There were interesting events on the security radar screen last week. Rather than drilling into a particular announcement or event, this week's column highlights events that were particularly thought-provoking.
In a significant sign of the government's commitment to improving its cybersecurity profile, the Department of Homeland Security said it could hire 1000 security professionals over the next three years. This is welcome news for those seeking cybersecurity jobs. A longer-term view of the problem of securing the national technical infrastructure would have DHS allocating more of its $40 billion total budget authority to cybersecurity educational programs. We've heard reports about the problem of filling and retaining professionals in government information security jobs. In addition to existing degree programs at a few universities, perhaps cybersecurity can also be featured in Reserve Officers Training Candidate programs to develop military leadership well-versed in cybersecurity skills. Presently, neither the Army ROTC nor the Air Force ROTC shows cybersecurity as a career choice.
In a move that was long overdue, the payment card industry is moving closer to defining requirements for virtualization infrastructure. Most businesses have virtualization in the data center and many are looking at virtualization for desktops and applications. The PCI Virtualization Special Interest Group is looking at the security impact of virtual terminals. Two payment processors are also focusing on end-to-end crypto and tokenization. The first two technologies would remove machine-readable credit card information from personal computers and point-of-sale devices; tokenization would replace duplicate copies of credit card numbers in databases with internal token identifiers that would be meaningless to an outsider. These mechanisms of changing the way credit card data is handled are examples of more promising approaches to reducing the risk of data theft, the ultimate goal of PCI DSS.
In other news, while major antivirus vendors scoff that "you get what you pay for," there can be no doubt that Microsoft Security Essentials, the free endpoint security package made widely available last week, will have a competitive impact on the consumer markets. Microsoft has made MSE free for consumers in an attempt to assure ubiquitous AV protection against viruses, spyware and other threats. Service providers should quickly be closing deals with Microsoft about distributing MSE to their consumer clients or at least use the threat of MSE to negotiate better terms with established AV vendors. Comcast Corp. presently distributes McAfee Inc. for free to its Internet subscribers. We do not know about the strength of MSE, but it has to be more effective than no AV at all.
While on the topic of free AV, AVG is releasing version 9.0 with a smarter algorithm that promises to improve scanning performance by half. There is a lot written about AV effectiveness, including the latest Anti-Virus Comparative report; however, most consumers purchase endpoint security based on brand and then deactivate the product for performance reasons. Consumers with limited IT budgets run on older machines that are sensitive to noticeable performance degradation during system boot, system scans and real-time security inspections. Given that a system scan could touch roughly 400,000 objects, the latest version of AVG is an improvement that could shave 30 minutes off the system scan time. The Anti-Virus Comparative has some data ranking Avast Corp. and Symantec Corp. highly for full system scans (kudos to Symantec for big performance improvements). Let's hope that future editions do a more thorough job of measuring full system scan performance, as well as the latency introduced into boot times, installation time and the time needed to effectively remove an AV product when switching vendors.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to email@example.com.