计算机安全防范方法(中英对照)

   
　　Computer crime is certain to continue．The goal of computer security is to institute controls that preserve secrecy，integrity，and availability．Sometimes these controls are able to prevent attacks；other less powerful methods can only detect a breach as or after it oclearcase/" target="_blank" >ccurs．
　　In this section we will survey the controls that attempt to prevent exploitation of the vulnerabilities of computing systems．
   
1．Encryption
   
　　The most powerful tool in providing computer security is coding．By transforming data so that it is unintelligible to the outside observer，the value of an interception and the possibility of a modification or a fabrication are almost nullified．
    Encryption provides secrecy for data．Additionally，encryption can be used to achieve integrity，since data that cannot be read generally also cannot be changed．Furthermore，encryption is important in protocols，which are agreed-upon sequences of actions to accomplish some task．Some protocols ensure availability of resources．Thus，encryption is at the heart of methods for ensuring all three goals of computer security．
    Encryption is an important tool in computer security，but one should not overrate its importance．Users must understand that encryption does not solve all computer security problems．Furthermore，if encryption is not used properly，it can have no effect on security or can，in fact，degrade the performance of the entire system．Thus，it is important to know the situations in which encryption is useful and to use it effectively．
   
2．Software Controls
   
　　Programs themselves are the second link in computer security．Programs must be secure enough to exclude outside attack．They must also be developed and maintained so that one can be confident of the dependability of the programs．
    Program controls include the following kinds of things：
    •  Development controls，which are standards under which a program is designed，coded，tested，and maintained
    •   Operating system controls，which are limitations enforced by the operating system to protect each user from all other users
    •   Internal program controls that enforce security restrictions，such as access limitations in a database management program
    Software controls may use tools such as hardware components，encryption，or information gathering．Software controls generally affect users directly，and so they are often the first aspects of computer security that come to mind．Because they influence the way users interact with a computing system，software controls must be carefully designed．Ease of use and potency are often competing goals in the design of software controls．

3．Hardware Controls
   
　　Numerous hardware devices have been invented to assist in computer security．These devices range from hardware implementations of encryption to locks limiting access to theft protection to devices to verify users’identities．
 　1）Policies
    Some controls on computing systems are achieved through added hardware or software features，as described above．Other controls are matters of policy．In fact，some of the simplest controls，such as frequent changes of passwords，can be achieved at essentially no cost but with tremendous effect．
    Legal and ethical controls are an important part of computer security．The law is slow to evolve，and the technology involving computers has emerged suddenly．Although legal protection is necessary and desirable，it is not as dependable in this area as it would be in more well-understood and long-standing crimes[1]．
　　The area of computer ethics is likewise unclear，not that computer people are unethical，but rather that society in general and the computing community in particular have not adopted formal standards of ethical behavior．Some organizations are attempting to devise codes of ethics for computer professionals．Although these are important，before codes of ethics become widely accepted and therefore effective，the computing community and the general public need to understand what kinds of behavior are inappropriate and why．
　　2）Physical Controls
    Some of the easiest，most effective，and least expensive controls are physical controls．Physical controls include locks on doors，guards at entry points，backup copies of important software and data，and physical site planning that reduces the risk of natural disasters．Often the simple physical controls are overlooked while more sophisticated approaches are sought．
    3）Effectiveness of Controls
    Merely having controls does no good unless they are used properly．The next section contains a survey of some factors that affect the effectiveness of controls．
　　　Awareness of Problem
        People using controls must be convinced of the need for security；people will willingly cooperate with security requirements only if they understand why security is appropriate in each specific situation．Many users，however，are unaware of the need for security，especially in situations in which a group has recently undertaken a computing task that was previously performed by a central computing department[2]．
　　　Likelihood of Use
        Of course，no control is effective unless it is used．The lock on a computer room door does no good if people block the door open．During World War II code clerks used outdated codes because then had already learned them and could encode messages rapidly．Unfortunately，the opposite side had already broken some of those codes and could decode those messages easily．
    Principle of Effectiveness．Controls must be used to be effective．They must be efficient，easy to use，and appropriate．
    This principle implies that computer security controls must be efficient enough，in terms of time，memory space，human activity，or other resources used，so that using the control does not seriously affect the task being protected．Controls should be selective so that they do not exclude legitimate accesses．
   
4．Overlapping Controls
         
　　Several different controls may apply to one exposure．For example，security for a microcomputer application may be provided by a combination of controls on program access to the data，on physical access to the microcomputer and storage media，and even by file locking to control access to the processing programs[3]．This situation is shown in Fig. 18-3．

      
   
5．Periodic Review
       
　　Few controls are permanently effective．Just when the security specialist finds a way to secure assets against certain kinds of attacks，the opposition doubles its efforts in an effort to defeat the security mechanism．Thus，judging the effectiveness of a control is an ongoing task．

NOTES
[1]主句中前面一个it代表legal protection；as... as it...为同等比较。
[2]a group暗示many users。
[3]该长句实际上是一个简单句，只是方式状语有两个并列成分by a combination...和even by file...。

KEYWORDS
encryption     加密

EXERCISES
1．True / False．
（1）            The most powerful tool in providing computer security is coding．
（2）            Some less powerful methods of defense are able to prevent attacks．
（3）            Encrypted data is unintelligible to the outside observer．
（4）            We can’t overrate encryption’s importance．
（5）            Development controls are limitations by the operating system．
（6）            Access limitations in a data base management program are internal program controls．
（7）            Ease of use and potency are often cooperative goals in the design of sof-tware controls．
（8）            Policies in hardware controls are complex controls．
（9）            Legal protection is not as dependable in computing area．
（10）           The area of computer ethics is likewise unclear．
（11）           Control is effective unless it is used．
（12）           Overlapping controls combined several different controls to one expos-ure．

2．Fill in the blanks with appropriate words or phrases．
（1）The goal of computer security is to preserve             ．
（2）Methods of defense provided in this text include             ．
（3）Encryption can be used to achieve              of data．
（4）Some              ensure availability of resources．
（5）Types of abuse in computing systems include             ．
（6）             of programs must be confident in the development and maintenance of the programs．
（7）Tools used by software controls involve             ．
（8）Hardware controls include             ．
（9）The simplest control in policies is             ．
（10）Physical controls in computing systems include              of important software and data．
（11）Factors that affect the effectiveness of controls are             ．
（12）Principle of Effectiveness means that computer security controls must be efficient enough，in terms of             ．
　　　a．hardware components，encryption，or information gathering
　　　b．backup copies
　　　c．secrecy，integrity，and availability
　　　d．frequent changes of passwords
　　　e．confident
　　　f．integrity
　　　g．awareness of problem and likelihood of use
　　　h．encryption，software controls，hardware controls，overlapping controls and periodic review
　　　i．hardware，software and data
　　　j．time，memory space，human activity，or other resources used
　　　k．hardware implementations of encryption，locks limiting access to theft protection and devices to verify users’ identities
      l．protocols

答案：
1．
（1）t　　　（2）f  　（3）t  （4）t
（5）f  　　（6）t  　（7）f  （8）f
（9）t  　　（10）t  　（11）f  （12）t
2．
（1）c  　　（2）h  　（3）f  （4）1
（5）i  　　（6）e  　（7）a  （8）k
（9）d  　　（10）b  　（11）g  （12）j

翻译：

防范方法
   
　　计算机犯罪肯定还会继续发生。计算机安全防范的目的是对系统进行控制，以保证系统的安全性、完整性和可用性。有时这些控制措施可以防止攻击；另外一些不太有效的方法就只能在事件出现以后将之检测出来。
    本节将看到防止计算机系统脆弱性为人所利用的控制方法。
    1．加密
    保证计算机安全的最有效的工具是编码。将数据进行变换，使外界看起来都是无规律的，这样截获的数据就无用、修改或伪造的可能性都将化为乌有。
    加密用于数据保密。加密的数据一般不能读出，也不能更改，因而能保证数据的完整性。另外，加密在协议中也是重要的，因为协议是为完成某项任务而制定的一系列规定。某些协议保证了资源的可用性。因而加密是为达到3个计算机安全目标所使用的各种方法的核心。
    加密是计算机安全的重要工具，但有时也不能对它估计过高。用户应该知道加密并不能解决计算机所有的安全问题，甚至于如果加密使用不当，不但对安全没有作用，还会降低整个系统的性能。因而了解在什么情况下加密有用和有效是很重要的。
    2．软件控制
    程序本身是计算机安全中的第二个环节，程序必须足够安全以抵御外界攻击。程序的开发和维护必须能保证程序的可信度。
    程序控制包括以下几种。
 开发控制，指程序设计、编码、测试和维护的标准化行为；
 操作系统控制，限制由操作系统强制实施，以防止其他用户对某一用户的干扰；
 内部程序控制，强调安全限制，如对数据库管理程序的访问限制。
    软件控制要使用如硬件部件、加密或信息采集等工具。一般来讲，软件控制会直接影响用户，因而是计算机安全中首先要考虑的。因为软件控制直接影响了用户与计算机系统交互的方法，故必须认真设计。在进行软件控制设计时，容易使用和效能通常是相互矛盾的两个目标。
    3．硬件控制
    人们已经研制成了有助于计算机安全的大量硬设备，这些设备包括加密算法的硬件实现、防盗窃的限制访问加锁、验证用户身份的设备。
    1）策略
    对计算机系统的控制，有些是通过前面所叙述的增加硬件或软件功能来实现的，有些控制可以靠策略来解决。事实上．某些最简单的控制，如频繁更换口令，可以基本上不花钱而得到意想不到的效果。
    法律和伦理控制是计算机安全的重要部分。法律的变化是很慢的，而包括计算机在内的技术发展是很快的。尽管需要法律保护，也希望有法律保护，但在这一领域里的法律保护并不像在其他易于理解而又典型的案例中那样可信。
    计算机在伦理上同样是不清晰的。这并不是说计算机人员不讲伦理，而是一般说来，社会和实际的计算机界并不承认通常的道德行为标准。某些部门正试图发明用于计算机行业的伦理代码。虽然这些是很重要的，但在伦理代码被广泛接受和有效使用之前，计算机界和公共社会需要了解哪些行为是不适合的以及为什么。
    2）实际控制
    某些实际控制方法是最容易、最有效和最省钱的。实际控制包括加门锁、在入口处设警卫、重要软件和数据的后备复制以及为减少自然灾害风险所进行的场地设计。在寻求更先进的方法时，人们往往会忽略最简单的控制方法。
    3）控制的效用
    除非使用得当，否则有些控制并不很有效。下面介绍影响控制效用的一些因素。
 认识问题。
        　使用这些控制方法的人必须认识安全的必要性；人们只有懂得为什么在各种场合下都要考虑安全性时，他们才会按照安全的要求去做。然而，有很多用户没有认识到安全的重要性，特别是在某一部门现承担的计算任务以前都是由计算中心完成的情况下更是如此。
 使用的可能性。
        　当然，控制如果不使用是没有效果的。将计算机房门锁上并不是好办法，因为人们可以把门打开。第二次世界大战期间，编码员使用过时的代码，是由于他们已经学会了使用它们并且能很快地用之对电文编码。不幸的是敌方已经破译了某些代码并且能很容易地译出那些电文。
 有效性原理。
        　必须使用有效、高效的，容易使用而且恰如其分的控制。
    这一原理表明，在时间、存储空间、人的活动或其他所用的资源方面，控制计算机的安全必须足够高效，以使得使用控制手段时对所保护的工作影响并不严重。控制方法应该是有选择的，这样可以不排斥合法的计算机访问。
    4．重叠控制
    几种不同的控制方法可以共同应用到一个方向。例如，微机应用程序的安全可由对程序访问数据的控制和对计算机和存储媒体的实际访问控制的组合来提供，甚至由对处理程序的控制访问文件加锁来提供，这种状况如图18-3所示。
    5．定期评审
    控制方法很少是永久有效的。当安全专家刚刚找到了一种抵御某些攻击的方法时，对方又变本加厉地试图挫败这种安全机制。因此，判断一种控制的有效性是一个应持续进行的工作。

原文转自：http://www.ltesting.net