Grand Challenges for Engineering - May 21, 2013
Authentication, monitoring, crime prevention -- will these approaches protect both cyberspace security and individual privacy? How can engineers design software that is inherently more robust?
A special web browser may help a lot..
Ban phishing websites..security checks should be increased..
It is very unlikely that we can make a system that is 100% while being open but what we CAN do is make it so hard to crack that it isn't worth it to hack it.
I think it is best to follow google's approach on their web browser Chrome. Make a machine as secure as you possibly can then offer money for anyone who can find a venuverability eventually almost everything will be secured. But, even the most secure software is only as secure as the people using it.
We Could Create A Program That LOOKS Appealing To Hackers,But Really Is A Virus Eliminater(hee-hee-hee)
Internet should be family friendly for kids and adults.
PPS: Per the good ideas posted by others, my next-gen system integrates all of them and much more down to the kernel and core communication logic architecture. Additionally, though my approach involves a human engineering component (real world ID verification & multi-biometrics) removing anonymity for critical transactions & communications, it permits maximum privacy & optimal security at all levels & within data streams & routers. While it automates secure coding Schneier says is uncrackable, it also permits flagging of suspect keywords to alert the intelligence community or CSOs of possible threats & risks. All the security & compression functions are integral, automatic, and beyond user control & tampering. It does the same for any network enabled with my system or embedded subsystems.
I use a private computer in my home. Often, when I am logging out, a message comes up stating that other people are logged on to my computer and shutting down will also shut them down. How are people hacking into my computer without my knowledge or consent? Is it possible to track down the hacker? I'd appreciate any information you may be able to share. Thanks, Deb Fusco
The major way of authentication in most of the websites is by user name & password which is vulnerable to many types of attacks like Phishing(which happens in many ways).Two-factor authentication is also proved to be vulnerable.There is a necessity of designing protocols or methods such that even though the theft of identity can not do harm to customers or users.There should be multi levels of authentication but not at cost of time & speed!
Hackers are always a step ahead in technology.we are thinking of solutions after attack is done.Instead of that Ethical hacking is to be done & possible know attacks are to be prevented.Educating normal internet user yields more benefit in avoiding phishing attacks.The war between hackers & cyber security people is never ending!
We need to take better cues from physical security controls such as video surveillance. By recording all network traffic at choke points or boundaries between AS's and proactively inspecting that traffic for malware or ill intent, attak vectors can be better understood faster for quicker detection. Video surveillance is pervasive in physical security. Why hasn't it caught on with networks? The ability to capture packet data at multigigabit speeds and store it on multiterabyte storage has been around for a few years now. Surveillance has a deterent effect as well that should not be underestimated.
"We need a network that can survive, and function well, even if a majority of the connected hosts are compromised and trying to do it harm. "
Too many ideas in the information/computer/netw ork security fields rely on stopping vulnerabilities. We can block a piece of malware if we know what it looks like. We can block a piece of confidential information from leaving our network if we know what it looks like. Well, we don't know what these things look like until it is too late. This is why we need more resilient systems. We need a network that can survive, and function well, even if a majority of the connected hosts are compromised and trying to do it harm. We need hosts that can survive even if a majority of the programs and services running on it are compromised. We need information that can survive being processed by a compromised host. In the real world, our bodies are subjected to viruses, bacteria, and many other baddies all of the time. Yet we continue to function fine, a vast majority of the time without being aware of the battle going on inside of us between these interlopers and our own immune system. The body learns about what is attacking it and it comes up with a solution while only compromising what it must. Until we can build information systems that can respond in a similar way, cyberspace will never be "secure."
We need advanced automated predictive and proactive response systems at all levels on our digital infrastructures (both communications, computing and control).
The concept of balancing the approaches to protect individual privacy rights with out compromising cyberspace security is a difficult challenge. The use of engineering solutions to reduce anonymity is not the precise approach for cyberspace security or protection of individual privacy rights. Fearing someone that is anonymous tells a lot about your data assurance. The problem space is to identify the greatest risk not a user that decides to conceal his identity. The solution is not to develop more anti-privacy software. The theory of being completely anonymous over the Internet to begin with is not possible. There is plenty of security solutions used to reveal the true identity of a user. For Example; when a user connects to the Internet the computer is assigned an IP address which is often logged by a web site or an ISP. Therefore, the problem does not exist in individuals having complete control over their anonymity. This approach would not help prevent against attackers but would open more doors for loss in confidentiality and integrity of information. Reducing the ability to be anonymous could cause leaks in personal information. This could be used by marketers, identity thieves, and online predators. Instead, engineers should focus more on the idea of creating solutions to protect anonymity over the Internet.
"We do need engineering solutions to reduce the ability to be anonymous..."
We keep the internet safe and open the same we do rest of our infrastructure - fear of punishment and real enforcement. This issue is mostly a national and international rule of law issue. Why do most people no destructive and follow the rules? They get caught and go to jail if they do not (or at least are afraid they will). We do need engineering solutions to reduce the ability to be anonymous -- better cyber forensics in essence and then the national and international will to prosecute crimes (or when state sponsored -- treat as acts of war)
@Charles M. Barnard - proactive protection by definition does not detect and neutralize anything, that is reactive. What is needed are mechanisms at the OS level that determines acceptable or authorized behaviors, including data access, and denies everything else in a default deny framework that supercedes the normal kernel mechanisms that allow software vulnerabilties to be enacted on. This approach is deterministic and is a viable proactive approach. A secondary problem is the inadequateness of network security to provide information-centric security. Does not work and will never work. People are starting to figure that out now. With the right approach you can secure the internet one computer at a time. :)
The net needs proactive protection, software that can reliably detect and neutralize malware, including the ability to analyze new software for potential threats. Like any tool, the same techniques used to create malware can and are used to create useful tools as well as such weapons. The creation and use of such weapons is a social problem, like all crime, and the net needs to be able to detect, isolate and remove malware in as short a period as possible to avoid its spread, and also locate the source(s) for apprehension and detention of the purpetrators. None of this is simple.
My opinion for enchancing Cyber security is first we must create an awareness about the various ways in which one can be exploited and also the ways in which to avoid them. My main view is that many people around the world are ignorant to these security issues and become aware of them only when they themself are exploited.As someone said "Security isnt a process it's just a state of mind".... By doin this even though we cant entirely stop cyber crimes we could atleast decrease it by a great amount.
create a security kookee of sort to keep track of key words and forget about my privacy........... i rather loose some of my privacy and know that my kids are safe on the www
Internet is a great tool. So far, viruses have caused minor damages, thankfully. But the numbers of viruses and frauds on the internet are rising. Let us have reliable tracing tools and international laws in order to face this problem before it snowballs, and we would get back to the days we were living in caves i.e. without internet.
The biggest problem I see is Microsoft Windows. First, it is poorly designed and allows too much access to OS functions and thus requires constant patches to fix holes. In contrast, Java was designed to avoid security holes. Second, it defaults to the admin user account, which allows toxic software to be installed. Defaulting to limited accounts would provide a much more secure environment. I initially started using a limited account just to protect my system from stupid mistakes.
Information security is not a technology problem. It is a human nature problem. Thank you for stating as much in your document. Once you figure out how to induce software and hardware makers to only produce secure code and devices you can start on the human psychology issues. I wish you luck and am happy to help in any way that I am able.
"...it is the lack of vigilance and knowledge from the general public that is a huge threat..."
As a graduating electrical engineer and partial network security analyst, the biggest problem is not the lack of features or security measures available to the general public. Rather, it is the lack of vigilance and knowledge from the general public that is a huge threat. How many people did not activate basic security on their wireless network? This specific problem is so bad that exploiting this vulnerability has its own name: wardriving. People do not need to know how stuff works - they need to know how to use it. In an analogy with a car, people don't need to understand combustion chemistry, mechanical physics or heat transfer - they do need to know how to change a flat tire and fill up the tank and windshield washer fluid, however. In the 21st century, our relationship with technology has become no longer a luxury, but the new standard of efficiency. How can we depend upon sytems and technologies that are as clear to us as black magic?
Many of the technological elements for achieving secure and reliable computation and communications infrastructures already exist, or are in an advanced research stage: - encryption: www.pgp.com - authentication: www.credentica.com - digital notarization: www.surety.com - computing: http://research.microsoft .com/os/singularity What remains is for visionary entrepreneurs to integrate these elements in the form of practical commercial products and services. However, engineering alone is not sufficient. What is needed in addition is a sound understanding of security practices. Good references are Bruce Schneier's "Secrets and Lies", and "Beyond Fear". Above all, we need a culture that understands and respects individual sovereignty and liberty, that recognizes that individual privacy is not at odds with security, but an essential component of it, and that implements these philosophies through effective governance models and social institutions. See Bruce Schneier's 2008-01-29 blog entry titled "Security vs Privacy" at http://www.schneier.com/b log/archives/2008/01/. Without the support base of such a culture of freedom, all the engineering solutions in the world will not help us--as history has repeatedly demonstrated. For an innovative social governance model that supports a culture of freedom, see www.instituteforfreedom.o rg.