[Am-info] EXPERTS PREDICT THE FUTURE OF COMPUTER SECURITY

Fred A. Miller fm@cupserv.org
Mon, 16 Dec 2002 11:50:33 -0500


Note the comments about MickySoft, and others that allude to M$. From SANS.

Fred
____________________

EXPERTS PREDICT THE FUTURE OF COMPUTER SECURITY

Over the past few weeks, many of the most respected leaders in the
security field took time out to give NewsBites readers a glimpse
inside their crystal balls.  The question they answered: "What are
the most important and interesting trends that will face computer
security professionals during 2003?"

In this special issue of SANS NewsBites, you'll find illuminating
and often provocative answers to this question from

*Bruce Schneier, CTO of Counterpane Internet Security, Inc.
*Bill Murray, Executive Consultant, TruSecure Corporation
*Eugene Spafford, Professor and Director, Purdue University CERIAS
*Stephen Northcutt, Director of Education, SANS Institute
*Marcus Ranum, Consultant, Ranum.com
*Eugene Schultz, Principal Engineer with Lawrence Berkeley National
Laboratory and faculty member at Univ. of California, Berkeley
*Tom Noonan, Chairman, President and Chief Executive Officer, Internet
Security Systems
*Gil Shwed, Chairman and Chief Executive Officer, Check Point Software
Technologies Ltd.
*Rob Clyde, VP & Chief Technology Officer, Symantec Corporation
*Greg Akers, SVP, CTO Security and Strategic Services, and John
N. Stewart, Director, Information Security, Cisco Systems, Inc.

****************** This Issue Sponsored By Nokia **********************

Powerful, automated, intrusion protection in an easy-to-deploy solution

Introducing the new Nokia IP380 - a sleek 1-RU intrusion detection
appliance that tightly integrates Internet Security Systems'
RealSecure(R) Network Sensor and SiteProtector Management. This
cost effective and easy to deploy solution provides anomaly and
signature-based analysis, stateful packet inspection and protocol
analysis for complete network protection.

Learn about special bundle offerings available through Westcon and
GE Access.
Visit http://www.nokia.com/internet/na

***********************************************************************

***********************************************************************
Bruce Schneier
CTO of Counterpane Internet Security, Inc.

I think the next big Internet security trend is going to be crime. Not
the spray-painting, cow-tipping, annoyance-causing crime we've been
seeing over the past few years. Not the viruses and Trojans and DOS
attacks for fun and bragging rights. Not even the epidemics that sweep
the Internet in hours and cause millions of dollars of damage. Real
crime. On the Internet.

Crime on the Internet is nothing new. We've all heard isolated stories
of competitors breaking into each other's networks, hackers breaking
into networks and extorting money from dazed sysadmins, and industrial
espionage, identity theft, simple monetary theft from banks and other
financial institutions, but it's the Nimdas and the root-name-server
attacks that make the headlines. And while we're worrying about those
threats, the criminals are slipping by unnoticed. They're stealing
money and things they can sell for money. They're stealing credit card
numbers and identity information and using it to commit fraud. They're
engaging in industrial espionage. The crimes never change; only the
tactics are new.

I predict that people will start noticing. Companies have a
strong self-interest not to publicize any real crime against their
networks. The bad press from making an attack public is often more
harmful than the attack itself. But the times are changing. Just
this year, California passed a law--with large loopholes,
unfortunately--requiring companies to make these attacks public. I
predict more of these laws in the future.

Criminals tend to lag technology by five to ten years, but eventually
they figure it out. Just as Willie Sutton robbed banks because
"that's where the money is," modern criminals will attack computer
networks. Increasingly, value is online instead of in a vault;
illicitly changing a number in a database can be more lucrative than
staging a robbery.

Real crime is hard to detect. When your network is being scanned dozens
of times a day by script kiddies, the one serious criminal can sneak
in unnoticed. At Counterpane, we monitor hundreds of networks against
attack. Our hardest job, and the thing we spend the most time worrying
about, is catching the real criminals among the hundreds of annoying
hackers. It's the insider trying to change his salary in the human
resources computer. It's the robbers trying to manipulate account
balances on a bank computer. This is the real crime on the net, and
when we catch these guys, our customers are elated. More and more,
this is going to be where companies want their computer security
dollars to be spent.

***********************************************************************
Bill Murray
Executive Consultant, TruSecure Corporation

Predicting the future can best be done by identifying those trends
that are unlikely to change.

First, the bad news. Habit, bureaucracy, inertia, and institutional
consent to bad practice resist any improvement.

The Internet is resistant to all change in the short run; in the long
run its security is likely to get worse before it gets better.

Small improvements in software quality will be overwhelmed by increases
in software.

There will continue to be a preference for applications and low
price over security in choosing operating systems. [We will continue
to complain about Microsoft security while using its products for
applications and environments for which they are not intended and do
not meet the security requirements.]

We will continue to try and patch and fix our way to security; we
will continue to fail.

Government will continue to chide the private sector while connecting
weak systems to the public networks.

Business will continue to attach weak systems to public networks in
the name of "early to market," "first mover advantage," and ease of
operation and management.

Government will continue to focus on user-to-user isolation at the
operating system layer while authenticating those users only with
passwords at the network and application layers. They will continue
to prefer mandatory access controls over strict accountability.

Government security efforts will continue to focus on preserving its
secrets while tolerating fraud, waste, and abuse.

Rogue hackers will continue to contaminate the Internet with viruses
and worms in the name of improving security while continuing to be
lionized by the media as "security experts" and continuing to elude
law enforcement.

Law enforcement will continue to whine about business' reluctance to
share intelligence while abusing and misusing such intelligence as
they have.

Vulnerability researchers will continue to publish exploits in the
name of improving security; the media will continue to refer to them as
"security experts."

Governments around the world will continue to reward rogue hackers
with security job offers; leopards will still not change their spots.

Privacy will continue to vary in proportion to the cost of surveillance
to the government; that cost will continue to fall.
Get used to it.

Now for the good news. Economics is on our side.
Cheap hardware firewalls, other application appliances, strong
authentication, and end-to-end encryption (e.g., SSL, SSH, VPNs)
will be used to hide operating system vulnerabilities, privileged
controls, sensitive applications, and gratuitous functionality from
the public networks.

Driven by demand from their customers, threat of government
regulation, and competition and example from AOL, retail ISPs and
other edge-connectors will take more responsibility for protecting
their customers from spam, viruses, DoS, and other attacks and for
protecting the rest of us from rude behavior by their users.

While users will continue to click on strange files and icons,
default use and automatic update of scanners will make us collectively
resistant to viruses.

Cheap hardware will accelerate the preference for single user and
single application systems over multi-user multi-application systems.

Led by reluctant heroes like Visa, American Express, and their
competitors, and to meet the higher expectations of their customers,
e-merchants and e-fiduciaries will continue to improve the security
of the applications that they attach to the Internet.

Investors, inventors, product vendors, and service providers continue
to invest, invent, innovate, provide, and encourage.

Government, industry, and professional organizations encourage
training, education, commitment, and continuing development of
professional knowledge, skills, and abilities.

While we will continue to experience attacks and breaches to define
the limits of our success, security will continue to be just barely
good enough to escape chaos and preserve public trust and confidence.

***********************************************************************
Dr. Eugene Spafford
Professor and Director, Purdue University CERIAS

Here are three predictions:

1) Consumers in the US in particular are going to be drawn into more
public debates about on-line privacy. Growing threats of identity
theft and spam, along with increasing government interest in data
mining and surveillance as well as intrusive DRM schemes by vendors,
will all serve to sensitize users to issues of on-line privacy.
Although largely unorganized compared to organizations of marketers,
music companies and the Attorney General, expect a growing political
and economic backlash to perceived infringements of perceived and
real personal privacy.

2) Sometime in the next year, we will see destructive political cyber
attacks. The increasingly strident rhetoric in the international arena
will be echoed on the Internet as programmed attacks are developed
with a political theme. Some of these will be by long-time malicious
code authors, who add the political label as a rationalization, but
others will be by newcomers who are radicalized by on-going events.
Expect some criminal elements to exploit this opportunistically.
Interest in wide-scale IDS and forensics should increase as a result.

3) As a result of #1 and #2, and several vendors suggesting that
they could do with better security, expect to see lawsuits filed for
negligence against some major ISPs and vendors. Most will be settled
out of court, or dismissed outright, but others will continue.

Security firms making claims about the coverage of their
products/services will make particularly attractive targets for
aggrieved victims since the claims are overstated, and the products
not as comprehensive as claimed.

North Korea might well be a major flashpoint, possibly requiring
additional military presence. If so, it could result in worsening
relations with China (as would action in Iraq without UN
mandate). India and Pakistan could also boil over if the world's
attention were focused elsewhere. Real worst-case here is millions
dead and vast areas covered in radioactive by-products. Don't expect
the people of China and other countries downwind to be very happy
about this and stand by idly if it happens. In addition to widespread
destruction, this would also lead to massive starvation because of
contaminated crops and mass migration away from contaminated areas.

Now, think of where many of our chip fabrication plants are located,
and where we get many other computing components. World unrest
could easily choke off supply of many critical items, leading to
huge shortages in the computing hardware industry. This would also
drive down the demand for software. Coupled with lack of consumer
confidence from possible terrorist incidents, and a soaring Federal
deficit because of tax cuts and increased military spending, we see
the possibility of a global economic depression. Regional wars would
make this especially severe.

To make this even more complete, geologic activity suggests a near-term
earthquake of magnitude greater than 7.0 in the SF Bay area. If only
a couple of quakes occur offshore, a tsunami would certainly affect
Hawaii and points in the Pacific, including Japan.

So, why present such a gloomy forecast for 2003? Well, that's worst
case. If we make it through the next 12 months without such disasters,
with good health and at least some income, we should celebrate
Thanksgiving with attitude. Sometimes, we take too much for granted.

Best wishes for 2003.

***********************************************************************
Stephen Northcutt
Director of Education, The SANS Institute

There is an old joke about a mathematician during a hotel fire. He
wakes up, smells the smoke, grabs his notepad and furiously calculates
how much water is needed from the hotel room-drinking cup, and where it
needs to be placed. With the problem "solved" he goes back to sleep. I
think during 2003 we are going to be tempted to let our guard down
just a bit. As a community, we are close to understanding what we
need to implement to achieve a reasonable degree of risk management,
and some of us will probably mistake knowing what needs to be done
for having the problem solved.

I learned a new word this week - giclee: it is a digitized picture
that looks like an artist's painting -- you can even see brush
strokes because the printers used are that advanced. Who in their
right mind would ever pay full price for an "original" artwork after
knowing how easy it is to produce a perfect copy? It seems that one
of the hottest issues in the near future has to be digital rights
management.  This issue is far more serious and complex than college
kids downloading .mp3s. It is not a new issue of course, but it is
one that is rapidly growing in importance to both individuals and
organizations. A large and rapidly growing part of what we consider
valuable -- software, music, money, photographs, movies, art, and the
intellectual property that we ourselves have created -- is digital
at heart, and can be deleted, modified or copied pretty easily. We
need to develop the laws, processes, even terminology to effectively
manage and protect digital property.

***********************************************************************
Marcus Ranum
Consultant, Ranum.com

The 5 most important developments to look for in Computer security:
1) Federal IT procurements beginning to put teeth behind standards.
Private sector companies have no problem standardizing their firewall
access rules and mandating antivirus on desktops. Why can't the feds
do likewise?

2) Security companies stop marketing themselves by trumpeting flaws.
Soap boxing about vulnerabilities you discover doesn't impress
people anymore.

3) The torrent of patches and hotfixes must cease or everyone will
start to ignore them and sink into a coma of security-apathy. Vendors:
we want products that work -- save the features for later!

4) Standards bodies need to be ahead of the state-of-the-art,
not ratifying bodies that bless the technology with the largest
installed base.

5) Feds stop using the excuse "but no classified materials were
accessed" whenever a government site gets hacked. We all know that
unclassified machines contain tons of sensitive information. Stop
making excuses and secure those systems!

***********************************************************************
Eugene Schultz
Principal Engineer with Lawrence Berkeley National
Laboratory and faculty member at Univ. of California, Berkeley

My predictions for next year include:

* The hype concerning cyberterrorism will gradually subside, much
the same as the panic over Y2K came and went.

* U.S. Presidential panels and commissions will continue to generate
a great deal of rhetoric about protecting critical computing
infrastructures, but, as in previous years, with little effect.

* There will be an increasing demand for appliances that provide
security -- devices that come preconfigured and ready-to-run.

* Worms and viruses will continue to be less successful than they
were in previous years because organizations are adopting appropriate
measures to counter them.

* An abundance of security-related flaws in Microsoft products will
continue to emerge; it is still too early for Microsoft's Trusted
Computing Initiative to make much of a difference in the security of
Microsoft products.

* The Digital Millennium Copyright Act (DMCA) will prompt an
increasing number of arrests and prosecutions of individuals who
discover vulnerabilities in or reverse engineer vendor software.

***********************************************************************
Tom Noonan
Chairman, President and Chief Executive Officer, Internet Security Systems

The IT Security industry is undergoing one of the most dramatic
technological periods of advancement it has had in the last five
years. The advent of the hybrid threat that began with Code Red
and Nimda was a catalyst for this technological revolution. Security
measures that rely solely on signatures and port blocking for detecting
and/or preventing threats have become obsolete against these threats
that pack malicious payloads into trusted or unknown applications. The
technology trends that will rise to prominence in 2003 include:

1. Intrusion detection technology advancing into intrusion
protection. This technology will combine pattern matching, several
layers of protocol analysis, pre-emptive behavioral inspection, anomaly
detection and firewall blocking to not only detect online threats,
but also to block them altogether. This technology will operate at
wire speeds and will reside in-line on network segments as well as on
servers and desktops. Most have viewed dynamic detection and prevention
systems as the next generation firewall -- 2003 will be the year that
these systems displace static "header" based firewall systems.

2. The integration of vulnerability assessment technology into intrusion
protection. There are many advantages to converging these technologies;
among them are improved and more timely threat analysis as well as a
reduced number of false alarms. A threat against a vulnerable system
presents manifest risk; a threat against invulnerable systems is a
false positive. Without each other, these systems are under-optimized.

3. Finally, we will see disparate point solutions migrate into
a single protection platform. Bringing intrusion protection and
vulnerability assessment for networks, servers and desktops under a
single architecture will provide for more tightly integrated defense
against threats as well as increased ease of security management.

4. The business model changed with e-commerce; the security model did
not. 2003 will usher in the realization of a new model and a new era of
dynamic protection for every device on the network. Static perimeter
defense will give way to modern day dynamic device protection. Core
supplanting protection agents will challenge the Cold War-legacy
technologies with higher-scale, lower-cost of ownership and more
automated and effective protection. Individual protection agents will
protect the enterprise systems from the entire spectrum of Internet
threats including viruses, malicious content, Trojans, worms, hybrids,
unauthorized access and hacking and misuse.
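
The correlation in point 2 above -- an exploit attempt against a host the scanner found vulnerable is manifest risk, the same attempt against a patched host is a false positive -- as an added example. This is not ISS code and not code from the newsletter; the host inventory, the signature-to-weakness table, the alert stream and the identifiers such as EXAMPLE-WEB-0001 are all constructed placeholders, and the seven-day scan-freshness limit is an assumption.

```python
"""Alert-to-vulnerability correlation (added example, not ISS code).

Inputs are constructed: a vulnerability-assessment inventory per host, a table
mapping IDS signatures to the weakness each one exploits, and a handful of
alerts. Identifiers such as EXAMPLE-WEB-0001 are placeholders, not advisories.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumption: a scan older than this cannot be trusted to rule an alert out.
MAX_SCAN_AGE_DAYS = 7


@dataclass(frozen=True)
class HostAssessment:
    vulns: Set[str]      # weakness identifiers the scanner found on the host
    scan_age_days: int   # age of the most recent assessment


# Constructed inventory, keyed by destination IP.
INVENTORY: Dict[str, HostAssessment] = {
    "10.0.0.5": HostAssessment({"EXAMPLE-WEB-0001", "EXAMPLE-SSH-0002"}, scan_age_days=1),
    "10.0.0.7": HostAssessment({"EXAMPLE-MAIL-0003"}, scan_age_days=2),
    "10.0.0.9": HostAssessment(set(), scan_age_days=3),                     # patched host
    "10.0.0.11": HostAssessment({"EXAMPLE-WEB-0001"}, scan_age_days=30),    # stale scan
}

# Constructed signature catalogue. None marks reconnaissance signatures
# (scans, probes) that target no specific weakness.
SIGNATURE_TARGETS: Dict[str, Optional[str]] = {
    "WEB-EXAMPLE-0001-exploit": "EXAMPLE-WEB-0001",
    "SSH-EXAMPLE-0002-exploit": "EXAMPLE-SSH-0002",
    "MAIL-EXAMPLE-0003-exploit": "EXAMPLE-MAIL-0003",
    "GENERIC-portscan": None,
}


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    signature: str


def triage(alert: Alert, inventory=INVENTORY, catalogue=SIGNATURE_TARGETS) -> str:
    """Classify one alert.

    manifest_risk   exploit aimed at a host the scanner found vulnerable to it
    false_positive  exploit aimed at a freshly scanned host that lacks the weakness
    recon           signature targets no specific weakness
    unknown         unmapped signature, unscanned host, or stale scan: cannot rule out
    """
    if alert.signature not in catalogue:
        return "unknown"
    target = catalogue[alert.signature]
    if target is None:
        return "recon"
    host = inventory.get(alert.dst)
    if host is None or host.scan_age_days > MAX_SCAN_AGE_DAYS:
        return "unknown"
    return "manifest_risk" if target in host.vulns else "false_positive"


def prioritise(alerts: List[Alert]) -> List[Alert]:
    """Only the alerts an analyst should look at first."""
    return [a for a in alerts if triage(a) == "manifest_risk"]


def summarise(alerts: List[Alert]) -> Dict[str, int]:
    return dict(Counter(triage(a) for a in alerts))


# Constructed alert stream.
SAMPLE_ALERTS = [
    Alert("203.0.113.4", "10.0.0.5", "WEB-EXAMPLE-0001-exploit"),    # vulnerable: manifest risk
    Alert("203.0.113.4", "10.0.0.9", "WEB-EXAMPLE-0001-exploit"),    # patched: false positive
    Alert("203.0.113.4", "10.0.0.7", "SSH-EXAMPLE-0002-exploit"),    # no ssh weakness: false positive
    Alert("203.0.113.4", "10.0.0.11", "WEB-EXAMPLE-0001-exploit"),   # scan too old: unknown
    Alert("203.0.113.4", "10.0.0.42", "MAIL-EXAMPLE-0003-exploit"),  # never scanned: unknown
    Alert("203.0.113.4", "10.0.0.5", "GENERIC-portscan"),            # recon
    Alert("203.0.113.4", "10.0.0.5", "NEW-unmapped-sig"),            # unknown signature
]

if __name__ == "__main__":
    for verdict, n in sorted(summarise(SAMPLE_ALERTS).items()):
        print(f"{verdict:15s} {n}")
    for a in prioritise(SAMPLE_ALERTS):
        print("investigate:", a)
```

The "unknown" bucket is the part worth keeping: a host that was never scanned, or whose last scan is stale, is not "invulnerable", and collapsing it into the false-positive pile is how the correlation silently discards real attacks.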

***********************************************************************
Gil Shwed
Chairman and Chief Executive Officer, Check Point Software Technologies Ltd.

Internet security has expanded its role in today's networks.  The
traditional firewall became the key building block for virtual private
networks, connecting a company's branch offices, business partners
and remote employees.  On-going advances in network connectivity and
network attacks that become more sophisticated by the day require
a high level of flexibility.  In the security market, much emphasis
has been placed on "form factor" -- making firewall/VPN devices look
and feel like network infrastructure devices.  While these are often
good qualities, manufacturers tend to drift away from the fundamental
challenge - making the Internet secure.

In 2003, we see a continued increase in application layer security
activities.  To address that trend, we need systems that will make
security deeper, broader and smarter.

Deeper understanding of network protocols is essential.  For example,
HTTP is no longer used only for web browsing.  It has become a
transport layer for a variety of applications, from instant messaging
to business transactions.  Technologies like Application Intelligence
are required to safeguard corporate networks from violation through
application layer vulnerabilities.

Broader deployment of network security is essential.  With the
proliferation of Internet connectivity, broadband (always on) networks,
wireless LANs and cellular networks, the scope of network security is
expanding beyond the traditional security perimeter.  Technology to
consistently manage and enforce security policies must be deployed
both in front of and behind the perimeter to secure all access points.

Smarter security decisions are a crucial element as a mix of security
technologies are deployed more broadly.  Active Defense technologies
allow an attack detected in one part of the network to be instantly
avoided at other access points.  A distributed security model
requires the ability to make sense of the enormous volume of raw
data generated in a typical enterprise network security deployment.
A firewall/VPN system alone can collect five to ten million records
per day in a mid-size corporation.  Technologies to analyze, correlate,
and translate this data into action are essential.

These changes in the security marketplace--deeper understanding of
attacks, broader deployment of security, and smarter analysis --will
enable organizations to ensure comprehensive network security.
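
The "smarter" part above -- correlating raw records from many gateways and turning an attack seen at one access point into a block at all of them -- as an added example. It is not Check Point's Active Defense and not code from the newsletter; the record format, the 60-second window, the five-port threshold, the gateway names and every log line are constructed for illustration.

```python
"""Cross-gateway firewall-log correlation with block propagation
(added example, not Check Point code).

Record format, thresholds, gateway names and log lines are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
import ipaddress

WINDOW_SECONDS = 60   # assumption: how long a scan is allowed to spread over
PORT_THRESHOLD = 5    # assumption: distinct ports that make a source a scanner
GATEWAYS = ["gw-hq", "gw-branch", "gw-dc"]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # never auto-blocked

# Constructed record format: "<epoch> <gateway> <action> <src> <dst> <dport>"
LOG = """\
1000 gw-hq     drop   198.51.100.7 10.0.0.5 22
1002 gw-hq     drop   198.51.100.7 10.0.0.5 23
1004 gw-hq     drop   198.51.100.7 10.0.0.5 25
1010 gw-branch drop   198.51.100.7 10.0.1.8 80
1012 gw-branch drop   198.51.100.7 10.0.1.8 110
1014 gw-branch drop   198.51.100.7 10.0.1.8 143
1020 gw-hq     accept 203.0.113.9  10.0.0.5 443
1021 gw-branch accept 203.0.113.9  10.0.1.8 443
1030 gw-hq     drop   10.0.2.3     10.0.0.5 22
1031 gw-hq     drop   10.0.2.3     10.0.0.5 23
1032 gw-hq     drop   10.0.2.3     10.0.0.5 25
1033 gw-hq     drop   10.0.2.3     10.0.0.5 80
1034 gw-hq     drop   10.0.2.3     10.0.0.5 110
1035 gw-hq     drop   10.0.2.3     10.0.0.5 143
# slow scanner: five ports, but spread over far more than WINDOW_SECONDS
2000 gw-dc     drop   192.0.2.50   10.0.3.1 22
2100 gw-dc     drop   192.0.2.50   10.0.3.1 23
2200 gw-dc     drop   192.0.2.50   10.0.3.1 25
2300 gw-dc     drop   192.0.2.50   10.0.3.1 80
2400 gw-dc     drop   192.0.2.50   10.0.3.1 110
"""


@dataclass(frozen=True)
class Record:
    ts: int
    gateway: str
    action: str
    src: str
    dst: str
    dport: int


def parse(log: str) -> List[Record]:
    out = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, gw, action, src, dst, dport = line.split()
        out.append(Record(int(ts), gw, action, src, dst, int(dport)))
    return out


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def ports_per_gateway(records: List[Record], src: str) -> Dict[str, Set[int]]:
    """What each gateway sees on its own for one source."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r.src == src:
            seen[r.gateway].add(r.dport)
    return dict(seen)


def find_scanners(records: List[Record]) -> Dict[str, Set[int]]:
    """External sources touching >= PORT_THRESHOLD distinct ports within
    WINDOW_SECONDS, counted across all gateways combined."""
    by_src: Dict[str, List[Record]] = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_src[r.src].append(r)
    scanners: Dict[str, Set[int]] = {}
    for src, recs in by_src.items():
        if is_internal(src):
            continue   # internal sources go to a separate workflow, not an auto-block
        best: Set[int] = set()
        lo = 0
        for hi in range(len(recs)):            # sliding window over time-ordered records
            while recs[hi].ts - recs[lo].ts > WINDOW_SECONDS:
                lo += 1
            ports = {r.dport for r in recs[lo:hi + 1]}
            if len(ports) >= PORT_THRESHOLD and len(ports) > len(best):
                best = ports
        if best:
            scanners[src] = best
    return scanners


def block_rules(scanners: Dict[str, Set[int]]) -> List[Tuple[str, str]]:
    """Propagate one (gateway, source) drop rule to every gateway."""
    return [(gw, src) for src in sorted(scanners) for gw in GATEWAYS]


if __name__ == "__main__":
    recs = parse(LOG)
    found = find_scanners(recs)
    for src, ports in found.items():
        print(src, "per gateway:", ports_per_gateway(recs, src), "combined:", sorted(ports))
    for gw, src in block_rules(found):
        print(f"{gw}: drop src {src}")
```

Two details carry the point. Neither gateway alone sees 198.51.100.7 cross the threshold (three ports each), so the block only exists because the records were combined. And because source addresses are spoofable, an automatic block fed by them is a self-inflicted denial of service waiting to happen, which is why internal ranges are excluded here and why such rules should expire rather than accumulate.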

***********************************************************************
Rob Clyde
VP & Chief Technology Officer, Symantec Corporation

Over the next year, we will likely see developments in the following
areas affecting security, for users across the world.

New Attackers
It is clear that our global economy is increasingly dependent on the
Internet.  Online machines now control numerous, crucial infrastructure
elements of our society, including financial transactions, power
generation, business supply chains, and many others.

Until now, most of the highest-profile attacks on the Internet have
been undertaken by "amateurs", young people with no particular
motivation or target in mind.  However, we expect that over the
coming year and beyond, we will see a rise in more "professional"
types of attackers, targeting specific, crucial online systems and
posing great potential dangers not only to the Internet, but also to
our national security, and our entire way of life.

New Platforms
Over the coming year and beyond, there will be continued growth
of new systems on the Internet.  In particular, we believe that
home broadband, instant messaging, wireless communications, and
business-to-business web services will all become progressively more
widespread.  All of these technologies are highly connected, and if
not properly secured, could serve as increasingly important conduits
or targets for attacks on the Internet.  Appropriate security will
be crucial to reaping the full benefits of these systems as their
popularity grows.

New Protection
Many of today's security solutions are geared towards the detection of
"known" attacks (attacks which researchers have previously analyzed).
Furthermore, these systems often focus on detecting such attacks,
but are less capable of mitigation and prevention.  While reactive
approaches will never go away, the security industry is actively
investing in proactive systems that can provide first-strike protection
against all categories of Internet-based threats.  We expect to see
the emergence and initial deployment of such new proactive technologies
in the year ahead.

***********************************************************************
Greg Akers and John N. Stewart
Greg Akers, SVP, CTO Security and Strategic Services, Cisco Systems
John Stewart, Director, Information Security, Cisco Systems

Security, both awareness and interest, will continue on its upward
trend for 2003. As organizations face increasing attacks, both
in frequency and complexity, they will impose a related increased
demand from providers and vendors to answer the challenges faced. As
individuals suffer lost productivity and increased annoyance, they
will demand answers from their providers.

On the technology front, intrusion detection will move from a
detection/reactive market (IDS) to a protective market. Adaptation
methods will begin to protect against an attack as opposed to just
warning of one. The solutions will be in cooperative technologies --
where a proactive system talks to the defensive system and combined,
they mitigate attacks and require lower human intervention.

Mobility will continue to change the face of security. Traditional
methods to protect can no longer be only network based, but must
push protection to include host and application. The lines between
what a device is and how it is used are blurring. A cell phone is
rapidly becoming a hand held computer, connected both by cellular
technology and by IP. A phone is rapidly becoming a laptop, or a
microcode and Java driven application platform. These devices can be
infected by a virus, worm and can ultimately become a weapon. A worm
can affect IP phones.  Perimeter protecting with firewalls isn't the
only solution. Protecting with Defense In Depth, where application,
host, and network work in concert, is essential at multiple levels.

It will be the busiest year yet in precedent-setting cases for Internet
attack damages, liability for ISPs, loss of productivity due to such
things as abusive email, how to recoup lost revenue when a DDoS attack
is launched. The question will be: what will be the total cost and
impact of these attacks?



===end===

Edited by:
Alan Paller and Barbara Rietveld

-- 
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org