Opinion

Business Partner Security: Mistrust Never Sleeps

A healthy suspicion of every business partner can pay dividends for the CSO.

By David H. Holtzman


Some services that provide their own authentication are as guileless as a kindergartner. The domain name system (DNS) has always had this weakness. There are many incidents of "DNS spoofing" and "cache poisoning" against large companies. No amount of money can protect a company against this problem because DNS attacks hypnotize the audience, not the victim.

Any technology that incorporates authentication or encryption is critically dependent on trust. Most network security schemes rely on secure sockets layer, but who hands out the server certificates using what identification criteria? What happens when the certificate is revoked? The importance of those questions became apparent in March 2001, when Microsoft released a highly publicized security advisory because VeriSign had issued two digital certificates to some entity that claimed to be Microsoft and wasn't. Microsoft created a software patch to invalidate the bogus credentials because it turned out that Internet Explorer didn't have a revocation capability. Think about that the next time you click "OK" when the pop-up asks if you always want to trust content from someone.

Practice Security by Managing Trust

War, if it occurs, will no doubt bring new challenges for the CSO. There are too many well-known soft spots in the security levees of the IT industry to believe there won't be breaches. There will be. The attacks, when they happen, will come from somewhere you trust. The wise security officer, knowing this, will manage trust by challenging assumptions and diversifying vulnerability.

CSO
