More security education needed to avoid a cybersecurity disaster, experts warn


Robert Westervelt, News Editor

The United States is more prepared than ever for a major cybersecurity attack, but a panel of prominent security experts warned Tuesday that more needs to be done to increase awareness about cybersecurity issues and better educate future IT pros.


"We need to provide resources for future problems," said Eugene Spafford, the executive director of Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS). "Patching the latest problem isn't getting us anywhere."

Spafford joined well-known security experts Howard Schmidt, president and CEO of H&L Security Consulting, and security luminary Bruce Schneier at the Information Security Decisions conference in Chicago for a discussion about cyber threats in 2008 and beyond. The panelists agreed that it would likely take a major cybersecurity event before the public becomes motivated enough to demand better security.

The panelists agreed that growing backdoor Trojan horse programs and herds of bots continue to be a problem moving forward, but it's unclear if they'll be used by cybercriminals to take down the electronic infrastructure of entire nations or in isolated targeted incidents for financial gain.

"We've had plans in place for a long time to minimize the impact [of an attack]," said Schmidt, who once served as a White House cybersecurity adviser. "There will be local events and I worry about those having an effect on a particular region."

Businesses have been preparing for an attack and systems would be initially disrupted, but they could be brought back online in time to minimize the impact, Schmidt said.

While businesses have been mainly addressing the threats from external sources, internal threats are becoming a growing problem. The panelists agreed that the drive for money among cybercriminals is still the basis of nearly all attacks, making data-level protection technologies a top priority.

"As we've noted there's a greater temptation for insiders … We've seen individuals more willing to take risks when they run into money issues," Spafford said. "Typical enterprises no longer have a typical perimeter … We have to move the defenses closer to the valuable data."

Web applications continue to be targeted, and Voice over Internet Protocol (VoIP) attacks, in which attackers can intercept and sell company meeting minutes, inject misleading spam messages or create massive outages, could also pose a problem for enterprises, the experts said. Phishing attacks are also becoming more targeted and sophisticated, tricking end users into giving up sensitive information.

The group lauded efforts by vendors to better educate developers on safe coding practices. A new SAFECode (Software Assurance Forum for Excellence in Code) organization was formed last month and is being led by industry giants, such as Microsoft Corp. and Symantec Corp., to highlight best practices in the security development lifecycle.

"Education should be driven by the market; it's the responsibility of the commercial vendor community," Spafford said.

The panelists stopped short of calling for government regulations to push vendors into making more secure products. Spafford said there likely isn't enough public outrage to force the federal government to enact legislation. Also, the need to increase profit margins has done enough to push vendors into developing more standards, and it could be the main driver to better educate their workforce on security issues.

Schneier took it a step further, saying electronic devices, such as computers, PDAs and cell phones, have too many features, opening them up to cyberattacks. While consumers want more features, they're not necessarily using them, and software developers and engineers are failing to make devices with security in mind, he said.

"Attacks are now targeting people rather than the syntax of the software," Schneier said.