Interesting People mailing list archives

Security Biz Thrives on Fear  


From: Dave Farber <dave () farber net>
Date: Wed, 16 Apr 2003 12:31:46 -0400


Security Biz Thrives on Fear  By Joanna Glasner

Story location: http://www.wired.com/news/infostructure/0,1377,58492,00.html
02:00 AM Apr. 16, 2003 PT

SAN FRANCISCO -- One of the peculiar traits of the computer security
industry is that, generally speaking, no one takes much interest in it
unless they are actually feeling insecure.

And the more insecure they feel, the more apt companies, individuals and
government agencies are to spend time and money on tools to block worms,
viruses and assorted malicious hacks.

This being the prevailing mindset, it is not entirely surprising that
presenters at a security conference this week in San Francisco -- in
addition to praising recent advancements in the field -- spent a good chunk
of time pointing out why computer users should still be very much afraid.

Citing the proliferation of under-protected mobile data networks, the uptick
in identity-theft crimes and the increasing complexity of government and
corporate networks, speakers at the RSA Security Conference did much to
create the impression of the Net as a still very insecure place.

"This is not something (where) we can merely put a fence around the
borders," said Howard Schmidt, White House cybersecurity adviser and former
chief security officer for Microsoft, who spoke Tuesday regarding the
progress of the president's National Strategy to Secure Cyberspace.

The strategy blueprint, adopted by the White House earlier this year, calls
for greater cooperation between government and private industry "to protect
against the debilitating disruption of information systems."

Priorities outlined in the plan include development of a rapid-response
system for large-scale intrusions, funding for security research, securing
of government networks, and international cooperation in protecting
cyberspace.

While risks of cyberattack remain high, Schmidt said he was encouraged by
the fact that no debilitating Internet attacks occurred in the last several
weeks, as the start of war in Iraq elevated threat levels. He credited
heightened monitoring by IT security specialists for deterring cyberattacks.
Still, he warned against maintaining a high danger alert level too long, as
it can breed complacence.

"We have to be cautious, because you can cry 'Chicken Little' too many
times," he said.

Among security experts at this year's RSA confab, however, the opposite fear
seemed prevalent. If no one harps on risk, no one will spend money on new
worm-detection software, authentication systems, next-generation smartcards
and consultants trained to detect the holes in corporate security systems.

"This has been characterized as the golden age of hacking," said Art
Coviello, CEO of RSA Security, citing figures from the CERT Coordination
Center, which tracks network security breaches. CERT found that the number
of reported incidents spiked from nearly 53,000 in 2001 to more than 82,000
in 2002.

Even if technology is secure, there are always employees to worry about.
This was the topic that celebrity hacker-turned-consultant Kevin Mitnick
harped upon Tuesday in a lecture on social engineering, which is the
practice of manipulating people into giving away sensitive information.

Mitnick, who now heads his own computer security company, Defensive
Thinking, said the greatest security risk in most companies stems not from
computers but from the people they employ to run them.

He cited examples from his own criminal past, including one escapade in
which he masqueraded as an employee, hacked into a voice mailbox and
convinced a network administrator to give him a password to access the
company intranet.

Perhaps the chief champion of the insecurity theme was the conference
chairman, Jim Bidzos, who actually went to the trouble of compiling an
"insecurity index" to demonstrate how much more precarious computer networks
have become in the past year.

On a scale of one to 10, with 10 being most insecure, Bidzos rated current
security levels at six, one point above last year.

Although some areas have improved as companies add more IT security staff
and as funding for security-related startups grows, Bidzos believed the bad
news -- growing risk of wireless-network intrusions, threats of
cyberterrorism and rising identity theft -- outweighed the good.

"People are rightfully afraid to put personal information on the Internet,"
he said.

Of course, this could actually be a good thing for companies that sell
security software.
