Introduction by
Brian McKenney and Peter Tasker
Guest Editors

Articles and headlines about Internet risks, computer vulnerabilities, viruses, and hacker attacks appear in the news media on a daily basis. Internet Service Providers and media companies such as Yahoo! have been exposed to Distributed Denial of Service attacks. Popular Web sites have been defaced and altered with obscene material. Credit card information and passwords flowing over the Internet have been compromised. Internet sites have been penetrated by hackers using a variety of techniques, such as exploiting documented vulnerabilities or employing readily available, user friendly "point-and-click" tools. New strains of computer viruses continue to pose challenges for sites and anti-virus vendors. The "I Love You" virus, for example, infected millions of computers and disrupted business operations worldwide.

Corporate intranets or enclaves consist of enterprise resources such as data, information systems, desktop workstations, and infrastructure elements. They require connectivity to the Internet in order to communicate with other networks and to access information resources. As a result, they must be protected from external adversaries (e.g., hackers), malicious insiders, and the possibility that users may unknowingly retrieve viruses and other malicious code by clicking on an email message or a link to a Web site. Security measures must support user access and business operations so that they can continue to be available even when they are under attack.

As more enclaves become highly interconnected, the risks accepted by one enclave may not be acceptable to the community at large. In essence, a risk accepted by one is a risk shared by all. So, security must be a shared responsibility. The community must work together to share information on threats and vulnerabilities and to build defenses across the community.

Managers must make effective risk management decisions that guide practical, cost-effective security engineering. Otherwise, the resulting enterprise security architecture may provide security that is inadequate or overly expensive. Managers will not be able to eliminate all risk. They must define and operate at an acceptable level of residual risk, making tradeoffs between risk and cost.

This issue of The EDGE is devoted to these and other issues of Information Assurance (IA)—the protection and management of enterprise-wide resources against unauthor- ized access. The following articles illustrate the range of MITRE's technical contributions in IA, from security architecture definition to research and development to operational deployment of security solutions in sponsor environments. Each article addresses an element of Defense in Depth (DiD), a strategy that combines the capabilities of people, operations, and security technologies to establish multiple layers of protection. Two articles deal with infrastructure security, namely Public Key Infrastructure (PKI) and secure infrastructure operations, which include network management security. Another article deals with monitoring and analyzing system and network activity via Intrusion Detection Systems (IDS) and computer forensics. A fourth article describes MITRE's research in analyzing cryptographic protocols. Finally, we include a compilation of IA activities and a summary of our Common Vulnerabilities and Exposures (CVE) collaboration, which provides a growing compendium of common names for publicly known vulnerabilities and exposures.

For more information, please contact guest editors Brian mcKenney or Peter Tasker using the employee directory.