
Security Concerns November 25, 2013

Posted by lorenmurphy2 in Security.

Security concerns should be an integral part of the system development process. In the article “Why Cryptosystems Fail,” Anderson discusses the common failures of computer security systems and how computer failures differ publicly from other industry failures such as airline crashes. Growing up, children are often taught by adults that the best way to learn is from their mistakes. This idea carries into adulthood and has been adopted by many companies and schools, often via case studies. In the article, Anderson highlights that various industries, such as airlines, also follow this philosophy when a plane crashes: an investigation takes place and includes various functions/departments (manufacturer, pilots, suppliers, etc.) in order to get their understanding of what went wrong. However, when it comes to computer security system failures, no such investigation takes place, which leaves companies unable to learn from their mistakes and prevent history from repeating. The consequences of this have been seen for years and date back to WWII, when Norway fell because its codes had the same loopholes as the Germans’ code in the previous war. As a result, the Germans were able to crack the code using the same techniques that had been used against them.

If security concerns were shared during the development process, systems would be more secure because experts would have a clear understanding of what issues need to be solved. In the article, Anderson discusses that the main cause of security system failures was implementation. Since computer security managers do not have specialized knowledge about security integration and management, the validation process for these security systems is not adequate and results in failures. Instead of ensuring that the correct parts of the system are protected, the managers rely on third-party vendors to tell them what software to buy and how to validate the system. In a survey, the US Air Force and the National Security Agency both admitted that their main security issue was poor implementation. If these two departments communicated with each other and shared their security concerns when it comes to implementation, both of them could work on a combined solution to correct the issue. The benefit of having a collaborative solution was seen in 1993, when three papers were published by independent authors that proposed a robust solution. Separately, the papers’ solutions were not effective; however, when the ideas were combined, they created a viable solution for simple protocols.

There is no perfect computer system because each of them is built to fulfill a specific purpose. However, when the purpose of the system is known, security concerns directly related to that purpose can be addressed, and input from other areas can be given and/or received because everyone has a clear understanding of the end goal. Anderson states this idea at the end of the article: “Indeed there is a sense in which there are no “secure” systems at all; there are merely computer systems whose goals include beating foreign armies, preventing fraud, or winning lawsuits. If these goals are not made explicit, they are unlikely to be achieved.”

References

[1] Why cryptosystems fail, by Ross J. Anderson, November 1994, Communications of the ACM, Volume 37, Issue 11.
