Column
The enemy is us
Jay Heiser
[email protected]
The rapid introduction of new technology is making the infosecurity job more complex. As we all know, complexity leads to instability, and instability to vulnerability. Here’s what to do.
Cartoonist Walt Kelly cleverly expressed political insights through the furry mouths of ’gators, ’possums and ’coons that lived in a remote Georgia swamp. Pogo, his spikey-haired lead character, most memorably commented, “We have met the enemy, and he is us.”
Today, that same enemy is building an increasingly frail digital electronic infrastructure, and we’re eagerly using it for a growing number of critical economic and social functions. As Pogo suggested, humans tend to ignore the downside of rapid development. In the digital world, the more complex a network, and the greater the functionality of the devices on it, the more vulnerable it is. Isolated and even cascading failures are inevitable. With massively interconnected grid networks now in planning, are we sowing the seeds of a digital disaster? The answer to that requires a deeper look at both the evolving nature of IT vulnerabilities and attacks against them.
Infosecurity Today July/August 2005
It’s impossible to quantify the losses, but the combination of ubiquitous USB and cheap personal storage is dramatically increasing the amount of valuable corporate data that silently leaks out the door. The phenomenon is not new — 40 years ago the office copier was a boon to employees who wanted personal copies of corporate data, and confidential data has been leaking through the internet for a decade.
When someone in Sales resigns, it is understood that they keep their personal list of contacts (indeed, they were probably hired because they claimed to have lots of contacts). In the days when each sales rep kept their own contact list on paper in their own briefcase, there was little opportunity for departing reps to ‘borrow’ each other’s lists. Today we’ve provided sales reps with USB-enabled laptops connected to global corporate data warehouses. Is there any reason to believe anyone will leave without large amounts of corporate information? Perhaps after 40 years of exponential growth, employee data theft has finally levelled off, but the implications of the current leakage rate are not yet understood. This worry is encouraging exploration of new forms of access control, especially corporate digital rights management. But even if sophisticated new forms of access control can be implemented, they may be only partially effective against external attack.
Complexity breeds vulnerability
Two rapidly changing technologies are increasing vulnerability to external attack. One is the complexity of listening services; the other is the number of ways to connect to those services. For example, the Bluetooth services now running on mobile phones are relatively primitive. They have carefully limited capabilities, and low signal strength limits connectivity. In contrast, Windows-based systems run a rich variety of complex services, all of which are potentially accessible from any other PC on the internet. Consequently, Windows systems suffer from worms; today, mobile phones do not. But as they approach the feature- and connectivity-richness of PCs, mobile phones will find themselves directly in the path of tomorrow’s attack code.
Of all the evolving factors affecting computer security, the growing threat of hostile code is perhaps the easiest to predict. Over two decades, malware has steadily spread faster, grown better at hiding itself, and become more capable of manipulating compromised PCs. Once, it was only hobbyists who experimented with hostile capability. But the appearance of organised and ‘professional’ cybercriminals represents a significant escalation of the threat. It has been only four years since a virus tried (unsuccessfully) to capture the PINs of UBS’s online banking customers.
But cybercriminals keep learning. The potential to make big money (fraud involving identity theft is worth an estimated $50 billion per year) has encouraged new levels of hacking effort. We need to prepare for subtle attack code that slurps up our passwords as we type them, neatly circumventing the supposed protection of SSL.
The response to the increasing problems of both leakage and theftware is to increase explicit control over network connectivity, and especially the end point systems (PCs, laptops, Internet PDAs, vending machines, etc.).
We will still be able to take advantage of all the fancy new technology, and there will continue to be increases in automation efficiency. But the social cost is having a closer relationship with the digital Big Brother. It is already routine for global financial services firms to use sophisticated monitoring systems that look for inappropriate content in email. It is becoming easier to implement similar controls for web traffic and instant messaging.
While we may make the technology effective, we have barely scratched the surface of the human issues involved. Organisations with large amounts of privacy data need to be thinking now about their network content management plan. If they decide against implementing technical controls, they will need to document the decision with evidence that they followed a sound risk analysis process. And if they do go ahead, they need to think about how they will deal with the social fall-out.
Rights rule
So far, enterprise digital rights management remains expensive and awkward, but growing levels of data leakage and legal accountability will encourage suppliers to develop more practical forms of the technology. Most companies will address both the new internal and external threats through the comprehensive management of platforms. As long as attack-resistance depends on being up to date with patches, signatures, and other downloads, there will be a need for automated solutions to ensure that all systems are compliant. Effective update solutions, what Gartner calls network access control, require the interoperation of endpoints with network devices. The market is still waiting for Microsoft and Cisco, which largely control these areas, to deliver on their promises of cooperation.
While we wait, a growing number of non-PC devices is running Windows. This includes medical equipment, factory equipment, and cash registers. Thanks to Windows, such devices now suffer from worms, too. Suddenly IT departments are being told to manage devices that they were never responsible for in the past. Even if such non-traditional IT systems are carefully isolated, if they are attached to an internet protocol network, there will be times when both software and human attackers are able to reach and subvert unpatched devices. Unmanaged devices are becoming a liability that enterprises can no longer afford. The owners and vendors alike of medical and manufacturing systems, smart printers, and electronic point of sale systems are now coming to terms with the need to manage these systems explicitly. This includes the ability to roll out immediate security updates.
All trends indicate that organisations that do not continuously improve their level of device management will find themselves increasingly vulnerable in an ever more hostile world.
About the author
Jay Heiser is vice president and director of research, Gartner Research, and can be reached at [email protected]