Five Challenges of Computer Security
A Paper I wrote for American Military University, Criminal Justice Department
Introduction
After a recent lecture on information systems security I was asked, “What are the problems with computer security? Why is it so difficult to secure computers?” I answered that there aren’t any problems, only challenges; challenges which, once they come to light, they can be addressed and overcome. Ignorance is our enemy, so equip yourself with the knowledge and you can become victorious.
Design Flaws
Since the 1960s, the primary design of the computer has been centered around communication between computers and the sharing of information.[1] Resource sharing has a primary goal of making programs, equipment and, most of all, data available to users, regardless of their location. Initially, sharing data required a cumbersome process that had people physically moving magnetic tapes between data centers.[2] A process had to be developed to make this sharing easier.
The ARPANET Program was designed to help share resources and research data between centers.
“The objective of this program is two-fold: (1) To develop techniques and obtain experience on interconnecting computers in such a way that a very broad class of interactions are possible, and (2) To improve and increase computer research productivity through resources sharing.”[3]
As you can see, there was no objective with security in mind. This is the precursor to today’s Internet. The same Internet on which, every year, billions of dollars are spent.
ARPANET was concerned mostly with the network side of the picture, not so much with the operating system on the computer itself. In fact, the only non- classified computer operating systems that had security as one of its design goals was MULTICS (Multiplexed Information and Computing Service). It was developed in the mid 1960s by General Electric, Bell Labs and MIT and is now obsolete. Shortly after, in 1969, a new operating system called UNIX was developed. This operating system did not have security levels or passwords.[4] Outside of physical security, computer security didn’t really matter much to most people at that time.[5] This same UNIX, in various forms and versions, is still used today.
The 1990s brought with it a tremendous growth rate in technology and thrust computers into every aspect of life. There are millions of networks and computers connected together by wire or wirelessly around the world today. All are connected using the same basic premises that ARPANET used to connect people with data and equipment.
In early 2002, Microsoft stopped all production on what is now its Windows 2003 server and other products to change their philosophy on design to include security as a top priority. Bill Gates outlines Microsoft’s new security direction in an email that states, “When we face a choice between adding features and resolving security issues, we need to choose security.” This is significant in that Microsoft’s market share in 2001 for servers was 49% and its market share for client computer systems was 93%.[6]
In response to the growing need for security the Trusted Computing Platform Alliance was founded in 1997 by Compaq, HP, IBM, Intel and Microsoft. The mission of TCPA is “Through the collaboration of HW (hardware), SW (software), communications, and technology vendors, drive and implement TCPA specifications for an enhanced HW and OS (operating system) based trusted computing platform that implements trust into client, server, networking, and communication platforms.” – TCPA website.
This new security design direction will help correct the first fundamental security flaw with computers. Time will only tell if this will be adapted by all software and hardware developers, network administrators, and every business in general. This challenge is now being met but has a way to go before it is overcome.
Technical Complexity
The next challenge in computer security is the great diversity in computer security discipline. Computer Security in the past was limited to physical security where the actual computers or hardware were stored and operated.[7] Physical security for computers of the past was far more straightforward than the system security of today.
One example of the diversity of the computer security profession is the “ten domains of security” embodied in the CBK (Common Body of Knowledge) setup by the International Information Systems Security Certification Consortium or (ISC)2, which was formed in 1989 as a nonprofit organization to meet the growing need for a certification and profession in computer security.[8]
“The Common Body of Knowledge [CBK] is a compilation and distillation of all security information collected internationally of relevance to Information Security [IS] professionals. With no industry standards for such knowledge, (ISC)2 was formed, in part, to aggregate, standardize and maintain such information.”
- (ISC)2 website
The CBK covers the following in computer security; Security Management Practices, Security Architecture and Models, Access Control Systems & Methodology, Application Development Security, Operations Security, Physical Security, Cryptography, Telecommunications, Network, & Internet Security, Business Continuity Planning, Law, Investigations, & Ethics. The premier certification CISSP (Certified Information System Security Professional) demonstrates proficiency in those 10 domains of security when they are certified. Given that the topic is so broad the exam is described as an inch deep and a mile wide.[9]
“Security is a broad topic and covers a multitude of sins.”[10] Given the broad range of disciplines within the computer industry, security professionals need to know how those disciplines work together so that they can adequately protect the information assets that they have been entrusted. The CISSP certification is so broad in order to give the professional the broad overview that is needed.
A broad and diverse background in all areas of the computer industry is a must in order to adequately secure them. Businesses need a wide range of expertise ready to address all its complex high-tech security issues. Due to this fact, a team of professionals, rather than one individual, is what’s needed.
A Moving Target
The high-technology computer industry, for the past decade, has fueled the world’s economy and will continue to do so in the future. The industry is fast-paced and constantly changing. The issues are unique and computer security is critical to the success of every business and nation. This fast moving industry has become a moving target for security professionals.
This fast-moving target challenges professionals to keep up-to-date on new technologies and developments in the industry. The mere fact that processor power continues to grow exponentially remains a threat to any encryption[11] and proves the need to keep on top of changing developments.
In order to meet this challenge, computer security professionals need to be “students for life” and have a continuing education plan in place.[12] This is true for those professional who are certified by (ISC)2 or ASIS. In order to remain certified, continuing education is required for most professional certifications.
For (ISC)2, certified professionals must complete 120 CPE (continuing professional education) credits every three years. “In addition to paying an annual maintenance fee and subscribing to the Code of Ethics, a CISSP or SSCP must earn continuing professional education credits every three years - or retake their certification examinations.” - (ISC)2 website
For ASIS, individuals with a CPP (Certified Protection Professional) must earn a total of 16 CPE points in three-year term. If their certification lapses “Between January 1st and June 30th of the year following the recertification term, a total of seventeen credits and a $90.00 fee is required to reinstate the CPP designation (one additional credit and a $30.00 late fee); a total of eighteen credits and a $90.00 fee is required (two additional credits and a $30.00 late fee) between July 1st and December 31st. (Non-member late fee is $110.00) Recertification after a lapse of twelve months or more will require completing the full examination process.” – ASIS website
Human Intelligence
Another challenge to computer security isn’t the computers, but the operators of them. In computer security, humans are considered the weakest link.[13] In the realm of security, anything that is not predictable is a liability and people aren’t completely predictable. This is a constant challenge that can be met if you are aware that we, as people, are the weakest link in computer security.
In this section, I am not addressing the intentional acts committed by disgruntled employees, people who will believe anything, social engineering, dishonesty, impersonation, trespass or espionage. Many industries that are affected by these threats are aware of them and have developed methods to mitigate their risk. Instead, I will discuss unintentional acts that all organizations face.
Unintentional acts by humans are typically called errors and omissions. This is where an operator mistypes some information or forgets to lock out his or her workstation. The funny thing about computers is they only do what they are told to do. If the operator does not close a particular port on a firewall, how is the computer supposed to know that we really wanted to block those packets. Data entry errors or accidental deletion of work errors and omissions account for some of the greatest losses in business. In fact a recent study suggested that billions of dollars are lost in business every year.[14]
One of the hardest issues to overcome is the fact that these people are authorized to access the data as a part of their job.[15] They may even intend to do the right thing. Unknowingly, they can cause network security breaches.[16] These security braches can be caused by accident, carelessness,[17] ignorance, inadequate training or even a heavy workload.
The single best defense against such a security breach is an awareness of security related issues. One approach is to create a security education, training and awareness (SETA) program.[18] This answers the why, how and what of security for the employees or staff. The security awareness program acts as a constant reminder of the issues surrounding security and keeps security in the minds of the users.
Ed Tittel in his article, entitled “Seven secrets to successful employee involvement in security policies,” outlines his seven step approach to having employee involvement in security. 1. Employees need to know security is important. 2. Employee training is essential. 3. Short but memorable security statements. 4. Have employees buy-in by signing the security policy. 5. Consequences should be clearly spelled out. 6. Ask for employee input. 7. Create a "neighborhood watch" mentality.[19]
One problem with this approach is the fact that security awareness is the least implemented and most beneficial portion of a SETA program. A security awareness newsletter is also one of the least expensive and extremely cost- effective means to raise security awareness throughout an organization.[20]
The Business Need
The fact that security programs are not addressed by many organizations may be due to my next and final challenge of computer security, which is the realization that security is a business need. Many businesses didn’t see the need of an executive level security manager to maintain organization-wide security and bring the needs to those who make the business decisions.
The attitude in the past has been that security is “guns, guards and dogs.” The realm of computer security has been viewed by executive management as too complex and technical for them to address. That attitude can’t be farther from the truth; computer security has more to do with management than it has to do with technology.[21] The goal of computer security is to protect the organization’s ability to continue running a business with a profit.
In fact, the absence of a security program may put a business at a competitive disadvantage.[22] The real business world has business executives building and maintaining the trust of shareholders and clients. “Soon, all business players will need to asset that their infrastructure, network, and business administration are tuned to the confidentiality, availability and accuracy of the data records we are creating, recording, and transmitting. Not in technical terms, but real business terms.”[23]
Top executives have found that security is a top priority and that they will be held accountable if security is not given the highest priority. They are concerned now about compliance with new privacy regulations. This legislation has mandated protection of private client data in such acts as the Health Information Portability and Availability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA) and some of the new legal trends in privacy enacted in California.[24] Giving, assuring and keeping the clients’ trust has become the definition of success at the beginning of this new century.[25]
Summary
The challenges to computer security are the fundamental design flaws of computers not having security as a design requirement. Computers are so complex that it requires teamwork in order to cover all aspects of computer security. Computers and technology are constantly changing and that change affects the security of the entire system. Humans are the weakest link in computer security and businesses need to realize that security is a real business need and must be addressed.
If we ignore security and don’t give it the highest priority, there will be consequences. Even now HIPAA has consequences for not maintaining the security and privacy of personal health information that ranges from fines to jail time.
These challenges can be addressed and even overcome if they are exposed and everyone takes action. It will not be easy and it will require that we change our view on the role of security. It will require that we address the complexity of computers and the ever changing landscape of technology. We must address security as a business need and nothing less than an absolute must. It will require that organizations bring training, education and awareness of security issues. If we can do this, we will be at a competitive advantage over our competition.
Instructor’s comments
Excellent paper. I also reviewed your sources and your personal web page. Very good job! I noted that you had the Computer Security Act of 1987 listed. I remember when I was providing training under the requirements of this act in the Federal government. Most agencies still are not in compliance with these standards and have not the resources to meet these demands. For your information, GAO and other IG audits have reports on this problem.
References
[1] Andrew S. Tanenbaum, Computer Networks fourth edition (New Jersey: Pearson Education Inc. 2003), 3.
[2] Dr. Michael E. Whitman and Herbert J Mattord, Principles of Information Security (Boston, Course Technology 2003), 5
[3] Dr. Lawrence Roberts, ARAPANET Program Plan June 3, 1968 [Report online]. Available online at http://livinginternet.com/?i/ii_roberts.htm accessed 5 May 2003.
[4] Dr. Michael E. Whitman and Herbert J Mattord, Principles of Information Security (Boston, Course Technology 2003), 8
[5] Robert Richardson, “The Future of Microsoft Security” Computer Security Journal XVIII (2002) 53.
[6] Al Gillen, “Worldwide Client and Server Operating Environment Market Forecast and Analysis: 2002-2006.” (Framingham, Mass, IDC 2002)
[7] Dr. Michael E. Whitman and Herbert J Mattord, Principles of Information Security (Boston, Course Technology 2003), 4
[8] Shon Harris, CISSP All-in-one Certification Exam Guide, (Berkeley CA, McGraw Hill/Osborne 2002), 7
[9] Shon Harris, CISSP All-in-one Certification Exam Guide, (Berkeley CA, McGraw Hill/Osborne 2002), 3
[10] Andrew S. Tanenbaum, Computer Networks fourth edition (New Jersey: Pearson Education Inc. 2003), 721.
[11] “Cryptanalysis” [Essay on line] available at http://www.bletchleypark.net/crypt/cryptanalysis.html accessed 5 May 2003
[12] T. Andrew Yang, Computer security and impact on computer science education (The Consortium for Computing in Small Colleges 2001) 233 - 246
[13] Jeff Crume, Inside Internet Security What Hackers Don’t Want You To Know (New York, Addison-Wesley 2000) 92.
[14] Steve Balmer, Microsoft CEO, Windows 2003 Server Launch (San Francisco, 24 April 2003) [Speech] Available online at http://metahost.cwusa.tv/microsoft/20030424/msoft_20030424_300.asx
[15] Dr. Michael E. Whitman and Herbert J Mattord, Principles of Information Security (Boston, Course Technology 2003), 44.
[16] Paul Campbell, Ben Calvert, Steven Boswell, Security+ Guide To Network Security Fundamentals (Boston, Course Technology 2003) 7.
[17] PJ Ortmeier, Security Management An Introduction (New Jersey, Pearson Education Inc. 2002) 26.
[18] Dr. Michael E. Whitman and Herbert J Mattord, Principles of Information Security (Boston, Course Technology 2003), 222 - 224.
[19] Ed Tittel, “Seven secrets to successful employee involvement in security policies” (TechTarget 20 Dec 2002) [Online Article] Available at http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci870942,00.html
[20] Dr. Michael E. Whitman and Herbert J Mattord, Principles of Information Security (Boston, Course Technology 2003), 222 - 224.
[21] Dr. Michael E. Whitman and Herbert J Mattord, Principles of Information Security (Boston, Course Technology 2003), 41.
[22] Dr. Michael E. Whitman and Herbert J Mattord, Principles of Information Security (Boston, Course Technology 2003), 154.
[23] Michael J. Corby, CISSP CCP, "Security is all about business, not technology" [Online article] (Auerbach Publications 2002) Available at http://www.techrepublic.com/article_guest.jhtml?id=r00520020416ern01.htm&fromtm=e101-7
[24] Donald E. Hester CISSP “Laws relating to Information Security” 11 May 2003 [Online article] Available at http://www.sbcscomputers.com/Security/InfoSecLaws.htm
[25] Michael J. Corby, CISSP CCP, "Security is all about business, not technology" [Online article] (Auerbach Publications 2002) Available at http://www.techrepublic.com/article_guest.jhtml?id=r00520020416ern01.htm&fromtm=e101-7
Comments