Interesting People mailing list archives
Security Biz Thrives on Fear
From: Dave Farber <dave () farber net>
Date: Wed, 16 Apr 2003 12:31:46 -0400
Security Biz Thrives on Fear
By Joanna Glasner
Story location: http://www.wired.com/news/infostructure/0,1377,58492,00.html
02:00 AM Apr. 16, 2003 PT

SAN FRANCISCO -- One of the peculiar traits of the computer security industry is that, generally speaking, no one takes much interest in it unless they are actually feeling insecure. And the more insecure they feel, the more apt companies, individuals and government agencies are to spend time and money on tools to block worms, viruses and assorted malicious hacks.

This being the prevailing mindset, it is not entirely surprising that presenters at a security conference this week in San Francisco -- in addition to praising recent advancements in the field -- spent a good chunk of time pointing out why computer users should still be very much afraid.

Citing the proliferation of under-protected mobile data networks, the uptick in identity-theft crimes and the increasing complexity of government and corporate networks, speakers at the RSA Security Conference did much to create the impression of the Net as a still very insecure place.

"This is not something (where) we can merely put a fence around the borders," said Howard Schmidt, White House cybersecurity adviser and former chief security officer for Microsoft, who spoke Tuesday regarding the progress of the president's National Strategy to Secure Cyberspace.

The strategy blueprint, adopted by the White House earlier this year, calls for greater cooperation between government and private industry "to protect against the debilitating disruption of information systems." Priorities outlined in the plan include development of a rapid-response system for large-scale intrusions, funding for security research, securing of government networks, and international cooperation in protecting cyberspace.
While risks of cyberattack remain high, Schmidt said he was encouraged by the fact that no debilitating Internet attacks occurred in the last several weeks, as the start of war in Iraq elevated threat levels. He credited heightened monitoring by IT security specialists for deterring cyberattacks.

Still, he warned against maintaining a high danger alert level too long, as it can breed complacence. "We have to be cautious, because you can cry 'Chicken Little' too many times," he said.

Among security experts at this year's RSA confab, however, the opposite fear seemed prevalent. If no one harps on risk, no one will spend money on new worm-detection software, authentication systems, next-generation smartcards and consultants trained to detect the holes in corporate security systems.

"This has been characterized as the golden age of hacking," said Art Coviello, CEO of RSA Security, citing figures from the CERT Coordination Center, which tracks network security breaches. CERT found that the number of reported incidents spiked from nearly 53,000 in 2001 to more than 82,000 in 2002.

Even if technology is secure, there are always employees to worry about. This was the topic that celebrity hacker-turned-consultant Kevin Mitnick harped upon Tuesday in a lecture on social engineering, which is the practice of manipulating people into giving away sensitive information.

Mitnick, who now heads his own computer security company, Defensive Thinking, said the greatest security risk in most companies stems not from computers but from the people they employ to run them. He cited examples from his own criminal past, including one escapade in which he masqueraded as an employee, hacked into a voice mailbox and convinced a network administrator to give him a password to access the company intranet.
Perhaps the chief champion of the insecurity theme was the conference chairman, Jim Bidzos, who actually went to the trouble of compiling an "insecurity index" to demonstrate how much more precarious computer networks have become in the past year. On a scale of one to 10, with 10 being most insecure, Bidzos rated current security levels at six, one point above last year.

Although some areas have improved as companies add more IT security staff and as funding for security-related startups grows, Bidzos believed the bad news -- growing risk of wireless-network intrusions, threats of cyberterrorism and rising identity theft -- outweighed the good.

"People are rightfully afraid to put personal information on the Internet," he said.

Of course, this could actually be a good thing for companies that sell security software.