Security Watch

Rebecca Mercuri authors the featured "Security Watch" column for the Communications of the Association for Computing Machinery.  Articles will be linked here in html (containing interactive links) and pdf (best for printing) formats as they appear. [RM Note: Links within the html versions may not necessarily currently reflect the same material that was originally referenced when these articles were published. It is appreciated if readers who locate a link's new location let me know where it has moved, so I can provide an update. Broken links need not be notified.]
With the ubiquity of computer-based devices in everyday use, forensic techniques are increasingly being applied to a broad range of digital media and equipment, thus posing many challenges for experts as well as for those who make use of their skills. This article draws on the author's experience as a computer forensic investigator and expert witness in addressing best practices, training, certification, toolset, and laboratory issues in this rapidly expanding field.
Transparency is playing an increasingly important role in the world of computer security. But as with many sociological interactions with technology, an optimal balance is difficult to quantify. The consideration of a trust-centric approach (as opposed to a vulnerability-based one) may help achieve the transparency needed to ensure confidence and reduce perceived (and perhaps even actual) risks in transactional experiences.
Digital multimedia (whether it be audio, video, or still photography and art) is exposed to a broad spectrum of security problems, and involves significant gray areas in terms of methods and laws. From the standpoint of the media provider, protection of artistic content from unauthorized distribution or modification is a primary concern. At the delivery end, recipients want to ensure that downloads are virus-free and legitimately obtained. This article juxtaposes the benefits and risks of various aspects of digital rights management.
Deadlines for compliance with the Health Insurance Portability and Accountability Act (HIPAA) have caused a major crunch for the computer security industry. This hippopotamus-sized legislation, enacted in 1996, consists of two major provisions: insurance reform (so that preexisting conditions do not result in denial of coverage when one changes jobs); and administrative simplification (intended to reduce health care costs through standardized electronic transmission of transactions). HIPAA violations can carry fines of up to $250,000 and jail time of up to 10 years, so you can bet that organizations are taking this federal law very seriously.
Advances in high-performance computing (such as exponential increases in computational speed, memory capacity, and bandwidth) have found their counterpart in new security threats. Yet there is an interesting twist in that computational expansion tends to be relatively predictable, whereas security challenges are typically introduced and mitigated (when possible) in a more chaotic fashion. It is useful, therefore, to consider some of the impacts of scaled-up computing on our overall security environment.
Standards can play an important role in security by enforcing baselines and enabling compatibilities among products.  In the best of worlds, standards provide a neutral ground where methodologies are established that advance the interests of manufacturers as well as consumers, while providing assurances of safety and reliability. At the opposite extreme, standards can be inappropriately employed to favor some vendors' products over others, make competition costly, and encourage mediocrity over innovation, all of which can have negative effects on security. This article considers the current security standards environment and offers suggestions for its increased understanding and improvement.

Author's Note:  Astute readers pointed out the omission of some well-known computer security-related standards groups from my table. Although the original list was not intended to be comprehensive, I thought it would be helpful to cite these additional ones here.

Information Systems Audit and Control Association -- IS and IT audit and control, accounting, information security -- ISACA membership
International Telecommunication Union -- Global telecom networks and services -- Government, United Nations, private sector
Rebecca Mercuri has also been a frequent contributor to Peter Neumann's popular "Inside Risks" column in the Communications of the Association for Computing Machinery. Some of her articles that directly pertain to computer security are linked below; others can be found via her electronic voting page.
The belief that computer security can be provided by obscurity is a multi-faceted myth. Various real-world scenarios are presented and shattered.
The ISO Common Criteria identifies numerous dependencies (if you implement X, you are required to implement Y and perhaps also Z, and so on) among the items necessary to provide security assurance, but it omits the specification of counterindications (if you implement J then you cannot implement K and perhaps not also L). This flaw has serious implications in the application of the standard where counterindications (such as the simultaneous requirement for anonymity and auditability of certain voting systems) must be mitigated.

Permission to make digital or hard copies of all or part of these works for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

To purchase reprints contact:
2 Penn Plaza, Suite 701
New York, NY  10121-0701 USA
800/342-6626 (toll-free USA and Canada)
212/626-0500 (Global)

For re-publication or quotation permission contact:
Dr. Rebecca Mercuri
P.O. Box 1166 -- Dept. W
Philadelphia, PA  19105  USA
609/587-1886 or 215/327-7105
mercuri AT acm DOT org