Security Engineer on:
[Wikipedia]
[Google]
[Amazon]
Security engineering is the process of incorporating
* Understanding of a ''typical'' threat and the usual risks to people and property.
* Understanding the incentives created both by the threat and the countermeasures.
* Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
* Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
* Overview of common physical and technological methods of protection and understanding their roles in
patterns & practices Security Engineering on Channel9
patterns & practices Security Engineering on MSDN
patterns & practices Security Engineering Explained
Basic Target Hardening
from the Government of South Australia {{DEFAULTSORT:Security Engineering
security controls
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the c ...
into an information system
An information system (IS) is a formal, sociotechnical, organizational system designed to collect, process, store, and distribute information. From a sociotechnical perspective, information systems are composed by four components: task, people ...
so that the controls become an integral part of the system’s operational capabilities. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements
In product development and process optimization, a requirement is a singular documented physical or functional need that a particular design, product or process aims to satisfy. It is commonly used in a formal sense in engineering design, includi ...
, but it has the added dimension of preventing misuse and malicious behavior. Those constraints and restrictions are often asserted as a security policy
Security policy is a definition of what it means to ''be secure'' for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms ...
.
In one form or another, security engineering has existed as an informal field of study for several centuries. For example, the fields of locksmithing
Locksmithing is the science and art of making and defeating locks. Locksmithing is a traditional trade and in many countries requires completion of an apprenticeship. The level of formal education legally required varies from country to country ...
and security printing
Security printing is the field of the printing industry that deals with the printing of items such as banknotes, cheques, passports, tamper-evident labels, security tapes, product authentication, stock certificates, postage stamps and identity ca ...
have been around for many years. The concerns for modern security engineering and computer systems were first solidified in a RAND paper from 1967, "Security and Privacy in Computer Systems" by Willis H. Ware. This paper, later expanded in 1979, provided many of the fundamental information security concepts, labelled today as Cybersecurity, that impact modern computer systems, from cloud implementations to embedded IoT.
Recent catastrophic events, most notably 9/11
The September 11 attacks, commonly known as 9/11, were four coordinated suicide terrorist attacks carried out by al-Qaeda against the United States on Tuesday, September 11, 2001. That morning, nineteen terrorists hijacked four commercial ...
, have made security engineering quickly become a rapidly-growing field. In fact, in a report completed in 2006, it was estimated that the global security industry was valued at US $150 billion.
Security engineering involves aspects of social science
Social science is one of the branches of science, devoted to the study of societies and the relationships among individuals within those societies. The term was formerly used to refer to the field of sociology, the original "science of soc ...
, psychology
Psychology is the scientific study of mind and behavior. Psychology includes the study of conscious and unconscious phenomena, including feelings and thoughts. It is an academic discipline of immense scope, crossing the boundaries betwe ...
(such as designing a system to " fail well", instead of trying to eliminate all sources of error), and economics
Economics () is the social science that studies the Production (economics), production, distribution (economics), distribution, and Consumption (economics), consumption of goods and services.
Economics focuses on the behaviour and intera ...
as well as physics
Physics is the natural science that studies matter, its fundamental constituents, its motion and behavior through space and time, and the related entities of energy and force. "Physical science is that department of knowledge which r ...
, chemistry
Chemistry is the science, scientific study of the properties and behavior of matter. It is a natural science that covers the Chemical element, elements that make up matter to the chemical compound, compounds made of atoms, molecules and ions ...
, mathematics
Mathematics is an area of knowledge that includes the topics of numbers, formulas and related structures, shapes and the spaces in which they are contained, and quantities and their changes. These topics are represented in modern mathematics ...
, criminology architecture
Architecture is the art and technique of designing and building, as distinguished from the skills associated with construction. It is both the process and the product of sketching, conceiving, planning, designing, and constructing building ...
, and landscaping
Landscaping refers to any activity that modifies the visible features of an area of land, including the following:
# Living elements, such as flora or fauna; or what is commonly called gardening, the art and craft of growing plants with a goal o ...
.
Some of the techniques used, such as fault tree analysis
Fault tree analysis (FTA) is a type of failure analysis in which an undesired state of a system is examined. This analysis method is mainly used in safety engineering and reliability engineering to understand how systems can fail, to identify t ...
, are derived from safety engineering
Safety engineering is an engineering discipline which assures that engineered systems provide acceptable levels of safety. It is strongly related to industrial engineering/systems engineering, and the subset system safety engineering. Safety en ...
.
Other techniques such as cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
were previously restricted to military applications. One of the pioneers of establishing security engineering as a formal field of study is Ross Anderson.
Qualifications
No single qualification exists to become a security engineer. However, an undergraduate and/or graduate degree, often incomputer science
Computer science is the study of computation, automation, and information. Computer science spans theoretical disciplines (such as algorithms, theory of computation, information theory, and automation) to Applied science, practical discipli ...
, computer engineering
Computer engineering (CoE or CpE) is a branch of electrical engineering and computer science that integrates several fields of computer science and electronic engineering required to develop computer hardware and software. Computer engineers ...
, or physical protection focused degrees such as Security Science, in combination with practical work experience (systems, network engineering, software development
Software development is the process of conceiving, specifying, designing, programming, documenting, testing, and bug fixing involved in creating and maintaining applications, frameworks, or other software components. Software development invol ...
, physical protection system modelling etc.) most qualifies an individual to succeed in the field. Other degree qualifications with a security focus exist. Multiple certifications, such as the Certified Information Systems Security Professional
CISSP (Certified Information Systems Security Professional) is an independent information security certification granted by the International Information System Security Certification Consortium, also known as (ISC)².
As of January, 2022 there ...
, or Certified Physical Security Professional are available that may demonstrate expertise in the field. Regardless of the qualification, the course must include a knowledge base to diagnose the security system drivers, security theory and principles including defense in depth, protection in depth, situational crime prevention and crime prevention through environmental design to set the protection strategy (professional inference), and technical knowledge including physics and mathematics to design and commission the engineering treatment solution. A security engineer can also benefit from having knowledge in cyber security and information security. Any previous work experience related to privacy and computer science is also valued.
All of this knowledge must be braced by professional attributes including strong communication skills and high levels of literacy for engineering report writing. Security engineering also goes by the label Security Science.
Related-fields
*Information security
Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
:*See esp. Computer security
Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...
:*protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption to access.
* Physical security
Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physica ...
:*deter attackers from accessing a facility, resource, or information stored on physical media.
* Technical surveillance counter-measures
Countersurveillance refers to measures that are usually undertaken by the public to prevent surveillance, including covert surveillance. Countersurveillance may include electronic methods such as technical surveillance counter-measures, which is ...
* Economics of security
The economics of information security addresses the economic aspects of privacy and computer security. Economics of information security includes models of the strictly rational “homo economicus” as well as behavioral economics. Economics of se ...
:*the economic aspects of economics of privacy and computer security.
Methodologies
Technological advances, principally in the field ofcomputer
A computer is a machine that can be programmed to Execution (computing), carry out sequences of arithmetic or logical operations (computation) automatically. Modern digital electronic computers can perform generic sets of operations known as C ...
s, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers not only need consider the mathematical and physical properties of systems; they also need to consider attacks on the people who use and form parts of those systems using social engineering attacks. Secure systems have to resist not only technical attacks, but also coercion
Coercion () is compelling a party to act in an involuntary manner by the use of threats, including threats to use force against a party. It involves a set of forceful actions which violate the free will of an individual in order to induce a desi ...
, fraud
In law, fraud is intentional deception to secure unfair or unlawful gain, or to deprive a victim of a legal right. Fraud can violate civil law (e.g., a fraud victim may sue the fraud perpetrator to avoid the fraud or recover monetary compens ...
, and deception
Deception or falsehood is an act or statement that misleads, hides the truth, or promotes a belief, concept, or idea that is not true. It is often done for personal gain or advantage. Deception can involve dissimulation, propaganda and sleight o ...
by confidence trickster
A confidence trick is an attempt to defraud a person or group after first gaining their trust. Confidence tricks exploit victims using their credulity, naïveté, compassion, vanity, confidence, irresponsibility, and greed. Researchers have def ...
s.
Web applications
According to the ''Microsoft
Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
Developer Network'' the patterns and practices of security engineering consist of the following activities:
* Security Objectives
* Security Design Guidelines
* Security Modeling
* Security Architecture and Design Review
* Security Code Review
* Security Testing
* Security Tuning
* Security Deployment Review
These activities are designed to help meet security objectives in the software life cycle
A software release life cycle is the sum of the stages of development and maturity for a piece of computer software ranging from its initial development to its eventual release, and including updated versions of the released version to help impro ...
.
Physical
* Understanding of a ''typical'' threat and the usual risks to people and property.
* Understanding the incentives created both by the threat and the countermeasures.
* Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
* Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
* Overview of common physical and technological methods of protection and understanding their roles in deterrence
Deterrence may refer to:
* Deterrence theory, a theory of war, especially regarding nuclear weapons
* Deterrence (penology), a theory of justice
* Deterrence (psychology)
Deterrence in relation to criminal offending is the idea or theory that t ...
, detection and mitigation.
* Determining and prioritizing security needs and aligning them with the perceived threats and the available budget.Product
Product security engineering is security engineering applied specifically to the products that an organization creates, distributes, and/or sells. Product security engineering is distinct from corporate/enterprise security, which focuses on securing corporate networks and systems that an organization uses to conduct business. Product security includes security engineering applied to: * Hardware devices such as cell phones, computers,Internet of things
The Internet of things (IoT) describes physical objects (or groups of such objects) with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other comm ...
devices, and cameras.
* Software such as operating systems, applications, and firmware.
Such security engineers are often employed in separate teams from corporate security teams and work closely with product engineering teams.
Target hardening
Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorized persons. Methods include placingJersey barrier
A Jersey barrier, Jersey wall, or Jersey bump is a modular concrete or plastic barrier employed to separate lanes of traffic. It is designed to minimize vehicle damage in cases of incidental contact while still preventing vehicle crossovers resu ...
s, stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car and truck bombing
A car bomb, bus bomb, lorry bomb, or truck bomb, also known as a vehicle-borne improvised explosive device (VBIED), is an improvised explosive device designed to be detonated in an automobile or other vehicles.
Car bombs can be roughly divided ...
s. Improving the method of visitor management and some new electronic locks
Lock(s) may refer to:
Common meanings
*Lock and key, a mechanical device used to secure items of importance
*Lock (water navigation), a device for boats to transit between different levels of water, as in a canal
Arts and entertainment
* ''Lock ...
take advantage of technologies such as fingerprint
A fingerprint is an impression left by the friction ridges of a human finger. The recovery of partial fingerprints from a crime scene is an important method of forensic science. Moisture and grease on a finger result in fingerprints on surfac ...
scanning, iris or retinal scan
A retinal scan is a biometric technique that uses unique patterns on a person's retina blood vessels. It is not to be confused with other ocular-based technologies: iris recognition, commonly called an "iris scan", and eye vein verification that ...
ning, and voiceprint identification to authenticate users.
See also
Computer-related *Authentication
Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
* Cryptanalysis
Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic sec ...
* Data remanence
Data remanence is the residual representation of digital data that remains even after attempts have been made to remove or erase the data. This residue may result from data being left intact by a nominal file deletion operation, by reformatting o ...
* Defensive programming
Defensive programming is a form of defensive design intended to develop programs that are capable of detecting potential security abnormalities and make predetermined responses. It ensures the continuing function of a piece of software under unf ...
(secure coding)
* Earthquake engineering
* Economics of security
The economics of information security addresses the economic aspects of privacy and computer security. Economics of information security includes models of the strictly rational “homo economicus” as well as behavioral economics. Economics of se ...
* Engineering Product Lifecycle
* Explosion protection
Explosion protection is used to protect all sorts of buildings and civil engineering infrastructure against internal and external explosions or deflagrations. It was widely believed until recently that a building subject to an explosive attack had ...
* Password policy
A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part o ...
* Secure coding
Secure coding is the practice of developing computer software in such a way that guards against the accidental introduction of security vulnerabilities. Defects, Software bug, bugs and logic flaws are consistently the primary cause of commonly ...
* Security hacker
A security hacker is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge ...
* Security pattern Security patterns can be applied to achieve goals in the area of security. All of the classical design patterns have different instantiations to fulfill some information security goal: such as confidentiality, integrity, and availability. Additional ...
* Security Requirements Analysis
* Security testing
Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing ...
* Software cracking
Software cracking (known as "breaking" mostly in the 1980s) is the modification of software to remove or disable features which are considered undesirable by the person cracking the software (software cracker), especially copy protection featur ...
* Software security assurance
* Systems engineering
Systems engineering is an interdisciplinary field of engineering and engineering management that focuses on how to design, integrate, and manage complex systems over their enterprise life cycle, life cycles. At its core, systems engineering util ...
* Trusted system In the security engineering subspecialty of computer science, a trusted system is one that is relied upon to a specified extent to enforce a specified security policy. This is equivalent to saying that a trusted system is one whose failure would b ...
Physical
* Access control
In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of ''accessing'' may mean consuming ...
* Authorization
Authorization or authorisation (see spelling differences) is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular. More for ...
* Critical infrastructure protection
Critical infrastructure protection (CIP) is a concept that relates to the preparedness and response to serious incidents that involve the critical infrastructure of a region or nation.
The American Presidential directive PDD-63 of May 1998 set up ...
* Environmental design
Environmental design is the process of addressing surrounding environmental parameters when devising plans, programs, policies, buildings, or products. It seeks to create spaces that will enhance the natural, social, cultural and physical environm ...
(esp. CPTED
Crime prevention through environmental design (CPTED) is an agenda for manipulating the built environment to create safer neighborhoods.
It originated in America around 1960, when urban renewal strategies were felt to be destroying the social fram ...
)
* Mantrap
* Physical security
Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physica ...
* Secrecy
Secrecy is the practice of hiding information from certain individuals or groups who do not have the "need to know", perhaps while sharing it with other individuals. That which is kept hidden is known as the secret.
Secrecy is often controvers ...
* Secure cryptoprocessor
A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike crypt ...
* Security through obscurity
Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component.
History
An early opponent of security through ob ...
Misc. Topics
* Full disclosure (computer security)
In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is sh ...
* Security awareness
Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization. Many organizations require formal security awareness trainin ...
* Security community image:UStankParis-edit1.jpg, 200px, Despite a long record of armed conflicts between Germany and France, the European security community has made war between these two less likely.
A security community is a region in which a large-scale use of viol ...
* Steganography
Steganography ( ) is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection. In computing/electronic contexts, a computer file, ...
* Kerckhoffs's principle
Kerckhoffs's principle (also called Kerckhoffs's desideratum, assumption, axiom, doctrine or law) of cryptography was stated by Dutch-born cryptographer Auguste Kerckhoffs in the 19th century. The principle holds that a cryptosystem should be s ...
References
Further reading
* * * * * * *Articles and papers
patterns & practices Security Engineering on Channel9
patterns & practices Security Engineering on MSDN
patterns & practices Security Engineering Explained
Basic Target Hardening
from the Government of South Australia {{DEFAULTSORT:Security Engineering