RealTime IT News

Network Security: Be Afraid, Be Very Afraid

NEW YORK -- There's a lot to be afraid of in the world of network security threats.

That was the general consensus of a diverse panel at Interop that included vendors, an analyst and an enterprise user. The panel agreed that NAC (network access control) isn't necessarily the solution and that much more needs to be done within enterprises themselves to properly understand the threats they face.

"I don't want to be a FUD [Fear. Uncertainty. Doubt.] dealer but the truth is there is quite a lot to be afraid of," Joshua Corman, host protection architect at ISS (Internet Security Systems), told the capacity crowd.

"It's time for a reset on education. You can't defend against what you don't understand."

According to Corman, network security professionals are all chasing vulnerabilities and compliance-related items. Hackers know this fact, too. The hackers know what you're doing.

"The bad guy is getting badder, the techniques better and the volume of badness worse," Elliott Glazer, director of security architecture and consulting at Depository Trust Clearing Corp., said. "We don't see solutions keeping pace."

The issue, though, isn't entirely about technology or even compliance; sometimes there may be too much technology in play.

Mike McKinnon, director of security of ProCurve Networking by HP, noted that his firm advises enterprises to start small when trying to figure out what they need.

The portion of the enterprise that is most vulnerable from a business perspective should be addressed first.

"It's one thing to pass an audit, it's another thing to be secure," McKinnon said.

Glazer agreed with McKinnon and added that his firm started out by putting a moratorium on buying more technology. Instead what he did was look at their own existing inventory of hardware, platforms, data and devices and look at the risk of each based on location.

Though NAC technologies are the topic of much buzz at Interop NYC, panelists weren't exactly buzzing about it.

"Be very careful when you're investigating NAC," Corman advised. "It's becoming the buzzword. Everybody says they've got a NAC solution but they really don't."

Corman also suggested the enterprises don't get educated purely by the vendors about what NAC can do.

"Some of the vendors had a product for something different, and then when NAC got hot it became a NAC solution," Corman said. "On this topic there is extreme exaggeration about what the capabilities are."

Glazer suggested that enterprises need to think about whether NAC is actually secure enough for their environments. He advised that even before an enterprise embarks on the NAC path they make sure they've already provisioned a secure environment.

He also noted that for his own enterprise, it's still a little bit too early for him to deploy NAC.

"You can be completely patched and up to date and still get infected by something," Corman said. "There is a fundamental assumption that NAC will make you safer. It won't make you immune though."

Forrester Research Security Analyst Paul Stamp pointed out another big threat, namely the inability of some enterprises to act.

In his experience, people justify security expenses only after they've experienced an incident within their own enterprise or are aware of one that their peers have had.

"Our biggest threats are CEOs, not rootkits," Stamp said somewhat sarcastically.

Glazer was somewhat more focused on where the threat lies and what makes him nervous.

"We're nervous about what we see; it's a more professional bad guy, code is getting better fast and that's scary," Glazer said.

"Combine that with targeted attacks, the attack is not going to be seen or known and also there are self-deleting attacks."

Amidst all that nervousness, Corman believes that there is also another contributing factor for network insecurity, and that might be coming from security vendors themselves.

In particular those that continue to push signature-based antivirus solutions.

"You're not getting the education from your trusted security advisors," Corman argued. "This is not a virus problem."

In the virus problem model there has to be a patient zero, the first person that gets infected, and then AV vendors can produce a signature.

According to Corman, criminals are writing tailored targeted viruses that may never hit more than patient zero.

"The AV model requires discovery," Corman said emphatically, "When it's a targeted attack, giving a signature is like giving a vaccine to a corpse."