In the Report to the President on Cyber Security: A Crisis of Prioritization (February 2005) was published the cyber security priorities, theses were:
- Authentication Technologies
- Secure Fundamental Protocols
- Secure software Engineering and Software Assurance
- Holistic System Security
- Monitoring and Detection
- Mitigation and Recovery Methodologies
- Cyber Forensics: Catching Criminals and Deterring Criminals activities
- Modeling and Testbeds for New Technologies
- Metrics, Benchmarks, and Best Practices ... and
- Non-Technology Issues than can Compromise Cyber security
Well, everything sounds known, but what does Holistic System Security mean?.
The report answers perfectly and explains why it is a priority:
4. Holistic System Security
Effective security in a complex, many-layered, global infrastructure such as the Internet and its nodes requires more than the security of its component parts. Establishing sound methods for authentication, secure protocols for basic Web operations, and improved software engineering will undoubtedly become
part of an evolving solution to this problem. But most importantly, researchers must recognize from the outset that an end-to-end architectural approach to the security of the whole necessarily transcends the security of the individual parts.For example, customers assume that their online banking transactions, based on secure socket layer (SSL), are indeed secure. But by spoofing the associated underlying protocols or end-user software, a malicious party can make a user’s transaction appear secured by SSL while allowing the theft of confidential data. It is also possible to compromise the security of the end computing systems, obtaining the data even though it was secure in transit.
Software usability itself is a legitimate and important research topic in cyber security. Incorrectly used software or hostile or confusing user interfaces can lead to user frustration and unauthorized workarounds that can compromise even the most robust security schemes. Research is also needed on how to make large and complex systems, where components can interact in unexpected ways, secure as a whole. Ultimately, fundamental research should address the development of entirely new, holistic security architectures including hardware, operating systems, networks, and applications. Research subtopics include:
- Building secure systems from trusted and untrusted components, and integrating new systems with legacy components
- Proactively reducing vulnerabilities
- Securing a system that is co-operated and/or co-owned by an adversary
- Comprehensively addressing the growing problem of insider threats
- Modeling and analyzing emergent failures in complex systems
- Human factors engineering, such as interfaces that promote security and user awareness of its importance
- Supporting privacy in conjunction with improved security
I think this approach (holism) is obvious, but is not for technical or developers of Software. The usability is very importan, This says that incorrectly used software or confusing UI can lead to user frustration and security controls misused.
I would like to highlight these words:
- Holism Security: include software/applications, s.o., hardware, networks ... and the people (end-user)
- Software Usability: human factors engineering, such as interfaces that promote security and user awareness of its importance.