1999: the year of computer security—maybe

What was hot in 1998? Security products. What will be hot in 1999? Security policies.


Spending on network security worldwide this year will likely jump 53 percent from last
year to $1.85 billion, according to DataQuest Inc. of San Jose, Calif. It is expected to
grow to $2.98 billion next year and reach $5.18 billion by 2000.


Unfortunately, many managers have not progressed beyond the product-buying stage. In a
survey this year of 1,600 information technology professionals by PricewaterhouseCoopers
LLP, 73 percent reported security breaches during the past year, but fewer than one in
five had a comprehensive security policy.


“Senior management has not said, ‘Let’s face up,’ ” said Alan
Paller, director of research for the Sans Institute Inc. in Bethesda, Md. “They say,
‘Let’s buy tools.’ ”


No single product or technology will ensure security, said Peter H. Goldman, federal
sales manager for Secure Computing Corp. of Roseville, Minn. Products require policies to
be effective, he said.


But indications are that the products-rather-than-policy attitude is shifting. Secure
Computing’s professional services division has more work than it can handle, Goldman
said. Growth in security services is limited only by the availability of qualified
professionals, he said.


The need for new and improved security products is here to stay. New forms of attack
drive the development of new products, said Ray Suarez, product marketing manager for
Axent Technologies Inc. of Rockville, Md., maker of the Raptor Firewall.


For instance, “in the last few years, there has been a real push for audio and
video support,” Suarez said.


And the newest release of Raptor guards against recently publicized vulnerabilities in
Microsoft Outlook 98 and Outlook Express 4.x e-mail.


The increasing use of virtual private networks that allow remote network connections
over the Internet and replace modem banks also is increasing the demand for perimeter
defenses such as firewalls, Suarez said.


“We are confident that our products are secure,” he said. “But
unfortunately, technology can’t solve all your problems.”


Properly configuring hardware and software, and implementing and enforcing security
policies are essential to making even the best products work, Suarez said.


But many agencies have been unwilling or unable to undertake the labor-intensive and
sometimes costly step of setting up and enforcing security policies, Suarez said.


“They’re not going to do anything until the risk becomes great enough,”
he said.


For some, the risk increased with Solar Sunrise, the Defense Department’s code
name for February’s well-publicized intrusion into the Pentagon’s computer systems
by a trio of teen-age hackers. In testimony before the Senate Governmental Affairs
Committee in June, Lt. Gen. Kenneth Minihan, director of the National Security Agency,
called Solar Sunrise a classic example of an unstructured hack.


“The attackers used tools and techniques readily available on Internet hacker
bulletin boards,” Minihan said. “Although these attacks were moderately
disruptive, the good news is that the vulnerabilities exploited are relatively easily
fixed.”


But no one had bothered to fix them before the attacks.


Minihan warned that the country is engaged in an information-age conflict that requires
an active defense of critical information infrastructures. “Such a defense requires
that we have the best possible intelligence on the capabilities and intentions of
potential attackers,” he said.


Much of that intelligence has been freely available for years. Secure Computing
sponsors a road show in which hackers-turned-security-experts address federal audiences.
The recurring observation is that the old attacks, such as those used in Solar Sunrise,
still work because agencies are not closing the back-door system gaps and loopholes that
those attacks depend on.

About the Author

William Jackson is a Maryland-based freelance writer.
