Computer Crime Research Center


Conversations in Security

Date: December 02, 2004
Source: Network Computing
By: the CMP team

Security is hard work, exclaimed Bruce Schneier, CTO and founder of Counterpane at the recent CSI-Asia Conference &Exhibition 2004. We’ve gathered in these pages the CSI-Asia speakers’ views on the technology roadmaps, security trends in the coming months, and their thoughts on secure processes.

Computer Associates
We’ve got to start looking at an integrated “network systems, storage, and security management” approach, says Ron Moritz, Computer Associates’s (CA) chief security strategist.

This approach is preferred over getting seven to eight different products from point-solution vendors—a trend that Moritz sees happening.

He recalls that the security market today looked a lot like what the network systems management (NSM) market was 10 years ago, with thousands of solutions available.

“I believe the security world is moving mid-way to end-to-end security suites,” he adds. “Security will be integrated into enterprise infrastructure management to become ‘network systems, storage, security management’.

We’re two to three years out from this, and from a recognition that security is like any business process you do.”

CA provides three broad categories of security products: security of exclusion, covered under eTrust Threat Management; security of inclusion, under Identity and Access Management; and security of accountability, covered by Security Information Management.
Its strategy is to take security elements like antivirus, spyware, anti-spam, Web filtering, and “sell them as a single secure content management platform, rather than different products,” says Moritz.

Given this trend, Moritz believes startups that specialise in a niche security technology area, such as phishing, spyware, and spamware, will become acquisition targets.

“The days of startups becoming big security standalone companies are over,” he ventures. “You will see innovations but none of the classic disruptive technologies.”

As CA works on its security software, it is also making sure it develops secure software—a more effective way to stall cyber-crime.
To get secure software, Moritz says that an overhaul of current software engineering mentality and practices is necessary to improve software quality and security.

Within CA, some developer groups are focused on extreme programming—they write the test kits to test the software, even before the first line of code is written—and then extend these kits to other groups in CA.

“We’re doing by group. My group is developing internal white papers encapsulating best ideas from the groups,” adds Moritz. “The key driver is the need to capture and publish these because customers are asking us what we’re doing to deliver secure products.” — Jorina Choy

Symantec believes there will be a shift towards integrated security appliances over the next 12 months.

Linda McCarthy, executive security advisor for the office of the CTO, Symantec, says the reason is companies find it difficult managing many appliances.

“It used to be that you could just put a firewall up to protect yourself, but today, the amount of different technology needed to protect an enterprise is staggering,” she elaborates. “There’s virus protection, intrusion prevention, policy management, and a whole lot of appliances and devices to manage. End-users are telling us enough is enough; we don’t have the time to properly manage them anymore.”

However, she does not think there will be one security appliance that can do it all. “That would be nice! But such a silver bullet is a pretty tough thing to do; you are talking about a lot of different things in one product and some companies just do not need all that.”

McCarthy also believes that security is difficult for some companies and will not be possible for them to handle it all. Hence, she believes security outsourcing will be on the agenda of security professionals in the near future.

“But whether the company should outsource everything or not would depend on what they want and the company’s culture,” she adds.
As for product development cycles always being behind the latest threats, McCarthy says that companies should start thinking a few steps ahead of hackers.

This can be done by better understanding their networks and operating systems, and proactively seeking out the possible vulnerabilities within.

“Start forming teams with the aim of hunting down vulnerabilities; probe and think about what can bring your business down, and then protect the company against that,” McCarthy advises. — Sng Chee Khiang

Cisco Systems
Cisco Systems’ direction for the next year sees a continuance in the development of “self-defending networks”, says Bernie Trudel, security consultant, Asia-Pacific, Cisco Systems.

The company will focus on automating protection via a proactive approach to security, using techniques like “scrubbing” to identify and eliminate traffic associated with DDoS attacks.

Trudel says that three main features ought to be present in a security product: detection; policy decisions based on what is detected; and enforcing the policy. He adds that these activities would be spread throughout a self-defending network.

“What you are going to see from Cisco is more and more of our network products having self-defending mechanisms in them,” says Trudel. “Our network products will have the ability to detect attacks, and also have the ability to enforce policies against these attacks.”
Worms will continue to dominate in the next year, exploiting vulnerabilities even faster than today. Trudel believes that there will be more sophisticated social engineering attacks, such as phishing.

While worms have so far been used to wreak havoc or farm botnets, Trudel was also concerned that they may, in the future, have damaging payloads, such as the ability to erase disk drives.

Stating that security is more than just technology, Trudel underscores the importance of putting processes in place and having best practices, as well as increasing user awareness of security. “Users have to become more paranoid about how they use the Internet, about responding to unsolicited e-mail,” he says.

Coupled with technology, these processes can help protect organisations against the latest threats in the long run, offers Trudel.
Deploying technology, he stresses, is not about finding a silver bullet to solve security problems, but about putting multiple layers of defence in place. He believes that in five to ten years, we will see a greater integration of best practices and processes with technology into operating systems, applications, and networks. A result of the benefit of the experience of past users. — Jeffrey Lim

Computer Security Institute
If you are thinking of implementing radio frequency identification (RFID) technology within your organisation and have yet to consider the security implications, you could be treading on dangerous ground.
Issuing this warning was John O’Leary, director of education at the Computer Security Institute (CSI).

He points out that RFID involves the access of information wirelessly, and thus should be subject to the same concerns associated with other types of wireless technologies.

This is even more crucial as the usage of RFID technology extends into areas such as air ticketing, toll collection, physical access control, electronic article surveillance, animal identification, and even waste disposal. “RFID chips, in the billions, will generate mountains of information. How do we protect the information? What do we share with trading partners? And what do we do with all the RFID chips we generate?” he posits.

Business rules will be needed to manage and direct the flood of information. RFID technology is also liable to malfunction or be subject to misuse, so organisations have to prepare to handle such problems should they arise. For instance, people with malicious intent could use immobilisers to disrupt delivery fleets causing damage to the organisation, says O’Leary.

Encrypting the data transmitted could be one way to prevent outsiders from accessing the information.

One would have to balance the cost of encryption, infrastructure, and operation against the value of the information that is being protected as well. If there is information to be protected, who should then be in charge, asks O’Leary.

“The business manager responsible for the application for which RFID is being implemented must be involved in the discussion of protecting RFID data and its metadata.

Likewise, the information security manager must be involved in selecting the methods to secure what the business manager deems necessary,” he advises.

Users definitely have to start thinking about security as well, if RFID implementation is on the cards. Organisations could bear the impact of regulatory and legal infringements, if they fail to adequately protect information. “You don’t want to be made a business case study of how to do it wrong,” O’Leary quips....
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo