This Article 
 Bibliographic References 
 Add to: 
Security as a Systems Property
September/October 2009 (vol. 7 no. 5)
pp. 88
Steven M. Bellovin, Columbia University
Daniel G. Conway, Augustana College
How do we protect systems? The answer is straightforward: each component must be evaluated independently and protected as necessary. Beware the easy answers, such as deploying stronger encryption while ignoring vulnerable end points; that's too much like looking under the streetlamp for lost keys, not because they're likely to be there but because it's an easy place to search. Remember, too, that people and processes are system components as well, and often the weakest ones—think about phishing, but also about legitimate emails that are structurally indistinguishable from phishing attacks. I'm not saying you should ignore one weakness because you can't afford to address another serious one—but in general, your defenses should be balanced. After that, of course, you have to evaluate the security of the entire system. Components interact, not always in benign ways, and there may be gaps you haven't filled.
Index Terms:
Steve Bellovin, systems, encryption, phishing, clear text
Steven M. Bellovin, Daniel G. Conway, "Security as a Systems Property," IEEE Security & Privacy, vol. 7, no. 5, pp. 88, Sept.-Oct. 2009, doi:10.1109/MSP.2009.134
Usage of this product signifies your acceptance of the Terms of Use.