ORLANDO, Fla. -- Security pros are constantly weighing whether a
new security policy could be costly to employee flexibility and
productivity. But in recent years, one expert says, less
flexibility appears to be the new standard as vendors protect their
products from Web-based attacks -- and it could stifle
technological innovation.
"The Internet has so many different moving parts and so many
different independent hands involved that it's too difficult for
anybody to do anything to make it more secure," said Jonathan
Zittrain, professor of Internet governance and regulation at Oxford
University and co-founder of the Berkman Center for Internet and
Society at Harvard University.
While personal computers and devices are protected by firewalls
and security software, attackers are finding other avenues of
attack. Device makers are responding by locking down devices and
configuring them to automatically update, but the result is less
flexibility for their owners, Zittrain said. Like a home appliance,
the devices can be easily used by their owners, but little can be
done to update the internal software or configure them to make them
work better.
"There's a movement to turn the PC into things like the Tivo or
BlackBerry, which are tethered to their maker," Zittrain said. "The
makers of a device are now determining what you can do with
it."
Zittrain gave the opening keynote at the Infosec World Conference
and Expo, where security pros are gathering to attend a variety of
sessions to learn about securing applications and systems from
growing Internet threats. Zittrain's hour-long presentation was
more like a history lesson, showing how computing devices and the
Internet got their start and why the growing complexity of the
Internet has increased dangerous threats and could result in less
productivity.
Zittrain talked about his work as co-director of
StopBadware.org, a Web site that
is aiming to be a central clearinghouse for research about Web sites
that are configured to immediately dispense malware when visited.
The goal is to slow the spread of malware by getting the sites
labeled by Google and other search aggregators if they contain
spyware or deceptive adware, he said. So far, more than 31,000 Web
sites have been found to be configured to dispense malware when visited.
Still, the complexities of the Internet are making enforcement of
rules and regulations virtually impossible, Zittrain said.
To deal with Web uncertainties, vendors are turning their
software into a service, to protect it from vulnerabilities that
can be exploited by attackers. Zittrain and other experts who are
studying what can be done to better secure systems and devices from
Internet attacks say Internet service providers need to take a
greater role in securing Web traffic.
"You don't want to let your channel of communication rules be
the same channel for executable code," Zittrain said. "One hopes
that ISPs take a greater responsibility."
For now, some companies are locking out employees from certain
productivity tools and some vendors are tightening their grip on
their proprietary software. So far the strategy is helping defend
against the bad guys, said Cleveland Greene, a Department of
Defense systems analyst based in San Antonio, Texas.
"You've got to increase security and you're going to realize
that trade-off, which means employees will be locked into their
specific business process," Greene said. "If we're going to win the
battle you've got to accept that trade-off."