Paula DeWitte - St. Mary’s Law School in San Antonio
"Developing an Operational Framework for Integrated System Security"
Nov 01, 2006Download: MP4 Video Size: 219.8MB
Watch on YouTube
AbstractSystems are composed of multiple complex levels including the physical infrastructure, personnel or “humans-in-the-loop”, administration policies and procedures, computers, networks, and the communication protocols for connectivity that tie the system into a workable unit. Each aspect is in itself a complex system. When we consider system security, we tend to focus on the electronic components—the connectivity, computers, and network—over the non-electronic. Although we rigorously implement security in the various system components, the security is rarely integrated across the boundaries of the entire system spectrum. We tend to implement security on the distinct levels of the system without considering the impact or interaction with other system levels. For example, we may fully implement encryption, passwords, and firewalls and feel that our electronic systems are secure, while the weakest link may be staff members who fall victim to social engineering techniques and unknowingly reveal sufficient information to allow a perpetrator to circumvent our best security. Or we may have fortified computer systems and well trained personnel, but neglect the fact that we are being monitored through the building’s walls, floors, and windows.
Without true understanding of the nature of the interactions of the system, we cannot fully understand how vulnerabilities in one level of the system such as the physical infrastructure can be exploited to allow attacks on another level such as the computer networks. By taking advantage of these vulnerabilities, perpetrators are able to circumvent even the most effective computer and network security, breach that security, and achieve their goals. We only need to consider the current challenges of insider threats or threats from coordinated attacks on the physical infrastructure and the computer networks to appreciate the need for better integrated system security.
Our goal is to provide analytical tools for the real world, focusing on the decision makers who implement security policies across the system spectrum. Further, to be effective, these analytical tools must be implemented within an organizing framework that provides both an integrated view of security as well as the insight and understanding necessary to make effective security issues. This necessitates the development of step-by-step processes for analyzing and implementing security decisions. While this may seem to be a soft and less complete technical solution, it is actually implementing technology at the highest level because of the integration required to address each aspect of the system as well as the multi-disciplinary approach blending computer science, engineering, psychology, linguistics, and management in developing such analytic tools.
This presentation will discuss work in progress in developing these analytical tools as well as the overarching framework for implementing integrated system security. Our intention is to understand “what can be” or “what could happen”. With this insight, they can more effectively provide prevention, protection, or remediation strategies.
About the Speaker
Paula deWitte received a Ph.D. in Computer Science from Texas A&M University in 1989 where her dissertation work focused on retrieving useful information from physician-dictated medical records. For over twenty years, she has engaged in various research and technology development endeavors in natural language processing applications as well as systems and information integration. She has significant success in commercializing research results into fielded applications and analysis products. Her current research interests are in building natural language based tools for reducing the time required for certifying and accrediting security systems. As a mid-career redefinition, she is currently pursuing a law degree at St. Mary’s Law School in San Antonio, TX where she intends to focus on technology and privacy issues. She also holds a B.S. and M.S. from Purdue University.
Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M. STEW G52 (Suite 050B), West Lafayette Campus. More information...