This article can also be found in the Premium Editorial Download "Information Security magazine: Market for vulnerability information grows."
Download it now to read this article plus other related content.
Just as enterprise security teams were in the thick of budgeting for next year, I took the post of editorial director of TechTarget’s security websites, as well as this magazine. The excellent editorial team I now work with was deep into creating this issue and analyzing the priorities security folks told us they are concerned about in our recent survey. We’ll go into depth on that in our next issue, for now, we’re looking at several other security concerns.
As you already know, within the pages of Information Security, we’re not trying to write about everything that might be construed to have something to do with security. To take a far-flung example, you won’t find us offering lists of the funniest moments in IT security. My arrival here won’t change that. Much of what makes up the block and tackle of security programs remains stubbornly constant from year to year. The classics endure, I guess.
But there are some new pieces to the puzzle. Recently our News Director Robert Westervelt reported on Dmitri Alperovitch, co-founder and CTO of security firm CrowdStrike, who claimed that the time for “active defense,” had arrived. “Active defense,” he said, “is a euphemism for going outside of your network and taking some action to disrupt, degrade or take down your adversary’s infrastructure.”
That’s a lot more active than the defenses most organizations currently pursue. It’s not entirely clear what the legality of such actions are, nor is it necessarily clear which country’s laws will have jurisdiction in any case where packets have crossed international borders.
The active defense strategy already has some strong critics. In his SearchSecurity.com column, security consultant Gary McGraw takes on the military side of the active defense issue:
Perhaps the real purpose behind active defense is to act as deterrence. But is a strong offense a real deterrent? What is critical to understand is that developing offensive capabilities does nothing to prevent others from doing so.
Just because you can attack your attacker doesn’t mean they’ll stop attacking you. The odds are that you’ll both wind up taking some hard hits.
Speaking of “active”-- perhaps even aggressive—security behavior, how about Luigi Auriemma, co-founder of security research firm ReVuln, who is quoted in this issue saying that when his team finds zero-day flaws, “we don’t report our findings to vendors, in order to respect both the investments of our customers and the other companies that follow a business model similar to ours.” Forget about the common good, I guess. Find out more on the state of vulnerability management in the feature, Private and Profitable, by Robert Lemos.
Information Security also interviewed several prominent players about critical infrastructure protection this month to determine whether there are any immediate solutions to the complex problem. Old, antiquated systems and a widening skills gap are adding to the challenge of protecting critical infrastructure. Those experts say stronger defenses are necessary to defend against escalating nation-state cyberweapon and cyberespionage activities, as well as the threats posed by hacktivists and terrorist groups.
We also look at options for authentication that don’t rely solely on conventional passwords in this issue. Contributor David Jacobs took a preliminary look at biometric authentication on smartphones for our SearchSecurity.com site last May, but he’s back this month to update his findings on new strategies to consider as mobile devices outnumber desktops in the enterprise.
As for those budgets of yours, we’re just finishing up our annual survey of what you see as next year’s priorities. We’ll be drilling down on your concerns both here and at SearchSecurity.com.
Robert Richardson recently joined TechTarget as editorial director of the Security Media Group. Previously, he served as editorial director for Black Hat and, prior to that, was director of the Computer Security Institute. Reach him at firstname.lastname@example.org.
This was first published in November 2012