Gary McGraw

By John McCormick Print this article Print

Five top computer security experts offer advice on pervasive computing, ever-more-sophisticated hacker attacks, and corporate security resources.

Gary McGraw
Chief Technology Officer, Cigital

1 - How does the notion of pervasive computing (where computers are deeply integrated into the environment rather than being distinct objects) impact security and privacy?

Pervasive computing will likely be the most significant challenge for information security over the next decade. The idea of objects as computers, as opposed to computers as separate devices, means that computers will be embedded in surprising and interesting places—and interaction with computers will be almost unavoidable. This poses a challenge for information security, which incidentally seems to have its hands full with the much simpler and yet almost unworkable model of computers as separate entities that you can somehow cordon off from each other.

Think about how easy it is to misplace or completely lose your cell phone. What are the security implications of that? Now multiply that by gazillions of little embedded gizmos, and you get an inkling of the challenge we face.

2 - Will a more proactive approach to security, built around building security in, work any better than the reactive approaches of the past?

One would hope. These days, it seems that most normal people have an implicit sense of security that may not be justified. They count on security that just isn't there. The best way to address this disconnect is to build things—systems, devices, software, etc.—that do have security built in. Note that I don't mean security features like cryptography, but rather the ability to withstand intelligent, coordinated attack from an adversary.

In any case, I think it is pretty clear that a reactive approach to security is not working. The notion of protecting the "chewy middle" from the sharp teeth of the circling wolves is simply wrong. We need to build systems that defend themselves, with our mind clearly focused on the bad guy.

I hold out great hope for software security, a field I have been very active in bootstrapping. We're busy identifying and codifying simple best practices that all software practitioners should adopt. Common sense for software: The time has come.

3 - What impact will Trusted Computing—an initiative, backed by a number of companies, to develop and promote open, vendor-neutral, industry-standard specifications for improving software building blocks and software interfaces across multiple platforms—have on computer security and user privacy?

The ancient Chinese curse is upon us: "May you live in interesting times." Trusted Computing could rescue us from the uncertainty of relying on "turtles all the way down" for trust. After all, we don't really know where trust starts on most of our machines today. Trusted Computing could help with that problem.

But Trusted Computing is a double-edged sword. For if your computer has security hardware that is "trustworthy" built right into it, the real question to ask is, who is that hardware worthy of trust to? A giant corporation? A digital oligarchy? Hollywood? The record industry? You?

We have to be very careful when trading off personal liberty for a sense of security. Trusted Computing is by no means a no-brainer. It's rather a [case of] "look before you leap." The jury is out and a raging debate is necessary.

4 - Do corporations today have the financial and human resources they need to protect their computing environments?

Some corporations are investing heavily in software security, in security engineering, and in security as a proactive discipline. To be sure, they are coming up short when it comes to human resources, but they are working like the dickens to solve that problem. For them, money is not an issue, because this is a question of risk management. I work with these people every day. Other corporations are stuck in the swamp of never-ending reactive security—buying endless stacks of network security pizza boxes from clueless vendors. These guys are not going to make it to the next level.

5 - What are the top 5 things that a modern enterprise can do today to properly manage security risk?

1. Start thinking about software security.

2. Assess your software risk.

3. Understand who poses a threat to your business.

4. Do something sane to manage security risk from a business perspective.

5. Find some excellent software security people and get them on staff.

Next page: T. Rowe Price Investment Technologies' Scott K. Davis

Scott K. Davis
Manager, Network Security, T. Rowe Price Investment Technologies

1 - How does the notion of pervasive computing (where computers are deeply integrated throughout a corporate environment rather than being distinct objects) impact security and privacy?

The biggest challenge has become the mobility of computers and data. The laptop, PDA, BlackBerry, USB drive, etc., all have greatly increased the risk to corporate assets and the data that resides on these assets. As the workforce has become mobile, trying to keep up with securing these devices has become difficult. In addition, as the storage capacity increases, the amount of data at risk does as well.

2 - Would a more proactive approach to security work any better than the reactive approaches, such as patches?

Yes, a more proactive approach to security would reduce long-term security efforts. Building security into software applications would, over time, develop more secure applications, reducing the risk of software vulnerabilities. The individual efforts of software developers to develop secure applications is much less than the enormous effort needed to address the constant flood of software vulnerabilities. The layers of security devices, and the system administration and coordination required to deal with the numerous application security issues, are a drain on valuable resources.

3 - How satisfied are you with the effort software vendors are putting into delivering more secure products?

I definitely believe there is a much greater awareness, and efforts have been put into trying to reduce the overall problem. However, I still think the software companies have a long way to go. The standard answer is still patch, patch, patch. Also, layer upon layer of security software—virus scanners, spyware removers, personal firewalls. Each addresses different issues, but is still part of the larger issue. Until there are fundamental changes in the consumer and business worlds to demand secure products, companies will still do the minimum they can to get their product to market.

Computer attacks have evolved over the past decade to be much more sophisticated. If you look at early viruses, they were a nuisance; they altered or destroyed data on your computer. As viruses and network worms evolved, they moved up the ladder to affect servers and network devices. Now, they are targeting the central computing resources of entire companies rather than individual computers. Now, with the rise of phishing, spyware and identity theft, the threats are using multiple vectors and methods to attack large-scale populations harvesting personal data. The people behind the attacks have changed as well ; they have evolved from the hacker looking for notoriety to organized criminals running a business whose purpose is to defraud the general public.

4 - Do corporations today have the financial and human resources they need to protect their computing environments?

Generally, I do not think so. Computer security in the corporate world has gone largely underfunded from a capital and human perspective. The security group within many companies has evolved out of the user provisioning world, setting up authentication and authorization, providing application security such as single sign-on, managing the security infrastructure, firewalls and IDS, etc. In many cases, these functions are not even under a single department; they are scattered around in various areas.

There has been a greater awareness in companies of the need for a central security organization and what roles and responsibilities are required. As companies have seen the effect of security incidents on their bottom line, their name in the press and reputation losses, they have realized the true value of security. I still believe that as these incidents increase and the security industry matures and evolves, security spending will increase and larger security organizations will become part of the cost of doing business.

5 - What are the top two or three things a modern enterprise can do to properly manage security risk?

1. Defense in depth. Apply multiple layers of security. It has been proved time and time again that by implementing layered security, you reduce the risk and decrease your exposure to loss.

2. Make security a fundamental part of doing business. Whether it is in the applications that a company uses or develops, or in the way it conducts business, lack of security has a cost associated with it and those costs are on the rise.

3. Education and awareness. Make sure your employees are aware of the threats and risk to the company, make sure they understand each person's role in keeping the company secure, and make sure everyone understands the consequences if good security practices are not followed.

This article was originally published on 2006-05-15
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.