Eugene Spafford, one of the nation's leading experts on information security, is director of the Center for Education and Research in Information Assurance and Security at Purdue University. Network World Senior Editor Carolyn Duffy Marsan recently sat down with Spafford at his West Lafayette, Ind., office to talk about the latest security threats and what network executives can do to mitigate them. Here are excerpts from their conversation:
What do you see as the top three information security threats that are most likely to hit U.S.-based multinationals?
One of the biggest threats we have right now is deployment of resources intended either to save on cost or enhance features without thinking through the consequences. VoIP and wireless fall in this category. They have failure modes that are very different than what they are replacing and are not well understood. Perceived cost advantages are driving these technologies, but that is overcoming the caution that should be in place. That's a threat not in the sense of a particular attack, but it is a systemic problem that leads to weakness in security posture and therefore may lead to attacks.
A second threat is a softening, if not disappearing, of the network perimeter. For a long time, we were able to get some semblance of securing the enterprise by establishing firewalls and [demilitarized zones] and maintaining the somewhat guarded perimeter. Now with BlackBerries, PDAs, wireless, executives traveling and using the Internet in hotel rooms, and people with VPN access from home systems, the perimeter is an illusion. But security policies and technologies have not kept up with that change. A big vulnerability in many environments is that you still have policies and people viewing the enterprise as protected with a firewall, and that's simply not the case.
A third threat is an overreliance on a small set of suppliers. We have too many enterprises that have everything running on the same hardware, the same operating system, the same database, the same network routers. Even their security systems are from one vendor. I don't mean to pick on a particular segment of the market or a particular vendor, but we see this homogeneity up and down the stack. The difficulty this brings is that the whole organization can fall with a weakness or failure of one platform type. That's very bad from an operational security point of view. This trend is driven by cost and convenience, but people simply aren't thinking about the potential cost of dealing with a disaster. Not having diversity in place applies to everything from viruses to break-ins to denial of service to potentially even bad bugs and vendor failure.
What steps should IT executives take to minimize these threats?
With any new technology, there should be a thorough understanding of the risks and the trade-offs. Some network systems are more fragile in the case of a fire or water main break than a similar twisted-pair telephone network. Those kinds of things need to be understood as risks before someone deploys the technology. That simply isn't being done in many environments. IT executives have to understand the risks extend outward beyond their enterprises when they're talking about these things, because they are infrastructure issues.
Rss FeedRss Feed
The Leader in Network Knowledge
Comment