Brian McKenney and Peter Tasker
Articles and headlines about Internet risks, computer
vulnerabilities, viruses, and hacker attacks appear in the news
media on a daily basis. Internet Service Providers and media companies
such as Yahoo! have been exposed to Distributed Denial of Service
attacks. Popular Web sites have been defaced and altered with
obscene material. Credit card information and passwords flowing
over the Internet have been compromised. Internet sites have been
penetrated by hackers using a variety of techniques, such as exploiting
documented vulnerabilities or employing readily available, user
friendly "point-and-click" tools. New strains of computer
viruses continue to pose challenges for sites and anti-virus vendors.
The "I Love You" virus, for example, infected millions
of computers and disrupted business operations worldwide.
Corporate intranets or enclaves consist of enterprise resources
such as data, information systems, desktop workstations, and infrastructure
elements. They require connectivity to the Internet in order to
communicate with other networks and to access information resources.
As a result, they must be protected from external adversaries
(e.g., hackers), malicious insiders, and the possibility that
users may unknowingly retrieve viruses and other malicious code
by clicking on an email message or a link to a Web site. Security
measures must support user access and business operations so that
they can continue to be available even when they are under attack.
As more enclaves become highly interconnected, the risks accepted
by one enclave may not be acceptable to the community at large.
In essence, a risk accepted by one is a risk shared by all. So,
security must be a shared responsibility. The community must work
together to share information on threats and vulnerabilities and
to build defenses across the community.
Managers must make effective risk management decisions that guide
practical, cost-effective security engineering. Otherwise, the
resulting enterprise security architecture may provide security
that is inadequate or overly expensive. Managers will not be able
to eliminate all risk. They must define and operate at an acceptable
level of residual risk, making tradeoffs between risk and cost.
This issue of The EDGE is devoted to these and other issues of
Information Assurance (IA)—the protection and management
of enterprise-wide resources against unauthor- ized access. The
following articles illustrate the range of MITRE's technical contributions
in IA, from security architecture definition to research and development
to operational deployment of security solutions in sponsor environments.
Each article addresses an element of Defense
in Depth (DiD), a strategy that combines the capabilities
of people, operations, and security technologies to establish
multiple layers of protection. Two articles deal with infrastructure
security, namely Public Key Infrastructure (PKI) and secure infrastructure
operations, which include network management security. Another
article deals with monitoring and analyzing system and network
activity via Intrusion Detection Systems (IDS) and computer forensics.
A fourth article describes MITRE's research in analyzing cryptographic
protocols. Finally, we include a compilation of IA activities
and a summary of our Common Vulnerabilities and Exposures (CVE)
collaboration, which provides a growing compendium of common names
for publicly known vulnerabilities and exposures.
For more information, please contact
guest editors Brian mcKenney or Peter Tasker using
the employee directory.