Issue No.06 - November/December (2011 vol.9)
Published by the IEEE Computer Society
William Arbaugh , University of Maryland
Deborah A. Frincke , US Department of Defense
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.166
All computers today operate in a hostile environment. The only difference between large enterprises, small businesses, governments, and home users is the degree of hostility faced. How we deal with these threats and what we do to improve the situation are vitally important to our future. This issue tackles some of the salient points from how we create these problems ourselves to what we can do to mitigate threats.
Information security breaches, or the sexier-sounding "cyberattacks," have become common, almost routine at this point. The popular press frequently reports about the compromise of Fortune 100 companies and governments by unknown assailants. What's not reported, however, is that small businesses
and home users are equally targeted—for different reasons, but still targeted.
The Internet is essentially now the Wild West, and the majority of us are bringing a butter knife to a gun fight. If presumably sophisticated users, such as governments and Fortune 100 companies, are falling prey, how can the rest of us survive? Unfortunately, there's no silver-bullet answer.
The traditional information security approach is grounded in mathematics and sound engineering practice—building a strong trusted base and extending it vertically. Although this approach works in theory, it's impractical. The costs and development time are usually too high. Worse, the usability of these highly secure systems tends to be wanting. They often don't take into account that people must use these systems—people who might not have any engineering or security training.
A number of forces other than technology impact system security, such as dual use, complacent and poorly educated users, and mission priority. For instance, a purely technical approach doesn't take into account that even mission-critical information systems are sometimes used for entertainment purposes. Users often log in to Facebook and YouTube during the workday. They might check their private email accounts at Gmail, Yahoo, or Hotmail. The use of mission-critical information systems for personal use, while often prohibited, is common, and this dual use of systems opens the door to a wide variety of threats. The manner in which we use our information systems for both mission-critical activities and entertainment is directly at odds with the notion of separation of duties wherein each system component performs one or more well-defined critical tasks.
The biggest negative force affecting security by far is us—the users. Study after study demonstrates our complacency. Mission always trumps security. If security gets in the way of completing an important task, we find a way around the security or just turn it off. This special issue of IEEE Security & Privacy digs deeper into how we deal with and create the insecurity that we live with on a daily basis. In many ways it's a game of cat and mouse. Every action of defenders results in a reaction by attackers, and vice versa. Do we get ahead of this vicious cycle, or do we learn to live with and adapt to the everyday risks? Sadly, we can't cover this topic as completely as we'd like. However, the articles in this issue cover several of the salient points in our struggle.
Rosa R. Heckle examines this problem with a case study at a regional hospital. In "Security Dilemma: Healthcare Clinicians at Work," she concludes that healthcare providers will always choose the patient's well-being over security. Although the study results aren't surprising, they do raise an important and difficult question—how do we keep a system secure while letting users bypass enforcement at critical times?
In "Security Risk Management Using Incentives," Debin Liu and his colleagues address this problem directly, combining psychology and technology to create a new access control. The authors use a bit of judo on users—rather than forcing the users to accept a new technology, which at times users ignore or bypass, they create a risk/reward environment to help guide user decisions.
Continuing this theme, Antonio Manuel Fern´ndez Villamor and Juan C. Yelmo discuss one notion of how ISPs might help oversee users' activity, protecting and guiding them, in "Helping Users Deal with Digital Threats: The Online User Supervision Architecture." This approach might not appeal to some. The notion of a third party—even a trusted one—watching your online activity is troublesome to many. Others might want the help. However, the ideas the authors present are thought provoking.
Turning toward the more technical end of living with insecurity, in "Securing Collaborative Intrusion Detection Systems," Steven Cheung describes how collaborative intrusion detection systems (CIDSs) can become more resilient to statistical poisoning (adversaries feeding false information to systems to hide their activities). CIDSs attempt to operate like an Internet Center for Disease Control, grouping the data from local sensors to detect wide-scale attacks. Unfortunately, adversaries have learned to socially engineer the technology that is attempting to detect them. Cheung provides several approaches to eliminate these problems.
Continuing with technical notions of living with insecurity, Simson L. Garfinkel and George Dinolt present an approach to remediate systems until they can be recovered completely in "Operations with Degraded Security." Garfinkel and Dinolt take an approach from mitigating denial-of-service attacks and apply the ideas to help provide operations in several common enterprise scenarios.
We conclude with a look toward the future of cloud computing. We haven't been able to withstand the threat in our enterprise and home networks, and as a result, we're living each day in insecurity. Many believe that cloud computing is the answer to our problems, whereas others believe it will only exacerbate our existing challenges and create a big juicy target for adversaries. The impact that cloud computing will have on living with insecurity remains to be seen. In our final article, Joel Weis and Jim Alves-Foss discuss the pros and cons of database as a service in "Securing Database as a Service: Issues and Compromises." No matter what your position on cloud computing's effects on security is, you'll find the article interesting.
Although we can debate the problems and solutions, we can't deny the fact that every one of us is now living with insecurity at work, at home, and on the road with our smartphones and tablets. We have to wonder if insecurity is like a balloon—no matter where we make progress and push on the balloon, it will expand elsewhere. Perhaps one day someone will propose a conservation of insecurity law, and we'll finally understand how to measure and tolerate the insecurity that we live with daily.
Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.
William Arbaugh is an associate professor of computer science at the University of Maryland, College Park. Contact him at email@example.com.
Deborah A. Frincke is deputy director for research at the US Department of Defense. Contact her at firstname.lastname@example.org.