Marcus Ranum on Network Security

Marcus J. Ranum is a world-renowned expert on security system design and implementation. He is recognized as an early innovator in firewall technology and the implementer of the first commercial firewall product. What does he expect in network security for 2009? (Part of the What Happens Next security predictions series.) CSO: Can you think of any technological developments this year that will have a big impact on network security in 2009 and beyond? If so, what do security pros need to be doing about it?

Marcus Ranum: I don’t think there’s anything particularly new that will have a large impact. The Web 2.0 layers are going to cause their share of problems, but those problems are nothing new; they’re just software flaws. What will be interesting is that they’ll be widespread and the Web programming model may make it hard for some sites to fix flaws as fast as they are discovered. That will cause considerable pain, is my guess.

In your opinion, what is the current weakest link in the network security chain that will need to be dealt with next year and beyond?

There are two huge problems: Software development and network awareness. The software development aspect is pretty straightforward. Very few people know how to write good code and even fewer know how to write secure code. Network awareness is more subtle. All through the 1990s until today, organizations were building massive networks and many of them have no idea whatsoever what’s actually out there, which systems are crucial, which systems hold sensitive data, etc. The 1990s were this period of irrational exuberance from a security standpoint – I think we are going to be paying the price for that, for a long time indeed. Not knowing what’s on your network is going to continue to be the biggest problem for most security practitioners.

What kind of changes in the bad guys’ behavior have you noticed most this year, and what might the impact be going forward?

The bad guys continue to professionalize. I’m not sure how I feel about that. Many old school security practitioners have been predicting this would happen for some time, but now that it’s upon us, it sure looks ugly. One thing it’s going to do is clarify how narrow the grey area between “black hats” and “white hats” is. In fact, I think the grey area is nearly completely gone, now.

Of the most common components of security programs in use today, are there any best practices that are particularly important today but might not be in the coming year? In other words, Anything in the threat landscape that will require a reshuffling of the best practices totem pole?

The best practices totem pole, as you put it, is already too subject to fads. The real best practices have been the same since the 1970s: know where your data is, who has access to what, read your logs, guard your perimeter, minimize complexity, reduce access to “need only” and segment your networks. Those are the practices and techniques that result in real security. There are loads of fads vying for people’s attention, but when they come and go, the fundamentals will remain the same.