Dark Reading's editorial advisory board held a meeting at last week's RSA Conference in San Francisco, bringing together security experts from several different walks of life. During the meeting, hackers, industry analysts, and enterprise security people discussed some of the chief problems facing security managers today, and their views on the industry's greatest obstacles. The following are excerpts from that conversation.
Botnets are the chief threat facing IT managers today, according to Ira Winkler, security expert and author of Spies Among Us.
"Botnets are screwing everything up. They are the source of the attacks that crashed the DNS servers [last week], they are the source of spam, denial of service attacks, and every other malicious attack. They are a hell of a driver for the [security] industry, but they are the last thing we need. And nobody wants to take responsibility for them, from law enforcement down to the average user."
Internet service providers should play a greater role in stopping botnets, Winkler suggests. "If they want to profit from the Internet, they should be responsible for at least noting that 70,000 ACK messages from grandma might not actually be her data. Some people say we should blame the user, but how can we do that? Others say we should blame the criminals, but we already have laws on the books for that, and it's not doing any good."
The industry should develop ways to make end users more responsible for the damage they cause, Winkler says. "After they've clicked on that phishing link for the fifteenth time, maybe we should blame them and take their computer away."
Rob Enderle, principal analyst at the Enderle Group, agrees. "People like that are the big problem right now. They're not part of the solution, so they're a major part of the problem. Everything we're doing right now as security people is trying to mitigate the fact that people are stupid. The only way to fix that is to make people not be stupid."
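The per-subscriber check Winkler is describing is essentially volumetric anomaly detection on the ISP's own flow telemetry. The following is an added example, not code from the article or from any ISP: it buckets constructed NetFlow-style records per source and flags a subscriber whose bare-ACK packet count, or whose count of distinct destinations, in any window is far beyond what a residential line produces. The thresholds, the record layout and the sample traffic (a normal user, a 70,000-packet ACK flood, and a SYN scan across a /24) are all assumptions made for illustration.

```python
"""Flag subscriber lines that look like bot traffic from flow records.

Added example; thresholds and flow records are constructed, not real ISP data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since the start of the observation period
    src: str       # subscriber (source) IP
    dst: str       # destination IP
    dport: int     # destination port
    flags: str     # TCP flag letters, e.g. "S", "A", "PA"
    packets: int   # packets in this flow record


def ack_only(flow):
    """Bare ACK segments carry no payload and no SYN/FIN; legitimate sessions
    send a few, ACK floods send thousands."""
    return flow.flags == "A"


def suspicious_sources(flows, window=60, ack_threshold=5000, dst_threshold=200):
    """Return {src: reason} for sources that exceed either threshold in any
    `window`-second bucket. Thresholds are assumed values for the example."""
    acks = defaultdict(int)    # (src, bucket) -> bare-ACK packets
    dsts = defaultdict(set)    # (src, bucket) -> distinct destination IPs
    for f in flows:
        key = (f.src, f.ts // window)
        if ack_only(f):
            acks[key] += f.packets
        dsts[key].add(f.dst)

    verdicts = {}
    for (src, bucket), n in acks.items():
        if n >= ack_threshold:
            verdicts[src] = f"{n} bare ACKs in window {bucket}"
    for (src, bucket), d in dsts.items():
        if len(d) >= dst_threshold and src not in verdicts:
            verdicts[src] = f"{len(d)} distinct destinations in window {bucket}"
    return verdicts


def sample_flows():
    """Constructed traffic: one normal subscriber and two infected ones."""
    flows = [
        Flow(1, "10.0.0.5", "203.0.113.10", 443, "S", 1),    # grandma: TLS handshake
        Flow(2, "10.0.0.5", "203.0.113.10", 443, "A", 40),   # ...and a normal session
        Flow(30, "10.0.0.5", "198.51.100.7", 80, "PA", 12),
    ]
    # Bot 1: 70 x 1000 bare ACKs at a single victim over ~70 seconds.
    flows += [Flow(5 + i, "10.0.0.77", "192.0.2.1", 80, "A", 1000) for i in range(70)]
    # Bot 2: SYN scan of 250 hosts on port 445 inside one window.
    flows += [Flow(10, "10.0.0.91", f"192.0.2.{i}", 445, "S", 1) for i in range(1, 251)]
    return flows


if __name__ == "__main__":
    for src, why in sorted(suspicious_sources(sample_flows()).items()):
        print(f"{src}: {why}")
```

Run stand-alone it prints the two infected lines and stays silent about 10.0.0.5. The point of the two independent tests is that a flood and a scan look nothing alike in packet counts, so a single "packets per second" ceiling would miss one or the other; both are cheap to compute from the flow data an ISP already exports.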
Companies should make users accountable for their security knowledge, requiring them to get training and punishing them if they fail to meet that requirement, he suggests.
RSnake, a security researcher who founded ha.ckers.org and sla.ckers.org, disagrees. "I used to work for eBay, and we spent millions and millions and millions on user training," he recalls. "The end result was it didn't do any good."
The problem, notes Jordan Wiens, a security engineer at the University of Florida, is that the threat against users is always changing, which makes training difficult. "If it's changing that fast, can you really train users in any meaningful way?"
Winkler says there needs to be accountability across the board. "If a user doesn't have the latest software updates and hasn't done the patches, the ISP should knock them off," he suggests. "They're creating a hazard to everybody else by having a wide-open system. End users don't have a right to the Internet, especially if they are behaving in an unsafe manner. The ISPs should be responsible for monitoring their users. Vendors should be responsible for their products. Law enforcement should be responsible for having enough resources to go out and catch the criminals."
It's ironic that end users can be trained to drive a car -- which is significantly more complex and potentially dangerous than using a PC -- but they can't learn how to recognize spam, Winkler observes. There should be greater training in schools, and perhaps users should actually have to be licensed to go on the Web, he adds.
Enderle agrees that end users who act irresponsibly should face tough consequences. "If eBay users act in an insecure fashion, suspend their memberships," he says. "When I was at IBM, we had a series of security problems and we couldn't get over them. Finally, we said, 'If you make this mistake, you're fired on the spot,'" he recalls. "The problem cleared up almost overnight -- we had to fire about fifteen people, but after that was over, people were following the policy."
RSnake pointed out that such an approach could be detrimental to business. "If you drop customers for being idiots, then you're going to end up with a lot fewer customers."
But Enderle notes that fewer high-risk customers could also result in fewer problems, which results in lower costs.
The surest way to solve security problems is to take them out of the user's hands, RSnake maintains. "SQL is a good example," he says. "We took that out of the developer's hands, took it out of the user's hands, and put it behind the firewall. Training, by itself, doesn't work. In fact, phishers actually like training, because it makes users feel more confident that they know what they're doing, when they really don't."
"You can't expect the user to have any input into the security equation -- it just doesn't work," RSnake says. "It has to be taken out of the user's hands and built into the browsers, into the ISPs that route the traffic, into the operating system that has to render the pages. When you take it out of the user's hands, it's suddenly far more scalable, easier to update, and easier to adapt."
But no single technology maker can solve the problem, either, RSnake says. "One person can't flip the switch and make the Internet more secure," he observes. "It's going to take a team effort of companies fixing browsers, fixing operating systems, fixing patch management issues. Firewalls need to be configured to prevent any-any [communication] on Port 80. There are all kinds of weird security measures that need to be taken to reduce the overall attack vector."
Most companies have yet to deploy Web application firewalls, for example. "Not that I think they do much good, but it's something," RSnake says.
So what else can IT do to protect the company from the growing number of threats out there? "First, don't let the local admin genie out of the bottle," says RSnake. Second, companies should try to separate internal Web sessions from public Internet sessions, either by forcing the browser to establish a new session or maybe even by forcing users to access the public Internet over a separate device, he advises.
IT people can also use tools to recognize when changes have been made to systems internally, Winkler says. "A tool like Qualys works pretty well for that."
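The change-detection Winkler mentions comes down to keeping a baseline of what is on a host and diffing a later snapshot against it. The following is an added example of that idea, written for this page; it is not Qualys' logic and not code from the article. It hashes every regular file under a root, records its permission bits, and reports additions, removals, content changes and mode-only changes. The `demo()` function builds a constructed directory tree, tampers with it the way an intruder might (a new root-level account line, a dropped binary, a deleted tool, a loosened permission), and returns the diff; the file names and contents are invented for illustration.

```python
"""Baseline-and-diff host change detection.

Added example with a constructed sample tree; not a real tool's implementation.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (sha256 hex, permission bits) for every regular
    file under root. Symlinks and special files are skipped deliberately."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return result


def diff_snapshots(baseline, current):
    """Classify every path that differs between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p][0] != current[p][0]),
        # Same bytes, different permission bits: a chmod, not a rewrite.
        "mode_changed": sorted(p for p in common
                               if baseline[p][0] == current[p][0]
                               and baseline[p][1] != current[p][1]),
    }


def _write(path, data, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Build a constructed tree, take a baseline, tamper, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
        _write(os.path.join(root, "bin", "ls"), b"\x7fELF-stand-in", "wb")
        baseline = snapshot(root)

        # Simulated intrusion: extra uid-0 account, dropped binary, deleted
        # tool, and a world-writable config file.
        _write(os.path.join(root, "etc", "passwd"), "bot:x:0:0::/:/bin/sh\n", "a")
        _write(os.path.join(root, "tmp", "svchost"), b"\x7fELF-stand-in-2", "wb")
        os.remove(os.path.join(root, "bin", "ls"))
        os.chmod(os.path.join(root, "etc", "hosts"), 0o666)

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored off-host (or signed) so that an attacker with local admin cannot simply regenerate it, which is the same reason the article's next point about the "local admin genie" matters for any integrity check.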
Corporations should also be careful about allowing users to walk out of the building with laptops and USB drives, experts say. "I had one university client that experienced Slammer on a Friday, cleaned it up over a weekend, and on Monday it was all over the network again," Winkler recalls. "That's because all the grad students brought it in on their laptops."
IT people should also remember that good security can yield a good return on investment, Winkler observes. "You're reducing risk (and cost) when you eliminate software on users' machines that they don't need, like SQL Server or IIS," he notes. "If you cut spam and spyware, you're cutting bandwidth costs. You don't have to see it as overhead. There can be a real cost savings here."
Tim Wilson, Site Editor, Dark Reading