
Network Security: It's Not About the Technology

Five years ago a firewall was all you needed for security on the Internet. Back then, no one had ever heard of denial-of-service attacks shutting down Web servers, let alone common gateway interface scripting flaws and the latest vulnerabilities in Microsoft Outlook Express. But recent years have brought intrusion detection systems, public-key infrastructure, smart cards and biometrics. New networking services, wireless devices and the latest products regularly turn network security upside down. It's no wonder CIOs can't keep up.

What's amazing is that no one else can either. Computer security is a 40-year-old discipline; every year there's new research, new technologies, new products, even new laws. And every year things get worse.

I'm here to tell you it's not about the technology.

Network security is an arms race, where the attackers have all the advantages. First, potential intruders are in what military strategists call "the position of the interior": the defender has to defend against every possible attack, while the attacker has to find only one weakness. Second, the immense complexity of modern networks makes them impossible to properly secure. (Yes, I said "impossible," not "difficult.") And third, skilled attackers can encapsulate their attacks in automatic programs, allowing people with no skill to use them.

The way forward is not more products but better processes. We have to stop looking for the magic preventive technology that will avoid the threats, and embrace processes that will let us manage the risks. And that doesn't mean more prevention; it means detection and response.

On the Internet this translates to constant monitoring of your network. In October 2000, Microsoft discovered that an attacker had penetrated its corporate network weeks earlier, doing untold damage. (Microsoft has been reticent about the exact details.) Administrators discovered the breach when they noticed 20 new accounts being created on a server. Then they went back through their audit records and pieced together how the attacker got in and what he did. If someone had been monitoring those audit records - from the firewalls, servers and routers - in real time, the attacker could have been detected and repelled at the point of entry.
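The Microsoft breach above was noticed because of a burst of new accounts, but only after the fact. The check that would have caught it in real time is simple enough to write down; the following is an added example for this page, not code from the article or from Counterpane. It assumes syslog-style lines as written by `useradd` on Linux (a Windows 4720 event would need its own parser feeding the same detector), a threshold of five accounts in fifteen minutes, and a constructed log excerpt with the hostnames `web01` and `db01` and the documentation address 203.0.113.5. Because the detector only consumes lines in order, the same code serves both live monitoring and the replay of an audit trail during an investigation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (example only, not from the article): syslog lines as
# written by useradd on Linux. Other account-creation sources would need
# their own parser feeding the same detector.
USERADD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"useradd\[\d+\]: new user: name=(?P<user>[^,\s]+)"
)

def parse_useradd(line, year):
    """Return (timestamp, host, username) for a useradd line, else None.
    syslog timestamps carry no year, so the caller supplies one."""
    m = USERADD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"]

def detect_account_bursts(lines, threshold=5, window=timedelta(minutes=15), year=2000):
    """Sliding-window detector: alert once per host when at least `threshold`
    accounts are created on it within `window`. Consumes lines in order, so it
    behaves the same on a live stream and on a replayed audit trail."""
    recent = defaultdict(deque)   # host -> (timestamp, user) pairs inside the window
    alerts = []
    alerted_hosts = set()
    for line in lines:
        parsed = parse_useradd(line, year)
        if parsed is None:
            continue              # not an account creation; other rules would look here
        ts, host, user = parsed
        q = recent[host]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # expire creations older than the window
        if len(q) >= threshold and host not in alerted_hosts:
            alerted_hosts.add(host)
            alerts.append({
                "host": host,
                "first": q[0][0],
                "last": ts,
                "users": [u for _, u in q],
            })
    return alerts

# Constructed sample (not real data): web01 gets six accounts in four minutes
# shortly after a 2 a.m. login; db01 gets five spread across a working day,
# which looks like ordinary provisioning and must not alert.
SAMPLE_LOG = """\
Oct 26 02:14:07 web01 sshd[4302]: Accepted password for admin from 203.0.113.5 port 4022 ssh2
Oct 26 02:14:31 web01 useradd[4311]: new user: name=svc_a, UID=1001, GID=1001, home=/home/svc_a, shell=/bin/bash
Oct 26 02:14:52 web01 useradd[4315]: new user: name=svc_b, UID=1002, GID=1002, home=/home/svc_b, shell=/bin/bash
Oct 26 02:15:40 web01 useradd[4320]: new user: name=svc_c, UID=1003, GID=1003, home=/home/svc_c, shell=/bin/bash
Oct 26 02:16:03 web01 useradd[4324]: new user: name=svc_d, UID=1004, GID=1004, home=/home/svc_d, shell=/bin/bash
Oct 26 02:17:11 web01 useradd[4330]: new user: name=svc_e, UID=1005, GID=1005, home=/home/svc_e, shell=/bin/bash
Oct 26 02:18:45 web01 useradd[4337]: new user: name=svc_f, UID=1006, GID=1006, home=/home/svc_f, shell=/bin/bash
Oct 26 09:02:10 db01 useradd[2001]: new user: name=alice, UID=1101, GID=1101, home=/home/alice, shell=/bin/bash
Oct 26 10:47:55 db01 useradd[2040]: new user: name=bob, UID=1102, GID=1102, home=/home/bob, shell=/bin/bash
Oct 26 13:15:02 db01 useradd[2113]: new user: name=carol, UID=1103, GID=1103, home=/home/carol, shell=/bin/bash
Oct 26 15:30:48 db01 useradd[2187]: new user: name=dave, UID=1104, GID=1104, home=/home/dave, shell=/bin/bash
Oct 26 17:05:19 db01 useradd[2250]: new user: name=erin, UID=1105, GID=1105, home=/home/erin, shell=/bin/bash
"""

def run_sample():
    return detect_account_bursts(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['host']}: {len(a['users'])} accounts created between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {', '.join(a['users'])}")
```

The rule fires on `web01` at the fifth creation (02:17:11) and stays silent for `db01`, because the window, not the raw count, is what separates an intrusion from a day of routine provisioning. The point of the article is that somebody has to be watching when that alert fires; a threshold tuned for a given environment is the easy part.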

Monitoring also means vigilance; attacks come from all over and at all hours. It means experts, equipped with the right tools, continuously watching the network and working out what is actually happening. Throwing an intrusion detection system onto a network and handing a system administrator a pager isn't monitoring any more than giving a bucket to the guy at the other end of a fire alarm replaces a fire department.

Prevention systems are never perfect. No bank ever says: "Our safe is so good, we don't need an alarm system." No museum ever says: "Our door and window locks are so good, we don't need night watchmen." Detection and response are how we get security in the real world, and it's the only way we can possibly get security on the Internet. CIOs must invest in monitoring services if they are to maintain security in a networked world.

Bruce Schneier is founder and chief technical officer at Counterpane Internet Security, a managed-security monitoring company. He is also the author of Secrets and Lies: Digital Security in a Networked World (Wiley, 2000). You can subscribe to his free monthly e-mail newsletter, Crypto-Gram, at www.counterpane.com/crypto-gram.html.
