Know your enemy

Computer Weekly asked five of the world's leading IT security experts from business and academia to identify what they consider to be the biggest threat to IT security over the coming 12 months. Here we present their answers and their advice on what IT managers can do to keep systems safe.

Threat: The ever-increasing danger of old attacks
Bruce Schneier, chief technology officer at Counterpane Internet Security and author of Applied Cryptography and Secrets and Lies

In computer security, the older attacks never go away and the newer ones just get worse, writes Bruce Schneier, chief technology officer of Counterpane Internet Security. The most serious problem in computer security is not the newest attack, but the ever-increasing tsunami of all the old attacks that continue to do damage.

Consider buffer overflows. These incursions are one of the oldest tricks in the book. They were first talked about as early as the 1960s and were known by the security literati even earlier than that. In the 1970s, they were often used as a point of attack against early networked computers. In 1988, the Morris worm dropped 10% of the hosts on the Internet with a buffer overflow attack.

Today, over a decade after Morris and about 35 years after these attacks were first discovered, buffer overflows are still an enormous problem. Most attacks on the Internet are buffer overflows, even though there are automatic programs being developed which will find and fix them.

There are many attacks more subtle, and harder to fix, than buffer overflows. But they're still here, and they're still causing damage.

In 1995, Web site defacements were major news. Today, there are dozens of Web site defacements every day which go unnoticed. In 1998, the story was credit-card number thefts. CD Universe failed as a company partly because it lost credibility following a credit-card number theft. Today, millions of credit card numbers are stolen via the Internet, but it's not news any more.

1999 was the year of the Trojan. Back Orifice was going to be the death of the Internet. Today there are dozens of Trojans, many of them nastier than Back Orifice, that the popular press ignores. In 2000 it was denial-of-service (DoS) attacks. These are some of the oldest and easiest attacks in the book. They're as old as the Internet. That February co-ordinated, distributed DoS attacks easily brought down several high-traffic Web sites, including Yahoo, eBay, and CNN. Today, there are thousands of DoS attacks on the Internet every week.

Last year you had to be a self-directed, self-infecting, self-modifying Internet worm to make the news. This year it'll be something different. I don't know what will make the news, but I do know that it will be bigger and badder and nastier than what came before. I do know that it will include a lot of the same tools and techniques that were used before. And I do know that the entire industry will be blind-sided by it, even though it will have no excuse for not seeing it.

What can we do to minimise the damage? Nothing. We can't even get software companies to reliably produce code without buffer overflows. We can't get software companies to reliably produce security patches that work without breaking other things. If we can't solve the simple issues, how can we even hope to deal with the complex ones?

The greatest danger we face is the ever-growing tsunami of past problems. Every year it gets larger, and every year the damages grow.

Threat: Hype
Ross Anderson, head of information security research at Cambridge University's Computer Laboratory

When considering your IT security budget, don't believe the hype. So says Ross Anderson, head of information security research at Cambridge University's Computer Laboratory. Anderson, who last year published a book on security engineering, believes many companies spend too much on over-hyped security technology, but fail to focus on important areas such as adequate internal controls.

"Over the 15 to 20 years I have been interested in information security the pattern has not changed much," he says. "There are relatively few real attacks, but large amounts of hype about those that happen and a particularly heavy push by whoever is selling the protection technology reckoned to be the next big thing."

The technology hype cycle has turned from dial-back modems in the early 1980s to anti-virus software in the late 1980s and most recently firewalls and public key infrastructure (PKI), says Anderson.

"This probably leads to over investment in these areas, coupled with under investment in less glamorous matters such as decent internal controls," he suggests. "Given that technologies such as firewalls and encryption tackle only a minority of the typical firm's security problems, the ebbing of that particular tide is to be welcomed."

However, Anderson says, there will only be a short breathing space before the next big thing arrives so companies need to ask themselves whether they are spending too little on security, as the suppliers say, or too much.

He believes many companies get it about right, or if anything, spend too much on security. He points to recent research from Kevin Soo Hoo, a security expert at Stanford University, which suggested that simple, cheap measures such as turning on screen-locking features are much more worthwhile than the large projects, such as PKI to support network encryption, that many security suppliers prefer to sell.

"The overall message is probably that the average company may be spending slightly too much on security, and might be able to spend a bit less if they spent it smarter," Anderson says. "Refining this message must surely be of some value to industry."

If the security supplier community does not stop scaremongering to boost sales of their products, regulators may have to step in, according to Anderson.

"Security scaremongers tell us on Wednesday that e-mail is so easy to tap on the Internet that we should beware for our credit-card numbers, but on Thursday the FBI says tapping e-mail on the Internet is so hard that it needs a special 'Carnivore' box at each ISP," he says.

"If tapping e-mail is really so much harder than opening the physical mail, are the dozens of encryption companies selling anything of value? Or should the stock market regulators be taking a closer interest in their promoters?"

  • Interview by Daniel Thomas

Threat: Wireless Lans
Graham Titterington, senior analyst at Ovum

The biggest threat to information security over the next 12 months will come from wireless Lans, according to Graham Titterington, senior analyst at Ovum. "It's a fast growing problem," he says. "We've got a very insecure channel that's being deployed without due consideration for the security problem."

When the wireless Lan comes out of the box the encryption is turned off. Titterington says half of the companies deploying wireless Lans leave it that way, depriving themselves of even the most basic encryption, and the other half are reliant on inadequate security. He points to the Wired Equivalent Privacy (Wep) security protocol - the standard specified in the IEEE Wireless Fidelity standard 802.11b - which, he claims, is inherently flawed and "cryptographically unsound".

Titterington says a key problem is that Wep uses a shared encryption key on all devices. The small amount of random encryption used for each packet, rather than boosting security levels, actually adds a weakness, as combinations are often replicated. "The mechanics of it are very easy to crack basically," he says. It will usually only take about 20 seconds of captured transmissions to crack into the wireless Lan and "even an unlucky hacker will only need a few minutes".
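
The weakness described above, as an added example that is not part of the original article: Wep builds each packet's RC4 key from a 24-bit per-packet value (the IV) prepended to the shared key, so a repeated IV repeats the keystream. The key, IVs and frames below are constructed sample data, and Wep's integrity checksum is omitted.

```python
import math
from collections import defaultdict

IV_BITS = 24  # Wep prepends a 24-bit per-packet IV to the shared key

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_like_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key is IV || shared key (integrity checksum omitted)."""
    return rc4(iv + shared_key, plaintext)

def iv_collision_probability(frames: int) -> float:
    """Birthday bound: chance that at least two of `frames` random IVs match."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** IV_BITS))

def reused_ivs(frames):
    """Group (iv, ciphertext) pairs and return the IVs seen more than once."""
    seen = defaultdict(list)
    for iv, ct in frames:
        seen[iv].append(ct)
    return {iv: cts for iv, cts in seen.items() if len(cts) > 1}

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample data: one shared key on every device, three frames.
SHARED_KEY = bytes.fromhex("0102030405")  # made-up 40-bit key
P1, P2, P3 = b"GET /payroll.csv", b"USER alice PASS ", b"unrelated frame!"
FRAMES = [(b"\x00\x00\x01", wep_like_encrypt(SHARED_KEY, b"\x00\x00\x01", P1)),
          (b"\x00\x00\x02", wep_like_encrypt(SHARED_KEY, b"\x00\x00\x02", P3)),
          (b"\x00\x00\x01", wep_like_encrypt(SHARED_KEY, b"\x00\x00\x01", P2))]

if __name__ == "__main__":
    for iv, (c1, c2) in reused_ivs(FRAMES).items():
        print(iv.hex(), "reused; c1^c2 == p1^p2:", xor(c1, c2) == xor(P1, P2))
    print("P(collision) after 5000 frames:", round(iv_collision_probability(5000), 3))
```

With randomly chosen IVs, a repeat becomes more likely than not after roughly 5,000 frames, which is why a longer shared key does not help: the keystream repeats regardless of key length.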

Exacerbating the situation is the problem of "poor user understanding compounded by the way organisations are organised". This in part stems from a lack of centralised control and management, with different departments deploying wireless Lans and using them for different purposes.

The fundamental problem with wireless Lans, however, is that the signals are generally transmitted 100 metres from the antennae. Deploying inadequate security dramatically increases the risk of "drive by hacking". Getting into a network is "very easy", says Titterington. All you need is a wireless-enabled laptop and some cracking software downloaded from the Internet. Eavesdropping is the first level. The next step involves hackers impersonating genuine users, adding network traffic and modifying existing traffic. At this level there is a very real danger of launching a denial of service attack.

If the wireless Lan is being used solely as a communication tool the risk is limited. However, that risk increases dramatically once the wireless Lan is integrated with mainstream applications. And, according to Titterington, it doesn't matter if your network conforms to 802.11 a, b or even g, the risk is the same. It also applies to Bluetooth wireless technology, which has traditionally had a shorter range.

To protect against this threat, Titterington says companies should look at deploying IPSec products. IPSec is essentially a compromise, however, as it is heavy on processor time and bandwidth. In the short to medium term, companies should look out for Temporal Key Integrity Protocol (TKIP) products. These should be available later this year. "TKIP won't get many people jumping for joy though," says Titterington, as it is still essentially a compromise, offering better security than Wep but at a heavy cost to performance.

The Advanced Encryption Standard (AES) using elliptical encryption should be available next year. "This should significantly enhance the efficiency of the IPSec procedures, bringing it within the boundaries of what is acceptable in a wireless Lan environment," he says.

Another thing to look out for is offset code book technology, which Titterington predicts will be twice as efficient as the AES approach. The problem here is that three different companies have filed for different patents and are currently involved in a "punch up". "The real solution is still some way off," he says. For now, companies should bite the bullet and deploy IPSec but be aware that productivity will take "a heavy slugging".

  • Interview by Karl Cushing

Threat: Worms
Chez Ciechanowicz, course director of the information security MSc programme and member of the Information Security group at Royal Holloway, part of the University of London

The biggest threat over the coming year will come from worms. So says Chez Ciechanowicz, course director of the information security MSc programme at Royal Holloway College. He believes we will begin to see much more sophisticated and effective worms which instead of exploiting two or three vulnerabilities like Code Red could exploit many, causing massive damage. "I think the situation will get worse and the speeds at which these worms will spread will increase," he says.

However, Ciechanowicz is wary of using the term "flash" worms. These are the subject of considerable debate at the moment and not a little hysteria. A common line being bandied around is that these flash worms will be capable of bringing the Internet to its knees in 15 minutes. This might be somewhat beyond the pale for Ciechanowicz but he does believe some of the elements of these worms will become reality.

One characteristic he thinks future worms will develop is the ability to build up a hit list of vulnerable targets before they are released to maximise the speed at which they can spread. Ciechanowicz also fears that such worms would be able to communicate this information to each other via encrypted links once in the wild. "Ultimately, if you can automate the whole process of scanning for and attacking vulnerable systems, then that is an extremely effective way of operating," he says.

But can it be done? "There are a lot of warped individuals out there and a lot of them are undoubtedly very talented," Ciechanowicz says. "How effective anti-virus vendors will be at stopping them remains to be seen." A major problem is that software is becoming increasingly complex, with lots of lines of code that can be exploited and it's becoming increasingly difficult to ensure that there aren't weaknesses in all that code. "This problem will probably remain with us for a long time," he says.

A related problem is that users want more and more functionality and this also creates more areas to be exploited by viruses and malicious code writers. According to Ciechanowicz, advances in automated proof techniques are needed and manufacturers must devise more secure operating systems. The situation is improving, he says, and we can expect to see very secure operating systems "in the fullness of time". In the meantime, companies can minimise risk by doing all the conventional things like regularly updating anti-virus software and patches and developing a comprehensive security strategy.

Unfortunately, "There's no simple answer," says Ciechanowicz, adding that, for the most part, the extent to which companies are protected against such worms will depend on the importance they place on information security. Sadly, all too often information security is seen as an afterthought.

  • Interview by Karl Cushing
