Why can't the information security problem be solved? First, the motivation for computer criminals to find vulnerabilities is now primarily money. Identity theft is now one of the most lucrative of all criminal activities. It is estimated that the total worldwide yield of cybercrime could reach $1 trillion in 2006. Organizations concerned with information security must now have security budgets that NASA would envy. Second, unlike NASA, organizations are not planning, testing or verifying the code on their systems. It is unlikely that they ever will, since it would mean reviewing each line of code connected to the perimeter and analyzing it for security vulnerabilities.
Even with perfect coding, modern enterprise environments are now complex beyond comprehension. Systems and devices on the enterprise network are running numerous networking services. The internet is now ruled by over 4,000 RFCs (Requests for Comments) that detail how data moves across it. Keeping up with how to properly configure all the differently coded network devices is now one of the biggest dilemmas for today's IT worker. Configuration mistakes are now the norm. I recently discovered over 800 different computer languages traveling across my agency's network. The modern enterprise environment is a virtual Tower of Babel. In this environment, controlling a perimeter effectively is never going to be perfect. Other solutions are required.
It is past time for security vendors to provide effective intrusion prevention solutions that can not only block a visitor based upon known attack patterns and signatures, but can also interactively re-route and block IP addresses based on traffic history. Dynamic security controls that can assign threat levels would save corporations real dollars every year. Since the internet has a finite number of IP addresses, block lists can be integrated to create more effective intrusion prevention. This would hold IP block owners accountable for the ranges they own. IP providers could be forced to limit who can use their IP addresses, and could sanction users for malicious behavior for fear of getting on a block list.
Although difficult, managing and assigning risk values to IP ranges is possible. Effective internet traffic enforcement is past due, and until IP range owners join the fight, anyone anywhere will potentially be able to wreak havoc. The odds of convicting a hacker today are now reported to be one in 7,000. The only really effective way businesses are going to maintain a high level of security is to keep track of those who visit their resources, and grant access based on IP history.
In addition, operating systems need to have levels of access beyond "guest": users such as "new guest," "known guest," "probationary guest" and "malicious guest" need to be created. These users can then be grouped and access levels assigned to limit the resources, systems and networks they are allowed to touch.
Dynamic perimeters are the only effective way to ensure that systems remain operating during critical times. Automatic visitor threat assessment (AVTA) would not only block malicious IP addresses, it would also allow businesses to identify priority customers based on their IP history and grant them bandwidth and other resources ahead of others. This would not only protect businesses, but would allow security vendors to add value to business processes.
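One way to turn the guest tiers above into an enforceable policy, as an added Python example that is not from the column (the log format, the thresholds, the resource names and the addresses are constructed assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Resources each guest tier may touch (constructed policy for this example).
ACCESS = {
    "malicious guest": frozenset(),
    "new guest": frozenset({"public-web"}),
    "probationary guest": frozenset({"public-web", "api"}),
    "known guest": frozenset({"public-web", "api", "partner-portal"}),
}

@dataclass
class History:
    first_seen: datetime
    good_sessions: int = 0
    bad_events: int = 0  # IDS signature hits, abuse reports, and the like

def build_histories(log_lines):
    """Fold '<ISO timestamp> <ip> <ok|bad>' records into per-IP histories."""
    histories = {}
    for line in log_lines:
        ts, ip, outcome = line.split()
        when = datetime.fromisoformat(ts)
        h = histories.setdefault(ip, History(when))
        h.first_seen = min(h.first_seen, when)  # tolerate out-of-order logs
        if outcome == "bad":
            h.bad_events += 1
        else:
            h.good_sessions += 1
    return histories

def classify(h, now, probation_days=7, known_sessions=2):
    """Tier from history. A bad event is sticky: later good sessions do not
    lift the address out of 'malicious guest'."""
    if h.bad_events:
        return "malicious guest"
    if now - h.first_seen < timedelta(days=probation_days):
        return "new guest"
    return "known guest" if h.good_sessions >= known_sessions else "probationary guest"

def check_access(histories, ip, resource, now):
    """Never-seen addresses default to 'new guest' rather than being refused."""
    h = histories.get(ip)
    tier = classify(h, now) if h else "new guest"
    return tier, resource in ACCESS[tier]

SAMPLE_LOG = """2006-02-01T09:00:00 203.0.113.5 ok
2006-02-10T09:00:00 203.0.113.5 ok
2006-02-05T09:00:00 203.0.113.77 ok
2006-02-06T09:00:00 203.0.113.77 bad
2006-02-20T09:00:00 203.0.113.77 ok
2006-02-20T09:00:00 198.51.100.7 ok
2006-02-27T09:00:00 192.0.2.9 ok""".splitlines()
NOW = datetime(2006, 3, 1)  # constructed log above uses documentation ranges
```

Because many users can sit behind one address (NAT, proxies, carrier-grade NAT), an address's history is a coarse signal, and one bad event from such an address demotes everyone behind it.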
Walker Johnson is an information security manager for the South Carolina CIO. In addition, he is an EnCase Certified Computer Forensic Examiner.