
Web security -- a matter of convenience?

October 2004

Information technology security is a hot topic at IT security conferences, in IT professional societies and in institutions of higher and further education. Chris Avram, senior lecturer and associate dean (graduate studies) in the IT faculty at Monash, argues that to maximise IT security we need adequately trained professionals who have a full understanding of general security issues as well as a thorough knowledge of the IT industry.

It is well understood that security reduces convenience; that convenience reduces security; and that we can buy slightly more security or convenience with a slightly higher expenditure. This is often represented as a joke -- profit, security or convenience, choose any two.

Mr Chris Avram.

Often overlooked, however, is a second hidden variable that has significant influence over the level of security achievable in a particular environment. This is the skill or, more generally, the professionalism of the people responsible for providing security.

In order to provide a safe IT infrastructure, designers, integrators and operators must understand the features of the systems being used and those available more broadly. They need to know how to operate and configure IT systems and the levels of security required -- including the levels of confidentiality, integrity and the user availability required. They also need to know how to keep such systems secure. This knowledge is currently achieved and maintained through manufacturer certification.

As professionals, security practitioners also need to keep their knowledge current and need to engage in self-review. And importantly, society expects them to adhere to high ethical standards, often with more contentious ethical dilemmas than those faced by other IT professionals.

So how do we train professionals in IT security? Manufacturer certification alone is not enough, and while a generalist degree added to certification is better, IT security professionals need a more broad-based education.

At a basic level, IT degrees should address the problem-solving, planning, organising and communication skills needed. They should also address self-review issues and develop an ongoing love of learning.

But there are some principles of security that are not covered in manufacturer certification or in general IT courses. These are core principles of security -- the sorts of things that do not go out of date.

Let me mention one that is thousands of years old. Defence in depth is a concept you find in ancient military thinking, whereby a good security system will protect itself from attack from within -- for instance, the walls surrounding Troy were not enough to protect the city.

However, while this is an age-old lesson, it is still not well understood in IT security. Indeed, during a recent online forum, discussions revolved around the need for personal computers to have personal firewalls installed. However, some participants thought they were not needed and just too inconvenient.

But no matter how good an organisation's external firewall, email and web proxy virus checker, these devices will not protect work computers from a virus-infected computer somewhere inside the firewall. It is no longer enough to ask how the virus got inside the firewall; the question is what we do if one does.

There is more to the defence in depth principle though. It also requires defence against the security system being turned on those it was protecting. A good example of this was a recent attack in which a fault in personal firewall software was used as an access point for distributing a computer virus.

This highlights the need for experienced security professionals to have an understanding of the importance of keeping security infrastructure secure and closely monitored.

In fact, security infrastructure should be more secure and more closely monitored than the infrastructure it protects.

There are other general principles of security often missed in vendor certification. One is the principle of minimum capability.

When we deploy software or grant permissions to people and systems, we should grant only the minimum capability necessary to do the agreed task. However, this principle has been lost in the ever-increasing capability granted to software downloaded as we visit ever more 'functionally rich' websites.

Programmers are often taught how to use these capabilities, rather than being taught and required to exercise the principle of minimum capability.

The issue of appropriate content, the balance between fundamental knowledge and current skills, of vendor verification versus degree programs and the balancing of short and long-term skill needs are being played out for IT in general. In relation to IT security skills, these principles and the balance chosen can have life-threatening and national significance.

We cannot leave IT security in the hands of people who only know how to configure -- even if it is configured well -- the latest piece of security equipment or software. The security systems themselves may be faulty and vulnerable.

We should only leave security in the hands of people who understand the principles of security learned through a thorough study of failures in security over the millennia. These people, if professionals, will ensure they have ongoing current skills and systems knowledge.

The specification of a curriculum in IT security is a current and ongoing task -- please join in.

Contact:
chris.avram@infotech.monash.edu.au
Ph: +61 3 9905 3849 or +61 3 9903 2196.

 
Media enquiries

Media Communications
Tel: +61 3 9903 4840
Email: media@adm.monash.edu.au
