In Depth

Information Security Predictions in 2004

In 2004, information security will require a splash of the old, a dash of the new and a healthy dose of brainpower.

By Chris Lindquist

December 01, 2003 — CSO — News alert: The perfect firewall isn't going to ride in on a white horse. A "god box" won't magically appear on your desk to protect your network from the evil that lurks a thin wire away. In fact, the coming year isn't likely to see any major advances in security technology, according to experts. Instead, 2004 will be all about evolutionary improvement, end user education and making the best use of the tools we have.

While a few folks still opt out, most prefer a vaccine to tempting a case of hepatitis. The same holds true for computer systems. Almost universally, security experts point to patching as a key tool to keep the bad guys at bay. But they acknowledge that current patching tools are still in their infancy and need to improve.

Security experts generally agree that the bulk of all attacks take advantage of vulnerabilities for which there are already solutions, either through patches or configuration changes. As such, numerous companies have lined up to create tools that automatically identify and patch operating systems and applications. But current tools are often less than subtle, simply patching any and every device regardless of whether it is actually prone to the attack. And many companies have discovered to their dismay that a patch designed to fix a hole may create more problems by bringing down previously stable systemsor even introducing new vulnerabilities.

That has led some companies to take a slower approach to patching their systems, giving their IT departments time to run tests and make sure a patch won't do more harm than good. Unfortunately, a delay of even a few days could spell the difference between surviving an attack and becoming the next headline.

But sometimes the patches arrive after the attack is under way. And when the latest worms can spread in moments, even the most sophisticated patching tool may not be enough. "Patching technologies are overhyped," says Bruce Schneier, founder and chief technical officer at Counterpane Internet Security and author of several security books (most recently Beyond Fear: Thinking Sensibly About Security in an Uncertain World). "They're not going to do much good in a world where worms spread in 15 minutes."

As such, technologies are emerging that can buy IT departments the time they need to deploy patches once an attack commences. "[New tools] will need to shut down services, throw up rules on the firewall and provide breathing room to [let people] start fixing the problem," says Stuart McClure, president and chief technology officer of vulnerability product vendor Foundstone and author of Hacking Exposed: Network Security Secrets and Solutions. "They're really running a marathon, these IT and security guys. They need a little reprieve."