RSA paints grand picture that reveals product shortcomings today

Security executives face greater threats, stiffer financial consequences

San Francisco — IT executives who flocked to the RSA Conference '07 this week heard vendors pledge to help protect information no matter how it is accessed, but evidence of the technology needed to accomplish this was hard to find on the exhibit floor.

Microsoft Chairman Bill Gates described the need for “trustworthy computing,” a set of coordinated technologies embracing infrastructure and applications. Separately, RSA president Art Coviello spoke of a future that includes security as a coordinated part of the network fabric, not an add-on supplied by one or a series of individual devices. “The value of security as a stand-alone solution is diminishing,” he said.

Yet vendors promoted products — network access control devices, intrusion-prevention systems (IPS), database security products and identity management tools — that, even where they were not strictly stand-alone, did not fulfill the grand designs called for in the tone-setting speeches.

Cisco took a stab at moving beyond individual technologies with announcements about integrating its IPS with its security client, but that was just a step along the way to delivering on a defense-in-depth strategy.

Meanwhile, many of the 15,000 attendees were told that the security threats they face are becoming more sophisticated and capable of inflicting devastatingly costly harm. This puts pressure on companies being asked by customers and partners to boost their online offerings, said John Thompson, chairman and CEO of Symantec. “Consumers will demand that enterprises conform to a certain level of security before they will connect,” he said.

That pressure is understood by eBay Marketplaces’ CISO David Cullinane, who talked during a show session about the challenges of developing secure Web-commerce applications quickly. “We want code that’s written properly, but other factors matter. The rate of change [in Web business applications] is amazing and the throughput is mind-boggling. If you do too much security, you bog down the Web site,” Cullinane said.

The problem goes beyond business-to-customer interactions, said Caleb Sima, a member of the Secure Software Forum and co-founder of SPI Dynamics, who also spoke at the conference.

“If you’re a business where users browse the Web [legitimately] and hackers take over a browser, they can use it as a tool to look at the internal network and send data outside the network,” he said.

This can lead to hackers stealing from individual users, Sima said. For instance, once a browser is commandeered, the hacker can crack passwords and learn a user’s activities on the Internet. “They can go to stocktrader.com and trade your stock while you’re logged in . . . and you won’t know it,” Sima said.

All this leads to questions of corporate liability for damages caused by security breaches, said Ben Wilson, an attorney who co-chairs an American Bar Association committee on information security. That could mean enormous penalties against businesses that fail to protect personal data, he said.

State laws vary as to how much security businesses must have in place to protect data and whether they have to notify customers whose data is compromised, Wilson said. That makes taking legal action tricky, for example, for those who might live in Florida but whose bank compromises their personal data in a breach in California.

In addition, criminals who steal data such as customer credit card numbers, Social Security numbers and account numbers are learning to hang onto the data for more than a year to increase its value, said Jon Stanley, whose Cape Elizabeth, Maine, firm specializes in database breach cases.

“It’s the vintage wine syndrome,” he said. “You wait until it ages.”

Waiting until the heat is off makes the data more valuable. Heightened credit monitoring typically goes away after a year, he said, at which point those holding the compromised data can use it with less fear of getting caught. They then sell the data to people who want to exploit it.

That is when people whose data has been stolen will start suffering real damages, which is the legal test for whether they can sue to get their money back, Wilson said. And that is when they will sue companies responsible for losing the data for potentially huge sums of money, which could be further boosted by regulatory fines, he added.

The RSA Conference also had space for the non-technical, including warnings from BT Counterpane CTO Bruce Schneier that network security executives need to watch themselves to make sure their decisions are made using fact and reason, not fear and emotion.

“We make bad security tradeoffs when our feeling and our reality are out of whack,” he said. “You can see vendors and politicians manipulating these biases.” In the world of business, human psychology plays a strong role in decisions about acquiring security defenses as well, he asserted.

Schneier acknowledged that security is an art in which experts have to decide what network elements or data warrant the most stringent protection. “We make these tradeoffs every day,” he said.

But in making those tradeoffs, security pros should not give in to emotion and intuition. Most people are optimistic that they won’t be the victim of an attack even though they know an attack is possible, he said. “We tend to think we’ll be luckier than the rest.”


Copyright © 2007 IDG Communications, Inc.