InfoSecurity Conference focuses on management, mobility

“Management” and “mobility” were words on the tips of many attendees’ tongues at the InfoSecurity 2003 Conference and Exhibition in New York, as leading security technology vendors displayed products for managing security devices, combating spam and securing mobile devices.

Frustration with difficulty managing security devices and security risks posed by mobile devices such as PDAs and cellular telephones is driving demand for new products and features bolstering traditional protections like firewalls and intrusion detection systems, according to interviews with those at the show.

A number of companies displayed technology for managing data produced by increasing numbers of security products deployed on corporate networks. Companies like Ubizen NV, OpenService, Consul Risk Management and Network Intelligence showed such products and services.

Securing mobile users was also a major concern of attendees and exhibitors. Heightened attention comes as corporations are equipping more employees with laptop computers, BlackBerry pagers and smart phones that give them constant access to network resources. Increasingly, those devices are serving as entry points for worms and viruses, said David Mortman, director of global security at Siebel, during a panel discussion Wednesday.

“Seventy percent of our workforce has laptops and is mobile, and laptops break the (network) perimeter,” he said.

After a recent outbreak of the Blaster worm, Siebel was forced to protect its network from infection by stopping mobile workers as they came to work and requiring them to run a scanning program to detect copies of the worm on their laptops. Siebel stopped about 30 or 40 instances of Blaster from reaching the corporate network, Mortman said.

But companies are looking for more automated ways to deal with threats posed by mobile workers, according to Gerhard Eschelbeck of Qualys, who also participated in the panel discussion.

To meet those needs, companies are investing in new kinds of remote access technology. For example:

* Nokia used InfoSecurity to display Secure Access System, a VPN product based on Secure Sockets Layer that lets companies set up access policies that take into account the mobile user’s identity, location and type of device used for network access, said Steve Schall, director of security application product management at Nokia.

Companies can use a client integrity scanner component of the Secure Access System to determine whether a mobile user’s operating system is adequately patched and whether antivirus definitions are up to date. Lower levels of network privileges can then be assigned to users who do not satisfy those criteria, Schall said.

* InfoExpress, in Mountain View, Calif., showcased similar technology in its CyberGatekeeper product, a server that sits between VPN users and a corporate network and enforces security policies such as anti-virus updates and configuration on remote clients.

* Control Break Intl. of Houten, Netherlands, displayed technology for protecting data on remote devices. The company’s SafeBoot uses two-factor authentication and proprietary technology to validate a user’s identity before allowing the SafeBoot-protected device to start.

The focus on securing mobile devices points to larger security problems posed by the use of embedded operating systems on a wide range of devices, from cellular telephones to automated teller machines and SCADA systems that control critical infrastructure, said Pete Lindstrom, Spire Security LLC in Malvern, Pennsylvania.

“The idea is becoming apparent that embedded operating systems need to be evaluated and understood and profiled,” he said.

Such devices are often not connected to the Internet directly, but to enterprise networks, creating a “leaky network” that can allow viruses and worms in, as happened in August when automated teller machines at two customers of cash machine manufacturer Diebold were infected with the Welchia worm, Lindstrom said.

Scott Yelich, a Unix administrator at a large Wall Street investment banking firm, attended the exhibition to search for Unix and Linux security products. But he was also looking for technology that secures mobile devices, he said.

Holding out his BlackBerry pager, by Research In Motion, Yelich noted that the device can be programmed to send instructions back to his computer at work via e-mail, but his company does not currently use products that would spot such activity, which could be used to launch attacks or spread infections.

The sheer number of new security products and mobile computing devices that companies are deploying is forcing changes in the way network security administrators manage security, said Lance Braunstein, chief information security officer at Morgan Stanley Dean Whitter & Co., who gave a presentation on the best security practices.

Administrators are increasingly looking to automate manual processes and invest more money in workflow and policy management technologies, he said. The interest he saw in technology such as software patch management systems highlights the desire for products that will reduce the administrative overhead associated with securing systems, Lindstrom said.

“Patch management is extremely hot lately because (patching systems) is an operational pain in the neck right now,” he said.

The proliferation of specialized security devices is also forcing a reconsideration of the long-accepted notion of buying “best in breed” technology to solve network security problems, Braunstein said. Companies such as Morgan Stanley are increasingly willing to settle for technology that is not “best of breed” if it offers seamless integration with other security functions, he said.

Lindstrom agreed, saying that network security is fast evolving from an arcane practice to a science, and that security administrators are being held to account for costs associated with it.

“We’re seeing a move from security being a black hole of lost dollars to it being a cost-benefit risk assessment in the enterprise,” he said.