Logical Computer Security – Basic Principles And Fundamental Policies

Information in its broadest meaning is today one of the essential elements for the development and growth of any organization’s business. The current social and commercial interconnection makes information security an essential element, as information is increasingly exposed to a growing number and variety of threats and vulnerabilities. Consequently, adequate and effective protection is needed. But it happens that sometimes the confusion between the terms “information security, “computer logic security,” or “logical security” causes the specific nuances of each of them to be lost.

Differences Between Computer Security And Information Security

Insecurity, it is essential to know what we are referring to at all times precisely and unequivocally. It is, therefore, necessary to start by pointing out the distinction that exists between the previous terms. Thus, “computer security” would protect the technological infrastructures on which the company or organization works. The “information security” for its part has as its objective the protection of systems and information, as long as they are always accessible, that they do not suffer alterations and that their access is allowed exclusively to duly authorized persons. Information security, therefore, refers to the confidentiality, integrity, and availability of information and data. Finally, “logical security” involves all those measures established by administrators and users of information technology resources, which are intended to minimize security risks in their daily operations, in which information technologies are used.

Threats To Information And Computer Security Principles

The main threats of human origin that affect hardware, software, and data in computer security are usually theft, fraud, sabotage, espionage, hacker action, and malicious code. These threats typically materialize through phenomena such as:

• Interruption: destroying hardware, deleting programs, data, operating system crashes, etc.
• Interception: such as illegal copying of programs or eavesdropping on data.
• Modification: by modifying databases or modifying hardware elements.
• Generation: when adding network transactions or adding database records.

To start fighting against the wide range of threats that put information systems at risk, we must bear in mind the three basic computer security principles.

First principle: the intruder to the system will use any means or gadget that makes his access and subsequent attack easier.

The expression “any means or device” implies the existence of an enormous variety, both of fronts through which an attack can be produced, and of modalities, due to how they are produced, which includes actions of Social Engineering. This variety of methods and means makes risk analysis very difficult, although a clue to start. It is that: the intruder will always apply the philosophy of searching for the weakest point.

Second principle: data should be protected only until they lose their value

This principle implies the expiration of the protection system. In other words, there is a time interval during which the confidentiality of the data must be maintained, after which it is no longer necessary.

Third principle: control measures are implemented to be used effectively, and they must be efficient, easy to use, and appropriate to the environment.

This principle implies that control measures must work at the right time, optimizing system resources and going unnoticed by the user. It should also be noted that the effectiveness of any control system cannot be verified until the time comes when it is necessary to apply it.

Information Security Objectives

To minimize the above threats in information security, an appropriate set of specific controls must be implemented. These controls typically include policies, processes, procedures, organizational structures, and software and hardware features. It is also essential to use tools that allow the installation of information systems to be analyzed and organized, establish work procedures to define security, and have controls that will enable the effectiveness of the security measures implemented to be measured. All this must occur within a framework of continuous improvement, in which these measures are in a permanent state of review and revision.

The main objective pursued by the framework of information security controls is to protect the confidentiality, integrity, and availability of information and data, regardless of how they can be obtained.

• Basic Principle of Confidentiality: compliance with this principle attempts to prevent unauthorized disclosure of the organization’s information, whether intentional or not. Confidentiality ensures that only authorized people can access information, preventing the spread of information to unauthorized people.
• Basic Principle of Integrity: The property seeks to keep the data free from unauthorized modifications. The integrity of a message is obtained by appending another set of integrity check data to it. An example would be the digital signature, which is configured as one of the fundamental elements of information security.
• Basic Principle of Availability: availability ensures that access without interruptions to data or information resources by authorized personnel occurs correctly and in real-time. That is, availability ensures that systems work when they are needed.

What Is Logical Security?

Within information security, logical security refers to safety in the use of systems and software. It also implies the protection of data, processes, and programs and the orderly and authorized access of users to information.

With logical security, the following objectives are pursued :

• Restrict access to programs and files to authorized users only.
• That operator can work without close supervision, but they cannot modify programs or files that do not correspond.
• Check that the correct data, files, and programs are being used in and by the proper procedure.
• Guarantee that the transmitted information is received only by the recipient and no other individual.
• Ensure that the knowledge that the recipient has received is the same as that which has been transmitted.

Logical Security Policies

From a practical point of view, logical security policies are the means of control used to achieve the above objectives. The rational security policies of an organization are usually articulated through the following key elements:

Access controls. Access controls can be implemented in the operating system, in the information, in the databases, in a specific security package, or any other utility. It is usually the first line of defense for most computerized systems, its purpose being to prevent unauthorized persons from accessing them. They are the basis of almost all subsequent controls since it also allows you to track the activities of each of the users.

Roles, In this case, the access rights are grouped according to a specific position. Correspondingly, the use of resources is restricted to persons authorized to assume the said role. The use of parts is a relatively effective way of implementing access control. The role definition process is based on rigorous prior analysis of the organization’s behavior.

Transactions

It is articulated when the system knows the account number that provides a user with the relevant access in advance. This access has the duration of a transaction. When it is completed, the access authorization ends, leaving the user unable to continue operating.

Limitations to the services

The limitations to the services are controls that refer to the restrictions that depend on parameters specific to the use of the application. It also refers to those that the system administrator has preset.

Access

mode When specific access is allowed, it is also necessary to consider what type of access or mode is permitted. The four classic access modes that can be used are: read, write, execute, and delete.

Location and Time

Access to specific system resources may be based on data or people’s physical or logical location. As for the schedule, the use of parameters such as office hours or day of the week is expected when this type of control is implemented, which allows users to limit access to specific dates and times.

Internal Access Control Internal Access

Controls determine what a user (or group of users) can or cannot do with system resources. The main internal access control methods are:

• Keywords (Passwords): the keywords or passwords are commonly associated with user authentication. Experts are also used to protect data, applications, and even PCs.
• Encryption: encrypted information can only be decrypted by those with the appropriate key
• Access control lists: these lists refer to a registry of users and the types of access that have been provided.
• Limits on the user interface: Commonly used in conjunction with access control lists, these limits restrict users to specific functions. They can be of three types: menus, views on the database, or physical limitations on the user interface.
• Security labels are denominations given to the resources (it can be a file). The labels can be used for various purposes: access control, specification of protection tests, etc.

External Access Control External Access

Controls are a protection against the interaction of our system with systems, services, and people external to the organization.

• Port Control Devices – These devices authorize access to a specific port on the host computer and may be physically separate or included with another communications device, such as a modem.
• Firewalls or security gates: firewalls allow you to block or filter access between two networks, generally one private and the other external (for example, the Internet), understanding a remote network as one “separate” from others.
• Host-Based Authentication: Provides access based on the ID of the Host from which the access request originates, rather than based on the ID of the requesting user