Dale Reynolds, Visiting Professor, DeVry University and its Keller Graduate School of Management, President & CEO at edelan

By Dale Reynolds, Visiting Professor, DeVry University and its Keller Graduate School of Management, President & CEO at edelan

Today’s systems are quite well protected by isolating the systems from the outside world.  We have a wide range of commercially available tools to check systems from all kinds of malware.  Nevertheless our systems are compromised by attacks.  Why is this?  We have built deep moats around the castle, put iron bars on all the doors and windows and conclude we have protected ourselves, while the real truth is that the enemy is already within the gates.

What we need to do is to assume that any user running on the system could be malicious. What I mean by this is that the attacker penetrated the castle by sneaking in through the secret gate. Attackers use ruses such as phishing attacks, contaminated documents and unpatched problems in software (most often browser plug-ins) to compromise our systems.  For example, installing malware to capture names and passwords and using them to install software that is basically free to do whatever it wants.

This kind of internal protection can best be achieved by providing secure application development platforms.  To fight against this we have to verify every user through credential checks.  Whenever a running program performs an operation, the system asks the question, “who is this person and are they allowed to do what they are trying to do,” e.g., invoke a database call to read a record?

Role-based Security

Through role-based security and provisioning we can do this. This kind of functionality is available in many system facilities such as Microsoft .NET and Oracle J2EE. For example, when an application code is built in the .NET environment, it is compiled into intermediate code which is not compiled to executable code until run time.  During this final process the system checks the credentials of the user to see if they are real and have permissions to perform the operation being attempted.  If they do not then the system generates various kinds of signals indicating that an illegal operation is being attempted.  In this way any compromised user will be detected and the enemy within the gates is detected.  These users are most likely unaware that their credentials have been stolen and that there is an attempt to use them in an illegal way.  In order for this kind of a system to function with accuracy, each user’s roles and credentials must be carefully specified and maintained.  That is a topic for another post.

The bottom line is that we have now protected the system from most external attacks and the ones that do get through are detected.

Organizational Effects

How does this effect organizations?  First application developers and system analysts must be skilled in this kind of application development and deployment.  This includes commercial software packages.  Only those which meet these requirements are purchased.  In addition IT must be diligent about insuring that all available software patches are deployed to the systems and that user systems are always up to date. Management also needs to put in place training that consistently provides information to employees on how to detect these types of attacks.

What DeVry University Offers

DeVry University offers programs in both the undergraduate and graduate level that teach these cyber security principles.  Courses in Network and Communications Management provide for students a foundation in understanding the design and management of secure systems.  Development language classes such as Java, C++, C# and Visual Basic in a .NET environment provide the hands-on experience necessary to prepare students for a career where secure programming models are required.

Dale Reynolds graduated from the University of Utah with a Masters in Computer Science and has worked in the computer industry ever since.  His first love was operating systems and he was the design manager for the IBM S/38 and AS/400 system software.

His first introduction to personal computers was the five years spent at Dell computers, where he was the VP of Development. He then went on to start his own company, WorkFlow Technologies which majored in collaborative software, particularly in distributed project management. He has also worked at several software startups and IT consulting firms.