

when ARPAnet was paralyzed by widespread buffer crashes, it was still possible to shut down and reboot each node. Today’s interconnections mean recovering from pervasive failure is far more difficult. A complicating aspect of this that Anderson points out is escalating complexity. “When we were kids all mechanisms were – in principle and in practice – comprehensible by an intelligent ten-year-old”, he says. “Now you can’t do that. You need to come to [university] for three years, and at the end of it you have a vague outline of how the world works underneath.”


The Human Elements

This escalating complexity has several implications for security. In an increasingly automated world, decisions affecting millions of lives may be made by algorithms that only a handful of people really understand (as Woodrow Hartzog noted at the recent We Robot conference at the University of Miami). “The idea of building security in seamlessly is largely a myth”, says Neumann. “When something goes wrong, we typically don’t have a clue what’s needed.” Watch your kids’ response to uncertainty: today’s answer when anything goes wrong with a machine is to turn it off and back on again. That’s no way to fix a security hole – if you even know it’s there. The Verizon report notes that 92% of victims had no idea they had experienced a breach until being informed by law enforcement. In a 2009 lecture he says is still current, Bruce Schneier (like Anderson and Ari Juels, the head of research at RSA Data Security) argued that security products will vanish into the infrastructure services we buy, rather than being sold directly to end users. For Schneier, that’s a sign of a maturing industry: “You don’t buy a car and pick up brakes on the way home.”


Schneier believes the industry will bifurcate – one strand paying for security, the other getting it embedded in free services where they have very little power. And possibly little confidence: at a meeting of digital payments specialists last year, it was notable that attendees were far more worried about someone hacking their webmail accounts than their bank accounts. First, because those (free) email accounts are locked to everything they do online, and second, because they do not believe they can get anyone to help them at the big webmail providers, whereas banks have established procedures.


Anderson imagines a slightly different bifurcation: “Perhaps we will end up with separation into those countries where consumer protection law works and those where it doesn’t.” The former will trust electronic services; the latter won’t. “In infosecurity”, he adds, “there will be a separation between the kind of attacks that cost a few cents per machine, and those that cost several thousand dollars per target.” Think botnets versus Sarah Palin. For some years, experienced infosecurity professionals have advised newcomers to learn business management. For Neira Jones, head of payment security at Barclaycard, such a change can’t come soon enough.




For Bart Vansevenant, the executive director of global security solutions for Verizon, however, even this career path will shortly be superseded: “Much security decision-making will be outsourced”, he predicts, “and the CISO will become more advisory”.


Catching a Cloud

Yet what quality of advice can a CISO give when so much is unknown about the inner workings of cloud offerings? Neira Jones thinks behavioral analysis based on heuristics and artificial intelligence (AI) will be increasingly important. But she finds the disappearance of security into the infrastructure alarming. “You’re not in charge of your own infrastructure”, she says, “and [your provider] won’t tell you what they’re doing”. She points to stats at DataLossDb.org showing that data breaches are up 20% year on year – and all involve third parties. “The online value chain with the cloud is really dangerous”, Jones concludes. In addition, data protection reform, when it’s complete in two or three years, will spur a cultural shift in the EU that may not be mirrored in the US.


One consequence of security as a service that RSA’s Juels was willing to contemplate was the demise of secure tokens such as his own company’s bread and butter, SecurID. “Even passwords will meet their demise”, he says. Juels predicts trusted paths from users to resources, a reframing of security away from authentication, behavioral detection, community sharing of malware detection, and a shift in our ideas about privacy away from data disclosure and toward data use and the algorithms controlling it. Still, he says, using all that to detect and prevent fraud will be a much bigger technical challenge in the IT world than it has been in the financial world. “It’s a much richer domain”, Juels asserts. His preferred future scenario? “Turn my mobile phone into a cloud portal onto a desktop image, a cache I don’t have to worry too much about securing. That would be good.” Wave Systems’ Brian Berger thinks the solution is hardware-based trusted computing. “Known machines”, he says, “providing data or access to data in a known way”.


Fact and Fiction


Juels’ wish for his mobile phone portal is widely shared. Mobile vendors and specialists in digital payments like Consult Hyperion’s Dave Birch want mobile payments to replace cash; even now, many people’s phones are their primary repository of personal data. Today’s kids – tomorrow’s workers – take theirs to bed at night. And yet, as Sotiris


www.infosecurity-magazine.com /// 37

