A major problem with securing IT systems is the fact that software is often used for applications for which it was not intended, says Fred Schneider, Cornell University professor of computer science.
Speaking yesterday, at the 32nd International Conference on Software Engineering, in Cape Town, Schneider said a proactive rather than reactive approach should be taken towards securing IT systems.
He used the analogy of investment in medical research that is used to cure dread diseases.
“In the US, children are not allowed to attend school unless they have been vaccinated,” Schneider said. “Vaccinations have been developed through constant investment in medical technologies, and a similar approach should be adopted by the software engineering community.”
He said every computer system that is “trusted” has to work despite experiencing natural disasters, human error caused by operators inputting data, and survive malicious attacks.
“Natural disasters are a constant; human mistakes will grow as the Internet grows, and so the only malicious factor that is rising are deliberate attacks.”
Another example used by Schneider is an application that everyone in the country uses to make cellphone transactions. If someone had to subvert it, and then was able to transfer large amounts of money out of the country, the financial disaster could be far greater than any natural disaster as it could lead to the collapse of the economy.
“We don't know how buggy software is until it is attacked,” Schneider noted.
The problem with software is that the producers do not guarantee their products, and so their limitations and vulnerabilities are only identified when they have been used in areas for which they were not intended, he commented.
Blue screen of death
“Currently, there are warships where the command and control systems run off Microsoft Windows. However, Windows was never designed or intended for this kind of use.
“If every software manufacturer, such as Microsoft, had to place warranties on their products, the software would have very limited uses. However, the convenience created from having a de facto industry standard means less training or education is needed for systems, but this leads to a monopoly-type situation.”
Again, using the banking sector as an example, Schneider said the problem with implementing something such as secure transactions within the banking system, is that the expectation is that all the banks are equally secure.
“The problem with this kind of approach is that it also means they are equally bad at security. What they decide to do is take a risk-based approach and decide they can afford to lose a certain amount, but keep the convenience so that they can attract and service the majority of their clients.
“What needs to happen is that someone needs to worry about the system in its entirety.”
Share