Reflections

This article can also be found in the Premium Editorial Download: Information Security magazine: Reflections on the impact of Sarbanes-Oxley.

A Dynamic Decade
Information security has matured as a profession in a mere 10 years, despite waging an endless game of catch-up with threats, legislation and the demands of business.


If you consider yourself an observer of the past 10 years in information security, few would be surprised if you suffer from a touch of whiplash. Things moved pretty quickly, and not many security professionals had the ability to slow things down.

Where to begin? Well, at the start of Information Security's journey in December 1997, there wasn't a security profession. At least not as we understand it today. The chief information security officer was a notion whose time had not yet arrived. Compliance wasn't the bane of corporate security's existence, and macro worms were, well, around.

"The most obvious thing is that 10 years ago, there was no profession," says AT&T senior vice president and chief security officer Ed Amoroso, a veteran of the industry who in his early days at Bell Labs was immersed in a think tank surrounded by UNIX giants Dennis Ritchie and Ken Thompson. "You could be a techie, but there were no CISOs, no senior executives in a company. Now it would be almost impossible to find a large or medium-sized company or government agency that did not have a management-level security staff."

The emergence of the Internet as a ubiquitous business medium touched every facet of IT, and drove the growth of information security as a profession. Guardians like Amoroso and his peers in the enterprise had to learn a whole new lexicon between 1997 and today, and transform the way they looked at their jobs. As more business moved online, the job became less about protecting networks and individual systems in isolation, and more about aligning what security does with overall business goals. Risk management became more than a term used by insurers and financial professionals. Security pros were forced to think in those terms, and to build programs to address what has become an organized criminal element targeting not only customer data, but invaluable intellectual property as part of sophisticated corporate espionage. Nations are also suspected of using computers to attack one another, not causing bloodshed but stealing secrets and threatening critical infrastructure.

"We have gone from a lot of malicious, exploratory, vandalism types of hacking to the realm where there is significant economic activity," says luminary Gene Spafford, founder of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

Criminals are organized and international. The Internet changed their economic model as well. Physical access is no longer needed to steal; a hacker is as likely to attack from a living room in Beijing as he is from a data center in Silicon Valley. Web sites are no longer defaced for fun, denial-of-service attacks no longer carried out for notoriety. Instead, hackers blackmail high-traffic, big-money sites with DDoS attacks; money is laundered over the Net, secrets stolen and business models put in jeopardy.

News of the Day
Information Security rolled off the presses in December 1997. Here's a capsule look at what was in the first issue.


Cover story Information Security's first order of business in December 1997 was to recap the incidents and happenings of the year. As the introduction to the article says, "these highlights may help organizations prepare for the new year."

Inside The meat of the issue tackled the pesky practice of doing business on the Internet, a phenomenon that was gaining steam. Internet risk and liability--two topics still piquing interest 10 years later--were featured topics in a story titled "Paying for Peace of Mind." Writers Lorelie Masters and David Valdez examined how insurance companies were starting to provide policies that offset the risk of doing business online.

Also Two stories rounded out the first issue of Information Security.
  • "What's Brewing with Java and ActiveX" examined the computing potential--and downsides--of these programming techniques and whether they had a future.
  • "Security from the Outside In" tackled a subject that resonates today: the convergence of logical and physical security. In particular, this article looked at "entrance controls" and how CCTV monitoring, employee badges and company doors and locks should be combined with security policies and technologies.
Products Talk about a blast from the past. If you think today's security marketplace, which numbers close to 800 vendors, is a land of confusion, take a look at the offerings from 1997. CryptoCard's ST-1 Soft Token, a one-time password system for Java authentication, got top billing as a featured product. Some of the other featured products included:

  • ValiCert's ValiCert Suite: digital certificate authority software
  • WheelGroup's NetSonar: vulnerability scanner
  • V-One's Multi-Access VPN: virtual private network connections
  • CyberSafe Corp.'s TrustBroker Security Suite: authentication system for Unix, Windows NT and MVS
  • Biometric Access' SecureTouch: fingerprint authentication
  • Sonic Systems' Interpol: Web and newsgroup content filter
  • Checkprogram Software: antivirus software
  • AT&T's WorldNet VPN: VPN service for AT&T customers

NOWHERE TO HIDE
Yesterday's harried system administrator, network administrator or Web site operator fought back with signature-based defenses, or sometimes hid in the weeds, hoping they'd plugged the latest Windows hole and praying the latest mass-mailing worm would pass them by. That kind of head-down, hope-for-the-best security is fatal today to many business models.

"Coupled with [the changing threat landscape] has been the transformation of attack tools, going from largely self-propagating attacks or hacker tool-kits to automated, sophisticated blended threats with a high reliance on social engineering," Spafford says. "Botnets and rootkits are prominent. For those of us looking at trends, we see a similar evolution of viruses--stealthy, widespread, automated, organized criminal activity, coming from where we were 10 years ago."

Donn Parker, a longtime computer crime observer and prominent researcher with SRI International, says the cat-and-mouse game between criminals and those paid to keep them in check followed business' migration to the Net--and he doesn't expect it to abate any time soon.

"I've said time after time, the problems associated with the use and misuse of computers is a one-upsmanship problem. The bad guys figure out new ways to beat the newest security, and good guys increase security again," Parker says. "Used to be in the 1960s, '70s, '80s, it was amateur criminal activity where the criminals were motivated to solve their own personal problems by malicious acts against computers. Gradually...it has grown into a very large-scale organized criminal activity where motivation is for financial gain."


NOT SO FAST
The frenzy for enterprises to create online business models, and to rush services and products online prematurely, has in many ways contributed to the success of the criminal element. Microsoft was the biggest offender in the early part of the decade. Simple, yet extraordinarily effective, pieces of malicious code roared through gaping holes in Windows. A buffer overflow in the IIS Web server let the Code Red worm spread like weeds across the Internet in July 2001, infecting more than 350,000 hosts in under a day; NIMDA followed in September, combining IIS exploits with e-mail, open file shares and the backdoors left behind by Code Red II. Both carried self-propagating, network-aware engines. The Slammer worm, in January 2003, may be the most infamous--and, at 376 bytes, the smallest--malware to hit the Net and be so prolific. Exploiting a buffer overflow in the SQL Server 2000 Resolution Service--for which a patch had been available for six months--Slammer dragged portions of the Internet to a crawl within minutes, and made life miserable for administrators slow to patch these balky products.

Microsoft, to its credit, did an about-face on security. Bill Gates' famous January 2002 Trustworthy Computing memo (see "Trustworthy Finally?", below) put a temporary halt to Windows development in Redmond, Wash., while developers were trained and existing code was reviewed. Security mandates followed, and the Security Development Lifecycle was established. As we look at Vista, which shipped in 2007, the security changes are stark.

Trustworthy Finally?
Microsoft makes some amends for early gaffes.

Code Red and NIMDA had ripped through the Internet in the summer of 2001, exploiting vulnerable IIS Web servers on Microsoft NT and Windows 2000 systems. Though patches were available well before the worms struck, frustrated admins wondered why Microsoft code wasn't bulletproof to begin with.

Gartner analyst John Pescatore went so far as to recommend that organizations hit by these worms investigate alternatives like iPlanet and Apache rather than try to keep running on the patching treadmill with IIS.

Small wonder when Bill Gates announced the advent of the Trustworthy Computing era in an internal email to Microsoft employees on Jan. 15, 2002, it was greeted with skepticism from some, cynicism from others and outright scorn from many more.

"Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony," Gates said.

It wasn't an easy sell. A year after Gates' email, 80 percent of readers surveyed told Information Security that Microsoft security hadn't improved and were considering non-Microsoft OSes and apps.

"If we don't do security well, people will migrate away from us. And if we don't do security right, they should," said then security strategist Scott Charney.

And in January 2004, Microsoft CEO Steve Ballmer told Information Security, "I think we have made a good start over the last two years and I believe we will have made enormous progress 10 years from now. But, as we've said many times, it really is a journey, not a destination."

In the nearly six years that have followed Gates' message, Microsoft has made indisputable progress in fulfilling its mantra with products that are secure by design, by default and in deployment. It has reorganized its code development around the Security Development Lifecycle (SDL), manifested in releases such as SQL Server 2005, Office 2007, Vista and--coming soon--Windows Server 2008 (aka Longhorn).

"Security is pretty well baked in to Microsoft's enterprise products," Pescatore says now. "It's at the top of their priority list."

--Neil Roiter

"Microsoft has made [security investment], but it's not clear that it's gone all the way yet," Spafford says. "Had Trustworthy Computing not occurred, we'd be in much worse shape than we are now. Other vendors need to get with it."

Amoroso says we're stuck with bad software--for now.

"If you look at other branches of engineering such as electrical engineering, these are fairly mature branches of engineering--thousands of years of experience built on principles. If you study engineering, there's a routine curriculum no matter where you go," Amoroso says. "Software engineering doesn't enjoy that kind of maturity. You couldn't get a software engineering degree in 1980. We have to deal with the immaturity of it as a discipline. But each year that passes, we learn more about it, and programming gets better. In the meantime, we have to be somewhat reactive. I'll say that probably in my lifetime, we won't see massively sized, complex software that's actually correct."

Adding to the complexity is the depth of the vendor pool through which security managers must wade to make make-or-break buying decisions. The boom days of the early 2000s sprouted hundreds of companies, each with a solution to the day's most pressing problem. Unfortunately, most ended up being different takes on the same technology, and reactions to the threat of the day. Patch management and vulnerability management firms multiplied around the rhythm of Microsoft's monthly Patch Tuesday releases. Intrusion prevention made headway against signature-based intrusion detection systems. Antivirus software became commoditized, and providers began to differentiate themselves with antispyware and antispam offerings.

SERIOUS REGULATION
And then came the Enron scandal and the Sarbanes-Oxley Act, which demanded enterprises account for the integrity of their financial reporting. IT professionals bore their share of responsibilities, and executives became aware of IT security in particular. Security pros finally had something to demonstrate their value to executive management, which was suddenly willing to spend on security tools to aid with compliance and keep them out of jail.

"Regulation--SOX, HIPAA, GLB, the credit card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever--has been the best stick the industry has found to beat companies over the head with. And it works," says Bruce Schneier, founder of BT Counterpane, creator of the Blowfish and Twofish algorithms, and a noted author and speaker. "Regulation forces companies to take security more seriously, and sells more products and services."

The ChoicePoint debacle kicked off the data breach era in 2005, and hundreds of millions of lost records later, companies have state data breach notification laws to comply with, credit card standards to adhere to, and industry-specific regulations to watch. Security and risk must work in concert, forcing IT security to emerge from clichéd basement hideouts, and often sit alongside business units in order to learn how to best tailor protections to satisfy not only management, but auditors.

"Legislation demonstrates a failure of the information security community in meeting its responsibilities and requirements," Parker says. "An analogy is the seat belt problem in cars--we had to have laws to put them in cars and use them. A similar situation, only on a grander scale, has occurred in information security. We're shifting objectives in information security from attempts to reduce risk to attempts to meet compliance with law. That's a sad commentary on information security."

As we hit the end of this decade, and look to the start of Information Security's next 10 years, we see security duties being absorbed more and more by networking groups. Security technology is being baked into infrastructure like routers and switches, and big vendors like Cisco, IBM, HP and EMC are scooping up important security technologies. Stand-alone security vendors, no matter how innovative, are sitting ducks for acquisition. Compliance is going to be a perpetual issue for security managers, and overall risk management is slowly superseding the role of the CISO.

Amoroso, for one, predicts that in 10 years, security as we know it today will be gone.

"We'll look back on this five to 10 years from now and say this was the era when we overlaid security onto networks and systems, and I think we already have learned that's a flawed model," Amoroso says. "It doesn't make sense to design a network and then build security onto it or run a network where security components are separate. That's silly."

Crystal Ball
Information Security's fifth anniversary issue was spot-on.

With a half-decade under its belt in 2002, Information Security dared to look ahead in its fifth anniversary issue, also known as the Crystal Ball issue. Several experts were given space to pontificate on what may come in the next five years. And know what? For the most part, guys like Gene Spafford, Marcus Ranum and the editors of Information Security were spot-on in their prognostications.

While Ranum writes and speaks with wit and candor, his barbs are laced with brutal honesty. In 2002, he told Information Security readers that among other things, autopatching would be predominant and that software should not be bought, but rather subscribed to.

In light of Microsoft's Patch Tuesday and Oracle's massive quarterly updates, automated patching has indeed taken much of the pain out of maintaining system patch levels, and narrowed the window of exposure to known vulnerabilities and their exploits. While zero-days remain a constant threat that no patch tool addresses, automated patching helps security managers keep pace with everything else.

Software as a service, on the other hand, is gaining steam, and perhaps Ranum's prediction needs a couple more years to season.

Spafford, meanwhile, signed off with eight prognostications in 2002, most of which were on the mark. For example, he said a rush-to-market for new features would create new holes and force developers to shove aside security to accommodate these demands. Spam would continue to be a problem, as would consumers' insatiable need for fad technologies. But he did miss on two predictions: that insurance companies and liability lawyers would become more involved in cybersecurity incidents, and that appliance-based computing would take off.

Spafford says the economics of liability and insurance prevented that prediction from coming true. For now, companies are passing the costs to consumers, he says.

"That prediction may still come to pass when the TJX class-action suits begin to be filed against them," Spafford says. "We could see that as the beginning--courts finding favor and handing out substantial damages. Once that happens, that's more than companies can pass on to consumers. We'll see third parties come into play."

As for appliance-based computing, Spafford says he didn't foresee the trend toward virtualization, which, coupled with the immaturity of integrated management products, undercut the market for dedicated hardware appliances. It's much easier for a smaller company to roll out its own Linux-based appliance and fill that space, Spafford says.


Cover story Information Security celebrated its fifth birthday in 2002 by doing a double-take on its first five years and peering ahead at what might be the most influential companies and prominent attacks of the coming five years.
Here's how we did:

Influential companies '97-'02

  • Check Point Software Technologies
  • Computer Associates
  • Internet Security Systems
  • Network Associates
  • RSA Security
Predicted influential companies '03-'08
  • Cisco
  • IBM/Tivoli
  • Microsoft
  • Symantec
  • Tripwire and Sourcefire
Also Information Security readers were polled for the fifth anniversary issue and asked to rank the five worst attacks and predict the most ominous threats ahead.

5 Biggest Attacks '97-'02
  • Code Red
  • NIMDA
  • Melissa and LoveLetter viruses
  • Distributed denial-of-service attacks on Yahoo, eBay, et al
  • Remote control Trojan horses
Predicting 5 Biggest Threats '03-'08
  • Super worms
  • Stealth attacks
  • Automatic update exploits
  • Routing/DNS attacks
  • Combined physical/cyber threats

This was first published in January 2008