In Depth

Information Security Predictions in 2004

In 2004, information security will require a splash of the old, a dash of the new and a healthy dose of brainpower.

By Chris Lindquist

Page 2

Companies are also working to create tools that deal with vulnerabilities that have nothing to do with holes in the underlying code, McClure says, but simply in users' difficulty with properly configuring systems. "Vulnerabilities make up maybe half, maybe two-thirds of the attacks," he notes. The rest, he says, are misconfigurations: systems with default passwords still in place, ports open unnecessarily and security features not even turned on. Today's tools don't really deal with these configuration issues sufficiently, McClure says, though a few have begun to try.

And then there's the other answerbuild better software in the first place. "We invest a lot at the end on the problem areas," says Tim Grance, group manager in the computer security division at the National Institute of Standards and Technology (NIST). "People spend a lot learning to patch systems, but it would be better if we wrote them better in the first place."Simplifying ComplexitySimplifying security tools might also go a long way toward solving the problems patches fend off today. "[We need a] distributed, simple approach, built out of simple elements that can be tested and proven to work," says Michail Bletsas, director of computing at MIT's Media Lab. Bletsas and other experts also promote the idea of pushing simplified security technology as close to end nodes as possible, rather than creating large, complex systems on the perimeter. He points to security features built into switches as an example of how not to do things.

"You end up loading a device that can't fail," Bletsas says. "You exercise it when your switch melts after the next worm attack. Remember, the Internet is an end-to-end network, which by design is supposed to do nothing more than forward packets at its core. Every defense strategy that relies on adding more complex functions to the network's core is bound to fail."

There are other security areas begging for simplification as well. Encryption technologies are common culprits, requiring a complex infrastructure and laborious user interaction to use effectively. "Strong e-mail has been available, but almost no one uses it because it's too complicated. PKI has failed completely because the user interface makes no sense to most people. Many don't use file encryption because they're afraid that they'll lose the data if they forget the key," says Counterpane's Schneier. "The security works greatbut it doesn't get deployed properly."

"We need to hide the complexity," says Grance. "We want [security] to be like a TV. We don't know exactly how it works, but we know how to watch it."Getting TogetherCommunication and cooperation must also play a role going forward. At the macro level, organizationsfrom the government to private businesseswith a common interest in security need to work together to create solutions. At the micro level, security tools need to share their information more quickly with other products, providing a more cohesive defense against attack.