Security
Security is the discipline of using effective protection measures to safeguard important assets from abuse. In other words, "security" is about protecting important things. Protection involves not just mechanisms (such as locks and doors), but also proper selection and use of mechanisms. Properly applied, the various disciplines of information security really come down to risk management that is not fundamentally different from risk management in other situations such as finance and insurance.

In learning how to think constructively about managing risks, the following common sense vocabulary is often used:

Asset: something important that needs protection
Risk: likelihood of a threat leading to actual abuse
Cost (1): reduction in value of an abused asset
Cost (2): amount of resources required to use security measures to protect an asset
Benefit: the value of a security measure

It would be great if these terms - asset, value, threat, risk, cost, benefit - could be used scientifically, but when it comes to information systems, most of them are pretty squishy. Nevertheless, even a "best guess" is remarkably useful. If guesses about relative va
Each of these kinds of measures has its limits as well. In addition to examining security techniques (and how to use them as effective security measures), attention must be paid to their limits. In doing so, security measures can be used effectively in a way that makes sense in terms of budget and of risk management. Companies and people who are Internet-connected are not immune to the attacks and risks, some of which are described below.

But every measure, even the good tradeoffs where modest effort saves lots of effort that would otherwise be required, is part of a complex system where every change can have unexpected side effects. For example, it is easy to block NFS by blocking all Internet-based traffic using UDP (the transport protocol underlying NFS). This once was typical because of common security issues of all UDP-based protocols. However, some UDP-based protocols are permitted, especially ones with relatively well-defined (or tunable) port usage. Therefore, it may be acceptable to allow UDP packets, for example, on the port used by RealAudio.

On the other hand, a properly used firewall is a good tradeoff. For example, most firewalls will block some kinds of remote login functions of operating systems (e.g. implementations of "telnet"). They may or may not provide a more secure remote access mechanism, but they definitely block attempts from outside to telnet to inside computers. There may be hundreds of inside computers for which telnet would otherwise have to be disabled, and frequently audited. But with a simple firewall rule against telnet, it becomes much less critical to ensure that telnet is disabled everywhere.
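The two tradeoffs described above (drop UDP by default but permit one well-defined UDP port, and block inbound telnet at the perimeter rather than auditing every inside host) can be written down as a small packet-filter rule set. The script below is an added example, not part of the essay; it uses Linux iptables syntax, only prints the rules for review instead of loading them, and the default UDP port (7070) is an assumption standing in for whichever port the RealAudio deployment actually uses.

```shell
#!/bin/sh
# Added example (not from the essay): emit an iptables rule set expressing the
# two tradeoffs discussed in the text. The rules are printed, not applied, so
# they can be reviewed before loading. The UDP port number is an assumption.

# gen_rules <udp_port>  -- print the inbound rule set to stdout
gen_rules() {
    udp_port="$1"
    # Default stance for inbound traffic: drop, then permit only what is needed.
    echo "iptables -P INPUT DROP"
    # Explicit deny for telnet (TCP/23) comes first, so that no broader ACCEPT
    # added later can let it through. One perimeter rule covers every inside
    # host, which is why auditing telnet on each host becomes less critical.
    echo "iptables -A INPUT -p tcp --dport 23 -j DROP"
    # Loopback and replies to connections the inside initiated.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Permit the one UDP service whose port usage is well defined, then log and
    # drop all other UDP so the side effects of the blanket block stay visible.
    echo "iptables -A INPUT -p udp --dport $udp_port -j ACCEPT"
    echo "iptables -A INPUT -p udp -j LOG --log-prefix 'udp-blocked: '"
    echo "iptables -A INPUT -p udp -j DROP"
}

# rule_count <udp_port>  -- number of rule lines generated (for checking)
rule_count() {
    gen_rules "$1" | grep -c "^iptables"
}

# Stand-alone use: print the rule set for the given (or default) UDP port.
gen_rules "${1:-7070}"
```

Reviewing generated rules before loading them is the practical form of the essay's point that every change to a complex system can have side effects: the LOG rule for dropped UDP gives the operator the evidence needed to notice when a second UDP service quietly stops working.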
Approximate Word count = 4410
Approximate Pages = 18 (250 words per page double spaced)