20 May 2004 CISCO at UQ 1
Protecting Australia's Information Infrastructure through
Education and Training
Professor William J Caelli AO,PhD (ANU), BSc (Hons) (Newc), FACS, FTICA, Sen MIEEE, CISM
Head – School of Software Engineering and Data Communications
Faculty of Information Technology
Queensland University of Technology
GPO Box 2434, Brisbane, Qld. 4001, AUSTRALIA
Phone: +61 7 3864 2752 Fax: +61 7 3864 1801 Email: [email protected]
Keynote Presentation to “IT Opportunities Kiosk (ITOK)”, 20 May 2004 : CISCO Academies of UQ and QUT
Asian Wall Street Journal, 11 May 2004.
..42 years..
Some Caelli Nostalgia!
EDS & IBM 1401
“..changes the costly PC-centric model for enterprise applications…”
IBM Advertisement, Asian Wall Street Journal, 11 May 2004.
SOME BACKGROUND
“If current trends continue, Clarke told attendees at Gartner's Symposium/ITxpo 2003 here this week, the cybersecurity situation isn't just going to get worse. It's going to get exponentially worse.”
Richard A Clarke, Former USA White House IT Security Advisor. Reported in ZDNet, USA – 22 October 2003. http://techupdate.zdnet.com/Clarke_issues_gloomy_report_card_.html
Brian Valentine, Senior Vice-President, Microsoft Windows Development
“..I’m not proud…We really haven’t done everything we could to protect our customers…. Our products just aren’t engineered for security”
Computerworld (Australia), September 16, 2002. Page 14.
VENDOR ESCAPE:
MICROSOFT (Mundie, 8 Oct. 2002, RSA, Paris)
• Question: 25 years to go “trustworthy”?
• Reply:
• “Customers wouldn’t pay for it until recently.”
• “Information officers .. only recently begun to demand security.”
• “.. Only in last 10 years that Microsoft has attempted to play in the security-requiring worlds of banking, payroll and networked systems…”
15 March 2004
Grand Challenges #2:
CRA Conference on: "Grand Research Challenges in Information Security & Assurance"
16 – 19 November 2003. Airlie House, Warrenton, Virginia, USA.
Sponsored by the National Science Foundation (NSF)
FOUR GENERATIONS OF PEOPLE IN COMPUTER SCIENCE & TECHNOLOGY
1940 – 1960: Scientist/engineer; program and operate yourself
1960 – 1980: IT Professionals; programmer/analyst, operations, managers
1980 – 2000: CIO / end-users; software industry, user control, hackers
2000 – 2020?: Diverse / spread profession; 3Cs – converged computing, communications & content
4th GENERATION OF IT PROFESSIONALS
Generation 1 ( 1940 - 1960 ).
• Engineer / scientist
CSIRAC (Australia)
COLOSSUS (UK)
4th GENERATION OF IT PROFESSIONALS
Generation 2 ( 1960 - 1980 ).
• Elites ( Specialist professionals )
• Managers
IBM System/360-50
Happy 40th Birthday! ( 7 April 1964 )
4th GENERATION OF IT PROFESSIONALS
Generation 3 ( 1980 - 2000 ).
• Professionals vs Hobbyists, Hackers & Amateurs
4th GENERATION OF IT PROFESSIONALS
Generation 4 ( 2000 on ).
• Everyone (multiple levels)
Mobile Phone
INTEGRATION & “END-TO-END” SECURITY
“.. hardware on which applications run must be secure, as must the operating system and run time environment in between, while offering a reasonable API for application developers…
.. applications cannot be more secure than the kernel functions they call, and the operating system cannot be more secure than the hardware that executes its commands..”
Dyer et al – “Building the IBM 4758 Secure Coprocessor”, IEEE Computer, October 2001.
EDUCATION & TRAINING
EDUCATION & TRAINING
DUAL REQUIREMENTS
• INFORMATION SYSTEMS (IS)
• COMPUTER / COMMS SCIENCE & ENGINEERING (CSE)
Taxis / Cars
EDUCATION & TRAINING
DUAL REQUIREMENTS
• Industry & business (incl. commercial government, etc.)
• Emphasis on enterprise analysis, business awareness & needs, team involvement, speed of implementation, cost, etc.
• Defence, intelligence & NIIP
• Emphasis on IT & comms fundamentals, science & engineering, protocol & computer architectures, structures, etc.
PC Magazine – USA – 11 Feb 2004.
• Microsoft security Update MS04-007
• “Critical”
• Buffer overflow in ASN.1 Library DLL
• Used by security sub-system
• “..the vulnerability has no workarounds..”
FACTS:
* System vulnerabilities are almost completely in system software and middleware.
* ICT technology & artefacts come from mainly one nation and a few companies, including a recognised monopoly
* China is emerging
EDUCATION & TRAINING
DUAL REQUIREMENTS
FACTS ABOUT IS / CSE PROGRAMS AT UNIVERSITIES / COLLEGES ( USA / Australia )
• CS - NO computer structures/architectures
• IS - “scripting” / Web emphasis
• CSE – NO assembler level languages
• CSE - <6 lectures on architecture
• CSE / IS – NO undergraduate work on software security & protection
• CSE – nothing on “drivers”, kernels, crypto, etc.
EDUCATION & TRAINING
DUAL REQUIREMENTS
• FACTS ABOUT IS / CSE PROGRAMS AT UNIVERSITIES / COLLEGES ( IIT - India )
• CSE – undergraduate project
• develop RSA encryption VLSI chip for 1024 bit modulus with PKS interface standards support and create appropriate driver and support software for a popular OS
National Cyber Security Partnership
“…public-private partnership .. established to develop shared strategies and programs to better secure and enhance America’s critical information infrastructure..”
Task forces include:
• Awareness for Home Users and Small Businesses
• Cyber Security Early Warning
• Corporate Governance
• Security Across the Software Development Life Cycle
• Technical Standards and Common Criteria
http://www.cyberpartnership.org
Security Across the Software Development Life Cycle
Report – 1 April 2004.
SOFTWARE VALUE
• INCREASE PRODUCTIVITY & EFFICIENCY
• RESILIENCE TO ATTACK
• PERFORM IN BOTH NORMAL & CRISIS SITUATIONS
MULTICS
Security Across the Software Development Life Cycle - 1 April 2004
OVERVIEW:
“.. lack of adequate education in software security for software developers has cost the United States dearly…….”
“…if the United States is to progress beyond immature infrastructures created by amateurs, professionalism based on a sound university education is required……”
Security Across the Software Development Life Cycle - 1 April 2004
OVERVIEW:
“…. across the globe … software security research funding … is almost non-existent..”
Security Across the Software Development Life Cycle - 1 April 2004
EDUCATION SUB-GROUP FINDINGS
LOSSES IN 10s OF BILLIONS $(US)
• Software security flaws
• Patch management
• Offshoring to “more able” overseas programmers
• Best people through “university degree programs”
Security Across the Software Development Life Cycle - 1 April 2004
THE PROBLEM – GETTING WORSE!
IMPROVE SOFTWARE SECURITY = SAFEGUARD NII
WHO – ISSUES
Universities – Education & research
Producers – Skills, processes, incentives
Customers – Requirements
Providers – Quality, testing
Security Across the Software Development Life Cycle - 1 April 2004
THE PROBLEM – GETTING WORSE!
IMPROVE SOFTWARE SECURITY = SAFEGUARD NII
WHO – ISSUES
Administrators – Maintenance, patching
Users – Ease of use
Installers – Configuration
Governments – Enforcement
Security Across the Software Development Life Cycle - 1 April 2004
REQUIREMENTS – ACTION
Security at the centre in software design & foundation for development process – Education & Training
Education subgroup
EDUCATION & TRAINING FOR NIIP
SUMMARY: “Back to basics”
• Recognition / assessment of threats & vulnerabilities ( risk )
• Software from anywhere
• “Skype” – Estonia / Telstra (Aust) - India
• Device drivers – Russia
• Understanding of hardware (again) & software interaction – compilers, libraries, etc.
• Emerging software schemes – “components”
• Reverse engineering, test harnesses
EDUCATION & TRAINING FOR NIIP
SUMMARY: “Back to basics”
• Re-emphasis on fundamentals of computer science and engineering
• Education program vs. “quick” industry “training”
• Emerging requirements for “expert witnesses” in IT & sub-disciplines
• US recognises lost 20 years (NSA & NCSP)
• NIIP requires national education programs
• New opportunities, e.g. SELinux
THANK YOU
Visit the “Colloquium for Information Systems Security Education (CISSE)”,
(5 – 9 June 2004) USMA, West Point, NY. USA.
See: http://www.ncisse.org