How Sarbanes-Oxley changed the information security profession


This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."



8 More Security Stars

REBECCA BACE Spurred on by Dorothy Denning's work around intrusion detection, Rebecca Bace took the ball and ran with it. Bace published Intrusion Detection in 2000, which encapsulates the history of intrusion detection research, defining the concepts that make up intrusion detection, analyzing non-commercial IDS and examining the legal issues of monitoring traffic and systems. Bace is a former senior electronics engineer for the National Security Agency and founder of network security consultancy Infidel. She helped connect early network security researchers with the federal government and collaborated with the FBI on a manual for computer crime investigations. At the NSA, Bace fought for funding for programs that did some of the initial work in intrusion detection and helped build academic research programs at UC-Davis and Purdue. She is also a faculty member at the Institute for Applied Network Security and still moderates the Network Security Forum, a professional development initiative for senior information security managers. Her name also appears on some of the seminal books around intrusion detection and network security. Aside from Intrusion Detection, Bace's FBI collaboration produced A Guide to Forensic Testimony, a book she co-authored with Fred Smith. She also wrote the Intrusion Detection Special Publication for the National Institute of Standards and Technology (NIST), which is known as NIST SP 800-31. Another Bace writing credit is the chapter on intrusion detection and vulnerability assessments that appears in the Computer Security Handbook, Fourth Edition, which was written in 2002.


GENE SPAFFORD His friends call him Spaf. To those who have studied under him or admired his achievements from afar, Gene Spafford is perhaps the premier mind in information security. Founder of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University, Spafford has established an infosecurity think tank that is setting the standard for study in risk management, security awareness, architecture, network security, incident detection and response, authentication and privacy, and rights management. CERIAS, like Information Security, is in its 10th year.

"I was looking back 10 years ago; there were only four university centers and we were producing two or three Ph.D.s a year in the field. Now arguably there's probably 20 research centers--one or two the size we are--and we're producing as many as 25 Ph.D.s, which is a quarter of the nation's output," Spafford says. "So that's a big change, but it's still way too small, by at least an order of magnitude, of producing the kind of expertise we need to deal with today's threats."

Business and government still don't take information security seriously enough to invest in it, Spafford says, and that has to shift rapidly. He notes Microsoft's commitment to security via Trustworthy Computing as an adequate start, but other vendors need to get with it, as well as the government.

"We still don't have enough people who are trained; we don't have enough people at higher levels taking threats seriously," Spafford says. "A sustained investment early is required to make a difference in the long run."

Spafford says he is most proud of CERIAS, which in 1998 started off with four faculty members and two graduate students. Today, there are 82 faculty members and 80 grad students.

"The biggest contribution that I personally view here is moving forward to establish a sound base of science education and policy in this arena," Spafford says. "The stuff we've been producing here as a community, and that we've been able to help other schools get their programs started, and that we've served as a resource to keep people honest about what can and cannot be done, I would view that as probably my biggest contribution."


Hear the complete interview with Spaf at searchsecurity.com/10thanniversary.


This was first published in January 2008
