CIPS Connections
9/5/2003
9:31:28 AM
World's Foremost Security Technologist Speaks...
Interview with Stephen Ibaraki, I.S.P.
This week, Stephen Ibaraki, I.S.P., has an exclusive interview with Bruce Schneier, unquestionably the world’s foremost security
technologist and Founder and Chief Technical Officer for Counterpane Internet
Security, Inc., (http://www.counterpane.com).
Amongst his many accomplishments, on June 12, 2003, an independent panel of
judges awarded Bruce the Secure Computing Lifetime Achievement Award.
Previous winners have included Rivest, Shamir, and Adleman, the three
founders of RSA.
Due to his world-renowned expertise, Bruce, on June 25, 2003, testified
before the Hearing of Homeland Security Subcommittee.
Bruce’s free monthly e-mail newsletter, Crypto-Gram, is the most widely read
security newsletter, with more than 90,000 readers. It can be found at http://www.counterpane.com/crypto-gram.html.
Bruce’s first book, Applied Cryptography, is the seminal work in its
field, has sold more than 200,000 copies, and has been translated into five
languages. Amongst his eight books, Secrets & Lies: Digital Security
in a Networked World is a best seller with more than 80,000 copies sold.
His latest book, published in September 2003, is Beyond Fear: Thinking
Sensibly About Security in an Uncertain World. It tackles both the big
and small problems of security: home security, counterfeiting, terrorism,
etc.
Discussion:
Bruce, I have long heard of your work as an internationally-renowned security
expert. So, we are very privileged to have you with us doing this interview.
Thank you!
Q: Your work with encryption algorithms is well known. Can you tell us more
about your work in this area and where you see your work heading in the
future in this area?
A: These days most of my work is more in how systems of security work, most
notably systems that involve people. But I still do mathematical cryptography
once in a while. My most recent algorithm is called Helix, and is an attempt
to design a single algorithm that does both encryption and authentication. I
guess this involves people, too, because I am trying to use mathematics to
solve a common problem in security programming.
Q: What have you discovered in your work on how systems of security work?
A: It’s far less important to understand how a security system works than to
understand how it fails. Security failures are important both because
attackers use those failures to attack systems, and because failures prevent
legitimate users from using the same systems. Much of my latest book is
devoted to discussing system failures.
Q: What is Counterpane?
A: Counterpane Internet Security, Inc. does Managed Security Monitoring. The
basic idea is that on your network are all sorts of devices: security and
non-security. All of these devices produce audit logs, millions of lines of audit
logs a day. These logs need to be looked at, because hidden amongst those
millions of lines are footprints of attackers. (If you’ve ever had a
forensics team come into your company after an attack, you know this is true.
What the team does is go through the audit logs and figure out how the
attackers broke in, where they went, what they accessed, etc.) By examining
the logs, you can figure out what an attacker did. The idea behind
Counterpane is that if you can read the logs in real time, you can figure out
what the attacker is doing. That’s what we do. We collect a network’s logs:
firewall logs, IDS logs, etc. We analyze them in real time. And we catch
network intruders before they can do damage.
Q: What are your future plans for Counterpane?
A: Counterpane is continuing to evolve; currently we’re developing several
new services that tie into our core monitoring service. We’ve developed a
vulnerability scanning service, which not only benefits the customer; it also
gives us additional information about the customer’s network allowing us to
monitor them better. We’ve developed a device management service, which also
works in concert with monitoring. And we’ve developed something called Active
Response, where Counterpane takes defensive actions on behalf of the customer
in the event of a security incident. We plan on rolling all of these services
out in the coming months.
Q: Where do you see the area of security heading in two years, and five
years?
A: On bad days, I see security heading down the path of ineffective and
counterproductive measures that make people feel better without actually
increasing their security. Things like photo-ID requirements on airplanes
don’t make us more secure against terrorism, while at the same time they make
us more vulnerable to invasions of privacy. On good days, I see a more
systemic approach to security. I see systems that are designed properly,
based on actual threats and taking into account actual trade-offs. Positive
bag matching on airplanes is a good example of this.
Q: What are the biggest traps or pitfalls or common mistakes with regards to
security?
A: The most common mistake is misunderstanding the security system: how it
works, how it fails, and what level of security it provides. Many people
actually believe that photo-ID checks on airplanes help combat terrorism,
despite the ease of obtaining a photo ID, despite the fact that the false
alarms have greatly inconvenienced many, and despite the fact that all the
9/11 terrorists had photo IDs. On the IT side, many people believe that
because they have a firewall they’re safe. As long as people don’t understand
the details of security systems, they’re going to be unable to make sensible
security trade-offs.
Q: What are the most common methods of attack and what are the best security
measures or countermeasures against these attacks? Can you provide a basic
outline for a systematic approach to security?
A: Throughout history, the most common method of attack is to go after the
people. Even in this age of computers and networks, attacks that target the
users are likely to be the most effective. And sadly, there are often no
countermeasures except education and understanding…something very difficult
as systems get more technological.
Q: Based upon your years of experience working at the highest levels, what
advice would you give to IT professionals on security issues?
A: Don’t panic.
Q: What top tips can you provide to others that helped you in your path to
success?
A: Be true to the truth. It’s easy to be sidetracked by rhetoric, but in the
end the truth wins out.
Q: Businesses are seeing many technologies in their strategic paths. What
advice, regarding security, would you give to businesses as they plan their own
evolution in the future? Do you have specific technologies and processes they
should watch out for and implement?
A: Security is a trade-off. You can have as much security as you want, as
long as you’re willing to make the trade-offs necessary to get it. This means
that too much security is just as bad as too little. If, for example, you
have no security, you lose too much money to attackers. If you have perfect
security, it costs too much money. In the middle there’s a sweet spot:
adequate security for a reasonable cost. And the security manager can’t find
this sweet spot because he doesn’t see the big picture. He might advise you
to strip search all customers coming into your store because it will improve
security, but he’s not going to see that if you do that you won’t have any
more customers. Most security decisions have nothing to do with security;
they’re business decisions. I spend a lot of pages of my latest book on this,
because it’s really important.
Q: Why did you get into writing books? Can you discuss the main themes with
each one including any tips you can provide? What books are you planning for
the future?
A: I write books because I feel that I have something to say, and I believe
that I can say it in a way that can be understood. I’ve written about eight
books, but only three of them are ones I consider to be major works. These
three books mirror my career, starting with something very specific at the
core of security and slowly moving outwards. Applied Cryptography is a book
about cryptography: mathematical data security. Secrets and Lies is more general; it’s a book about computer and network
security. Beyond Fear is more general still; it’s a book about the totality
of security.
Right now I have no book plans for the future. I don’t know how I can
generalize from here. But if I know myself, I’ll have an idea in a couple of
years.
Thank you, Bruce, for sharing with us your vast experience, wisdom and
knowledge. It has been a real pleasure discussing security with you.