Skip Links

Network World

Andreas Antonopoulos

Security: Risk and Reward

By Andreas M. Antonopoulos

Antonopoulos is a senior vice president and founding partner at Nemertes Research, a leading independent technology research firm. Contact him.

This column is also available as an e-mail newsletter called Security in Practice. Sign up to receive the newsletter here:

Communal security?
06/24/08
I’ve visited quite a few countries in Asia over the last two years. In the various airports I passed through I often saw people wearing surgical masks. I also saw “fever checkpoints” in most major airports. These checkpoints have infrared cameras that show a thermal false color picture of passengers as they are funneled through immigration. The signs surrounding the checkpoints indicated that the purpose was to identify people with a fever so as to screen for various types of flu (avian or other). This is classic perimeter control, network access control even, applied in the real world.
A question of trust and identity
06/10/08
What is the right balance between security and privacy? This is a common starting point in many policy discussions, especially in government. It’s a trick question because it presets the conversation as a balancing act between two values as if they are antithetical – they are not. In practical terms, privacy is security.
Less is more (secure)
05/27/08
Complexity is the enemy of security. Simple systems are inherently more secure than complex solutions.
Which IT security skills are most important?
05/13/08
I often hear from IT executives that it is hard to recruit and retain 'good security people.' Many lament the shortage of skills in this area and cannot reconcile the skills offered with the positions that need to be filled. Is there really a shortage of good security people? Or just a mismatch in the skills and the jobs?
Security preparedness instead of threat prediction
04/29/08
In the last column I talked about the challenge of trying to predict attacks, and how that approach leads to "anti-X" security strategies that are rapidly made obsolete by each new wave of threats.
Attackers are thinking outside the box
04/16/08
Security expert Andreas Antonopoulos explores the challenge of figuring out what the next big security attack will look.
Security in a bubble
03/18/08
Sometimes small, incremental changes add up in a way that isn't noticed until a change in degree becomes a change in kind.
Virtualized security: the next frontier
03/11/08
Companies are adopting virtualization technologies at a faster and faster rate. They are virtualizing servers, desktops, storage, networks. But one aspect of infrastructure has been lagging – very few companies address the growing demand for virtualized security.
Privacy and the coming backlash
02/27/08
Network World security columnist Andreas Antonopoulos discusses the growth of identity theft and the need in the United States for stronger privacy protection.
Network threats develop 'antibiotic' resistance
02/12/08
The scientific field of biology has provided many useful metaphors, such as "virus" and "infection," for the study of malware. Many researchers have used biology and evolution science to create innovative defenses against malware, in many ways simulating the functions of biological immunity systems. I find that biological sciences and especially evolution provide some great insights into the behavior of malware, malware creators and malware defenses over longer periods of time. I also see a lot of parallels between the evolution of malware and the evolution of darknets (stealthy P2P networks).
When it comes to security, chaos may be your friend
01/29/08
Viruses and other malware are getting better at evading antimalware systems despite the sophisticated behavioral-analysis systems that are used to detect them. This week a rogue trader in France was able to hide a growing loss until it reached $7 billion and was impossible to hide. What do these two events have in common? Both exploit the predictability of defenses to evade detection.
Floating data offers unique security challenges
01/15/08
You've probably already read the news of a company planning to use container ships as floating data centers. The plan is similar to the modular shipping container data centers. Only instead of parking them in your back lot, you moor them to a nearby pier. The company, International Data Security, is planning to deploy the first such data-ship next to Pier 50 in San Francisco.
Security: What will be hot in 2008?
12/19/07
There are two ways to predict the future with 100% accuracy. You either have the power to shape the future to your predictions (the God method) or you make your predictions vague enough so that they fit most conceivable outcomes (the Nostradamus method). For those of us without omnipotence and with a desire to write something meaningful, that leaves the alternative: extrapolate from in-depth research, solid statistics and current trends and hope for minimum volatility (disruptive innovation or externalities) in the outcome.
Convenient credit = security threat
12/05/07
There were more than 20 major data compromises in the last three months that went almost completely unreported. Eventually we all become resigned to the fact of identity theft/loss. But I’m not giving up so easily.
Re-assessing risk (The crown jewels are almost worthless)
11/19/07
A popular expression in security circles is to equate critical company intellectual property with the crown jewels. The crown jewels are protected by many layers of security, but the truth is that they make very poor targets for theft because they are far too distinctive to fence. To sell such items, a thief would have to take great risks and heavy discounts. Yet, in most information security risk-assessment methodologies we measure the loss impact for the company and ignore the gain potential for the thief.
Encryption is the name of the game
11/06/07
Up to now we’ve used encryption to protect against criminal elements, but what about using it to protect our data from service providers?
Divided we fall
10/23/07
I’ve always believed in the importance of maintaining a well-designed emergency response capability. For many years I helped organize security operations centers (SOC), computer emergency response teams (CERT) and incident response teams (IRT). No company is ever 100% secure. Breaches happen and will continue to happen. “Secure” companies are the ones that are able to efficiently and effectively mitigate the damage from a security incident. Looking back, I would probably do things a bit differently now. A key difference would be the balance between company privacy and involvement of law enforcement.
Combining work and play threatens business security
10/10/07
Nine-to-five is quickly becoming a quaint memory in many workplaces. Flex time, teleworkers, road warriors and home offices are increasingly blurring the distinction between "my time" and "work time." That means more work is done during off-hours but also that more "play" is done during work.
Service-oriented security
09/25/07
Attackers are making a lot of money stealing identities and they are developing ever more sophisticated attack networks. If we are to defend against this escalating threat we have to stop trying to match each move and work toward a broader strategy. That means working to build a security infrastructure that brings to bear all our defenses in a coordinated way. Breaking the silos in security is not easy, but we are already doing something very similar with our enterprise apps. Enterprises are using service-oriented architectures (SOA) to break monolithic applications into components, creating composite applications and integrating business processes. A few weeks ago I wrote about how companies are building security into SOA. An even more interesting topic is how we can build SOA into security.
The black market for identity theft
09/11/07
A while back I looked at the maturing market dynamics of cybercrime black markets and found that as professionals have come to dominate the hacking scene, a whole series of black markets have emerged.
Security-oriented architectures?
08/28/07
SOA is one of those buzzword acronyms that mean so many things to so many people it’s hard to pin down what it is. Nevertheless, many large enterprises are integrating applications and building applications using XML, Web services and rudimentary service-oriented architectures. But what about security?
The cost of compliance
08/14/07
Regulatory compliance is a form of asymmetric warfare. It will always be faster and cheaper for Congress to create new regulations than it is for businesses to comply with them. After all, the infamous Section 404 of the Sarbanes-Oxley Act is only a few sentences, but carries an enormous punch.
A knack for network access control
07/31/07
Network access control is a huge topic of discussion in IT and a focus of activity among vendors. Over time, the acronym has become almost generic through overuse and the definition varies.
Virtual servers: More or less secure?
07/16/07
Virtualization is quickly being adopted in many different industries. As virtual machines move from testing and development roles into production, security becomes ever more important. Virtual servers are no less secure than regular servers, and may provide additional security by compartmentalizing applications.
E-discovery and records retention
07/02/07
How do we balance the needs of regulatory compliance and litigation with the rising cost of retaining electronic records? You won’t like the answer.

Most Read

View more Most Read

Videos

rssRss Feed

Latest News

rssRss Feed
Save The Date!
What They Are Saying

The Diane's of the industry should be acknowledged for their understanding of why products fail when...- Anon

Join the Discussion