By Alex Ritman
The RSA Security conference gave a gloomy outlook on future network security issues. Attacks won't go away, but will just get more complicated, and more costly.
“Products will evolve and we will have to build new threat models as the environment continues to change.” Scott Charney, Microsoft's Chief Security Strategist

While science will disassociate the connection, the temperature in Vienna seemed somewhat colder around the time of the RSA Security conference. It may have been mid-October, but there was an extra chill in the air with the arrival of the IT industry’s top security brass and their messages of impending doom.
Jayshree Ullal, Cisco’s senior VP and head of systems, kick-started her keynote session with a grim outlook on any future security hopes. “The minute you solve it, there’s always the next one.” “It’s not just antivirus anymore,” claims Ullal. “It’s blended threats, be it worms, viruses, spyware, malware, Trojans.” This growing complexity of attack was one of the main themes of the event.
Ullal says responses to security threats have improved; however, it is not enough. Viruses such as Nimda, which hit networks in 2001, took 336 days to fix, while one of the latest intrusions, the Zotob worm, took just five days. “But even five days is too long,” says Ullal. It was this thinking that had led to Cisco’s idea of networks with built-in security features. “Three years ago none of our routers had security in them, whereas today it is between 10%-40%,” says Ullal.
Cisco used the RSA event to launch the second phase of its Network Admission Control (NAC) solutions. NAC is Cisco’s two-year-old project that aims to develop “self-defending networks”, enforcing security compliance on user devices before they can gain access to the LAN. Under NAC, companies can allow network access only to compliant and trusted endpoint devices.
The second phase, NAC II, adds support to Cisco’s Catalyst switches and wireless devices. In addition to this, a new partner programme gets around the problem of having to install NAC client software onto PCs. Companies will instead be able to use auditing software from Qualys, Symantec and Altiris to check the health of any client wishing to gain access to the LAN.
Stuart McIrvine, director of corporate security strategy at IBM, a NAC client, spoke of the benefits of such a process. “Is security complex? Absolutely. One of the ways that you manage around this area of complexity is you start to put more capabilities into the systems to manage and defend themselves. A customer doesn’t want to buy 14 security solutions and deploy them individually. There needs to be mechanisms and capabilities within the infrastructure to provide self-defending capabilities.”
McIrvine looks at the security of the end point device. “If that security posture is not in compliance with the company’s security policy, it’s not just a case of locking that device out, it’s a case of understanding why that device is out of compliance and then fixing it.”
Future warnings came from Microsoft’s security chief, Scott Charney. With the arrival of IP networks, he claims phones could soon be just as vulnerable as PCs. He says he doesn’t see the end of security vulnerabilities happening anytime soon. “Products will evolve and we will have to build new threat models as the environment continues to change.”
The next generation of IP-based telephone networks will see the telephone become more than just a dumb terminal, and will move more power to the edge of the network. Charney warns that while such a move will help drive business innovation as people create new applications, it also carries new threats.
Cisco emphasised the need for network self-defence, but another issue being pushed heavily was one of identity protection. According to the VP of Verisign’s authentication services arm, Nico Popp, the internet was being used increasingly for financial matters, but the security technology employed was still old. “Identity theft in the US is costing around US$500 million, and this is increasing by 20% each year.” He warned that all online businesses could face a severe backlash if consumers decide that the internet is not a secure medium for exchange.
Popp was showing off his company’s token, used to generate one-time passwords and as an identity verifier, both security tools for making online transactions. A deal with eBay signed just weeks before the conference will see the online auctioneer deploy up to one million VeriSign tokens to users of its payments-processing subsidiary PayPal.
Earlier in the year, mobile operator MTC-Vodafone in Bahrain signed a security consulting services agreement with Verisign. “We did everything from nuts to soup for them,” says Suheil Shahryar, Verisign’s director of global securities consulting. “We tested the system against hackers, set up a security organisation, trained people, set up the architecture which we can then manage.” He claimed that Saudi Arabia was the largest in terms of demand from the region, with banks requiring the highest levels of security, and hinted that VeriSign was looking to open a Dubai office in the near future.
Shahryar says that while the Middle Eastern market lags behind Europe by about two years, it is a big growth area. “Things that didn’t fly in Europe do in the Middle East.” He mentions the PK1 encryption standard as one of these, something he describes as “the most foolproof method of securing information”.
Sharing Cisco’s outlook, Shahryar believes security threats were never going to go away and could never be totally covered. “If there’s not a fault in the system, then it’s the people.” He said that all IT managers and security suppliers could do was put as many different layers of defence as possible in front of the network, likening the tactic to a medieval castle, with the moat, the drawbridge, and the walls.
Future issues could involve terrorists. “It hasn’t reared its head yet, but it’s only time before they move into hacking,” says Shahryar, who said it could become one of the major areas of threat in the Middle East.
In the meantime, a major concern, and one highlighted by others during the show, was denial of service (DoS) attacks on websites. Companies that rely on constant visitor traffic and uptime for their revenue streams have come under increased attacks from cyber gangs threatening to inundate a web site with traffic until the server cannot cope, sending it offline. In regions where gambling websites are legal, several companies including UK-based BetFair have been targeted in such a way.
A report published in October by Gartner said gambling sites often paid up, as they were small, and without the resources to cope with the levels of downtime threatened. “These sites are often targets for denial of services extortion attacks such as, ‘Transfer US$5000 into this Swiss bank account and we will stop bombarding your site’,” the report claimed. In theory, any web-based business relying on online transactions for revenues is susceptible to denial of service extortion attacks. It said that mobile service providers would need to prepare for DoS attacks, as they may soon be targeted by an ‘SMS storm’. Swamping a network with text messages from a PC, such an attack could seriously affect coverage should it bombard mobile phones in a single cell.
The conclusions from the RSA Security conference were very much that things were not going to get better.