Dorothy Denning on infosec and physical security
Dorothy Denning is one of the world’s leading information
security experts. She has testified before US Congress on encryption
policy and cyber-terrorism, and has served in leadership and advisory
positions with US government agencies and private sector companies.
She has published 120 articles and four books, the most recent being
Information Warfare and Security. She is currently a professor
in the Department of Defense Analysis at the US Naval Postgraduate
School in California.
Earlier this year (ISC)² gave her the 2004 Harold F. Tipton
Award in recognition of her outstanding information security career.
Patricia Gilmore, (ISC)²’s board vice president and
awards committee chairman commented: “Dr. Denning is a pioneer
in the science of cryptography and an expert in information warfare.
She has made many significant contributions to the field of information
security as an author, professor and researcher, and (ISC)²
is pleased to recognize her many accomplishments with our most prestigious
award.”
Brian McKenna spoke to Dr. Denning at the time of the award.
You currently work at the US Naval Postgraduate School.
Do you think there is a lot that civilian information security professionals
can learn from the military?
Classified information standards are much higher than is generally
necessary, so there is a limit. But I have, for example, recently
been working a lot in the area of deception. The military have been
doing that kind of thing to protect the security of their information
for a long time. We are starting to see ideas from that coming into
computer security — with honeypots, for example. I’ve
written some things in that area.
In general, do you think infosec professionals can learn
things from the physical security world?
We have a different attitude in information security, which is
that everything has to be perfect. When you are in the virtual environment,
if someone has an attack tool, a lot of systems can be compromised.
In the physical world you can’t go around picking all the
locks in the world.
So, in the physical world we accept that things cannot be foolproof.
You don’t want to be locked out! But in the infosec world
we haven’t taken that view.
Another contrast is that locksmiths have a tradition of keeping
the knowledge of how to pick locks rather secret, within their own
community. In the virtual world you get all this publishing of vulnerabilities.
That raises a lot of difficult issues. You’ve got to stop
at some point; you cannot fix all the vulnerabilities after all.