
Eugene Spafford: Q&A

Professor Eugene Spafford knows a bit about security. And the founder and executive director of Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS) thinks we're doing it all wrong.

By Christopher Lindquist

December 01, 2003

CSO — Professor Eugene Spafford knows a bit about security. And he thinks we're going about it all wrong. Founder and executive director of Purdue University's Center for Education and Research in Information Assurance and Security, he was named to the President's Information Technology Advisory Committee in 2003 and has worked on many security books and articles.

CSO recently talked with Spafford about technology, complexity and the shape of security to come.

CSO: Do we need to make wholesale changes in how we approach security?

Eugene Spafford: We need to make some significant changes, changes that won't be popular with some because they're toward minimalist systems, like appliances or much smaller, tighter systems instead of these larger, general-purpose, do-everything operating systems.

One of the chief enemies of good security is complexity. Complex systems are difficult to build and configure correctly, and they're difficult to understand and operate. Many of the weak points we have now are the result of systems with too much functionality that either isn't needed or can't be secured properly. Hardware is cheap enough that we should be able to afford to buy an extra box or two and isolate and contain failures.

The trend toward all-in-one systems came about decades ago when equipment was very expensive, and we wanted to run everything on the same box. We argue now that we can reduce the training if we have only one type of system or we can reduce the number of patches. But if your system is exceedingly simple to operate (you just plug it in and set three or four switches, and it doesn't need patches because it's not so complicated that it breaks all the time), then that argument has no merit.

CSO: What else is critical?

Spafford: The second trend is we have to start looking at the tools and technologies we use to build systems and start using some of the accumulated knowledge we've built up in the past 30 or 40 years about good software engineering practice. Programming in C or C++ is not a particularly good idea unless you are really an expert and you have appropriate tools to back up what you're doing with testing.

There are a number of languages that could be developed that are considerably safer for running most of our applications. And we should start putting some energy and thought into creating testing tools and diagnostic tools for what we build. Having thousands of flaws per year that need to be patched is ridiculous.

CSO: Is there something that could happen or needs to happen to get people working toward these goals?

Spafford: There are a number of things that could cause the change. One is certainly there could be some terrible incident or terrible software that goes around. The places that don't get hit by it will stand out. In fact, that's happened. We were never touched because we use Unix and Macintosh systems. But that didn't stand out enough.

What I think is more likely to make a difference is insurance companies or lawyers are going to get involved. [Companies] are creating a monoculture that is more susceptible to the next big worm or next big break-in because everything is going to have the same set of vulnerabilities. If I was a stockholder in a firm that was doing that, and it got really badly hit by the next big virus or worm, I'd consider that negligent and possibly actionable. We've got years of experience showing us that these kinds of attacks are coming more and faster, that bugs are present. And here they are standardizing on a system that will be wiped out by the next thing that goes through. If that's not negligence, then I don't know what is.
