Computer Security: A Comprehensive Explanation

2025 4/03

2025年4月3日 2025年4月3日

Fundamental Concepts of Computer Security

Core Principles (Confidentiality, Integrity, Availability)

At the heart of computer security lie three fundamental principles that guide the protection of information and systems: confidentiality, integrity, and availability. Confidentiality ensures that sensitive information is accessible only to authorized individuals, preventing unauthorized disclosure. This is crucial for protecting personal data, trade secrets, and government intelligence. Integrity focuses on maintaining the accuracy and completeness of data, preventing unauthorized modification or deletion. This principle is vital for ensuring the reliability of information used for decision-making and operations. Availability guarantees that authorized users have timely and reliable access to information and resources when they need them. This is essential for business continuity and ensuring that critical services remain operational. While these principles are not explicitly defined together in a single provided document, they form the bedrock of security practices discussed in frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework.¹ The NIST framework, through its various functions, aims to safeguard these core tenets by outlining best practices for identifying, protecting, detecting, responding to, and recovering from cybersecurity risks. The consistent emphasis on “protecting data” and “ensuring resilience” throughout the NIST framework implicitly underscores the importance of these three principles as practical objectives for any robust security strategy.¹ For example, the “Protect” function within the NIST framework directly addresses confidentiality by recommending the encryption of sensitive data, both when it is stored and when it is being transmitted.¹ Similarly, the recommendation for regular data backups within the same function directly supports availability and integrity by ensuring that data can be restored in case of loss or corruption.¹ The use of security software, also a key aspect of the “Protect” function, contributes to all three principles by preventing unauthorized access (confidentiality), protecting against data alteration (integrity), and ensuring system uptime (availability).¹

Introduction to the NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) serves as a voluntary set of guidelines designed to assist organizations in evaluating and enhancing their ability to prevent, detect, and respond to cybersecurity threats.¹ Developed by the U.S. National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, the framework was initially published in 2014 with a focus on critical infrastructure sectors.¹ However, its utility and adaptability have led to its widespread adoption across a diverse range of industries, including government entities and private enterprises on a global scale.² The framework achieves this by integrating existing standards, guidelines, and best practices into a structured approach for managing cybersecurity risk.²

At its core, the NIST CSF is comprised of five key functions: Identify, Protect, Detect, Respond, and Recover.¹ The Identify function focuses on establishing an organizational understanding of cybersecurity risk management concerning systems, personnel, assets, data, and capabilities.¹ This includes crucial activities such as creating a comprehensive inventory of all equipment, software, and data utilized by the organization, encompassing devices like laptops, smartphones, tablets, and point-of-sale systems.¹ Furthermore, it involves the development and dissemination of a company-wide cybersecurity policy that clearly defines the roles and responsibilities of employees, vendors, and any other parties with access to sensitive data.¹ This function also necessitates outlining the specific steps to be taken to prevent cyberattacks and to mitigate potential damage should an incident occur.¹

The Protect function then outlines the appropriate safeguards necessary to ensure the continued delivery of critical infrastructure services.¹ This involves implementing a variety of security measures aimed at preventing cybersecurity incidents. These measures include controlling access to the network and the use of computers and other devices, employing security software to safeguard data, and encrypting sensitive data both when it is stored (at rest) and during transmission (in transit).¹ Regular data backups, automated software updates, and the establishment of formal policies for the secure disposal of electronic files and outdated devices are also critical components of this function.¹ Moreover, the framework emphasizes the importance of comprehensive cybersecurity training for all individuals who interact with the organization’s computers, devices, and network, highlighting both their roles in the workplace and potential personal risks.¹

The Detect function defines the activities required to identify the occurrence of a cybersecurity event.¹ This involves the continuous monitoring of computers for unauthorized access by personnel, devices such as USB drives, and unauthorized software installations.¹ Investigating any unusual activities observed on the network or by staff members and regularly checking the network for unauthorized users or connections are also essential aspects of this function.¹

The Respond function encompasses the actions to be taken once a cybersecurity incident has been detected.¹ This includes having a well-defined plan for notifying customers, employees, and other stakeholders whose data may have been compromised.¹ Ensuring the continuity of business operations, reporting the attack to relevant law enforcement and other authorities, and conducting thorough investigations to contain the incident are also crucial steps.¹ Furthermore, this function emphasizes the importance of updating the cybersecurity policy and plan based on lessons learned from the incident and preparing for inadvertent events, such as weather emergencies, that could potentially put data at risk.¹ Regular testing of the incident response plan is also recommended to ensure its effectiveness.¹

Finally, the Recover function focuses on the activities needed to restore any capabilities or services that were impaired due to a cybersecurity incident.¹ This includes repairing and restoring affected equipment and network components and keeping both employees and customers informed about the ongoing response and recovery efforts.¹

Beyond these core functions, the NIST CSF also includes Implementation Tiers, which help organizations assess the sophistication of their cybersecurity practices, and Profiles, which allow for the framework to be customized to suit an organization’s unique risk profile and specific needs.² The NIST Cybersecurity Framework has gained international recognition and has been translated into multiple languages, serving as a benchmark for cybersecurity standards and facilitating alignment with other recognized global standards such as ISO/IEC 27001 and COBIT.² Research indicates that the NIST Cybersecurity Framework has the potential to significantly influence cybersecurity standards both within the United States and internationally, particularly in sectors where formal cybersecurity standards are still in their early stages of development.² It is important to note that the NIST Cybersecurity Framework is intended to be a dynamic and evolving document, undergoing updates and improvements over time to keep pace with advancements in technology and the ever-changing landscape of cybersecurity threats, as well as to incorporate best practices and lessons learned from real-world experiences.²

The NIST framework provides a structured, risk-based approach to computer security, which moves beyond the simple implementation of security tools. The cyclical nature of the five functions – Identify, Protect, Detect, Respond, and Recover – creates a continuous process of improvement.¹ Identifying assets and potential risks directly informs the development and implementation of protection strategies. These protection measures, in turn, enable more effective detection of security incidents. A well-defined response plan ensures that incidents are handled efficiently, and the recovery process allows for the restoration of affected systems and services. The lessons learned from each incident and the recovery efforts then feed back into the initial identification phase, leading to a more robust and adaptive security posture. Furthermore, the NIST framework’s applicability to businesses of all sizes suggests a scalable model for computer security.¹ While initially conceived for critical infrastructure, its fundamental principles are adaptable to organizations with varying levels of resources and complexities. The framework’s focus on desired outcomes and best practices, rather than rigid technical specifications, allows organizations to tailor their implementation to their specific needs and risk tolerance.

Table 1: Comparison of NIST CSF Functions and Security Controls

NIST CSF Function	Key Activities/Examples
Identify	Inventorying equipment, software, and data; Creating cybersecurity policies; Defining roles and responsibilities; Assessing business environment and risk tolerance ¹
Protect	Implementing access controls; Using security software; Encrypting data (at rest and in transit); Conducting regular data backups; Updating software regularly; Establishing secure disposal policies; Providing cybersecurity training ¹
Detect	Monitoring for unauthorized access, devices, and software; Investigating unusual network or staff activities; Checking for unauthorized network users or connections ¹
Respond	Developing incident response plans; Establishing notification procedures for affected parties; Reporting incidents to authorities; Investigating and containing attacks; Updating security policies based on lessons learned; Preparing for inadvertent events; Regularly testing the response plan ¹
Recover	Repairing and restoring affected equipment and network components; Keeping employees and customers informed about recovery activities ¹

Categories of Threats to Computer Security

Malware

Malware, short for malicious software, encompasses a broad range of software designed to harm or exploit computer systems, networks, or users. This category includes various types, each with its own distinct methods of operation and potential impact. Viruses are a type of malware that require a host program to attach themselves to and replicate, often spreading when the infected program is executed. Worms, on the other hand, are self-replicating and do not need a host program; they can spread autonomously across networks, potentially causing widespread disruption. Ransomware is a particularly damaging form of malware that encrypts a victim’s files, rendering them inaccessible, and then demands a ransom payment, typically in cryptocurrency, in exchange for the decryption key.¹ The National Institute of Standards and Technology recognizes the severity of this threat, as evidenced by the existence of a draft document, NISTIR 8374, which focuses specifically on a cybersecurity framework profile for managing ransomware risks.² This dedicated attention underscores the increasing prevalence and significant impact of ransomware attacks in the current threat landscape. Finally, Spyware is a type of malware that operates stealthily, secretly monitoring user activity and collecting sensitive information such as keystrokes, browsing history, and login credentials, often without the user’s knowledge or consent.

Phishing

Phishing is a specific type of social engineering attack that relies on deception to trick individuals into divulging sensitive information, such as usernames, passwords, credit card details, or other personal data.¹ These attacks typically involve the use of fraudulent emails, text messages, or websites that are designed to mimic legitimate entities like banks, online retailers, or government agencies. Attackers often craft these communications to create a sense of urgency or fear, prompting victims to take immediate action without carefully scrutinizing the request. Common scenarios include fake login pages that steal credentials, urgent requests for personal information to resolve a non-existent issue, or enticing offers that lure victims into clicking malicious links or downloading infected attachments. The Federal Trade Commission (FTC) specifically highlights phishing as a significant cybersecurity concern for small businesses in their guidance materials.¹ This inclusion emphasizes that phishing is not solely a technical vulnerability but also a human-centric one that can impact organizations of any size, particularly those with potentially fewer dedicated IT security resources, making their employees more susceptible targets.

Social Engineering

Social engineering, in a broader context, refers to the manipulation of individuals to gain unauthorized access to computer systems, networks, or sensitive information.¹ Unlike purely technical attacks, social engineering exploits human psychology and trust to achieve its objectives. Attackers may employ various tactics to deceive their victims, including pretexting (creating a fabricated scenario to gain trust), baiting (offering something enticing, like a free download, that contains malware), and tailgating (physically following an authorized person into a restricted area). The FTC’s cybersecurity guidance for small businesses specifically mentions “Business Email Imposters” and “Tech Support Scams” as prevalent threats.¹ Business email compromise involves attackers impersonating high-ranking employees or trusted vendors to trick employees into making fraudulent wire transfers or providing sensitive information. Tech support scams typically involve attackers posing as legitimate technical support representatives to convince victims that their computer has a problem and then persuading them to grant remote access or pay for unnecessary services. These specific examples underscore the increasing sophistication of social engineering tactics targeting businesses, where attackers leverage trust and authority to manipulate employees into actions that ultimately compromise security.

Denial-of-Service Attacks

Denial-of-Service (DoS) attacks are malicious attempts to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic, making it unavailable to its intended users. A common variation is a Distributed Denial-of-Service (DDoS) attack, where the overwhelming traffic originates from multiple compromised computer systems, often a network of infected devices known as a botnet. This distributed nature makes DDoS attacks more difficult to block and mitigate compared to single-source DoS attacks. The consequences of successful DoS attacks can be significant, leading to service disruptions, financial losses due to downtime, reputational damage, and the inability for customers or employees to access critical resources. While the provided snippets do not offer specific details on DoS attacks, the broader understanding of cybersecurity threats includes them as a significant category. In the context of the NIST framework, the “Recover” function would be particularly relevant in the aftermath of a DoS attack, focusing on the restoration of impaired services and the return to normal operational status.¹

Table 2: Examples of Threat Categories and Specific Threats

Threat Category	Specific Threat	Brief Description
Malware	Virus	Self-replicating code that attaches to other programs.
Malware	Worm	Self-replicating code that doesn’t require a host and can spread across networks.
Malware	Ransomware	Encrypts files and demands a ransom for decryption.¹
Malware	Spyware	Secretly monitors user activity and collects information.
Phishing	Fake Login Pages	Deceptive web pages designed to steal login credentials.¹
Phishing	Urgent Information Requests	Fraudulent communications that pressure users to provide sensitive data.¹
Social Engineering	Business Email Imposter	Attackers impersonate trusted figures to induce fraudulent actions.¹
Social Engineering	Tech Support Scam	Attackers pose as tech support to gain remote access or payment for fake services.¹
Social Engineering	Pretexting	Creating a fabricated scenario to gain trust and extract information.
Social Engineering	Baiting	Offering something enticing (e.g., infected media) to lure victims.
Social Engineering	Tailgating	Physically following an authorized person into a restricted area.
Denial-of-Service	DDoS	Overwhelming a target with traffic from multiple compromised systems, causing service disruption.

Security Measures Implemented to Protect Computer Systems

Preventative Controls

Preventative controls are security measures implemented with the primary goal of stopping security incidents from occurring in the first place. These controls act as the first line of defense against various threats. Firewalls, which can be hardware or software-based, play a crucial role in monitoring and controlling incoming and outgoing network traffic based on a predefined set of security rules.¹ By filtering traffic and blocking unauthorized connections, firewalls help to prevent malicious access to computer systems and networks. The FTC’s guidance on “Secure Remote Access” implicitly suggests the use of firewalls as a fundamental preventative measure for protecting remote connections.¹ Antivirus software is another essential preventative control designed to detect, prevent, and remove malware, including viruses, worms, and ransomware.¹ NIST recommends the use of security software as a key step in protecting sensitive data.¹ Intrusion Detection Systems (IDS) are designed to monitor network or system activities for any signs of malicious activity or violations of security policies.¹ While they primarily function to detect suspicious behavior, some advanced systems, known as Intrusion Prevention Systems (IPS), can automatically take action to block detected threats in real-time, adding an active layer of prevention. NIST’s recommendation to monitor computers for unauthorized access and unusual activities aligns with the core function of an IDS.¹

Detective Controls

Detective controls are security measures implemented to identify and record security incidents after they have occurred. These controls do not prevent incidents but are crucial for discovering breaches and understanding their impact. Security auditing involves the systematic examination of security-related activities, logs, and records to identify potential security violations or weaknesses. Log analysis is a key component of detective controls, involving the review of system and application logs to identify suspicious patterns, anomalies, or evidence of security breaches.¹ NIST’s advice to check the network for unauthorized users or connections often entails thorough log analysis to uncover any illicit activity.¹ Effective detective controls enable organizations to identify and respond to security incidents in a timely manner, minimizing potential damage.

Corrective Controls

Corrective controls are security measures taken to repair damage or restore systems to a normal operational state after a security incident has been detected. These controls focus on mitigating the impact of an incident and preventing its recurrence. Incident response encompasses the processes and procedures for handling and recovering from a security incident, aligning directly with the “Respond” function of the NIST framework.¹ This includes steps such as containment, eradication, and recovery. Disaster recovery involves the procedures and plans for recovering IT infrastructure and data after a major disruption, such as a natural disaster or a significant cyberattack. This aligns with the “Recover” function of the NIST framework, which focuses on restoring capabilities and services impaired by an incident.¹

Technical Controls

Technical controls are security measures that are implemented using technology to protect computer systems and data. Encryption is a fundamental technical control that involves converting data into an unreadable format, known as ciphertext, to protect its confidentiality.¹ Only authorized individuals with the correct decryption key can transform the data back into its original, readable form. NIST explicitly recommends encrypting sensitive data both when it is stored (at rest) and when it is being transmitted across networks (in transit).¹ Multi-Factor Authentication (MFA) is another critical technical control that requires users to provide two or more verification factors to gain access to an account or system. These factors typically fall into categories such as something the user knows (e.g., a password), something the user has (e.g., a security token or a smartphone), and something the user is (e.g., a biometric characteristic). NIST’s recommendation to control who logs on to the network strongly implies the use of MFA as an effective method for enhancing access security.¹

The NIST framework’s structure inherently promotes a layered approach to security, effectively encompassing preventative, detective, and corrective controls through its five core functions.¹ The “Protect” function primarily focuses on implementing preventative measures, while the “Detect” function emphasizes the importance of detective controls. The “Respond” and “Recover” functions address corrective actions necessary after a security incident. Technical controls like encryption and MFA are crucial components within the “Protect” function, providing technological safeguards against unauthorized access and data breaches. This multi-layered strategy, often referred to as defense in depth, recognizes that no single security measure is foolproof and that multiple layers of protection are necessary to effectively mitigate the diverse range of cybersecurity threats.

Best Practices for Maintaining Computer Security

Password Management

Effective password management is a cornerstone of computer security. Strong passwords act as the first line of defense against unauthorized access to accounts and systems. Recommended practices include using strong passwords that are long (ideally 12 characters or more), complex (incorporating a mix of uppercase and lowercase letters, numbers, and symbols), and unique for each online account.¹ Reusing the same password across multiple accounts significantly increases the risk of compromise. While NIST’s guidance does not explicitly detail specific password complexity requirements, the recommendation to control who logs on to the network strongly implies the necessity of using robust passwords.¹ Password managers are valuable tools that can help users generate and securely store complex passwords, reducing the burden of remembering multiple unique credentials and promoting better overall password hygiene.

Software Updates

Keeping software updated is essential for maintaining computer security as software vendors regularly release updates to patch newly discovered security vulnerabilities.¹ Failing to install these updates can leave systems vulnerable to exploitation by attackers who are aware of these weaknesses. It is crucial to update both the operating system, which is the core software that manages computer hardware and software resources, and individual applications installed on the system.¹ NIST explicitly recommends automating software updates whenever possible to ensure that systems are promptly protected against known vulnerabilities.¹ This proactive approach significantly reduces the window of opportunity for attackers to exploit security flaws.

Security Awareness and Training

Educating users about potential security threats and best practices is a vital component of maintaining a strong security posture.¹ Even the most sophisticated technical security measures can be undermined by a lack of user awareness. Key areas of security awareness training include identifying phishing attempts, teaching users how to recognize suspicious emails, messages, and websites that may be designed to steal their information.¹ The FTC’s emphasis on phishing in their guidance for small businesses underscores the importance of training in this specific area.¹ Training should also cover safe browsing habits, educating users on how to navigate the internet securely, avoid clicking on suspicious links, and refrain from downloading files from untrusted sources. Furthermore, users should be trained on data security practices, including how to handle sensitive data appropriately, secure its storage, and ensure its proper disposal when no longer needed.¹ NIST specifically emphasizes the importance of training everyone who uses the organization’s computers and network about cybersecurity, highlighting both their responsibilities within the workplace and the potential risks they face in their personal lives.¹ This recognition of the human element in security underscores that informed and vigilant users are a critical first line of defense against many types of cyber threats.

Conclusion

Maintaining robust computer security is a multifaceted endeavor that requires a comprehensive and adaptable approach. Frameworks like the NIST Cybersecurity Framework provide a valuable structure for understanding, managing, and mitigating cybersecurity risks by emphasizing a continuous cycle of identification, protection, detection, response, and recovery. Understanding the various categories of threats, including malware, phishing, social engineering, and denial-of-service attacks, is crucial for developing effective security strategies. Implementing a combination of preventative, detective, and corrective security measures, including technical controls like encryption and multi-factor authentication, forms the backbone of a strong defense. However, technology alone is insufficient. Adhering to best practices such as strong password management, timely software updates, and comprehensive security awareness training for all users is equally vital. The human element remains a critical factor in the overall security posture of any organization. As the threat landscape continues to evolve, a proactive and adaptive approach to computer security, incorporating both technological safeguards and user education, is essential for protecting valuable information and ensuring the resilience of computer systems.