Developing an Operational Framework for Integrated System Security
Paula DeWitte - St. Mary’s Law School in San Antonio
Nov 01, 2006Size: 219.8MB
Download: MP4 Video
Watch in your Browser Watch on YouTube
AbstractSystems are composed of multiple complex levels including the physical infrastructure, personnel or “humans-in-the-loop”, administration policies and procedures, computers, networks, and the communication protocols for connectivity that tie the system into a workable unit. Each aspect is in itself a complex system. When we consider system security, we tend to focus on the electronic components—the connectivity, computers, and network—over the non-electronic. Although we rigorously implement security in the various system components, the security is rarely integrated across the boundaries of the entire system spectrum. We tend to implement security on the distinct levels of the system without considering the impact or interaction with other system levels. For example, we may fully implement encryption, passwords, and firewalls and feel that our electronic systems are secure, while the weakest link may be staff members who fall victim to social engineering techniques and unknowingly reveal sufficient information to allow a perpetrator to circumvent our best security. Or we may have fortified computer systems and well trained personnel, but neglect the fact that we are being monitored through the building’s walls, floors, and windows.
Without true understanding of the nature of the interactions of the system, we cannot fully understand how vulnerabilities in one level of the system such as the physical infrastructure can be exploited to allow attacks on another level such as the computer networks. By taking advantage of these vulnerabilities, perpetrators are able to circumvent even the most effective computer and network security, breach that security, and achieve their goals. We only need to consider the current challenges of insider threats or threats from coordinated attacks on the physical infrastructure and the computer networks to appreciate the need for better integrated system security.
Our goal is to provide analytical tools for the real world, focusing on the decision makers who implement security policies across the system spectrum. Further, to be effective, these analytical tools must be implemented within an organizing framework that provides both an integrated view of security as well as the insight and understanding necessary to make effective security issues. This necessitates the development of step-by-step processes for analyzing and implementing security decisions. While this may seem to be a soft and less complete technical solution, it is actually implementing technology at the highest level because of the integration required to address each aspect of the system as well as the multi-disciplinary approach blending computer science, engineering, psychology, linguistics, and management in developing such analytic tools.
This presentation will discuss work in progress in developing these analytical tools as well as the overarching framework for implementing integrated system security. Our intention is to understand “what can be” or “what could happen”. With this insight, they can more effectively provide prevention, protection, or remediation strategies.
About the Speaker
Paula deWitte received a Ph.D. in Computer Science from Texas A&M University in 1989 where her dissertation work focused on retrieving useful information from physician-dictated medical records. For over twenty years, she has engaged in various research and technology development endeavors in natural language processing applications as well as systems and information integration. She has significant success in commercializing research results into fielded applications and analysis products. Her current research interests are in building natural language based tools for reducing the time required for certifying and accrediting security systems. As a mid-career redefinition, she is currently pursuing a law degree at St. Mary’s Law School in San Antonio, TX where she intends to focus on technology and privacy issues. She also holds a B.S. and M.S. from Purdue University.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.