By John McCormick
March 15, 2007
Ed Amoroso, AT&T's chief security officer, is one of the nation's top
computer security experts. He started his career at Bell Laboratories,
where he worked on, among other things, Unix security, and since then
has been involved in various aspects of defending computer networks.
Today, he's charged with both securing the communication company's
internal networks and overseeing the development of its computer
security products. Amoroso is also an adjunct professor at Stevens
Institute of Technology, where he teaches computer security, and is the
author of several books on data protection. His latest is Cyber Security
(Silicon Press, 2006). He sat down recently with Baseline
editor-in-chief John McCormick.
What are some of the major themes of your most recent book?
The first theme is that most enterprise security groups are pretty
concerned that the security problem seems to be somewhat unbounded. A
lot of CIOs will say: "Where is this all going? I [put] up a firewall in
'95, and then I bought an intrusion detection system in '98, and then I
bought antivirus and antispam in 2000. And then I bought DDoS
[distributed denial of service] protection in 2002. And it seems like
viruses and worms and botnet attacks and break-ins are just getting
And the question keeps arising: What can we do as a carrier? What we've
noticed over the last few years is we can see attacks as they occur. In
2003, I watched the Slammer worm happening. I was amazed. We just saw
the anomalies on ports. Since then, we've basically watched in living
color just about every named attack that you talk about in your
We also noticed that we have the ability to mediate these types of
things. We've started introducing firewall and intrusion detection right
into the network; instead of doing it at the perimeter, we can stop
different types of things in the network. You tell me what the policy
is. Instead of a firewall sitting at the edge of your enterprise, we
join your VPN with firewall equipment and software that sits in the
[network] clouds, virtualized. So, if you say I don't want [a particular
service], well, we route your traffic through a complex that knows that.
And I stop the packet long before it gets anywhere near your enterprise.
And I think that revolutionizes the way networking works.
You also talk about software engineering. What's the problem there?
Software engineering, as a discipline right now, is shamefully broken.
When you go to the university to study engineering, you see that
electrical engineering and chemical engineering and mechanical
engineering are grounded in science.
Computing is all sort of wacky, because computer programming runs the
gamut. If you're watching TV, a commercial will say, hey, you've got no
job; you can take up small-appliance repair or hairdressing or computer
programming. It's almost like computer programming is akin to fixing a
toaster, in terms of the skills that are needed.
So software, right now, across the board, is somewhat a victim to the
fact that the software engineering profession needs to have more
attentiveness. And this is an issue for academia. Even in terms of the
way businesses are run and operated, we need to rethink the way
software's developed. We need to start rethinking the way we train
What do I.T. people spend a lot of their time doing? Patching operating
systems. Every month their whole place comes to a grinding halt, and
everybody patches everything in sight - [like] putting duct tape on an
What's the reason? Who's to blame?
You can't really blame any company, or the industry, but it's important
now for security officers and CIOs to start recognizing that we have to
start steering the Queen Mary in a different direction.
One way to do it is fewer features. So, you need to be more demanding of
features. Feature creep is out of control.
Second, the issue of system administration around software is something
that we should all be somewhat ashamed of. The system administrative
burden is pretty significant. I'm sure that everyone you know, every
family member, they're all system administrators. My kids
systems-administer one of the machines at home. That's kind of an
amazing burden on people, and it's remarkably easy to mis-administer
So, what we see in the AT&T network is that these mis-configurations,
including modifying patches, result in your computer very easily being
taken over by a bot controller. Our measurements suggest that on any
given day, there are a minimum of 10 million machines that are
exhibiting some type of scanning behavior. They've been taken over.
There is a bot that exploited a vulnerability that wasn't patched.
So, who do you blame for that? You could blame the system administrator.
But that's a little hollow.
You could blame the software companies, but that's a little difficult,
because the software companies are just a reflection of the software
So, what do you do?
You need to just have a collective sigh that this is an immature
discipline that's got to grow up. And one of the ways it can grow up, I
believe, is that the carrier can step in and do some things.
For example, a PC that's spewing [out] a bunch of garbage. Your cable or
DSL [provider] can see that. And they could do volume metrics on your
PC. I don't mean look at your sensitive data - they could care less
about that. But look and see, for example, that from 2 a.m. to 6 a.m.,
for the last 300 nights, there's almost no traffic; then all of a
sudden, they start to see bursts of [computer port] scanning coming out
of your PC. They could stop it [if it's in] the service-level agreement
that they have with you.
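The volume-metrics idea described above (a quiet-hours baseline over many nights, then a sudden burst of fan-out from one PC) can be illustrated with a small detector. This is an added example, not code from the interview or from AT&T; the flow records, addresses and thresholds are constructed for the illustration, and the detector looks only at counts and destination fan-out, never at payload.

```python
"""Added example: baseline-and-burst detector for one subscriber's overnight outbound traffic."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

QUIET_START, QUIET_END = 2, 6  # the 2 a.m. to 6 a.m. window from the interview


def in_quiet_window(ts):
    """True for timestamps inside the nightly quiet window."""
    return QUIET_START <= ts.hour < QUIET_END


def nightly_counts(flows):
    """Per calendar date: (outbound flows in the quiet window, distinct (ip, port) targets)."""
    per_night = defaultdict(list)
    for ts, dst_ip, dst_port in flows:
        if in_quiet_window(ts):
            per_night[ts.date()].append((dst_ip, dst_port))
    return {d: (len(v), len(set(v))) for d, v in per_night.items()}


def detect_burst(flows, min_history=7, min_abs=50, sigmas=3.0, fanout_ratio=0.8):
    """Compare the latest night against the preceding nights' baseline.

    A night is flagged only when both hold:
      * its quiet-window flow count exceeds max(min_abs, mean + sigmas * stdev) of earlier nights
      * most of those flows go to distinct targets (scan-like fan-out), so a long
        download to a single host does not trip the rule on volume alone.
    Returns None when there is not enough history to build a baseline.
    """
    if not flows:
        return None
    counts = nightly_counts(flows)
    first = min(ts.date() for ts, _, _ in flows)
    last = max(ts.date() for ts, _, _ in flows)
    dates = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    history, current = dates[:-1], dates[-1]
    if len(history) < min_history:
        return None
    base = [counts.get(d, (0, 0))[0] for d in history]  # nights with no traffic count as 0
    mu, sd = mean(base), pstdev(base)
    threshold = max(min_abs, mu + sigmas * sd)
    cur_flows, cur_targets = counts.get(current, (0, 0))
    fanout = cur_targets / cur_flows if cur_flows else 0.0
    return {
        "night": current.isoformat(),
        "flows": cur_flows,
        "distinct_targets": cur_targets,
        "baseline_mean": mu,
        "threshold": threshold,
        "fanout": round(fanout, 3),
        "suspicious": cur_flows > threshold and fanout >= fanout_ratio,
    }


def make_sample(mode="scan", nights=30):
    """Constructed flow records (timestamp, dst_ip, dst_port); all addresses are made up."""
    start = datetime(2007, 3, 1)
    flows = []
    for i in range(nights):
        day = start + timedelta(days=i)
        flows.append((day.replace(hour=3), "192.0.2.10", 123))   # nightly time-sync check-in
        flows.append((day.replace(hour=14), "192.0.2.20", 80))   # daytime browsing, outside window
        flows.append((day.replace(hour=20), "192.0.2.20", 443))
    final = start + timedelta(days=nights)
    if mode == "quiet":      # the final night looks like every other night
        flows.append((final.replace(hour=3), "192.0.2.10", 123))
    elif mode == "backup":   # many flows to a single host: high volume, no fan-out
        for j in range(400):
            flows.append((final.replace(hour=2, minute=30) + timedelta(seconds=j), "192.0.2.30", 443))
    elif mode == "scan":     # bot-style sweep: one flow per distinct host
        for j in range(400):
            ts = final.replace(hour=2, minute=30) + timedelta(seconds=j)
            flows.append((ts, f"10.0.{j // 254}.{j % 254 + 1}", 445))
    return flows


if __name__ == "__main__":
    for mode in ("quiet", "backup", "scan"):
        print(mode, detect_burst(make_sample(mode)))
```

The fan-out test is what separates a compromised machine sweeping many hosts from a legitimate overnight backup that also produces a spike in flow count; a real deployment would tune `min_abs` and `sigmas` per subscriber and, as the interview notes, act on the result only within the terms of the service-level agreement.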
Why isn't that done today?
It's partly because they know that you, as a customer, would probably be
nervous about them blocking things. You'd say, "Look, it's not that I
think you're trying to do anything funny. I'm just afraid I'm going to
be trying to Google 'dinosaurs' to help my son with his report, and
you're going to be blocking it or something."
[But] if we can get to the point where a consumer or business people
feel more comfortable having the carrier do more security, and the
security ranges from stopping spam to stopping a denial-of-service
attack to calling you when there's fraud or something, then that's good
That's a shift in security - and privacy.
If the carrier sees any really nasty traffic being aimed at your PC,
like a botnet attack, for us to say we're going to characterize that and
block it and notify you, it's hard to even conceive of any potential
privacy issue there whatsoever.
When toll fraud was becoming an issue in the '70s, the solution to toll
fraud was simply that when you made an [initial] international call, you
would be put into a grouping of people who just made their first
international call. Let's say you called Albania. That call got put into
a database. And if [right after that] you made another call to Albania,
it would trip off an operator who [would] then call you up and say,
"Hey, do you mean to be calling Albania? We noticed this odd calling
pattern." And for decades, I don't think they ever had anybody complain
about privacy in that scenario.
In the Internet era, people have a different concept. A phone bill is a
list of calls that you've made. How would you feel if your ISP gave you
a URL bill with the sites that you visited? Nobody would want that.
People would be aghast at the "privacy" implications.
Our feeling is that the total cost of ownership for a CIO or CSO or
CISO, at the perimeter, has been rising. There wasn't even a perimeter
10 years ago, except routers, maybe, doing a little bit of packet
filtering. We went from that to now, where some banks here in New York
City have teams of 200 people that do nothing but police the enterprise.
So, whether you would consider that a problem situation or not, it's
certainly something that has the attention of a CIO, because the CIO
would ask, "What am I getting out of this?"
What does a CIO get out of all this?
The first [thing] is that all the equipment that would correspond to
firewall, IDS filtering, URL, antispam, threat management security,
information management - all that capital and all those licenses can, in
some sense, vanish, because by virtualizing that in the network, we keep
the capital. We keep the hardware.
The second thing is that most CIOs will pick an antivirus tool. And
usually, there are 10 pluses and four minuses for this vendor, 13 pluses
and two minuses for this other vendor, and so on. It's more pluses and
fewer minuses. But there are still minuses there.
A carrier can give you the best of everything, because there's always a
horse race with vendors. And we can make sure that you're always getting
the latest and greatest - updates, signatures, any type of configuration
change that needs to be done on a daily basis.
Has AT&T been offering these services for a while?
Yes, for some time. They're all different services.
And you're using these tools inside the company?
I have an initiative to use all those things to protect us.
AT&T must be a huge target for hackers.
There isn't a carrier on this planet that's not attacked.
How often are you attacked?
You have to go by the definition of "attack." The first thing is that
anybody who's ever done security and thought about it for more than an
hour realizes that it's impossible to say "I measure all my attacks,"
because sometimes, there's an attack that you don't see. I mean, it's
insiders or others [who] might, you know, successfully attack you.
But knock wood: We haven't had a security event that has caused
significant widespread problems for customers.
Copyright (c) 2007 Ziff Davis Media Inc. All Rights Reserved.