William Yang - Talks and Tutorials


An Introduction to Computer and Network Security

SUMMARY

This introduction defines and clarifies the key concepts behind computer security concerns. It is a primer to prepare an individual to discuss, think about, become aware of, and perhaps implement technical, policy, and end-user solutions to the security problems that all information professionals face in one form or another.

We consider security to be the definition, implementation, and enforcement of a policy (or policies) which will determine who can use a resource and how that resource is to be used. Thus, security defines a level of control over the (computing) resources that a person, or an organization, is paying for. Unfortunately, it's easy to equate more invasive control with better security; this is not necessarily the case. When dealing with security, one should also address the functionality intended for a resource -- there's a trade-off between the control of the resource by a centralized (security) facility and the functionality which justifies the resource's existence. Deciding how much central control is required means balancing several characteristics:

  1. The cost to secure should be less than the value of what's being secured. Otherwise, it's cheaper to just replace a compromised resource.
  2. The value of what's being secured should be less than the cost to break through the security. Otherwise, it's profitable to attack the resource.
  3. The loss of productivity that results from adding the security must be less than the added value of having good security. Otherwise, management, users, and even security implementers will attempt to circumvent the security measures.

Other topics covered in this presentation include threat and risk assessment by direction and motive, understanding a security perimeter, how to control risks, the need for information flow, and the eight key concepts of (computer) security.

The policy portion of this presentation covers the elements of a computer and network security policy, strategies for building a strong case to justify an investment in security, the most successful strategies for becoming "secure enough", and how to stay secure in the long run.

This material requires approximately one hour. It is written for information technology professionals with either a technical or management background.

COPYRIGHT

The "An Introduction to Computer and Network Security" presentation and this area are:

Copyright ©1996-2000 William D. Yang. All rights reserved.


Biography

William Yang is the State IT Security Policy Officer for the State of Ohio, responsible for enterprise information assurance/security strategy and policies. In addition to standard assurance activities in relation to information crime, he is actively involved in regulatory compliance, critical infrastructure protection, and homeland security efforts for the government of Ohio. His prior experience includes being the director of operations for a managed security service company, and extensive experience with OSC (Ohio Supercomputer Center), leading software development projects and handling the application of Internet technologies to the cultural, social, and political enrichment of communities.

Mr. Yang has been actively involved in fostering cooperation, information sharing, and trust between law enforcement and private industry since 1995. He was one of six founding members of the InfraGard Provisional National Executive Committee in 1998 and served on the National InfraGard Executive Board through 2003. He was the first elected leader of the public-private partnership organization, InfraGard, serving as Chair of the Executive Board from 2001-2002.

Mr. Yang graduated with a bachelor of arts in Philosophy from the Ohio State University in 1995. He is the founder of GCFN.NET, a network service based on the process of building trust and community to better deliver real solutions.


Last modified June 26, 2005
Copyright © 2002-2006 GCFN.NET. All rights reserved.