Published: 04 Jan 2008
A Dynamic Decade
Information security has matured as a profession in a mere 10 years, despite waging an endless game of catch-up with threats, legislation and the demands of business.
Where to begin? Well, at the start of Information Security's journey in December 1997, there wasn't a security profession. At least not as we understand it today. The chief information security officer was a notion whose time had not yet arrived. Compliance wasn't the bane of corporate security's existence, and macro worms were, well, around.
"The most obvious thing is that 10 years ago, there was no profession," says AT&T senior vice president and chief security officer Ed Amoroso, a veteran of the industry who in his early days at Bell Labs was immersed in a think tank surrounded by UNIX giants Dennis Ritchie and Ken Thompson. "You could be a techie, but there were no CISOs, no senior executives in a company. Now it would be almost impossible to find a large or medium-sized company or government agency that did not have a management-level security staff."
The emergence of the Internet as a ubiquitous business medium touched every facet of IT, and drove the growth of information security as a profession. Guardians like Amoroso and his peers in the enterprise had to learn a whole new lexicon between 1997 and today, and transform the way they looked at their jobs. As more business moved online, the job became less about protecting networks and individual systems in isolation, and more about aligning security work with overall business goals. Risk management became more than a term used by liability companies and financial professionals. Security pros were forced to think in these terms, and build programs to address what has become an organized criminal element targeting not only customer data, but invaluable intellectual property as part of sophisticated corporate espionage. Nations are also suspected of using computers to attack one another, not causing bloodshed but stealing secrets and threatening critical infrastructure.
"We have gone from a lot of malicious, exploratory, vandalism types of hacking to the realm where there is significant economic activity," says luminary Gene Spafford, founder of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
Criminals are organized and international. The Internet changed their economic model as well. Physical access is no longer needed to steal; a hacker is as likely to attack from a living room in Beijing as he is from a data center in Silicon Valley. Web sites are no longer defaced for fun, denial-of-service attacks no longer carried out for notoriety. Instead, hackers blackmail high-traffic, big-money sites with DDoS attacks; money is laundered over the Net, secrets stolen and business models put in jeopardy.
NOWHERE TO HIDE
Yesterday's tattered system or network administrator, or Web site operator, fought back with signature-based defenses, or sometimes hid in the weeds, hoping they'd plugged the latest Windows hole and praying the latest mass-mailing worm would skip on by. That kind of security by obscurity is fatal today to many business models.
"Coupled with [the changing threat landscape] has been the transformation of attack tools, going from largely self-propagating attacks or hacker tool-kits to automated, sophisticated blended threats with a high reliance on social engineering," Spafford says. "Botnets and rootkits are prominent. For those of us looking at trends, we see a similar evolution of viruses--stealthy, widespread, automated, organized criminal activity, coming from where we were 10 years ago."
Donn Parker, a longtime computer crime observer and prominent researcher with SRI International, says the cat-and-mouse game between criminals and those paid to keep them in check followed business' migration to the Net--and he doesn't expect it to abate any time soon.
"I've said time after time, the problems associated with the use and misuse of computers is a one-upsmanship problem. The bad guys figure out new ways to beat the newest security, and good guys increase security again," Parker says. "Used to be in the 1960s, '70s, '80s, it was amateur criminal activity where the criminals were motivated to solve their own personal problems by malicious acts against computers. Gradually...it has grown into a very large-scale organized criminal activity where motivation is for financial gain."
Microsoft, to its credit, took measures to about-face its security profile. Bill Gates' famous 2002 Trustworthy Computing memo (see "Trustworthy Finally?", below) put a temporary halt to development in Redmond, Wash. Microsoft's developers were given security mandates, and a secure development lifecycle was established. As we look at Vista, which launched this year, the security changes are stark.
"Microsoft has made [security investment], but it's not clear that it's gone all the way yet," Spafford says. "Had Trustworthy Computing not occurred, we'd be in much worse shape than we are now. Other vendors need to get with it."
Amoroso says we're stuck with bad software--for now.
"If you look at other branches of engineering such as electrical engineering, these are fairly mature branches of engineering--thousands of years of experience built on principles. If you study engineering, there's a routine curriculum no matter where you go," Amoroso says. "Software engineering doesn't enjoy that kind of maturity. You couldn't get a software engineering degree in 1980. We have to deal with the immaturity of it as a discipline. But each year that passes, we learn more about it, and programming gets better. In the meantime, we have to be somewhat reactive. I'll say that probably in my lifetime, we won't see massively sized, complex software that's actually correct."
Adding to the complexity is the depth of the vendor pool through which security managers must wade and execute make-or-break buying decisions. The boom days of the early 2000s sprouted hundreds of companies, each with a solution to the day's most pressing problems. Unfortunately, most ended up being just different takes on the same technology, and reactions to the threat of the day. Patch management and vulnerability management firms popped up in response to Microsoft's Patch Tuesday releases. Intrusion prevention made headway against signature-based intrusion detection systems. Antivirus software became commoditized, and providers began to differentiate themselves with antispyware and antispam offerings.
"Regulation--SOX, HIPAA, GLB, the credit card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever--has been the best stick the industry has found to beat companies over the head with. And it works," says Bruce Schneier, founder of BT Counterpane, creator of the Blowfish and Twofish algorithms, and a noted author and speaker. "Regulation forces companies to take security more seriously, and sells more products and services."
The ChoicePoint debacle kicked off the data breach era in 2005, and hundreds of millions of lost records later, companies have state data breach notification laws to comply with, credit card standards to adhere to, and industry-specific regulations to watch. Security and risk must work in concert, forcing IT security to emerge from clichéd basement hideouts, and often sit alongside business units in order to learn how to best tailor protections to satisfy not only management, but auditors.
"Legislation demonstrates a failure of the information security community in meeting its responsibilities and requirements," Parker says. "An analogy is the seat belt problem in cars--we had to have laws to put them in cars and use them. A similar situation, only on a grander scale, has occurred in information security. We're shifting objectives in information security from attempts to reduce risk to attempts to meet compliance with law. That's a sad commentary on information security."
As we hit the end of this decade, and look to the start of Information Security's next 10 years, we see security duties being absorbed more and more by networking groups. Security technology is being baked into infrastructure like routers and switches, and big vendors like Cisco, IBM, HP and EMC are scooping up important security technologies. Stand-alone security vendors, no matter how innovative, are sitting ducks for acquisition. Compliance is going to be a perpetual issue for security managers, and overall risk management is slowly superseding the role of the CISO.
Amoroso, for one, predicts that in 10 years, security as we know it today will be gone.
"We'll look back on this five to 10 years from now and say this was the era when we overlaid security onto networks and systems, and I think we already have learned that's a flawed model," Amoroso says. "It doesn't make sense to design a network and then build security onto it or run a network where security components are separate. That's silly."