In Brief
Paul Kocher: The Numbers Man
Paul Kocher, president and chief scientist at Cryptography Research, has made a career out of using cryptography algorithms to protect companies from fraud and piracy.
By Katherine Walsh
How can we overcome this?
On the one hand, it’s just the landscape we have to deal with, but there are technology decisions that can make a dramatic difference. In my company, we deal with highly sensitive data, so we run a network with no connections to the outside world. That immediately solves a lot of problems. If you ask yourself, “Could this system be broken?” the answer is always going to be yes or maybe. No useful system is impenetrable. But if you think of it as a risk equation and ask yourself if the value delivered by this system is appropriate for the risks it introduces, and are there ways you can reduce those risks, very often you find effective techniques that don’t cost very much.
Looking ahead, what will be the biggest challenges for security of cryptosystems?
We’ve already talked about the challenge of increasing complexity, which is making it more difficult to protect information. The second dimension to that is the problem of user education. It’s pretty easy to build a security system that a perfect user could operate securely, but end users aren’t necessarily consistent in doing things right. The third is an economic challenge. People who suffer the risk and those who are in a position to pay for and deploy mitigation measures are different entities, which results in economically suboptimal spending on security. The big nasty problems like spam, piracy or operating system security—these are problems where entities who do not suffer the brunt of the problem are the ones securing mitigation measures. ISPs have the largest control over spam, but the recipient incurs the cost. Similarly, if an OS security disaster affects your laptop, Microsoft isn’t spending thousands of dollars to fix it; you are.
So how do we go about mitigating these risks?
In many cases we don’t. When there is a lack of alignment with economic interests, there are really two approaches that can solve the problem: technological changes that realign control into the hands of the entities that incur the risk, and legislative solutions. Those would include mandates that ISPs filter outgoing messages that are [going in high volumes] and that particular product protection technologies be implemented. That may be inefficient, but in many cases it’s the only way to handle these problems.