http://www.baselinemag.com/article2/0,1540,2100136,00.asp

By John McCormick
March 15, 2007

Ed Amoroso, AT&T's chief security officer, is one of the nation's top computer security experts. He started his career at Bell Laboratories, where he worked on, among other things, Unix security, and since then has been involved in various aspects of defending computer networks. Today, he's charged with both securing the communication company's internal networks and overseeing the development of its computer security products. Amoroso is also an adjunct professor at Stevens Institute of Technology, where he teaches computer security, and is the author of several books on data protection. His latest is Cyber Security [1] (Silicon Press, 2006). He sat down recently with Baseline editor-in-chief John McCormick.

What are some of the major themes of your most recent book?

The first theme is that most enterprise security groups are pretty concerned that the security problem seems to be somewhat unbounded. A lot of CIOs will say: "Where is this all going? I [put] up a firewall in '95, and then I bought an intrusion detection system in '98, and then I bought antivirus and antispam in 2000. And then I bought DDoS [distributed denial of service] protection in 2002. And it seems like viruses and worms and botnet attacks and break-ins are just getting worse." And the question keeps arising: What can we do as a carrier?

What we've noticed over the last few years is we can see attacks as they occur. In 2003, I watched the Slammer worm happening. I was amazed. We just saw the anomalies on ports. Since then, we've basically watched in living color just about every named attack that you talk about in your magazine. We also noticed that we have the ability to mediate these types of things. We've started introducing firewall and intrusion detection right into the network; instead of doing it at the perimeter, we can stop different types of things in the network. You tell me what the policy is.
Instead of a firewall sitting at the edge of your enterprise, we join your VPN with firewall equipment and software that sits in the [network] clouds, virtualized. So, if you say I don't want [a particular service], well, we route your traffic through a complex that knows that. And I stop the packet long before it gets anywhere near your enterprise. And I think that revolutionizes the way networking works.

You also talk about software engineering. What's the problem there?

Software engineering, as a discipline right now, is shamefully broken. When you go to the university to study engineering, you see that electrical engineering and chemical engineering and mechanical engineering are grounded in science. Computing is all sort of wacky, because computer programming runs the gamut. If you're watching TV, a commercial will say, hey, you've got no job; you can take up small-appliance repair or hairdressing or computer programming. It's almost like computer programming is akin to fixing a toaster, in terms of the skills that are needed. So software, right now, across the board, is somewhat a victim to the fact that the software engineering profession needs to have more attentiveness. And this is an issue for academia. Even in terms of the way businesses are run and operated, we need to rethink the way software's developed. We need to start rethinking the way we train software engineers. What do I.T. people spend a lot of their time doing? Patching operating systems. Every month their whole place comes to a grinding halt, and everybody patches everything in sight, [like] putting duct tape on an engine.

What's the reason? Who's to blame?

You can't really blame any company, or the industry, but it's important now for security officers and CIOs to start recognizing that we have to start steering the Queen Mary in a different direction. One way to do it is fewer features. So, you need to be more demanding of features. Feature creep is out of control.
Second, the issue of system administration around software is something that we should all be somewhat ashamed of. The system administrative burden is pretty significant. I'm sure that everyone you know, every family member, they're all system administrators. My kids systems-administer one of the machines at home. That's kind of an amazing burden on people, and it's remarkably easy to mis-administer some things. So, what we see in the AT&T network is that these mis-configurations, including modifying patches, result in your computer very easily being taken over by a bot controller. Our measurements suggest that on any given day, there are a minimum of 10 million machines that are exhibiting some type of scanning behavior. They've been taken over. There is a bot that exploited a vulnerability that wasn't patched.

So, who do you blame for that? You could blame the system administrator. But that's a little hollow. You could blame the software companies, but that's a little difficult, because the software companies are just a reflection of the software engineering discipline. So, what do you do? You need to just have a collective sigh that this is an immature discipline that's got to grow up. And one of the ways it can grow up, I believe, is that the carrier can step in and do some things. For example, a PC that's spewing [out] a bunch of garbage. Your cable or DSL [provider] can see that. And they could do volume metrics on your PC. I don't mean look at your sensitive data - they could care less about that. But look and see, for example, that from 2 a.m. to 6 a.m., for the last 300 nights, there's almost no traffic; then all of a sudden, they start to see bursts of [computer port] scanning coming out of your PC. They could stop it [if it's in] the service-level agreement that they have with you.

Why isn't that done today?

It's partly because they know that you, as a customer, would probably be nervous about them blocking things.
You'd say, "Look, it's not that I think you're trying to do anything funny. I'm just afraid I'm going to be trying to Google 'dinosaurs' to help my son with his report, and you're going to be blocking it or something." [But] if we can get to the point where a consumer or business people feel more comfortable having the carrier do more security, and the security ranges from stopping spam to stopping a denial-of-service attack to calling you when there's fraud or something, then that's good for everybody.

That's a shift in security - and privacy.

If the carrier sees any really nasty traffic being aimed at your PC, like a botnet attack, for us to say we're going to characterize that and block it and notify you, it's hard to even conceive of any potential privacy issue there whatsoever. When toll fraud was becoming an issue in the '70s, the solution to toll fraud was simply that when you made an [initial] international call, you would be put into a grouping of people who just made their first international call. Let's say you called Albania. That call got put into a database. And if [right after that] you made another call to Albania, it would trip off an operator who [would] then call you up and say, "Hey, do you mean to be calling Albania? We noticed this odd calling pattern." And for decades, I don't think they ever had anybody complain about privacy in that scenario.

In the Internet era, people have a different concept. A phone bill is a list of calls that you've made. How would you feel if your ISP gave you a URL bill with the sites that you visited? Nobody would want that. People would be aghast at the "privacy" implications.

Our feeling is that the total cost of ownership for a CIO or CSO or CISO, at the perimeter, has been rising. There wasn't even a perimeter 10 years ago, except routers, maybe, doing a little bit of packet filtering.
We went from that to now, where some banks here in New York City have teams of 200 people that do nothing but police the enterprise. So, whether you would consider that a problem situation or not, it's certainly something that has the attention of a CIO, because the CIO would ask, "What am I getting out of this?"

What does a CIO get out of all this?

The first [thing] is that all the equipment that would correspond to firewall, IDS filtering, URL, antispam, threat management security, information management, all that capital and all those licenses can, in some sense, vanish, because by virtualizing that in the network, we keep the capital. We keep the hardware. The second thing is that most CIOs will pick an antivirus tool. And usually, there are 10 pluses and four minuses for this vendor, 13 pluses and two minuses for this other vendor, and so on. It's more pluses and fewer minuses. But there are still minuses there. A carrier can give you the best of everything, because there's always a horse race with vendors. And we can make sure that you're always getting the latest and greatest: updates, signatures, any type of configuration change that needs to be done on a daily basis.

Has AT&T been offering these services for a while?

Yes, for some time. They're all different services.

And you're using these tools inside the company?

I have an initiative to use all those things to protect us.

AT&T must be a huge target for hackers.

There isn't a carrier on this planet that's not attacked.

How often are you attacked?

You have to go by the definition of "attack." The first thing is that anybody who's ever done security and thought about it for more than an hour realizes that it's impossible to say "I measure all my attacks," because sometimes, there's an attack that you don't see. I mean, it's insiders or others [who] might, you know, successfully attack you. But knock wood: We haven't had a security event that has caused significant widespread problems for customers.
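Added example, not code from the article, from AT&T or from Amoroso: a Python sketch of the two carrier-side detections he describes above, the nightly traffic baseline that makes a burst of port scanning stand out (the "2 a.m. to 6 a.m., for the last 300 nights" passage) and the 1970s toll-fraud rule that pairs a subscriber's second call to a never-before-called country with the first one. The flow records, call records, quiet-hour window, thresholds and the 24-hour pairing window are all constructed assumptions; only the shape of the two rules comes from the interview.

```python
# Added example (not from the article or AT&T): two carrier-side detections
# sketched in the interview, run over constructed records.
from collections import defaultdict
from datetime import date, datetime, timedelta

# --- 1. Nightly baseline vs. port-scan burst (the 2 a.m. to 6 a.m. sketch) ---
# Flow record: (timestamp, src_ip, dst_ip, dst_port). The quiet-hour window,
# thresholds and history length are assumptions, not figures from the article.
QUIET_HOURS = range(2, 6)

def baseline_targets(history, src, nights):
    """Mean number of distinct (dst, port) pairs src touched in each quiet
    hour, averaged over every night in `nights` (a silent night counts as 0)."""
    per_slot = defaultdict(set)
    for ts, s, dst, port in history:
        if s == src and ts.hour in QUIET_HOURS:
            per_slot[(ts.date(), ts.hour)].add((dst, port))
    return {h: sum(len(per_slot[(d, h)]) for d in nights) / len(nights)
            for h in QUIET_HOURS}

def scan_bursts(tonight, src, baseline, min_targets=20, factor=5):
    """Quiet hours in which src fanned out to many distinct targets and far
    exceeded its own baseline: the fan-out signature of a bot scanning."""
    targets = defaultdict(set)
    for ts, s, dst, port in tonight:
        if s == src and ts.hour in QUIET_HOURS:
            targets[ts.hour].add((dst, port))
    return sorted(h for h, t in targets.items()
                  if len(t) >= min_targets and len(t) > factor * baseline[h] + 1)

def demo_scan():
    src = "203.0.113.7"  # constructed subscriber address
    nights = [date(2007, 1, 1) + timedelta(days=i) for i in range(300)]
    # 300 quiet nights: a single NTP exchange at 03:05, nothing else.
    history = [(datetime(d.year, d.month, d.day, 3, 5), src, "198.51.100.1", 123)
               for d in nights]
    # Tonight: 50 different hosts probed on TCP/445 during the 03:00 hour.
    tonight = [(datetime(2007, 10, 28, 3, m), src, f"192.0.2.{m}", 445)
               for m in range(1, 51)]
    return scan_bursts(tonight, src, baseline_targets(history, src, nights))

# --- 2. The toll-fraud rule: second call to a never-before-called country ---
# Call record: (timestamp, subscriber, destination country).
def repeat_new_destination(calls, window=timedelta(hours=24)):
    """Alert on a subscriber's second call to a country they had never called
    before when it follows the first within `window`; after the alert the
    country counts as established (the operator would have confirmed it)."""
    first_call = defaultdict(dict)  # subscriber -> {country: time of first call}
    established = defaultdict(set)
    alerts = []
    for ts, sub, country in sorted(calls):
        if country in established[sub]:
            continue
        seen = first_call[sub].get(country)
        if seen is not None and ts - seen <= window:
            alerts.append((sub, country, ts))
            established[sub].add(country)
        else:
            first_call[sub][country] = ts  # first call, or one too old to pair with
    return alerts

def demo_toll():
    calls = [  # constructed call records
        (datetime(2007, 3, 1, 10, 0), "alice", "Albania"),
        (datetime(2007, 3, 1, 10, 20), "alice", "Albania"),  # pairs with the 10:00 call
        (datetime(2007, 3, 1, 10, 30), "alice", "Albania"),  # already established
        (datetime(2007, 3, 1, 9, 0), "bob", "Albania"),
        (datetime(2007, 3, 4, 9, 0), "bob", "Albania"),      # three days later: no alert
    ]
    return repeat_new_destination(calls)

if __name__ == "__main__":
    print("scan burst in hours:", demo_scan())
    print("toll-fraud alerts:", demo_toll())
```

Both rules look only at who talked to whom and when, never at payload, which is the distinction Amoroso draws between volume metrics and "your sensitive data". The scan rule deliberately keys on distinct (host, port) fan-out rather than raw byte counts, because a bot's scanning is many small probes to many targets and would hide under a bytes-only threshold.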
Copyright (c) 2007 Ziff Davis Media Inc. All Rights Reserved.

[1] http://www.amazon.com/exec/obidos/ASIN/0929306384/c4iorg