Improving the Security of Networked Systems
暂无分享,去创建一个
www.stsc.hill.af.mil 7 Targeting the Problem Networks have become indispensable for conducting business in government, industry, and academic organizations. Networked systems allow access to needed information rapidly, improve communications while reducing costs, enable collaboration with partners, provide better customer services, and conduct electronic commerce [1]. Organizations have moved to distributed, client-server architectures where servers and workstations communicate through networks. In addition, they are connecting their networks to the Internet to sustain a visible business presence with customers, partners, and suppliers. While computer networks revolutionize the way business is done, the risks they introduce can be fatal. Attacks on networks can lead to lost money, time, products, reputation, sensitive information, and even lives. The 2000 Computer Security Institute/FBI Computer Crime and Security Survey [2] indicates that computer crime and other information security breaches are still on the rise, and the cost is increasing. For example, 70 percent of the 585 respondents reported computer security breaches within the last twelve months, up from 62 percent in 1999. Furthermore, the financial losses for the 273 organizations that could quantify them totaled $265,586,240, a 100 percent increase over the $123,779,000 reported in 1999. Engineering for ease of use is not being matched by engineering for ease of secure administration. Today’s software products, workstations, and personal computers bring the power of the computer to increasing numbers of people to perform their work more effectively. Products are so easy to use that people with little technical knowledge or skill can install and operate them on their desktop computers. Unfortunately, it is difficult to configure and operate many of these products securely. This gap between the knowledge needed to operate a system and that needed to keep it secure leads to increasing numbers of vulnerable systems [3]. Technology evolves so rapidly that vendors concentrate on time-to-market, often minimizing that time by placing a low priority on security features. Until customers demand products that are more secure, the situation is unlikely to change. Users count on their systems being there when they need them, assuming that their information technology (IT) departments are operating all systems securely. This may not be the case. System and network administrators typically have insufficient time, knowledge, and skill to address the wide range of demands to keep today’s complex systems and networks up and running. Additionally, evolving attack methods and software vulnerabilities continually introduce new threats to an organization’s installed technology and systems. Thus, even vigilant, security-conscious organizations discover that security starts to degrade almost immediately after fixes, workarounds, and newly installed technology are put in place. Inadequate security in the IT infrastructures can negatively affect the integrity, confidentiality, and availability of systems and data. Who has this problem? The answer is just about everyone—anyone that uses information technology infrastructures that are networked, distributed, and heterogeneous needs to care about improving the security of networked systems.
[1] Mark Wilson,et al. SP 800-16. Information Technology Security Training Requirements: a Role- and Performance-Based Model , 1998 .
[2] Christopher J. Alberts,et al. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0 , 1999 .
[3] Derek Simmel,et al. Information Assurance Curriculum and Certification: State of the Practice , 1999 .
[4] M. E. Beall. U.S. patent and trademark office , 1997 .