To reduce this threat, start with strong authentication for the use of any privileged capabilities. Implement multiparty controls over these capabilities. Improve accountability by ensuring privilege is available to only one user at a time, only when needed. Keep a record of all grants and uses of privilege.
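The four controls in that paragraph can be expressed as one small just-in-time privilege broker. The following is an added example written for this page, not code from the column or its interviewee; the users, the capability name "root@db-1", and the MFA check are constructed stand-ins.

```python
"""Just-in-time privilege broker: a constructed example (not from the column)
showing the four controls named above as code. Names like "root@db-1",
"alice" and "bob" are made up; the MFA check is a stand-in for a real one."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class PrivilegeError(Exception):
    """Raised when a request or use of privilege is refused."""


@dataclass
class Grant:
    capability: str
    holder: str
    approver: str
    expires_at: datetime


@dataclass
class PrivilegeBroker:
    # capability -> the single active grant; absence means nobody holds it
    active: dict = field(default_factory=dict)
    # append-only record of every grant, use, expiry and refusal
    audit: list = field(default_factory=list)
    # stand-in for strong authentication: users who passed MFA this session
    mfa_verified: set = field(default_factory=set)

    def _log(self, event, **details):
        self.audit.append({"event": event, **details})

    def expire(self, now):
        """Withdraw grants whose time box has passed (privilege only when needed)."""
        for cap, g in list(self.active.items()):
            if g.expires_at <= now:
                del self.active[cap]
                self._log("expired", user=g.holder, capability=cap)

    def request(self, user, capability, approver, now, minutes=15):
        """Grant `capability` to `user` only if the user passed strong auth,
        a distinct authenticated approver countersigns (multiparty control),
        and no one else currently holds it (one user at a time)."""
        if user not in self.mfa_verified:
            self._log("refused", reason="no strong auth", user=user, capability=capability)
            raise PrivilegeError("strong authentication required")
        if approver == user or approver not in self.mfa_verified:
            self._log("refused", reason="no independent approver", user=user, capability=capability)
            raise PrivilegeError("an independent, authenticated approver is required")
        self.expire(now)
        if capability in self.active:
            holder = self.active[capability].holder
            self._log("refused", reason="held by another user", user=user,
                      capability=capability, holder=holder)
            raise PrivilegeError(f"{capability} is held by {holder}")
        grant = Grant(capability, user, approver, now + timedelta(minutes=minutes))
        self.active[capability] = grant
        self._log("grant", user=user, approver=approver, capability=capability,
                  expires=grant.expires_at.isoformat())
        return grant

    def use(self, user, capability, action, now):
        """Every use is checked against the live grant and recorded."""
        self.expire(now)
        grant = self.active.get(capability)
        if grant is None or grant.holder != user:
            self._log("refused", reason="no active grant", user=user,
                      capability=capability, action=action)
            raise PrivilegeError("no active grant")
        self._log("use", user=user, capability=capability, action=action)
        return True


def demo():
    """Walk through one lifecycle; returns the sequence of audit events."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker()
    broker.mfa_verified.update({"alice", "bob"})
    broker.request("alice", "root@db-1", approver="bob", now=t0)
    broker.use("alice", "root@db-1", "restart postgres", t0 + timedelta(minutes=2))
    for user, approver, when in [("carol", "bob", 3),    # carol never passed MFA
                                 ("bob", "alice", 5)]:   # alice still holds root@db-1
        try:
            broker.request(user, "root@db-1", approver=approver,
                           now=t0 + timedelta(minutes=when))
        except PrivilegeError:
            pass
    try:  # the 15-minute box has closed, so the grant is withdrawn automatically
        broker.use("alice", "root@db-1", "drop table", t0 + timedelta(minutes=20))
    except PrivilegeError:
        pass
    return [e["event"] for e in broker.audit]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The refusals are logged with the same care as the grants: the record of who asked for privilege and was denied is often the first sign of the escalation described later on the page.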
Q: You clearly have strong opinions about how to secure our computer systems and networks. You place a great deal of weight on past security practices. Are these not obsolete? Don’t we need the results of modern security research more than ever?

A: I plead guilty to having strong opinions and I beg for tolerance. I would like to defend my respect for past practices. Believe it or not, designers of operating systems have made security and protection a high priority since the 1960s. Their research and experience with real systems proves that many of the methods they discovered work. It astounds me that we would downplay those older successes in favor of unproven research.

What has changed over those years is not the need for security, but the risks and costs of insecurity. It should be clear to a casual reader of the news, let alone those with access to intelligence sources, that what we are doing is not working. It is both costly and dangerous.

While these recommendations may represent a change in the way we are doing things, we know they work. There is little new in them. Most of these ideas are as old as computing and some we inherited from more primitive information technology. Most of the resistance to using these practices comes from loss of convenience. Good security is not convenient. But it is absolutely necessary for the security of our assets and the reliability of the many critical systems on which we all depend. We need not suffer from the scourge of systems that so easily succumb to invaders.
Peter J. Denning (pjd@nps.edu) is Distinguished Professor of Computer Science and Director of the Cebrowski Institute for information innovation at the Naval Postgraduate School in Monterey, CA, is Editor of ACM Ubiquity, and is a past president of ACM. The author’s views expressed here are not necessarily those of his employer or the U.S. federal government.

Copyright held by author.
can do from the user interface that will make a persistent change to the integrity of the software. There is little the developers of programs can do that will nullify defects in the operating system or other programs.

It is ironic that one can get a so-called “computer science” degree without even being aware of alternatives to the von Neumann architecture.
Q: There have been many attempts at intrusion detection in operating systems. Is it possible to identify that someone appearing to be an authorized user is actually someone else?

A: There are recognizable differences in the behavior of authorized users and impersonators. The simple measure of identifying repeated failed attempts to do something can reveal intruders. More complex measures exploiting advances in artificial intelligence can detect more subtle differences. We must tune these measures to balance false positives against the failure to detect. We must also ensure the alarms and alerts get to the responsible managers, usually the manager of the user and the owner of the asset, who are in a position to recognize the need for, and have the authority and resources, to take any indicated corrective action.
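The "simple measure" in that answer, repeated failures inside a window, plus the two points that follow it (a tunable threshold and routing to the user's manager and the asset's owner), fit in one short detector. This is an added example written for this page, not code from the column; the log format, the sample lines, and the manager/owner directory are all constructed.

```python
"""Failed-attempt detector over an authentication log: a constructed example,
not from the column. The log lines, the directory of managers and asset
owners, and the log format itself are made up for the illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice mistypes once and logs in; svc_backup fails
# five times in ten seconds and then succeeds.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd host=db-1 user=alice result=FAIL
2024-03-01T09:00:04 sshd host=db-1 user=alice result=OK
2024-03-01T09:05:00 sshd host=db-1 user=svc_backup result=FAIL
2024-03-01T09:05:02 sshd host=db-1 user=svc_backup result=FAIL
2024-03-01T09:05:04 sshd host=db-1 user=svc_backup result=FAIL
2024-03-01T09:05:06 sshd host=db-1 user=svc_backup result=FAIL
2024-03-01T09:05:08 sshd host=db-1 user=svc_backup result=FAIL
2024-03-01T09:05:09 sshd host=db-1 user=svc_backup result=OK
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sshd host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed directory: who is responsible for the user and for the asset.
MANAGER_OF = {"alice": "mgr-ops", "svc_backup": "mgr-backup"}
OWNER_OF = {"db-1": "dba-lead"}


def parse(log_text):
    """Yield structured events in log order. Lines that do not match the
    format are skipped here; production code should count them."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                   "user": m["user"], "result": m["result"]}


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Raise one alert per (user, host) once `threshold` failures fall inside
    a sliding `window`. `threshold` and `window` are the tuning knobs the
    answer refers to: lower values catch more, and also page people about
    ordinary typos. A success after the alert is recorded on it, because
    that is the case where an impersonator may now hold a session."""
    recent = defaultdict(deque)   # (user, host) -> timestamps of recent failures
    open_alerts = {}              # (user, host) -> alert already raised
    alerts = []
    for ev in parse(log_text):
        key = (ev["user"], ev["host"])
        if ev["result"] == "FAIL":
            q = recent[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in open_alerts:
                alert = {
                    "user": ev["user"], "host": ev["host"],
                    "failures": len(q), "first": q[0], "last": ev["ts"],
                    "login_succeeded_after": False,
                    # route to the people who can act, not to a generic inbox
                    "notify": [MANAGER_OF.get(ev["user"], "security-duty"),
                               OWNER_OF.get(ev["host"], "security-duty")],
                }
                open_alerts[key] = alert
                alerts.append(alert)
        elif key in open_alerts:
            open_alerts[key]["login_succeeded_after"] = True
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['user']}@{a['host']}: {a['failures']} failures, "
              f"success after: {a['login_succeeded_after']}, notify {a['notify']}")
```

Running `detect(SAMPLE_LOG, threshold=1)` shows the false-positive side of the trade-off: alice's single typo becomes an alert to her manager, which is exactly the tuning problem the answer describes.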
Q: When OSs started to span networks, traffic analysis of packets became an ingredient of a signature of computer use. Is this a valuable approach today?

A: It’s tough but not hopeless. While we may never be sure that all nodes in the public networks properly identify themselves, cryptography can improve the trust that we have as to the source of traffic. While we may never solve the problem of compromised systems being used as “cutouts” to hide the identity and location of the sources of attack traffic, by storing more metadata about the sources and destination of traffic, we can improve the effectiveness and efficiency of forensics.
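To make the last sentence concrete: retained traffic metadata (who talked to whom, when, on which port, how much) lets an analyst pivot from one external indicator to the internal hosts that reached it and what they did next, with no payload at all. The following is an added example written for this page, not code from the column; the flow records, addresses (203.0.113.0/24 is a documentation range), and retention policy are constructed.

```python
"""Forensic pivot over retained traffic metadata: a constructed example, not
from the column. The flow records, addresses and time window are made up;
203.0.113.0/24 is a documentation range. Only metadata is kept."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def t(hhmm):
    """Helper: a timestamp on one constructed day."""
    return datetime.fromisoformat(f"2024-05-02T{hhmm}:00")


# Constructed flow records, the kind a NetFlow/IPFIX-style collector retains.
FLOWS = [
    Flow(t("09:00"), "10.0.0.8", "10.0.0.7", 445, 2_000),      # routine file share
    Flow(t("10:00"), "10.0.0.5", "203.0.113.10", 443, 900),    # contact with the indicator
    Flow(t("10:05"), "10.0.0.5", "10.0.0.7", 445, 50_000),     # then an internal share
    Flow(t("10:20"), "10.0.0.5", "10.0.0.7", 3389, 4_000),     # and remote desktop
    Flow(t("11:00"), "10.0.0.9", "203.0.113.10", 443, 700),    # second host, no follow-on
    Flow(t("13:00"), "10.0.0.5", "10.0.0.6", 22, 300),         # outside the follow window
]


class FlowIndex:
    """Metadata store indexed by destination and by source for fast pivoting."""

    def __init__(self, flows, retention=timedelta(days=90), now=None):
        # Retention is the policy lever: the longer metadata is kept, the more
        # history is available when an indicator surfaces late.
        now = now or max(f.ts for f in flows)
        self.by_dst = defaultdict(list)
        self.by_src = defaultdict(list)
        for f in sorted(flows, key=lambda f: f.ts):
            if now - f.ts <= retention:
                self.by_dst[f.dst].append(f)
                self.by_src[f.src].append(f)

    def first_contacts(self, indicator):
        """Earliest time each source first reached `indicator`."""
        first = {}
        for f in self.by_dst.get(indicator, []):
            first.setdefault(f.src, f.ts)
        return first

    def activity_after(self, host, start, follow):
        """What `host` talked to in the `follow` window strictly after `start`."""
        return [(f.dst, f.dport, f.nbytes) for f in self.by_src.get(host, [])
                if start < f.ts <= start + follow]


def pivot(index, indicator, follow=timedelta(hours=1)):
    """For each host that reached the indicator, list what it did in the
    following window. This is the first question an analyst asks, and it
    can be answered from metadata alone."""
    return {host: index.activity_after(host, first, follow)
            for host, first in index.first_contacts(indicator).items()}


if __name__ == "__main__":
    for host, later in pivot(FlowIndex(FLOWS), "203.0.113.10").items():
        print(host, "->", later or "no follow-on activity")
```

Building the same index with a two-hour retention drops the 10:00 contact entirely, so the pivot no longer sees 10.0.0.5 at all; that is the efficiency-versus-retention trade the answer alludes to.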
Q: Another common attack method is phishing: email or voicemail messages that appear legitimate and entice you into revealing your personal information. Are there any practical ways to defend against phishing?

A: Courtney’s Third Law taught us “there are management solutions to technical problems but there are no technical solutions to management problems.” Substitute “human” for “management” and the statement remains true.

Masquerading and fraud attacks appeal to the Seven Deadly Sins and to gullibility, fear, curiosity, and even the mere desire to be helpful. Fraud and deceit—what the rogue hackers call “social engineering”—are as old as language. They have exploited every communication medium ever used.

However, in the modern world, these appeals are mostly used to get us to compromise our credentials or the integrity of our systems. We can caution and train our users but experience suggests the best of these efforts will not be sufficient. We must also use the measures recommended here to limit the consequences of the inevitable errors.
Q: What about insider attacks?

A: Threats have both source and rate. Insiders have a low rate but high consequences. Outsiders may damage the brand but insiders may bring down the business.

There are risks with privileged users and escalation of privileges. Edward Snowden was able to expand his privileges in an organization with “security” in its name. He did this over an extended period of time without being detected.

Pervasively we have too many over-privileged users, with too little accountability. Indeed privileged users are among the most likely to share IDs and passwords. There is no accountability if something goes wrong. Often the privileges are so great and accountability so poor that the privileges, once granted, cannot be reliably withdrawn.