Security chiefs declare war on cyber criminals

What can SMBs take from the RSA 2006 IT security show?

Bill Gates opened this year’s RSA IT security conference with a pledge to offer leadership to the IT industry on security. The forthcoming Windows Vista OS will be strongly secure, he said. “Security is the area that jumps out as the thing we have spent the most time on.”

His company would, he said, share more of its expertise in future. His address to the RSA conference in San Jose spoke of Microsoft’s commitment to a ‘trust ecosystem’, to engineering for security, to simplifying security, and to making platforms secure.

Gates opened his keynote by wishing delegates Happy Valentine’s Day, and mentioning an alternative offer he had declined: hunting with the hapless Dick Cheney, who had accidentally shot a 78-year-old friend the previous day.

In the next but one keynote, Gates’ great rival Scott McNealy, chair and CEO of Sun Microsystems, expressed his disappointment that the Microsoft chief had failed to mention his own invitation to go hunting.

In a knockabout speech, McNealy presented one of the nightmares facing a newly appointed security system administrator: finding yourself working in an all-Microsoft shop.

The Sun chief deplored the ‘Frankensteins’ of patched-together datacentres, on the one hand, and the ‘Dolly the sheep’ environment of the desktop on the other. “There is just not enough genetic diversity on the client side,” he said.

McNealy went on to rail against the “barriers to exit” prevalent, in his view, in the enterprise IT environment, and trumpeted his own company’s commitment to open source “from day zero”. Sun is, he averred, organically committed to sharing, and is dedicated to the cause of “ending the digital divide”.

He announced a new crypto accelerator product, to be released later in 2006, and called Solaris 10 the “most secure operating system in the world”.

Meanwhile, Microsoft’s chairman and chief software architect stressed recent successes in the war against spam, and urged his audience to drive wider deployment of SenderID. And he highlighted the addition of computational proof to emails in new versions of Outlook as an anti-spam move.

But the main Microsoft demonstration at RSA betokened a war on passwords. Microsoft is working with others, such as VeriSign, to establish a metasystem around digital identities. With that in mind, the company will roll out a smartcard system, dubbed InfoCard. Gates said InfoCard will support Internet Explorer 7 on Windows Vista, due out later this year, as well as Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 and R2.

He also demonstrated the information bar in Internet Explorer 7 turning either red or green as warning or assurance. This feature has been co-developed with VeriSign, whose chair and CEO, Stratton Sclavos, showed off the same functionality on day two of the show.

Cisco’s CEO John Chambers opened the second day of RSA 2006 with a double assertion that IT has come back as a number one change driver in global business, and that security is central to that. He beat the drum for the necessity of partnering and integration, pointing to the 65-plus members of Cisco’s Network Admission Control programme, and the 15 security acquisitions the company has executed in the last year. “We have to partner,” he said, “we have to go beyond the typical Silicon Valley mindset of doing it all yourself”.

RSA president and CEO Art Coviello spelled out, in his keynote speech, the context driving all this talk of sharing and partnering - the rise of revenue-driven cyber criminality, focused, above all, on identity theft. “We need to go on the offensive” against increasingly sophisticated and well organised online criminals, he urged.

Lest this rhetoric sound a bit overheated, ISS’s chief technology officer Chris Rouland described the growing threat from revenue-driven cyber criminals as a cold reality, and not one to be dismissed as over-hyped.

“2005 saw the sunset of the self-propagating, self-navigating internet worm. That was replaced by revenue-generating malicious code”, he said. “For-profit hacking to the mass market saw its real debut in 2005”.

Rouland described how the company’s X-Force research team, and collaboration with law enforcement, has discovered that “hackers are beginning to evade intrusion prevention systems, and are investing heavily in doing that because they have become mainstream.

“Our enterprise customers are very concerned that hacking and malicious code writing have moved into a for-profit mode. In 1998 the top concern was ‘my web page will be defaced’. The top concern now is ‘my intellectual property will be stolen and sold’.

“So, it’s more about data protection, with less concern about the Windows bug of yesterday. And they are also concerned about web application security and global device security”.

But the cyber-crime wave is the real deal, he said. “Take the top spam guy in Russia who was assassinated - was that someone tired of getting spam? Or was it because the spammer did not pay his botnet bill? My money’s on the latter.”

Finally, “In 2006, bot armies will replace the worm,” he said.
