RSA Reminds Us to Fight The Good Fight


SAN FRANCISCO — No matter where I go around here, people ask me what I
think of this year’s RSA Conference. I tell them this is my first RSA show, so I don’t know what to compare it to.

But that’s a bald-faced lie. I have repeatedly copped out with that answer. I do have an opinion.


Here’s my impression, my bottom line, my conclusion from spending five days
talking to vendors and customers about security until we were all blue in
the face: Based on the information I took in this week, I believe that we are ultimately treading water when it comes to computer security, waiting for the next wave to drag us under.


But we need to keep trying to stem the tide.


I think it’s great that Microsoft CardSpace is going to work
with OpenID.


It’s great that the world’s most powerful software vendor is going to
support an open source specification that lets anyone identify
themselves on the Internet, much like Web sites do with a URL.


I think EMC buying
RSA (and with that, this show) and IBM buying
Internet Security Systems and BT buying
Counterpane and Websense buying
PortAuthority and Microsoft buying
Whale Communications are all fine moves.


I believe in network access control, intrusion prevention systems,
anti-malware, identity management. I put stock in encrypting data in transit
and data at rest.


The deals, innovations and ideologies indicate that security is a serious
problem that vendors want to generate more dollars from trying to fix.


Industry luminaries Bill Gates, Howard Schmidt and Bruce Schneier convinced
me that they understand the problems and flaws with computer security. They
all spoke eloquently about the need for solutions that can adapt to quickly
morphing threats.


Caveat: None of them convinced me they have the answer. And that’s because
there is no answer. Our computers will never be airtight.


Maybe I’m a tad frustrated. Maybe I’m a bit jaded because my friend had to
change her bank account number because TJX had a massive data breach.


Bottom line: we’re still screwed. Whether you use IBM’s Tivoli identity
management products or Oracle’s identity management software or VeriSign’s
digital certificates, you’re always going to be at risk of getting your
information pilfered.


What is wrong with me? Why have I come to such a dire conclusion? Isn’t RSA
supposed to be the show that leaves us feeling better about the safety of our
personal or privileged information?


Aren’t we supposed to sleep better at night after hearing Microsoft’s Bill Gates, EMC RSA’s Art Coviello, Symantec’s John Thompson, Oracle’s Larry
Ellison proxy Hasan Rizvi and CA’s John Swainson talk about how we need to
shore up our PC defenses?


We are, I think. But I don’t. I worry more because the threats to computer
security are legion and always changing. Like mutating viruses, really.


Bruce Schneier, CTO for BT Counterpane, said he was trying to think of a major security attack in 2006 and couldn’t come up with any one specific incident.

That’s when it hit him that attacks are becoming reported so frequently that they hardly make big news anymore.


“A lot of these attacks are now so frequent that they are not big news,”
Schneier told about 50 RSA attendees at a luncheon Wednesday afternoon.
“That’s not good for two reasons. Not good because they’re more common and
because our bosses won’t read about them in the Wall Street Journal.”


He also said we’re seeing more massive, targeted attacks. This is, of
course, a frightening observation. There’s just something sinister and nasty
about some stranger coming after my credit card number through your
computer.


“Spammers are actually targeting attacks to ZIP codes,” Schneier said.
“They’re actually doing marketing. The normal spam platform is not just a
spammed computer, it’s a hacked computer so it’s actually only good for a
limited time.


“The attacks are also now more stealthy. The attacks that drop computers and
make news are the exception. The attacks that take over our computers and
turn them into bots are much more common.”


I actually have to stop and think: would I rather be mugged on the street,
or have my bank account information compromised by a hacker a world away?
I’ll have to think about that but the bottom line is that Schneier’s comments scared
me.



I took no comfort in hearing his prognostications about how the world will
continue to be plagued by crimeware and its creators. Or that the changing
nature of Web and computer threats will continue.


Consider what Thomas Noonan, co-founder of Internet Security Systems, said
in his keynote speech Wednesday night:


“We know that the threat spectrum will continuously change and
evolve … next-generation security cannot be a single threat vector reactive
signature architecture.


We know that our infrastructure will always be vulnerable to
something … next-generation security must be enabled by core vulnerability
detection systems that intelligently monitor every aspect of our
infrastructure.


We know that bad actors will forever attempt to access our sensitive
information. So, we know that seamlessly managing and monitoring identity
and enforcing access, while protecting data sources are essential to
managing risk.”


Noonan’s solution?


“We must look beyond the silo model and seek answers to the problem from an
enterprise perspective, taking a systems-level approach to managing the
real-time coordination and control of threats, vulnerabilities and
identities while ensuring that access is a privilege into our sensitive
information and not a de facto right.”


Noonan is talking about providing security on demand — the
IBM way.


Whether it’s on demand, on target, or on steroids, security
technologies will never be good enough. We’re all just prolonging the
agony, just trying to get by and keep our computers online and in line.


I’ll use the same argument that startups claim when they tell me how they compete
with the big guys. They say they compete and win accounts because they are
smaller and more nimble; they are more flexible and can adjust to meet
customer demands.


I say hackers and virus creators are nimble in a similar fashion. One person
can stop the Internet in its tracks, striking quick and heading to the
top of the volcano to watch the lava sear everything in its path.


Take your basic database breach, usually triggered by some cowardly sneak
trying to skim some bucks from innocent victims, or teach us the already
well-known lesson that our data isn’t safe.


Teams of opportunistic, malevolent Internet predators plague us, too, taking
a little bit of knowledge about us and milking it to bilk us.


Howard Schmidt, who has worked to improve security measures for Microsoft,
eBay and the United States (okay, a bit of name-dropping here, but if anyone
is qualified to explain how screwed we are, wouldn’t he be top of mind?)
told me about a variation of the Nigerian e-mail scam that uses a customized approach to dupe victims into coughing up
dollars to get more dollars.


Those social networks you love so much? MySpace and Facebook? Consider them
hackers’ shopping malls for learning more about you so they can concoct more
realistic scams.


The rub is this: whether you’re using NAC, IPS, data leakage software,
anti-malware, identity management or a complex combination of all of them,
you’re still at risk. You may be complying with Sarbanes-Oxley and HIPAA,
but at the end of the day, you’re still at risk.


Enterprising hackers will find a way. They always do. And they always will.


Depressed? Has your anger turned inward? Want to throttle me silly?


I’m not advocating that we don’t need security appliances or encryption
software. We need these things very much. Like the suburban soccer mom
hurtling around town in a tank-like Escalade, we feel spending more money to
protect our personal assets is the way to go.


Just don’t get too comfortable or confident with security technology; the
moment “good programmers” create security applications or gateways, the
“dark side” or malicious contingent of humanity will flip over the hour
glass and begin poking around to find vulnerabilities.


Trustworthy Computing. Security on-demand or as a service. Pick your
paradigm. Buy into it wholesale to suit your business model. But make no
mistake: The definitive computer security model will forever elude us.


Why?


Gates, Noonan, Thompson and others relentlessly drilled this lesson into RSA
attendees: Threats keep changing in shape and form, and they are always
darting into the shadows, remaining just out of reach.


With our identities and ability to work online at stake, we need to keep
chipping away. We need to remind ourselves to keep fighting the good fight.

Clint Boulton is managing editor of internetnews.com.
