Bogus security promises and how to detect them

Data leakage, smartphone malware, and hotspot threats are discussed by security analyst Nick Selby

Is compliance with regulations and industry standards as big a security driver as most vendors think (or claim)?

What we are seeing is that yes, compliance is driving budgets. The problem there is that it is also driving security purchases, and that in turn means that businesses are allowing the government and MasterCard to set their priorities for them. Now, unless you ARE MasterCard, we think that's kind of a bogus way to proceed. But your question sadly I answered with a "yes." What we would like to see more of is use of compliance and rule sets to get actually secure as opposed to merely comply. PCI for example is really, really prescriptive, and 90 per cent of it is stuff you should do anyway.

How fast are enterprises catching up to the increasing complexity of wired/wireless networks? Are security solutions becoming obsolete faster? How does one design a good solution keeping the economics in mind?

One investment banker we spoke with talked about this in terms of perimeterization and I think that it counts here. It's not really about where (wired or wireless) the attack is coming from, it's about what is being attacked. I mean, if a guy shot you, would you care if he drove or took the subway? We've been saying now for some time that the decade-old paradigm where there is a big red circle and everything inside is good and everything outside is bad - is giving way, and must give way, to a new way of thinking. Look at the enterprise - even small companies like The 451 Group, which has 90 people in five offices and two countries - rely increasingly on Web-based applications that face towards the public Internet. Our workers are mobile, and insist on the same experience whether in the office or in the airport, and that means that we need instead lots of little circles - firewalls around our crown jewels, database transaction monitoring, multi-factor authentication, user-level authentication to data from our database, endpoint firewalls etc. So we're clearly moving towards the time in the enterprise world where nearly all connections are made essentially as remote ones, whether you're at the racetrack or on the 16th floor of corporate HQ. That means rethinking how we perimeterize, how we protect the endpoints and how we secure the connections from the endpoint, through the Web application firewall, through the Web-based application, back to the secure data repository, so that each link in the transaction (using the term to mean "computers exchanging stuff" not "someone buying something") is secured as much as is reasonably possible.

How about some insight on wireless security? Use WEP/WPA/WPA2 and call it good? Or is there some Big Dark Secret about wireless security that enterprises need to know and vendors aren't telling us?

Actually no. WEP isn't good enough. My litmus test is that if I can break it - and I am truly, truly untalented - then it sucks. So WEP sucks. I also think that people have been saying this for quite some time - WPA or better is not really a secret; it comes out of the box. I think that wireless IPS and understanding from a user and infrastructure perspective what wireless is around and connectable and connected to by your employees is really important.

What about WEP at home? I live in a sparsely populated area, WEP should be fine or am I misguided?

The latter, sorry. It comes to this: do you want to explain to the group of FBI agents who are milling about your living room and eating your donuts that you didn't mean to be the conduit for child porn they've been watching for six weeks? Or just set your router to WPA and be a lot more reasonably protected? An interesting question, too, is whether WEP or an unprotected Wi-Fi access point is actually breaching the Patriot Act. What if a Danish terrorist used your unprotected connection to send back illegal cookie recipes to Copenhagen? Are you sending material comfort and aid to the enemy? I would not want to argue that in a room at Gitmo.

Is Vista going to seriously dent the AV market by making it non-essential?

I think that we're seeing the effects of Vista now in the dynamic that has been taking place within the AV industry, and it hasn't really, like, DONE anything yet. But we are seeing a nascent industry pop up around support for things that Vista ALMOST does, and I think that we can expect to see the second and current third tier of AV vendors making products that expand or enhance the built-in features of Vista to make them more usable or sensible.

Is it safe at all to recommend to the mobile workers about using wireless hot spots when they're out and about?

The idea of letting our users out and about on public hotspots is one that gives me the willies but is also one we can't really get away from. I think that securing endpoints - and again we're back to the next generation of those second tier AV and endpoint agent guys again, using firewalls and behavioral detection methods at the endpoint and on the application side is crucial. It's a huge question that goes back to the earlier answers about perimeterization and goes forward to how we will be connecting and getting that fat-client experience over the next couple of years that people are increasingly demanding.

What do you see as the biggest up and coming security technology and why?

This will sound ho-hum but I have been really excited about Voltage's new Format Preserving Encryption [disclosure: Voltage is a customer of The 451 Group], because it lets companies that process credit cards and have legacy systems which might be capable of only holding 16-digit numbers for a card number (as opposed to a long encrypted string) convert credit card numbers to encrypted numbers. Voltage claims that the algorithm they use to make the conversion is as hard to reverse as AES-128, and shows a long proof drawing on work that's been in the public domain for a long time. I think that identity-based encryption itself is another good step forward.
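To make the point concrete, here is an added toy illustration (not Voltage's algorithm and not part of the interview) of what "format preserving" means: a keyed Feistel network over the two 8-digit halves of a card number, so that a 16-digit string encrypts to another 16-digit string that a legacy column can hold, and decrypts back with the same key. The key, the HMAC-SHA256 round function and the sample card number are constructed for the example; a real deployment would use a vetted mode such as NIST's FF1 rather than this sketch.

```python
import hashlib
import hmac

DIGITS = 16            # width of the field the legacy system can hold
HALF = DIGITS // 2     # Feistel halves: 8 digits each
MOD = 10 ** HALF       # arithmetic is done modulo 10^8 to stay numeric
ROUNDS = 8             # constructed choice for the illustration


def _round_function(key: bytes, round_no: int, half: int) -> int:
    """Keyed PRF for one Feistel round: HMAC-SHA256 reduced mod 10^8.

    The round number is mixed in so every round uses a distinct function.
    """
    msg = round_no.to_bytes(1, "big") + half.to_bytes(4, "big")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % MOD


def _check(value: str) -> None:
    if len(value) != DIGITS or not value.isdigit():
        raise ValueError("expected a %d-digit numeric string" % DIGITS)


def fpe_encrypt(key: bytes, pan: str) -> str:
    """Map a 16-digit PAN to a 16-digit ciphertext (format preserved)."""
    _check(pan)
    left, right = int(pan[:HALF]), int(pan[HALF:])
    for i in range(ROUNDS):
        # Standard Feistel step with modular addition instead of XOR,
        # so the halves stay inside the decimal domain.
        left, right = right, (left + _round_function(key, i, right)) % MOD
    return f"{left:0{HALF}d}{right:0{HALF}d}"


def fpe_decrypt(key: bytes, token: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    _check(token)
    left, right = int(token[:HALF]), int(token[HALF:])
    for i in reversed(range(ROUNDS)):
        left, right = (right - _round_function(key, i, left)) % MOD, left
    return f"{left:0{HALF}d}{right:0{HALF}d}"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    sample_pan = "4111111111111111"   # constructed test number, not a real card
    token = fpe_encrypt(demo_key, sample_pan)
    print(sample_pan, "->", token, "->", fpe_decrypt(demo_key, token))
```

The security of the construction rests entirely on the key; the output looks like a card number but carries no information about the input without it, which is exactly the property that lets a 16-digit legacy column hold a protected value.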

What about antivirus for the smartphone?

I think that the earlier question asked started to get towards that, and we do see that this will increasingly become a threat. Interestingly I think that this will go after the coolest and most popular kinds of fat mobile clients first, which could be a real shock if EVERYONE is trying to break a certain piece of gear at once. But immediately? I wouldn't run out and buy anything today, but I would watch and wait and see, with increasing interest depending on how cool my smartphone is.
