Reflections

If you consider yourself an observer of the past 10 years in information security, few would be surprised if you suffer from a touch of whiplash. Things moved pretty quickly, and not many security professionals had the ability to slow things down.

Where to begin? Well, at the start of Information Security's journey in December 1997, there wasn't a security profession. At least not as we understand it today. The chief information security officer was a notion whose time had not yet arrived. Compliance wasn't the bane of corporate security's existence, and macro worms were, well, around.

"The most obvious thing is that 10 years ago, there was no profession," says AT&T senior vice president and chief security officer Ed Amoroso, a veteran of the industry who in his early days at Bell Labs was immersed in a think tank surrounded by UNIX giants Dennis Ritchie and Ken Thompson. "You could be a techie, but there were no CISOs, no senior executives in a company. Now it would be almost impossible to find a large or medium-sized company or government agency that did not have a management-level security staff."

The emergence of the Internet as a ubiquitous business medium touched every facet of IT, and caused the growth of information security as a profession. Guardians like Amoroso and his peers in the enterprise had to learn a whole new lexicon between 1997 and today, and transform the way they looked at their jobs. As more business moved online, it became less of an imperative to protect networks and individual systems, and more about aligning what they do with overall business goals. Risk management became more than a term used by liability companies and financial professionals. Security pros were forced to think in these terms, and build programs to address what has become an organized criminal element targeting not only customer data, but invaluable intellectual property as part of sophisticated corporate espionage. Nations are also suspected of using computers to attack one another, not causing bloodshed but stealing secrets and threatening critical infrastructure.

"We have gone from a lot of malicious, exploratory, vandalism types of hacking to the realm where there is significant economic activity," says luminary Gene Spafford, founder of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

"Coupled with [the changing threat landscape] has been the transformation of attack tools, going from largely self-propagating attacks or hacker tool-kits to automated, sophisticated blended threats with a high reliance on social engineering," Spafford says. "Botnets and rootkits are prominent. For those of us looking at trends, we see a similar evolution of viruses--stealthy, widespread, automated, organized criminal activity, coming from where we were 10 years ago."

Donn Parker, a longtime computer crime observer and prominent researcher with SRI International, says the cat-and-mouse game between criminals and those paid to keep them in check followed business' migration to the Net--and he doesn't expect it to abate any time soon.

"I've said time after time, the problems associated with the use and misuse of computers is a one-upsmanship problem. The bad guys figure out new ways to beat the newest security, and good guys increase security again," Parker says. "Used to be in the 1960s, '70s, '80s, it was amateur criminal activity where the criminals were motivated to solve their own personal problems by malicious acts against computers. Gradually...it has grown into a very large-scale organized criminal activity where motivation is for financial gain."

NOT SO FAST
The frenzy for enterprises to create online business models, and rush services and products online prematurely, has in many ways contributed to the success of the criminal element. Microsoft was the biggest offender in the early part of the decade. Simple, yet extraordinarily effective, pieces of malicious code roared through gaping holes in Windows. Vulnerabilities in the IIS Web server enabled the Code Red and NIMDA worms to spread like weeds across the Internet, infecting thousands of systems with self-propagating, network-aware engines. The Slammer worm, in January 2003, may be the most infamous--and smallest--malware to hit the Net and be so prolific. Exploiting a flaw in Microsoft's SQL Server database--for which a patch had been available for months--Slammer dragged portions of the Internet to a crawl, and made life miserable for administrators slow to patch these balky products.

Amoroso says we're stuck with bad software--for now.

"If you look at other branches of engineering such as electrical engineering, these are fairly mature branches of engineering--thousands of years of experience built on principles. If you study engineering, there's a routine curriculum no matter where you go," Amoroso says. "Software engineering doesn't enjoy that kind of maturity. You couldn't get a software engineering degree in 1980. We have to deal with the immaturity of it as a discipline. But each year that passes, we learn more about it, and programming gets better. In the meantime, we have to be somewhat reactive. I'll say that probably in my lifetime, we won't see massively sized, complex software that's actually correct."

Adding to the complexity is the depth of the vendor pool through which security managers must wade and execute make-or-break buying decisions. The boom days of the early 2000s sprouted hundreds of companies, each with a solution to the day's most pressing problems. Unfortunately, most ended up being just different takes on the same technology, and reactions to the threat of the day. Patch management and vulnerability management firms popped up in response to Microsoft's Patch Tuesday releases. Intrusion prevention made headway against signature-based intrusion detection systems. Antivirus software became commoditized, and providers began to differentiate themselves with antispyware and antispam offerings.

SERIOUS REGULATION
And then came the Enron scandal and the Sarbanes-Oxley Act, which demanded enterprises account for the integrity of their financial reporting. IT professionals bore their share of responsibilities, and executives became aware of IT security in particular. Security pros finally had something to demonstrate their value to executive management, which was suddenly willing to spend on security tools to aid with compliance and keep them out of jail.

The ChoicePoint debacle kicked off the data breach era in 2005, and hundreds of millions of lost records later, companies have state data breach notification laws to comply with, credit card standards to adhere to, and industry-specific regulations to watch. Security and risk must work in concert, forcing IT security to emerge from clichéd basement hideouts, and often sit alongside business units in order to learn how to best tailor protections to satisfy not only management, but auditors.

"Legislation demonstrates a failure of the information security community in meeting its responsibilities and requirements," Parker says. "An analogy is the seat belt problem in cars--we had to have laws to put them in cars and use them. A similar situation, only on a grander scale, has occurred in information security. We're shifting objectives in information security from attempts to reduce risk to attempts to meet compliance with law. That's a sad commentary on information security."

As we hit the end of this decade, and look to the start of Information Security's next 10 years, we see security duties being absorbed more and more by networking groups. Security technology is being baked into infrastructure like routers and switches, and big vendors like Cisco, IBM, HP and EMC are scooping up important security technologies. Stand-alone security vendors, no matter how innovative, are sitting ducks for acquisition. Compliance is going to be a perpetual issue for security managers, and overall risk management is slowly superseding the role of the CISO.

Amoroso, for one, predicts that in 10 years, security as we know it today will be gone.

"We'll look back on this five to 10 years from now and say this was the era when we overlaid security onto networks and systems, and I think we already have learned that's a flawed model," Amoroso says. "It doesn't make sense to design a network and then build security onto it or run a network where security components are separate. That's silly."