Experts: Network security deteriorating, privacy a lost cause

One suggestion: 'Don't armor the sheep, hunt the wolves'

Ethernet Summit Internet and network security is bad, and it's going to get worse before it gets better. To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants.

"We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not our biggest problem," Brocade Communications chairman David House said at a future-forecasting panel during the Ethernet Innovation Summit this week in Mountain View, California. "Our biggest problem is cyber security."

When talking about security, House wasn't referring to privacy – that game has already been lost. "Give it up," he said, "it's over – everybody's going to know everything."

Every click you make on the web is already being tracked. "Right now, Amazon and Google know everything about everything you do, and the ads that pop up are all related to stuff that you have been looking at or you thought about," House said. "They already know about you."

But that's not the problem. "Guess what? Larry Page doesn't give a damn about you or any of that information," he said. "It's just a computer out there that knows about you." You're not that computer's target, your buying habits are. "This is just a bunch of data and big data and databases that's marketing to a market of one."

If not Page – or, rather, his all-seeing computer – then who should we be worried about regarding our privacy? According to House, it's hackers. "Everything is going to be known about you, and the guy who can hack into it is going to know everything about you," he said. "It's the hacker you need to worry about, not Google itself."

The way that we've architected our networks has exacerbated the privacy problem, House argues. "We've been spending the last 40 years abstracting up from the piece of wire to higher and higher levels," he said, "and virtualization and software-defined networks are just another layer of abstraction that we're putting into the environment."

All that abstraction is providing more and more ways for hackers to break into networks. "Every one of these layers is a tunnel that people can go through to access things that they shouldn't have access to," he warned.

At another Summit session, a gaggle of security execs expressed equally pessimistic concerns. For example, Alan Kessler, CEO of data-security company Vormetric, has given up on traditional security measures. "Building a fortress around your network no longer works," he said. "The bad guys are already inside. They already have access to your network – in fact, you may have hired them."

Kessler also is of the opinion that the advent of cloud computing has brought with it another threat layer. "Even if you're confident that you're running your data center, you can trust your people, what if your data is in someone else's cloud? How do you know whether the systems administrator who's managing that server is someone you can trust?"

From Kessler's point of view – and remember, his company is in the data-security business, so he's paid to be paranoid – you can't. Merely protecting your network from intrusion isn't the way to ensure security. Instead, you should focus on locking down your data, and not just your network.

That data-lockdown point of view is shared by Jason Brvenik, VP for security strategy at SourceFire, a – surprise! – network security company. He also said that one glaring proof of the sorry state of network security is the unconscionably long time between when a network is compromised and when a company becomes aware of that fact – one Verizon study put the average time of that gap at over 100 days.

Brvenik said that companies need to use improved analytics to gather more detailed visibility into network activity, and to better share information about how they've been compromised. If they do, he said, "We can close that gap down. We can close it to weeks. We can close it to days. For some organizations we may even be able to close it down to hours or minutes."

Brian Smith, CTO and cofounder of security analytics software vendor Click Security, agreed with Brvenik about information-sharing. "People tend to be very secretive about their security threats," he said, "and we need as an industry to start sharing that knowledge more, because the attackers are essentially businesses – they've developed a piece of software and then they want to make a return on investment on it."

The attackers do that, Smith said, by attacking one company, then another, then another, and so on, profiting on each attack. "We want to collapse that economy," he said – and if a compromised company would share with other companies details about how it was compromised, it would make it more difficult for attackers to achieve their business goal of a healthy ROI.

But no security scheme will work unless a company has well-trained network-security techs on its payroll – and there aren't that many of them to go around.

Most organizations, Smith said, simply realize, "Oh, we should worry about security – and then they appoint one of the IT guys, and say, 'You're now head of security – and, oh, by the way, you haven't lost your day job'." That won't cut it, he said. Instead companies need to invest in training, education, and "professionalization" of network-security administrators.

Training users, however, is a lost cause. As Manish Gupta, SVP of products at "next-generation threat protection" developer FireEye, put it, "You can't put restrictions on users. It has never worked in the past, and it'll never work in the future." Or as Kessler put it, if you have a user who wants to run down the hallway with scissors, a security professional's job is to help them do that as safely as possible, because they're still going to run with scissors.

Smith also said that a more vigorous attack on hackers was needed. "I think that for the last 20 years or so we've taken the approach as an industry of trying to armor the sheep. I think we need to start hunting the wolves," he said.

"We have tried to make the devices more secure by putting anti-virus [software] on them, by putting controls in the network that prevent breaches," Smith said.

"And the fact is that the bad guys just figure out ways around them." Those preventative measures have been so ineffective that a Verizon breach report concluded that only 5 per cent of intrusions were uncovered by security processes.

"Of the sixty billion dollars that the industry spends on IT security," he said, "they detect one in twenty intrusions that compromise those devices."

So, more training, better data-lockdown, improved analytics, shortened intrusion-detection times – oh yes, and wolf-hunting. These measures all might help, but as for now the problem remains.

Until all those measures – and likely more – are accomplished, well, as Brocade's House put it, "Security is going to get worse." ®

Biting the hand that feeds IT © 1998–2022