tuning
★ Security Deployment Review
These activities are designed to help meet security objectives in the software life cycle.
Physical - Patterns & Practices
★ Understanding of a ''typical'' threat and the usual risks to people and property.
★ Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
★ Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
★ Overview of common physical and technological methods of protection and understanding their roles in deterrence, detection and mitigation.
★ Determining and prioritizing security needs and aligning them with the perceived threats and the available budget.
Companies and Governments Employing Security Engineers
★ US Department of State, Bureau of Diplomatic Security (ABET certified institution degree in engineering or physics required)
Criticisms
★ There is a need for appropriate licensing for security engineers (this differs from country to country).
★ The use of the term "engineering" is debated. One argument being that few practicing security engineers hold engineering degrees from accredited universities.
See also
'Computer Related'
★ Authentication
★ Cryptography
★ Cryptanalysis
★ Computer insecurity
★ Data remanence
★ Defensive programming
★ Electronic underground community
★ Hacking
★ Password policy
★ Software cracking
★ Software Security Assurance
★ Secure computing
★ Systems engineering
★ Trusted system
'Physical'
★ Access control
★ Authorization
★ Critical Infrastructure Protection
★ Environmental design (esp. CPTED)
★ Locksmithing
★ Physical Security
★ Secrecy
★ Security
★ Secure cryptoprocessor
★ Security through obscurity
★ Technical Surveillance Counter-Measures
'Misc. Topics'
★ Deception
★ Fraud
★ Full disclosure
★ Security awareness
★ Security community
★ Steganography
★ Social engineering
★ Kerckhoffs' principle
Further reading
★ Security Engineering, Ross Anderson, , , Wiley, 2001, ISBN 0-471-38922-6
★ Ross Anderson (2001). "Why Information Security is Hard - An Economic Perspective"
★ Applied Cryptography, Bruce Schneier, , , Wiley, 1995, ISBN 0-471-11709-9
★ , Bruce Schneier, , , Wiley, 2000, ISBN 0-471-25311-1
★ Secure Programming for Linux and Unix HOWTO David A. Wheeler
Articles and Papers
★ patterns & practices Security Engineering on Channel9
★ patterns & practices Security Engineering on MSDN
★ patterns & practices Security Engineering Explained
★ Basic Target Hardening from the Government of South Australia
This article provided by Wikipedia. To edit the contents of this article, click here for original source.
psst.. try this: add to faves
