[ISN] Securing the cloud

From: InfoSec News (isnat_private)
Date: Tue Oct 29 2002 - 22:59:39 PST

    Forwarded from: Chris Wysopal <cwysopalat_private>
    Oct 24th 2002 
    From The Economist print edition
    Digital security, once the province of geeks, is now everyone's
    concern. But there is much more to the problem - or the solution -
    than mere technology, says Tom Standage

    WHEN the world's richest man decides it is time for his company to
    change direction, it is worth asking why. Only rarely does Bill Gates
    send an e-mail memo to the thousands of employees at Microsoft, the
    world's largest software company, of which he is chairman. He famously
    sent such a memo in December 1995, in which he announced that
    Microsoft had to become "hardcore" about the Internet. In January this
    year Mr Gates sent another round-robin. Its subject? The importance of
    computer security.

    Until recently, most people were either unaware of computer security
    or regarded it as unimportant. That used to be broadly true, except in
    a few specialised areas - such as banking, aerospace and military
    applications - that rely on computers and networks being hard to break
    into and not going wrong. But now consumers, companies and governments
    around the world are sitting up and taking notice. Why?

    The obvious answer seems to be that last year's terrorist attacks in
    America have heightened awareness of security in all its forms. But
    the deeper reason is that a long-term cultural shift is under way.
    Digital security has been growing in importance for years as more and
    more aspects of business and personal life have come to depend on
    computers. Computing, in short, is in the midst of a transition from
    an optional tool to a ubiquitous utility. And people expect utilities
    to be reliable. One definition of a utility, indeed, is a service that
    is so reliable that people notice it only when it does not work.
    Telephone service (on fixed lines, at least), electricity, gas and
    water supplies all meet this definition. Computing clearly does not,
    at least not yet.

    One of the many prerequisites for computing to become a utility is
    adequate security. It is dangerous to entrust your company, your
    personal information or indeed your life to a system that is full of
    security holes. As a result, the problem of securing computers and
    networks, which used to matter only to a handful of system
    administrators, has become of far more widespread concern.

    Computers are increasingly relied upon; they are also increasingly
    connected to each other, thanks to the Internet. Linking millions of
    computers together in a single, cloud-like global network brings great
    benefits of cost and convenience. Dotcoms may have come and gone, but
    e-mail has become a vital business tool for many people and an
    important social tool for an even larger group. Being able to access
    your e-mail from any web browser on earth is tremendously useful and
    liberating, as both business travellers and backpacking tourists will
    attest. Corporate billing, payroll and inventory-tracking systems are
    delivered as services accessible through web browsers. Online shop
    fronts make it fast and convenient to buy products from the other side
    of the world.

    The price of openness

    The flip side of easy connectivity and remote access, however, is the
    heightened risk of a security breach. Bruce Schneier, a security
    expert, points out that when you open a shop on the street, both
    customers and shoplifters can enter. "You can't have one without the
    other," he says. "It's the same on the Internet." And as music,
    movies, tax returns, photographs and phone calls now routinely whizz
    around in digital form, the shift from traditional to digital formats
    has reached a critical point, says Whitfield Diffie, a security guru
    at Sun Microsystems: "We can no longer continue this migration without
    basic security."

    The September 11th attacks, then, reinforced an existing trend.
    Government officials, led by Richard Clarke, America's cyber-security
    tsar, gave warning of the possibility that terrorists might mount an
    "electronic Pearl Harbour" attack, breaking into the systems that
    control critical telecommunications, electricity and utility
    infrastructure, and paralysing America from afar with a few clicks of
    a mouse. Most security experts are sceptical, but after spending years
    trying to get people to take security seriously, they are willing to
    play along. Scott Charney, a former chief of computer crime at the
    Department of Justice and now Microsoft's chief security strategist,
    says Mr Clarke's scare-mongering is "not always helpful, but he has
    raised awareness."

    The terrorist attacks certainly prompted companies to acknowledge
    their dependence on (and the vulnerability of) their networks, and
    emphasised the importance of disaster-recovery and back-up systems. A
    survey of information-technology managers and chief information
    officers, carried out by Morgan Stanley after the attacks, found that
    security software had jumped from fifth priority or lower to become
    their first priority. "It's moved up to the top of the list," says
    Tony Scott, chief technology officer at General Motors. "It's on
    everybody's radar now."

    The growing emphasis on security over the past year or two has been
    driven by a combination of factors, and has shown up in a variety of
    ways. Chris Byrnes, an analyst at Meta Group, a consultancy, notes
    that the proportion of his firm's clients (mostly large multinational
    companies) with dedicated computer-security teams has risen from 20%
    to 40% in the past two years. He expects the figure to reach 60-70%
    within the next two years. Previously, he says, it was
    financial-services firms that were most serious about security, but
    now firms in manufacturing, retailing and other areas are following

    One important factor is regulation. Mr Byrnes points to the change
    made to American audit standards in 1999, requiring companies to
    ensure that information used to prepare public accounts is adequately
    secured. This has been widely interpreted, with the backing of the
    White House's critical-infrastructure assurance office, to mean that a
    company's entire network must be secure.

    Similarly, the April 2003 deadline for protecting patients' medical
    information under the Health Insurance Portability and Accountability
    Act (HIPAA) has prompted health-care providers, pharmaceutical
    companies and insurers to re-evaluate and overhaul the security of
    their computers and networks. In one recent case, Eli Lilly, a drug
    maker, was accused of violating its own online privacy policy after it
    accidentally revealed the e-mail addresses of 669 patients who were
    taking Prozac, an anti-depressant. The company settled out of court
    with America's Federal Trade Commission and agreed to improve its
    security procedures. But once HIPAA's privacy regulations come into
    force, companies that fail to meet regulatory standards will face
    stiff financial penalties. The same sort of thing is happening in
    financial services, where security is being beefed up prior to the
    introduction of the Basel II bank-capital regulations.

    The growth of high-profile security breaches has also underlined the
    need to improve security. The number of incidents reported to Carnegie
    Mellon's computer emergency response team (CERT), including virus
    outbreaks and unauthorised system intrusions, has shot up in recent
    years (see chart 1) as the Internet has grown. The "Love Bug", a virus
    that spreads by e-mailing copies of itself to everyone in an infected
    computer's address book, was front-page news when it struck in May
    2000. Many companies, and even Britain's Parliament, shut down their
    mail servers to prevent it from spreading.

    There have been a number of increasingly potent viruses since then,
    including Sircam, Code Red and Nimda, all of which affected hundreds
    of thousands of machines. The latest, called Bugbear, struck only this
    month. Viruses are merely one of the more visible kinds of security
    problem, but given the disruption they can cause, and the widespread
    media coverage they generate, such outbreaks prompt people to take
    security more seriously.

    Fear, sex and coffee

    Spending on security technology grew by 28% in 2001 compared with the
    year before, according to Jordan Klein, an analyst at UBS Warburg. Mr
    Klein predicts that spending will continue to grow strongly over the
    next few years, from around $6 billion in 2001 to $13 billion in 2005
    (see chart 2). A survey carried out by Meta Group in August found that
    although only 24% of firms had increased their technology budgets in
    2002, 73% had increased their spending on security, so security
    spending is growing at the expense of other technology spending. This
    makes it a rare bright spot amid the gloom in the technology industry.

    Steven Hofmeyr of Company 51, a security start-up based in Silicon
    Valley, says his company is pushing at a wide-open door: there is no
    need to convince anyone of the need for security technology. Indeed,
    Nick Sturiale of Sevin Rosen, a venture-capital fund, suggests that
    security is already an overcrowded and overfunded sector. "Security is
    now the Pavlovian word that draws the drool from VCs' mouths," he
    says. Security vendors are really selling fear, he says, and fear and
    sex are "the two great sales pitches that make people buy

    So, a bonanza for security-technology firms? Not necessarily. The
    sudden interest in security does not always translate into support
    from senior management and larger budgets. A recent report from Vista
    Research, a consultancy, predicts that: "While the need to protect
    digital assets is well established, companies will pay lip service to
    the need to invest in this area and then largely drag their feet when
    it comes to capital spending on security."

    Even where security spending is increasing, it is from a very low
    base. Meta Group's survey found that most companies spend less than 3%
    of their technology budgets on security. Technology budgets, in turn,
    are typically set at around 3% of revenues. Since 3% of 3% is 0.09%,
    most firms spend more on coffee than on computer security, according
    to a popular industry statistic. The purse strings loosen only when
    companies suffer a serious security breach themselves, see one of
    their rivals come under attack or are told by auditors that lax
    security could mean they are compromising due diligence.

    Jobs on plates

    Mr Byrnes notes another factor that is impeding growth of the security
    market: a shortage of senior specialists. For much of the past year,
    he says, "There was more security budget than ability to spend it."
    John Schwarz, president of Symantec, a security firm, puts the number
    of unfilled security jobs at 75,000 in America alone. As a result, the
    security boom widely expected last year has yet to materialise. But Mr
    Hofmeyr reckons that the increase in security spending is just
    starting to kick in.

    Given the new interest in security, established technology firms,
    which have seen revenues plunge as firms slash technology spending in
    other areas, are understandably keen to jump on the bandwagon
    alongside specialist security vendors. Sun's advertisements boast: "We
    make the net secure." Oracle, the world's second-largest software
    firm, has launched a high-profile campaign trumpeting (to guffaws from
    security experts) that its database software is "unbreakable". Whether
    or not this is true, Oracle clearly regards security as a convenient
    stick with which to bash its larger arch-rival, Microsoft, whose
    products are notoriously insecure - hence Mr Gates's memo.

    It suits vendors to present security as a technological problem that
    can be easily fixed with more technology - preferably theirs. But
    expecting fancy technology alone to solve the problem is just one of
    three dangerous misconceptions about digital security. Improving
    security means implementing appropriate policies, removing perverse
    incentives and managing risks, not just buying clever hardware and
    software. There are no quick fixes. This survey will argue that
    digital security depends as much - if not more - on human cultural
    factors as it does on technology. Implementing security is a
    management as well as a technical problem. Technology is necessary,
    but not sufficient.

    A second, related misperception is that security can be left to the
    specialists in the systems department. It cannot. It requires the
    co-operation and support of senior management. Deciding which assets
    need the most protection, and determining the appropriate balance
    between cost and risk, are strategic decisions that only senior
    management should make. Furthermore, security almost inevitably
    involves inconvenience. Without a clear signal from upstairs, users
    will tend to regard security measures as nuisances that prevent them
    from doing their jobs, and find ways to get around them.

    Unfortunately, says Mr Charney, senior executives often find computer
    security too complex. "Fire they understand," he says, because they
    have direct personal experience of it and know that you have to buy
    insurance and install sensors and sprinklers. Computer security is
    different. Senior executives do not understand the threats or the
    technologies. "It seems magical to them," says Mr Charney. Worse, it's
    a moving target, making budgeting difficult.

    A third common misperception concerns the nature of the threat. Even
    senior managers who are aware of the problem tend to worry about the
    wrong things, such as virus outbreaks and malicious hackers. They
    overlook the bigger problems associated with internal security,
    disgruntled ex-employees, network links to supposedly trustworthy
    customers and suppliers, theft of laptop or handheld computers and
    insecure wireless access points set up by employees. That is not
    surprising: viruses and hackers tend to get a lot of publicity,
    whereas internal security breaches are hushed up and the threats
    associated with new technologies are often overlooked. But it sets the
    wrong priorities.

    Detective stories

    A final, minor, misperception is that computer security is terribly
    boring. In fact, it turns out to be one of the more interesting
    aspects of the technology industry. The war stories told by security
    consultants and computer-crime specialists are far more riveting than
    discussion of the pros and cons of customer-relationship management
    systems. So there really is no excuse for avoiding the subject.

    Anyone who has not done so already should take an interest in computer
    security. Unfortunately there is no single right answer to the
    problem. What is appropriate for a bank, for example, would be
    overkill for a small company. Technology is merely part of the answer,
    but it has an important role to play, so that is where this survey
    will start.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 01:29:39 PST