Bruce FormanBy John McCormick | Posted 2006-05-15 Email Print
Five top computer security experts offer advice on pervasive computing, ever-more-sophisticated hacker attacks, and corporate security resources.
Director of Information Security, Genesis HealthCare
1 - How does the notion of pervasive computing (where computers are deeply integrated throughout a corporate environment rather than being distinct objects) impact security and privacy?
Pervasive, or ubiquitous, computing impacts security and privacy in several ways. From the perspective of securing these devices, managing vulnerabilities and implementing code fixes to correct these vulnerabilities become problematic. Maintaining privacy becomes difficult when computing is pervasive, primarily because individuals will have difficulty determining which of their activities are being tracked. RFID technology can be utilized to track products from manufacturer through sale and use.
2 - Would a more proactive approach to security—working to ensure that stronger software security is built into applications—work any better than the reactive approaches, such as patches and external software safeguards?
External software safeguards and patches are Band-Aids. They don't necessarily address all of the weaknesses of the software. Vulnerabilities exist in code from the time that the code is written; patches are only created at the point in time that vulnerability is discovered.
It would be great if stronger security were built into software products initially, and some companies such as Microsoft have made great strides in this area. However, as code becomes more and more complex, the likelihood of introducing vulnerabilities increases. The level of testing required to identify more of the existing vulnerabilities in code may become prohibitive, and we as consumers are constantly demanding more features and functions and are not as concerned, as evidenced by what we agree to pay for, about the security of the software. So, why should the software vendors change?
3 - How satisfied are you with the effort software vendors are putting into delivering more secure products? Do you see the quality of the security built into software products getting better or worse?
As I noted above, as complexity increases, so does that likelihood of increased vulnerabilities. Code is getting more complex; therefore, products likely are less secure.
4 - Do corporations today have the financial and human resources they need to protect their computing environments?
Financial and human resources are always tight, but the reality is that securing computing environments is a cost of doing business. It enables companies to do business in ways that would have been too risky without applying the appropriate security controls.
5- What are the top two or three things a modern enterprise can do to properly manage security risk?
1. Perform a risk assessment; rank the findings by level of risk and develop a plan to either address or accept each identified risk.
2. Implement a security awareness program to teach employees the basic security requirements that they need to understand.
3. Establish processes and procedures for granting or revoking system access, and for monitoring system and network security.