This has been a very good year - especially for the hackers. Ben Rothke wonders if we have learned anything from the experience
Infosecurity hit the headlines in 2003 as in no other year before. The coverage helped to satiate the thirst for information about the topic among corporate executives. After all, this was the year that company networks all over the globe were taken out by the likes of Blaster and Slapper.
Even with this fervent interest in infosec, however, a slew of similar IT security problems from the year before ring true for this one as well. Despite all of the growth and interest in infosecurity and privacy issues, the arena on the whole appears to remain stuck in its formative years.
However, as legendary American author Norman Cousins puts it: "History is a vast early warning system." While any type of prediction is challenging, the ones about information security are incredibly difficult. The dynamic nature of the security market, combined with its seemingly perpetual immaturity, can leave any forecast about its future off target. Nevertheless, perhaps we can learn some of what's in store for us next year by taking a look back at the past 12 months.
Pete Lindstrom, research director at analyst Spire Security, says that in 2003 the worm took top priority for security professionals. Now, he adds, "containment is... the name of the game." This game has created a new range of products from vendors such as Mirage Networks (www.miragenetworks.com), Silicon Defense (www.silicondefense.com) and others.
After the plague of viruses and worms, the main security issues of 2003 were identity theft, spam, keyboard loggers and social engineering. The many vulnerabilities peppered throughout software from the likes of Microsoft was another primary worry.
Virus, worm and trojan attacks are a pain felt by all. The time between exploit publication and patch publication needs to be short to keep up with the attackers. Although most IT security professionals do their best, the proliferation
of vast numbers of patches is such that their implementation throughout an extended network is sometimes fatally delayed. Looking forward, the consensus is that people who understand basic software security concepts must write the code for products that support so many organizations' infrastructures.
"It seems I've heard this story before - that this will be the year of security," says Jacques Francoeur, chief executive of trustEra. "Haven't we learned anything from the past?"
Francoeur believes that before security is given the resources it needs, and is perceived as a priority among executives, it must evolve its value proposition as one of electronic business enablement. Security must also be elevated to an enterprise-level, integrated solution that facilitates the reliable and repeatable execution of trustworthy critical business processes. For now, he adds, security has not aligned itself and broadened its value proposition to address the inherent new risks - ensuring the trustworthiness, stability and recoverability of an electronic enterprise.
The good news
Awareness of information security and privacy, while still not at the point that it should be, is at an all-time high, however. What's more, a growing amount of security software and hardware is being installed and more companies are hiring chief security officers (CSOs) and chief privacy officers (CPOs).
In 2003, we saw the security market mature, with the science of management finally being applied to the art of security. Now, infosec can start playing a broader role within technology. Rather than security being a series of defensive, reactionary stopgap measures, security management will become a key component of the network and systems management philosophy.
Most importantly, information in the back-office systems of organizations is greatly improved when it is released to customers, partners and suppliers. Companies that continue to operate in lockdown mode, applying only the security of exclusion and disablement, will perish in the long term. In contrast, companies that intelligently manage
the relationship of users to services to enable transactions - that is, companies which practice the security of enablement - will flourish.
Microsoft made waves in 2002 with its Trustworthy Computing initiative, but that wave did not turn into a security tsunami in 2003, as many would have hoped. In Microsoft's defense, this is a multi-year effort and anyone looking for complete success in 2003 is expecting too much, too soon.
Another distinction often lost is that the Trustworthy Computing initiative is focused on more than just security, although infosec is clearly a key priority and emphasis. It is predicated not just on security, but also privacy, reliability and business integrity. Microsoft feels that it is the balance of all four areas that will make systems more inherently trustworthy. But that does not underscore the fact that the biggest security problems of this year - viruses - were propagated primarily though Microsoft Windows systems.
"In 2003, we pretty much did more of the same - only harder and no more successfully," recalls Marcus Ranum, a senior scientist at TruSecure. "Thanks to new outbreaks of worms, approximately once a month system administrators were flogged with an unending stream of patches and hot-fixes - and still it was not enough."
This sentiment is supported by Andreas Antonopoulos, security practice director at security consultancy ThruPoint, Inc. "This was the year that proved once and for all that patch management in itself was no longer a viable solution to the Microsoft security problems," he asserts.
The irony is that, for the most part, all it takes to stop viruses is a cheap piece of commodity software: namely anti-virus software. "SoBig was a blip on my radar screen, trivially deflected by my $19.95 anti-virus solution," notes TruSecure's Ranum. "Yet, somehow, major corporations, government agencies and mission critical infrastructure were brought offline by the worm. For lack of $19.95, you can lose an entire corporation's productivity for two days. From where I stand, 2003 looks a lot like 2002 - a year in which there were plenty of wake-up calls that only caused us to roll over and hit the snooze button."
While most of the worms in 2003 attacked Microsoft systems, worms are a problem across the board. "Microsoft certainly has a very large responsibility to improve the quality of its products, and to ease the pain of the patching process for customers, which it is actively working to do," according to Scott Culp, senior security strategist for Microsoft Corporation. But, he adds, it is an industry-wide problem that needs solving.
"For example, open-source software has also been exposed to viruses and worms, such as the recent open-source worm, Slapper," he says. "Because there are far fewer open-source users, Slapper's impact from was less widespread than the impact from Blaster, but otherwise the parallels between the two worms are quite similar."
Microsoft does seem to be taking security seriously. Windows is now by default a lot more restrictive, Microsoft's patch-management process for customers is improving, and it is working heavily in the home user area to help consumers increase the security of their computers and stay secure online.
While Trustworthy Computing will indeed take years to ultimately fulfill its promise, Ron Moritz, chief security strategist at Computer Associates, believes that infosec and other corporate professionals alike are demanding that software vendors, and Microsoft in particular, make their products more secure. Based on meetings with Fortune 500 CSOs, Moritz says that companies are moving away from "buying more security solutions towards buying secure software."
"After a decade of cool, but ultimately untested, technology with the latest bells-and-whistles, or reactive solutions to keep the worm du jour off the enterprise menu, CIOs are now partnering with major software vendors that provide high-quality, secure applications to run their businesses," adds Moritz.
While innovation will always be important, being first-to-market will be less important for software vendors than producing safe, secure software that works. The vendors that make quality a foundation will emerge as leaders during the next wave of consolidation. Most importantly, the definition of best-of-breed is rapidly changing to one where the primary ingredient will be software quality and reliability.
Is IDS really dead?
June 2003 saw the shot heard around the infosec world when Gartner Research released its Intrusion detection on the way out report. It's hard to find an analyst report that has created as much contention, derision and debate in the security industry as this one.
Richard Stiennon, vice-president of research at Gartner, wrote: "IDS as a security technology is going to disappear." He added that he expects next-generation network-based firewalls to so successfully protect back-end applications from attack, and that companies will conduct continuous vulnerability assessment and remediation to such a degree, that IDS will become outmoded.
Stiennon believes there is no single replacement for IDS, and states that "anything that protects a network is better than IDS; anti-virus, firewalls, host IPS, network IPS, vulnerability assessment and remediation are all technologies that prevent intrusions."
In a town-hall type meeting at the Pentagon in July 2003, at which the IDS report was discussed at length, the only thing that all the parties agreed on was that these systems issue far too many false positives. But the problem of false positives will never go away unless we become comfortable with the likelihood of false negatives. Intrusion prevention essentially forces a decision between the two. And since intrusion prevention devices use exactly the same techniques as intrusion detection, intrusion prevention devices will inherit the same problems suffered by IDSs.
Spire's Lindstrom takes a different view of things. "To say 'IDS is dead' suggests an outdated understanding of IDS and a lack of insight into how products and markets mature," he insists. "Using the same logic, we must conclude that firewalls, anti-virus, VPN, single sign-on solutions and any other product category that has evolved are dead as well."
The truth is that an IDS is a necessity, both in the physical world and in the digital world. Take, for example, a recent project designed for the needs of a specific government agency office. Bill Evanina, an FBI special agent assigned to the Newark FBI Counter-Terrorism Squad, was the project coordinator for the design and construction of the new state-of-the-art FBI office in Newark, NJ. He says that the need for external physical intrusion detection systems is an imperative.
"Not only is an intrusion system mandatory, the only facet more important than the system is the human element monitoring and administering it," he says. You won't find a more hardened building in Newark than the FBI building; and physical intrusion detection is an integral part of that system.
Stiennon is unrepentant in his assessment of the IDS market, which he feels is withering away. He sees intrusion prevention technology as its successor. In fact, concludes Stiennon, "looking back on it, history will demonstrate that my conclusions on IDS were late."
TruSecure's Ranum believes "many organizations have policies that are highly permissive, yet still expect IDS or even a firewall to help them. My experience has been that IDS works pretty well, but the IDS customers are trying to use it in a way that makes no sense. That's exactly what happened with firewalls, so why should we expect that IPS won't get equally mis-deployed?"
But, says Ranum, the report has had its effect, noting that Gartner's report stirred a lot of mud into the waters, with many vendors rushing to rebrand their existing technology as IPS - whether it was a firewall, an anti-virus tool, or an IDS.
"Gartner's ex cathedra pronouncements still carry a great deal of weight with less technically savvy C-level executives, so Stiennon is in the interesting position of being able to write self-fulfilling prophecy," he explains.
The real issue, which Gartner's report ignores, is that to do intrusion prevention you have to be able to accurately detect intrusions to prevent them, he adds. So it is contradictory for Gartner on one hand to say: "IDS - too many false positives" and, on the other hand, "IPS will save us."
What is useful and necessary for the network in the long run is a distributed threat management architecture that includes analysis engines on multiple platforms (the successor to traditional IDS) using different detection techniques funneling information to a security event management back end - the console, contends Spire's Lindstrom. At various points, these sensors can then provide information to response agents (network or host-based) that act on packet streams, sessions or system activities to protect the environment using blocking and alerting techniques, along with deception, throttling and so on.
Regulations and compliance issues are yet more happenings that hit 2003 in a big way. Sarbanes-Oxley, California SB1386, HIPAA (Health Insurance Portability and Accountability Act) to SEC 17a-3 and 17a-4 and a plethora more made their presence known in the past 12 months. Organizations are now facing complex requirements to comply with security and privacy standards and regulations as security slowly finds its way out of the data center and into the corporate boardroom.
Organizations that fail to comply with the regulations will be exposing themselves to legal and financial liability from customers, in addition to state and federal regulators. With so much regulatory presence in the air, it is simply a matter of time until much of cyberspace is regulated.
The downside is that many regulations in their initial state are often out of date, ineffective or difficult to implement when they finally become law. As an example, HIPAA was first drafted in the mid-1990s and was only signed into law earlier this year.
Once passed, however, companies must follow the rules. Because of the various legislation and regulatory concerns, many financial companies are performing due-diligence to ascertain the security readiness of their business partners. Service companies are all inundated with risk-assessment and audit questionnaires. Yet, at the same time, it is an unfortunate fact that our infosec industry still has no widely accepted standardized measurements.
This was supposed to be the year of HIPAA. The Act's Privacy rule became enforceable in April and the final Security rule was also signed into law. Covered entities were supposed to start moving ahead at warp speed. But, even though the dates for HIPAA compliance with security rules are relatively close, the expected HIPAA wave has still yet to hit. In fact, in the eyes of many industry pundits, there is still a low tide for HIPAA.
Kate Borten, president of The Marblehead Group, notes that HIPAA has not caused significantly improved security in the healthcare industry in 2003. She states: "While the HIPAA Privacy Rule became enforceable in April, and it required information security, many, if not most, healthcare providers still haven't faced up to what that really means." Unfortunately, she further explains, there still seems to be a lot of denial as well as a lack of fundamental understanding about what an information security program entails.
Healthcare managers typically think security is not due until 2005, a serious misunderstanding of that artificial HIPAA date. And they all too often, along with information technology staff, continue to think that information security is mainly about viruses, passwords, encryption, and the like. "Yes, there's a lot of technology involved," notes Borten, "but as security pros know, it's even more about process; and that means getting lots of people involved throughout the organization to develop policies, implement workforce training, provide ongoing monitoring, and so on."
On a technical note, the healthcare industry as a whole has not been viewed as a technology leader. However, it is at the leading edge when it comes to handheld devices and wireless. The benefits from these technologies in relation to effective patient care are indisputable.
As happens far too often, the technology precedes the policy, notes Borten, adding that the security risks are clearly on the rise and will continue to rise until there's a greater management awareness of the risks and until mitigation solutions are given a higher priority than they are today.
While far too many corporate computers are in an insecure state, computers owned by home users are woefully inadequate. The majority of home users lack essentials, such as patched systems, personal firewalls or up-to-date virus definitions.
Another huge problem is the use of P2P software. While it can be debated whether the sharing of music files is illegal or not (and it is not clear), a real issue is that many users misconfigure software such as Kazaa and Morpheus and end up sharing their entire hard drive, not just their music files. The problem here is that huge amounts of corporate data end up on home hard drives, and are not protected by the corporate firewall, or any firewall for that matter. Significant amounts of proprietary and confidential corporate data often sits on these hard drives.
Experimenting with this in October 2003, in under two hours via Kazaa, the following was downloaded:
- Restricted access to Boeing 737 and 777 flight manuals (more than 5,000 pages) for a major U.S. airline;
- A plethora of end-user password lists in Word, including passwords for bank, student loan, frequent flyer, and various email accounts;
- Case histories of various psychiatric patients;
- Personnel review records;
- Divorce strategy and litigation for a couple whose relationship was on the rocks, and much more.
The message is that far too many home users are sharing more than just songs. Security consultant Fred Avolio agrees that there is a large growth in broadband users with unsecured computers. As a solution, he says that "ISPs should firewall off home users for the good of all - not to keep them completely isolated, but to provide some security that typical home users lack."
The future of hardware and software
While a relatively slow year in the mergers and acquisitions (M&A) sector, 2003 saw significant M&A activity in the security arena. What will 2004 bring? Computer Associates' Moritz feels that in the next 12 months "there will be continued consolidation in the security space, in tandem with a compression of security product categories."
As an example, secure content management will likely emerge as a single category - a superset of anti-virus, anti-spam, content filtering, adware, spyware, malicious code protection and more. In addition to consolidation, there will be moves to offer integrated identity and access management suites.
"Just as companies have chosen to partner with an Oracle or SAP to run all their business processes, customers will partner with a single vendor to manage all their network, systems, physical and cyber-security functions," he says. "The security industry is about to relive the network and systems management evolution."
Gregg Moskowitz, research analyst with Susquehanna Financial Group, agrees with Moritz's comments about consolidation. He states that "a growing number of enterprises seem to be getting more frustrated with having to purchase, configure and manage a multitude of security products from a wide range of vendors. As a result, we will begin to see a more pronounced shift from best-of-breed to an integrated security approach in 2004 versus prior years."
While noting that best-of-breed in security is hardly extinct, Moskowitz expects more customers to take a closer look at all-in-one products, such as the latest Symantec Security Gateway appliance that includes anti-virus, firewall, VPN, network-based intrusion detection, content filtering and anti-spam on flexible licensing terms, or
the forthcoming integration of the OneSecure intrusion prevention technology into NetScreen's firewall and VPN ASIC-based appliances.
Security job market
One of the better barometers of the industry is the state of the hiring. "As the economy continues to rebound from the precipitous market declines and from the resulting economic downturns, corporations have begun to focus their sites on capital spending for the future," explains Lee Kushner, president of LJ Kushner and Associates, an executive recruitment firm that specializes in information security.
This focus is the effect of the lag in technology spending caused when companies looked everywhere for savings. Projects that were shelved are now back on drawing boards. Companies are now assessing the return on investment for these improvements, as well as the potential risk scenarios from further delay.
The after-effects of 9/11, in the form of security concerns and ever-tightening legislation, have placed security on the front burner. Concerns for privacy of information, protection against cyberattacks, cybertheft and the safeguarding of proprietary information have shifted the focus of technology spending to these areas.
Specific focus has been centered around the areas of application security and identity management, which has created new opportunities for security professionals.
Kushner notes that "where in the past most opportunities were concentrated with the third-party security vendors, including managed-services providers, security consultants and security-product companies, today a considerable amount of opportunity has developed in the world of Fortune-size companies. These companies have begun to recognize the need to develop in-house capabilities to deal with all of the issues that present potential liability to them."
However, the slow pace of the economic turnaround has created a reluctance among many companies to staff up too quickly, causing some to increase their reliance on third--party providers.
During the second half of this year, inquiries by Fortune companies into the availability of managed-security services and security products has intensified. The good news, according to Kushner, is that this should be followed by an increase in spending and staffing during the first half of 2004.
Moskowitz is forecasting that the security market (software plus firewall/VPN appliances) will reach around $8.3 billion in 2004, which would represent roughly 15 percent growth since 2002. The biggest growth drivers from his vantage point have been anti-virus and firewall/VPN appliances. He says that anti-virus spending has surged in 2003, due primarily to higher spending by consumers and small and medium sized businesses, with much of the heightened interest originating from the recent Blaster and Sobig.F worms.
Moskowitz notes that firewall/VPN appliances are continuing to win favor across businesses of all sizes due to ease of installation and a lower cost of management versus many open-system solutions. Furthermore, SSL VPN products from companies like Neoteris (which has been recently acquired by NetScreen) and Aventail have been gaining a lot of momentum in the marketplace.
For 2004, Moskowitz estimates the market will grow by about 16 percent to $9.6 billion. While the aforementioned two security segments should again fare well in 2004, he expects smaller segments and technologies - like antispam, enterprise security management and managed security services - to grow at higher rates.
Another development he highlights as one to watch is Microsoft, which has recently made a few interesting moves in security, most notably the acquisitions of Pelican and GeCAD.
While Microsoft recently announced several improvements slated for 2004, such as better patch management and a more secure and robust firewall as part of Windows XP, Moskowitz notes that "the $64,000 question is what will Microsoft do in anti-virus?" He expects Microsoft to release a subscription-based anti-virus service, initially to consumers and then to enterprises, but details remain ambiguous at this point.
"Why should we expect the progress of security to be any different than the slow, evolutionary, call-to-awareness approach of the President's Critical Infrastructure Protection Board issued last September at Stanford?" asks Jacques Francoeur of trustEra.
He feels that "if we want security to leap forward, a revolutionary call to arms will need to be issued commensurate with the true nature of the new risks. Or as some in the government believe, they would rather stick their heads in the sand and wait for a September 11 in cyberspace before mobilizing. The writing is on the wall!"
Whether 2004 will be a revolutionary year in security or simply an evolutionary one, most practitioners would agree that it is an exciting sector to be a part of. No doubt it will become even more interesting as time passes and the tricks and the trade continue to mature. n
Ben Rothke, CISSP, is a senior security consultant with ThruPoint, Inc. and the author of "Computer security: 20 things every employee should know"