According to Seminole, Fla.-based consultant Winn Schwartau, “Because we do not know the value of protection, we cannot trust it 100 per cent in any environment.”
Schwartau, an information security consultant, the president of Interpact Inc., and founder of information security Web site Infowar.com, made his remarks during an exclusive security panel lunch with Network World Canada at the recently held Network World Live! show in Toronto. He said that in order to gain that trust, there are time elements that need to be considered. The way for companies to solve their security issues is to first realize that time is the essential factor.
Schwartau explained that the classic models of information security were developed by the military in the ’70s and ’80s, and were based upon classic conventional military defences 5,000 years old. It is what he calls ‘fortress mentality’, which is “building high walls around the cities, to protect them from the marauding masses. Look at the Great Wall of China…the Berlin Wall – what were they? Failures. Absolute failures.”
As an analogy for the situation for e-commerce sites today, Schwartau offered the following scenario: a store opens up for business.
“If a bad guy comes in, how do you know he’s a bad guy?” he asked. “Is it coming in that is the problem? No – it’s his behaviour.” Because, he said, unless he pulled a gun on you, or attempted to steal something, you would have no way of knowing he had malicious intentions.
“When we look at networks today, it’s all about behaviour. You could have every bad guy in the world going down to Amazon, and maybe 50 per cent of them are going to buy a book. And you’re not going to pay any attention to them whatsoever as long as their credit card passes, and they don’t start trying to beat on your electronic door,” he said.
Firewalls, PGP, password protectors, routers: all of these defensive products are static, Schwartau explained. They are the fortress-mentality products, which are hopefully configured correctly but more than likely are not.
Mark McArdle, vice-president of security software development for Waterloo, Ont.-based MyCIO.com, an ASP which provides security services, was also at the lunch. He agreed with Schwartau.
“[A firewall] is a tool, and if it’s poorly configured, it’s almost worse than no firewall at all, because you have a false sense of security,” he said.
Part of the problem is that while the good guys need to sew up thousands and thousands of holes, the bad guys only need to find one weakness to get in. Using a firewall is just not going to do it, Schwartau said.
“You can’t measure a firewall. The manufacturer can put out the most perfect thing in the world,” he offered. “Yet you give it to a user, and all he has to do is hit the wrong…button once and the entire functionality [that the firewall is there to provide] is dead, gone, history, period.”
What security also comes down to, according to Schwartau, is reaction time. For the sake of his example, Schwartau said, “Let’s for the moment say that the firewall is useless – totally useless, because we cannot prove it. We don’t know.” That makes it as effective as a plate-glass window in a jewellery store – one smash, and the bad guy is in.
But he noted that the window is likely not the only form of defence a store would have – it would have a camera, and likely a sonic or movement alarm as well.
“These are sensors, and in our world…we call them detection. Whether it’s intrusion detection at the perimeter of the network, looking for the bad guys and bad guy stuff on your firewalls and routers, or it’s intrusion detection inside the network looking at the behaviour…the object of the exercise in both the jewellery store case and in our case is: how fast can we say ‘oops!’”
How long does detection take? According to Schwartau, nominally, it’s easy to say that any good detection mechanism will detect something in about a second. So once the bad guy has been detected, another time component comes into effect: the amount of time it takes to react to that detection.
Even if the detection time is good, the reaction time needs to be as well. Once an intrusion is detected, Schwartau said, someone has to be paged, or woken up in the middle of the night. It could be lunchtime; it could be a holiday; that person may need to travel somewhere to make the necessary repairs…all of this factors into the amount of time it takes someone to react.
“What does that mean for the bad guy? Opportunity to hang around inside the networks and do whatever the heck he wants to do until finally someone gets in there and finds him and stops him. And by then he has already planted a Trojan if he’s smart. He’s erased his tracks — if he’s smart and done his homework.”
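A small model of the time elements Schwartau describes, added here as an illustration that is not from the panel or the article: it takes his “assume the firewall is useless” case (protection time of zero), adds up a reaction chain of paging, waking, travelling and containing, and reports how long the intruder is left inside. The rule that protection only holds while protection time exceeds detection plus reaction time, and every duration below, are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass
class ReactionChain:
    """Steps between a sensor saying 'oops' and the intruder being stopped.
    All durations in seconds; values are constructed for illustration."""
    page_oncall: float   # alert reaches a human (pager, phone, e-mail)
    wake_and_ack: float  # human acknowledges (longer at night or on a holiday)
    travel: float        # time to reach a console or the site
    contain: float       # time to actually shut the intruder out

    def total(self) -> float:
        return self.page_oncall + self.wake_and_ack + self.travel + self.contain


@dataclass
class Exposure:
    protection: float  # P: how long the static defence is trusted to hold
    detection: float   # D: time for the sensor to raise the alert
    reaction: float    # R: time from alert to containment

    def window(self) -> float:
        """Seconds the intruder has inside the network after P is exhausted."""
        return max(0.0, self.detection + self.reaction - self.protection)

    def protected(self) -> bool:
        # Assumed rule: the static defence is good enough only while P > D + R.
        return self.protection > self.detection + self.reaction


def assess(protection: float, detection: float, chain: ReactionChain) -> Exposure:
    """Combine an assumed protection time, a sensor latency and a reaction chain."""
    return Exposure(protection=protection, detection=detection, reaction=chain.total())


# Constructed scenarios: same one-second sensor, very different reaction chains.
DAYTIME = ReactionChain(page_oncall=30, wake_and_ack=300, travel=0, contain=600)
OVERNIGHT = ReactionChain(page_oncall=30, wake_and_ack=1800, travel=2700, contain=600)

if __name__ == "__main__":
    for name, chain in (("daytime", DAYTIME), ("overnight holiday", OVERNIGHT)):
        useless_firewall = assess(0.0, 1.0, chain)      # Schwartau's P = 0 case
        one_hour_firewall = assess(3600.0, 1.0, chain)  # assume the wall holds an hour
        print(f"{name}: window with P=0 is {useless_firewall.window():.0f}s, "
              f"P=1h sufficient: {one_hour_firewall.protected()}")
```

The same one-second detection leaves a window of minutes in one chain and well over an hour in the other, which is the point of the remark that reaction time, not detection time, is where the bad guy’s opportunity comes from.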
From there, he said companies need to make a decision. Do they want to grow and build their own security systems? Do they have the staff and budget to do so? Or do they want to hire a trusted third party to handle the detection and reaction times for them?
McArdle noted that the feedback from his customers has been that while the technology might be there, companies can’t get enough people to staff effectively and use the tools as they were designed to be used, making third parties a wise choice.
“If you look at the state of e-commerce companies right now, one of the reasons I think we’re in such a big mess when it comes to the security of these sites, is that they have been pushing, and consumers have been pushing…(for functionalities),” McArdle said. “Security has always sort of been a secondary consideration.”
And while McArdle noted that Microsoft is one company that has been listening to customers and adding feature-rich functionality, Schwartau said, “Putting Microsoft and security in the same sentence is an oxymoron.”