Security Outlook Today

PCQ Bureau

As told to Anil Chopra by Mark Bregman, CTO Symantec Corporation

Think about how security threats are evolving. We've moved beyond flashy viruses to cybercrime, and as a result, one of the challenges is that people are not aware of it. Most of them don't read the headlines about hundreds of computers being infected, and therefore let down their guard. The second thing is that in many cases the threat is no longer against the infrastructure, or the system. The idea used to be to disable the computer via a Denial of Service attack. Now it's against the actual information. Most criminal behavior today is not to shut down the system, but rather to try and get in there without your knowing about it and then take the information. These two issues make the problem quite difficult and interesting.

There's actually a third level that we're trying to touch, called the security of interactions. One of the nice things when we meet somebody face to face is that we know something about each other even without saying anything. On the Internet, however, you can't tell anything, which makes it much more difficult to have certain kinds of interactions, even social interactions. So we have to continue protecting the infrastructure, which is necessary but not sufficient. We also have to protect the information and interactions, which is where security is moving.

We also have an important role in educating the public about what the threat really is. When I was a kid in the US, there was a big government-funded effort to teach kids about physical crime. They used to have a cartoon dog, McGruff, and the ads were aimed at “taking a bite out of crime”. The messages were like “make sure you lock the house, don't talk to strangers, etc.” All these things nobody thought about a generation before because there wasn't a threat. In the cyber world, however, it's happening much more quickly. We have a lot of challenges to teach people. We want to make our technology less intrusive, have less impact on resources, be more protective and also provide more education and guidance to users. So you'll see technologies like white listing and things like warning a user about websites. We don't tell you not to go to the website, but warn you that it's a little dangerous if you do go. Or if you get an email, verify that this is the sender. Those kinds of things are getting the information and interaction layer involved and not just the infrastructure layer.

What's interesting is that just a few years ago, the security industry thought that the problem was solved. This was similar to the medical world, where vaccinations were discovered for smallpox, measles, and polio, and we thought that it was almost solved. But then AIDS came along, and other more dreadful things came along. A similar problem exists in the cyber world, where as we were solving a particular problem, the threat changed dramatically. This is a resurgent era of innovation in security: white listing, endpoint management as linked to security, data loss prevention and data classification. Another thing that will emerge in the next few years is robust enterprise rights management.

Is white listing the way forward?

It's part of the way. The challenge is that in the last 12 months, we've created more black signatures than in the whole history of the company before. That's ridiculous, and it's getting worse. At a certain point, there's so much malware that you almost can't keep up. This requires a change of strategy. Instead of finding malware, list the good ware, which is called white listing. That also has a lot of challenges. For instance, if you think about whether Windows should be white listed, then you have to keep in mind that Windows is different on every machine. It varies depending upon patches applied, drivers and lots of different things. It's a very complex problem for white listing to resolve, but it is probably the right approach. Another advantage of white listing for companies is that apart from malware, they can also choose to block other things that they don't want. You can't do that with a black list, because we're not going to put it on the black list. Another advantage of a white list is that you can manage what is used on the endpoint. It's not going to eliminate a black list. Just because you have a white list and we know what's OK to let in, it doesn't mean we want all the pipes clogged with bad stuff. So we still want to block that where we can, just to keep the signal-to-noise ratio reasonable; otherwise, we'll be flooded with malware. It won't come in, but it will still cause problems on the network and everywhere.
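The two-list policy described above, as an added example that is not part of the interview or Symantec's product code: the allowlist decides what may run and everything unknown is denied by default, while a blocklist is kept only so known malware is dropped cheaply instead of piling into the queue of unknowns an administrator has to review. The sample "executables" are constructed byte strings standing in for files on disk.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"                      # on the allowlist: known good, may run
    BLOCK_KNOWN_BAD = "block-known-bad"  # on the blocklist: rejected early, no review needed
    BLOCK_UNKNOWN = "block-unknown"      # on neither list: default deny, queued for review


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables (assumption: a real deployment hashes files on disk).
GOOD_TOOL = b"MZ\x90\x00constructed-known-good-tool"
BAD_TOOL = b"MZ\x90\x00constructed-known-malware"
NEW_TOOL = b"MZ\x90\x00constructed-never-seen-program"

ALLOWLIST = {sha256_hex(GOOD_TOOL)}  # hypothetical known-good inventory
BLOCKLIST = {sha256_hex(BAD_TOOL)}   # hypothetical known-bad signatures


def evaluate(data: bytes) -> Verdict:
    """Allowlist-driven decision; the blocklist only short-circuits known malware."""
    digest = sha256_hex(data)
    if digest in BLOCKLIST:
        return Verdict.BLOCK_KNOWN_BAD
    if digest in ALLOWLIST:
        return Verdict.ALLOW
    return Verdict.BLOCK_UNKNOWN


def triage(samples):
    """Run a batch through the policy; return verdict counts and the hashes needing human review.

    Known-bad samples never reach the review queue, which is the signal-to-noise
    benefit of keeping a blocklist alongside the allowlist.
    """
    counts = {verdict: 0 for verdict in Verdict}
    review_queue = []
    for data in samples:
        verdict = evaluate(data)
        counts[verdict] += 1
        if verdict is Verdict.BLOCK_UNKNOWN:
            review_queue.append(sha256_hex(data))
    return counts, review_queue


if __name__ == "__main__":
    print(triage([GOOD_TOOL, BAD_TOOL, NEW_TOOL, BAD_TOOL]))
```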

Technologies to combat cyber terrorism

You have to think about what cyber terrorism is, because there's cyber crime, and we all know what it is: stealing information, money, etc. Terrorism is traditionally different from crime. When terrorists go and blow something up, they're not doing it for economic gain. And so, cyber terrorism is distinct from terrorism in the physical world, which is different from crime. In the cyber world, it's more similar, because what the cyber terrorists are doing is mostly using IT to gain money or information, and to some extent they're doing crude things that are equivalent to blowing things up, like Denial of Service attacks. But it's not very effective, so the real question we have is that if we can really fight cyber crime, we can mostly resolve cyber terrorism. Will there be terrorist groups or cyber war activity trying to cause DoS? Probably. We saw this in Georgia recently, and in Estonia a year ago, but the really interesting problem, arguably, is that terrorist groups like Al Qaida are highly enabled by the Internet. So the same tools you use to fight cyber crime will mostly be effective there.

Changing face of cyber criminals

One thing that has changed over the last few years is that cyber crime has become a business. In a lot of criminal activities in the physical world, it's also become a business. If you want to be a criminal, you don't have to personally go out and make drugs or kill people. You can hire a business organization that does that. The same thing has happened in the cyber world. If you want to be a cyber criminal, you don't have to be an expert hacker. You can go and find expert hackers that can sell you the tools. You can go and rent time in a botnet. It's organized crime, and that's one of the things that makes it highly scalable.

When it required you to be a really smart programmer to be a criminal, it kind of limited the number of criminals. Now the few really smart criminal programmers can have their results amplified because they can sell their tools. So it becomes a real criminal enterprise as opposed to individual criminals.

Who are the criminals?

I'm not worried about the general/casual programmer who couldn't be successful as a programmer so became a criminal. The worrying lot are the evil geniuses, a few that are really smart but applying their intelligence in a bad way. In the past, they could only attack what they could personally do. Now they can make their capability available to many other criminals. That's why it's scaling up so fast, and it's only a part of the problem. The level of sophistication has been raised to a very high level. Today if you really wanted to create an attack, it's much harder, but there are still people who can do it.

One challenge in understanding security is to understand its economics. It's easy to think of it as black and white: either it's secure or not secure, but that's the wrong way to think about it. You have a lock on your door at your house that prevents people from getting in, but a professional lockpicker could still get in. But that doesn't really worry you because you may not have things that are so valuable that they make it worthwhile for him to do that. More importantly, you would say that if somebody had such skills, then they would attack maybe your neighbor's house because he has more stuff. Someone else is a better target. You've raised the level of protection to the economically important level and then you stop. You don't have cameras on the door, an electrified fence, or bars on windows. All those things could make it more secure, but it's not worth it. In the cyber security world, we have to think of the same things. If I'm trying to protect my personal data on my PC, I need to make it only hard enough so that it's just not worth the effort. However, if I'm trying to protect corporate information, then it's more worthwhile for a criminal. Likewise, if I'm protecting nuclear secrets of my government, then that has to be protected even more strongly.

Therefore, having an understanding of the right level of protection is important, and the mistake that's often made in the public mind about security is that “I need security”, as if it's black and white. It's not black and white.
