Information Security: The Complete Documentation
- This category contains 5 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
Attack Modeling for Information Security and Survivability
Published in 2001, by Andrew P. Moore, Robert J. Ellison, ©Andrew P. Moore, Robert J. Ellison.
Many engineering disciplines rely on engineering failure data to improve their designs. Unfortunately, this is not the case with information system engineers, who generally do not use security failure data—particularly attack data—to improve the security and survivability of systems that they develop. Part of the reason for this is that, historically, businesses and governments have been reticent to disclose information about attacks on their systems for fear of losing public confidence or for fear that other attackers would exploit the same or similar vulnerabilities. Specific, detailed attack data has just not been available.
File infos:
- L0T3K ID: docs-304
- status: online
- source: www.cert.org
Instruments of the Information Security Trade
Published on 2001-11-27, by Mark Graff, ©SANS Institute.
Internet security is extremely important today. The amount lost due to intrusions and hacking incidents has increased tremendously over the years. How important is security to your company? Is your company at risk? How do you really know for sure? Periodic penetration testing can help you determine whether your company has the necessary controls in place to protect your organization. These tests will show how secure or how vulnerable your company’s networks are to an attack, and the results will open the eyes of management as to what could happen to the company’s assets. The results of these tests alone justify the importance of security within your organization. Penetration tests will also provide results of how your systems and employees react to an attack, along with testing the current procedures that are in place.
File infos:
- L0T3K ID: docs-1992
- status: online
- source: www.sans.org
Offensive Approach to Teaching Information Security: "Aachen Summer School Applied IT Security" (An)
Published in 2004, by Maximillian Dornseif and Felix C. Gärtner and Thorsten Holz and Martin Mink, ©Maximillian Dornseif and Felix C. Gärtner and Thorsten Holz and Martin Mink.
File infos:
- L0T3K ID: docs-1393
- status: online
- source: http://sunsite.informatik.rwth-aachen.de/
Why Information Security is Hard - An Economic Perspective
Published in 2001, by Ross Anderson, ©Ross Anderson.
According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved.
In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.
File infos:
- L0T3K ID: docs-1390
- status: online
- source: www.acsac.org
Why Information Security is Hard - An Economic Perspective
Published in 2002, by Paul A. Karger and Roger R. Schell, ©Paul A. Karger and Roger R. Schell.
Almost thirty years ago a vulnerability assessment of Multics identified significant vulnerabilities, despite the fact that Multics was more secure than other contemporary (and current) computer systems. Considerably more important than any of the individual design and implementation flaws was the demonstration of subversion of the protection mechanism using malicious software (e.g., trap doors and Trojan horses). A series of enhancements were suggested that enabled Multics to serve in a relatively benign environment. These included the addition of "Mandatory Access Controls", and these enhancements were greatly enabled by the fact that Multics was designed from the start for security. However, the bottom-line conclusion was that "restructuring is essential" around a verifiable "security kernel" before using Multics (or any other system) in an open environment (as in today's Internet) with the existence of well-motivated professional attackers employing subversion. The lessons learned from the vulnerability assessment are highly applicable today as governments and industry strive (unsuccessfully) to "secure" today's weaker operating systems through add-ons, "hardening", and intrusion detection schemes.
File infos:
- L0T3K ID: docs-1391
- status: online
- source: www.acsac.org
Created: 2005-06-15 02:02 | Modified: 2007-03-26 00:17 | Size: 15840 octets