Security managers should focus more effort on people and how they do their jobs, and less on raw technology, if they are to overcome the biggest security challenges of the next ten years.
That was among the major themes of a two-day meeting of security experts from government, industry and academia last week in Chicago sponsored by Andersen Consulting and the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
"Security ends up being a result of what people do, whether it's a network administrator managing a firewall or a user protecting their ID and password," said John Clark, Global Security Practice Leader at Andersen Consulting in Northbrook, Ill., and co-host of the roundtable. "There's an awful lot of attention focused on the technology aspects of security, and not enough on the issue of business processes and controls."
That concern surfaced repeatedly as the 15 security experts examined issues ranging from how to protect data in "smart appliances" to how to stop cyber-criminals from robbing bank accounts on the other side of the world. Their goal is to release a list of the top security trends of the next ten years, and a "call to action" to address the most serious threats, sometime next month.
Panel members included Rebecca Gurley Bace, a National Security Agency veteran who is now CEO of Infidel Inc., a security consulting firm, Michael Jacobs, a deputy director of the National Security Agency, Howard Schmidt, director of information security for Microsoft and Eugene Spafford, the director of CERIAS.
Besides training users and IT staff in how to keep computer systems and networks secure, said Clark, organizations should also consider steps such as background checks during the hiring process to weed out possible internal hackers. Another step might be to tighten computer security for users at times when they might have a grudge against their employer, such as employees who have just been fired or are feeling unsure about the effects of a major reorganization.
Improving business processes � how people do their jobs � is also crucial, he said. This ranges from verifying the identity of customers calling a help center to better procedures for writing software and for ensuring that security policies and standards are enforced. One crucial area for security managers to address, he said, is making sure IT staffs are doing a good job of version control and systems management, closing newly-discovered holes in vulnerable systems and tracking which changes in systems make them vulnerable to attack.
"Somehow, we need to increase the number of individuals with the expertise needed to secure systems," he said, as well as "some sort of baseline safeguards and practices" for those individuals to follow.
Another crucial, non-technical issue was how to investigate and prosecute crimes committed on the Web across national boundaries. If a hacker in one country breaks into a system in another country to steal data or money, said Clark, "Who do I call?" The electronic path the criminal took may have passed through multiple networks and servers in various countries. With the rise of the Web, "The criminal now lives next door to you" even if they're in another country, "but we don't really have a global force that is doing this kind of investigation," he said.
The group was divided on the role governments should play in battling international cyber-crime. "Some feel individuals and organizations should learn to protect themselves," he said, while others want national governments to form international enforcement agencies.
While some of the remedies might have more to do with people than with bits and bytes, the technical fragility of the world's rapidly-expanding electronic networks was much on the minds of the panel members.
Fifteen years ago, a new computer system for a business might take several years to deploy and run on two or three proven, relatively secure mainframe technologies, said Clark. "Now, a typical ecommerce system could include five, ten, or 15 different software components," which are deployed in three to six months without being tested or despite the fact some of the software has known security holes.
The availability of automated tools over the Internet make it easy for even inexperienced people to launch, for example, a distributed denial of service attack which floods the target site with more requests for information than it can handle. "How do I patch (the security holes) and do it quickly? We see that as a tremendous challenge," said Clark.
And yet software companies don't have a strong incentive to deliver more secure products, he said. "They're driven by the demands of their customers, who are asking more loudly for new features and functionality than for security provisions or for very thoroughly tested software."
Some panel members called on security managers to rely less on security at the "edge" of corporate networks, where outsiders enter through firewalls or intrusion detection systems, and instead to beef up the security of applications and operating systems within the network. This is especially important as outsourcing, joint product development and similar initiatives blur the lines between a company's internal systems and those of its business partners, said Clark.
"We used to say we'd try to put boundaries around (our) network," said Clark. "It's getting to the point where it's going to be next to impossible to do that."Robert L. Scheier, former Technology Editor at Computerworld, can be reached at firstname.lastname@example.org