
Copyright © Oracle Corporation, 2001. All rights reserved.

Security Assurance: The Times They Are A ’

Mary Ann Davidson

Chief Security Officer

Oracle Corporation

Leading by Example: The Case for IT Security in

Academia

Agenda

• Why Information Security Matters

• Academic Agenda: What You Should Be Teaching

– Ethics

– Economics of Security

– Social Implications of Security

• Computer Science is not a Profession – But Should Be

• Security Begins at Home: Your University

Why Information Security Matters (Layman’s Version)

• Vast explosion in amount of data collected and stored electronically

– … more interconnected and more available than ever before

• Computer security is a business issue that affects everyone

– All critical infrastructure has an IT backbone

– Attackers need only find one hole; defenders must close or defend all holes

• No privacy without security

– Amount of data collectible on line is extraordinary

• Explosion in cost of bad security (worms, viruses, etc.)

– NIST: “Inadequate” software costs vendors and users between $22.2B and $59.5B annually

Why Information Security Matters (2)

“A few lines of code can wreak more havoc than a bomb.”

- Tom Ridge, Secretary of the U.S. Department of Homeland Security

Ethics

• “It’s too late, Emily” - teaching remedial ethics

• Tales from the front lines of security

• The Story of SQL Slammer

• “Insider information” on security bugs (1)

• “Insider information” on security bugs (2)

• Blackmail for fun and profit

• Lessons learned

• Trust is neither established nor enforceable by contract

• Intellectual chest thumping does not justify digital destruction

• With knowledge comes responsibility

• Only bad guys hire black hats

Economics of Security

• Security is a business issue and requires economic justification

– Corollary: Nobody cares about “cool technology” unless it solves a useful problem, at a reasonable cost

• Most computer programmers have no concept of business

– Who will use this <feature, product, code, service>?

– What problem does it solve?

– How can you make money on it?

– Is the cost of the solution more attractive than other alternatives?

– What else could you be doing with the same resource?

Economics of Security (2)

• Many economic principles can be and should be applied to computer security

– Social costs – who pays for “bad code?”

– Cost avoidance – build it right the first time

– Expected value – e.g., customer cost of missing a patch and getting whacked with a worm

– Return on investment – better security, lower cost

• Examples

– Cost to deploy an intrusion detection system

– Single sign-on

– Patching costs

Social Implications of Technology (1)

• Computer security has interesting social implications

– Should we be allowed to keep secrets – even from law enforcement?

– Data aggregation/profiling

– Who owns information about you

– Private industry has better information about you than the government does

Social Implications of Technology

• Law of Conservation of Data

– Data, once collected, is never destroyed

• Law of Unintended Data Usage

– The tendency to use data collected for one purpose, for another purpose, is irresistible

• Laws of Technical Indifference

– Most people will gladly sell both privacy and security for convenience

– Technology is nothing; implementation is everything

• Examples

– Locators: RFID, Smart Tolls/Smart Tags

– Biometrics

– Electronic voting equipment

What You Can Do

• Institute a computer code of conduct covering

– Plagiarism

– Hacking

– Snooping

– Piracy

– File sharing

• …and enforce it (Zero Tolerance)

• Expose students to real world of IT

• Foster well-rounded nerds

– e.g. Humanities Division at SEAS, University of Virginia

• …and nerdy liberal arts majors

– Technology is too important to be left to technical experts

If Civil Engineers Built Bridges Like Developers Write Code…

• “Structural integrity is a legacy problem. It’s not really interesting. Or elegant.”

• “We can add some rebar later, so what if the concrete has set?”

• “Sorry about the unsuitable soil condition, but we can’t let anything affect the critical path…”

• “The bridge has crumbled? Sorry, I can’t reproduce that problem here.”

• “But it wasn’t designed to have so many trucks on it.”

IT means “infrastructure technology”: it has to be designed and built to be as reliable and secure as physical infrastructure.

What Civil Engineers Know

• Live and die by the critical path

• You can’t “add structure” after the ribbon is cut

• “Unforeseen site conditions” may bankrupt you

• Good workmen are nothing without excellent construction management

• You are accountable for the safety and reliability of the building

• Complexity of design is no excuse for crappy construction

Why Computer Science is not a Profession

• Computer science

– Focus on “cool technology” and latest programming languages

– Do not plan for failure/fail-safe behavior, nor think like hackers

– No requirement to demonstrate proficiency in safe, secure programming as condition of matriculation

– No accredited degree program?

– Not licensed (or liable) to work in profession

– Think rules/process/standards “stifle creativity”

Why Engineering is a Profession

• Engineering

– Focus on safety, reliability

– Learn to think of how something can fail

– Core curriculum (structures, statics, dynamics, etc.)

– Accredited degree programs

– Licensed (and liable) to work in profession

– Know creativity is rightly bounded by physics, location, form, function, safety factor, cost…

The Point

• Computer security is first, and foremost, a cultural issue

– Security cannot be bolted on

– Security must be built in

– Security must ultimately be a red button issue, just as structural safety is

– You need to think like a hacker to be able to defend your digital turf

• Universities have a key role to play in this cultural transformation

“A nation, as a society, forms a moral person, and every member of it is personally responsible for his society.”

- Thomas Jefferson (in letter to George Hammond, 1792)

Defending Your Academic Turf

• Lots of computing resources that could become a hacker’s playground

– DoS attacks, KNARKed OSs, bots, zombies, Trojans, etc.

• Valuable intellectual property

– Research

• Attractive nuisances/temptations/targets

– SSNs (quit using them for identifiers!)

– Unused machines (file sharing!)

– Poorly defended machines (change those grades…)

Does Your University…

• Have published security policies?

• Have an acceptable use policy?

• Conduct routine security audits?

• Align with ISO 17799?

• Have a CSO or CISO with adequate authority?

• Conduct routine pen tests/ethical hacking?

• Deploy defense in depth mechanisms?

• Conduct security awareness training?

• Review logs regularly?

Conclusions

• Academia has a critical role to play in securing cyberspace

• Lead by example: secure your own networks

• Help change (sometimes) ignorant/arrogant CS majors into responsible “computer engineers”

• Help non-techies to become technically literate on issues of computer security and privacy

Questions & Answers