
It’s clear that the cybersecurity industry hasn’t been able to agree upon what cybersecurity is and isn’t. Even NIST, which is responsible for the definition of technical terms used by the U.S. Federal Government, has four different definitions of cybersecurity! At a minimum, there are dozens of different definitions of cybersecurity currently in use. Nearly all are incomplete in scope, some are horridly wrong, and nearly all fail to differentiate between cybersecurity and its information security cousin.


Background

If you look up the definition of “cybersecurity,” most of the answers you get are laughable. Most appear to be written by some “expert” with no actual concept of what cybersecurity is. Nearly all of those definitions sound as though they were written by an academic pontificating what he thinks cybersecurity theoretically should be, without himself ever having done any actual hands-on cybersecurity engineering.


Until July 2019, the sole “official” definition of cybersecurity (as defined by NIST) was: “The ability to protect or defend the use of cyberspace from cyber attacks.” Hyper-informative, wasn’t it? It’s about like telling a man who’s never seen a donut that, “A donut is a pastry shaped like a donut torus.” [See note 1.]


Then, just when you think it can’t get worse, it does. Now NIST can’t even agree within itself what cybersecurity is! It now has four different definitions of cybersecurity! None of them tell you anything particularly useful about cybersecurity. Those definitions of cybersecurity are: [2]


  • Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
  • The ability to protect or defend the use of cyberspace from cyber attacks.
  • The process of protecting information by preventing, detecting, and responding to attacks.
  • The prevention of damage to, unauthorized use of, exploitation of, and — if needed — the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems.

If you search online for a definition of cybersecurity, most definitions are just as bad as, if not worse than, the definitions NIST provides. Here are some examples:


  • Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. [3]
  • The art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information. [4]
  • May also be referred to as information technology security. [5]
  • The preventative techniques used to protect the integrity of networks, programs and data from attack, damage, or unauthorized access. [6]
  • The practice of protecting systems, networks, and programs from digital attacks. [7]
  • The protection of information assets by addressing threats to information processed, stored, and transported by internetworked information systems. [14]

Notice the pattern? The definitions all talk about defending computers, networks, and data. That isn’t what cybersecurity is. That’s what information security is! Plus, the scope is strictly digital in many cases. Clearly, whoever wrote those definitions has no experience with industrial controls security, where even analogue devices can be at risk of attack. [8]


We have two problems here. First, we have failed to adequately or accurately define what cybersecurity is. Worse, we are trying to somehow shoehorn cybersecurity into being either the same as information security or some subset of information security. It isn’t, and I’ll go into detail why in a minute.


So, if we can’t even agree upon what cybersecurity is, how can we possibly expect to create reasonably secure systems and products that depend upon an in-depth understanding of cybersecurity?


Clearly, we can’t.


And, the problem is compounded by the mindset that the same tools and techniques used for information security are applicable to cybersecurity. Yes, most information security tools and techniques can be applied to cybersecurity, but cybersecurity requires tools and techniques which go far beyond those of information security.


How can we expect to secure our systems when we are using the wrong tools? Or, at best, an incomplete set of tools?


Again, clearly, we can’t.


In my professional opinion, the root of the problem we’re facing is that too many “cybersecurity experts” began their careers as “information security experts” and have never had actual hands-on cybersecurity experience beyond applying partial aspects of cybersecurity to information systems. Thus, we are left with information-centric definitions of cybersecurity, where the “experts” have tried to mold cybersecurity into the shape of information security.


Well, it’s time to break that mold!


Let’s get started with a few definitions.


Definitions

First, let’s define security: Security is the protection of assets from threats.


That’s fairly clear, but let’s dissect it to ensure the subtleties are covered:


  • Assets are anything tangible or intangible that has value. In the context of security, usage of the word “asset” usually refers to a “protected asset.”

  • Protected Assets are any asset protected by a security service. Examples of protected assets could include: data or information (electronic or physical), network and computing infrastructure, software, products and associated intellectual property, people (employees, customers, vendors), real estate and personal property, and utilities and other critical infrastructure. That is, anything of value is a potential protected asset.

  • Security Services are any threat reduction capability provided by security. There are five generally recognized security services: Confidentiality, Integrity, Availability, Authenticity, and Access-Control. (See the blog post, What Are The Fundamental Services Provided By Security? Hint: CIA Is Not The Answer for additional details.)

  • Threats are anything with the potential to cause harm. For example, the potential for an attack to occur. Threats can be either intentional (e.g., sabotage) or accidental (e.g., aircraft bird strike), and they can be either man-made events (e.g., human errors, cyber attacks, power failures, and network outages) or natural events (e.g., fires, floods, earthquakes, hurricanes, and tornados). Also, see security threats, below.

  • Attacks are any action taken against an asset with the intention of causing harm.

  • Security Threats are anything that may cause harm to a protected asset and/or associated entities. For example, whereas a security threat that discloses personally identifiable information would most likely inflict minimal harm to the asset that held the disclosed information, the disclosure itself could do considerable harm to both the organization’s brand and to the individuals whose information was disclosed. There are seven generally recognized categories of security threats: Denial of Access, Forgery, Spoofing, Repudiation, Unauthorized Access, Unauthorized Disclosure, and Unauthorized Modification (see the blog post referenced under Security Services for more details).

  • Entities, in the context of security, are anything that attempts to use a protected asset. An entity can be a person, software, robot, or anything else that attempts to use a protected asset.

Okay, I lied: That definition has a lot of subtlety buried within it. Hopefully, the definition of security now has a deeper meaning for you.


So, that’s the definition of the mission of security across all of the organization’s security domains. In most organizations, there should be three top-level security domains:


  • Corporate Security
  • Information Security
  • Cyber Security

Now, let’s define each of those security domains.


Corporate Security

Corporate Security is those aspects of an organization’s security not directly related to technology.


That is, in general, corporate security is those aspects of security that pre-date technology or technological security solutions, or are unrelated to technology. Falling under the corporate security domain would be aspects of security related to employee services, safety, environmental services, or facilities; or which are intellectual property, legal, or regulatory in nature. (This is not an all-inclusive list.)


In other words, much of what you would think of as an organization’s security before the advent of digital technologies falls into the corporate security domain.


Today, corporate security often makes extensive use of technology. But, corporate security’s technology is often not under the auspices of information security or cybersecurity. Without close collaboration between security groups, serious gaps in security defenses will occur.


Worse, there often isn’t a corporate security group in the organization. Instead, you often find aspects of corporate security dispersed among multiple (and often non-communicating) groups, such as human resources, facilities, safety, plant protection, legal, risk management, and environmental.


I plan to discuss corporate security in more detail in an upcoming blog post, Corporate Security: The Forgotten Security Domain.


Information Security

Information Security is the protection of information in any form and at all times.


That’s pretty much the classic paragraph-long definition of information security, summarized into one sentence.


Now, let’s dissect it to get a deeper understanding of what that means.


  • Security is the protection of assets from threats.

  • Protection is the rendering safe from harm. Protection is passive security. That is, security that does not offer a response to an attack. It is equivalent to putting a lock on a door to secure your house.

  • In any form means it includes both physical (e.g., printed documents) and electronic (e.g., files and databases) information.

  • At all times means the information must be protected, whether it is at rest (i.e., in storage), in use, or in motion (e.g., electronic information sent over a network, or a printed document transported by a courier).

Thus, we define information security as the protection of information. Note that we didn’t place any constraints upon the scope of protection. That is, if we have to protect computers and networks to protect information, then that would be within the scope of information security. But, keep in mind that the objective is the protection of information. Nothing more. Nothing less.


Cyber Security

We’ve already shown that there isn’t a commonly agreed-to definition for cybersecurity. Now, I’m going to propose a definition for cybersecurity which covers all aspects of cybersecurity — something which is lacking from other definitions — while providing a clear distinction from information security. [10]


Cybersecurity is the protection and defense of both analogue and digital electronic devices, their communications channels, and their processing-and-control logic and algorithms.


Now, let’s dissect that definition to get a deeper understanding of what it means and its ramifications.


  • Security is the protection of assets from threats.

  • Protection is the rendering safe from harm. Protection is passive security. That is, security that does not offer a response to an attack. It is equivalent to putting a lock on a door to secure your house.

  • Defense is an action taken to resist an attack. Defense is active security. This means that you have dynamic security with ever-changing defenses — which can include offensive actions to stop an attack. It is the equivalent of confronting an intruder in your house with a loaded weapon.

  • Digital Devices are any electronic device that uses discrete data and processes for all its operations. This clearly includes computers, cell phones and tablets, routers, switches, WiFi access points, and firewalls, but it also includes all other digitally networked devices, such as all IoT devices, VoIP telephones, digital security cameras, smart badge readers, etc.

  • Analogue Devices are any electronic device that uses continuous data and processes for all its operations. This would include landline telephones, fax machines, most nuclear reactor control systems, older radar systems, older industrial controls, some satellite and other space systems controls, and literally thousands of other devices. In industrial controls situations, analogue devices often serve as failsafe backups to digital controls.

  • Communications Channels are the means by which a device is connected to other devices. For analogue device communications, this could be a simple wire or wire-pair, coax cable, analogue radio, or similar technologies. For digital device communications, it would include any type of wired or wireless network. For digital to analogue device communications, it could include any of the previously mentioned means of analogue device communications used to communicate to an analogue interface in the digital device.

  • Processing Logic and Algorithms are the means by which a device accomplishes its designated purpose. For analogue devices, this is all done in hardware. For digital devices, this includes both hardware and software (microcode, firmware, operating systems, applications, etc.).

  • Control Logic and Algorithms are the means by which a device regulates its processing. For analogue devices, this is all done in hardware. For digital devices, this includes both hardware and software (microcode, firmware, operating systems, applications, etc.).

Now, let’s put the phrases together and detail the bigger picture.


  • “Is the protection and defense” is cybersecurity’s first significant difference from information security. Cybersecurity not only offers protection like information security, but it also offers defense. In other words, cybersecurity can take the offensive actions necessary to defend systems.

  • “Of both analogue and digital electronic devices” is the next significant difference from information security, as information security’s tools seldom address analogue devices. It is also different in that information security offers protection of non-electronic information (e.g., printed), whereas cybersecurity only deals with electronic devices and their data. [11]

    This definition means that protection and defense are also offered to the electronic devices (components) combined to construct a more complex electronic device. For example, protection and defense would be offered to CPUs, GPUs, FPGAs, ASICs, NICs, DACs, memory, controllers, and all the other various analogue and digital components that comprise a modern end-purpose electronic device, such as a smartphone or a computer. In other words,

    cybersecurity protects and defends any security-sensitive electronic device, be it analogue or digital, and be it an end-purpose device or a component of such a device.

  • “Their communications channels” is again a difference between cybersecurity and information security. Cybersecurity provides both protection and defense of the electronic communications channels themselves, both analogue and digital. Whereas, information security only provides for the protection of the information conveyed over those communications channels.

    Additionally, information security also provides for the protection of information communicated by non-electronic means (e.g., printed documents), which is outside the scope of cybersecurity.

  • “And their processing-and-control logic and algorithms” is the final difference between cybersecurity and information security. Cybersecurity offers protections to both hardware and software, and can take actions to defend both from attack. By contrast, information security only provides passive protection to information.

So, that is the definition of cybersecurity and an explanation of its scope.


To recap, cybersecurity provides security for all electronic technology, except for the information processed by such technology (information is protected by information security).


Or, another way to view the difference between information security and cybersecurity is that information security secures the information itself, and cybersecurity secures everything that creates, uses, processes, stores, or communicates that information.


Where Information Security Fails Us

In my blog introduction, I state that “trying to treat cybersecurity problems as though they are information security problems” is one of the fundamental mistakes we are making in security today. The lack of an understanding of the differences between information security and cybersecurity is the root cause of this problem.


As we have seen in the preceding definitions, information security is “data-centric,” and cybersecurity is “device-centric.” Trying to apply information security principles to “device security” creates two problems: First, you can’t adequately secure “hardware” using the same controls used to secure data; and second, there is nothing in information security that provides for an active defense.


Let’s look at some of the issues that the premises supporting information security fail to address. To do this, we’ll examine an example from product security.


The overwhelming insecurity of IoT products has filled the news recently. Why? Many would say that it’s a simple matter of companies trying to produce products on the cheap. However, I would argue that the issue is more likely the product’s designers’ failure to recognize the potential for security problems in their products.


I believe that fundamentally, such product failures are compounded by an incomplete view of security: a view driven by an information security focus. A focus that, for embedded systems products (such as IoT devices), is incomplete, at best. Why incomplete? Because most security issues with IoT devices are not information related. Rather the problems are with the devices themselves.


Let’s begin by listing some of the security questions that product designers should be asking, but are obviously not asking. And, with most product security practitioners coming from an information security background, those product security architects probably do not even know they should be asking these questions.


After all, why should they know better? Nothing they had learned in the scope of information security would indicate that these are issues with which to be concerned. The types of product security questions (that is, cybersecurity questions) which all product security architects should be asking include:


  • How do you prevent reverse engineering of the product?
  • How do you prevent tampering with the product?
  • How do you prevent the production of unlicensed clones of the product?
  • How do you prevent access to the hardware interfaces used for development debugging of the product?
  • How do you prevent access to the hardware interfaces used for manufacturing testing of the product?
  • How do you perform failsafe firmware updates of the product (such that a failed update does not brick the product)?
  • How do you prevent unauthorized modification of the product’s firmware?
  • How do you prevent your firmware from running on third-party devices?
  • How do you ensure the integrity of your supply chain?
  • How do you prevent unauthorized modification of the device itself?
  • How do you prevent misuse of the device from damaging the device itself (e.g., using a USB port on a device for other than its intended purpose, and drawing too much power)?
  • How do you prevent misuse of the device from creating a safety incident (e.g., using an aerosol can to create a vapor fog to trigger a motion detector to unlock a door)?
  • How can this device be abused by an attacker to cause harm?
  • How can we verify that our UI is always unambiguous to its intended audience?
  • How can we verify that our UX is always intuitive to its intended audience?
  • How can we verify that our UI creates neither security nor safety issues?
  • How can we verify that our ID creates neither security nor safety issues?

And this is just a very small sample of the questions that every product development organization should be asking, but which clearly is not happening.


Now, I can already hear the objections: “These are hardware engineering issues, not information security issues, and that’s why they’re not covered by information security.” Well, that’s half wrong and half right. Wrong, in that they are not hardware engineering issues; rather, they are hardware security issues. Right, in that they are not information security issues; rather, they are cybersecurity issues. [12]


These, and tens of thousands of other similar issues, are being left unaddressed during product development because information security doesn’t address these types of issues. Nor should it, as those issues are cybersecurity issues and not information security issues.


Nothing in an information security professional’s background or training would prepare them to even know that they should be asking the types of questions I posited. And, that’s what should be expected, because these are not information security issues and I would not expect an information security professional even to have half-a-clue that such problems exist. It’s for precisely this reason that cybersecurity exists and is different from information security.


The problem is really simple: Information security exists to protect information. Nothing in the fundamentals of information security was ever intended to secure anything other than information. Thus, we need to stop trying to use an information security mindset to secure “stuff” that isn’t information. We must recognize that cybersecurity’s scope is beyond that of information security, and thus apply cybersecurity principles to cybersecurity problems.


Defense

We also need to remember that cybersecurity allows for active measures to defend devices. There’s a reason that the military and intelligence agencies refer to their security operations as cybersecurity, and that’s because they take active countermeasures to attacks. You don’t do that when your objective is to secure information. In fact, that entire concept is anathema to the information security principles and mindset.


Cybersecurity defense is a big rabbit hole I don’t plan to explore further in this posting, other than to remind you that cybersecurity’s objective is the protection and defense of assets.


Summary

There is an old saying, “When the only tool you have is a hammer, everything looks like a nail.” With no real cybersecurity experience, too many information security experts are trying to hammer cybersecurity into becoming an information security nail. We need to reset the thinking of those information security professionals and teach them that cybersecurity is more like a bolt than a nail, and that you use a wrench, not a hammer, when installing or removing a bolt.


Now, a quick review…


In most organizations, there are three security domains with which the organization must be concerned:


  • Corporate Security, which protects (and sometimes defends) people; and real, corporate, and intellectual property.

  • Information Security, which protects information (data).

  • Cybersecurity, which protects and defends: hardware, communications, and software.

The diagram below illustrates those relationships among the organization’s security domains.


Security Domain Relationships

We established the following definitions in support of those security domains:


  • Security is the protection of assets from threats.

  • Corporate Security is those aspects of an organization’s security not directly related to technology.

  • Information Security is the protection of information in any form and at all times.

  • Cybersecurity is the protection and defense of both analogue and digital electronic devices, their communications channels, and their processing-and-control logic and algorithms.

Trying to treat cybersecurity problems as though they are information security problems is one of the fundamental mistakes we are making in security today. We have to remember that information security is “data-centric,” and cybersecurity is “device-centric.” Trying to apply information security principles to “device security” creates two problems:

试图将网络安全问题视为信息安全问题,这是我们当今在安全方面犯的基本错误之一。 我们必须记住,信息安全是“以数据为中心”,而网络安全是“以设备为中心”。 尝试将信息安全主体应用于“设备安全”会产生两个问题:

  1. You cannot adequately secure “hardware” using the same controls used to secure data, and

  2. There is nothing in information security that provides for active defense.

If you search the Internet, you will find that many so-called “information security experts” claim that cybersecurity is a subset of information security. But, compared to information security, cybersecurity has a substantially broader scope, addresses a more complex set of security threats, and offers active defenses not provided by information security.

If anything, we should view information security as a subset of cybersecurity. However, that’s not accurate either, as what those two domains are attempting to secure is different — data vs. hardware, software, and communications. Some overlap between the two is unavoidable, but at the most fundamental levels, they are attempting to solve different problems. [13]

Thus, we need clear, concise, unambiguous definitions of both cybersecurity and information security.

Hopefully, you will find the definitions provided here meet those criteria.

So, don’t let alleged information security experts try to tell you what is and is not cybersecurity! Those so-called “information security experts” are precisely that, and nothing more, because they clearly do not understand cybersecurity!

Please leave cybersecurity to actual cybersecurity practitioners.

Thank you!

Notes:

  1. NIST IR 7298 Rev. 2. Glossary of Key Information Security Terms (Withdrawn, July 3, 2019).

  2. NIST IR 7298 Rev. 3. Glossary of Key Information Security Terms: Cybersecurity (April 11, 2020)

  3. Merriam-Webster Online Dictionary: Cybersecurity (April 11, 2020)

  4. US-CERT: Security Tip (ST04–001) What is Cybersecurity? (April 11, 2020) Note also that they consider cybersecurity to be an “art” instead of an engineering activity! No wonder we have so many security issues if the organization responsible for advising on cybersecurity incident response can’t even get it right.

  5. DigitalGuardian: What is Cyber Security? (April 11, 2020)

  6. Palo Alto Networks: What is Cybersecurity? (April 11, 2020)

  7. Cisco Systems: What Is Cybersecurity? (April 11, 2020)

  8. Two points on this paragraph. First, in reality, many of those definitions are not pure information security definitions, as they are overlaps of both information security and cybersecurity. However, cybersecurity does not protect data, so they are not correct cybersecurity definitions, either, when they claim in their definition to protect data.

     Second, the scope of analogue systems is actually much broader. I won’t even pretend to be able to list all the industries which are dependent upon analogue systems that are susceptible to attack. But, at a minimum, that list would include: any automated manufacturer, aerospace and defense, utilities, environmental and medical.

  9. This is the security definition of a threat. In risk calculations, a threat is the frequency of potentially adverse events.

  10. Just for clarity, there is no difference between “Cyber Security” and “Cybersecurity.” The former is the older way of writing the term, and the latter is the currently preferred manner. I use the older style when I seek to emphasize that “Cyber” is one of a family of security domains within an organization.

  11. A more accurate statement may be that “information security’s tools do not address analogue devices,” as I can’t think of any that would apply to the analogue world. But, I was playing it safe by saying “seldom,” in the likely case that “never” could be used as an argument to discredit my premise.

  12. Yes, not all of these are “hardware engineering” issues, per se. Some of them are UI/UX and ID engineering issues. But, all are cybersecurity issues.

  13. In a complete view of security, we should point out that “Corporate Security” also overlaps with both cybersecurity and information security. Worse, corporate security often deploys technologies that should come under the purview of information security and/or cybersecurity, but frequently do not for historical and political reasons, creating security gaps and organizational-level vulnerabilities.

  14. ISACA Glossary: Cybersecurity. (April 18, 2020)

Please check out my Blog Introduction and Index to find other postings about what we are doing wrong in security and how we need to fix it.

Translated from: https://medium.com/swlh/defining-cybersecurity-44cf1b1d6ae0
