Johannes Ullrich, chief research officer of SANS Internet Storm Center
With his able group of “handlers,” Ullrich tracks threats to the internet by correlating and analyzing logs from contributors worldwide. As a result, he consistently interacts with users, designers and other developers to help those tethered to the internet stay clear of the newest attacks. His early warning system has led to the discovery of many well-known threats, such as Code Red, Ramen and other worms.
During 2005, one of the most complex challenges he faced was the DNS cache poisoning problem. He says: “The main approach to solving this and other challenges is an open and global collaboration. With the Internet Storm Center and our ‘diaries,’ we are able to disseminate information very rapidly. In return, we do get a large number of [experts] to work on questions we pose. In order to solve the DNS cache poisoning issue, we had experts in the U.S., South America, Europe and Asia involved.”
He explains further that getting early warnings about the newest threats out to organizations does not depend on reaching agreement among experts or users around the world; posting early, however, certainly helps trigger readers to write in with their own observations. “So we do not wait until we have all the answers before we post something,” he says.
For example, with the DNS cache poisoning issue, a couple of readers initially wrote in voicing concerns. But when the warning was posted to the site, others corroborated the observation. “In the end, we had people send us logs from servers used in the attack, and our handler in Korea was provided access to the DNS server at the core of the attack,” he says. “Given all the help, we were able to uncover a rather complex flaw in a common DNS server configuration.”
Howard Schmidt, president and chief executive officer of R&H Security Consulting
As former cyber security advisor to the U.S. White House and former VP and CISO of eBay, Schmidt is travelling hither and yon to highlight various IT security problems and possible resolutions. He now is the president and CEO of R&H Security Consulting, through which he has been contracted as the chief security strategist with the US-CERT Partners Program.
Most recently, he has found himself debating with another of our thought leaders, Bruce Schneier, about how software developers should be held accountable for the holes they miss in software they write.
Although Schmidt says his comments have been taken out of context, that has not stopped Schneier from using them as a launching pad to tout his own opinions on the subject.
Bruce Schneier, chief technology officer of Counterpane Internet Security
The seemingly constant industry buzz surrounding Schneier is well-deserved. With a trail of bestselling books in his wake and two encryption algorithms, Blowfish and Twofish, to his credit, Schneier is well-placed to discuss and argue various IT security-related issues in his free monthly newsletter Crypto-Gram. Most recently, he questioned reported comments made by Howard Schmidt that noted Schmidt’s support for holding programmers personally accountable for insecure code. These published accounts, which sometimes seem to allude to personal liability, are inaccurate, Schmidt says. He notes that his comments were made “in the context of how [programmers’] ability to write secure code should be a part of performance reviews.” Schneier says, however, “It is the software manufacturers that should be held liable” for insecure code. Although the additional costs of making products more secure would fall to consumers, he says more secure solutions would prove cost-effective in the long run, since users already pay more than they bargained for to fix holes in products they have deployed.
Mary Ann Davidson, chief security officer of Oracle
Davidson is working with a team inside her company to try to nix software vulnerabilities, deliver fixes that are easier for customers to administer, and trumpet the need to reduce software coding flaws overall. In touting ways to develop more secure software, Davidson has said that an audit standard would help the process. To audit software properly and consistently, she believes standards bodies, such as the National Institute of Standards and Technology (NIST), must establish benchmarks to help guide the software industry to make safer software. Additionally, she encourages customers to seek lock-down configurations from their vendors for the products they have purchased, and goes so far as to urge them to demand secure configurations during the overall procurement process.
Frank Fanzilli Jr., former managing director and global chief information officer of Credit Suisse First Boston
One of our Editorial Advisory Board members says that “this guy really gets technology in corporate America.” Although he is retired, in truth he seems busier than ever. In addition to once being a board member of PeopleSoft and currently serving on the boards of the Open Source Development Labs, nLayers and a few others, he is heavily involved with various IT security companies through the venture capital groups for which he serves as an advisor. Additionally, he speaks at a slew of high-level industry events. Not only is he very influential, but he has a strong knowledge and understanding of security requirements related to business undertakings – meaning he is far from just a security practitioner who pushes IT security practices for their own sake. In the end, for him IT security is a requirement of doing business – a concept he continues to promote.