1.1 Secure Information Systems

First, what is a secure information system? Simply put, security is the ability to identify and eliminate unsafe factors, and the need for security is a basic human need. Information systems consist of communication networks, computers, and various applications. In the broad sense, an information system is a complex man-machine system that can be divided into three parts: hardware (communication networks, security equipment and computers), software (support software and application software) and personnel (development, use, maintenance, and management).

Information security is the core problem of an information system. The main value of an information system lies not in the hardware and software resources that make it up, but in the information it carries, processes, and transmits. The academic community, however, has no uniform definition of information security. A general definition must address the needs of information assets, which include both information and physical devices (such as computer systems). Information security has grown in importance with the development of human civilization, and today information security has become an issue of public welfare.

The three basic properties of information security are confidentiality, integrity, and availability. However, there is no mathematical model for them, so they cannot be proved theoretically. Most research on information security has concentrated on confidentiality; this is in fact a bias, which arose because the demand for information security came mainly from the military. Today, integrity has become increasingly important. With the development of the Internet and e-commerce, a requirement for non-repudiation emerged. In the 1990s, controllability was also proposed. Confidentiality, integrity, availability, non-repudiation, and controllability thus constitute the five basic properties of information security.
1.2 A Secure Information System Does Not Exist

The author believes that a secure information system does not exist. An absolutely secure information system exists neither in practical applications nor in theory. Any real-world system is a chain of complex links, and complexity is the worst enemy of security. Security measures must permeate every part of the system, including its individual components and the interconnections between them, some of which are unknown even to the system's designers, implementers and users. Unsafe factors therefore always exist, and no system is perfect. No technology is a panacea, because the security of a product is not the same as the security of the system. Moreover, any security technology is validated only by humans themselves.

On the other hand, although an information system is unlikely to achieve absolute security, we can use a variety of security technologies to guarantee a certain level of security, so that the system is secure with respect to normal use and some incidents. This problem can be viewed from two different angles.

1.2.1 From the Concept

First, the concept of information security has no boundary, and academia has no recognized definition of information security. The basic theory of information security is not yet established (for example, the correctness of a program is difficult to prove).

Second, cryptography, the core technology of information security, offers no theoretical security, only computational security (for example, any public-key cryptographic algorithm based on a mathematical problem).

Third, information systems exist to serve applications, so there is no absolute security; an information system has a cost, and security measures that exceed that cost are meaningless.

Fourth, complexity is the greatest enemy of security. As a complex system, an information system is subject to the same rule.
That is, the security of the system depends on its weakest link.

Fifth, information security problems are not deterministic but random. The sources of threats change, and the occurrence of security events cannot be predicted. Probability runs through encryption technology, computer security, risk assessment and countermeasures; security risk is a probability, and security itself is also a probability.

Sixth, the security of an information system includes confidentiality, integrity, consistency, reliability, availability, and more, and real-world systems need to strike a reasonable compromise among them.

Seventh, current security technology only patches existing problems and does not resolve security issues at their root.
Most security problems are rooted in the traditional von Neumann architecture and the insecurity of existing operating systems. Trusted computing, which is currently being researched, has the secure terminal as its goal.

Eighth, there is a gap between security theory and security practice. Security theory has substantial theoretical support, but that support may be lost in practice. Theoretical security requires many ideal assumptions and conditions that are difficult to achieve in real applications, so there is a gap between the security of the two.

1.2.2 From the Information System

First, hardware vulnerability. The physical security of system hardware cannot be guaranteed. Earthquakes, fires and other natural disasters are unpredictable, and so are their consequences; electromagnetic radiation from hardware makes it possible for information in the system to leak. Hardware redundancy and (off-site) backup strategies reduce the probability of system problems, but cannot eliminate it. In addition, building an information system requires considering the cost that can be borne; hardware security schemes that exceed that cost have no practical value.

Second, software vulnerability. The security of information system software cannot be guaranteed. Software correctness is difficult to prove; formal verification can only improve software reliability. Even if each piece of software is secure, there is no guarantee that their combination is secure. System support software, such as the operating system, cannot be absolutely secure. The security of application software depends not only on the software's abstract model but also on its specific implementation. Even for theoretically correct software, it is difficult to prove that the code is as secure as the theory, because of the inherent flaws in mainstream programming languages. Defects and vulnerabilities in all kinds of applications are constantly being discovered.
No one can guarantee that a piece of software has no vulnerabilities.

Third, data vulnerability. Data in computers has its own characteristics. Data is easy to copy, and a copy can be identical to the source data. Data can be eavesdropped on or leaked through electromagnetic radiation, and deleted data may be recovered. If the format of the data is known, it is easy to modify the data and destroy its integrity. Malicious modification may make data unavailable.

Fourth, interaction vulnerability. An information system is a man-machine system, and people cannot avoid making mistakes. People have an initiative that hardware and software lack, but they also introduce more uncertainty and more possibilities for error. The developers of system software may introduce various vulnerabilities through negligence. System administrators may greatly reduce security through the way they configure the system. If staff make operating mistakes or do not follow the rules, all of an information system's protective measures may lose their intended effect. A hacker using social engineering to trick someone out of a system username and password is a typical example of this problem.

1.3 An Information System with Acceptable "Security"

Putting an information system into use means that risks exist. For example, if access to a computer or network is allowed, there is a risk of misuse. A popular saying holds that there is only relative security. This method makes the computer confidential and reduces security risks, but it also leaves the computer's availability and its hardware and software resources almost wasted, and makes it difficult to achieve the goal for which the system was established. For an information system, it is necessary to work from the top down: determine the system's security needs starting from its assets, analyze its security risks, and ultimately implement risk management.
Although no information system is absolutely secure, we can achieve relative security for information systems through various technical means, so that the security is sufficient for practical applications. The aim is not to try to build an invulnerable information system that cannot be built, but to build one that uses a variety of security measures to keep residual risk within an acceptable range. The systematic and reasonable use of information security technology is the key to bringing the security of information systems to a satisfactory level. Using unrealistic technical means has serious consequences: at best, it results in excessive investment in an impractical ultra-high-level protection system, wasting money and causing inconvenience; at worst, it produces false alarms that interfere with normal work while failing to detect real intrusions in time.
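
The risk-management approach of section 1.3, as an added example that is not part of the original text: measures are adopted only while they prevent more loss than they cost, and the residual risk is then compared with an acceptable level. All threat figures, control names and costs are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # yearly cost of the measure
    mitigates: str        # threat it addresses
    effectiveness: float  # fraction of that threat's likelihood removed

# Constructed figures: threat -> (annual likelihood, loss per incident).
THREATS = {
    "social_engineering": (0.60, 50_000),
    "hardware_failure": (0.10, 200_000),
    "em_radiation_leak": (0.001, 500_000),
}
CONTROLS = [  # hypothetical measures and costs
    Control("second_login_factor", 5_000, "social_engineering", 0.90),
    Control("offsite_backup", 3_000, "hardware_failure", 0.95),
    Control("shielded_room", 80_000, "em_radiation_leak", 0.99),
]

def annual_risk(threats):
    """Expected yearly loss: likelihood x impact summed over all threats."""
    return sum(p * loss for p, loss in threats.values())

def select_controls(threats, controls, acceptable):
    """Adopt measures, best net benefit first, until risk is acceptable.

    Returns (adopted names, residual risk, residual <= acceptable).
    """
    threats, remaining, adopted = dict(threats), list(controls), []

    def net_benefit(c):
        p, loss = threats[c.mitigates]
        return p * c.effectiveness * loss - c.annual_cost

    while remaining and annual_risk(threats) > acceptable:
        best = max(remaining, key=net_benefit)
        if net_benefit(best) <= 0:
            break  # the remaining measures cost more than the loss they prevent
        p, loss = threats[best.mitigates]
        threats[best.mitigates] = (p * (1 - best.effectiveness), loss)
        adopted.append(best.name)
        remaining.remove(best)
    residual = annual_risk(threats)
    return adopted, residual, residual <= acceptable

if __name__ == "__main__":
    print(select_controls(THREATS, CONTROLS, acceptable=6_000))
    print(select_controls(THREATS, CONTROLS, acceptable=0))  # "absolute" target
```

With an acceptable level of 6,000 the two inexpensive measures are enough and a residual risk of about 4,500 remains; demanding zero risk adopts nothing further, because the shielded room costs more than the loss it prevents.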