WASHINGTON - When Dorothy Denning was doing her doctoral dissertation on information security 30 years ago, she...
thought security was a problem that could be solved.
Denning, who now teaches computer science at Georgetown University, envisioned creating secured operating systems to solve it. At that time Purdue University (Denning's school) had only two mainframes. One system was for the administration and another for students. They weren't even networked.
"We could show it mathematically," said Denning at the Sector 5 conference last week. The conference brought together experts to discuss cyberterrorism.
Now, time has shown there are no easy answers to solving security. As software and systems become more complex so do attackers and their techniques. Some are starting to question whether security can keep step with threats.
Some people go so far as to say nothing substantive can be done about security so they hope nothing happens to them. Others are a little more optimistic and think security measures can decrease security threats to an acceptable level.
Jeff Moss, CEO of Black Hat Inc., a Seattle security company which sponsors the popular Black Hat Briefings conferences, tends to fall in the first camp. "Security is getting worse faster than it will ever be fixed," he said.
Moss foresees security getting worse over time and people will have to learn how to deal with it. "It was this way 10 years ago but we are still here," he said.
Tim Belcher, CTO of Riptech Inc., a security monitoring service in Alexandria, Va., is a little more optimistic about the security landscape. It would be "foolish to say we couldn't get workable (security) solutions," he said.
Increasing security isn't an impossible task. For example, 93% of attacking systems monitored by Riptech were only active for one day. But the remaining 7% did 40% of the attacks, Belcher said. So targeting those machines would decrease many attacks.
Matthew Devost, president and CEO of Terrorism Research Center, an independent institute dedicated to terrorism research, doubts there will ever be perfect security. Companies can do a lot more, especially since 98% of attacks involve machines that have known vulnerabilities or are misconfigured. "It's easier to remain one step behind your adversaries than if you are 10 steps away," he said.
Companies can't keep ahead of security threats by themselves but need the assistance of the greater community. An analogous situation would be a neighbor watch program, where neighbors keep tabs on their block and share information with each other, said John Frazzini a special agent with the U.S. Secret Service who coordinated that agency's Electronic Crimes Task Force Initiative.
The concept of information sharing among companies isn't new. In 1998, former President Bill Clinton outlined plans for Information Sharing and Analysis Centers to foster sharing of information about attacks and vulnerabilities among vital U.S. industries such as financial services, IT and telecommunications.
Groups such as Frazzini's and the FBI's National Infrastructure Protection Center help the government and the private sector share security information.
But there is a piece missing in the equation, said Saul Wilen, CEO of International Horizons Unlimited, a national think tank in San Antonio, Texas, that specializes in terrorism prevention.
"We are stopping short when we talk about public private partnerships. Community is the third piece," he said.
Security requires the assistance of everyone including the proverbial "man on the street," he said.