


by Chris Lindquist

Information Security Predictions in 2004

Dec 01, 2003, 9 mins
CSO and CISO, Data and Information Security

In 2004, information security will require a splash of the old, a dash of the new and a healthy dose of brainpower.

News alert: The perfect firewall isn’t going to ride in on a white horse. A “god box” won’t magically appear on your desk to protect your network from the evil that lurks a thin wire away. In fact, the coming year isn’t likely to see any major advances in security technology, according to experts. Instead, 2004 will be all about evolutionary improvement, end user education and making the best use of the tools we have.

While a few folks still opt out, most prefer a vaccine to tempting a case of hepatitis. The same holds true for computer systems. Almost universally, security experts point to patching as a key tool to keep the bad guys at bay. But they acknowledge that current patching tools are still in their infancy and need to improve.

Security experts generally agree that the bulk of all attacks take advantage of vulnerabilities for which there are already solutions, either through patches or configuration changes. As such, numerous companies have lined up to create tools that automatically identify and patch operating systems and applications. But current tools are often less than subtle, simply patching any and every device regardless of whether it is actually prone to the attack. And many companies have discovered to their dismay that a patch designed to fix a hole may create more problems by bringing down previously stable systems or even introducing new vulnerabilities.

That has led some companies to take a slower approach to patching their systems, giving their IT departments time to run tests and make sure a patch won’t do more harm than good. Unfortunately, a delay of even a few days could spell the difference between surviving an attack and becoming the next headline.

But sometimes the patches arrive after the attack is under way. And when the latest worms can spread in moments, even the most sophisticated patching tool may not be enough. “Patching technologies are overhyped,” says Bruce Schneier, founder and chief technical officer at Counterpane Internet Security and author of several security books (most recently Beyond Fear: Thinking Sensibly About Security in an Uncertain World). “They’re not going to do much good in a world where worms spread in 15 minutes.”

As such, technologies are emerging that can buy IT departments the time they need to deploy patches once an attack commences. “[New tools] will need to shut down services, throw up rules on the firewall and provide breathing room to [let people] start fixing the problem,” says Stuart McClure, president and chief technology officer of vulnerability product vendor Foundstone and author of Hacking Exposed: Network Security Secrets and Solutions. “They’re really running a marathon, these IT and security guys. They need a little reprieve.”

Companies are also working to create tools that deal with vulnerabilities that have nothing to do with holes in the underlying code, McClure says, but simply in users’ difficulty with properly configuring systems. “Vulnerabilities make up maybe half, maybe two-thirds of the attacks,” he notes. The rest, he says, are misconfigurations: systems with default passwords still in place, ports open unnecessarily and security features not even turned on. Today’s tools don’t really deal with these configuration issues sufficiently, McClure says, though a few have begun to try.

And then there’s the other answer: build better software in the first place. “We invest a lot at the end on the problem areas,” says Tim Grance, group manager in the computer security division at the National Institute of Standards and Technology (NIST). “People spend a lot learning to patch systems, but it would be better if we wrote them better in the first place.”

Simplifying Complexity

Simplifying security tools might also go a long way toward solving the problems patches fend off today. “[We need a] distributed, simple approach, built out of simple elements that can be tested and proven to work,” says Michail Bletsas, director of computing at MIT’s Media Lab. Bletsas and other experts also promote the idea of pushing simplified security technology as close to end nodes as possible, rather than creating large, complex systems on the perimeter. He points to security features built into switches as an example of how not to do things.

“You end up loading a device that can’t fail,” Bletsas says. “You exercise it when your switch melts after the next worm attack. Remember, the Internet is an end-to-end network, which by design is supposed to do nothing more than forward packets at its core. Every defense strategy that relies on adding more complex functions to the network’s core is bound to fail.”

There are other security areas begging for simplification as well. Encryption technologies are common culprits, requiring a complex infrastructure and laborious user interaction to use effectively. “Strong e-mail has been available, but almost no one uses it because it’s too complicated. PKI has failed completely because the user interface makes no sense to most people. Many don’t use file encryption because they’re afraid that they’ll lose the data if they forget the key,” says Counterpane’s Schneier. “The security works great, but it doesn’t get deployed properly.”

“We need to hide the complexity,” says Grance. “We want [security] to be like a TV. We don’t know exactly how it works, but we know how to watch it.”

Getting Together

Communication and cooperation must also play a role going forward. At the macro level, organizations (from the government to private businesses) with a common interest in security need to work together to create solutions. At the micro level, security tools need to share their information more quickly with other products, providing a more cohesive defense against attack.

A couple of emerging security standards may help that cause in 2004. Standards group Oasis is currently working on the Application Vulnerability Description Language (AVDL) and the Web Application Security (WAS) standard. Both promise to allow for easier communication among security devices. When finished, AVDL will let different security devices send and receive vulnerability information in a standard XML format. For example, a vulnerability scanner could send a standard report to an application gateway about what policies to implement based on discovered vulnerabilities. WAS, meanwhile, looks to establish a standard means of describing Web security threats, even those that may not yet be known. A Web security tool could detect an incoming attack, use WAS to describe its characteristics, and then send that information to other tools for analysis and response.

And as security vendors continue to consolidate (Cisco Systems buying end-point security vendor Okena, and Network Associates acquiring intrusion prevention company Entercept, for instance) it’s likely that various tools will begin to work more in concert, even if only along a particular product line.

Seeking Immunity

Improved communications between security components is only the next step toward a sort of immune system for infosec. “I think businesses could build an autoimmune system in the network,” says Peter Cochrane, cofounder and chief technologist at technology consultancy and incubator ConceptLabs. Others agree.

“[We need] distributed network attack detection and mitigation technologies that will rely on a dynamically updated view of the network’s ‘health’ and block malicious traffic as close to its source as possible,” says MIT’s Bletsas. Some such tools are already beginning to appear on the market (see “Tools for the New Era,” Page 48), but they are far from mature technology.

Still, says Sunil Misra, chief security adviser at Unisys, companies shouldn’t shy away from such emerging technologies. Instead, they should put them into trial and “fine-tune them for certain application sets,” to get a feel for how they work, he says. “You have to learn with it.”

The People Problem

Security administrators aren’t the only ones with things to learn, however. Training the people who use technology every day will be key to ameliorating the problems of the past few years. “We rely on technology too much; that’s one way we make the problem worse,” says Schneier. “We need implementers. We need installers. We need maintainers. We need experts: people who know computer and network security and can react to whatever new thing is making us miserable this week.” But creating those experts is going to take time, and the help of academia. “Security is certainly a more popular topic on campuses today,” says NIST’s Grance, “but we’re just beginning to have leading figures in security.”

Beyond training tomorrow’s leaders, CSOs need to worry about training today’s users, even in the most basic issues. “We need a way to keep people from double-clicking on every e-mail attachment that they get,” says William Orvis, senior security specialist for the Department of Energy’s Computer Incident Advisory Capability, noting that that has been a primary source of worm distribution.

Wireless security is another area where users need significant training. “I saw five laptops with Wi-Fi signals on an airplane,” says Cochrane. “Three had WEP [wired equivalent privacy] turned off, and I could see their hard drives. These are people with IT departments, but they’re not training their executives in use of Wi-Fi.”

New Tech, New Questions

The coming year won’t be just about reusing old technology. New technologies exist that could resolve a number of our more pressing security problems, everything from spam to denial-of-service attacks. But putting these technologies to use will require careful thought to balance risks and rewards.

“In spam mail, right now it’s possible in our current e-mail technology to fake just about everything in the message,” says Orvis. But the next-generation Internet protocol, IPv6, includes mechanisms to certify where packets come from and, by extension, where mail is coming from, which will make it more difficult for spammers to mask their identities. However, Orvis cautions, “things like [IPv6] involve a pretty large change in how the network does business.” Other technologies that could be invaluable in theory, including DNSSEC and PKI, require similarly large up-front investments.

“A lot of schemes are very effective but can exist only in laboratories because they’re not cost effective,” says Grance. “Should people move to IPv6? Perhaps, but they have to first answer questions like, What does it do to my infrastructure? and How does it affect other security measures? Plus there’s all the business questions about scalability, interoperability and effectiveness. Technology will always solve and create problems at the same time,” he warns. “Virtual private networks can be a hole too, not just a secure tunnel.”