eWEEK Commentary
Off the Cuff
Combating the plague of insecurity
By Peter Coffee
March 1, 2000 2:14 PM ET

REDMOND, Wash. -- While meeting Tuesday morning with PC Week's Corporate Partner advisory board and a team of Microsoft's Windows 2000 security engineers, I suddenly found the words to describe the fatal flaw in almost every current approach to securing our enterprise information systems.

Coincidentally, in the month just ended, the publication of an MIT PhD thesis gives us an opportunity to look at new ways of closing this enormous gap in our defenses.

Most security solutions have no power to guard against the acts of authorized users. It may seem self-evident that authorized users are the clients, not the targets, of information security technologies, but fraud and abuse are most often committed by persons authorized to access or modify data as part of their jobs.

If you've already spent, hypothetically, a million dollars protecting a system against intrusion or attack, and someone offers to double your security budget, it's far from clear that the added million dollars should go into added protection against outside threats. The unmitigated risks are more likely to lie within, but how can one reduce them?

On the Internet, information risk is a paradox. There is risk in aggregation: A person who steals 100,000 credit card numbers in a single act is a bigger problem than a person who steals a waste-basket's worth of carelessly discarded receipts. But there is also risk in isolation: A user may be able to frame a query about average salary for a group of employees, defining group criteria so that a single employee's salary can be deduced from the results -- even though the inquiring user is not supposed to have access to other individuals' information.

The fleas on the rats

It's a losing battle to attempt the containment of information risk by application- or component-focused campaigns of design review and source code audit. To do this, as I said in our meeting at Microsoft, is to try to keep track of the fleas on the rats that carry the plague of insecurity.

The owner of a system must be able to articulate policies such as, "A user may not issue a query that returns a result set (or its statistical aggregate) that includes the salary field but has only one member." Policies must be relatively few in number and automatically applied across entire populations of applications and users -- as opposed to present-day reliance on every link in every separate chain of data, application and user privilege configuration.
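The policy quoted above, a minimum result-set size for aggregates over a sensitive field, is concrete enough to show in code. The following is an added example, not code from the column or from any product it mentions: a constructed four-row employee table, a hypothetical `run_query` entry point that applies the set-size rule before releasing an average, and the column's own salary scenario run through it (one query over a whole department is answered; a query whose criteria isolate a single manager is refused). `MIN_SET_SIZE`, `SENSITIVE_FIELDS` and the `PolicyViolation` type are assumptions of this example.

```python
"""Added example: a minimum-set-size policy on aggregate queries.

Constructed to illustrate the column's policy "a query that returns a
result set (or its statistical aggregate) that includes the salary field
must have more than one member".  Not code from the column.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    name: str
    dept: str
    title: str
    salary: int


# Constructed sample data: four employees across two departments.
EMPLOYEES = [
    Employee("Ann", "engineering", "engineer", 90_000),
    Employee("Bob", "engineering", "engineer", 80_000),
    Employee("Cara", "engineering", "manager", 120_000),
    Employee("Dan", "sales", "rep", 60_000),
]

# Hypothetical policy parameters.  The column's rule is "more than one
# member"; the threshold is a parameter so the system owner can raise it
# without touching any application code.
MIN_SET_SIZE = 2
SENSITIVE_FIELDS = {"salary"}


class PolicyViolation(Exception):
    """Raised when a query would release a sensitive aggregate over too few rows."""


def aggregate_average(
    rows: Iterable[Employee],
    field: str,
    predicate: Callable[[Employee], bool],
    *,
    min_set_size: int = MIN_SET_SIZE,
) -> float:
    """Average of `field` over the rows matching `predicate`.

    The policy check runs before any value is computed, so a refused query
    never touches the sensitive column at all.
    """
    matched = [r for r in rows if predicate(r)]
    if field in SENSITIVE_FIELDS and len(matched) < min_set_size:
        raise PolicyViolation(
            f"{field}: result set has {len(matched)} member(s); "
            f"policy requires at least {min_set_size}"
        )
    if not matched:
        raise ValueError("empty result set")
    return sum(getattr(r, field) for r in matched) / len(matched)


def run_query(
    rows: Iterable[Employee],
    field: str,
    predicate: Callable[[Employee], bool],
    **kwargs,
) -> Tuple[str, Optional[object]]:
    """Policy-mediated entry point.

    Returns ("ok", value) or ("denied", reason).  Keeping the denial as data
    rather than an exception lets the caller record it in an audit trail,
    which is where repeated attempts to isolate one person become visible.
    """
    try:
        return ("ok", aggregate_average(rows, field, predicate, **kwargs))
    except PolicyViolation as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    # Whole department: three members, answered.
    print(run_query(EMPLOYEES, "salary", lambda e: e.dept == "engineering"))
    # Criteria that single out one manager: refused by policy.
    print(run_query(EMPLOYEES, "salary",
                    lambda e: e.dept == "engineering" and e.title == "manager"))
```

The check lives in one place and is applied to every query regardless of which application issued it, which is the point of the column's argument: the rule is stated once by the system owner, not re-implemented in each program's privilege configuration. A set-size threshold on its own is a known-incomplete control for statistical databases (overlapping queries can still narrow a value), so in practice it is one rule in a policy that also limits query overlap or adds noise; the example shows the enforcement shape, not a complete inference-control design.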

The serendipity of the Web is a wonderful thing. When I returned from the meeting where I raised this concern, I plied Google with the four-word search group, "security isolation aggregation policy." One click later, I was reading someone's trip notes on last May's IEEE Symposium on Security and Privacy, which included two promising papers: "Hardening [Off-the-Shelf] Software with Generic Software Wrappers," by employees of Trusted Information Systems Inc., and "Flexible Policy-Directed Code Safety," by MIT researchers David Evans and Andrew Twyman.

Evans and Twyman acknowledge that the Java Virtual Machine has the germ of a policy-based approach to system security, with the JVM's facilities for controlling (for example) the precise locations and operations of allowable access to a user's data files. But Java's designers "were hamstrung into providing only a limited number of checks by a design that incurs the cost of a safety check regardless of whether it matters to the policy in effect," observes Evans, who is now an assistant professor at the University of Virginia.

In his MIT doctoral thesis, Evans suggests an approach that "statically analyzes and compiles a policy." He asserts that this method "can support safety checks associated with any resource manipulation, yet the costs of a safety check are incurred only when the check is relevant."

Attacks on our information systems are more than matters of convenience, or even of business continuity. In an Off the Cuff column earlier this week, News Editor Michael Zimmerman refers to China's uneasy relationship with Taiwan and the implications for our current presidential campaign. It's worth recalling that, late last summer, those Taiwan Strait tensions expressed themselves in a bilateral campaign of Web site attacks.

Information security has become the world's concern, and new ways of approaching the job are timely contributions to making this a better world in many ways.

Are you tired of counting the fleas that carry the plague? Tell me. Off the Cuff, an online exclusive column, appears Monday, Wednesday and Friday.


In Combating the plague of inse... - George B. Tselentis
Tere's an inherent contradictio... - Mike Byrne
The security problem worsens wh... - Michael Lowry
With trust being a major issue,... - Tim
Doesn't encryption offer the "i... - Don M. Darragh
Re: Policies, Crypto, Apps R... - Peter Coffee
Flaw in Coffee's proposed polic... - E. Parker

Copyright (c) 2000 ZD Inc. All Rights Reserved. ZDNet and ZDNet logo are registered trademarks of ZD Inc. Content originally appearing in eWEEK Copyright (c) 2000 Ziff Davis Media. All Rights Reserved. eWEEK and Ziff Davis Media are trademarks of Ziff Davis Publishing Holdings Inc.