Trust in Cyberspace: Difference between revisions

From Cybersecurity Wiki
(20 intermediate revisions by the same user not shown)
==Categorization==

* Resource by Type: [[Independent Reports]]
* Overview: [[Independent Reports]]
* Threats and Actors: [[Telephone]]; [[Military Networks (.mil)]]; [[Public Data Networks]]
* Issues: [[Incentives]]; [[Public-Private Cooperation]]; [[Risk Management and Investment]]
* Approaches: [[Government Organizations]]


==Key Words==
[[Keyword_Index_and_Glossary_of_Core_Ideas#Computer_Network_Attack | Computer Network Attack]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#COTS_Software | COTS Software]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Security_as_an_Externality | Cyber Security as an Externality]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Security_as_a_Public_Good | Cyber Security as a Public Good]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#DDoS_Attack | Denial of Service Attack]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Interdependencies | Interdependencies]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Research_&_Development | Research & Development]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Risk_Modeling | Risk Modeling]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#SCADA_Systems | SCADA Systems]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Software_Vulnerability | Software Vulnerability]]


==Synopsis==

This book, edited by a study committee convened by the Computer Science and Telecommunications Board (CSTB) of the National Research Council, provides an assessment of the current state-of-the-art procedures for building trustworthy networked information systems. It proposes directions for research in computer and network security, software technology, and system architecture. In addition, the book assesses current technical and market trends in order to better inform public policy as to where progress is likely and where incentives could help.

<blockquote>
To be labeled as trustworthy, a system not only must behave as expected but also must reinforce the belief that it will continue to produce expected behavior and will not be susceptible to subversion. The question of how to achieve assurance has been the target of several research programs sponsored by the Department of Defense and others. Yet currently practiced and proposed approaches for establishing assurance are still imperfect and/or impractical. Testing can demonstrate only that a flaw exists, not that all flaws have been found; deductive and analytical methods are practical only for certain small systems or specific properties. Moreover, all existing assurance methods are predicated on an unrealistic assumption—that system designers and implementers know what it means for a system to be “correct” before and during development. The study committee believes that progress in assurance for the foreseeable future will most likely come from figuring out (1) how to combine multiple approaches and (2) how best to leverage add-on technologies and other approaches to enhance existing imperfect systems. Improved assurance, without any pretense of establishing a certain or a quantifiable level of assurance, should be the aim.
</blockquote>

The two likely building blocks of any networked information system are the telephone network and the Internet. The strengths and vulnerabilities of the Public Telephone Network (PTN) are:
* Attacks on the telephone network have, for the most part, been directed at perpetrating billing fraud. The frequency of attacks is increasing, and the potential for more disruptive attacks, with harassment and eavesdropping as goals, is growing.
* Better protection is needed for the many number translation and other databases used in the PTN.
* SS7 was designed for a closed community of telephone companies. Deregulation has changed the operational environment and created opportunities for insider attacks against this system, which is fundamental to the operation of the PTN.
* Telephone companies need to enhance the firewalls between operations support systems (OSSs) and the Internet, and safeguard the physical security of their facilities.

Current Internet issues are:
* New countermeasures for name server attacks are needed that work well in large-scale, heterogeneous environments.
* Cryptography, while not in itself sufficient, is essential to the protection of both the Internet and its end points. Wider deployment of cryptography is needed. Algorithms for authentication only are largely free from export and usage restrictions, yet they can go a long way toward helping.
* Cryptographic mechanisms to secure the DNS do exist; however, deployment to date has been limited.
* No effective means exist to secure routing protocols, especially on backbone routers. Research in this area is urgently needed.
* Attacks that result in denial of service are increasingly common. Wider use of updated software and patches, new product development, and better software engineering are needed to deal with this problem.

As NISs become more ubiquitous, applications are migrating from custom-written mainframe software to web applications using commercial software:

<blockquote>
Market conditions today strongly favor the use of commercial off-the-shelf (COTS) components over custom-built solutions, in part because COTS technology is relatively inexpensive to acquire. The COTS market’s earliest entrants can gain a substantial advantage, so COTS producers are less inclined to include trustworthiness functionality, which they believe can cause delay. COTS producers are also reluctant to include in their products mechanisms to support trustworthiness (and especially security) that can make systems harder to configure or use. While today’s market for system trustworthiness is bigger than that of a decade ago, the market remains small, reflecting current circumstances and perceptions: to date, publicized trustworthiness breaches have not been catastrophic, and consumers have been able to cope with or recover from the incidents. Thus, existing trustworthiness solutions—though needed—are not being widely deployed because often they cannot be justified.
</blockquote>

Trust in Cyberspace offers insights into:
* The implications for trustworthiness of anticipated developments in hardware and software technology, including the consequences of mobile code.
* The shifts in security technology and research resulting from replacing centralized mainframes with networks of computers.
* The heightened concern for integrity and availability where once only secrecy mattered.
* The way in which federal research funding levels and practices have affected the evolution and current state of the science and technology base in this area.

===Key Findings:===
* The public telephone network (PTN) is increasingly dependent on software and databases that constitute new points of vulnerability. Business decisions are also creating new points of vulnerability. Protective measures need to be developed and implemented.
* In some respects, the Internet is becoming more secure as its protocols are improved and as security measures are more widely deployed at higher levels of the protocol stack. However, the increasing complexity of the Internet’s infrastructure contributes to its increasing vulnerability. The end points (hosts) of the Internet continue to be vulnerable. As a consequence, the Internet is ready for some business use, but abandoning the PTN for the Internet would not be prudent for most. The Internet is too susceptible to attacks and outages to be a viable basis for controlling critical infrastructures. Existing technologies could be deployed to improve the trustworthiness of the Internet, although many questions about what measures would suffice do not currently have answers because good basic data (e.g., on Internet outages) is scant.
* Operational errors represent a major source of outages for the PTN and the Internet. Some of these errors could be prevented by implementing known techniques, whereas others require research to develop preventative measures.
* The design of trustworthy networked information systems (NISs) presents profound challenges for system architecture and project planning. Little is understood, and this lack of understanding ultimately compromises trustworthiness.
* To develop an NIS, subsystems must be integrated, but little is known about doing this. In recent years, academic researchers have directed their focus away from large-scale integration problems; this trend must be reversed.
* It is clear that networked information systems will include commercial off-the-shelf (COTS) components into the foreseeable future. However, the relationship between the use of COTS components and NIS trustworthiness is unclear. Greater attention must be directed toward improving our understanding of this relationship.
* Although there are accepted processes for component design and implementation, the novel characteristics of NISs raise questions about the utility of these processes. Modern programming languages include features that promote trustworthiness, and the potential may exist for further gains from research.
* Formal methods are being used with success in commercial and industrial settings for hardware development and requirements analysis and with some success for software development. Increased support for both fundamental research and demonstration exercises is warranted.
* Security research during the past few decades has been based on formal policy models that focus on protecting information from unauthorized access by specifying which users should have access to data or other system objects. It is time to challenge this paradigm of “absolute security” and move toward a model built on three axioms of insecurity: insecurity exists; insecurity cannot be destroyed; and insecurity can be moved around.
* Cryptographic authentication and the use of hardware tokens are promising avenues for implementing authentication.
* Obstacles exist to more widespread deployment of key management technology, and there has been little experience with public-key infrastructures, especially large-scale ones.
* Because NISs are distributed systems, network access control mechanisms play a central role in the security of NISs. Virtual private networks and firewalls have proven to be promising technologies and deserve greater attention in the future.
* In its necessary efforts to pursue partnerships, the federal government also needs to work to develop trust in its relationships with the private sector, with some emphasis on U.S.-based firms.
* The National Security Agency’s (NSA) organization must increase its efforts devoted to outreach and recruitment and retention issues.
* Defense Advanced Research Projects Agency (DARPA) is generally effective in its interactions with the research community, but DARPA needs to increase its focus on information security and NIS trustworthiness research, especially with regard to long-term research efforts.
* An increase in expenditures for research in information security and NIS trustworthiness is warranted.


==Additional Notes and Highlights==

Expertise Required: Technology - Moderate

Latest revision as of 16:12, 23 July 2010

Full Title of Reference

Trust in Cyberspace

Full Citation

Nat'l Research Council, Trust in Cyberspace (Fred B. Schneider ed., National Academy Press 1999). Web
