computer security

Also found in: Dictionary, Thesaurus, Legal, Financial, Acronyms, Wikipedia.
Related to computer security: Network security

computer security

[kəm′pyüd·ər sə′kyu̇r·əd·ē]
(computer science)
Measures taken to protect computers and their contents from unauthorized use.
McGraw-Hill Dictionary of Scientific & Technical Terms, 6E, Copyright © 2003 by The McGraw-Hill Companies, Inc.

Computer security

The process of ensuring confidentiality, integrity, and availability of computers, their programs, hardware devices, and data. Lack of security results from a failure of one of these three properties. The lack of confidentiality is unauthorized disclosure of data or unauthorized access to a computing system or a program. A failure of integrity results from unauthorized modification of data or damage to a computing system or program. A lack of availability of computing resources results in what is called denial of service.

An act or event that has the potential to cause a failure of computer security is called a threat. Some threats are effectively deflected by countermeasures called controls. Kinds of controls are physical, administrative, logical, cryptographic, legal, and ethical. Threats that are not countered by controls are called vulnerabilities.


Encryption is a very effective technique for preserving the secrecy of computer data, and in some cases it can also be employed to ensure integrity and availability. An encrypted message is converted to a form presumed unrecognizable to unauthorized individuals. The principal advantage of encryption is that it renders interception useless. See Cryptography

Access control

Computer security implies that access be limited to authorized users. Therefore, techniques are required to control access and to securely identify users. Access controls are typically logical controls designed into the hardware and software of a computing system. Identification is accomplished both under program control and by using physical controls.

Typically, access within a computing system is limited by an access control matrix administered by the operating system or a processing program. All users are represented as subjects by programs executing on behalf of the users; the resources, called the objects of a computing system, consist of files, programs, devices, and other items to which users' accesses are to be controlled. The matrix specifies for each subject the objects that can be accessed and the kinds of access that are allowed.

Access control as described above relates to individual permissions. Typically, such access is called discretionary access control because the control is applied at the discretion of the object's owner or someone else with permission. With a second type of access control, called mandatory access control, each object in the system is assigned a sensitivity level, which is a rating of how serious would be the consequences if the object were lost, modified, or disclosed, and each subject is assigned a level of trust.

Access control is not necessarily as direct as just described. Unauthorized access can occur through a covert channel. One process can signal something to another by opening and closing files, creating records, causing a device to be busy, or changing the size of an object. All of these are acceptable actions, and so their use for covert communication is essentially impossible to detect, let alone prevent.

Security of programs

Computer programs are the first line of defense in computer security, since programs provide logical controls. Programs, however, are subject to error, which can affect computer security.

A computer program is correct if it meets the requirements for which it was designed. A program is complete if it meets all requirements. Finally, a program is exact if it performs only those operations specified by requirements.

Simple programmer errors are the cause of most program failures. Fortunately, the quality of software produced under rigorous design and production standards is likely to be quite high. However, a programmer who intends to create a faulty program can do so, in spite of development controls. See Software engineering

A salami attack is a method in which an accounting program reduces some accounts by a small amount, while increasing one other account by the sum of the amounts subtracted. The amount reduced is expected to be insignificant; yet, the net amount summed over all accounts is much larger.

Some programs have intentional trapdoors, additional undocumented entry points. If these trapdoors remain in operational systems, they can be used illicitly by the programmer or discovered accidentally by others.

A Trojan horse is an intentional program error by which a program performs some function in addition to its advertised use. For example, a program that ostensibly produces a formatted listing of stored files may write copies of those files on a second device to which a malicious programmer has access.

A program virus is a particular type of Trojan horse that is self-replicating. In addition to performing some illicit act, the program creates a copy of itself which it then embeds in other, innocent programs. Each time the innocent program is run, the attached virus code is activated as well; the virus can then replicate and spread itself to other, uninfected programs. Trojan horses and viruses can cause serious harm to computing resources, and there is no known feasible countermeasure to halt or even detect their presence.

Security of operating systems

Operating systems are the heart of computer security enforcement. They perform most access control mediation, most identification and authentication, and most assurance of data and program integrity and continuity of service.

Operating systems structured specifically for security are built in a kernelized manner, embodying the reference monitor concept. A kernelized operating system is designed in layers. The innermost layer provides direct access to the hardware facilities of the computing system and exports very primitive abstract objects to the next layer. Each successive layer builds more complex objects and exports them to the next layer. The reference monitor is effectively a gate between subjects and objects. See Operating system

Security of databases

Integrity is a much more encompassing issue for databases than for general applications programs, because of the shared nature of the data. Integrity has many interpretations, such as assurance that data are not inadvertently overwritten, lost, or scrambled; that data are changed only by authorized individuals; that when authorized individuals change data, they do so correctly; that if several people access data at a time, their uses will not conflict; and that if data are somehow damaged, they can be recovered.

Database systems are especially prone to inference and aggregation. Through inference, a user may be able to derive a sensitive or prohibited piece of information by deduction from nonsensitive results without accessing the sensitive information itself. Aggregation is the ability of two or more separate data items to be more (or less) sensitive together than separately. Various statistical methods make it very difficult to prevent inference, and aggregation is also extremely difficult to prevent, since users can access great volumes of data from a database over long periods of time and then correlate the data independently.

Security of networks

As computing needs expand, users interconnect computers. Network connectivity, however, increases the security risks in computing. Whereas users of one machine are protected by some physical controls, with network access, a user can easily be thousands of miles from the actual computer. Furthermore, message routing may involve many intermediate machines, called hosts, each of which is a possible point where the message can be modified or deleted, or a new message fabricated. A serious threat is the possibility of one machine's impersonating another on a network in order to be able to intercept communications passing through the impersonated machine.

The principal method for improving security of communications within a network is encryption. Messages can be encrypted link or end-to-end. With link encryption, the message is decrypted at each intermediate host and reencrypted before being transmitted to the next host. End-to-end encryption is applied by the originator of a message and removed only by the ultimate recipient.

To benefit from sharing access to computing systems that are not all located together, organizations have established virtual private networks (VPNs). These networks approach the security of a private network at costs closer to those of shared public resources. The primary security technique used is encryption.

The Internet, or any similar public network, is subject to threats to its availability, integrity, and confidentiality. A complicating feature is that there is effectively no control on transmissions over the Internet. Consequently, a system connected to the Internet is exposed to any malicious attack that any other Internet user wants to launch.

Security perimeter

A security perimeter is a logical boundary surrounding all resources that are controlled and protected. The protected resources are called a domain (or enclave or protected subnetwork). There may be overlapping domains of varying protection, so that the most sensitive resources are in the innermost domain, which is the best protected. Protecting the security perimeter may be physical controls, identification and authentication, encryption, and other forms of access control. Two controls that relate especially to the security perimeter are network vulnerability scanning and firewalls.

A network vulnerability scan is the process of determining the connectivity of the subnetwork within a security perimeter, and then testing the strength of protection at all the access points to the subnetwork. With a network domain, if a forgotten access point is not secured, its weakness can undermine the protection of the rest of the domain. A network scanner maps the connectivity of a domain, typically by probing from outside the domain, to determine what resources are visible from the outside. Once all outside connections are identified, each is tested with a range of attacks to determine the vulnerabilities to which it is susceptible and from which it needs to be better protected.

A firewall is a host that fuctions as a secured gateway between a protected enclave and the outside. The firewall controls all traffic according to a predefined access policy. For example, many firewalls are configured to allow unhindered communication outbound (from the protected domain to a destination outside the domain) but to allow only certain kinds of inbound communication. A firewall can be a separate computer, or firewall functionality can be built into the communications switch connecting the enclave to the external network.

Intrusion detection

It is most effective to eliminate vulnerabilities, but if that is not possible, it is then desirable to recognize that an attack is occuring or has occured, and take action to prevent future attacks or limit the damage from the current one. Intrusion detection can be either anomaly detection, which seeks to identify an attack by behavior that is out of the norm, or misuse detection, to identify an attack by its attempted effect on sensitive resources. Intrusion detection systems monitor a computing system in order to warn of an attack that is imminent, is under way, or has occurred.

McGraw-Hill Concise Encyclopedia of Engineering. © 2002 by The McGraw-Hill Companies, Inc.

computer security

This article is provided by FOLDOC - Free Online Dictionary of Computing (

computer security

The protection of data, networks and computing power. The protection of data (information security) is the most important. The protection of networks is important to prevent loss of server resources as well as to protect the network from being used for illegal purposes. The protection of computing power is relevant only to expensive machines such as large supercomputers. See information security and COMPUSEC.
Copyright © 1981-2019 by The Computer Language Company Inc. All Rights reserved. THIS DEFINITION IS FOR PERSONAL USE ONLY. All other reproduction is strictly prohibited without permission from the publisher.
References in periodicals archive ?
To obtain a clearer picture of computer security behavior, the researchers will be interviewing additional computer users of varying levels of responsibility, including cybersecurity professionals; mid-level employees with responsibilities to protect personally identifiable information in fields such as health care, finance and education; and workers who use computers but for whom security is not their primary responsibility.
Professionals, especially, need to take computer security seriously.
The goal of the book is to show how to use "smart technology" (which, regrettably, the authors never define) to enhance computer security. Much of the book is based on machine learning and machine-learning tools, including algorithmic aspects of machine learning.
How much money do companies in different industry sectors lose because of computer security incidents?
Several computer security companies said only a few thousand computers had been hit by the virus by midday today compared to the up to 500,000 PCs that were expected to be affected.
CyberScrub LLC, an Atlanta based developer of computer security tools has released CyberScrub KeyChain, an advanced password management and auto form filler utility.
Silence On The Wire: A Field Guide To Passive Reconnaissance And Indirect Attacks by computer security and programming expert Michal Zalewski focuses upon fundamentals of computing so that even non-specialist general readers can understand network design and their own computing activities, becoming able to address computer security issues.
AICPA Obtains Computer Security Discount for Members
Grades depended on how well agencies met the requirements set out in the Federal Information Security Management Act (FISMA), which requires them to meet certain computer security standards.
"The White House's top computer security official ...
This package is quick and easy to install, and it's inexpensive, so if you're looking for a pain-free way to spy on employees or loved ones (or are looking for greater computer security), then Spector might be a good place to start.
Yet e-mail, especially through message attachments, is a common way to spread viruses and one of the biggest computer security threats.

Full browser ?