
1 Cybersecurity Today and Tomorrow
Pages 1-16

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 1...
... has examined various dimensions of computer and network security and vulnerability, it decided to revisit reports relevant to cybersecurity issued over the last decade. In some instances, security issues were the primary focus of a report from the start (see, for example, (1)
From page 2...
... and various legal issues associated with protecting critical infrastructure (2001). Though the most recent of the comprehensive reports was issued 2 years ago and the earliest 11 years ago, not much has changed with respect to security as it is practiced, notwithstanding further evolution of the public policy framework and an increase in our perception of the risks involved.
From page 3...
... In general, accidental causes are natural (e.g., a lightning surge that destroys a power supply in a network that causes part of the network to fail) or human but nondeliberate (e.g., an accidental program
Footnote 8: The President's Commission on Critical Infrastructure Protection included under the rubric of "critical infrastructure" telecommunications, electric power systems, gas and oil production and storage, banking and finance, transportation, water supply systems, government services, and emergency services.
From page 4...
... Footnote 11: A particularly insidious "accidental" problem arises because of the fact that the precise software configuration on any operational system (including applications, device drivers, and system patches) has almost certainly not been tested for security: there are simply too many possible configurations to test more than a small fraction explicitly.
From page 5...
... ) resulted in major network outages, and the severe damage to a Verizon central office in the World Trade Center attack on September 11, 2001.
From page 6...
... In this lexicon, a system that allows computer viruses to replicate or unauthorized users to gain access exhibits vulnerabilities. The creator of the virus or the unauthorized user is the threat to the system.
From page 7...
... · The best is the enemy of the good. Risk management is an essential element of any realistic strategy for dealing with security issues (2-6).
From page 8...
... Organizations that are attacked prefer to conceal attacks, because publicity may undermine public confidence, disclose adverse information, and make managers look bad. Weighing these costs and benefits should be a public policy issue, but so far the commercial and face-saving concerns of targets have dominated, and there is no effective reporting.
From page 9...
... That is, users and operators must be held responsible by management for taking all appropriate security measures; one cannot count on financial and market incentives alone to drive appropriate action (1,3-6). Many security problems exist not because a fix is unknown but because some responsible party has not implemented a known fix.
From page 10...
... · Since perfect security is impossible, secure configurations need to be updated when new attacks are discovered. These updates need to be delivered automatically to millions of systems (4,7).16
· Organizations must have concrete fallback action plans that instruct users and administrators about what they should do under condi-
Footnote 16: On the other hand, there is a nontrivial chance that updates will diminish existing and needed functionality, and people are sometimes reluctant to apply updates because they fear instigating system instability.
From page 11...
... · While cryptography is not a magic bullet for security problems, it
Footnote 17: Note that one fundamental difference between risks in the physical world and risks in cyberspace is the existence of an extensive actuarial database for the former that enables organizations to assess the payoff from investments to deal with those risks. By comparison, operations in cyberspace are new and continually evolving, and risks in cyberspace are not well understood by the insurance industry.
From page 12...
... However, it is entirely vulnerable if a hostile party gains access to a system inside the perimeter or compromises a single authorized user. Another approach to network security is mutual suspicion: Every system within a critical network regards every other system as a potential source of threat.
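The contrast between perimeter trust and mutual suspicion can be made concrete with a small model. The following is an added example, not code from the CSTB report: it models a perimeter check that trusts any source address inside the network, beside a mutual-suspicion check in which each service verifies the caller's identity with a per-service key and then consults a least-privilege policy. The host names, keys, policy and IP range are constructed for illustration. The scenario is the one the excerpt describes: an attacker has compromised a single host inside the perimeter.

```python
"""Perimeter trust vs. mutual suspicion, modelled as two authorization checks.

Constructed example: service names, keys, policy and addresses are
hypothetical and do not come from the CSTB report.
"""
import hashlib
import hmac
import secrets

# Constructed: any source address under this prefix is "inside the perimeter".
INTERNAL_NET = "10.0.0."

# Constructed per-service secrets. In a real deployment each workload would
# hold its own credential (e.g. a certificate); none is shared between hosts.
SERVICE_KEYS = {
    "web": secrets.token_bytes(32),
    "hr-app": secrets.token_bytes(32),
    "payroll-db": secrets.token_bytes(32),
}

# Constructed least-privilege policy: (caller, target) pairs that are allowed.
POLICY = {
    ("web", "hr-app"),
    ("hr-app", "payroll-db"),
}


def perimeter_authorize(src_ip: str, target: str) -> bool:
    """Perimeter model: anything inside the network may reach any target."""
    return src_ip.startswith(INTERNAL_NET)


def _message(caller: str, target: str, body: bytes) -> bytes:
    # Bind caller, target and body together so none can be swapped after signing.
    return caller.encode() + b"\x00" + target.encode() + b"\x00" + body


def sign_request(caller: str, key: bytes, target: str, body: bytes) -> dict:
    """Caller attaches an HMAC-SHA256 over (caller, target, body) using its key."""
    mac = hmac.new(key, _message(caller, target, body), hashlib.sha256).hexdigest()
    return {"caller": caller, "target": target, "body": body, "mac": mac}


def mutual_suspicion_authorize(request: dict, known_keys: dict, policy: set) -> bool:
    """Mutual-suspicion model: the target verifies who is calling, then whether
    that identity is permitted, regardless of where the packet came from."""
    caller, target = request["caller"], request["target"]
    key = known_keys.get(caller)
    if key is None:
        return False  # unknown identity
    expected = hmac.new(key, _message(caller, target, request["body"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request["mac"]):
        return False  # forged identity or tampered request
    return (caller, target) in policy


def compromised_web_host_scenario() -> dict:
    """An attacker controls 'web' (inside the perimeter, holding only web's key)
    and tries to read payroll-db. Returns each model's decision."""
    attacker_ip = "10.0.0.15"
    web_key = SERVICE_KEYS["web"]
    query = b"SELECT * FROM salaries"
    as_web = sign_request("web", web_key, "payroll-db", query)
    # Attacker claims to be hr-app but can only sign with web's key.
    as_forged_hr_app = sign_request("hr-app", web_key, "payroll-db", query)
    legit = sign_request("hr-app", SERVICE_KEYS["hr-app"], "payroll-db", query)
    return {
        "perimeter": perimeter_authorize(attacker_ip, "payroll-db"),
        "mutual_as_web": mutual_suspicion_authorize(as_web, SERVICE_KEYS, POLICY),
        "mutual_as_forged_hr_app": mutual_suspicion_authorize(as_forged_hr_app, SERVICE_KEYS, POLICY),
        "mutual_legit_hr_app": mutual_suspicion_authorize(legit, SERVICE_KEYS, POLICY),
    }


if __name__ == "__main__":
    for name, decision in compromised_web_host_scenario().items():
        print(f"{name}: {'allowed' if decision else 'denied'}")
```

The perimeter check lets the compromised host reach payroll-db because its address is internal; the mutual-suspicion check denies it both as itself (no policy entry) and when it impersonates hr-app (the MAC does not verify). The caveat the model also shows: the compromised host keeps whatever access its own identity legitimately has (web may still call hr-app), so mutual suspicion bounds the damage from one compromised system rather than eliminating it.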
From page 13...
... · Mandate the organization-wide use of currently available network/configuration management tools, and demand better tools from vendors (3,5,6).
· Mandate the use of strong authentication mechanisms to protect sensitive or critical information and systems (3,5,6).
From page 14...
... · Strengthen software development processes and conduct more rigorous testing of software and systems for security flaws, doing so before releasing products rather than using customers as implicit beta testers to shake out security flaws (4).18 Changing this mind-set is one necessary element of an improved cybersecurity posture.
Policy Makers
Policy makers should:
· Consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge.
From page 15...
... Given the failure of the market to address security challenges adequately, government support for such research is especially important.
From page 16...
... 2 Excerpts from Earlier CSTB Reports
This chapter contains excerpts from three CSTB reports: Computers at Risk (1991), Realizing the Potential of C4I (1999)


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.