View/Open - JUWEL - Forschungszentrum Jülich
Bad memories, bad dreams in library ICT security?

rudimentary. They are not "naturally" mobile in that they rely on their external environment
(and often our own stupidity) for their mobility. They are not able to recognise
energy/information as a resource to be stored for later use. They do not exploit additional
sensory information that's now appearing in IT systems that would normally allow them to
optimise their impact as a function of their external environment. Remember the "sit and
wait" virus mentioned in one of the presentations - a virus that goes undetected and then
wakes up months later and damages systems. Even that is dumb in that it is not really
autonomous, self-aware and self-adapting. We don't yet have viruses that can run and hide!

But we heard that the majority of really damaging viruses come out of university departments.
And that tells us that new viruses will inevitably become more intelligent, be able to adapt
and evolve, will learn to husband resources, migrate "naturally", and understand their
surroundings, and above all - will learn to optimise their destructive effects.

We also learnt that viruses are part of the emerging "e-war" - the information war. Both
Fabio Ghioni from Telecom Italia and our white-hat hacker Jan Guldentops noted that so far
viruses and hacking in general have not been really evil - but we all know that can't last!

Already today we learned that IT security is a big business cost, with physical protection and
isolation as well as the increasingly centralised management and continuous monitoring and
testing programmes. What we saw is that the effects of viruses are expensive in terms of IT
budget/staff, in terms of company revenues, and in terms of organisations' branding and
marketing. We also saw that people don't want to talk about attacks (successful or
unsuccessful). They deliberately choose not to publicise the damage caused. In addition,
a company's "image" or "brand" is often hijacked, e.g. we have all seen the dubious
applications sending requests or product listings under a hijacked company logo. And still
companies react badly by ignoring this and claiming to be neither morally nor financially
responsible for the damage inflicted.

How would a library or museum react if their brand was hijacked? Our Danish friend Bo
Weymann gave us a first-hand insight into the question. And it was not pretty to hear. Our
friendly hacker Jan Guldentops also stressed this point - but from another perspective. He, and
I think rightly, claimed that there was a place for the ethical tracker. That is not only to probe
weaknesses but also to highlight and publicise those weaknesses, probably through a
recognised pre-declaration procedure.

Throughout the 2-day meeting we had the opportunity to see - in a very practical way - how
some libraries and other institutions are facing up to the security challenge.

What I retained from that was firstly the very broad scale of the efforts made, secondly the
considerable cost that must be associated with that effort, and thirdly the great body of
expertise and skills that have been acquired. Again this effort is understandable - since
libraries, research centres, etc. are high-profile targets, and in some cases are by definition
open locations. We heard that such sites often hold personal data, valuable experimental
results, etc., and sensitive administrative information. We also heard that, perhaps, not enough
is yet done to protect these "back-shop" operations. Again Jan Guldentops highlighted how
easy it still was to find the weakest link and get past 400,000 € of security on the "front door"
by spending 400 € to go through the back door. And another speaker stressed that we are in
the near future going to be faced with a multitude of new challenges - the nomadic user with
his desire for anytime/anywhere access, groups collaborating over different locations, and the
strong move towards a philosophy of openness. The same speaker mentioned that we could
learn from the world of GRIDs in their attempt to foster good security by making it easy.
Sounds simple - but it's true today that security measures are still far too complex, costly and,
let's face it, "high tech". What the GRIDs approach offers for the future is easy cryptography
along with a fine-grained control of access rights.