Experts: Network security deteriorating, privacy a lost cause

One suggestion: 'Don't armor the sheep, hunt the wolves'

Ethernet Summit: Internet and network security is bad, and it's going to get worse before it gets better. To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants.

"We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not our biggest problem," Brocade Communications chairman David House said at a future-forecasting panel during the Ethernet Innovation Summit this week in Mountain View, California. "Our biggest problem is cyber security."

When talking about security, House wasn't referring to privacy – that game has already been lost. "Give it up," he said, "it's over – everybody's going to know everything."

Every click you make on the web is already being tracked. "Right now, Amazon and Google know everything about everything you do, and the ads that pop up are all related to stuff that you have been looking at or you thought about," House said. "They already know about you."

But that's not the problem. "Guess what? Larry Page doesn't give a damn about you or any of that information," he said. "It's just a computer out there that knows about you." You're not that computer's target, your buying habits are. "This is just a bunch of data and big data and databases that's marketing to a market of one."

If not Page – or, rather, his all-seeing computer – then who should we be worried about regarding our privacy? According to House, it's hackers. "Everything is going to be known about you, and the guy who can hack into it is going to know everything about you," he said. "It's the hacker you need to worry about, not Google itself."

The way that we've architected our networks has exacerbated the privacy problem, House argues. "We've been spending the last 40 years abstracting up from the piece of wire to higher and higher levels," he said, "and virtualization and software-defined networks are just another layer of abstraction that we're putting into the environment."

All that abstraction is providing more and more ways for hackers to break into networks. "Every one of these layers is a tunnel that people can go through to access things that they shouldn't have access to," he warned.

At another Summit session, a gaggle of security execs expressed equally pessimistic concerns. For example, Alan Kessler, CEO of data-security company Vormetric, has given up on traditional security measures. "Building a fortress around your network no longer works," he said. "The bad guys are already inside. They already have access to your network – in fact, you may have hired them."

Kessler also is of the opinion that the advent of cloud computing has brought with it another threat layer. "Even if you're confident that you're running your data center, you can trust your people, what if your data is in someone else's cloud? How do you know whether the systems administrator who's managing that server is someone you can trust?"

From Kessler's point of view – and remember, his company is in the data-security business, so he's paid to be paranoid – you can't. Merely protecting your network from intrusion isn't the way to ensure security. Instead, you should focus on locking down your data, and not just your network.

That data-lockdown point of view is shared by Jason Brvenik, VP for security strategy at SourceFire, a – surprise! – network security company. He also said that one glaring proof of the sorry state of network security is the unconscionably long time between when a network is compromised and when a company becomes aware of that fact – one Verizon study put the average time of that gap at over 100 days.

Brvenik said that companies need to use improved analytics to gather more detailed visibility into network activity, and to better share information about how they've been compromised. If they do, he said, "We can close that gap down. We can close it to weeks. We can close it to days. For some organizations we may even be able to close it down to hours or minutes."

Brian Smith, CTO and cofounder of security analytics software vendor Click Security, agreed with Brvenik about information-sharing. "People tend to be very secretive about their security threats," he said, "and we need as an industry to start sharing that knowledge more, because the attackers are essentially businesses – they've developed a piece of software and then they want to make a return on investment on it."

The attackers do that, Smith said, by attacking one company, then another, then another, and so on, profiting on each attack. "We want to collapse that economy," he said – and if a compromised company would share with other companies details about how it was compromised, it would make it more difficult for attackers to achieve their business goal of a healthy ROI.

But no security scheme will work unless a company has well-trained network-security techs on its payroll – and there aren't that many of them to go around.

Most organizations, Smith said, simply realize, "Oh, we should worry about security – and then they appoint one of the IT guys, and say, 'You're now head of security – and, oh, by the way, you haven't lost your day job'." That won't cut it, he said. Instead companies need to invest in training, education, and "professionalization" of network-security administrators.

Training users, however, is a lost cause. As Manish Gupta, SVP of products at "next-generation threat protection" developer FireEye, put it, "You can't put restrictions on users. It has never worked in the past, and it'll never work in the future." Or as Kessler put it, if you have a user who wants to run down the hallway with scissors, a security professional's job is to help them do that as safely as possible, because they're still going to run with scissors.

Smith also said that a more vigorous attack on hackers was needed. "I think that for the last 20 years or so we've taken the approach as an industry of trying to armor the sheep. I think we need to start hunting the wolves," he said.

"We have tried to make the devices more secure by putting anti-virus [software] on them, by putting controls in the network that prevent breaches," Smith said.

"And the fact is that the bad guys just figure out ways around them." Those preventative measures have been so ineffective that a Verizon breach report concluded that only 5 per cent of intrusions were uncovered by security processes.

"Of the sixty billion dollars that the industry spends on IT security," he said, "they detect one in twenty intrusions that compromise those devices."

So, more training, better data-lockdown, improved analytics, shortened intrusion-detection times – oh yes, and wolf-hunting. These measures all might help, but as for now the problem remains.

Until all those measures – and likely more – are accomplished, well, as Brocade's House put it, "Security is going to get worse." ®
