
How Sarbanes-Oxley changed the information security profession

Sarbanes-Oxley empowered information security professionals with the clout they'd sought for so long.





Paul Sarbanes and Michael Oxley

Like a petulant child at Thanksgiving clamoring for a seat at the lavish candlelit table alongside the adults, information security managers suffered from board envy. How could they get the attention of corporate directors, those who mattered most in companies across America? How could they justify the urgency of their constant clamoring? How could they impress that security was more than a cost center with little tangible return? Nothing had worked through 2001, not even the horrible terrorist attacks of Sept. 11, 2001, which did more for redundant data centers and business continuity than it did to spark what many believed would be a revolutionary interest in information security.

Nothing worked.

Nothing until accounting scandals tore down energy giant Enron, at the time the seventh largest company in the country, and WorldCom, one of the largest telcos in the world. The respective fraud took down not only these enterprises, but also the vaunted auditing firm Arthur Andersen, and rattled the economic foundation of a country still reeling from the 9/11 attacks and a plummeting stock exchange mired in the 7000s. Enron's collapse put Congress into motion. Two legislators, a Republican from Ohio and a Democrat from Maryland, headed respective committees that would draft landmark legislation that on its surface has zero to do with information technology, much less information security. But more than anything, it would ultimately spur spending in the security market, and give security managers the voice they sought within the corporate structure.

Paul Sarbanes and Michael Oxley, sponsors of the Sarbanes-Oxley Act of 2002, guided the development of the law, which mandated that executives of publicly held companies sign off on the integrity of their financial reporting, otherwise be subject to fines or imprisonment. It became the most important milestone of the last 10 years in information security, and made Sarbanes and Oxley two unforgettable figures.

"Everyone was stunned with Enron, yet WorldCom was four times larger than Enron. That just sucked all the oxygen out of the room and really got people's attention," says Oxley (R-Ohio). "Plus you had what I call the democratization of the capital markets. You had many more people invested in the market, just average guys taking it personally because they had Enron or WorldCom stock in their mutual funds or portfolio."




Enron and WorldCom were spectacular failures on so many levels. Executives, accountants, the board, analysts, credit rating agencies...all were complicit in facilitating an environment that fostered such book-cooking. Sarbanes-Oxley's unstated goal was to protect investors and return confidence in the markets.

"If the investor loses confidence in the capital markets, you have big problems on your hands. Part of what happened: a lot of companies just neglected their internal structure in terms of having a good command of what was happening in the company and reporting accurately," says Sarbanes (D-Md.). "IT is an important part of providing that."

Section 404 of the Sarbanes-Oxley Act is the stick information security professionals had been waiting for. Simultaneously, it was a godsend and an ungodly burden for CISOs, who were suddenly strapped with immovable deadlines for compliance. CISOs went from the server room to the board room, forced to facilitate the needs of external auditors, report to the board and guide corporate policy in order to assure internal control over financial reporting.

Spending was ratcheted up, and almost overnight, lax patching of systems, shoddy access controls and forgotten employee awareness programs were intolerable. Security companies responded too, spinning the marketing of products toward compliance and risk management. AMR Research reported in 2006 that the ongoing compliance required by SOX had spurred a $6 billion annual spurt in technology spending.

"There have been very few events like SOX that have actually caused particular technologies to blossom and practices to come to the fore," says Dick Mackey, VP of consulting at SystemExperts. "It's pretty amazing that one regulation has probably given rise to more technology deployment than any of the others."

The mandates of Section 404 were recently blunted somewhat by the release of Auditing Standard No. 5. It requires publicly held companies to engage third-party auditors in a top-down risk assessment to assess the design and operating effectiveness of internal controls, understand the flow of transactions, perform a fraud risk assessment and evaluate those controls designed to prevent or detect fraud. The new standard mirrors guidance issued by the Public Company Accounting Oversight Board (PCAOB), another offshoot of Sarbanes-Oxley, whose job is to oversee auditors of public companies.




Sarbanes acknowledges that initial costs were a huge burden because auditors were "crossing every 't' and dotting every 'i'," rather than concentrating on material risks.

"A lot of people told us once they go through [a compliance initiative], they think it's a worthwhile endeavor, and feel a lot more comfortable and secure with improved systems put into place," Sarbanes says. "We have to look at investments in better systems as capital investments in IT. You put a system in and it may cost you to put it in, but once in...the costs should decrease in subsequent years, and there's evidence that's the case. We've heard people complain about it to begin with and eventually, after they work through it and get systems in place, say this has benefited the corporation and [they're] in better control of operations."

Oxley says most of the Fortune 500 has come to terms with the legislation, and necessary expenditures and initial costs are coming down.

"Obviously our goal was to restore investor confidence, and I think there's no more objective way to measure investor confidence than the markets themselves," Oxley says. "The markets have responded in a positive way to reforms. Investors are back in the game, and that's all to the good. In terms of costs, such as WorldCom disappearing overnight, their stock went from $60 to $1; that was a $100 billion loss in one company. How many WorldComs can an economy afford going forward? If we're able to stop one WorldCom or Enron, seems to me that was money well spent."


Download the complete interview with Paul Sarbanes and Michael Oxley at searchsecurity.com/10thanniversary.



8 More Security Stars

Paul Sarbanes and Michael Oxley may lead the way, but they're not alone. Here are eight more important figures from the past decade.

BRUCE SCHNEIER Bruce Schneier wants to change the way you think about security. During the past 10 years, he's explored every avenue of influence available to him--blogging, books, keynotes--to great degrees of success. Secrets and Lies: Digital Security in a Networked World, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, and Applied Cryptography are mainstays on the bookshelves of most security professionals, and the Cryptogram newsletter graces inboxes once a month, much to the glee of its thousands of readers. Schneier has his opinions, and for a decade he hasn't been shy about sharing them.

But he hasn't always been about overtly influencing thought. Schneier made his bones in cryptography, having written or co-written the Blowfish and Twofish algorithms, among many others, helping to make the practice mainstream after some shaky years battling the government over export controls.

"Electronic commerce was the killer app for cryptography, and that's what forced it out of the shadows and into the mainstream," Schneier says. "But really, we won the crypto war because cryptography doesn't matter nearly as much as we thought. Back in the mid-1990s, we thought cryptography would protect our data from outsiders. But the real problems are in computer and network security. It doesn't matter how good your encryption is if the bad guys installed a Trojan on your computer, or a keylogger. I think the FBI realized, a couple of years before we all did, that cryptography wasn't all that important."

What is important these days to Schneier? Well, besides blogging about airport security, terrorism and other trends beyond information security, Schneier is tackling the subject of psychology and security. He stresses that today's CISOs must get the psychology of security correct, else security systems will fail regardless of the strength of the technology.

"If there's one thing I've learned in all my research into human psychology and how we deal with security, risk, trade-offs, costs and decision making, it's that people are not rational," Schneier says. "People make decisions in completely irrational ways, breaking all sorts of rules of logic while doing so. Our brains are weirdly engineered, with overlapping systems, fail-safe overrides, memory glitches and systemic bugs. And while we are superbly engineered for the cognitive problems that arise while living in small family groups in the East African highlands in 100,000 BC, we're much less suited to 2007 New York."


Read the complete interview with Bruce Schneier at searchsecurity.com/10thanniversary.




MARCUS RANUM Marcus Ranum has probably forgotten more about firewalls and network security than most have learned. Author of what is considered the first commercialized proxy firewall, the DEC SEAL in 1991, Ranum is an authority on UNIX networking and security. A decade ago, he co-founded Trusted Information Systems, which developed the TIS Gauntlet firewall and TIS Internet Firewall Toolkit, and hosted the first whitehouse.gov server. Ranum founded one of the first intrusion detection companies, Network Flight Recorder, in 1997. He is a frequent speaker at conferences, a USENIX and SANS instructor, and a contributor to Information Security. He is the chief of security for Tenable Network Security, home of the Nessus network scanner. At Tenable, Ranum is responsible for research in open source logging tools, and product training.


DAN GEER Dan Geer is praised as a pioneer in information security and a visionary when it comes to illuminating the need to tackle security as a risk management exercise. Notoriety came his way in 2003 when a report he co-authored, "CyberInsecurity: The Cost of Monopoly," argued against a software monoculture and that the ubiquity of Windows was a threat to national security. The paper, released by the Computer & Communications Industry Association, cost Geer his position as CTO of @stake. But he resurfaced as VP and chief scientist at Verdasys, and he continues to be a prolific speaker at conferences and in testimony before lawmakers.


MARTY ROESCH Marty Roesch's pet project, the one conceived in the basement in his spare time, turned out OK. The open source Snort IDS, born in 1998, has become a juggernaut with more than 3 million downloads and is part of countless network security installations from small enterprises to giant defense systems. It was eventually commercialized when Roesch founded Sourcefire in 2001. Check Point Software Technologies tried to acquire Sourcefire last year, but the U.S. government squashed the deal over reported national security concerns. This year Sourcefire went public, one of the few security IPOs of the last five years.


DOROTHY DENNING Dorothy Denning is a cryptography and network security pioneer, a prolific writer and an educator. Currently Denning is a professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. Her seminal 1998 book Information Warfare and Security was a vehicle for her research and opinions on terrorism and cyberwarfare. Denning was named a Time magazine innovator in 2001. She's probably best known for her groundbreaking 1987 paper "An Intrusion Detection Model" and for her support of the Clipper Chip in the early 1990s. During her time at SRI International, she and Peter Neumann worked on SeaView, a project to develop a model for a multilevel secure database system.




PHIL ZIMMERMANN The irony has not escaped Phil Zimmermann that cryptography, once essentially illegal in the United States, is today indispensable.

"In today's legal landscape, cryptography is encouraged; in fact, it's encouraged so much, you can get in trouble for not using it," Zimmermann says, referring to the litany of legislation including state data breach disclosure and notification laws. "The overall legal landscape is friendly toward encryption today. And it was hostile toward encryption a decade ago."

Zimmermann, best known for creating PGP (Pretty Good Privacy), ubiquitous email encryption software, has turned his attention to securing voice over IP encryption protocols. His Zfone project was released a year ago for Mac OS and Linux; a Windows version was made available this year. The software enables encrypted phone conversations to take place over the Internet.

"I've been wanting to encrypt phone calls since before I was interested in encrypting email," Zimmermann says. He points out that the Internet was not ready for VoIP a decade ago--microprocessors were too slow, VoIP standards were absent and broadband was not widespread. "What a difference a decade makes. Now we have a whole VoIP industry springing up. It's time to address it again."

Zimmermann says the need for VoIP encryption is more pressing than email encryption. Until now, the public switched telephone network physically secured phone calls, which are relatively safe from wiretapping and other intrusions. Not so with the Internet.

"With VoIP, it's possible to be wiretapped from the other side of the world because they could inject spyware into one of the many PCs in your building, and that PC could intercept all the packets on your network, including VoIP packets," Zimmermann says. "The asymmetry of difficulty of wiretapping collapses as we migrate to VoIP. If we fail to encrypt VoIP, that asymmetry will collapse. Organized crime, for example, will be able to wiretap cops, judges, prosecutors and listen to them discuss criminal investigations."

Zfone is built on the ZRTP protocol, written by Zimmermann, Jon Callas of PGP Corp. and Alan Johnston. ZRTP initiates during call setup and performs a key exchange based on Diffie-Hellman, then captures VoIP packets and encrypts and decrypts them. Users have a GUI that indicates the security of a call.

Zfone's business model is OEM. "If things go the way they appear to be heading, then there will be massive deployment of my protocol," Zimmermann says.

Hear the complete interview with Phil Zimmermann at searchsecurity.com/10thanniversary.




REBECCA BACE Spurred on by Dorothy Denning's work around intrusion detection, Rebecca Bace took the ball and ran with it. Bace published Intrusion Detection in 2000, which encapsulates the history of intrusion detection research, defining the concepts that make up intrusion detection, analyzing non-commercial IDS and examining the legal issues of monitoring traffic and systems. Bace is a former senior electronics engineer for the National Security Agency and founder of network security consultancy Infidel. She helped connect early network security researchers with the federal government and collaborated with the FBI on a manual for computer crime investigations. At the NSA, Bace fought for funding for programs that did some of the initial work in intrusion detection and helped build academic research programs at UC-Davis and Purdue. She is also a faculty member at the Institute for Applied Network Security and still moderates the Network Security Forum, a professional development initiative for senior information security managers. Her name also appears on some of the seminal books around intrusion detection and network security. Aside from Intrusion Detection, Bace's FBI collaboration produced A Guide to Forensic Testimony, a book she co-authored with Fred Smith. She also wrote the Intrusion Detection Special Publication for the National Institute of Standards and Technology (NIST), which is known as NIST SP 800-31. Another Bace writing credit is the chapter on intrusion detection and vulnerability assessments that appears in the Computer Security Handbook, Fourth Edition, which was written in 2002.


GENE SPAFFORD His friends call him Spaf. To those who have studied under him or admired his achievements from afar, Gene Spafford is perhaps the premier mind in information security. Founder of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University, Spafford has established an infosecurity think tank that is setting the standard for study in risk management, security awareness, architecture, network security, incident detection and response, authentication and privacy, and rights management. CERIAS, like Information Security, is in its 10th year.

"I was looking back 10 years ago; there were only four university centers and we were producing two or three Ph.D.s a year in the field. Now arguably there's probably 20 research centers--one or two the size we are--and we're producing as many as 25 Ph.D.s, which is a quarter of the nation's output," Spafford says. "So that's a big change, but it's still way too small, by at least an order of magnitude, of producing the kind of expertise we need to deal with today's threats."

Business and government still don't take information security seriously enough to invest in it, Spafford says, and that has to shift rapidly. He notes Microsoft's commitment to security via Trustworthy Computing as an adequate start, but other vendors need to get with it, as well as the government.

"We still don't have enough people who are trained; we don't have enough people at higher levels taking threats seriously," Spafford says. "A sustained investment early is required to make a difference in the long run."

Spafford says he is most proud of CERIAS, which in 1998 started off with four faculty members and two graduate students. Today, there are 82 faculty members and 80 grad students.

"The biggest contribution that I personally view here is moving forward to establish a sound base of science education and policy in this arena," Spafford says. "The stuff we've been producing here as a community, and that we've been able to help other schools get their programs started, and that we've served as a resource to keep people honest about what can and cannot be done, I would view that as probably my biggest contribution."


Hear the complete interview with Spaf at searchsecurity.com/10thanniversary.



Researchers to Watch

Shaping the next 10 years of information security

Dino Dai Zovi Dino Dai Zovi dares hack where few bother: the Mac OS X platform. The former @stake and Matasano Security researcher is known for his Vitriol rootkit that targets the Mac OS X kernel, as well as KARMA, the wireless security assessment software.

Joanna Rutkowska Joanna Rutkowska has been the star of a couple of Black Hat Briefings with her virtual rootkit presentations, in particular the Blue Pill rootkit, which she claims is undetectable even on 64-bit Vista systems. This year, Rutkowska demonstrated it was possible to defeat hardware-based memory acquisition.

Billy Hoffman HP's acquisition of SPI Dynamics netted it one of the brightest Web application hackers in the business. Billy Hoffman is front and center with his research on Java and browser security, and his Jikto tool, which exploits cross-site scripting holes, opened plenty of eyes this year. Hoffman got an early start on hacking; while at Georgia Tech, he developed a tool that analyzes data on magnetic strips.

Nate Lawson Nate Lawson's current research on embedding security into devices figures to have long-standing impact on information security. Lawson, who way back helped design the RealSecure IDS, has designed the B+ DRM scheme that was adopted for inclusion in Blu-ray disks.

Adrian Perrig Adrian Perrig is one of the brightest researchers at Carnegie Mellon University's CyLab. An assistant professor of electrical and computer engineering, Perrig is working to embed security into a redesigned Internet. He's also part of a team that developed an antiphishing tool called Phoolproof Phishing that leverages a mobile device to authenticate users and servers.

David Maynor/Robert Graham Two ISS veterans, David Maynor and Robert Graham, run consultancy Errata Security, but like Dai Zovi, spend their spare time keeping vendors honest. Maynor's infamous MacBook Wi-Fi hack demonstration at Black Hat two years ago blazed the trail; Graham followed this year with a presentation of a tool that hijacks user sessions on Web-based mail programs and social networking sites.




Dan Kaminsky Dan Kaminsky's Black Ops sessions at Black Hat have been a must-see for years. His research of large networks has resulted in innovative findings on DNS rebinding, SSL scanning and CAPTCHA analysis. Kaminsky is a staunch advocate of Net Neutrality.

Vern Paxson Vern Paxson is the authority on Internet worms and modeling their behavior. Research to watch: Paxson is part of the National Science Foundation's network telescope project, which is meant to be an early warning system for worm activity. Recently he joined the Electrical Engineering and Computer Sciences College of Engineering at Cal-Berkeley.

Jeremiah Grossman An authority on Web application security, Jeremiah Grossman probably has the best understanding of Web site and browser vulnerabilities in the industry. Grossman is the founder and CTO of White Hat Security and a former information security officer at Yahoo. He also co-founded the Web Application Security Consortium.

Jose Nazario Jose Nazario is one of Arbor Networks' leading network security researchers and a thought leader on worms and worm detection, botnets and distributed denial-of-service attacks. Nazario has developed automated botnet tracking and malware analysis tools and is responsible for six CVE entries.



Melting Pot
by Dennis Fisher
Seems like everyone who was anyone worked at one time for @stake.

For talented security engineers, hardware and software hackers and researchers, there was no cooler place to work in the early part of this decade than @stake. The seminal security consulting firm at one time or another employed just about every top researcher in the field. Dave Aitel, Joe Grand, Chris Wysopal, Peiter "Mudge" Zatko, David and Mark Litchfield, Dino Dai Zovi, Dave Goldsmith, Brian Oblivion and dozens of others spent time at @stake.

In 2000, 2001 and 2002, when money was flowing and the company could barely hire consultants to keep up with the demand for its services, @stake was on top of the security world. The deep talent pool attracted other smart people and @stake cultivated a casual, hip image and allowed employees to work on interesting, challenging projects.

"It really became a cool place to work. It just sort of happened at some point," says Grand, a member of the L0pht hacking collective that formed the foundation of @stake in 2000. "The people there were really open to a lot of different things. It was the place to be. There wasn't a lot of structure."

The presence of guys like Grand, Zatko and Wysopal--all of whom had a lot of credibility in the hacker underground--served as a positive and a negative in the early days. Having them in the office was a definite recruiting tool, but it also caused some uneasiness among customers and potential clients.

At the time of @stake's founding, the members of the L0pht were seen variously as tremendously talented researchers who used whatever methods served their needs, or borderline criminals who flouted the law in the name of fame and fortune. Many critics publicly questioned the wisdom of hiring this group of mavericks to secure corporate networks. The L0pht made no bones about its connections to the hacker underground and was unafraid to force a vendor's hand by publicizing a vulnerability or attack method if the vendor didn't move quickly.




"The fact that the L0pht was there along with all of this consulting talent, we were creating a new kind of company that didn't exist before," says Wysopal. "It created this new kind of culture of a lot of dialogue and research going on internally and it took a while to figure out how to capitalize that. And I'm not sure it ever jelled completely."

"The mystique was having the L0pht guys there. But if that's all we had, we never would have made it to where we did," says Rob Cheyne, an original consultant, along with Goldsmith and Andrew Jaquith. "We hired great people. Every time I got bored, I'd go find something new to do."

But as the security market stagnated in 2003 and other consulting shops like Foundstone began getting more attention--and work--investors began looking for a way to get a return on their considerable investment. Inevitably, things started to change. Gone were the all-hands learn-and-burn off-site meetings, the freedom to work on independent projects and the laid-back atmosphere. In their place was an increased focus on creating products from the company's research and security assessment methods, and a more corporate, businesslike attitude soon pervaded their sleek Cambridge, Mass., headquarters.

"It became so corporate," says Grand, who left the company in 2002. "I was sick of relying on people who don't work the same way or believe the same things I do. It wasn't fun anymore."

Many ex-employees mentioned the September 2003 firing of former CTO Dan Geer--over a paper he co-authored on Microsoft's dominance of the desktop environment and its effect on security--as the beginning of the end. But the business model the company had adopted was not designed for long-term employee retention, either. Consultants traveled nearly full time, working on projects for a few weeks at a time before moving on to another customer in another city. That lifestyle burned out a lot of talented people, who eventually moved on to other companies.

"I think we had a pretty typical attrition rate for a consulting company," says Chris Eng, who joined @stake from the National Security Agency in 2000. "People just get burned out. Some who left, like Frank Swiderski and Window Snyder, had been there for three years and moved on to other things."




By the time Symantec bought @stake in 2004, the talent drain was well under way. Zatko had left in 2002. The Litchfield brothers had left to start NGS Software, along with Chris Anley and a couple of other @stakers. Snyder and Swiderski took off for jobs in Microsoft's new security organization. Adrian Ludwig, an application security consultant, jumped at a chance to create the Secure Software Engineering team at Macromedia (now Adobe), and four other @stake employees later followed.

"Everybody's mindset was 'Let's break even.' We did way better than a lot of other companies that didn't make it as long as @stake did," says Christien Rioux, a former L0pht member who joined @stake at its founding. "I don't think there were any hurt feelings. Everyone was pleased that @stake had a sustainable business model. But the question was, would it ever expand or grow."

Since the acquisition, the critical mass of talent assembled at @stake has spread out across a number of industries, creating a diaspora that has served as the foundation for any number of start-ups, security teams and consulting shops.

To wit:

  • Frank Heidt, Rex Warren and Kevin Rich, all former @stake employees, founded security consultancy Leviathan Security in Seattle.

  • Aitel, another NSA and @stake veteran, started pen-test software provider Immunity Security.

  • Former @stakers Goldsmith, Dai Zovi and Snyder, along with Thomas Ptacek, founded Matasano Security in New York.

  • @stake veterans Tim Newsham, Alex Stamos and Himanshu Dwivedi founded iSEC Partners in San Francisco.

  • George Gal, a former @stake consultant, founded Virtual Security Research in Boston.

  • Of the L0pht members who joined @stake, Wysopal and Rioux, known as Weld Pond and Dildog, respectively, are at Veracode, an application security company; Brian Hassick, who went by Brian Oblivion, is working for a defense contractor; Zatko works at BBN; Grand, known as Kingpin, runs his own company, Grand Idea Studio; Karl Kasper, known as John Tan, does penetration testing in the financial services industry; and Paul Nash, known as Silicosis, remains at Symantec.

The role @stake and its people played in shaping today's security industry was significant, and it's clear its influence will be felt for many years.

"We had the biggest congregation of application security experts by far. At some point it just couldn't grow anymore because we had already amassed everyone," says Wysopal. "I'm surprised by how often we bump into an @staker. We're everywhere, running security teams, doing application testing, everything. It was a great place."



@stake, where are they now? (PDF)

@stake was the place to work if you were a security researcher or consultant. Wondering what became of some members of @stake? Wonder no more.



Where Are They Now?
Catching up with 10 blasts from the past.

1 Bill Cheswick
Lead member, technical staff, AT&T Research

If you hate some of the clichés that are the sole domain of information security, such as the one describing corporate networks as a "crunchy shell around a soft, chewy center," point your ire at Bill Cheswick. He coined the phrase. While you're at it, though, consider that this may be the only debit on Cheswick's ledger sheet.

His contributions to network security are innumerable. A firewall pioneer, Cheswick co-authored the seminal Firewalls and Internet Security: Repelling the Wily Hacker with Steve Bellovin in 1994, and it remains the bible of network security professionals. The first edition sold 100,000 copies, and a second edition was printed in 2003. He also ran a project starting in 1998 with Bell Labs colleague Hal Burch to map the Internet. That data is still used to map routing issues, DDoS attacks and traceback.

"One of the reasons I did it was to get data for the researchers, and there have been papers written analyzing the data we collected," Cheswick says. "I don't know if it's changed the world particularly. The images themselves have been a marketing breakthrough." Cheswick notes the images are prominent in some senators' offices and many corporate board rooms.

After years at Bell Labs, Cheswick joined Lumeta Corp., as its chief scientist in 2000, before returning to his roots this year at AT&T Research as a member of its technical staff.

"My legacy was training the first generation of network administrators in security," Cheswick says.

The next generation? Well, for starters, Cheswick isn't so sure the Internet is as broken as everyone seems to think, considering the industry built upon it. He concedes there are security worries, but innovation in Vista and other platforms is a solid starting point. He's also aboard with the notion that the network perimeter is toast and most computers can indeed live without a firewall.

"Perimeter security was an excuse for not securing our hosts, which we didn't know how to do, or couldn't do very well," Cheswick says. "Getting out from behind the DMZ is a paper I have in mind. We have VPNs, stronger host security, crypto, a variety of tools that make us more secure. We're learning that hiding behind a wall isn't such a safe thing."

Cheswick is also on board with virtualization and sandboxing systems.

"There's lots of commercial and academic activity on caging software. I think we have to do this because basic programs running browsers and mail readers are giant, dangerous programs that I doubt we'll ever get in secure state," Cheswick says. "You want them in a sandbox. My goal is for grandma to click on any site and not have her computer taken over."

Hear the complete interview with Bill Cheswick at searchsecurity.com/10thanniversary.



Where Are They Now?

2 Peter Tippett
VP, research and intelligence, Verizon Business Security Solutions

Being Information Security's first publisher probably isn't prominent on Peter Tippett's resume. When you're an M.D. and a pilot who started ICSA Labs, pioneered security risk management metrics and, oh yeah, created the first commercial antivirus product that eventually became Norton Antivirus, media mogul takes a backseat. Tippett was scooped up in Verizon's acquisition of Cybertrust, where he was CTO, and now he has access to one of the world's largest Internet backbones. "There's lots of instrumentation and smart people here, but [the merger] has turned out to be even more powerful than I expected," Tippett says. "More data, reach, customers and capabilities to do pragmatic stuff on behalf of our clients and the Internet. That's been a pleasant surprise."

3 Mafiaboy

Crime pays? Apparently so for Mafiaboy, the teenaged Canadian hacker turned columnist for Le Journal de Montreal in 2005. Mafiaboy, a script kiddie, pulled off the infamous 2000 denial-of-service attacks against Yahoo, Amazon, eBay, CNN and others. The FBI and Royal Canadian Mounted Police caught up to Mafiaboy after he shot off his mouth in an IRC chat room that he had taken down Dell.com, an attack that had not yet been publicized. He was fined and sentenced to eight months of house arrest and a year of probation. In 2005, he wrote a computer security column for the Montreal newspaper.

4 Peiter "Mudge" Zatko
Division scientist, BBN Technologies

Peiter Zatko, leader of the L0pht Heavy Industries hacking team that became @stake, is a scientist and technical director for BBN Technologies' national intelligence research and applications division. At BBN, his work includes developing advanced models for network data traffic analysis for the firm's government customers. Mudge developed several security tools, including L0phtCrack, now an industry standard Windows password auditing tool called LC5. He advised President Clinton on information security, and famously warned a Senate committee in 1998 that he could take down the Internet in 30 minutes. After leaving @stake in 2002, he was chief scientist at the now defunct insider-threat specialist Intrusic before rejoining BBN, where he had worked in the '90s.




5 Jim Bidzos
Chairman, VeriSign

For years, Jim Bidzos was the face of RSA Security, holding titles such as president and CEO, executive VP and vice chairman. He was also the emcee of the RSA Conference before stepping aside after the 2003 event. Bidzos is an important figure in the history of cryptography, lobbying policy makers in Washington to help relax restrictions on crypto export controls, and advancing the commercialization of encryption software. Bidzos was a founder of VeriSign, where this year he returned to the job of chairman of the board of directors, which he held from 1995-2001. He served as vice chairman of the board for the past six years.

6 Peter G. Neumann
Principal scientist, SRI International

Peter Neumann continues his work at SRI International's computer science lab, where he is a principal scientist focused on security, reliability, voting system integrity, crypto policy and other issues. He joined SRI in 1971 after 10 years at Bell Labs, where he was heavily involved in development of Multics, a timesharing operating system. Alongside his many SRI projects, he continues to write articles, and moderate the Association for Computing Machinery's Risks Forum.

7 Christopher Klaus
Founder, CEO, Kaneva

Christopher Klaus, who founded Internet Security Systems (ISS) in 1994 and masterminded its groundbreaking vulnerability scanning technology, now applies his entrepreneurial and technical skills to the world of online social networking. He is founder and CEO of Kaneva, which touts itself as a "virtual entertainment world" for the masses.

Klaus was chief security adviser at ISS before IBM bought the company for $1.3 billion in 2006. In 1999, he donated $15 million to his alma mater, the Georgia Institute of Technology. Today he serves on a number of boards, including the Georgia Film, Video and Music Advisory Commission.




8 Kevin Poulsen
Senior editor, Wired

Kevin Poulsen's high-profile hacker exploits are in the distant past. He is a senior editor at Wired News and previously wrote news for SecurityFocus. Long before he became a journalist, his hacks included taking over the phone lines of a Los Angeles radio station to ensure he'd be the 102nd caller, netting him a Porsche and cash. Last year at Wired, he uncovered the prevalence of registered sex offenders, including pedophiles, on MySpace.com.

9 Bill Larson
Parts unknown

Bill Larson, former CEO of Network Associates (now McAfee), appears to have retreated from public life. During his eight-year reign at Network Associates, he oversaw 14 acquisitions and turned the company into an antivirus leader before leaving in the aftermath of an accounting scandal in 2000. Since then, Larson served on the board of directors for several technology companies, including Proofpoint. A Proofpoint spokesperson described him now only as a private citizen.

10 Eric Corley
Publisher, 2600: The Hacker Quarterly

Eric Corley, aka Emmanuel Goldstein, is the publisher of the long-standing hacker magazine 2600: The Hacker Quarterly. Corley is a multimedia figure; he also hosts a radio show for hackers called "Off the Hook" on WBAI-FM in New York, and another current events show called "Off the Wall" on WUSB-FM on Long Island, N.Y. Corley was the lone defendant in a 2000 appeal of a ruling in favor of the Motion Picture Association of America (MPAA), which wanted to bar sites from offering code that would decrypt DVDs. 2600.com was hosting DeCSS source code that could be used to beat the Content-Scrambling System used by DVDs. Corley solely took on the MPAA and challenged the legality of the Digital Millennium Copyright Act to no avail.

2600: The Hacker Quarterly continues to publish quarterly, as it has since 1984.



Face Off
Caution: Turbulence Ahead
Bruce Schneier and Marcus Ranum look at the security landscape of the next 10 years.

Bruce Schneier
Predictions are easy and difficult. Roy Amara of the Institute for the Future once said: "We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run."

Moore's Law is easy: In 10 years, computers will be 100 times more powerful. My desktop will fit into my cell phone, we'll have gigabit wireless connectivity everywhere, and personal networks will connect our computing devices and the remote services we subscribe to. Other aspects of the future are much more difficult to predict. I don't think anyone can predict what the emergent properties of 100x computing power will bring: new uses for computing, new paradigms of communication. A 100x world will be different, in ways that will be surprising.

But throughout history and into the future, the one constant is human nature. There hasn't been a new crime invented in millennia. Fraud, theft, impersonation and counterfeiting are perennial problems that have been around since the beginning of society. During the last 10 years, these crimes have migrated into cyberspace, and over the next 10, they will migrate into whatever computing, communications and commerce platforms we're using.

The nature of the attacks will be different: the targets, tactics and results. Security is both a trade-off and an arms race, a balance between attacker and defender, and changes in technology upset that balance. Technology might make one particular tactic more effective, or one particular security technology cheaper and more ubiquitous. Or a new emergent application might become a favored target.

I don't see anything by 2017 that will fundamentally alter this. Do you?




Marcus Ranum
I think you're right; at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective. It's 2007 and we haven't seemed to accept that:
  • You can't turn shovelware into reliable software by patching it a whole lot.
  • You shouldn't mix production systems with non-production systems.
  • You actually have to know what's going on in your networks.
  • If you run your computers with an open execution runtime model you'll always get viruses, spyware and Trojan horses.
  • You can pass laws about locking barn doors after horses have left, but it won't put the horses back in the barn.
  • Security has to be designed in, as part of a system plan for reliability, rather than bolted on afterward.
The list could go on for several pages, but it would be too depressing. It would be "Marcus' list of obvious stuff that everybody knows but nobody accepts."

You missed one important aspect of the problem: By 2017, computers will be even more important to our lives, economies and infrastructure.

If you're right that crime remains a constant, and I'm right that our responses to computer security remain ineffective, 2017 is going to be a lot less fun than 2007 was.

I've been pretty dismissive of the concepts of cyberwar and cyberterror. That dismissal was mostly motivated by my observation that the patchworked and kludgy nature of most computer systems acts as a form of defense in its own right, and that real-world attacks remain more cost-effective and practical for terror purposes.

I'd like to officially modify my position somewhat: I believe it's increasingly likely that we'll suffer catastrophic failures in critical infrastructure systems by 2017. It probably won't be terrorists that do it, though. More likely, we'll suffer some kind of horrible outage because a critical system was connected to a non-critical system that was connected to the Internet so someone could get to MySpace--and that ancillary system gets a piece of malware. Or it'll be some incomprehensibly complex software, layered with Band-Aids and patches, that topples over when some "merely curious" hacker pushes the wrong e-button. We've got some bad-looking trend lines; all the indicators point toward a system that is more complex, less well-understood and more interdependent. With infrastructure like that, who needs enemies?

You're worried criminals will continue to penetrate into cyberspace, and I'm worried complexity, poor design and mismanagement will be there to meet them.




Bruce Schneier
I think we've already suffered that kind of critical systems failure.

The August 2003 blackout that covered much of northeastern United States and Canada--50 million people--was caused by a software bug.

I don't disagree that things will continue to get worse. Complexity is the worst enemy of security, and the Internet--and the computers and processes connected to it--is getting more complex all the time. So things are getting worse, even though security technology is improving. One could say those critical insecurities are another emergent property of the 100x world of 2017.

Yes, IT systems will continue to become more critical to our infrastructure--banking, communications, utilities, defense, everything.

By 2017, the interconnections will be so critical that it will probably be cost-effective--and low-risk--for a terrorist organization to attack over the Internet. I also deride talk of cyberterror today, but I don't think I will in another 10 years.

While the trends of increased complexity and poor management don't look good, there is another trend that points to more security--but neither you nor I is going to like it. That trend is IT as a service.

By 2017, people and organizations won't be buying computers and connectivity the way they are today. The world will be dominated by telcos, large ISPs and systems integration companies, and computing will look a lot like a utility. Companies will be selling services, not products: email services, application services, entertainment services. We're starting to see this trend today, and it's going to take off in the next 10 years. Where this affects security is that by 2017, people and organizations won't have a lot of control over their security. Everything will be handled at the ISPs and in the backbone. The free-wheeling days of general-use PCs will be largely over. Think of the iPhone model: You get what Apple decides to give you, and if you try to hack your phone, they can disable it remotely. We techie geeks won't like it, but it's the future. The Internet is all about commerce, and commerce won't survive any other way.




Marcus Ranum
You're right about the shift toward services--it's the ultimate way to lock in customers.

If you can make it difficult for the customer to get his data back after you've held it for a while, you can effectively prevent the customer from ever leaving. And of course, customers will be told "trust us, your data is secure," and they'll take that for an answer. The back-end systems that will power the future of utility computing are going to be just as full of flaws as our current systems. Utility computing will also completely fail to address the problem of transitive trust unless people start shifting to a more reliable endpoint computing platform.

That's the problem with where we're heading: the endpoints are not going to get any better. People are attracted to appliances because they get around the headache of system administration (which, in today's security environment equates to "endless patching hell"), but underneath the slick surface of the appliance we'll have the same insecure nonsense we've got with general-purpose desktops. In fact, the development of appliances running general-purpose operating systems really does raise the possibility of a software monoculture. By 2017, do you think system engineering will progress to the point where we won't see a vendor release a new product and instantly create an installed base of 1 million-plus users with root privileges? I don't, and that scares me.

So if you're saying the trend is to continue putting all our eggs in one basket and blithely trusting that basket, I agree.

Another trend I see getting worse is government IT know-how. At the rate outsourcing has been brain-draining the federal workforce, by 2017 there won't be a single government employee who knows how to do anything with a computer except run PowerPoint and Web surf. Joking aside, the result is that the government's critical infrastructure will be almost entirely managed from the outside. The strategic implications of such a shift have scared me for a long time; it amounts to a loss of control over data, resources and communications.




Bruce Schneier
You're right about the endpoints not getting any better. I've written again and again how measures like two-factor authentication aren't going to make electronic banking any more secure. The problem is if someone has stuck a Trojan on your computer, it doesn't matter how many ways you authenticate to the banking server; the Trojan is going to perform illicit transactions after you authenticate.

It's the same with a lot of our secure protocols. SSL, SSH, PGP and so on all assume the endpoints are secure, and the threat is in the communications system. But we know the real risks are the endpoints.

And a misguided attempt to solve this is going to dominate computing by 2017. I mentioned software-as-a-service, which you point out is really a trick that allows businesses to lock up their customers for the long haul. I pointed to the iPhone, whose draconian rules about who can write software for that platform accomplishes much the same thing. We could also point to Microsoft's Trusted Computing, which is being sold as a security measure but is really another lock-in mechanism designed to keep users from switching to "unauthorized" software or OSes.

I'm reminded of the post-9/11 anti-terrorist hysteria--we've confused security with control, and instead of building systems for real security, we're building systems of control. Think of ID checks everywhere, the no-fly list, warrantless eavesdropping, broad surveillance, data mining, and all the systems to check up on scuba divers, private pilots, peace activists and other groups of people. These give us negligible security, but put a whole lot of control in the government's hands.

Computing is heading in the same direction, although this time it is industry that wants control over its users. They're going to sell it to us as a security system--they may even have convinced themselves it will improve security--but it's fundamentally a control system. And in the long run, it's going to hurt security.

Imagine we're living in a world of Trustworthy Computing, where no software can run on your Windows box unless Microsoft approves it. That brain drain you talk about won't be a problem, because security won't be in the hands of the user. Microsoft will tout this as the end of malware, until some hacker figures out how to get his software approved. That's the problem with any system that relies on control: Once you figure out how to hack the control system, you're pretty much golden. So instead of a zillion pesky worms, by 2017 we're going to see fewer but worse super worms that sail past our defenses.

By then, though, we'll be ready to start building real security. As you pointed out, networks will be so embedded into our critical infrastructure--and there'll probably have been at least one real disaster by then--that we'll have no choice. The question is how much we'll have to dismantle and build over to get it right.




Marcus Ranum
I agree regarding your gloomy view of the future. It's ironic the counterculture "hackers" have enabled (by providing an excuse) today's run-patch-run-patch-reboot software environment and tomorrow's software Stalinism.

I don't think we're going to start building real security. Because real security is not something you build--it's something you get when you leave out all the other garbage as part of your design process. Purpose-designed and purpose-built software is more expensive to build, but cheaper to maintain. The prevailing wisdom about software return on investment doesn't factor in patching and patch-related downtime, because if it did, the numbers would stink. Meanwhile, I've seen purpose-built Internet systems run for years without patching because they didn't rely on bloated components. I doubt industry will catch on.

The future will be captive data running on purpose-built back-end systems--and it won't be a secure future, because turning your data over always decreases your security. Few possess the understanding of complexity and good design principles necessary to build reliable or secure systems. So, effectively, outsourcing--or other forms of making security someone else's problem--will continue to seem attractive.

That doesn't look like a very rosy future to me. It's a shame, too, because getting this stuff correct is important. You're right that there are going to be disasters in our future. I think they're more likely to be accidents where the system crumbles under the weight of its own complexity, rather than hostile action. Will we even be able to figure out what happened, when it happens?

Folks, the captains have illuminated the "Fasten your seat belts" sign. We predict bumpy conditions ahead.


Bruce Schneier is CTO of BT Counterpane and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. For more information, visit his Web site at www.schneier.com.

Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit his Web site at www.ranum.com.

Send comments on this column to [email protected].

