Despite the availability of digital certificates, PKI and complex authentication schemes, security experts say there is no ubiquitous technology that can guarantee the person at the other end of a connection is who they claim to be rather than an attacker.
E-commerce and B2B transactions depend on irrefutable identification of the person using the machine. Certificate authorities are expensive, difficult to manage in broad deployments and lack accepted standards. And biometrics isn't feasible because of the expense and limited installed base. Instead, enterprises must rely on conventional authentication schemes (passwords, tokens and certificates), which aren't necessarily bad or unreliable. But they aren't foolproof, either.
What users wish for is a mechanism that binds the user to the machine to form a nonrepudiable authentication and signing scheme, one that would cut down on online fraud and theft.
Eliminate E-mail Anonymity
Spammers love the ease and anonymity of e-mail. They can create tens of thousands of Hotmail, Yahoo! and private domain accounts from which to launch spam.
Users wish that ISPs and e-mail vendors would require the validation of an e-mail address--marrying the account to the owner--before it becomes operational.
Eventually, this would create a central e-mail registry, which would help facilitate antispam/antifraud efforts, such as Microsoft's SenderID.
There's no shortage of tools for scanning, auditing and assessing the health of network devices. What's missing is a tool that can check all devices, regardless of their OS or vendor make, for compliance with security policies.
This cross-platform tool would check for parameter settings required by security policies, log noncompliant devices with a risk weight (green, yellow, red) and issue detailed reports to security managers.
Current tools such as FireMon claim this capability, but users insist that truly universal scanning and auditing tools aren't available. Once such a tool exists, users would then want common processes for conducting risk assessments and business impact analysis throughout the enterprise.
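As an added illustration of the cross-platform checker described above (example code written for this point, not a FireMon feature or any vendor's product), here is a small policy engine in Go. The vendor names, native setting names, policy rules and devices are all constructed. The design choice worth noting is the alias table, which maps each vendor's native parameter names onto canonical ones so that a single policy can be evaluated against any device; a device whose vendor has no mapping fails every rule and rates red rather than silently passing.

```go
package main

import (
	"fmt"
	"strings"
)

// Rating is the risk weight the tool attaches to a device.
type Rating int

const (
	Green  Rating = iota // every required parameter present and compliant
	Yellow               // only medium-severity deviations
	Red                  // at least one high-severity deviation
)

func (r Rating) String() string { return [...]string{"green", "yellow", "red"}[r] }

// Rule is one policy requirement in vendor-neutral terms: empty Allowed means "must be set, any value".
type Rule struct {
	Param              string
	Allowed, Forbidden []string
	Severity           Rating
}

// Device is a network device whose native config has been reduced to key/value settings.
type Device struct {
	Name, Vendor string
	Settings     map[string]string
}

// aliases maps each vendor's native setting names onto the canonical policy names; this
// normalization layer is what lets one policy be checked across vendors (constructed here).
var aliases = map[string]map[string]string{
	"vendorA": {"telnet.enabled": "mgmt.telnet", "ssh.version": "mgmt.ssh_version",
		"snmp.community.ro": "snmp.ro_community", "log.remote.host": "logging.remote"},
	"vendorB": {"service telnet": "mgmt.telnet", "ip ssh version": "mgmt.ssh_version",
		"snmp-server community": "snmp.ro_community", "logging host": "logging.remote"},
}

// SamplePolicy and SampleDevices are constructed inputs for the demonstration.
var SamplePolicy = []Rule{
	{Param: "mgmt.telnet", Allowed: []string{"no", "disabled"}, Severity: Red},
	{Param: "mgmt.ssh_version", Allowed: []string{"2"}, Severity: Red},
	{Param: "snmp.ro_community", Forbidden: []string{"public", "private"}, Severity: Yellow},
	{Param: "logging.remote", Severity: Yellow},
}
var SampleDevices = []Device{
	{"core-sw1", "vendorA", map[string]string{"telnet.enabled": "no", "ssh.version": "2", "snmp.community.ro": "n3tm0n-ro", "log.remote.host": "10.0.0.5"}},
	{"edge-rtr2", "vendorB", map[string]string{"service telnet": "yes", "ip ssh version": "2", "snmp-server community": "public"}},
	{"dmz-fw3", "vendorA", map[string]string{"telnet.enabled": "no", "ssh.version": "2", "snmp.community.ro": "Public", "log.remote.host": "10.0.0.5"}},
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Assess normalizes a device's settings and checks them against the policy, returning the rating
// (worst severity among failed rules) and one "param=value(severity)" finding per failed rule.
func Assess(d Device, policy []Rule) (Rating, []string) {
	canon := map[string]string{}
	for k, v := range d.Settings {
		if name, ok := aliases[d.Vendor][k]; ok {
			canon[name] = strings.ToLower(strings.TrimSpace(v))
		}
	}
	rating, findings := Green, []string{}
	for _, r := range policy {
		got, present := canon[r.Param]
		if present && (len(r.Allowed) == 0 || contains(r.Allowed, got)) && !contains(r.Forbidden, got) {
			continue
		}
		if !present {
			got = "<missing>"
		}
		findings = append(findings, fmt.Sprintf("%s=%s(%s)", r.Param, got, r.Severity))
		if r.Severity > rating {
			rating = r.Severity
		}
	}
	return rating, findings
}

func main() {
	for _, d := range SampleDevices { // the report a security manager would read: rating, device, findings
		rating, findings := Assess(d, SamplePolicy)
		fmt.Printf("%-6s %s [%s] %v\n", rating, d.Name, d.Vendor, findings)
	}
}
```

Values are lower-cased and trimmed during normalization, so a community string of "Public" on one vendor and "public" on another are caught by the same rule; the severity of the worst failed rule, not the count of failures, sets the colour.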
Trusted E-mail Wrappers
Encryption has long been the Achilles' heel of antivirus technology: conventional scanners can't inspect what they can't decrypt. Readers wish for more than just real-time, outbound host and network AV scanning; they want to know they can trust e-mails coming from trusted domains, and they want a mechanism to convey that trust. One reader calls it a "trust wrapper."
Here's how it would work: A user completes an e-mail with an attachment. The system automatically scans the e-mail for malware, signs it with the user's key and encrypts it. The whole package is then placed in the trust wrapper, which is signed with the corporate key. The wrapper tells the recipient that the sending enterprise vouches for the e-mail's source and that the e-mail was scanned before it left. Note what is actually being attested: the recipient is trusting the sender's scanner and the sender's corporate signing key, so the wrapper is only as good as the partner's AV coverage and key hygiene.
Of course, such a system would depend on enterprises establishing trusted relationships. If e-mail wrappers come to pass, they could cut down on AV scanning and put a dent into spam.
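The trust wrapper as described, worked through in Go as an added example (not code from the article or from any reader's product). It assumes the two enterprises exchanged a symmetric key for the encryption step when they established their trust relationship, that the recipient pins each partner's corporate signing key by domain, and that it obtains the user's public key some other way (a directory, say). The mail bytes, domain names, pair key and malware marker are constructed; Ed25519 for both signatures and AES-GCM for encryption are choices made here for the example, not anything the article specifies. Besides the honest exchange, the demo exercises the three failure modes a practitioner would test first: malware caught at the sending side, a package tampered with in transit, and an impostor claiming the partner's domain with its own key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Wrapper is the trust wrapper: the encrypted (mail || user signature) plus the sending enterprise's signature over the package.
type Wrapper struct {
	SenderDomain string
	Nonce        []byte
	Ciphertext   []byte // AES-GCM over mail || userSig, with SenderDomain as associated data
	CorpSig      []byte // ed25519 over SenderDomain || Nonce || Ciphertext
}

var badMarker = []byte("CONSTRUCTED-MALWARE-MARKER") // stands in for a real scanner's signature database (constructed)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// corpSigInput covers the nonce and ciphertext too, so no part of the package can be swapped out.
func corpSigInput(w *Wrapper) []byte {
	return append(append([]byte(w.SenderDomain), w.Nonce...), w.Ciphertext...)
}

// Wrap is the sender side: scan, sign with the user's key, encrypt under the key the two enterprises share, then sign with the corporate key.
func Wrap(mail []byte, userPriv, corpPriv ed25519.PrivateKey, domain string, pairKey []byte) (*Wrapper, error) {
	if bytes.Contains(mail, badMarker) { // stand-in for the outbound AV scan
		return nil, errors.New("malware scan failed; refusing to wrap")
	}
	gcm, err := newGCM(pairKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	inner := append(append([]byte(nil), mail...), ed25519.Sign(userPriv, mail)...)
	w := &Wrapper{SenderDomain: domain, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, inner, []byte(domain))}
	w.CorpSig = ed25519.Sign(corpPriv, corpSigInput(w))
	return w, nil
}

// Unwrap is the recipient side, in trust order: corporate signature first (is the claimed enterprise really the source?), then decrypt, then the user's signature.
func Unwrap(w *Wrapper, trusted map[string]ed25519.PublicKey, userPub ed25519.PublicKey, pairKey []byte) ([]byte, error) {
	corpPub, ok := trusted[w.SenderDomain] // the recipient's pinned list of partner enterprises
	if !ok || !ed25519.Verify(corpPub, corpSigInput(w), w.CorpSig) {
		return nil, errors.New("sender domain not trusted or corporate signature invalid")
	}
	gcm, err := newGCM(pairKey)
	if err != nil {
		return nil, err
	}
	inner, err := gcm.Open(nil, w.Nonce, w.Ciphertext, []byte(w.SenderDomain))
	if err != nil || len(inner) < ed25519.SignatureSize {
		return nil, errors.New("decryption failed or payload malformed")
	}
	cut := len(inner) - ed25519.SignatureSize
	if !ed25519.Verify(userPub, inner[:cut], inner[cut:]) {
		return nil, errors.New("user signature invalid")
	}
	return inner[:cut], nil
}

// Demo runs one exchange from acme.example and reports whether the honest wrapper verified and whether malware, a tampered ciphertext and a spoofed sender domain were each rejected.
func Demo() (honestOK, malwareRejected, tamperedRejected, spoofRejected bool) {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	corpPub, corpPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	pairKey := []byte("constructed-32-byte-pair-key-000") // assumed exchanged when the two enterprises set up their trust relationship
	trusted := map[string]ed25519.PublicKey{"acme.example": corpPub}
	mail := []byte("From: alice@acme.example\r\n\r\nSee attached.\r\n[constructed attachment bytes]")
	w, _ := Wrap(mail, userPriv, corpPriv, "acme.example", pairKey)
	got, err := Unwrap(w, trusted, userPub, pairKey)
	honestOK = err == nil && bytes.Equal(got, mail)
	_, err = Wrap(append([]byte("attachment: "), badMarker...), userPriv, corpPriv, "acme.example", pairKey)
	malwareRejected = err != nil
	t := *w // same package with one ciphertext byte flipped: the corporate signature no longer verifies
	t.Ciphertext = append([]byte{w.Ciphertext[0] ^ 0x01}, w.Ciphertext[1:]...)
	_, err = Unwrap(&t, trusted, userPub, pairKey)
	tamperedRejected = err != nil
	s, _ := Wrap(mail, userPriv, impostorPriv, "acme.example", pairKey) // impostor claims acme's domain with its own key
	_, err = Unwrap(s, trusted, userPub, pairKey)
	spoofRejected = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The order of checks in Unwrap is the point: the corporate signature is verified before anything is decrypted, so a sender who cannot sign as a pinned partner enterprise never gets the recipient to process the inner mail at all, and the user's signature is only consulted once the enterprise has vouched for the package.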
This was first published in January 2005