One of the things that distinguishes security from other IT disciplines is its massive scope.
In simple terms, if you own the corporate network, you care about switches, routers, and traffic going from Point A to Point B. If you own security, you have to look up and down the old "technology stack" while keeping an eye on physical security and cross-company business processes. Little wonder that so many companies experience so many data breaches.
For years, the security industry seemed to disregard the broad scope of problems faced by enterprise organizations. Instead, even the biggest security firms like Check Point and McAfee simply offered the threat management widget du jour. This is like your local tire store saying that it is in the business of selling automobiles. Something had to give, which is why big enterprise-savvy companies like EMC, Hewlett-Packard, and IBM entered the market.
I met with IBM at last week's RSA Conference in San Francisco. Rather than talk about threat management products from ISS or identity management software from Tivoli, IBM presented a few interesting things:
- A comprehensive security framework based upon enterprise user security requirements rather than its portfolio of products.
- Integration between security and business processes.
- IBM now has a single person, Chris Lovejoy, who is responsible for coordinating security activities across IBM product and business units.
- An aggressive partnering program to enhance its homegrown offerings.
No, IBM doesn't have all the answers. And there are probably lots of areas where others have better products. That said, IBM has organized its security portfolio in a way that meets enterprise requirements at the board level--and not just in the security products test lab.
Between this user-centric framework and its deep resources, IBM ought to win its fair share of security deals moving forward.
After four days of endless meetings, cocktail parties, and security discussions, I had a rainy weekend in Boston to reflect on last week's RSA Conference in San Francisco. Here are some of my general impressions:
Everyone said that they are feeling the economic pinch in their businesses with deals getting smaller and often delayed.
Ironically, with all of the industry cost-cutting, trade shows are an absolute rip-off and this one takes the cake. Want bottled water in your booth? How about $100 for a case (i.e. 24) of 8-ounce bottles? Want a table and chairs? OK, $500 per day. How do these show organizers get away with this type of extortion?
I noticed a much bigger presence from the VC community this year. I can only imagine that there was some back-room wheeling and dealing at fire-sale prices. Look for some deals soon.
The security market is certainly tipping toward big vendors. IBM and Hewlett-Packard presented very compelling security stories that highlight process and IT service management--not products. Bad news for security widget vendors--and there are still a lot of them around.
After a bit of a security hiatus, Microsoft is back and talking about its next generation of security products and strategies. I found Chief Research and Strategy Officer Craig Mundie's keynote on security and privacy especially compelling and will blog about it later.
A few years ago, RSA Security (the company not the conference) CEO Art Coviello said that he didn't believe there would be a standalone security market by the end of the decade. I wouldn't go this far, but it is clear to me from this year's conference that security is slowly blending into IT and the business.
Hmm. I wouldn't be surprised at all if next year's conference is called the RSA Governance, Risk Management, and Compliance Conference--a bit cumbersome, but an increasingly more accurate description of the proceedings.
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.
SAN FRANCISCO--Malcolm Gladwell had a message for the hordes of security professionals attending RSA 2008 here on Thursday--too much information can impair your judgment.
That's one of the central themes in his bestselling book, Blink: The Power of Thinking Without Thinking. "The ability to show judgment, to exercise judgment is just about the most important thing any decision maker can possess," he said in his keynote address.
He then gave examples of cases in which overthinking and careful analysis have led to bad consequences.
Malcolm Gladwell at RSA 2008: 'The ability to show judgment, to exercise judgment is just about the most important thing any decision maker can possess.' (Credit: Corinne Schulze/CNET Networks)
Studies have shown, for instance, that emergency room doctors are much better at diagnosing chest pain accurately when they have only four data points (chest pain, instability, fluid in the lungs, and an electrocardiogram) than when they also take into account factors such as patient age and whether the patient smokes.
Then there's the Getty Museum's famed 14-month evaluation of what was supposed to be a 2,600-year-old Greek kouros statue. Despite art historians and other experts taking one look and declaring it a fake, the museum paid $10 million for it and later learned of the mistake.
"There are lessons from the kouros about what goes into the quality of judgment," Gladwell said. Having an unconscious sense can be more important to good judgment than all the painstaking assessment and facts available, he added. "It's central to what it means to be an effective decision maker."
Bringing it home to the security world, Gladwell then spoke of the bombing of Pearl Harbor and how members of the intelligence community in Washington, D.C., were so buried in intercepted and decoded Japanese communications that they weren't able to connect the dots. "They couldn't make sense of what was in front of them," he said.
Whereas the journalists, who didn't have all the insider information, had a clearer picture and could anticipate the attack--"because they knew less."
I'll drink to that.
Elections departments around the country have spent millions on electronic voting systems that are flawed and officials aren't about to throw them out and start all over. The only solution is to conduct audits to verify the count after every election, a researcher and expert on electronic voting said at RSA 2008 on Thursday.
David Wagner, computer science professor at the University of California, Berkeley, led a state of California-commissioned study last year of the three major electronic voting systems. The study found serious vulnerabilities in each system that would allow someone with access to just one of the machines to spread a virus that would infect all the other machines in the system and essentially control the outcome, he said in a panel discussion on electronic voting.
The systems have architectural weaknesses, implementation flaws, and defects, similar to problems in commercial software that isn't designed with security in mind, according to Wagner.
"This puts our election officials in a terrible position," he said, adding that officials are stuck using the machines. As a result, audits are the only solution.
The audits should be public and they should be done automatically, as they are in California, which requires a paper trail, Wagner said. He praised the California audit methodology in which paper ballots are manually counted in a random sample of precincts.
Other researchers are coming to similar conclusions. At a conference in February, Princeton graduate student J. Alex Halderman suggested using machine-assisted auditing. And Ronald Rivest, professor of electrical engineering and computer science at MIT, said during a cryptographer's panel on Tuesday at RSA 2008 that voting systems should not depend on the software to capture the vote, but use paper or some other means.
The problem is, not every state that uses electronic voting equipment has a paper trail and many states don't do audits, even if they have paper ballots to count, Wagner said.
Hugh Thompson, chief security strategist at corporate security training firm People Security, who has researched flaws in e-voting systems, was pessimistic about whether audits will be widely adopted any time soon.
"If an election is close, in a lot of cases an audit, even if you have a paper trail, isn't conducted," he said. "In Florida, the election officials told us at the time that (in the event) they were suspicious, they didn't have authority to institute a recount."
It's a little slow at this year's RSA Conference, but there is still plenty of hoopla to go around. It's a retro RSA in that this year's hot topics are all oldies but goodies. The list includes:
- Compliance. Everyone is resurrecting their focus on regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and a host of others.
- Identity. Think of this as the personalization of IT. Chief information officers want to know who is on the network and what they are doing. Armed with this knowledge, they can block bad behavior and accelerate productive business activities.
- Data security. Large organizations are desperately trying to get their arms around their data by answering questions like: Where is my confidential data? Who is accessing it? What the heck are they doing with it?
Yup, what's old is new again all around this security nexus. It would be easy to say that the marketing folks are either tired or lazy, but I see a completely different meaning here. We are still struggling with basic security problems, after all these years, and the industry is thus going "back to the drawing board," if you will.
Let's just hope we get it right this time around, or we all may be in deep trouble.
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.
Security expert Bruce Schneier is rightly regarded as one of the industry's most intelligent and insightful participants. He has made substantial personal contributions to the science of cryptology, and has written some of the best books on the subject.
Like many smart people, Schneier is also highly opinionated. Although I have yet to hear a technical opinion from Schneier that I disagree with, some of his nontechnical opinions are--in my opinion--open to debate.
For example, Schneier coined the term "Security Theater" to describe measures that serve to make people feel safer without significantly improving security in any real sense.
That's a great definition. Security Theater is a real thing. But Schneier has frequently said that it's universally a bad thing...as if human psychology is irrelevant. Yes, it's obvious now that airport security checkpoints prior to September 11, 2001 were more of an inconvenience to travelers than they were to hijackers. Hijackings were rare but possible before the checkpoints, and rare but still possible after the checkpoints were set up. But without those checkpoints, a lot of people simply wouldn't have flown on commercial airlines.
At the RSA Conference this week, Schneier gave a talk on "Reconceptualizing Security" based largely on an essay on his Web site titled "The Psychology of Security."
I think this was very good work, and represents a significant maturation of Schneier's thinking on the nontechnical issues he's been covering all these years.
Most notably, it explains the proper purpose of Security Theater. When people feel less safe than they ought to given the facts of a situation, they can make bad decisions--for example, avoiding commercial aviation even when it's objectively safer than the alternatives. Security Theater brings feelings and facts back into agreement and restores rational behavior.
Security Theater isn't entirely good. It's still a kind of fraud, and the mere fact that it works doesn't mean it's an optimal solution; it just shows where this approach comes from and why it works. There are still plenty of problems with it. For example, one audience member pointed out in the Q&A session following Schneier's talk that using Security Theater to make people feel better about some threat can backfire if the reality of the situation deteriorates. People will retain the good feelings engendered by the charade and thus underestimate the real threat.
Schneier expanded on his essay by adding a third independent variable. Along with facts and feelings, we also build conceptual models for security analysis. However rational our models may be, our feelings may still be different. Although someone in the audience asked if we shouldn't just think in terms of facts and models, I think we have to accept that feelings and models are functionally distinct, and therefore we have to keep them separate. For example, we can express and analyze models far more easily than we can communicate our feelings.
But the reality of how we make security decisions raises an important question--should security professionals focus on real solutions to security problems, or just on making people feel better about security? Unfortunately, there's no easy answer to this question. It depends on who's paying the professional's salary, what they expect, and how rational they are. At one extreme, any professional should certainly want to improve security in real terms, but delivering the perception of improved security may be a practical job requirement.
There was one funny moment in the presentation that I have to relate. Schneier was describing the 1982 Tylenol crisis and the resulting broad use of tamper-evident packaging. At the very moment he made that connection, he took a bottle of water provided by the show organizers on the podium and cracked open the cap. It was apparent to me that he hadn't even noticed this connection, and when I pointed that out, he agreed--tamper-evident bottle caps are now so much a part of our everyday lives that we don't even notice them any more.
These caps don't make us much more secure in any real sense, but they allow us to feel comfortable about drinking from bottles we've never seen before. The cynical old Bruce Schneier would probably say that's a bad thing, even though the effect works on him just like anyone else. The new Bruce Schneier, I think, has a better appreciation of the role of psychology in making security decisions, and his future work will probably be better for it.
"I will tell (you) how to break into a nuclear reactor," Ira Winkler, president of security firm ISAG, said as he launched into his presentation on "How to Take Down the Power Grid" at RSA 2008 on Tuesday night.
"Frankly, it's really easy to break into the power grid," he said. "It happens all the time."
First, you set up a Web server that downloads spyware onto the computers that visit.
Second, you send an e-mail to people who work inside a power station that entices them to click on a hyperlink to the Web server with the spyware. Warning them that their human resources benefits are going to be cut and sending them to a Web site with "hr.com" in the domain would work, according to Winkler, who said he has done this several times in company-approved penetration tests.
Third, you wait as the recipients--and everyone else they forwarded the e-mail to--visit the server and get infected.
"Then we had full system control," he said. "Once the malware was downloaded onto their systems...we could see the screens and manipulate the cursors."
It took about a day to set up the attack and was effective within minutes, according to Winkler.
"It had to be shut down after a couple of hours because it was working too well," he said.
This is akin to social engineering attacks that happen all the time, but this attack has more far-reaching consequences than most such attacks.
Power stations running special SCADA control software are perceived as more secure than other networked systems. However, they are just as vulnerable because they are connected to the Internet and run on computers that also run Windows NT, he said.
"Things are really this bad," Winkler said. "I'm not exaggerating."
Below is a video showing a staged cyber attack on a power station that Winkler showed during his presentation:
Microsoft released its new Stirling security suite in public beta at RSA 2008 on Tuesday.
The Stirling security package, the next wave of its Forefront software, offers one management console, enabling administrators to push policies out across PCs, servers, and other computers that access the Internet.
Administrators can set the system up so that policies are automatically followed or so that they require administrator approval before further action is taken, such as blocking a computer from accessing the network if the system detects that it has been compromised, said Ryan Hamlin, general manager of Microsoft's Access and Security Division.
The console is easy on the eyes, showing graphical representations of the severity of security threats to the network, even down to the individual PC level.
A beta refresh with new features will be available before the end of the year, Hamlin said.
Microsoft also is rebranding its Internet Security & Acceleration (ISA) Server as Forefront Threat Management Gateway. The software includes firewall, Web antivirus, and remote access technology for protecting computers that connect to the Internet.
Secretary of the Department of Homeland Security Michael Chertoff (Credit: Charles Cooper/CNET News.com)
Risks from cyberattacks are increasing and the consequences are so great that the country needs a "Manhattan Project" for network security, Michael Chertoff, secretary of the U.S. Department of Homeland Security, said in a keynote on Tuesday at RSA 2008.
"We need a game-changer with how we deal with attacks," he said. "In January, the president signed a homeland security directive, for a national cybersecurity initiative...almost like a Manhattan Project."
"Cyberthreats have enabled terrorists and criminals to do the kind of damage they would never be able to contemplate doing in the real world," he said.
For example, a botnet denial-of-service attack shut down the Estonian government last year for about two weeks, according to Chertoff. "It went beyond simple mischief, and represented an actual threat to government to govern its country."
"A single individual, a small group of people, or a nation-state can exact the kind of damage or disruption that in years past only came when you dropped bombs or set off explosives," he added.
The government needs the "best and brightest" from Silicon Valley and elsewhere in the private sector to work on creating an advanced warning system to prevent such cyberattacks.
"We face a very serious challenge and it's only likely to grow more serious as time passes," Chertoff said. "We're operating in a domain in which traditional military power or the power of the government is insufficient to address the full nature of the threat. A command and control response will simply not be adequate. We need a network response to deal with a network attack."
During a question-and-answer session afterward, Chertoff defended the government's Real ID law, which would create a uniform national ID card. Chertoff said the card would make the country's buildings and airplanes more safe from terrorists. Opponents say the inconvenience and privacy concerns outweigh any perceived benefits.
Chertoff asked rhetorically, when choosing between an airline that allows people without identification to board and one that doesn't, "which airline would you put your children on?"
In a keynote at the RSA conference last year, Microsoft Chairman Bill Gates and Craig Mundie, chief research and strategy officer, said the company had more to do to improve security.
Microsoft's Craig Mundie on stage at RSA 2008. (Credit: Corinne Schulz/CNET News.com)
A year later, not much has changed.
Mundie and Chris Leach, chief information security officer at Affiliated Computer Services, followed talking points about Microsoft's latest vision for End to End Trust, describing it as an industry call to action.
"The foundation has been laid for good security practices," Mundie said. "The challenge now is related to management practices."
It's all about establishing that you are who you say you are.
"We need new forms of credential," Mundie said. "You should be able to present a cert (certificate) that says, 'Hey, I'm over the age of 18'...and allow a Web site to know that you are an adult."
Mundie was laying out the parameters for Microsoft's vision for security so that the interested parties would build around the company's framework.
As if on cue, he said: "The overall management systems today are not integrated enough, they're too complicated. That has been a major focus for Microsoft." And he mentioned some Microsoft products that solve those problems.
I showed Bruce Schneier, chief security technology officer for BT, the End to End Trust documents and he said "it feels general and like marketing hype." The notion that the world needs centralized authentication "is just silly," he added.
Basically, Microsoft has used its trusted computing efforts, such as inserting identity rights management into Office 2003, to lock people into using its products, Schneier said.
"Microsoft has used this as an anti-competitive tool," he said.
In a briefing on Monday, George Stathakopoulos, general manager of Microsoft's Trustworthy Computing group, was mentally prepared for the criticism.
"With everything we do, there is always skepticism and conspiracy theories," he said. "The answer is no; this is for real."