
QOTD - Spafford on Infosec as a Profession

The real value chance for advancement and chance to make a difference is in treating this really as a profession [...] It's very similar to what one might encounter in becoming a doctor, lawyer or college professor, where you have to devote yourself to life-long education and development and continuing to hone your skills. Part of being a professional is to actually continue to improve in what you're doing, rather than treating it simply as a job [...] I think it's time to also make the distinction between having a job and being part of a profession. Training will get you a job. Education - especially ongoing education - is part of being a professional and that's where I think the future really lies for many people in this field.
-- Professor Eugene H. Spafford, Executive Director, CERIAS at Purdue University

Note: emphasis is mine.

Src: Infosec Careers: The New Demands (see page 3 for actual quote)

QOTD - Shostack on Infosec & Oil Platform Engineering

Replying to a series of posts on the Security Metrics mailing list about whether information security is (or can aspire to become) an art, a science, or an engineering discipline, Adam Shostack, author of The New School of Information Security, wrote:
I think we're more like oil platform engineers than bridge engineers. Our mistakes are hidden, hard to estimate, and residue is turning up in unexpected places.
Note: posted with author's permission

QOTD - Spaf on InfoSec R&D Funding

Security is an ongoing effort against those who make continuing attacks against us, in a domain where innovation and change have been accelerating. We cannot hope to succeed if we take small steps, fail to provide continuous emphasis, and focus solely on finding cheap solutions to problems in 60-90 days; our adversaries are not acting this way, and we are already behind in several important areas.
[...]
It has been repeatedly noted in reports, testimony, and community gatherings that current cyber-security research is largely incremental. This evolutionary rather than revolutionary approach has prevented true leaps ahead in the technology. Thus, we continue to deal with legacy issues such as computer viruses and buffer overflows on a seemingly endless basis.
-- Dr. Eugene Spafford, Two Proposals on Cyber Security Research
Src: http://transfer.spaf.us/is-prop.pdf

QOTD - Geer on Evolution

The central tenet of the theory of evolution is that the changes which determine fitness are responses to threats imposed on the organism from the outside, that survival pressure forces change, but that only some changes aid survival. The threats are threats because they are new; technically, the appearance of a new survival threat is known as a punctuated equilibrium. All of us in the security field owe our jobs to one of these equilibrium punctuations: the sudden exposure of all computers to widely interconnected networks (the near simultaneous arrival of the first browser and the first network stack in Windows).
[...]
The equilibrium punctuation, the paradigm shift that is already here, is that data is now king. Yes, Moore’s Law still holds – every eighteen months a dollar buys twice what it did before – but a dollar buys twice as much storage about every twelve months and back in the lab they are doubling bandwidth about every nine. Every decade, that is two orders of magnitude for computing, three for storage, and four for bandwidth. The future of computing is, thus, all about data in motion. Data’s value and risk overtook the value and risk of networks and infrastructure; data punctuated the equilibrium of security management. To retain the former paradigm is to fail to evolve, and failing to evolve is a dead end.
-- Dan Geer, Chief Scientist Emeritus at Verdasys
Please, go read the whole article, it is well worth it!

Note: emphasis is mine.

Src: The Enterprise Information Protection Paradigm | TMCNet.com

Academia and Risk Management

The Association of Governing Boards (AGB), an association focusing on governance and leadership issues in higher education, has recently released a report entitled "The State of Enterprise Risk Management at Colleges and Universities Today." Based on a survey of more than 600 respondents (in June 2008), the report covers "attitudes, practices and policies regarding enterprise risk management among American colleges and universities." The AGB's site also hosts a two-page document called "Enterprise Risk Management: Best Practices for Boards, Presidents, and Chancellors," with an accompanying (simple) worksheet covering the most basic types of risk in higher ed. All of these documents are also contained in the report.

The report provides valuable action items for university leaders and board members. Most of the recommendations include the need to define one's risk appetite and engage in a systematic and comprehensive, regular risk assessment.

Unfortunately, in my opinion, the effect of looming cuts from most state budgets will mean that this report and its recommendations will be ignored by most institutions until an "incident" forces them to rethink their position.

Src: Research Agenda | Association of Governing Boards

QOTD - Spafford on the security conundrum

No individual business is facing huge losses necessarily, but collectively we are facing just unimaginable losses, but nobody is willing to pay the cost up front for what is necessary to solve the problem in the longer term.

The problem is that we generally only respond to crisis. And the kinds of problems that we are seeing in the whole information security arena is not a spot crisis; it is a growing community problem. So when we are talking tens of billions of dollars of loss every year in intellectual property theft, fraud, unnecessary or over-expenditure on security goods and services, and various other kinds of problems, that cost is not borne by any single entity, but it is borne by everyone. This results in a huge friction on the economy. It is definitely a loss to society. But no one feels it enough that they are willing to make the investment and the sacrifices to move forward. The government might play a role in this, and one way would be to phase in some liability on operators and vendors for obviously making poor choices.
-- Prof. Eugene Spafford, Purdue University
Src: The State of Information Assurance Education 2009: Prof. Eugene Spafford, Purdue University

Corrupted Word Files for Sale - Educators Beware

Educators take note: if your students are sending you MS Word files that are corrupted, it may have been done on purpose to buy more time to complete the work.

Src: Corrupted Word Files for Sale | Schneier on Security

The End of the University as We Know It

Graduate education is the Detroit of higher learning. Most graduate programs in American universities produce a product for which there is no market (candidates for teaching positions that do not exist) and develop skills for which there is diminishing demand (research in subfields within subfields and publication in journals read by no one other than a few like-minded colleagues), all at a rapidly rising cost (sometimes well over $100,000 in student loans).
I agree wholeheartedly. Traditional academia is a dinosaur on its way towards extinction. If you were to look around various institutions, you would find that most faculty are incapable of functioning outside of the bubble of the ivory tower as they often lack "real-world skills" that the marketplace requires.

What's this gotta do with Information Security, you may ask? In areas such as Computer Science and Information Technology, faculty often teach classes without spending much time (if any) discussing the implications of writing insecure code. How could they, when they themselves lack the interest and/or motivation to embrace information security?
Once tenure has been granted, there is no leverage to encourage a professor to continue to develop professionally or to require him or her to assume responsibilities like administration and student advising...
Colleges and universities should be able to reward researchers, scholars and teachers who continue to evolve and remain productive while also making room for young people with new ideas and skills.
My own career path has been markedly different from that of the traditional faculty. I consider myself a hybrid, one equally at ease talking with ivory-tower colleagues, but also very much at ease interacting with fellow information security practitioners or business executives. I do not view my Ph.D. as a "terminal degree." Instead, I view it as a lifelong commitment to learning, as evidenced by my later accomplishments including several leading certifications and engagements within the field of InfoSec.

Src: Op-Ed Contributor - End the University as We Know It | NYTimes.com [tx to the other Dr. Veltsos for this link]

Stolen computer at UT exposes data on 24K students and 450 faculty

An apparent break-in at an office in the College of Arts and Sciences at the University of Toledo, Ohio, yielded more than just a computer: university officials will also be notifying 24,000 students about FERPA data exposure (student ID # and grades). More troubling is that the stolen computer also had data on 450 faculty, including names, birth dates and SSNs.

As is unfortunately too common across most colleges/universities,
The personal data was saved on the computer itself and not on the university's network, which officials are encouraging staff to do.
A university official claimed that the "computer was password protected and many of the files were specifically encrypted or individually password protected." However, as security professionals caution, relying on "password-protected" documents (i.e. MS Word, MS Excel, PDFs) is not considered strong protection, since this "protection" can easily be cracked or bypassed.

Src: Stolen computer at UT contains personal information of students, faculty

Rethinking computing insanity, practice and research

Gene Spafford provides a historical perspective and commentary about the state of cyber-security research.
The current cyber security landscape is a major battlefield. We are under constant attack from criminals, vandals, and professional agents of governments.
Src: Rethinking computing insanity, practice and research | CERIAS | Purdue

Software-Generated Paper Accepted At IEEE Conference

The field of Computer-related publications has become saturated with mediocre papers presented at a multitude of obscure conferences that are nothing but a Ponzi scheme for the associations behind them, often charging speakers upward of $600 for the "privilege" of presenting their research. The work of these MIT students has exposed several conferences that accepted fake (computer-generated and senseless) papers.

Instead of focusing on writing papers that no one will ever read, researchers in the computer field should take a cue from their security colleagues and focus on research projects that make a difference and truly advance the profession, even at the risk of being labeled FUD.

It's time for academia to once again find its focus and voice. Instead of trying to compete with the MITs and Purdues of this world, teaching institutions (i.e. those below "tier one") should focus on what they are best at: teaching.

Src: Software-Generated Paper Accepted At IEEE Conference | Slashdot