Senior vice-president and chief security officer, AT&T

There can’t be too many people who know AT&T Inc.’s network and infrastructure better than Edward Amoroso. The senior vice-president and chief security officer for the U.S. telecom giant goes back 22 years to Bell Laboratories.

Amoroso was in Ottawa last Wednesday speaking at the Cyber Security: Proactive Defence of Critical Systems and Information conference hosted by the Conference Board of Canada. Afterward, he took time to outline his vision of a deeper but simpler IT security strategy and an end to the endless cycle of attack-fix-attack-fix.

* A few years ago, says Amoroso, the tech community’s security fixation was on worms and viruses. The problem was, “nobody was doing a very good job of patching.” As system patches dribbled in, administrators had to decide whether to implement them case by case; they’d tend to wait for “superpatches,” leaving the system unpatched until a number of problems could be fixed in one fell swoop. “We found the worms and viruses took advantage of that situation and we had to change our behaviour,” he said. “We’ve become superpatchers.”

* But while enterprises are superpatching their way to safety, there’s another problem — the vast number of users with broadband access and little or no security administration. His mother, for example, doesn’t care about patching security flaws. “She just wants to get onto the Internet and use her word processor,” Amoroso says. That’s how the botnet threat — networks of hundreds or thousands of unsecured PCs commandeered to send scam e-mail and distribute malware — has arisen. “It is the No. 1 problem on the Internet in my estimation.”

* Amoroso says the potential danger of volume-based denial-of-service attacks is still high. “Maybe 95 out of 100 (enterprises) probably don’t have sufficient protection (against DoS attacks),” he says. Gigabit Ethernet connections among data centres, virtual private networks and the like are still vulnerable to an attacker who can round up — by organizing or compromising — enough machines to bombard the network. “If you get enough traffic at that gateway — and it’s not that much traffic,” it’s easy to overwhelm the gateway. The individual enterprise approach of hanging a technological defence onto a single connection won’t stand up to a 3Gbps attack.

Internet service providers, though, can track and redirect suspect volumes of traffic to a “scrubbing” site. “It’s like a shock absorber for the Internet,” he says. It isn’t necessarily easy for the ISP, but it’s easy for the customer, he says, “(and) fundamentally, that’s what telecommunications is all about.”

* In 2000, George Gilder published Telecosm: How Infinite Bandwidth Will Revolutionize Our World, which became phenomenally influential among network thinkers. “You can replace the seven-layer smart network with a much faster, dumber, unlayered one,” Gilder wrote. “Let all messages careen around on their own. Let the end-user machines take responsibility for them. Amid the oceans of abundant bandwidth, anyone who wants to drink just needs to invent the right kind of cup.”

As a result, says Amoroso, carrier companies “got into just pushing light” — focusing on packet loss and latency — and letting the intelligent edge worry about everything else. “So many groups with cybersecurity teams are trying to solve the same problem,” he says. “Any one of us, as an engineer, would tell you that’s about as inefficient as it gets.”

All attacks pass through the carrier infrastructure, he says, and that’s where the focus should be. “Security is one of those things that’s best attended to in a centralized area,” he says. “You don’t send grandpa out on the roof to watch for incoming. You get a police force.”

* But selling this to enterprises, which have an ownership attitude toward their security regimes, gets pushback — “Not a little bit of pushback, a lot of pushback. This message is a very bitter pill to swallow,” he says. But if enterprises want to stop denial-of-service attacks without working with their carriers, he challenges them to explain how they’ll do it. How do you keep children off inappropriate Web sites when you can’t be there all the time and they’re often more technologically sophisticated than you? “In partnership with the carrier at the DSLAM or the headend,” Amoroso says, and that applies to the enterprise connection, too.

* Firewalls and intrusion detection systems are evolving to do tasks they weren’t conceived for in the first place, Amoroso says. A typical enterprise might have 100 gateways to untrusted connections. Originally, a firewall was designed to act as a choke point for a single connection. “A firewall is no longer a firewall,” he says. “I don’t know what it is.”

There’s a fast food company AT&T works with, Amoroso says, that has moved to more IP connectivity for drive-through service. Each restaurant is now a node in need of its own protective regime. “Rather than do that, we can load-balance firewalls onto their VPN,” he says, with four or five security nodes in a circle around thousands of restaurants. “We’re just managing the capacity and capital,” he says, while the restaurants can update their own policies. “We’re handling the gearhead side of it… We’ve found that SMBs absolutely love this.”