
The Goals and Limitations of Information Security

As Information Security begins to come of age, many companies are realizing that security is a process rather than simply a matter of deploying technical tools. There are no tools or practices which, once implemented, make us secure. These tools are a step in the continuous process of securing information. Our goal in being involved in information security is to guide and nurture this process. We begin with analysis of security needs, proceed to implementation of preventive measures, follow up with detection and monitoring, and end by repeating the cycle. While we as individuals may be involved in only a short period of the security process, our goal should be to execute that piece in the most effective manner possible and also to create the necessary interfaces so that the preceding and following pieces may also be effective.

Identifying limitations is sometimes the most effective way of stating a goal, especially in a broad field such as security. No preventive method of security is 100% effective. No forensic method of security detects 100% of attacks. No auditing method of security detects 100% of the risks. Marcus Ranum, considered by many to be the "father of firewalls," now makes intrusion detection and forensic analysis tools. If firewalls were 100% effective in preventing unauthorized access, what need is there for intrusion detection? It seems that even experienced pioneers in firewall technology like Marcus Ranum know that they are not 100% effective.

In general, those trying to secure information have the chips stacked against them. A common axiom in information security is: "They can make as many mistakes as they want; you can make only one." The typical network and the people trying to secure it are far outnumbered by thieves, vandals, and saboteurs. Collectively, the enemy has more time and resources. As such, we cannot hope to be completely secure all of the time. A television interview with a successful system cracker, who was less successful at avoiding capture, illustrates this mismatch. First, the attacker did not describe himself as a networking wizard. He explained matter-of-factly that he was "no virtuoso" and simply found tools and had the time to hammer on these systems until they cracked. Second, and perhaps more foreboding, when asked how long he was on the computer in a typical day, his answer was twelve hours. That is twelve hours of most days this young man spent brute-force attacking these systems. He was not caught by technical means either. He was caught using traditional investigative techniques, because he leaked information in the very web page defacements he executed. His last breach before going to jail, and even after an FBI raid on his home? The White House web page.

Therefore, our goal is to minimize the possibility of successful attacks, detect the attacks if they occur or cannot be prevented effectively, control the possible damage, and react appropriately. An effective agent of security should have no problem finding things to do to increase security. The difficulty facing that agent is choosing which action to take. Each of us has only a limited number of hours in the day and a limited base of knowledge, skill, and wisdom. We can perform only a limited set of these steps to increase security. The goal of this course is to build a methodology for consistently choosing a set of actions that maximizes security effectiveness.

2001-2003 by Itillious, Inc. All Rights Reserved.