Similar Literature
20 similar documents found; search took 417 ms.
1.
《EDPACS》2013,47(9):18-19
Abstract

Whether you are responsible for ensuring the availability of your enterprise network or you are a chief technology officer or information security manager, you will likely ask yourself these questions: How much should I spend on security? Am I more secure today than I was yesterday? What metrics can I use to measure whether my security is improving or not? When can I stop patching so I can get back to doing real work?

2.
Gurbaxani  V. Wilson  J. 《Computer》1997,30(9):128-129
As we more fully enter the information age, technology is creating new competitors and new strategic options for business. Moreover, as operations become more critical in a world with shorter product cycles and lead times, the importance of integrated information systems becomes apparent. On the other hand, businesses often have many disparate systems in place for order fulfillment, shop floor management, and accounting. Businesses would like to model this information and have it accessible for coordinated analysis of processes, finances, and business goals. Not surprisingly, suppliers of integrated enterprise systems are seeing tremendous sales growth. In general, companies are struggling to answer the questions: Are investments in information technologies paying off? How do we successfully manage the implementation of these new and complex systems? If you are a supplier of information technology, whether it be software or hardware, are there people in your organization who can help answer such questions? Do you have people who know business, understand technology, and have some feel for the pitfalls that occur when the two worlds collide? To fill the perceived gap, several universities have developed programs to produce these hybrid business managers with one foot in the business world and the other in the IT world.

3.
Jones  C. 《Computer》1995,28(6):86-87
If you were the vice president of software in a company with 10,000 software personnel, what would you do to make sure your software team had state-of-the-art tools and methodologies? At a more fundamental level, how would you and your staff even find out what they are and whether your current tools and methodologies are good, bad, or average? That is the crux of two major challenges to the software community: How do we evaluate tools and methods for effectiveness? How do we deploy better tools and methods once they have been identified? Unfortunately, the software industry lacks standard measurements and benchmarks for evaluating the effectiveness of programming tools and languages, design approaches, or almost any other kind of technology. Purchasing and acquisition decisions are often made on the basis of unsubstantiated vendor claims. Moreover, once a new tool or methodology is acquired, deployment is often slow. Tools are acquired without considering training needs, or if training is considered, it's not readily available due to schedule pressures.

4.
Patch Management
Imagine this scenario. As a security manager for your organization, your responsibilities include analyzing and applying patches to all Windows servers across the enterprise. Your process is going to each machine and manually evaluating what patches are missing and installing the most critical security patches as soon as possible. How long does this take? One hour per server? Two hours? Maybe more? How many patches are critical? How often do you do it? And, how many servers do you have? It doesn't take long to do the math to realize that keeping up with the most critical patches, let alone every patch that's released, may be a futile battle.

5.
Gray  W.D. 《Software, IEEE》1997,14(4):26-28
The issue here is not whether discount techniques should be used; they are inevitable. The issue is, in trying to do the best job you can with the ridiculously limited resources provided you, what should you do? How confident should you be in the techniques you are using? A bad design may come back and bite you. When you choose a technique to use in a hurry, you are placing your professional reputation and perhaps your job on the line. You deserve to know four things about any technique that you apply. The hit rate: How many real problems will this technique uncover? The false-alarm rate: How many (and what sorts) of things will it falsely identify as problems (that may not exist, but are costly and time consuming to "fix")? What does it miss? What types of problems (and how many) does this technique not discover? The correct rejections: How confident are you in your discount technique's ability to flag problems? Discount techniques are not a substitute for the potent combination of analytic and empirical methodologies that usability professionals can bring to bear in designing and evaluating an interface.

6.
Jon David 《Network Security》1996,1996(11):9-12
The opinion of many truly knowledgeable in the areas of security in general, and Internet security in particular, is that the only true security will come from full encryption. If the messages you send are encrypted, what does it matter if they are intercepted and viewed by unauthorized individuals? If an intruder breaks into your system or network and finds that all files are encrypted, what secrets will leak, what vital information can be altered without user knowledge? If your encryption algorithm is solid, and your encryption keys are both good (i.e. not readily guessed) and secure (i.e. not readily stolen — not written on a post-it note on your VDT, not written on the last page of your desk diary, not kept in a clear text file on your disk or sent in clear text on a LAN, etc.), and if you maintain complete, current and correct backups of all critical files (which you should certainly do, independent of any Internet connectivity), then at worst you may suffer inconveniences as a result of security breaches.

7.
How can you tell if an IT security product (or a product that includes security components) can secure your application? How can you be certain that a product will fully deliver on its claims that it will protect against malice in a deployed environment? Unfortunately, few vendors, and even fewer customers, can make these judgments. The article won't make you a security wizard, but it will give you a feel for what to look for in, and when to be concerned about, a vendor's claims. To ensure that a product has a chance of being secure, customers should check that vendors use adequate approaches in four primary areas. In order of importance (and maturity and availability), they are: quality-control (QC) mechanisms; cryptographic primitives; hardware assist mechanisms; and separation mechanisms.

8.
Dakin  K.J. 《Software, IEEE》1995,12(3):82-83
Before you push a key to load a program and display it on your monitor, ask yourself this question: "Do I have the power to use this program?" Using software requires power: not physical or electrical power, but the legal power of authorized use. If you are not the program's author or owner, you can only obtain this power through a license, a legal document that states your rights regarding use of the program. This may include the right to use or operate the program as an end user; modify the program through deletions, additions or enhancements as a value-added reseller or original equipment manufacturer; or transfer the program to another as an aggregator, distributor or retailer. If you do not have the appropriate legal power, then your conduct is illegal. If you know that you do not have the appropriate legal power, then your conduct, which amounts to software piracy, is criminal.

9.
Liu  S. Silverman  M. 《IT Professional》2001,3(1):27-32
As organizations search for more secure authentication methods for user access, e-commerce, and other security applications, biometrics is gaining increasing attention. But should your company use biometrics? And, if so, which ones should you use and how do you choose them? There is no one best biometric technology. Different applications require different biometrics. To select the right biometric for your situation, you will need to navigate through some complex vendor products and keep an eye on future developments in technology and standards. Your options have never been more diverse. After years of research and development, vendors now have several products to offer. Some are relatively immature, having only recently become commercially available, but even these can substantially improve your company's information security posture. We briefly describe some emerging biometric technologies to help guide your decision making.

10.
Ackerman  M.S. Starr  B. 《Computer》1996,29(6):37-42
Suppose you're a member of a few development teams, working with people who are geographically dispersed. You're using distributed groupware to work with your teammates. How do you decide when to work on a project and when to ignore requests to work on a project, when there are enough users on the groupware system to bother using it, who is available to answer a question, and which applications should get the most real estate on your screen? To help answer these questions, distributed groupware systems must indicate something about the social world they represent: who is on the system and what they are doing. User interfaces for groupware (or computer supported cooperative work (CSCW) applications) must therefore convey social information. It's energizing to know, for example, that your teammates are busy working away on a project. And it's nice to know when your friends or colleagues are available on a chat system. You might not need to know the semantics of the messages or documents involved, just that some activity is occurring. This is true for systems used by work groups as well as those used by an organization or a community of users. We think such social indicators should be a standard part of the CSCW user interface. On the basis of social psychology theory, we believe that a class of social indicator, which we call social activity indicators, is a simple, powerful way to improve user-interface functionality. Furthermore, social activity indicators are easy to build.

11.
Biometrics technology has come a long way from simpler forms of systems security. But are biometrics-based systems more secure, or do they simply require crackers to become more proficient at breaking into systems? To recognize your fingerprint requires that a template of your fingerprint actually be present in the system that verifies your access. If you want to pass as somebody else, presumably you'd have to either have that person's finger with you or you'd need to change the verifying template residing in the system that verifies your print. Cracking into a system and replacing a legitimate print with your own isn't easy to do unless the system's security is poor. While biometric proponents stress the strength of their proprietary technologies or biometrics in general, no system is ever completely secure. Contrary to what many biometric proponents would have us believe (that biometric security outclasses traditional forms of security), all biometric systems are, after all, another form of computer security with its own set of strengths and weaknesses. Biometrics effectively trade some amount of privacy and cost effectiveness for ultimate convenience, and these systems are certainly no less secure than standard password systems. Password systems are cheap. Complex biometric scanning equipment is usually expensive. But biometrics seems to be where the industry is headed.

12.
Abstract

Whether you subscribe to a professional code of conduct[1] or you just claim to be the "good guy" who is protecting the information assets of your organization, your colleagues, your employer, and those whose information you protect expect you to behave ethically. In this context, I use ethics to mean "the rules or standards governing the conduct of the members of a profession."[2] However, elements of its common use as a synonym for morals also apply. Ethical conduct includes both acts of commission and acts of omission. We have obligations to perform certain tasks and obligations not to perform others. Just as a soldier may be held to account for accepting an unlawful order, so may the information security professional be held to account for acceding to management requests if they would violate professional ethics. I have found, however, a wide diversity of opinion among people who assert professional status in our field.

13.
《Software, IEEE》2001,18(5):22-25
Whether you are benchmarking an organization or simply a project, it all boils down to one thing: data. Do you have the necessary data in your company, and is that data valid and comparable? How can you access data from other organizations? To help you answer these questions and avoid some common serious mistakes in the benchmarking process, the author has summarized her practical real-life experiences with software project data collection and benchmarking efforts in these guidelines.

14.
How do we protect systems? The answer is straightforward: each component must be evaluated independently and protected as necessary. Beware the easy answers, such as deploying stronger encryption while ignoring vulnerable end points; that's too much like looking under the streetlamp for lost keys, not because they're likely to be there but because it's an easy place to search. Remember, too, that people and processes are system components as well, and often the weakest ones—think about phishing, but also about legitimate emails that are structurally indistinguishable from phishing attacks. I'm not saying you should ignore one weakness because you can't afford to address another serious one—but in general, your defenses should be balanced. After that, of course, you have to evaluate the security of the entire system. Components interact, not always in benign ways, and there may be gaps you haven't filled.

15.
"Computer equipment is hard to choose, install, maintain, and, especially, operate" (Landauer 1995, The trouble with computers: usefulness, usability, and productivity). How many cables did you have to connect (and organise) before the personal office system was properly installed and put into use? How many set-up procedures and agreements did you have to complete before you could access your e-mail with your mobile phone or PDA? Did you lose any documents or applications when you replaced your old computer with a new one? Computers, mobile devices and information technology products are sometimes difficult to put into use because of the several operations required prior to their first use.

16.
ABSTRACT

To paraphrase Calvin Coolidge, the business of the Internet is business [1]. The more business done on the Internet, the more need for regulation of that business. Many of the existing government and industry regulations deal with security measures, and for that reason it's more important than ever to secure your company's IT infrastructure, no matter how large or small your company. Even if for some reason you're not subject to regulations, it's still a very good idea to secure your assets as if you were. At some point, your status might change, and besides, nobody wants to be hacked.

[1] Coolidge, C. (1925, January 17). The press under a free government. Given before the American Society of Newspaper Editors in Washington, DC. The quote is actually "After all, the chief business of the American people is business."

17.
《EDPACS》2013,47(8):20-24
Abstract

Security technology vendors relish throwing out numbers: We have "X" more pattern files or "Y" more algorithms than any other vendor. We have more [fill in this blank with your most-often-heard sales pitch] to make you more secure.

18.
Lawrence  S. 《Software, IEEE》1997,14(3):102-104
The software engineering literature is full of research reports that relate the conclusions of case studies, surveys, and formal experiments. But it is not always easy to tell which results apply to you. When results conflict, how do you know which study to believe? To understand how to sort through these studies, and decide if you should perform your own study, the author has put together the Non-Trivial Pursuits game board, which tells you when you have enough information to draw a valid conclusion about a relationship between factors. To begin, suppose your project team is interested in improving the quality of the code it produces. You want to determine what factors improve quality so that your team can use appropriate techniques or tools to generate better code. Your first attempt to find out what affects code quality is to examine population studies, in which characteristics of a large developer population are examined for associations among variables.

19.
Editor's Edition
Abstract

What the Securities and Exchange Commission (SEC) Division of Corporate Finance and Investment Management Staff thinks of the Year 2000 (Y2K) problem may help you convince your management to take this matter seriously. Staff Legal Bulletins generally foreshadow the future rulings of the agency. If your organization has an external audit firm that opines on the financial statements of your enterprise, then it should already have advised your senior management on this matter. The accounting implications, however, may not lead management to a greater understanding of the security issues. Financial audits may not require an understanding of your access control environment — at least not in depth. You may then face several challenges:
  • Access control software (system, network, and application layers) may have Y2K issues.

  • Audit logs and historical records on which you rely for incident investigations may have Y2K issues (and some of the measures used to correct the first bullet may cause the new logs to be incompatible with your historical logs, making reconstruction difficult; in some cases, the new product deletes, and even overwrites, old log files).

  • The process followed for correcting Y2K issues may bypass controls because time is short. This surrender to expedience opens a host of opportunities for abuse. Regaining control in the year 2000 may pose its own challenges.

  • What will either be, or appear to be, Y2K-related failures will provide a smokescreen for unauthorized activities.

  • Heavy reliance on outside consultants, contractors, outsourcers, and vendors of replacement or upgraded products will further burden your security administrators. Administrators will face increased user-identifier maintenance, resource access rules changes, and possibly, architectural changes affecting the security products themselves. Few organizations have properly budgeted for additional help here.

20.
SPEC CPU2000: measuring CPU performance in the New Millennium   Total citations: 1, self-citations: 0, citations by others: 1
Henning  J.L. 《Computer》2000,33(7):28-35
As computers and software have become more powerful, it seems almost human nature to want the biggest and fastest toy you can afford. But how do you know if your toy is tops? Even if your application never does any I/O, it's not just the speed of the CPU that dictates performance. Cache, main memory, and compilers also play a role. Software applications also have differing performance requirements. So whom do you trust to provide this information? The Standard Performance Evaluation Corporation (SPEC) is a nonprofit consortium whose members include hardware vendors, software vendors, universities, customers, and consultants. SPEC's mission is to develop technically credible and objective component- and system-level benchmarks for multiple operating systems and environments, including high-performance numeric computing, Web servers, and graphical subsystems. On 30 June 2000, SPEC retired the CPU95 benchmark suite. Its replacement is CPU2000, a new CPU benchmark suite with 19 applications that have never before been in a SPEC CPU suite. The article discusses how SPEC developed this benchmark suite and what the benchmarks do.

Copyright © Beijing Qinyun Technology Development Co., Ltd. (北京勤云科技发展有限公司)