Saturday, June 15, 2024

Using Security White Papers Effectively

Documenting what we know remains a challenge in the computer security profession.
Various resources exist: the Internet, web pages on intranets, articles, email,
and technical white papers. White papers are probably the most formal method,
and they have the advantage of wide dissemination. These documents usually
speak to a specific issue in depth. The quality of coverage, though, varies
from paper to paper.

Here’s a sampling of titles from the Mind Share Systems, Inc. website:

  • “Coping with the Threat of Computer Security Incidents: A Primer from
    Prevention through Recovery” by Russell L. Brand

  • “An Architectural Overview of Unix Network Security” by Robert
    B. Reinhardt

  • “Unix Password Security” by Walter Belgers

The practical questions to ask about security white papers revolve around their
effectiveness. When should I use them? What benefits do they provide? How
can I judge their validity and reliability?

Using White Papers

When facing a new challenge — perhaps you are new to Unix and Unix security
issues — reading “Unix Password Security” saves a great deal of time.
Cutting straight to the main issues eliminates much tedious introductory material
found in textbooks. Or, if you are installing a bastion host for the first time,
a paper may provide step-by-step instructions.

Or you may simply desire a
broad overview or perspective on a topic. For example, attending a technical
seminar or business meeting on a new topic may prompt doing some homework in

Then the white paper’s two main functions are to save time in absorbing new
information, and to act as a checklist in undertaking new procedures. So close
reading of the paper takes place at two levels. First, you read for knowledge
or understanding. And second, you judge the reliability and validity of the
paper’s information. If the work being done is mission- or safety-critical,
then evaluating the reliability and validity of the material becomes vital.

Reading for Knowledge

We live under a torrent of data, but data is not knowledge. Only when data
is placed in a proper context does it become more than a curiosity. The writer
creates context through aids to the reader. These aids include good organization
of the material, internal hyperlinking, and external ties or pointing to other

Good organization could be an outline at the beginning of the white
paper. Then, each major division in the outline equates to a section in the
paper. Ideally, the document will be web pages so that each item in the outline
hyperlinks to its section in the paper’s main body. With information changing
at a ferocious pace, web pages, easily updated, modular in organization, and
internally referenced, provide flexible, current communication.

While the specific topics will vary according to the subject, an ideal sequence
in a paper would be:

  1. Statement of the Problem

  2. Alternative Solutions

  3. The Preferred Method

  4. Troubleshooting or Implementation Steps

  5. Other Sources for Information

Pointing to other materials not only gives the reader additional resources
but also helps the reader update the material. External hyperlinks afford different,
and hopefully, timely perspectives on the paper. If the author cannot update
the paper directly, an external link to his or her website (or email address)
gives the reader opportunities to obtain current information.

Establishing Reliability and Validity

Perhaps the most important hallmark for reliability is the white paper’s date.
Papers should supply an initial creation date and the date of the last revision.
Ideally, the information should be posted right at the top of the article.
And, preferably alongside the date, the author’s name and brief biographical
data should appear. “John Jones, Ass’t Professor, Computer Science, Caltech”; or “Bob Peters, Network Engineer, Cisco Systems,” for example,
at least give us some idea of the author’s qualifications. We
need to ask, “Is the paper from a reliable, knowledgeable source?”

Of course, references in the paper’s body and bibliography to recognized sources
establish reliability further. (How dependable is the information? What is
the track record of the source?) Look for recognized citations like “CERT
Advisory CA-2001.03, VBS/OnTheFly (Anna Kournikova) Malicious Code” or
“Guide to Handling a Worm Virus Attack on Microsoft Exchange Server 5.5.”
Always consider the background and reputation of the source. What makes them
knowledgeable and authoritative about the issues involved?

Validity, how well the information corresponds to reality, rests upon the author’s
ability to recognize real-world problems. Does the paper’s author understand
only academic perspectives? Are only best-case scenarios considered?

Or, does the author admit where he or she could be uncertain? Does the author
recognize logical flaws or questionable assumptions? Are caveats supplied to
warn you about pitfalls? And, does the author discuss both the advantages and
disadvantages of a particular course of action or procedure? Most important,
does the author avoid questionable claims or outlandish statements? Terms like
“absolute security,” “impregnable,” “foolproof,”
and “total protection” should raise a skeptical eye. Real security
exists at differing degrees of insecurity, not at absolute levels.

This balanced approach can be very important, especially when doing mission-critical
work. If you want recent examples, read the technical papers of Bruce Schneier
or his latest book, Secrets and Lies. He rarely loses sight of real-world concerns when discussing computer security.

Finally, don’t be afraid to check the validity of links and works cited in
the paper. Don’t forget Professor Kingsfield’s warning to his students in the
television show The Paper Chase, “Not all answers are found in
books!” Call knowledgeable people and associates for their opinions and
perspectives on the paper. They can be a real safety net when you are doing
vital, critical work.


Mind Share Systems, Inc. White Papers

Pollard’s Security Index

“The Art of Good Security Writing,” by Ronald L. Mendell

Microsoft Security White Papers

“Guide to Handling a Worm Virus Attack on Microsoft Exchange 5.5.”

CERT CA-2001.03

Bruce Schneier, Secrets and Lies, John Wiley & Sons, Inc.,
