Scribd Logo
Upload

Welcome to Scribd!

  • Infosec Research Council Hard Problems List: Dept. of Homeland Security Science & Technology Directorate

    Uploaded by

    Jimdo
    11 views16 pages
    The document summarizes the Infosec Research Council's (IRC) 2005 Hard Problems List, which identifies the most difficult unsolved challenges in information security research. The IRC is a roundtable of major government investors in cybersecurity. The 2005 list was developed through workshops and reviews, and identifies 8 problems including global identity management, insider threats, availability of time-critical systems, and developing security metrics. The document provides background on the IRC and outlines each of the 8 problems, describing their motivation, challenges, and goals.

    Original Description:

    Original Title

    Irc Csia Maughan 012606

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document summarizes the Infosec Research Council's (IRC) 2005 Hard Problems List, which identifies the most difficult unsolved challenges in information security research. The IRC is a roundtable of major government investors in cybersecurity. The 2005 list was developed through workshops and reviews, and identifies 8 problems including global identity management, insider threats, availability of time-critical systems, and developing security metrics. The document provides background on the IRC and outlines each of the 8 problems, describing their motivation, challenges, and goals.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    11 views16 pages

    Infosec Research Council Hard Problems List: Dept. of Homeland Security Science & Technology Directorate

    Uploaded by

    Jimdo
    The document summarizes the Infosec Research Council's (IRC) 2005 Hard Problems List, which identifies the most difficult unsolved challenges in information security research. The IRC is a roundtable of major government investors in cybersecurity. The 2005 list was developed through workshops and reviews, and identifies 8 problems including global identity management, insider threats, availability of time-critical systems, and developing security metrics. The document provides background on the IRC and outlines each of the 8 problems, describing their motivation, challenges, and goals.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 16

    Dept.

    of Homeland Security Science & Technology Directorate

    Infosec Research Council


    Hard Problems List
    CSIA IWG
    Washington, DC
    January 26, 2006

    Douglas Maughan, Ph.D.


    Program Manager, HSARPA
    douglas.maughan@dhs.gov
    202-254-6145 / 202-360-3170
    Background
    z INFOSEC Research Council (IRC)
    ‹ Roundtable of major government investors in Information
    Security Research

    z http://www.infosec-research.org/
    z In existence since 1996

    26 January 2006 2
    IRC Participating “Agencies”
    z ARDA - Advanced Research and Development Activity
    z CIA - Central Intelligence Agency
    z DOD - Department of Defense (including the Air Force, Army, Defense
    Advanced Research Projects Agency, National Reconnaissance Office,
    National Security Agency, Navy, and Office of the Secretary of Defense)
    z DOE - Department of Energy
    z DHS - Department of Homeland Security
    z FAA - Federal Aviation Administration
    z NASA - National Aeronautics and Space Administration
    z NIH - National Institutes of Health
    z NIST - National Institute of Standards and Technology
    z NSF - National Science Foundation
    z TSWG - Technical Support Working Group.

    z In addition, the IRC is regularly attended by partner organizations from


    Canada and the United Kingdom.

    26 January 2006 3
    Hard Problems List (HPL)
    z Original Version
    ‹ Composed in 1997-98 based on several government sponsored
    workshops; Published in 1999
    z Topics
    ‹ 1. Intrusion and Misuse Detection
    ‹ 2. Intrusion and Misuse Response
    ‹ 3. Security of Foreign and Mobile Code
    ‹ 4. Controlled Sharing of Sensitive Information
    ‹ 5. Application Security
    ‹ 6. Denial of Service
    ‹ 7. Communications Security
    ‹ 8. Security Management Infrastructure
    ‹ 9. Information Security for Mobile Warfare
    ‹ A. Secure System Composition
    ‹ B. High Assurance Development
    ‹ C. Metrics for Security
    26 January 2006 4
    Hard Problems List (HPL)
    z 2005 Version
    ‹ In the works since Summer 2003
    ‹ First attempt in over 6 years to identify at Federal level the hardest and
    most important scientific challenges facing the US in Information
    Security research
    ‹ External Review Board
    „ Steve Bellovin
    „ Marc Donner
    „ Joan Feigenbaum
    „ James R Gosler
    „ Steve Kent
    „ Peter G. Neumann
    „ Fred Schneider
    ‹ Document Structure

    26 January 2006 5
    IRC HPL 2005 Topics
    1. GLOBAL SCALE IDENTITY MANAGEMENT
    2. INSIDER THREAT
    3. AVAILABILITY OF TIME-CRITICAL SYSTEMS
    4. BUILDING SCALABLE SECURE SYSTEMS
    5. ATTACK ATTRIBUTION AND SITUATIONAL
    UNDERSTANDING
    6. INFORMATION PROVENANCE
    7. SECURITY WITH PRIVACY
    8. ENTERPRISE LEVEL SECURITY METRICS

    26 January 2006 6
    1. GLOBAL SCALE IDENTITY
    MANAGEMENT
    z Scope: Identification, authentication, authorization,
    requisite key infrastructure
    z Motivation: Need for seamless IAA across many
    systems, costs of divergent IAA systems, limits of
    current PKI, quantum.
    z Challenges: Scale, churn, anonymity, federation.
    z Metrics: Scale and adversary work factor.

    26 January 2006 7
    2. INSIDER THREAT
    z Motivation: Frequency and severity of incidents
    historically, increasing potential.
    z Challenges: Not unauthorized access, Inside
    knowledge of defenses, “help” from outsiders with
    substantial resources.
    z Approaches: Connections to HP #1, pervasive
    auditing, and redundancy.
    z Goal: Mitigate the insider threat in cyber space so far
    as it is in physical space.

    26 January 2006 8
    3. AVAILABILITY OF TIME-
    CRITICAL SYSTEMS
    z Motivation: SCADA, military, home-land security
    first responders often
    ‹ Valueavailability over secrecy.
    ‹ Work in lossy, ad hoc wireless environments.

    z Challenges: limited resources


    ‹ Computational processing power.
    ‹ Service quality guarantees given dynamics.
    ‹ Distributed systems compound problem.

    z Metric: Range of circumstances over which results


    can be guaranteed.

    26 January 2006 9
    4. BUILDING SCALABLE SECURE
    SYSTEMS
    z Motivation: High Consequence Systems
    z Challenges: Today’s systems are huge.
    ‹ Catastrophic
    bugs can be tiny.
    ‹ Some developers may be working against us.
    ‹ Components, subsystems, architectures.

    z Approaches: Help formal verification scale.


    ‹ Development and formal V&V environments.
    ‹ Means of correctly composing formal models.

    z Goal: Fully verified truly trustworthy TCB.

    26 January 2006 10
    5. ATTACK ATTRIBUTION AND
    SITUATIONAL UNDERSTANDING
    z Motivation: Respond to the unpreventable.
    z Challenges:
    ‹ Some attacks may be acts of war, others the work of teens,
    others nations posing as teens.
    ‹ Hostile networks, anonymizers, recordless public access
    such as wi-fi and internet cafes.
    ‹ Big picture and appropriate response

    z Metrics:
    ‹ Response selection: Degradation of mission.
    ‹ Attribution: ID of adversaries in exercises.

    26 January 2006 11
    6. INFORMATION PROVENANCE
    z Motivation: Life-critical and releasability decisions
    both require pedigree of data.

    z Challenges: Volume, degree of automated processing


    and transformation. Connections to HP #7.

    z Goal: Track pedigree for every byte of information in


    exabyte scale systems transforming terabytes of data
    per day.

    26 January 2006 12
    7. SECURITY WITH PRIVACY
    z Motivation: More of our interactions and transactions
    are occurring in cyberspace. Data mining poses risks
    to privacy and identity theft poses risks to security.
    z Challenges: Current strategies for security often
    involve surveillance at cost of privacy
    z Scope: IRC NOT defining privacy policy.
    z Approach:
    ‹ Tools to help users keep private info private.
    ‹ Privacy sensitive data mining techniques.

    26 January 2006 13
    8. ENTERPRISE LEVEL SECURITY
    METRICS
    z Motivation: Without means to measure progress, we’re not
    likely to see much…
    z Challenges: Inability to quantify security leaves us with
    systems that we can’t describe
    ‹ Impacts on deployment of security technology
    z Goal: IRC supports CRA challenge that within 10 years,
    quantitative information-systems risk management should be
    at least as good as quantitative financial risk management.

    26 January 2006 14
    Summary
    z “Stake in the ground” from the front-line
    z Topics selected because of their importance to Government
    missions and the lack of solutions
    z Not the only challenges in the IT security space
    z Information security is not only about technology
    z Several non-technical issues impact the protection of
    information and systems
    ‹ Policy issues,
    ‹ Legal issues,
    ‹ Technology transition challenges,,
    ‹ Economics and market forces
    ‹ Academic education and training

    26 January 2006 15
    Douglas Maughan, Ph.D.
    Program Manager, HSARPA
    douglas.maughan@dhs.gov
    202-254-6145 / 202-360-3170

    26 January 2006 16

    You might also like