[ISN] 1999 year of computer security - maybe

From: mea culpa <jericho_at_dimensional.com>
Date: Sun 20 Dec 1998 - 14:49:45 CST
Forwarded From: Will Spencer <wspencer@dmwgroup.com>

1999: The Year Of Computer Security -- Maybe
Newsbytes; 12/15/98

 WASHINGTON, D.C., U.S.A., 1998 DEC 15 (Newsbytes) -- By William Jackson,
Government Computer News. What was hot in 1998? Security products. What
will be hot in 1999? Security policies. Spending on network security
worldwide this year will likely jump 53 percent from last year to $1.85
billion, according to DataQuest Inc. of San Jose, Calif. It is expected to
grow to $2.98 billion next year and reach $5.18 billion by 2000. 

  Unfortunately, many managers have not progressed beyond the
product-buying stage. In a survey this year of 1,600 information
technology professionals by PricewaterhouseCoopers LLP, 73 percent
reported security breaches during the past year, but fewer than one in
five had a comprehensive security policy. 

  "Senior management has not said, `Let's face up,' " said Alan Paller,
director of research for the Sans Institute Inc. in Bethesda, Md. "They
say, `Let's buy tools.' " 

  No single product or technology will ensure security, said Peter H. 
Goldman, federal sales manager for Secure Computing Corp. of Roseville,
Minn.  Products require policies to be effective, he said. 

  But indications are that the products-rather-than-policy attitude is
shifting. Secure Computing's professional services division has more work
than it can handle, Goldman said. Growth in security services is limited
only by the availability of qualified professionals, he said. 

  The need for new and improved security products is here to stay. New
forms of attack drive the development of new products, said Ray Suarez,
product marketing manager for Axent Technologies Inc. of Rockville, Md.,
maker of the Raptor Firewall. 

  For instance, "in the last few years, there has been a real push for
audio and video support," Suarez said. 

  And the newest release of Raptor guards against recently publicized
vulnerabilities in Microsoft Outlook 98 and Outlook Express 4.x e-mail. 

  The increasing use of virtual private networks that allow remote network
connections over the Internet and replace modem banks also is increasing
the demand for perimeter defenses such as firewalls, Suarez said. 

  "We are confident that our products are secure," he said. "But
unfortunately, technology can't solve all your problems." 

  Properly configuring hardware and software, and implementing and
enforcing security policies are essential to making even the best products
work, Suarez said. 

  But many federal agencies have been unwilling or unable to undertake the
labor-intensive and sometimes costly step of setting up and enforcing
security policies, Suarez said. 

  "They're not going to do anything until the risk becomes great enough,"
he said. 

  For some, the risk increased with Solar Sunrise, the Defense
Department's code name for February's well-publicized intrusion of the
Pentagon's computer systems by a trio of teenage hackers. In testimony
before the Senate Governmental Affairs Committee in June, Lt. Gen. Kenneth
Minihan, director of the National Security Agency, called Solar Sunrise a
classic example of an unstructured hack. 

  "The attackers used tools and techniques readily available on Internet
hacker bulletin boards," Minihan said. "Although these attacks were
moderately disruptive, the good news is that the vulnerabilities exploited
are relatively easily fixed." 

  But no one had bothered to fix them before the attacks. 

  Minihan warned that the country is engaged in an information-age
conflict that requires an active defense of critical information
infrastructures. 

"Such a defense requires that we have the best possible intelligence on
the capabilities and intentions of potential attackers," he said. 

  Much of that intelligence has been freely available for years. Secure
Computing sponsors a road show in which hackers-turned-security-experts
address federal audiences. The recurring observation is that the old
attacks, such as those used in Solar Sunrise, still work because agencies
are not closing the back-door systems gaps and loopholes they depend on. 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Mon Dec 21 08:39:52 1998