No edit summary
Line 1:
'''Security engineering''' is a specialized field of [[engineering]] that deals with the development of detailed engineering
In one form or another, Security Engineering has existed as an informal field of study for several centuries. For example, the fields of [[locksmithing]] and [[security printing]] have been around for many years. at [[US$]]150 billion.<ref>{{cite news | title=Data analytics, networked video lead trends for 2008 | publisher=CLB MEDIA INC | url =http://www.sptnews.ca/index.php?option=com_content&task=view&id=798&Itemid=4 | work =SP&T News | accessdate = 2008-01-05 }}</ref>
Security engineering involves /p/articles/mi_m1216/is_n5_v181/ai_6730246]
Some of the techniques used, such as [[fault tree analysis]], are derived from [[safety engineering]].
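Review bot: In the second paragraph of this hunk the text before the SP&T News citation reads "have been around for many years. at [[US$]]150 billion.", so the cited figure has no subject and the reference supports nothing a reader can identify. Either restore the full sentence that says what is valued at US$150 billion or drop the fragment together with its ref. The following line has a similar break: "Security engineering involves /p/articles/mi_m1216/is_n5_v181/ai_6730246]" is the tail of an external link whose opening bracket and host are missing.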
Line 19 ⟶ 17:
* [[CISSP]]
However, multiple qualifications, or several qualified persons working together, may provide a more complete solution.[http://www.asla.org/safespaces/pdf/design_brochure.pdf]
1 '''Default deny''' - "Everything, not explicitly permitted, is forbidden"
::Improves security at a cost in functionality.
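Review bot: The default-deny item is written as a literal "1 '''Default deny'''" with its explanation indented by "::", which does not produce a numbered list in wikitext. Use "#" for the item and "#:" for the lines under it so the numbering continues to the next item. The bare external link after "a more complete solution." would also read better as a ref with a title, matching the cite news reference used in the lead.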
Line 31 ⟶ 25:
::Allows greater functionality by sacrificing security.
::This is only a good approach in an environment where security threats are non-existent or negligible.
::See [[computer insecurity]]
* [[Physical security]]
:*deter attackers from accessing a facility, resource, or information stored on physical media.
Line 52 ⟶ 35:
==Methodologies==
Technological advances, principally in the field of [[computer]]s, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers not only need consider the mathematical and physical properties of systems; they also need to consider attacks on the people who use and form parts
* Security Objectives
* Security Design Guidelines
Line 68 ⟶ 48:
===Physical===
* Understanding of a
Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorised persons. Methods include placing [[Jersey barrier]]s, stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car and [[truck bombing]]s. Improving the method of [[Visitor management]] and some new electronic [[Lock (device)|locks]] take advantage of technologies such as [[fingerprint]] scanning, iris or [[retinal scan]]ning, and [[voiceprint]] identification to authenticate users.
Line 81 ⟶ 54:
* US Department of State, [[Bureau of Diplomatic Security]] (ABET certified institution degree in engineering or physics required)<ref>http://careers.state.gov/specialist/opportunities/seceng.html</ref>
▲Some criticize this field as not being a bona fide field of engineering because the methodologies of this field are less formal or excessively ad-hoc compared to [[Engineering|other fields]] and many in the practice of security engineering have no engineering degree. Part of the problem lies in the fact that while conforming to positive requirements is well understood; conforming to negative requirements requires complex and indirect posturing to reach a [[Closed-form expression|closed form]] solution. In fact, some rigorous methods do exist to address these difficulties but are seldom used, partly because they are viewed as too old or too complex by many practitioners. As a result, many ad-hoc approaches simply do not succeed.
==See also==
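Review bot: The paragraph beginning "Some criticize this field" attributes its claims to nobody and cites nothing. "Some criticize", "some rigorous methods do exist" and "many ad-hoc approaches simply do not succeed" each need a named source, or the paragraph should be cut back to what can be sourced. The Bureau of Diplomatic Security reference just above it is a bare URL inside ref tags and should carry a title and access date like the other citations.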
Line 98 ⟶ 69:
* [[Electronic underground community]]
* [[Explosion protection]]
* [[Information Systems Security Engineering]]
* [[Password policy]]
Line 111 ⟶ 81:
{{col-break}}
'''Physical'''
* [[Access control]]* [[Physical Security]]
* [[Secrecy]]
* [[Security]]
Line 126 ⟶ 90:
{{col-break}}
'''Misc. Topics'''
* [[Deception]]* [[Steganography]]
* [[Social engineering (computer security)|Social engineering]]
* [[Kerckhoffs' principle]]
Line 145 ⟶ 104:
| url = http://www.cl.cam.ac.uk/~rja14/book.html
}}
*{{cite
▲* Ross Anderson (2001). "[http://www.acsa-admin.org/2001/papers/110.pdf Why Information Security is Hard - An Economic Perspective]"
<!--
*{{Conference reference
Line 175 ⟶ 126:
| year = 2000
| title = [[Secrets and Lies: Digital Security in a Networked World]]
| publisher = Wiley | author = [[David A. Wheeler]]
| year = 2003
| url = http://www.dwheeler.com/secure-programs
Line 188 ⟶ 135:
===Articles and Papers===
* [http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SecurityEngineering patterns & practices Security
* [http://www.capitalprograms.sa.edu.au/a8_publish/modules/publish/content.asp?id=23343&navgrp=2557 Basic Target Hardening] from the Government of South Australia