copyright © oracle corporation, 2001. all rights reserved. security assurance: the times they are a...
TRANSCRIPT
Copyright © Oracle Corporation, 2001. All rights reserved.
Security Assurance: The Times They Are A ’
Mary Ann Davidson
Chief Security Officer
Oracle Corporation
Leading by Example: The Case for IT Security in
Academia
1-2
Agenda
• Why Information Security Matters
• Academic Agenda: What You Should Be Teaching
– Ethics
– Economics of Security
– Social Implications of Security
• Computer Science is not a Profession – But Should Be
• Security Begins at Home: Your University
1-3
Why Information Security Matters(Laymen’s Version)
• Vast explosion in amount of data collected and stored electronically
– … more interconnected and more available than ever before
• Computer security is a business issue that affects everyone
– All critical infrastructure has an IT backbone
– Attackers need only find one hole; defenders must close or defend all holes
• No privacy without security
– Amount of data collectible on line is extraordinary
• Explosion in cost of bad security (worms, viruses, etc.)
– NIST: “Inadequate” software costs vendors and users between $22.2B and $59.5B annually
1-4
“A few lines of code can wreak more havoc than a bomb.”
- Tom RidgeSecretary of the U.S. Department of
Homeland Security
Why Information Security Matters (2)
1-5
Agenda
• Why Information Security Matters
• Academic Agenda: What You Should Be Teaching
– Ethics
– Economics of Security
– Social Implications of Security
• Computer Science is not a Profession – But Should Be
• Security Begins at Home: Your University
1-6
Ethics
• “It’s too late, Emily” - teaching remedial ethics
• Tales from the front lines of security
• The Story of SQL Slammer
• “Insider information” on security bugs (1)
• “Insider information” on security bugs (2)
• Blackmail for fun and profit
• Lessons learned
• Trust is neither established nor enforceable by contract
• Intellectual chest thumping does not justify digital destruction
• With knowledge comes responsibility
• Only bad guys hire black hats
1-7
Economics of Security
• Security is a business issue and requires economic justification
– Corollary: Nobody cares about “cool technology” unless it solves a useful problem, at a reasonable cost
• Most computer programmers have no concept of business
– Who will use this <feature, product, code, service>?
– What problem does it solve?
– How can you make money on it?
– Is the cost of the solution more attractive than other alternatives?
– What else could you be doing with the same resource?
1-8
Economics of Security (2)
• Many economic principles can be and should be applied to computer security
– Social costs – who pays for “bad code?”
– Cost avoidance – build it right the first time
– Expected value – e.g, customer cost of missing a patch and getting whacked with a worm
– Return on investment – better security, lower cost
• Examples
– Cost to deploy an intrusion detection system
– Single sign-on
– Patching costs
1-9
Social Implications of Technology (1)
• Computer security has interesting social implications
– Should we be allowed to keep secrets – even from law enforcement?
– Data aggregation/profiling
– Who owns information about you
– Private industry has better information about you than the government does
1-10
Social Implications of Technology
• Law of Conservation of Data
– Data, once collected, is never destroyed
• Law of Unintended Data Usage
– The tendency to use data collected for one purpose, for another purpose, is irresistable
• Laws of Technical Indifference
– Most people will gladly sell both privacy and security for convenience
– Technology is nothing; implementation is everything
• Examples
– Locators: RFID, Smart Tolls/Smart Tags
– Biometrics
– Electronic voting equipment
1-11
What You Can Do
• Institute a computer code of conduct covering
– Plagiarism
– Hacking
– Snooping
– Piracy
– File sharing
• …and enforce it (Zero Tolerance)
• Expose students to real world of IT
• Foster well-rounded nerds
– e.g. Humanities Division at SEAS, University of Virginia
• …and nerdy liberal arts majors
– Technology is too important to be left to technical experts
1-12
Agenda
• Why Information Security Matters
• Academic Agenda: What You Should Be Teaching
– Ethics
– Economics of Security
– Social Implications of Security
• Computer Science is not a Profession – But Should Be
• Security Begins at Home: Your University
1-13
If Civil Engineers Built Bridges Like Developers Write Code…
• “Structural integrity is a legacy problem. It’s not really interesting. Or elegant.”
• “We can add some rebar later, so what if the concrete has set?”
• “Sorry about the unsuitable soil condition, but we can’t let anything affect the critical path…”
• “The bridge has crumbled? Sorry, I can’t reproduce that problem here.”
• “But it wasn’t designed to have so many trucks on it.”
IT means “infrastructure technology”: it has to be designed and built to be as reliable and secure
as physical infrastructure.
1-14
What Civil Engineers Know
• Live and die by the critical path
• You can’t “add structure” after the ribbon is cut
• “Unforeseen site conditions” may bankrupt you
• Good workmen are nothing without excellent construction management
• You are accountable for the safety and reliability of the building
• Complexity of design is no excuse for crappy construction
1-15
Why Computer Science is not a Profession
• Computer science
– Focus on “cool technology” and latest programming languages
– Do not plan for failure/fail safe behavior, nor do they think like hackers
– No requirement to demonstrate proficiency in safe, secure programming as condition of matriculation
– No accredited degree program?
– Not licensed (or liable) to work in profession
– Think rules/process/standards “stifle creativity”
1-16
Why Engineering is a Profession
• Engineering
– Focus on safety, reliability
– Learn to think of how something can fail
– Core curriculum (structures, statics, dynamics, etc.)
– Accredited degree programs
– Licensed (and liable) to work in profession
– Know creativity is rightly bounded by physics, location, form, function, safety factor, cost…
1-17
The Point
• Computer security is first, and foremost, a cultural issue
– Security cannot be bolted on
– Security must be built in
– Security must ultimately be a red button issue, just as structural safety is
– You need to think like a hacker to be able to defend your digital turf
• Universities have a key role to play in this cultural transformation
1-18
"A nation, as a society, forms a moral person, and every member of it is personally responsible
for his society.“
-Thomas Jefferson (in letter to George Hammond, 1792)
1-19
Agenda
• Why Information Security Matters
• Academic Agenda: What You Should Be Teaching
– Ethics
– Economics of Security
– Social Implications of Security
• Computer Science is not a Profession – But Should Be
• Security Begins at Home: Your University
1-20
Defending Your Academic Turf
• Lots of computing resources that could become a hacker’s playground
– DOS attacks, KNARKed OSs, bots, zombies, Trojans, etc.
• Valuable intellectual property
– Research
• Attractive nuisances/temptations/targets
– SSNs (quit using them for identifiers!)
– Unused machines (file sharing!)
– Poorly defending machines (change those grades..)
1-21
Does Your University…
• Have published security policies?
• Have an acceptable use policy?
• Conduct routine security audits?
• Align with ISO 17799?
• Have a CSO or CISO with adequate authority?
• Conduct routine pen.tests/ethical hacking?
• Deploy defense in depth mechanisms?
• Conduct security awareness training?
• Review logs regularly?
1-22
Conclusions
• Academia has a critical role to play in securing cyberspace
• Lead by example: secure your own networks
• Help change (sometimes) ignorant/arrogant CS majors into responsible “computer engineers”
• Help non-techies to become technically literate on issues of computer security and privacy