As told to Anil Chopra by Mark Bregman, CTO Symantec Corporation
Think about how security threats are evolving. We've moved beyond flashy
viruses to cybercrime, and as a result, one of the challenges is that people are
not aware of it. Most of them don't read the headlines about hundreds of
computers being infected, and therefore let down their guards. The second thing
is that in many cases the threat is no longer against the infrastructure, or the
system. The idea used to be to disable the computer via a Denial of Service
attack. Now it's against the actual information. Most criminal behavior today is
not to shut down the system, but rather to try to get in there without your
knowing about it and then take the information. These two issues make the
problem quite difficult and interesting.
There's actually a third level that we're trying to touch, called the
security of interactions. One of the nice things when we meet somebody face to
face is that we know something about each other even without saying anything. On
the Internet, however, you can't tell anything, which makes it much more
difficult to have certain kinds of interactions, even social interactions. So we
have to continue protecting the infrastructure, which is necessary but not
sufficient. We also have to protect the information and interactions, which is
where security is moving.
We also have an important role in educating the public about what the threat
really is. When I was a kid in the US, there was a big government-funded effort to
teach kids about physical crime. They used to have a cartoon dog, McGruff, and
the ads were aimed at “taking a bite out of crime”. The messages were like “make
sure you lock the house, don't talk to strangers, etc”. All these things nobody
thought about a generation before because there wasn't a threat. In the cyber
world however, it's happening much more quickly. We have a lot of challenges to
teach people. We want to make sure our technology is less intrusive, has less
impact on resources, is more protective and also provides more education and
guidance to users. So you'll see technologies like white listing and things like
warning a user about websites. We don't tell you to go to the website, but warn
you that it's a little dangerous if you do go. Or if you get an email, verify
this is the sender. Those kinds of things are getting the information and
interaction layer involved and not just the infrastructure layer.
What's interesting is that just a few years ago, the security industry
thought that the problem was solved. This was similar to the medical world,
where vaccinations were discovered for smallpox, measles, and polio, and we
thought that it was almost solved. But then AIDS came along, and other more
dreadful things came along. A similar problem exists in the cyber world, where
as we were solving a particular problem, the threat changed dramatically. This
is a resurgent era of innovation in security: white listing, endpoint management
as linked to security, data loss prevention and data classification. Another
thing that will emerge in the next few years is robust enterprise rights
management.
Is white listing the way forward?
It's part of the way. The challenge is that in the last 12 months, we've created
more black signatures than in the whole history of the company before. That's
ridiculous, and it's getting worse. At a certain point, there's so much malware
that you almost can't keep up. This requires a change of strategy. Instead of
finding malware, list the good ware, which is called white listing. That also
has a lot of challenges. For instance, if you think about whether Windows should
be white listed, then you have to keep in mind that Windows is different on
every machine. It varies depending upon patches applied, drivers and lots of
different things. It's a very complex problem for white listing to resolve, but
is probably the right approach. Another advantage of white listing for companies
is that apart from malware, they can also choose to block other things that they
don't want. You can't do that with a black list, because we're not going to put
it on the black list. Another advantage of white list is that you can manage
what is used on the endpoint. It's not going to eliminate a black list. Just
because you have a white list and we know what's OK to let in doesn't mean we
want all the pipes clogged with bad stuff. So we still want to block that where
we can, just to keep the signal-to-noise ratio reasonable, otherwise, we'll be
flooded with malware. It won't come in, but it will still cause problems on the
network and everywhere.
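The allow-plus-block arrangement described in this answer, as an added example that is not Symantec's code and makes no claim about how any product implements it: a policy check that drops known-bad hashes first (the signal-to-noise point), then admits only what is on the allow list, and falls back to a publisher rule so that a patched copy of an OS component, whose hash differs from machine to machine, is not blocked outright. The binaries, hashes, signer name and paths are all constructed for the example.

```python
"""Hash-based application allowlisting with a blocklist pre-filter.

Illustration only: not Symantec code. Every binary, hash, signer and path
below is constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ExecEvent:
    """One attempted program launch as an endpoint agent would report it."""
    path: str
    sha256: str
    signer: Optional[str] = None   # publisher from a code-signing cert, if any


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents (a real agent hashes the file on disk).
NOTEPAD_RTM = b"notepad build 6.1.7600"
NOTEPAD_PATCHED = b"notepad build 6.1.7601"   # same program after a patch: new hash
KEYLOGGER = b"constructed known-bad sample"
UNKNOWN_TOOL = b"constructed unknown tool"

# Known-bad hashes: checked first so obvious malware never reaches the later rules.
BLOCKLIST = {sha256_of(KEYLOGGER)}

# Exact-hash allow list: precise, but brittle for components that change per machine.
ALLOWLIST_HASHES = {sha256_of(NOTEPAD_RTM)}

# Publisher rule (hypothetical signer name): stable across patch levels and driver
# variants, which is what makes allowlisting an OS like Windows tractable.
ALLOWLIST_SIGNERS = {"Example OS Vendor"}

# Organisation policy: not malware, just not wanted. A pure block list cannot
# express this because the vendor would never put such software on it.
ORG_DENIED_PREFIXES = ("C:\\Games\\",)


def decide(ev: ExecEvent) -> Tuple[str, str]:
    """Return (verdict, reason) for one execution attempt. Default is BLOCK."""
    if ev.sha256 in BLOCKLIST:
        return ("BLOCK", "known-bad hash")
    if ev.path.startswith(ORG_DENIED_PREFIXES):
        return ("BLOCK", "denied by organisation policy")
    if ev.sha256 in ALLOWLIST_HASHES:
        return ("ALLOW", "allowlisted hash")
    if ev.signer in ALLOWLIST_SIGNERS:
        return ("ALLOW", "allowlisted signer: " + ev.signer)
    return ("BLOCK", "not on allow list")


def summarize(events) -> dict:
    """Count verdicts by reason, the kind of tally an admin reviews when tuning lists."""
    counts: dict = {}
    for ev in events:
        verdict, reason = decide(ev)
        counts[(verdict, reason)] = counts.get((verdict, reason), 0) + 1
    return counts


if __name__ == "__main__":
    sample = [
        ExecEvent("C:\\Windows\\notepad.exe", sha256_of(NOTEPAD_RTM)),
        ExecEvent("C:\\Windows\\notepad.exe", sha256_of(NOTEPAD_PATCHED)),
        ExecEvent("C:\\Windows\\notepad.exe", sha256_of(NOTEPAD_PATCHED), "Example OS Vendor"),
        ExecEvent("C:\\Temp\\svc.exe", sha256_of(KEYLOGGER), "Example OS Vendor"),
        ExecEvent("C:\\Games\\solitaire.exe", sha256_of(UNKNOWN_TOOL), "Example OS Vendor"),
        ExecEvent("C:\\Temp\\tool.exe", sha256_of(UNKNOWN_TOOL)),
    ]
    for ev in sample:
        print(ev.path, *decide(ev))
    print(summarize(sample))
```

The ordering matters: the block list runs before the signer rule so that a known-bad file carrying a valid-looking signer field is still rejected, and the organisation-policy rule runs before the allow rules so that unwanted-but-benign software is denied even when its publisher is trusted. The unsigned patched notepad is blocked by default, which is exactly the per-machine variance problem the answer describes; the signer rule is one way to absorb it.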
Technologies to combat cyber terrorism
You have to think about what is cyber terrorism, because there's cyber crime,
and we all know what it is: stealing information, money, etc. Terrorism is
traditionally different from crime. When terrorists go and blow something up,
they're not doing it for economic gain. And so, cyber terrorism is distinct from
terrorism in the physical world, which is different from crime. In the cyber
world, it's more similar, because what the cyber terrorists are doing is mostly
using IT to gain money or information, and to some extent they're doing crude
things that are equivalent to blowing things up, like Denial of Service attacks.
But it's not very effective, so the real question we have is if we can really
fight cyber crime, we can mostly resolve cyber terrorism. Will there be
terrorist groups or cyber war activity trying to cause DoS? Probably. We saw
this in Georgia recently, and in Estonia a year ago, but the really interesting
problem is arguably, that terrorist groups like Al Qaida are highly enabled by
the Internet. So the same tools you use to fight cyber crime mostly will be
effective there.
Changing face of cyber criminals
One thing that has changed over the last few years is that cyber crime has
become a business. In a lot of criminal activities in the physical world, it's
also become a business. If you want to be a criminal, you don't have to
personally go out and make drugs or kill people. You can hire a business
organization that does that. The same thing has happened in the cyber world. If you
want to be a cyber criminal, you don't have to be an expert hacker. You can go
and find expert hackers that can sell you the tools. You can go and rent time in
a botnet. It's organized crime, and that's one of the things that makes it highly
scalable.
When it required you to be a really smart programmer to be a criminal, it
kind of limited the number of criminals. Now the few really smart criminal
programmers can have their results amplified because they can sell their tools.
So it becomes a real criminal enterprise as opposed to individual criminals.
Who are the criminals?
I'm not worried about the general/casual programmer who couldn't be
successful as a programmer so became a criminal. The worrying lot are the evil
geniuses, a few that are really smart but applying their intelligence in a bad
way. In the past, they could only attack what they could personally do. Now they
can make their capability available to many other criminals. That's why it's
scaling up so fast, and it's only a part of the problem. The level of
sophistication has been raised to a very high level. Today if you really wanted
to create an attack, it's much harder, but there are still people who can do it.
One challenge in understanding security is to understand its economics. It's
easy to think of it as black and white: either it's secure or not secure, but
that's the wrong way to think about it. You have a lock on your door at your
house that prevents people from getting in, but a professional lockpicker could
still get in. But that doesn't really worry you because you may not have things
that are so valuable that make it worthwhile for him to do that. More
importantly you would say that if somebody had such skills, then they would
attack maybe your neighbor's house because he has more stuff. Someone else is a
better target. You've raised the level of protection to the economically
important level and then you stop. You don't have cameras on the door, an
electrified fence, or bars on windows. All those things could make it more
secure, but it's not worth it. In the cyber security world, we have to think of
the same things. If I'm trying to protect my personal data on my PC, I need to
make it only hard enough so that it's just not worth the efforts. However, if
I'm trying to protect corporate information, then it's more worthwhile for a
criminal. Likewise, if I'm protecting nuclear secrets of my government, then that has
to be protected even more strongly.
Therefore, having an understanding of the right level of protection is
important, and the mistake that's often made in the public mind about security
is that “I need security”, as if it's black and white. It's not black and white.