By Sumner Lemon
October 18, 2006
IDG News Service
In a keynote speech that was webcast at last month's Hack in the Box
Security Conference in Kuala Lumpur, Malaysia, Bruce Schneier, chief
technology officer of managed security services provider Counterpane
Internet Security Inc., identified 10 trends affecting information
1. Information is more valuable than ever.
For example, Amazon.com Inc. relies on information to make purchasing of
books easier through its one-click purchasing system. Similarly, when
Internet retailer Pets.com went belly-up, the company's database of
customers "was the only asset of value they had," he said.
Information also has value for controlling access, such as single
sign-on and authentication for users, and law enforcement, which uses
information to help track criminals and gather evidence.
2. Networks are critical infrastructure.
The Internet was not designed to serve as critical infrastructure. "It
just sort of happened," Schneier said, noting that hasn't stopped more
critical systems from migrating to the Internet.
The Internet helps companies run more efficiently and eases
communication between people, but there are real economic risks
involved. "If the Net goes down, or part of the Net goes down, it really
affects the economy," he said.
3. Users do not necessarily control information about themselves.
For example, Internet service providers have control over records the
Web sites that users visit and email messages they send and receive.
Also, some mobile operators keep a copy of users' phone books on their
"There's a lot of value in information about you," Schneier said. "But
you have no control over the security of that information, even though
it may be highly personal."
4. Hacking is increasingly a criminal profession.
Hacking is no longer for hobbyists. More and more, attacks are organized
and led by criminals who are driven by a profit motive. "The nature of
the attacks is changing because the adversary is changing," Schneier
Extortion related to denial of service attacks and phishing attacks are
two examples of criminal attacks. In addition, there is a black market
for exploits that allow attackers to penetrate corporate IT systems.
5. Complexity is your enemy.
"As systems get more complex they get less secure," Schneier said,
calling the Internet "the most complex machine ever built."
Advances in security technology simply have not kept pace with the
Internet's growth. "Security is getting better, but complexity is
getting worse faster," Schneier said.
6. Attacks are faster than patches.
New vulnerabilities and exploits are being discovered faster than
vendors can patch them. In other cases, vulnerabilities in some embedded
systems, such as Cisco Systems Inc. routers, cannot be patched, leaving
7. Worms are more sophisticated than ever.
They already contain vulnerability assessment tools, and are scanning
corporate defenses for weaknesses and using Google Inc. for intelligence
gathering. "This trend is a result of more worms being criminal."
8. The endpoint is the weakest link.
"It doesn't matter how good your authentication schemes are if the
remote computer isn't trustworthy," Schneier said. In many cases,
computers outside your company's security are the weakest link. These
computers are often infected with worms and spyware, presenting an
opportunity for attackers.
9. End users are seen as threats.
Companies are increasingly developing software that is intended to
defend against the end user, Schneier said, citing DRM (digital rights
management) software as an example. "More and more we're seeing security
that doesn't protect the user, but protects against the user."
In at least one case, involving DRM software installed by Sony Corp.
without users' permission, the software caused damage to the end user's
computer. "Rules and regulation around this is going to be a big
battleground," Schneier said, predicting that a battle will be fought
between PC software that is protecting the user and software that is
designed to protect against the user.
10. Regulations will drive security audits.
Theres no shortage of regulations that detail how companies should
handle data. Regulations such as the Sarbanes-Oxley Act will be the
driving force behind corporate security audits.
Visit the InfoSec News store!