Demythifying Cyber security: IEEE ComSocSCV April 19th Meeting Summary

Background:

Cyber security impacts all areas of IT and has probably not gotten the attention it deserves.  Here are several related questions to consider and think about:

  • For Internet consumers, what web sites should you trust and what’s the risk? Will you be the unwilling victim of identity theft, a stolen email account or passwords? How can you protect yourself from these malicious attacks?
  • Are corporate data centers (i.e. servers) secured? Is your IP VPN access foolproof with respect to authentication, authorization and accounting?
  • As a potential cloud computing user/service provider/vendor, what are the real security issues with the cloud? Should we extrapolate from current data center security or think of the cloud as a distributed data center?
  • What is the threat and risk of electronic eavesdropping? Is encryption needed on all web and email transactions? Is your encryption foolproof, or can it be broken?
  • For government agencies, what is the risk of a cyber terror attack on government computers and Internet sites? 

Discussion:

At the April 19th IEEE ComSocSCV meeting (co-sponsored by IEEE Computer SCV), Ed Talbot and Tom Kroeger of Sandia Labs took a hard look at cyber security issues, especially the many assumptions people make that are not valid. From the session abstract:

“Current cyber security approaches are fundamentally broken. Vulnerabilities in current implementations are virtually limitless, and threats are exploiting these vulnerabilities faster than we can detect and counter them. This talk presents a qualitative survey of the current state of affairs in cyber security. We show how current cyber security implementations compound the problem by creating the illusion of security. The result is a primitive cyber society in which trust and confidence are absent or, worse yet, deceptive. This examination of cyber security is intended as a reality check with the hope of provoking the thoughtful discussion about solutions that address the core problems. We will examine this situation and present several approaches that attempt to develop a basis from which we can foster transformation in digital security.”

Here are the top three (out of 14) security myths the speakers identified:

  1. The more layers of defense, the better.
  2. Burdensome security is better security (like strong passwords).
  3. Running my executables on my data on my system is secure because I control my system.

Counter-examples for these three myths were provided with an interesting set of use cases and graphics that illustrated the fallacies, pitfalls and risks associated with these false notions of security. The speakers said that vulnerabilities are limitless, with threats exploiting those vulnerabilities arriving faster than they can be detected. The speakers believe the industry needs a fresh approach, a new way of thinking about security, potential vulnerabilities and the counter-measures to prevent them.

The session was very well received by over 80 attendees, as was evident during the very spirited Q and A session. There were several debates among audience members and speakers. After the meeting formally concluded at 8:15pm, many attendees queued for one-on-one discussions with the speakers and each other. This lasted until we were forced to leave the building at 9pm. And then several attendees followed Ed and Tom into the parking lot to continue the discussions!

Postscript:

In an April 20th email, Tom wrote:

The Myths that we’ve discovered so far are below.  I probably need to tune up the wording on some of them and I’m sure that the list is not complete.  But it’s a place to start the dialog.  Your thoughts and comments are welcome.

  • Myth 1: More Layers of Defense Are Always Better than Fewer
  • Myth 2: Running My Executables on My Data on My System Is Secure Because I Control My System
  • Myth 3: Effective Security Is Necessarily Burdensome
  • Myth 4: Trusted Computing Eliminates the Need to Trust People
  • Myth 5: We understand our adversary
  • Myth 6: Stronger authentication will compromise anonymity
  • Myth 7: Using industry best practices provides the best value in cybersecurity
  • Myth 8: Better security will compromise availability
  • Myth 9: It’s OK for the adversary to be in the system as long as they don’t compromise mission success.
  • Myth 10: Cyber is a battle space just like land, sea, air, and space.
  • Myth 11: Improving cyber security will necessarily compromise freedom, human rights, eliminate school lunch programs, kill puppies…whatever.
  • Myth 12: The mission is more important than security.
  • Myth 13: Using the cloud will diminish availability.
  • Myth 14: A system is only as trustworthy as its weakest link

Ed asks, “Are there more???”

About IEEE ComSocSCV:

Please check out all our upcoming and archived meetings at:  www.comsocscv.org.

We also have a ComSocSCV Facebook page and a LinkedIn Group.

Related blogs/articles:

‘Demystifying Cyber Security – Myths vs Realities’ Perspective/Event Summary

http://www.semiwiki.com/forum/f2/demystifying-cyber-security-myths-vs-realities-perspective-event-summary-629.html

The Changing Face of Security: Is the U.S. Prepared for a Major Cyber-security Attack?

In a very impressive CSO Perspectives conference keynote speech on April 6th, Howard A. Schmidt, Special Assistant to the President and the Cybersecurity Coordinator, told the audience that the U.S. was taking very strong measures to prevent and defend against cyber-security attacks. President Obama has made cyber-security a top policy priority within his Administration. On May 29th of 2009 Obama stated that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on Cyber-security.”

Demythifying Cybersecurity, May/June 2010 (vol. 8 no. 3) by Edward B. Talbot, Sandia National Laboratories, CA; Deborah Frincke, the Pacific Northwest National Laboratory; Matt Bishop, University of California, Davis

http://www.computer.org/portal/web/csdl/doi/10.1109/MSP.2010.95