1-2 Agenda Why Information Security Matters Academic Agenda: What Universities Should Teach –Ethics –Economics of Security –Social Implications of Security Computer Science is not a Profession – But Should Be A Culture of Security Begins at the University –Technology Can Help Conclusions
1-3 Why Information Security Matters (Laymen’s Version) Explosion in data collected and stored electronically –… more interconnected and more available than ever before Computer security is a business issue that affects everyone –All critical infrastructure has an IT backbone –Attackers need only find one hole No privacy without security –Many data breaches are privacy breaches –FTC: Cost of PII theft/misuse about $5 billion to consumers and $48 billion to companies per annum Explosion in cost of bad security (worms, viruses, etc.) –NIST: “Inadequate” software costs vendors and users $22.2B to and $59.5B per annum
1-4 “A few lines of code can wreak more havoc than a bomb.” - Tom Ridge (Former) Secretary of the U.S. Department of Homeland Security Why Information Security Matters (2)
1-5 Agenda Why Information Security Matters Academic Agenda: What Universities Should Teach –Ethics –Economics of Security –Social Implications of Security Computer Science is not a Profession – But Should Be A Culture of Security Begins at the University –Technology Can Help Conclusions
1-6 Ethics “It’s too late, Emily” - teaching remedial ethics Tales from the front lines of security The Story of SQL Slammer “Insider information” on security bugs Blackmail for fun and profit Lessons learned Trust is neither established nor enforceable by contract Intellectual chest thumping does not justify digital destruction With knowledge comes responsibility Only bad guys hire black hats or wear them
1-7 Economics of Security Security is a business issue and requires economic justification –Corollary: Nobody cares about “cool technology” unless it solves a useful problem, at a reasonable cost Most computer programmers have no concept of business –Who will use this ? –What problem does it solve? –How can you make money on it? –Is the cost of the solution more economical (all-in cost) than other alternatives? –What else could you be doing with the same resource that might be more profitable?
1-8 Economics of Security (2) Many economic principles can be and should be applied to computer security –Social costs – who pays for “bad code?” –Cost avoidance – build it right the first time –Expected value – e.g., customer cost of missing a patch and getting whacked with a worm –Return on investment – better security, lower cost Examples –Cost to deploy an intrusion detection system –Single sign-on –Patching costs
1-9 Social Implications of Technology (1) Computer security has interesting social /privacy implications –Should we be allowed to keep secrets – even from law enforcement? –Data aggregation/profiling –Who “owns” information about you – DRM for PII –Private industry has better information about you than the government does
1-10 Social Implications of Technology (2) Law of Conservation of Data –Data, once collected, is never destroyed Law of Unintended Data Usage –The temptation to use data collected for one purpose for another purpose, is irresistible Laws of Technical Indifference –Many people will gladly sell both privacy and security for convenience –Many people lack acumen or standing to resist technology –Technology is nothing; implementation is everything Examples –Locators: RFID, Smart Tolls/Smart Tags –Biometrics
1-11 What You Can Do Institute a computer code of conduct covering –Plagiarism –Hacking –Snooping –Piracy –File sharing …and enforce it (Zero Tolerance) Expose students to real world of IT Foster well-rounded nerds –e.g. Humanities Division at SEAS, University of Virginia …and nerdy liberal arts majors –Technology is too important to be left to technical “experts”
1-12 Agenda Why Information Security Matters Academic Agenda: What Universities Should Teach –Ethics –Economics of Security –Social Implications of Security Computer Science is not a Profession – But Should Be A Culture of Security Begins at the University –Technology Can Help Conclusions
1-13 If Civil Engineers Built Bridges Like Developers Write Code… “Structural integrity is a legacy problem. It’s not really interesting. Or elegant.” “We can add some rebar later, so what if the concrete has set?” “Sorry about the unsuitable soil condition, but we can’t let anything affect the critical path…” “The bridge has crumbled? Sorry, I can’t reproduce that problem here.” “But it wasn’t designed to have so many trucks on it.” IT means “infrastructure technology”: it has to be designed and built to be as reliable and secure as physical infrastructure.
1-14 What Civil Engineers Know Live and die by the critical path You can’t “add structure” after the ribbon is cut “Unforeseen site conditions” may bankrupt you Good workmen are nothing without excellent construction management You are accountable for the safety and reliability of the building Complexity of design is no excuse for crappy construction
1-15 Why Computer Science is not a Profession Computer science –Focus on “cool technology” and latest programming languages –Do not plan for failure/fail safe behavior, nor do they think like hackers –No requirement to demonstrate proficiency in safe, secure programming as condition of matriculation –No accredited degree program? –Not licensed (and no liability) to work in profession –Think rules/process/standards “stifle creativity”
1-16 Why Engineering is a Profession Engineering –Focus on safety, reliability –Learn to think of how something can fail –Core curriculum (structures, statics, dynamics, etc.) –Accredited degree programs –Licensed (and liable) to work in profession –Know creativity is rightly bounded by physics, location, form, function, safety factor, cost…
1-17 The Point Computer security is first, and foremost, a cultural issue –Security cannot be bolted on –Security must be built in –Security must ultimately be a red button issue, just as structural safety is –You need to think like a hacker to be able to defend your digital turf –Privacy also needs to be a “design principle” Universities have a key role to play in this cultural transformation
1-18 "A nation, as a society, forms a moral person, and every member of it is personally responsible for his society.“ -Thomas Jefferson (in letter to George Hammond, 1792)
1-19 Agenda Why Information Security Matters Academic Agenda: What Universities Should Teach –Ethics –Economics of Security –Social Implications of Security Computer Science is not a Profession – But Should Be A Culture of Security Begins at the University –Technology Can Help Conclusions
1-20 Defending Your Academic Turf Lots of computing resources that could become a hacker’s playground –DOS attacks, KNARKed OSs, bots, zombies, Trojans, etc. Valuable intellectual property –Research Attractive nuisances/temptations/targets –SSNs (quit using them for identifiers!) –Unused machines (file sharing!) –Poorly defending machines (change those grades…) Tension between “openness of academe” and security
1-21 Does Your University… Have published security policies? –Enforce policies consistently (including Nobel laureates and the dean?) Have an acceptable use policy? Conduct routine security audits? Align with ISO 17799? Have a CSO or CISO with adequate authority? Conduct routine pen.tests/ethical hacking? Deploy defense-in-depth mechanisms? Conduct security awareness training? Review logs regularly?
1-22 Technology Can Help Identity management –Better security, better governance at lower cost –Add strong authentication Granular access control –Row level access control, based on multiple factors, that’s conditional, is here NOW Hardened data, audit stores w/separation of function exists – reduces insider threat Encryption at rest is becoming transparent, and best practice Consider early adoption: today’s research is tomorrow’s security startup
1-23 Conclusions Academia has a critical role to play in securing cyberspace Lead by example –Secure your own networks –Teach ethics and enforce ethical behavior –Practice privacy (don’t collect data just because you can) –Become early adopter of security research fruit Help change (sometimes) ignorant/arrogant CS majors into responsible “computer engineers” Help non-techies to become technically literate on issues of computer security and privacy