
Commentary
12/18/2013 10:06 AM
Dave Piscitello

My 5 Wishes For Security In 2014

Security skeptic Dave Piscitello tells why his end-of-year InfoSec predictions are like a fine wine.

Year-end security predictions are really hard for InfoSec practitioners, in no small part because so many security matters linger for years without improvement or resolution. I've chosen five issues that have long legs (think "wine"). Here’s my wish list for how these might play out in 2014:

  • All governments will concede that IP addresses are not personally identifiable information. Sorry, IP addresses are different from telephone numbers. In the majority of use cases, they are ephemeral, assigned behind NAT boxes. They change as often in mobile societies as the chairs citizens occupy while mainlining espresso. They’ll become even less unique if Carrier-Grade NAT adoption trumps native deployment of IPv6. And speaking of CGN…
  • Opposition to Carrier-Grade NAT (CGN) will consolidate. If NATs opened Pandora’s box, CGN unleashes the dogs of hell. More worrisome than the technical issues CGN raises is how badly CGN breaks openness and interferes with popular applications. Fundamentally, ISPs use CGN as a tradeoff between IPv4 addresses that are scarce and ports that are not only plentiful but fully controlled by the carrier. The effect on net neutrality is potentially chilling. NLnet Labs director Olaf Kolkman explains in a presentation on IPv4 as a Strategy that "the CGN-based architecture cannot be neutral any longer because the address-scarcity cannot be fixed by investments or market competition."
  • National and global wailing over surveillance programs will give way to informed debate over how best to achieve balance, transparency, and accountability. While I don’t want to diminish the importance of revelations of collection or misuse, we seriously need to let go of the outrage and indignation, acknowledge that "none or all" are not practical solutions, and define acceptable parameters of behavior. This thoughtful analysis of surveillance is a good example of what I mean.
  • Legislators will heed educators and skeptics of STEM and embrace liberal arts as worthy and necessary elements of balanced education. I work in InfoSec alongside respected colleagues who earned philosophy, physics, psychology, and political science degrees. I recently met former concert and improv flautists who are rock-solid privacy experts. STEM-centric education won’t fill the short-horizon shortfall of cybersecurity talent -- and my head spins when I imagine the unintended consequences over the long term. For example, consider how critical trust and ethics are in cooperative society in general and InfoSec in particular. If you set yourselves on a course where only science matters, when and how do you teach ethics? If you must evangelize STEM, at the very least change the "T" to trust and "E" to ethics.
  • All invested communities will resist the temptation to solve the privacy/surveillance problem using technology (encryption) alone. Resisting that temptation would avert an arms race, and a proliferation of poorly conceived, possibly proprietary encryption-based solutions that promise rights or intellectual property protection, personal data protection, or protection against tracking and warrantless information collection.

I hope you’re able to enjoy time away from InfoSec this holiday season. Consider this wish list when you return in 2014, and let’s start the informed debate right here and now.

Dave Piscitello has been involved with Internet technologies (broadband access, routing, network management, and security) for over 35 years.

Comments
davepiscitello, User Rank: Apprentice, 12/20/2013 | 1:28:11 PM
Re: STEM & liberal arts
I think the obsession with STEM is more common among policy makers and parties with commercial or defense interests than among educators. Whenever there is a perceived shortage of a profession - law, medicine, teaching - there always seem to be calls for "solutions" like STEM that promise to quickly fill the perceived shortage.

People outside information security imagine that if we had several hundred thousand more InfoSec professionals then the Internet would "be secure". I don't think it's this simple. I do think that we need to raise awareness and set expectations about privacy in education if we want a society that makes intelligent or informed choices about how technology and information is used.

Marilyn Cohodas, User Rank: Strategist, 12/20/2013 | 7:44:53 AM
Re: STEM & liberal arts
What about the computer science and engineering schools? Do you think there is enough emphasis on the liberal arts in the standard curriculum to provide context to the ambiguous technical issues we're grappling with (like security and privacy) today? On the other hand, liberal arts could also do a better job teaching people that technology is more than just sending snapchats or email from a smartphone.
davepiscitello, User Rank: Apprentice, 12/18/2013 | 2:15:43 PM
Re: STEM & liberal arts
Thanks Marilyn,

I think the narrow focus that STEM suggests is not as universally shared among InfoSec practitioners as we're led to believe. Many of my colleagues have excellent programming skills, but programming isn't the only basis from which we can develop amazing forensic or investigatory skills. I'll speculate that many successful InfoSec companies or departments are diverse in background and multi-disciplinary.
Marilyn Cohodas, User Rank: Strategist, 12/18/2013 | 10:22:23 AM
STEM & liberal arts
Dave -- There are so many thoughtful and provocative wishes on your list that I don't know where to begin to comment. Given that I come from a liberal arts, and not a STEM, background I'll jump in there. I can't say how gratifying it is to hear a technologist make the case for a balanced education. Yes, science matters but most of today's most vexing issues surrounding technology (think NSA & privacy) are not going to be resolved by a technology solution. We definitely need to change the "T" and "E" in STEM to trust and ethics.