Agenda
Why Information Security Matters
Academic Agenda: What You Should Be Teaching
 – Ethics
 – Economics of Security
 – Social Implications of Security
Computer Science is not a Profession – But Should Be
Security Begins at Home: Your University
Why Information Security Matters (Layman's Version)
Vast explosion in the amount of data collected and stored electronically
 – …more interconnected and more available than ever before
Computer security is a business issue that affects everyone
 – All critical infrastructure has an IT backbone
 – Attackers need only find one hole; defenders must close or defend all holes
No privacy without security
 – The amount of data collectible online is extraordinary
Explosion in the cost of bad security (worms, viruses, etc.)
 – NIST: "inadequate" software costs vendors and users between $22.2B and $59.5B annually
Why Information Security Matters (2)
"A few lines of code can wreak more havoc than a bomb."
 – Tom Ridge, Secretary of the U.S. Department of Homeland Security
Ethics
"It's too late, Emily" – teaching remedial ethics
Tales from the front lines of security
 – The Story of SQL Slammer
 – "Insider information" on security bugs (1)
 – "Insider information" on security bugs (2)
 – Blackmail for fun and profit
Lessons learned
 – Trust is neither established nor enforceable by contract
 – Intellectual chest thumping does not justify digital destruction
 – With knowledge comes responsibility
 – Only bad guys hire black hats
Economics of Security
Security is a business issue and requires economic justification
 – Corollary: nobody cares about "cool technology" unless it solves a useful problem at a reasonable cost
Most computer programmers have no concept of business
 – Who will use this?
 – What problem does it solve?
 – How can you make money on it?
 – Is the cost of the solution more attractive than the alternatives?
 – What else could you be doing with the same resources?
Economics of Security (2)
Many economic principles can and should be applied to computer security
 – Social costs – who pays for "bad code"?
 – Cost avoidance – build it right the first time
 – Expected value – e.g., the customer's cost of missing a patch and getting whacked by a worm
 – Return on investment – better security at lower cost
Examples
 – Cost to deploy an intrusion detection system
 – Single sign-on
 – Patching costs
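The expected-value and return-on-investment reasoning on this slide is easy to state and easy to get wrong in practice, so here is an added example (not part of the original deck) that puts it into code. It models each threat as an annualized rate of occurrence times a single-loss figure, models a candidate control as something that scales that rate or that loss for an annual cost, and then ranks the candidates against "do nothing" so that the opportunity-cost question from the previous slide is answered explicitly. All dollar figures, probabilities and control names below are constructed for illustration and are not from the deck or from any real study.

```python
"""Expected value and return on security investment (ROSI) for candidate controls.

Added example with constructed numbers; the scenario, costs and effect sizes
are assumptions chosen to illustrate the arithmetic, not measured data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One way of losing money: how often per year, and how much each time."""
    name: str
    events_per_year: float   # annualized rate of occurrence (ARO)
    loss_per_event: float    # single loss expectancy (SLE), in dollars


@dataclass(frozen=True)
class Control:
    """A candidate spend, modelled by how it scales each scenario's ARO and SLE."""
    name: str
    annual_cost: float
    rate_factor: float = 1.0   # 0.2 means the control removes 80% of events
    loss_factor: float = 1.0   # 0.5 means each remaining event costs half as much


def annual_expected_loss(scenarios):
    """ALE = sum over scenarios of ARO * SLE."""
    return sum(s.events_per_year * s.loss_per_event for s in scenarios)


def apply_control(scenarios, control):
    """The residual scenarios once the control is in place."""
    return [Scenario(s.name,
                     s.events_per_year * control.rate_factor,
                     s.loss_per_event * control.loss_factor)
            for s in scenarios]


def net_annual_benefit(scenarios, control):
    """Expected loss avoided per year minus what the control costs per year."""
    avoided = (annual_expected_loss(scenarios)
               - annual_expected_loss(apply_control(scenarios, control)))
    return avoided - control.annual_cost


def rosi(scenarios, control):
    """Return on security investment: (loss avoided - cost) / cost."""
    return net_annual_benefit(scenarios, control) / control.annual_cost


def best_option(scenarios, controls):
    """Rank candidates by net benefit; 'do nothing' (benefit 0) wins if none pays off."""
    ranked = sorted(((net_annual_benefit(scenarios, c), c.name) for c in controls),
                    reverse=True)
    best_benefit, best_name = ranked[0]
    return (best_name if best_benefit > 0 else "do nothing"), ranked


# Constructed input: one threat against an unpatched server fleet, two candidate spends.
BASELINE = [Scenario("worm outbreak on unpatched hosts", events_per_year=0.5,
                     loss_per_event=400_000.0)]
CANDIDATES = [
    # Assumed: patching removes 80% of outbreaks but costs more to run each year.
    Control("patch management program", annual_cost=150_000.0, rate_factor=0.2),
    # Assumed: IDS does not prevent outbreaks, but earlier detection halves each loss.
    Control("network intrusion detection", annual_cost=60_000.0, loss_factor=0.5),
]


def demo():
    """Return (baseline ALE, winning option, ranked list) for the constructed case."""
    winner, ranked = best_option(BASELINE, CANDIDATES)
    return annual_expected_loss(BASELINE), winner, ranked


if __name__ == "__main__":
    ale, winner, ranked = demo()
    print(f"baseline annual expected loss: ${ale:,.0f}")
    for benefit, name in ranked:
        print(f"  {name}: net benefit ${benefit:,.0f}/yr")
    print(f"best option: {winner}")
```

With these constructed numbers the patching programme has a positive but thin return (it avoids $160k of expected loss for $150k), while the cheaper detection capability has the larger net benefit, which is exactly the "is the cost more attractive than the alternatives" comparison the slide asks programmers to make. Change the factors or costs and the ranking changes; the point of writing it down is that the assumptions are then visible and arguable, rather than hidden behind a vendor's "cool technology" pitch.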
Social Implications of Technology (1)
Computer security has interesting social implications
 – Should we be allowed to keep secrets – even from law enforcement?
 – Data aggregation/profiling
 – Who owns information about you?
 – Private industry has better information about you than the government does
Social Implications of Technology (2)
Law of Conservation of Data
 – Data, once collected, is never destroyed
Law of Unintended Data Usage
 – The tendency to use data collected for one purpose for another purpose is irresistible
Laws of Technical Indifference
 – Most people will gladly sell both privacy and security for convenience
 – Technology is nothing; implementation is everything
Examples
 – Locators: RFID, smart tolls/smart tags
 – Biometrics
 – Electronic voting equipment
What You Can Do
Institute a computer code of conduct covering
 – Plagiarism
 – Hacking
 – Snooping
 – Piracy
 – File sharing
…and enforce it (zero tolerance)
Expose students to the real world of IT
Foster well-rounded nerds
 – e.g., the Humanities Division at SEAS, University of Virginia
…and nerdy liberal arts majors
 – Technology is too important to be left to technical experts
If Civil Engineers Built Bridges Like Developers Write Code…
 "Structural integrity is a legacy problem. It's not really interesting. Or elegant."
 "We can add some rebar later, so what if the concrete has set?"
 "Sorry about the unsuitable soil condition, but we can't let anything affect the critical path…"
 "The bridge has crumbled? Sorry, I can't reproduce that problem here."
 "But it wasn't designed to have so many trucks on it."
IT means "infrastructure technology": it has to be designed and built to be as reliable and secure as physical infrastructure.
What Civil Engineers Know
 – Live and die by the critical path
 – You can't "add structure" after the ribbon is cut
 – "Unforeseen site conditions" may bankrupt you
 – Good workmen are nothing without excellent construction management
 – You are accountable for the safety and reliability of the building
 – Complexity of design is no excuse for crappy construction
Why Computer Science is not a Profession
Computer science
 – Focus on "cool technology" and the latest programming languages
 – No planning for failure or fail-safe behavior, and no habit of thinking like a hacker
 – No requirement to demonstrate proficiency in safe, secure programming as a condition of graduation
 – No accredited degree program?
 – Not licensed (or liable) to work in the profession
 – Rules, process and standards are seen as "stifling creativity"
Why Engineering is a Profession
Engineering
 – Focus on safety and reliability
 – Learn to think about how something can fail
 – Core curriculum (structures, statics, dynamics, etc.)
 – Accredited degree programs
 – Licensed (and liable) to work in the profession
 – Know that creativity is rightly bounded by physics, location, form, function, safety factor, cost…
The Point
Computer security is first, and foremost, a cultural issue
 – Security cannot be bolted on
 – Security must be built in
 – Security must ultimately be a red-button issue, just as structural safety is
 – You need to think like a hacker to be able to defend your digital turf
Universities have a key role to play in this cultural transformation
"A nation, as a society, forms a moral person, and every member of it is personally responsible for his society."
 – Thomas Jefferson (in a letter to George Hammond, 1792)
Defending Your Academic Turf
Lots of computing resources that could become a hacker's playground
 – DoS attacks, rootkitted OSs (e.g., Knark), bots, zombies, Trojans, etc.
Valuable intellectual property
 – Research
Attractive nuisances/temptations/targets
 – SSNs (quit using them as identifiers!)
 – Unused machines (file sharing!)
 – Poorly defended machines (change those grades…)
Does Your University…
 – Have published security policies?
 – Have an acceptable use policy?
 – Conduct routine security audits?
 – Align with ISO 17799?
 – Have a CSO or CISO with adequate authority?
 – Conduct routine pen tests/ethical hacking?
 – Deploy defense-in-depth mechanisms?
 – Conduct security awareness training?
 – Review logs regularly?
Conclusions
 – Academia has a critical role to play in securing cyberspace
 – Lead by example: secure your own networks
 – Help change (sometimes) ignorant/arrogant CS majors into responsible "computer engineers"
 – Help non-techies become technically literate on issues of computer security and privacy