Eugene Spafford, one of the leading experts on information security, is director of the Center for Education and Research in Information Assurance and Security at Purdue University. Network World Senior Editor Carolyn Duffy Marsan recently sat down with Spafford at his office to talk about the latest security threats and what network executives can do to mitigate them.
What do you see as the top three information security threats that are most likely to hit multinationals?
One of the biggest threats we have right now is deployment of resources intended either to save on cost or enhance features without thinking through the consequences. VoIP and wireless fall in this category. They have failure modes that are very different than what they are replacing and are not well understood. Perceived cost advantages are driving these technologies, but that is overcoming the caution that should be in place. That's a threat not in the sense of a particular attack, but it is a systemic problem that leads to weakness in security posture and therefore may lead to attacks.
A second threat is a softening, if not disappearing, of the network perimeter. For a long time, we were able to get some semblance of securing the enterprise by establishing firewalls and [demilitarized zones] and maintaining the somewhat guarded perimeter. Now with BlackBerries, PDAs, wireless, executives traveling and using the Internet in hotel rooms, and people with VPN access from home systems, the perimeter is an illusion. But security policies and technologies have not kept up with that change. A big vulnerability in many environments is that you still have policies and people viewing the enterprise as protected with a firewall, and that's simply not the case.
A third threat is an overreliance on a small set of suppliers. We have too many enterprises that have everything running on the same hardware, the same operating system, the same database, the same network routers. Even their security systems are from one vendor. I don't mean to pick on a particular segment of the market or a particular vendor, but we see this homogeneity up and down the stack. The difficulty this brings is that the whole organization can fall with a weakness or failure of one platform type. That's very bad from an operational security point of view. This trend is driven by cost and convenience, but people simply aren't thinking about the potential cost of dealing with a disaster. Not having diversity in place applies to everything from viruses to break-ins to denial of service to potentially even bad bugs and vendor failure.
What steps should IT executives take to minimize these threats?
With any new technology, there should be a thorough understanding of the risks and the trade-offs. Some network systems are more fragile in the case of a fire or water main break than a similar twisted-pair telephone network. Those kinds of things need to be understood as risks before someone deploys the technology. That simply isn't being done in many environments. IT executives have to understand the risks extend outward beyond their enterprises when they're talking about these things, because they are infrastructure issues.
Regarding the disappearance of the network perimeter, they have to change their mind-sets to protecting the individual hosts or to building well-defined enclaves. The whole enterprise is no longer an island; it's an archipelago of islands that need to be protected individually, even down to the single-machine level. This means that you have to treat all of those machines as outside your perimeter for purposes not only of protecting them but of protecting your other machines from them. So when somebody comes back in with a laptop after they've been off-site, you can't trust it simply because it's a company-issued laptop unless you have applied specific control measures. This mode of thinking has to go down to the individuals who are using the systems.
For the homogeneity threat, even though it is contrary to some cost-containment measures and may increase the need for training or personnel, there should be some level of diversity in every infrastructure that's considered critical. This includes servers and routers and other appliances. This helps ensure that some of your infrastructure will be maintained so that you can send and receive e-mail and surf the Web even if one of your common configurations is completely blown away by some kind of attack or some kind of bug. It also limits internal damage if something gets into your systems. It can't sweep through everything. Also, the fact that you have a trained employee on different kinds of architectures means that you're more nimble to take advantage of advancements because you are not locked into a particular solution. There's a business advantage in the longer term to having some diversity in place.
What's the worst-case scenario for a multinational company?
I'm not sure I can actually say what's the worst case from an information security point of view. But something that would be bad would be an unobserved, automated attack that gets into the enterprise and because of a lack of internal controls or because of network homogeneity sweeps through the enterprise. The attack might slowly corrupt the data on a lot of machines so it isn't observed right away and you can't depend on yesterday's backups to help. Or it might do a massive ex-filtration of data such as company proprietary information, budgetary information, or it violates privacy issues. Or the attack coordinates some kind of massive denial-of-service or spam attack against a government or a major industry partner and causes them significant economic damage that they are forced to try to recover. All of those things would be very bad and could occur altogether. The only solution is to get a patch and shut down everything in the company and bring it back online. For most organizations, this scenario would be catastrophic in terms of the extent of the damage. If you add to the fact that the systems may have corrupted data, disclosed data or brought harm to an external entity that is going to want some kind of recompense, this would be a pretty grim scenario.