Using Security White Papers Effectively

White papers can help you prepare for a business meeting, execute mission-critical tasks, or corroborate your existing information with a second or third source. But how can you quickly determine the reliability and usefulness of any given white paper?
Documenting what we know remains a challenge in the computer security profession. Various resources exist: the Internet, web pages on intranets, articles, email, and technical white papers. White papers are probably the most formal method, and they have the advantage of wide dissemination. These documents usually speak to a specific issue in depth. The range varies though with respect to the quality of coverage.

Here's a sampling of titles from the Mind Share Systems, Inc. website:

  • "Coping with the Threat of Computer Security Incidents: A Primer from Prevention through Recovery" by Russell L. Brand

  • "An Architectural Overview of Unix Network Security" by Robert B. Reinhardt

  • "Unix Password Security" by Walter Belgers

The practical questions to ask about security white papers revolve around their effectiveness. When should I use them? What benefits do they provide? How can I judge their validity and reliability?

Using White Papers

When facing a new challenge — perhaps you are new to Unix and Unix security issues — reading "Unix Password Security" saves a great deal of time. Cutting straight to the main issues eliminates much tedious introductory material found in textbooks. Or, if you are installing a bastion host for the first time, a paper may provide step-by-step instructions.

Or you may simply desire a broad overview or perspective on a topic. For example, attending a technical seminar or business meeting on a new topic may prompt doing some homework in advance.

Then the white paper's two main functions are to save time in absorbing new information, and to act as a checklist in undertaking new procedures. So close reading of the paper takes place at two levels. First, you read for knowledge or understanding. And second, you judge the reliability and validity of the paper's information. If the work being done is mission- or safety-critical, then evaluating the reliability and validity of the material becomes vital.

Reading for Knowledge

We live under a torrent of data, but data is not knowledge. Only when data is placed in a proper context does it become more than a curiosity. The writer creates context through aids to the reader. These aids include good organization of the material, internal hyperlinking, and external ties or pointing to other resources.

Good organization could be an outline at the beginning of the white paper. Then, each major division in the outline equates to a section in the paper. Ideally, the document will be web pages so that each item in the outline hyperlinks to its section in the paper's main body. With information changing at a ferocious pace, web pages, easily updated, modular in organization, and internally referenced, provide flexible, current communication.

While the specific topics will vary according to the subject, an ideal sequence in a paper would be:

  1. Statement of the Problem

  2. Alternative Solutions

  3. The Preferred Method

  4. Troubleshooting or Implementation Steps

  5. Other Sources for Information

Pointing to other materials not only gives the reader additional resources but also helps the reader update the material. External hyperlinks afford different, and hopefully, timely perspectives on the paper. If the author cannot update the paper directly, an external link to his or her website (or email address) gives the reader opportunities to obtain current information.

Establishing Reliability and Validity

Perhaps the most important hallmark for reliability is the white paper's date. Papers should supply an initial creation date and the date of the last revision. Ideally, the information should be posted right at the top of the article. And, preferably alongside the date, the author's name and brief biographical data should appear. "John Jones, Ass't Professor, Computer Science, Caltech"; or "Bob Peters, Network Engineer, Cisco Systems," for example, at least give us some idea of the author's qualifications. We need to ask, "Is the paper from a reliable, knowledgeable source?"

Of course, references in the paper's body and bibliography to recognized sources establish reliability further. (How dependable is the information? What is the track record of the source?) Look for recognized citations like "CERT Advisory CA-2001.03, VBS/OnTheFly (Anna Kournikova) Malicious Code" or "Guide to Handling a Worm Virus Attack on Microsoft Exchange Server 5.5." Always consider the background and reputation of the source. What makes them knowledgeable and authoritative about the issues involved?

Validity, how well the information corresponds to reality, rests upon the author's ability to recognize real-world problems. Does the paper's author understand only academic perspectives? Are only best-case scenarios considered?

Or, does the author admit where he or she could be uncertain? Does the author recognize logical flaws or questionable assumptions? Are caveats supplied to warn you about pitfalls? And, does the author discuss both the advantages and disadvantages of a particular course of action or procedure? Most important, does the author avoid questionable claims or outlandish statements? Terms like "absolute security," "impregnable," "foolproof," and "total protection" should raise a skeptical eye. Real security exists at differing degrees of insecurity, not at absolute levels.

This balanced approach can be very important, especially when doing mission-critical work. If you want recent examples, read the technical papers of Bruce Schneier or his latest book, Secrets and Lies. He rarely loses sight of real-world concerns when discussing computer security.

Finally, don't be afraid to check the validity of links and works cited in the paper. Don't forget Professor Kingsfield's warning to his students in the television show The Paper Chase, "Not all answers are found in books!" Call knowledgeable people and associates for their opinions and perspectives on the paper. They can be a real safety net when you are doing vital, critical work.


Mind Share Systems, Inc. White Papers

Pollard's Security Index

"The Art of Good Security Writing," by Ronald L. Mendell

Microsoft Security White Papers

"Guide to Handling a Worm Virus Attack on Microsoft Exchange 5.5."

CERT CA-2001.03

Bruce Schneier, Secrets and Lies, John Wiley & Sons, Inc., 2000.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.