By John McCormick  |  Posted 2006-05-15

Are software makers doing enough to secure their products? Are chief information and security officers getting the resources they need? And how are companies going to protect pervasive computing environments? Baseline e-mailed these and other questions to some of the nation's top security experts. Here's what they said:


Matthew M. Speare
Group Vice President, Corporate Information
Security Officer, M&T Bank

1 - How does the notion of pervasive computing (where computers are deeply integrated throughout a corporate environment rather than being distinct objects) impact security and privacy?

Pervasive computing provides new challenges to security and privacy. Organizations must thoroughly examine how they control rights to sensitive information resources and limit the ability to conduct common tasks such as printing, attaching and e-mailing. Digital Rights Management, a methodology to allow users to define these parameters for information resources, will require a cultural change and enhanced understanding of personal responsibility and accountability for information rights, yet provides the best opportunity to mitigate the risks associated with pervasive computing.

2 - Would a more proactive approach to security—working to ensure that stronger software security is built into software applications—work any better than the reactive approaches, such as patches and external software safeguards?

Proactive security is a more sustainable model than reactive security for providing reliable, secure application services. This is not to discount the additional requirement for monitoring and response, which will continue to be absolutely necessary for secure computing.

The greatest hurdle to achieving this proactive model is to require software vendors to adhere to security standards based on a common model. Unfortunately, until customers speak with their wallets concerning unsecured applications, there is little economic incentive for software providers to change.

3 - Do you think computer attacks are getting more sophisticated or less sophisticated? Why?

Attacks are becoming more sophisticated and financially driven.

The overall sophistication of viruses continues to lapse, while we have seen the rise of incredibly complex malware infestations that are economically driven.

4 - Do corporations today have the financial and human resources they need to protect their computing environments?

You can never have enough. However, organizations need to balance the need for resources against the risk to their environments and take prudent steps to mitigate the risks appropriately.

5 - What are the top two or three things companies can do to manage security risks?

1. Assess the risks to understand which threats pose the greatest likelihood of harm.

2. Mitigate the high-probability, high-impact risks first and then continue to work down the list.

3. Measure the effects of your mitigation solutions and modify your plan in response to a changing threat environment.

Bruce Schneier
Founder and CTO, Counterpane Internet Security

1 - Would a more proactive approach to security—working to ensure that stronger software security is built into applications—work any better than the reactive approaches, such as patches and external software safeguards?

Of course. It's the only possible approach. The notion that we can write lousy software, throw it out into the world and then patch it later has failed. It doesn't work. We need to write more secure software from the beginning.

2 - How satisfied do you think corporate CIOs and CSOs are with the effort their software vendors are putting into delivering more secure products? Do you see the quality of the security built into software products getting better or worse?

Most software vendors aren't putting much effort into delivering more secure products, so I hope CSOs are unsatisfied.

It's a slow process. Five years ago, Microsoft made a commitment to more security in their products, and we're just now seeing significant improvements from that. And they've got a long way to go.

My hope is that CSOs force software vendors to take security more seriously.

It's always easier to write a press release than to change engineering practices, and unless there is market pressure, software vendors will continue to do that.

3 - Do you think computer attacks are getting more sophisticated or less sophisticated? Why?

Computer attacks are getting more sophisticated, of course. Everything about computers is always getting more sophisticated—CPUs, operating systems, networks, e-mail, word processors—and computer attacks are no exception.

4 - Do corporations today have the financial and human resources they need to protect their computing environments?

Corporations certainly have the financial resources; it's just a question of proper risk management.

I have long thought that corporations are spending about the right amount of money on security, but they're spending it very badly.

Human resources are a much bigger problem, but that's why security outsourcing is such a big business these days. Corporations need to learn to outsource the skills they don't have internally.

5 - What are the top two or three things a modern enterprise can do to properly manage security risk?

The first is to understand the risks, to pay attention. Network security is a business risk, and needs to be treated as such.

And the second is to work to mitigate that risk. These are general recommendations instead of specific ones, but that's the way it should be. Network technologies are all the same, but business risks are specific to the business. And look to Managed Security Services companies for the expertise you don't have.

Bruce Forman
Director of Information Security, Genesis HealthCare

1 - How does the notion of pervasive computing (where computers are deeply integrated throughout a corporate environment rather than being distinct objects) impact security and privacy?

Pervasive, or ubiquitous, computing impacts security and privacy in several ways. From the perspective of securing these devices, managing vulnerabilities and implementing code fixes to correct these vulnerabilities become problematic. Maintaining privacy becomes difficult when computing is pervasive, primarily because individuals will have difficulty determining which of their activities are being tracked. RFID technology can be utilized to track products from manufacturer through sale and use.

2 - Would a more proactive approach to security—working to ensure that stronger software security is built into applications—work any better than the reactive approaches, such as patches and external software safeguards?

External software safeguards and patches are Band-Aids. They don't necessarily address all of the weaknesses of the software. Vulnerabilities exist in code from the time that the code is written; patches are only created at the point in time that vulnerability is discovered.

It would be great if stronger security were built into software products initially, and some companies such as Microsoft have made great strides in this area. However, as code becomes more and more complex, the likelihood of introducing vulnerabilities increases. The level of testing required to identify more of the existing vulnerabilities in code may become prohibitive, and we as consumers are constantly demanding more features and functions and are not as concerned, as evidenced by what we agree to pay for, about the security of the software. So, why should the software vendors change?

3 - How satisfied are you with the effort software vendors are putting into delivering more secure products? Do you see the quality of the security built into software products getting better or worse?

As I noted above, as complexity increases, so does the likelihood of increased vulnerabilities. Code is getting more complex; therefore, products likely are less secure.

4 - Do corporations today have the financial and human resources they need to protect their computing environments?

Financial and human resources are always tight, but the reality is that securing computing environments is a cost of doing business. It enables companies to do business in ways that would have been too risky without applying the appropriate security controls.

5 - What are the top two or three things a modern enterprise can do to properly manage security risk?

1. Perform a risk assessment; rank the findings by level of risk and develop a plan to either address or accept each identified risk.

2. Implement a security awareness program to teach employees the basic security requirements that they need to understand.

3. Establish processes and procedures for granting or revoking system access, and for monitoring system and network security.

Gary McGraw
Chief Technology Officer, Cigital

1 - How does the notion of pervasive computing (where computers are deeply integrated into the environment rather than being distinct objects) impact security and privacy?

Pervasive computing will likely be the most significant challenge for information security over the next decade. The idea of objects as computers, as opposed to computers as separate devices, means that computers will be embedded in surprising and interesting places—and interaction with computers will be almost unavoidable. This poses a challenge for information security, which incidentally seems to have its hands full with the much simpler and yet almost unworkable model of computers as separate entities that you can somehow cordon off from each other.

Think about how easy it is to misplace or completely lose your cell phone. What are the security implications of that? Now multiply that by gazillions of little embedded gizmos, and you get an inkling of the challenge we face.

2 - Will a more proactive approach to security, built around building security in, work any better than the reactive approaches of the past?

One would hope. These days, it seems that most normal people have an implicit sense of security that may not be justified. They count on security that just isn't there. The best way to address this disconnect is to build things—systems, devices, software, etc.—that do have security built in. Note that I don't mean security features like cryptography, but rather the ability to withstand intelligent, coordinated attack from an adversary.

In any case, I think it is pretty clear that a reactive approach to security is not working. The notion of protecting the "chewy middle" from the sharp teeth of the circling wolves is simply wrong. We need to build systems that defend themselves, with our mind clearly focused on the bad guy.

I hold out great hope for software security, a field I have been very active in bootstrapping. We're busy identifying and codifying simple best practices that all software practitioners should adopt. Common sense for software: The time has come.

3 - What impact will Trusted Computing—an initiative, backed by a number of companies, to develop and promote open, vendor-neutral, industry-standard specifications for improving software building blocks and software interfaces across multiple platforms—have on computer security and user privacy?

The ancient Chinese curse is upon us: "May you live in interesting times." Trusted Computing could rescue us from the uncertainty of relying on "turtles all the way down" for trust. After all, we don't really know where trust starts on most of our machines today. Trusted Computing could help with that problem.

But Trusted Computing is a double-edged sword. For if your computer has security hardware that is "trustworthy" built right into it, the real question to ask is, who is that hardware worthy of trust to? A giant corporation? A digital oligarchy? Hollywood? The record industry? You?

We have to be very careful when trading off personal liberty for a sense of security. Trusted Computing is by no means a no-brainer. It's rather a [case of] "look before you leap." The jury is out and a raging debate is necessary.

4 - Do corporations today have the financial and human resources they need to protect their computing environments?

Some corporations are investing heavily in software security, in security engineering, and in security as a proactive discipline. To be sure, they are coming up short when it comes to human resources, but they are working like the dickens to solve that problem. For them, money is not an issue, because this is a question of risk management. I work with these people every day. Other corporations are stuck in the swamp of never-ending reactive security—buying endless stacks of network security pizza boxes from clueless vendors. These guys are not going to make it to the next level.

5 - What are the top 5 things that a modern enterprise can do today to properly manage security risk?

1. Start thinking about software security.

2. Assess your software risk.

3. Understand who poses a threat to your business.

4. Do something sane to manage security risk from a business perspective.

5. Find some excellent software security people and get them on staff.

Scott K. Davis
Manager, Network Security, T. Rowe Price Investment Technologies

1 - How does the notion of pervasive computing (where computers are deeply integrated throughout a corporate environment rather than being distinct objects) impact security and privacy?

The biggest challenge has become the mobility of computers and data. The laptop, PDA, BlackBerry, USB drive, etc., all have greatly increased the risk to corporate assets and the data that resides on these assets. As the workforce has become mobile, trying to keep up with securing these devices has become difficult. In addition, as the storage capacity increases, the amount of data at risk does as well.

2 - Would a more proactive approach to security work any better than the reactive approaches, such as patches?

Yes, a more proactive approach to security would reduce long-term security efforts. Building security into software applications would, over time, develop more secure applications, reducing the risk of software vulnerabilities. The individual efforts of software developers to develop secure applications are much less than the enormous effort needed to address the constant flood of software vulnerabilities. The layers of security devices, and the system administration and coordination required to deal with the numerous application security issues, are a drain on valuable resources.

3 - How satisfied are you with the effort software vendors are putting into delivering more secure products?

I definitely believe there is a much greater awareness, and efforts have been put into trying to reduce the overall problem. However, I still think the software companies have a long way to go. The standard answer is still patch, patch, patch. Also, layer upon layer of security software—virus scanners, spyware removers, personal firewalls. Each addresses different issues, but is still part of the larger issue. Until there are fundamental changes in the consumer and business worlds to demand secure products, companies will still do the minimum they can to get their product to market.

Computer attacks have evolved over the past decade to be much more sophisticated. If you look at early viruses, they were a nuisance; they altered or destroyed data on your computer. As viruses and network worms evolved, they moved up the ladder to affect servers and network devices. Now, they are targeting the central computing resources of entire companies rather than individual computers. Now, with the rise of phishing, spyware and identity theft, the threats are using multiple vectors and methods to attack large-scale populations, harvesting personal data. The people behind the attacks have changed as well; they have evolved from the hacker looking for notoriety to organized criminals running a business whose purpose is to defraud the general public.

4 - Do corporations today have the financial and human resources they need to protect their computing environments?

Generally, I do not think so. Computer security in the corporate world has gone largely underfunded from a capital and human perspective. The security group within many companies has evolved out of the user provisioning world, setting up authentication and authorization, providing application security such as single sign-on, managing the security infrastructure, firewalls and IDS, etc. In many cases, these functions are not even under a single department; they are scattered around in various areas.

There has been a greater awareness in companies of the need for a central security organization and what roles and responsibilities are required. As companies have seen the effect of security incidents on their bottom line, their name in the press and reputation losses, they have realized the true value of security. I still believe that as these incidents increase and the security industry matures and evolves, security spending will increase and larger security organizations will become part of the cost of doing business.

5 - What are the top two or three things a modern enterprise can do to properly manage security risk?

1. Defense in depth. Apply multiple layers of security. It has been proved time and time again that by implementing layered security, you reduce the risk and decrease your exposure to loss.

2. Make security a fundamental part of doing business. Whether it is in the applications that a company uses or develops, or in the way it conducts business, lack of security has a cost associated with it and those costs are on the rise.

3. Education and awareness. Make sure your employees are aware of the threats and risk to the company, make sure they understand each person's role in keeping the company secure, and make sure everyone understands the consequences if good security practices are not followed.