PREFACE

Advances in computer security technologies are occurring at a fast pace. As a result, defenses (over time) are dynamic and forever evolving. As new protective measures appear, new attacks are developed to defeat them, leading to corrective improvements in the protective measures, new attacks, and so on. Hacker organizations, often formed with the intent of forcing developers to improve and harden the security features of their products, meet frequently to discuss new security technologies as well as new attack tools. Challenges and contests in which participants try to break security products or operating systems are mounted frequently and the results published broadly, often to the consternation of the product developer. As more applications migrate to open source, the opportunity for deeper testing of security features is enhanced.

By its very nature, any book on the topic of computer security will be a snapshot of current protection technologies and common attack approaches. For example, even as this book goes to press, new articles are appearing on a possible vulnerability of quantum cryptography, which to date has been considered unbreakable by the intelligence community. Of course, the assertion will be studied and tested by countless groups around the world, and will likely result in an improvement.

With this dynamic quality in mind, readers should review each of the technologies discussed in this book periodically to determine if enhancements or fundamental changes have been made since the time of publishing. New technologies will appear as well, and they need to be subjected to careful analysis and testing before being deployed on mission critical systems. That having been said, the basic physics, mathematics, and electronics that are used to build these technologies do not change, and so the core principles remain the same. The specific implementations are usually the elements that evolve.

The book has been designed to present each security technology from a fundamental principles perspective first, so that the reader can understand the issue that motivated the creation of the technology. With this in mind, the subsequent analysis of the technology's ability to meet those goals and withstand attacks is generally easier to accomplish. Perhaps as important, such an understanding will help a user appreciate the need to implement each technology properly so that the intent of the developers is preserved. Otherwise, additional vulnerabilities due to mismatching interdependencies may be introduced that compromise a specific implementation.

Dependencies are another important aspect of security elements in an information processing environment. No single product is developed without attention to other components or critical processes upon which it depends. Failure of IT administrators to understand such dependencies can undermine a security rollout. Moreover, as specific security technology elements are broken, awareness of the impact on other elements within a deployment must be evaluated immediately to determine if the entire system is now compromised.

Security administrators must establish early on which priorities override others. For example, in high security organizational systems, control of access or knowledge of employee activities may override privacy of employees. It is important that policy governing these priorities be established early and communicated broadly throughout the organization so that implementations meet the requirements and that employee expectations are not misplaced.

Implementations, interdependencies, specific (existing and new) security technologies and organizational security goals should be revisited annually to assure that mission critical systems continue to be protected to the highest level possible. A fresh review and audit of the choices available and made (as described in Chapter 14 of this book) should be completed by a knowledgeable committee of internal and external auditors annually, and a summary of the current or recommended security implementation should be presented to executive management annually as well. This process need not be expensive nor time consuming, but the benefit will be measurable as new attacks appear and new technologies surface.

Finally, technology must not become a smokescreen for what is happening within the core of a security product. Security is an essential element of an information technology environment, and as such, must be chosen with care. A deep understanding of the processes might require some additional education in a specific field (such as optics, electronics, or even introductory quantum theory), but the benefit of such an understanding is that no marketing material will succeed in obscuring the true limitations and capabilities of a technology from someone who has taken time to master its basic principles. To quote Francis Bacon, “knowledge is power.”

Roger R. Dube
Rochester, NY