Protecting Australia's Information Infrastructure through Education and Training

Slide transcript (36 slides). Keynote presentation, 20 May 2004, CISCO at UQ.

Slide 1

Protecting Australia's Information Infrastructure through

Education and Training

Professor William J Caelli AO, PhD (ANU), BSc (Hons) (Newc), FACS, FTICA, Sen MIEEE, CISM

Head – School of Software Engineering and Data Communications
Faculty of Information Technology
Queensland University of Technology
GPO Box 2434, Brisbane, Qld 4001, AUSTRALIA
Phone: +61 – 7 – 3864 2752  Fax: +61 – 7 – 3864 1801  Email: [email protected]

Keynote Presentation to “IT Opportunities Kiosk (ITOK)”, 20 May 2004: CISCO Academies of UQ and QUT

Slide 2

Asian Wall Street Journal, 11 May 2004.

..42 years..

Some Caelli Nostalgia!

EDS & IBM 1401

Slide 3

“..changes the costly PC-centric model for enterprise applications…”

IBM Advertisement, Asian Wall Street Journal, 11 May 2004.

Slide 4

SOME BACKGROUND

Slide 5

Slide 6

“If current trends continue, Clarke told attendees at Gartner's Symposium/ITxpo 2003 here this week, the cybersecurity situation isn't just going to get worse. It's going to get exponentially worse.”

Richard A Clarke, former US White House IT Security Advisor. Reported in ZDNet, USA, 22 October 2003. http://techupdate.zdnet.com/Clarke_issues_gloomy_report_card_.html

Slide 7

Brian Valentine, Senior Vice-President, Microsoft Windows Development

“..I’m not proud… We really haven’t done everything we could to protect our customers…. Our products just aren’t engineered for security”

Computerworld (Australia), September 16, 2002, page 14.

Slide 8

VENDOR ESCAPE:

MICROSOFT (Mundie, 8 Oct. 2002, RSA, Paris)

• Question: 25 years to go “trustworthy”?
• Reply:
  • “Customers wouldn’t pay for it until recently.”
  • “Information officers .. only recently begun to demand security.”
  • “.. Only in last 10 years that Microsoft has attempted to play in the security-requiring worlds of banking, payroll and networked systems…”

Slide 9

15 March 2004

Slide 10

Grand Challenges #2:

CRA Conference on: "Grand Research Challenges in Information Security & Assurance"

16 – 19 November 2003. Airlie House, Warrenton, Virginia, USA.

Sponsored by the National Science Foundation (NSF)

Slide 11

Slide 12

Slide 13

FOUR GENERATIONS OF PEOPLE IN COMPUTER SCIENCE & TECHNOLOGY

1940 – 1960   Scientist/engineer: program, operate yourself
1960 – 1980   IT professionals: programmer/analyst, operations, managers
1980 – 2000   CIO / end-users: software industry, user control, hackers
2000 – 2020?  Diverse / spread profession: 3Cs – converged computing, communications & content

Slide 14

4th GENERATION OF IT PROFESSIONALS

Generation 1 ( 1940 - 1960 ).

• Engineer / scientist

CSIRAC (Australia)

COLOSSUS (UK)

Slide 15

4th GENERATION OF IT PROFESSIONALS

Generation 2 ( 1960 - 1980 ).

• Elites (Specialist professionals)
• Managers

Slide 16

IBM System/360-50

Happy 40th Birthday! (7 April 1964)

Slide 17

4th GENERATION OF IT PROFESSIONALS

Generation 3 ( 1980 - 2000 ).

• Professionals vs Hobbyists, Hackers & Amateurs

Slide 18

4th GENERATION OF IT PROFESSIONALS

Generation 4 ( 2000 on ).

• Everyone (multiple levels)

Mobile Phone

Slide 19

INTEGRATION & “END-TO-END” SECURITY

“.. hardware on which applications run must be secure, as must the operating system and run time environment in between, while offering a reasonable API for application developers…

.. applications cannot be more secure than the kernel functions they call, and the operating system cannot be more secure than the hardware that executes its commands..”

Dyer et al – “Building the IBM 4758 Secure Coprocessor”, IEEE Computer, October 2001.

Slide 20

EDUCATION & TRAINING

Slide 21

EDUCATION & TRAINING

DUAL REQUIREMENTS

INFORMATION SYSTEMS (IS)

COMPUTER / COMMS SCIENCE & ENGINEERING (CSE)

Taxis / Cars

Slide 22

EDUCATION & TRAINING

DUAL REQUIREMENTS

• Industry & business (incl. commercial government, etc.)
• Emphasis on enterprise analysis, business awareness & needs, team involvement, speed of implementation, cost, etc.

• Defence, intelligence & NIIP
• Emphasis on IT & comms fundamentals, science & engineering, protocol & computer architectures, structures, etc.

Slide 23

PC Magazine – USA – 11 Feb 2004.

• Microsoft security update MS04-007
• “Critical”
• Buffer overflow in ASN.1 Library DLL
• Used by security sub-system
• “..the vulnerability has no workarounds..”

FACTS:
* System vulnerabilities are almost completely in system software and middleware.
* ICT technology & artefacts come from mainly one nation and a few companies, including a recognised monopoly
* China is emerging
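The slide cites an ASN.1 library overflow as evidence that the serious flaws sit in system software. The C program below is an illustration added to this transcript; it is not code from the presentation, from Microsoft, or from the PC Magazine report, and it does not reproduce the actual MS04-007 defect. It shows the general shape of a length-field bug in a DER decoder: an OCTET STRING copy that trusts the encoded length, beside a hardened decoder that validates the length against both the remaining input and the destination capacity before any copy. All sample encodings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by the hardened decoder. */
enum der_status {
    DER_OK            =  0,
    DER_ERR_TRUNCATED = -1,   /* encoded length runs past the end of the input    */
    DER_ERR_BADLEN    = -2,   /* indefinite, non-minimal, or oversize length form */
    DER_ERR_TOOBIG    = -3    /* content would not fit the caller's buffer        */
};

/* VULNERABLE (illustrative only, not any vendor's code): trusts the encoded
 * length byte and copies into a fixed 64-byte buffer with no check against the
 * input size or the buffer size. A length of 0x7f (127) already overruns `out`. */
static size_t octet_string_copy_unsafe(const uint8_t *in, uint8_t out[64]) {
    size_t len = in[1];            /* assumes tag at in[0], short-form length at in[1] */
    memcpy(out, in + 2, len);      /* overflow when len > 64 */
    return len;
}

/* Decode a DER length field at in[0..in_len). On success stores the content
 * length in *len and returns the number of bytes the length field occupied;
 * on failure returns a negative der_status. Rejects the indefinite form (0x80),
 * long forms wider than 4 bytes, and non-minimal encodings, as DER requires. */
static int der_read_length(const uint8_t *in, size_t in_len, size_t *len) {
    if (in_len < 1) return DER_ERR_TRUNCATED;
    uint8_t first = in[0];
    if (first < 0x80) {            /* short form: one byte, value 0..127 */
        *len = first;
        return 1;
    }
    size_t nbytes = first & 0x7f;
    if (nbytes == 0 || nbytes > 4) return DER_ERR_BADLEN;    /* indefinite or > 32-bit */
    if (in_len < 1 + nbytes) return DER_ERR_TRUNCATED;
    if (in[1] == 0x00) return DER_ERR_BADLEN;                /* leading zero: non-minimal */
    size_t value = 0;
    for (size_t i = 0; i < nbytes; i++) value = (value << 8) | in[1 + i];
    if (value < 0x80) return DER_ERR_BADLEN;                 /* should have used short form */
    *len = value;
    return (int)(1 + nbytes);
}

/* HARDENED: decode an OCTET STRING (tag 0x04) and copy its content into
 * out[0..out_cap). The length is checked against the remaining input and the
 * output capacity before memcpy is reached. */
static int octet_string_copy_safe(const uint8_t *in, size_t in_len,
                                  uint8_t *out, size_t out_cap, size_t *out_len) {
    if (in_len < 2 || in[0] != 0x04) return DER_ERR_BADLEN;
    size_t len = 0;
    int hdr = der_read_length(in + 1, in_len - 1, &len);
    if (hdr < 0) return hdr;
    size_t content_off = 1 + (size_t)hdr;
    if (len > in_len - content_off) return DER_ERR_TRUNCATED; /* claims more than we have */
    if (len > out_cap) return DER_ERR_TOOBIG;                 /* would overflow the caller */
    memcpy(out, in + content_off, len);
    *out_len = len;
    return DER_OK;
}

/* Wrapper: decode into a scratch buffer advertised as `out_cap` bytes and
 * return the content length on success or the negative status on failure. */
static long decode_len(const uint8_t *in, size_t in_len, size_t out_cap) {
    uint8_t scratch[128];
    size_t n = 0;
    if (out_cap > sizeof scratch) return DER_ERR_TOOBIG;
    int rc = octet_string_copy_safe(in, in_len, scratch, out_cap, &n);
    return rc == DER_OK ? (long)n : (long)rc;
}

/* Constructed sample encodings (not captured from any real product). */
static const uint8_t SAMPLE_GOOD[]   = { 0x04, 0x03, 'a', 'b', 'c' };        /* valid, 3 bytes     */
static const uint8_t SAMPLE_TRUNC[]  = { 0x04, 0x82, 0x10, 0x00 };           /* claims 4096, has 0 */
static const uint8_t SAMPLE_INDEF[]  = { 0x04, 0x80, 0x00, 0x00 };           /* indefinite form    */
static const uint8_t SAMPLE_NONMIN[] = { 0x04, 0x81, 0x05, 1, 2, 3, 4, 5 };  /* 5 in long form     */

/* Content that fits the input but not a 64-byte destination. */
static long oversize_result(void) {
    uint8_t buf[2 + 70];
    buf[0] = 0x04;
    buf[1] = 70;                   /* short-form length 70 */
    memset(buf + 2, 'A', 70);
    return decode_len(buf, sizeof buf, 64);
}

int main(void) {
    uint8_t small[64];
    printf("unsafe copy of valid input: %zu bytes\n", octet_string_copy_unsafe(SAMPLE_GOOD, small));
    printf("good       -> %ld\n", decode_len(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 64));
    printf("truncated  -> %ld\n", decode_len(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, 64));
    printf("indefinite -> %ld\n", decode_len(SAMPLE_INDEF, sizeof SAMPLE_INDEF, 64));
    printf("nonminimal -> %ld\n", decode_len(SAMPLE_NONMIN, sizeof SAMPLE_NONMIN, 64));
    printf("oversize   -> %ld\n", oversize_result());
    return 0;
}
```

The unsafe routine is only ever called on the valid sample here; feeding it the 70-byte case would corrupt the stack, which is exactly the class of defect the slide's "no workarounds" remark points at: once a length is trusted inside a library every caller inherits the fault. The hardened path rejects the malformed inputs with distinct status codes so a caller can log which DER rule was violated.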

Slide 24

EDUCATION & TRAINING

DUAL REQUIREMENTS

FACTS ABOUT IS / CSE PROGRAMS AT UNIVERSITIES / COLLEGES (USA / Australia)

• CS – NO computer structures/architectures
• IS – “scripting” / Web emphasis
• CSE – NO assembler level languages
• CSE – <6 lectures on architecture
• CSE / IS – NO undergraduate work on software security & protection
• CSE – nothing on “drivers”, kernels, crypto, etc

Slide 25

EDUCATION & TRAINING

DUAL REQUIREMENTS

• FACTS ABOUT IS / CSE PROGRAMS AT UNIVERSITIES / COLLEGES (IIT – India)

• CSE – undergraduate project
• develop RSA encryption VLSI chip for 1024 bit modulus with PKS interface standards support and create appropriate driver and support software for a popular OS

Slide 26

National Cyber Security Partnership

“…public-private partnership .. established to develop shared strategies and programs to better secure and enhance America’s critical information infrastructure..”

Task forces include:
• Awareness for Home Users and Small Businesses
• Cyber Security Early Warning
• Corporate Governance
• Security Across the Software Development Life Cycle
• Technical Standards and Common Criteria

http://www.cyberpartnership.org

Slide 27

Security Across the Software Development Life Cycle

Report – 1 April 2004.

SOFTWARE VALUE:
• INCREASE PRODUCTIVITY & EFFICIENCY
• RESILIENCE TO ATTACK
• PERFORM IN BOTH NORMAL & CRISIS SITUATIONS

MULTICS

Slide 28

Security Across the Software Development Life Cycle - 1 April 2004

OVERVIEW:

“.. lack of adequate education in software security for software developers has cost the United States dearly…….”

“…if the United States is to progress beyond immature infrastructures created by amateurs, professionalism based on a sound university education is required……”

Slide 29

Security Across the Software Development Life Cycle - 1 April 2004

OVERVIEW:

“…. across the globe … software security research funding … is almost non-existent..”

Slide 30

Security Across the Software Development Life Cycle - 1 April 2004

EDUCATION SUB-GROUP FINDINGS

Software security flaws, patch management
  leading to
LOSSES IN 10s OF BILLIONS $(US)

Offshoring to “more able” overseas programmers
  because
Best people through “university degree programs”

Slide 31

Security Across the Software Development Life Cycle - 1 April 2004

THE PROBLEM – GETTING WORSE!
IMPROVE SOFTWARE SECURITY = SAFEGUARD NII

WHO            ISSUES
Universities   Education & research
Producers      Skills, processes, incentives
Customers      Requirements
Providers      Quality, testing

Slide 32

Security Across the Software Development Life Cycle - 1 April 2004

THE PROBLEM – GETTING WORSE!
IMPROVE SOFTWARE SECURITY = SAFEGUARD NII

WHO             ISSUES
Administrators  Maintenance, patching
Users           Ease of use
Installers      Configuration
Governments     Enforcement

Slide 33

Security Across the Software Development Life Cycle - 1 April 2004

REQUIREMENTS: Security at the centre in software design & foundation for development process
ACTION: Education & Training

Education subgroup

Slide 34

EDUCATION & TRAINING FOR NIIP

SUMMARY – “Back to basics”

• Recognition / assessment of threats & vulnerabilities (risk)

• Software from anywhere
  • “Skype” – Estonia / Telstra (Aust) – India
  • Device drivers – Russia

• Understanding of hardware (again) & software interaction – compilers, libraries, etc.

• Emerging software schemes – “components”
• Reverse engineering, test harnesses

Slide 35

EDUCATION & TRAINING FOR NIIP

SUMMARY – “Back to basics”

• Re-emphasis on fundamentals of computer science and engineering

• Education program vs. “quick” industry “training”

• Emerging requirements for “expert witnesses” in IT & sub-disciplines

• US recognises lost 20 years (NSA & NCSP)
• NIIP requires national education programs
• New opportunities, e.g. SELinux

Slide 36

THANK YOU

Visit the “Colloquium for Information Systems Security Education (CISSE)”,
(5 – 9 June 2004), USMA, West Point, NY, USA.

See: http://www.ncisse.org