
Q&A: RSA Security CTO Bret Hartman
By Nick Heath
Published: 15 February 2008 16:18 GMT
Bret Hartman has over 25 years of experience building data security systems and protocols for some of the biggest authorities and companies in the world. During his career as a US Air Force officer he was assigned to the National Security Agency, where he helped create the Department of Defense Trusted Computer System Evaluation Criteria (Orange Book), and he was co-author of the Object Management Group's Corba Security specification.
As CTO at security company RSA, Hartman is responsible for defining the corporate security technology strategy for RSA's parent company EMC. RSA and its staff of about 2,000 work with several of the UK's high-street banks and more than 90 per cent of Fortune 500 companies. Its revenues for the fourth quarter of 2007 grew 30 per cent year-on-year, reaching $148m.
silicon.com caught up with Hartman on a recent trip to London, where he warned that traditional approaches to data security will no longer cut it in an age of ever more numerous cyber attacks.
Biggest security holes in corporate IT systems
Hartman: The biggest chronic issue we hear these days is the fact that sensitive data in organisations is no longer under central control of the IT organisations. The data is spread everywhere. You hear about people saving sensitive financial data on their USB or emailing somebody using Gmail and sending that information. It's almost impossible for enterprises to prevent employees from being a sieve and sending sensitive corporate data outside of the environment. That is an enormous hole and most organisations do not even have an understanding of how much data is exiting the company.
We will come in and monitor email traffic for a few days to see what data is actually exiting a corporation, looking for, say, financial data, and the results are almost always horrifying. They had no idea, and they will look at it and say 'this cannot be right' because, say, there have been about 10,000 such emails over the last few days. It's back to not enough understanding of how exposed those environments are.
It's very common: a lot of security has more to do with stopping stupid things from happening than preventing any hostile threat. First let's just reduce the level of stupidity.
Securing the perimeter
It is the erosion of the perimeter, the movement away from perimeter-based security where security is enforced at the edge of systems by methods such as a firewall.
These are still important but the way that people build systems these days is far more distributed. It's very difficult to distinguish what sensitive data is inside the data centre and what is outside. I think the challenge is moving from that perimeter-based security to what we call information-centred security; it's really about protecting the information correctly. The security world and information security does a very poor job of exploiting that information itself to protect it. To them it's just an opaque bunch of bits.
A content-based approach looks at the data and recognises how it can be adequately protected - for example by looking at a message and recognising whether this email message contains a harmless message, a credit card number or somebody's sensitive healthcare data. It's a huge challenge but also a great opportunity to do a much more effective job of protecting information.
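The content-based inspection Hartman describes, and the kind of outbound-mail count his monitoring runs produce, as an added example that is not RSA's code: candidate digit runs in each message are Luhn-checked so that phone and order numbers are not mistaken for card data. The messages and the class labels are constructed for this example.

```python
"""Content-aware classification of outbound messages (added example, not RSA code).

Rather than treating a message as an opaque bunch of bits, inspect it for
payment-card numbers: digit runs are extracted, then Luhn-checked so that
order references and phone numbers are not counted as card data.
All messages below are constructed sample data.
"""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens
CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str):
    """Return the digit strings in text that pass the Luhn check."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def classify(message: str) -> str:
    return "payment-card data" if find_card_numbers(message) else "harmless"

# Constructed sample: a phone number, a real-looking test card number,
# and an order reference that fails the Luhn check.
SAMPLE_MESSAGES = [
    "Hi, lunch at 1? Call me on 020 7946 0000.",
    "Customer card 4111 1111 1111 1111 expires 12/09, please process refund.",
    "Order reference 1234 5678 9012 3456 shipped today.",
]

def summarise(messages):
    """Count messages per class, the figure a monitoring run would report."""
    counts = {}
    for msg in messages:
        label = classify(msg)
        counts[label] = counts.get(label, 0) + 1
    return counts
```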
New data security threats
Emerging threats do come from the fact the world is a bigger, more-tech place. Those threats from things like botnets that once might have been a silly academic exercise have become a real issue. That is much more of an information-based threat; it is a far more sophisticated attack and because they can exploit data for profit it's worth their while. The other issue is on the topic of insider attack: in an interconnected world everybody is an insider. So everybody potentially has the ability to abuse their privilege.
So it comes back to taking an information-centred approach to security, being able to view that content and being able to analyse content and look at behaviour.
This behaviour-based approach is the other important aspect. What we call adaptive authentication for example is used extensively today in banking and widely deployed for lots of customers. That's all about behaviour, rather than just locking in with user ID and password - which are terrible for checking identity. Adaptive authentication is the idea of watching your transactions for suspicious behaviour. So if you are doing online banking and you are at home on your bank account and then five minutes later there's a transaction on the other side of the world with you requesting a wire transfer, that's suspicious behaviour.
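The behaviour check Hartman gives as his example of adaptive authentication, written out as an added example (not RSA's product code): consecutive events for the same account are compared, and a transaction is flagged when the distance from the previous event could not plausibly have been travelled in the elapsed time. The speed threshold, the account events and their coordinates are constructed assumptions.

```python
"""Adaptive-authentication style check over account events (added example).

Flags an event when the distance from the same user's previous event
implies faster-than-plausible travel. Sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0      # assumption: faster than an airliner is implausible
MIN_GAP = timedelta(minutes=1)  # avoid dividing by ~zero for near-simultaneous events

@dataclass(frozen=True)
class Event:
    user: str
    when: datetime
    lat: float
    lon: float
    action: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def flag_implausible_travel(events):
    """Return events whose implied travel speed from the previous event is too high."""
    flagged, last_seen = [], {}
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            gap = max(ev.when - prev.when, MIN_GAP)
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if km / (gap.total_seconds() / 3600) > MAX_PLAUSIBLE_KMH:
                flagged.append(ev)
        last_seen[ev.user] = ev
    return flagged

# Constructed sample: alice checks her balance from London, then a wire
# transfer is requested five minutes later from Sydney; bob travels
# London -> Bristol over two hours, which is plausible.
T0 = datetime(2008, 2, 15, 16, 0)
SAMPLE_EVENTS = [
    Event("alice", T0, 51.5074, -0.1278, "view_balance"),
    Event("alice", T0 + timedelta(minutes=5), -33.8688, 151.2093, "wire_transfer"),
    Event("bob", T0, 51.5074, -0.1278, "view_balance"),
    Event("bob", T0 + timedelta(hours=2), 51.4545, -2.5879, "pay_bill"),
]

if __name__ == "__main__":
    for ev in flag_implausible_travel(SAMPLE_EVENTS):
        print(f"suspicious: {ev.user} {ev.action} at {ev.when:%H:%M}")
```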