Professor Gene 'Spaf' Spafford

EXCLUSIVE INTERVIEW: PART ONE

PKIForum.com: What is your specialty?

Spafford: I have worked in a number of areas, including fault-tolerant systems, software engineering, [and] networked operating systems. But for the last nine to 10 years I've been working almost exclusively in the area of information security systems and technologies, and integration of that with research in areas related to computing that have an impact on security and reliability of computing systems.

PKIForum.com: This is on the development end?

Spafford: A lot of the research that I've been doing myself and with some of my senior students has been more on the back end: the intrusion detection, audit trail generation, computer forensics aspects of systems.

PKIForum.com: Can you explain what those are?

Spafford: Well, intrusion detection is a term that's been somewhat overloaded recently. The way I'm using it refers to detecting violations of security policy on systems by insiders or outsiders -- outsiders who have come in and breached defenses, or insiders who are misusing privileged positions to affect the systems. So, that's an area where I've done a lot of work over the longest period of time. The work in audit has been in trying to determine what things are best saved, what things should be logged that would enable us -- after something has happened -- to go back and reconstruct the mechanism that was used, what was damaged and what was touched, and possibly to recover it or to use it in prosecution. And the area of forensics has been involved in how to investigate a system, how to collect evidence after something's happened and [how to] use that to assist in an investigation.

PKIForum.com: What do you see as the major challenge in information security today?

Spafford: If it had to be a single challenge, from a societal point of view, it would be getting the everyday user who knows very little about how computers work and what security means -- and what the risks are -- to embrace and use good technology and techniques to protect their systems. A lot of the attacks that we're seeing now are coming from systems that have been subverted, sometimes by automated agents -- worms, break-in toolkits, massive denial of service tools -- that are taking over home computers [and] small business computers, and are using those as platforms to launch attacks. That's a big threat because those systems are not run by people who really understand ANYTHING at all about security, and the systems are also built and sold by companies that haven't found a reason to include better security in their products. So we have to find some way to get all of these people using these systems to effectively use some technologies to protect their systems and to want to embrace it, even if it costs a little bit more. I would say that's the most encompassing problem. There are lots of other research problems that can fit in: building cost-effective security, good metrics for security -- so if we make changes, we know if we've made something better, and if so, by how much. Forensics is a big issue.

PKIForum.com: What kind of advanced systems that individuals can use are you talking about? Are there any out there right now?

Spafford: Well, the closest that we have to that [is] some of the antivirus tools, some of the personal firewall kits and application of security patches or applying individual security scanners to know that the patches need to be put in place. But most of those really require deeper understanding of what's going on with the system than your average user has the capability to apply. So, we aren't really there yet. If you think about the typical home system, it's probably a 3/4 of a gigahertz processor, a lot of RAM and disk [space], it's got a network connection, [it] may be connected to an always-on [Internet] connection through a DSL or cable-modem, [it has a] big, general purpose operating system with lots of utilities, a full protocol stack for the network, a debugger, a compiler [and] all of these other kinds of things. And yet, the person at home is using it for potentially three applications: a Web browser, e-mail and a game. That's it. So we have a big mismatch between the needs and the understanding and the capabilities and what's actually there. We need to understand better how, perhaps, to shape the systems to meet the [user's] needs, and that could also help [improve security]. So instead of layering something on a system, actually replacing it with a better match [is a solution]. Security doesn't work as an add-on. It really needs to be built-in from the beginning.

PKIForum.com: Do you see this kind of built-in security being implemented now, or are people still working on it?

Spafford: Many researchers are looking at that, [as are] some vendors, but the problem there -- from a commercial standpoint -- is [that] there's little motivation for vendors. There aren't enough consumers who are demanding those features, there is very little liability or regulation feedback/pushback on systems that don't include it, and it won't come for free. It's going to take an investment, and in a typical corporate environment, making a significant investment of that kind -- which may delay time to market, increase the cost of the product, increase its complexity -- isn't a good investment for them without some kind of change in the bottom line: either a lowering of their profile risk or an increase in sales.

Copyright © PKIForum.com™ 1999-2003. All Rights Reserved. The PKIForum.com logo, "PKIForum.com", "PKI Forum.com" and "PKI Forum" are trademarks of PKIForum.com and its proprietors.