Computer security in the future

Document Type: REVIEW PAPER

Author

Abstract

Until recently, computer security was an obscure discipline that seemed to have little relevance to everyday life. With the rapid growth of the Internet, e-commerce, and the widespread use of computers, computer security touches almost all aspects of daily life and all parts of society. Even those who do not use computers have information about them stored on computers. This paper reviews some aspects of the past and current state of computer security, and speculates about what the future of the field will being.

Keywords


[1] B. Metcalfe. The Stockings Were Hung by the Chimney with Care. RFC 602, 1973.

[2] F. Cohen. Computer Viruses: Theory and Experiments. In Proceedings of the 7th DOD/NBS Computer Security Conference, pages 240-263, 1984.

[3] M. Eichin and J. Rochlis. With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988. In Proceedings of the 1989 IEEE Symposium on Security and Privacy, pages 326-343, 1989.

[4] C. Stoll. An Epidemiology of Viruses and Network Worms. In Proceedings of the 12th National Computer Security Conference, pages 369-377, 1989.

[5] W. Du. Job Candidates Getting Tripped Up by FaceBook. MSNBC News, Aug. 14, 2007. Available at http://www.msnbc.msn.com/id/20202935/ns/business-personal_finance/.

[6] J. Grasz. 45% Employers Use Facebook- Twitter to Screen Job Candidates. Oregon Business Report, Aug. 24, 2009. Available at http://oregonbusinessreport.com/2009/08/45-employers-use-facebook-twitter-to-screen-job-candidates/.

[7] B. Buchanan. Founder Shares Cautionary Tale of Libel in Cyberspace. First Amendment Center, Nov. 17, 2006. Available at http://www.firstamendmentcenter.org/news.aspx?id=17798.

[8] N. Chatzis. Motivation for Behavior-Based DNS Security: A Taxonomy of DNS-Related Internet Threats. In Proceedings of the International Conference on Emerging Security Information, Systems, and Technologies, pages 36-41, 2007.

[9] K. Butler, T. Farley, P. McDaniel, and J. Rexroad. A Survey of BGP Security Issues and Solutions. Proceedings of the IEEE, 98(1), pages 100-122, 2010.

[10] L. Eko. New Medium, Old Free Speech Regimes: The Historical and Ideological Foundations of French & American Regulation of Bias-Motivated Speech and Symbolic Expression on the Internet. Loyola L.A. International & Comparative Law Review, 28, pages 69-127, 2006.

[11] Windows Firewall May Block Some Programs from Communicating Over the Internet After You Install Windows XP Service Pack 2. Article 842242, Revision 9.4, Microsoft Corp., Redmond, WA, Nov. 13, 2007. Available at http://support.microsoft.com/kb/842242.

[12] Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, U.S. Department of Defense, Washington DC, 1985.

[13] Information Technology Security Evaluation Criteria, Version 1.2, Commission of the European Communities, Brussles, Belgium, 1991.

[14] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and General Model, Version 3.1, Revision 2, Final, Common Criteria Recognition Arrangement Management Board, July 2009. Available at http://www.commoncriteriaportal.org.

[15] Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, Version 3.1, Revision 2, Final, Common Criteria Recognition Arrangement Management Board, July 2009. Available at http://www.commoncriteriaportal.org.

[16] Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, Version 3.1, Revision 2, Final, Common Criteria Recognition Arrangement Management Board, July 2009. Available at http://www.commoncriteriaportal.org.

[17] Security Requirements for Cryptographic Modules, FIPS PUB 140-2, Information Technology Laboratory, National Institute of Science and Technology, Gaithersburg, MD, USA, 2001.

[18] Voting System Standards, Election Assistance Commission, Washington DC, USA, 2002.

[19] Voluntary Voting System Guidelines, Version 1.0, Election Assistance Commission, Washington, DC, USA, 2005.

[20] E. Barr, M. Bishop, and M. Gondree. Fixing Federal E-Voting Standards. Communications of the ACM, 50(3), pages 19{24, 2007.

[21] M. Bishop, Overview of Red Team Reports, Office of the California Secretary of State, Sacramento, CA, USA, 2007.

[22] D. Wagner, Principal Investigator's Statement on Protection of Security-Sensitive Information, Office of the California Secretary of State, Sacramento, CA, USA, 2007.

[23] Project Everest (Evaluation and Validation of Election-Related Equipment, Standards, and Testing) Risk Assessment Study of Ohio Voting Systems: Executive Report, Office of the Secretary of State of Ohio, Columbus, OH, USA, 2007.

[24] A. Kiayais, L. Michel, A. Russell, and A. Shvartsman, Integrity Vulnerabilities in the Diebold TSX Voting Terminal, VoTeR Center, University of Connecticut, Storrs, CT, USA, 2007.

[25] E. Proebstel, S. Riddle, F. Hsu, J. Cummins, F. Oakley, T. Stanionis, and M. Bishop. An Analysis of the Hart Intercivic DAU eSlate. In Proceedings of the 2007 USENIX/ACCURATE Electronic Voting Technology Workshop, 2007.

[26] RABA Innovative Solution Cell, Trusted Agent Report Diebold AccuVote-TS Voting System, RABA Technologies LLC, Columbia, MD 21045, 2004.

[27] M. Bishop. About Penetration Testing. IEEE Security & Privacy, 5(6), pages 84-87, 2007.

[28] F. Gallegos and M. Smith. Red Teams: An Audit Tool, Technique, and Methodology for Information Assurance. Information Systems Control Journal, 2, pages 51-56, 2006.

[29] C. Weismann. Security Penetration Testing Guideline. Chapter 10, Handbook for the Computer Security Certification of Trusted Systems, TM 5540:082A, Naval Research Laboratory, Washington DC, USA, 1995.

[30] Technical Guidelines Development Committee, Voluntary Voting System Guidelines Recommendations to the Election Assistance Commission, Election Assistance Commission, Washington DC, USA, 2007.

[31] M. Bishop, S. Engle, S. Peisert, S. Whalen, and C. Gates. We Have Met the Enemy And He Is Us. In Proceedings of the 2008 Workshop on New Security Paradigms, pages 1-12, 2008.

[32] Y. Katz. Facebook Details Cancel IDF Raid. The Jerusalem Post, Mar. 4, 2010. Available at http://www.jpost.com/Israel/Article.aspx?id=170156.

[33] Military Gives OK to Twitter and Facebook. CBS News, Feb. 26, 2010. Available at http://www.cbsnews.com/stories/2010/02/26/tech/main6247874.shtml.

[34] D. McCullagh. DVD Lawyers Make Secret Public. Wired, Jan. 26, 2000. Available at http://www.wired.com/politics/law/news/2000/01/33922.

[35] D. McCullough. Specification for Multi-Level Security and a Hook-Up Property. In Proceedings of the 1987 IEEE Symposium on Security and Privacy, pages 161-166, 1987.

[36] H. Mantel. On the Composition of Secure Systems. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 88-102, 2002.

[37] E. Al-Shaer and H. Hamed. Discovery of Policy Anomalies in Distributed Firewalls. In Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communication Societies, Vol. 4, pages 2605-2616, 2004.

[38] L. Yuan, H. Chen, J. Mai, C.-N. Chuah, Z. Su, and P. Mohapatra. FIREMAN: A Toolkit for Firewall Modeling and Analysis. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, pages 213-227, 2006.

[39] C. Chung, M. Gertz, and K. Levitt. Discovery of Multi-Level Security Policies. In Proceedings of the IFIP TC11/WG11.3 14th Annual Working Conference on Database Security, pages 173-184, 2000.

[40] A. Hadbah, A. Kalam, and H. Al-Khalidi. The Subsequent Security Problems Attributable to Increasing Interconnectivity of SCADA Systems. In Proceedings of the 2008 Australasian Universities Power Engineering Conference, pages 1-4, 2009.

[41] M. Bishop, S. Engle, S. Peisert, S. Whalen, and C. Gates. Case Studies of an Insider Framework. In Proceedings of the 42nd Hawaii International Conference on System Sciences, 2009.

[42] A. Neier, Dossier: The Secret Files They Keep on You, Stein and Day, Briarcliff Manor, NY, USA, 1974.

[43] M. Barbaro and T. Zeller, Jr.. A Face Is Exposed for AOL Searcher No. 4417749. The New York Times, Aug. 9, 2006. Available at http://www.nytimes.com/2006/08/ 09/technology/09aol.html.

[44] B. Stelter. Political Cauldron Stirred by Old Video of Candidate. The New York Times, Sep. 19, 2010. Available at http://www.nytimes.com/2010/09/20/us/politics/20odonnell.html.

[45] AOLStalker.com: Searching and Finding for You. Available at http://www.aolstalker.com.

[46] J. Masterman, The Double-Cross System in the War of 1935 to 1945, Yale University Press, New Haven, CT, USA, 1972.

[47] A. Brown, Bodyguard of Lies, Harper & Row Publishers, Inc., New York, NY, 1975.

[48] B. Macintyre, Operation Mincemeat: How a Dead Man and a Bizarre Plan Fooled the Nazis and Assured an Allied Victory, Crown, London, UK, 2010.

[49] G. Orwell, Nineteen Eighty-Four, Secker and Warburg, London, UK, 1949.

[50] V. Prevelakis and D. Spinellis. The Athens Affair. IEEE Spectrum, 44(7), pages 26-33. 2007.

[51] J. A. Simpson and E. S. C. Weiner (eds.), The Oxford English Dictionary, 2nd Edition, Clarendon Press, Oxford, UK, 1991.

[52] E. Rescorla, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley Professional, Boston, MA, USA, 2000.

[53] T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, 2008.

[54] S. Deering and R. Hinden. Internet Protocol, Version 6 (IPv6) Specification. RFC 2460, 1998.

[55] S. Kent. IP Authentication Header. RFC 4302, 2005.

[56] S. Kent. IP Encapsulating Security Payload (ESP). RFC 4303, 2005.

[57] P. Mockapetris. Domain NamesConcepts and Facilities. RFC 1034, 1987.

[58] P. Mockapetris. Domain NamesImplementation and Specification. RFC 1035, 1987.

[59] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. RFC 4033, 2005.

[60] R. Arends, R. Austein, M. Larson, D.Massey, and S. Rose. Resource Records for the DNS Security Extensions. RFC 4034, 2005.

[61] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS Security Extensions. RFC 4035, 2005.

[62] S. Kent and K. Seo. Security Architecture for the Internet Protocol. RFC 4301, 2005.

[63] Data Encryption Standard, FIPS PUB 46, National Bureau of Standards, Gaithersburg, MD, USA, 1977.

[64] Advanced Encryption Standard, FIPS PUB 197, National Institute of Standards and Technology, Gaithersburg, MD, USA, 2001.

[65] S. Kent. Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management. RFC 1422, 1993.

[66] P. Zimmermann, PGP User's Guide, MIT Press, Cambridge, MA, USA, 1994.

[67] H. Burch and B. Cheswick. Tracing Anonymous Packets to Their Approximate Source. In Proceedings of the 14th USENIX Conference on System Administration, pages 319-328, 2000.

[68] S. Savage, D.Wetherall, A. Karlin, and T. Anderson. Practical Network Support for IP Traceback. SIGCOMM Computer Communications Review, 30(4), pages 295-306, 2000.

[69] A. Snoeren. Hash-Based IP Traceback. In Proceedings of the 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pages 3-14, 2001.

[70] A. Snoeren, C. Partridge, L. Sanchez, C. Jones, F. Tchakountio, B. Schwartz, S. Kent, and W. Strayer, Single-Packet IP Traceback. IEEE/ACM Transactions on Networking, 10(6), pages 721-734, 2002.

[71] S. Staniford-Chen and L. T. Heberlein. Holding Intruders Accountable on the Internet. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, 1995.

[72] T. Daniels and E. Spafford. Network Traffic Tracking Systems: Folly in the Large?" In Proceedings of the 2000 Workshop on New Security Paradigms, pages 119-124, 2000.

[73] M. Bishop, C. Gates, and J. Hunker. The Sister-hood of the Traveling Packets. In Proceedings of the 2009 Workshop on New Security Paradigms, pages 1-12, 2009.

[74] M. Piatek, T. Khono, and A. Krishnamurthy. Challenges and Directions for Monitoring P2P File Sharing Networks; or, Why My Printer Received a DMCA Takedown Notice. In Proceedings of the 3rd USENIX Workshop on Hot Topics in Security, 2008.

[75] R. Bajcsy, T. Benzel, M. Bishop, B. Braden, C. Brodley, S. Fahmy, S. Floyd, W. Hardaker, A. Joseph, G. Kesidis, K. Levitt, B. Lindell, P. Liu, D. Miller, R. Mundy, C. Neuman, R. Ostrenga, V. Paxson, P. Porras, C. Rosenberg, J. D. Tygar, S. Sastry, D. Sterne, and S. Wu. Cyber Defense Technology Networking and Evaluation. Communications of the ACM, 47(3), pages 58-61, 2004.

[76] B. Chun, D. Culler, T. Roscoe, A. Bavier, L. Peterson, M. Wawrzoniak, and M. Bowman. PlanetLab: An Overlay Testbed for Broad-Coverage Services. ACM SIGCOMM Computer Communications Review, 33(3), pages 3-12, 2003.

[77] Global Environment for Network Innovation, 2006. Available at http://www.geni.net.

[78] GENI System Overview, Document GENI-SE- SY-SO-02.0, Sep. 2008. Available at http://groups.geni.net/geni/attachment/wiki/GeniSysOvrvw/GENISysOvrvw092908.pdf.

[79] B. Lampson.ANote on the Confinement Problem. Communications of the ACM, 16(10), pages 613-615, 1973.

[80] R. Lippmann, D. Fried, I. Graf, J. Haines, K. Kendall, D. McClung, D. Webber, S. Webster, D. Wyschograd, R. Cunningham, and M. Zissman. Evaluating Intrusion Detection Systems: The 1998 DARPA Off-Line Intrusion Detection Evaluation. In Proceedings of the DARPA Information Survivability Conference and Exposition, pages 12-26, 2000.

[81] J. McHugh. Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratories. ACM Transactions on Information and System Security, 3(4), pages 262-294, 2000.

[82] K. Tan and R. Maxion. "Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 188-201, 2002.

[83] R. Khasasch, The Institutional Imperative: How to Understand the United States Government and Other Bulky Objects, Charterhouse Books, New York, NY, USA, 1973.

[84] R. Linde. Operating Systems Penetration. In Proceedings of the National Computer Conference and Exposition (AFIPS '75 ), pages 361-368, 1975.

[85] M. Bishop and B. Orvis. A Clinic to Teach Good Programming Practices. In Proceedings of the 10th Colloquium for Information Systems Security Education, pages 168-1174, 2006.

[86] K. Nance. Teach Them When They Aren't Looking: Introducing Security in CS1. IEEE Security & Privacy, 7(5), pages 53-55, 2009.

[87] T. Walcott and M. Bishop. Traducement: A Model for Record Security. ACM Transactions on Information and System Security, 7(4), pages 576-590, 2004.

[88] Common Weakness Enumeration, The MITRE Corporation, 2006. Available at http://cwe.mitre.org.

[89] Common Vulnerabilities and Exposures, The MITRE Corporation, 2002. Available at http://cve.mitre.org.

[90] B. Tung. The Common Intrusion Specification Language: A Retrospective. In Proceedings of the 2000 DARPA Information Survivability Conference and Exposition, Volume 2, pages 36-45, 2002.

[91] W. Ware, Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security, RAND Report R609-1, The RAND Corporation, Santa Monica, CA, USA, 1970.

[92] J. Anderson, Computer Security Technology Planning Study, Technical Report ESD-TR-73-51, ESD/AFSC, Hanscom Air Force Base, Bedford, MA, USA, 1972.

[93] D. Bell and L. LaPadula, Secure Computer System: Unified Exposition and Multics Interpretation, Technical Report MTR-2997 Rev. 1, The MITRE Corporation, Bedford, MA, USA, 1975.

[94] R. Abbott, J. Chin, J. Donnelley, W. Konigsford, S. Tokubo, and D. Webb, Security Analysis and Enhancements of Computer Operating Systems, Technical Report NBSIR 76-1041, ICET, National Bureau of Standards, Washington DC, USA, 1976.

[95] R. Bisbey II and D. Hollingsworth, Protection Analysis: Final Report, Technical Report ISI/SR-78-13, University of Southern California Information Sciences Institute, Marina Del Rey, CA, USA, 1978.

[96] M. Bishop. Ten Years Past and Ten Years from Now. Actas de la X Journada de Seguridad Informtica, June 2010.

[97] M. Bishop. Technology, Training, and Transformation. IEEE Security & Privacy, 8(5), pages 72-75, 2010.

[98] K. Thompson. Reflections on Trusting Trust. Communications of the ACM, 27(8), pages 761-763, 1984.