In Depth

Information Security Predictions in 2004

In 2004, information security will require a splash of the old, a dash of the new and a healthy dose of brainpower.

By Chris Lindquist

Page 4

Beyond training tomorrow's leaders, CSOs need to worry about training today's users, even in the most basic issues. "We need a way to keep people from double-clicking on every e-mail attachment that they get," says William Orvis, senior security specialist for the Department of Energy's Computer Incident Advisory Capability, noting that that has been a primary source of worm distribution.

Wireless security is another area where users need significant training. "I saw five laptops with Wi-Fi signals on an airplane," says Cochrane. "Three had WEP [wired equivalent privacy] turned off, and I could see their hard drives. These are people with IT departments, but they're not training their executives in use of Wi-Fi."

New Tech, New Questions

The coming year won't be just about reusing old technology. New technologies exist that could resolve a number of our more pressing security problems, everything from spam to denial-of-service attacks. But putting these technologies to use will require careful thought to balance risks and rewards.

"In spam mail, right now it's possible in our current e-mail technology to fake just about everything in the message," says Orvis. But the next-generation Internet protocol, IPv6, includes mechanisms to certify where packets come from and, by extension, where mail is coming from, which will make it more difficult for spammers to mask their identities. However, Orvis cautions, "things like [IPv6] involve a pretty large change in how the network does business." Other technologies that could be invaluable in theory, including DNSsec and PKI, require similarly large up-front investments.

"A lot of schemes are very effective but can exist only in laboratories because they're not cost effective," says Grance. "Should people move to IPv6? Perhaps, but they have to first answer questions like, What does it do to my infrastructure? and How does it affect other security measures? Plus there's all the business questions about scalability, interoperability and effectiveness. Technology will always solve and create problems at the same time," he warns. "Virtual private networks can be a hole too, not just a secure tunnel."
