In Depth

Information Security Predictions in 2004

In 2004, information security will require a splash of the old, a dash of the new and a healthy dose of brainpower.

By Chris Lindquist

Page 3

A couple of emerging security standards may help that cause in 2004. Standards group Oasis is currently working on the Application Vulnerability Description Language (AVDL) and the Web Application Security (WAS) standard. Both promise to allow for easier communication among security devices. When finished, AVDL will let different security devices send and receive vulnerability information in a standard XML format. For example, a vulnerability scanner could send a standard report to an application gateway about what policies to implement based on discovered vulnerabilities. WAS, meanwhile, looks to establish a standard means of describing Web security threatseven those that may not yet be known. A Web security tool could detect an incoming attack, use WAS to describe its characteristics, and then send that information to other tools for analysis and response.

And as security vendors continue to consolidate (Cisco Systems buying end-point security vendor Okena, and Network Associates acquiring intrusion prevention company Entercept, for instance) it's likely that various tools will begin to work more in concerteven if only along a particular product line.Seeking ImmunityImproved communications between security components is only the next step toward a sort of immune system for infosec. "I think businesses could build an autoimmune system in the network," says Peter Cochrane, cofounder and chief technologist at technology consultancy and incubator ConceptLabs. Others agree.

"[We need] distributed network attack detection and mitigation technologies that will rely on a dynamically updated view of the network's 'health' and block malicious traffic as close to its source as possible," says MIT's Bletsas. Some such tools are already beginning to appear on the market (see "Tools for the New Era," Page 48), but they are far from mature technology.

Still, says Sunil Misra, chief security adviser at Unisys, companies shouldn't shy away from such emerging technologies. Instead, they should put them into trial and "fine-tune them for certain application sets," to get a feel for how they work, he says. " You have to learn with it."The People ProblemSecurity administrators aren't the only ones with things to learn, however. Training the people who use technology every day will be key to ameliorating the problems of the past few years. "We rely on technology too muchthat's one way we make the problem worse," says Schneier. "We need implementers. We need installers. We need maintainers. We need expertspeople who know computer and network security and can react to whatever new thing is making us miserable this week." But creating those experts is going to take timeand the help of academia. "Security is certainly a more popular topic on campuses today," says NIST's Grance, "but we're just beginning to have leading figures in security."