1999: the year of computer security—maybe
- By William Jackson
- Dec 14, 1998
What was hot in 1998? Security products. What will be hot in 1999? Security policies.
Spending on network security worldwide this year will likely jump 53 percent from last
year to $1.85 billion, according to DataQuest Inc. of San Jose, Calif. It is expected to
grow to $2.98 billion next year and reach $5.18 billion by 2000.
Unfortunately, many managers have not progressed beyond the product-buying stage. In a
survey this year of 1,600 information technology professionals by PricewaterhouseCoopers
LLP, 73 percent reported security breaches during the past year, but fewer than one in
five had a comprehensive security policy.
"Senior management has not said, 'Let's face up,'" said Alan
Paller, director of research for the Sans Institute Inc. in Bethesda, Md. "They say,
'Let's buy tools.'"
No single product or technology will ensure security, said Peter H. Goldman, federal
sales manager for Secure Computing Corp. of Roseville, Minn. Products require policies to
be effective, he said.
But indications are that the products-rather-than-policy attitude is shifting. Secure
Computing's professional services division has more work than it can handle, Goldman
said. Growth in security services is limited only by the availability of qualified
professionals, he said.
The need for new and improved security products is here to stay. New forms of attack
drive the development of new products, said Ray Suarez, product marketing manager for
Axent Technologies Inc. of Rockville, Md., maker of the Raptor Firewall.
"For instance, in the last few years, there has been a real push for audio and
video support," Suarez said.
And the newest release of Raptor guards against recently publicized vulnerabilities in
Microsoft Outlook 98 and Outlook Express 4.x e-mail.
The increasing use of virtual private networks that allow remote network connections
over the Internet and replace modem banks also is increasing the demand for perimeter
defenses such as firewalls, Suarez said.
"We are confident that our products are secure," he said. "But
unfortunately, technology can't solve all your problems."
Properly configuring hardware and software, and implementing and enforcing security
policies are essential to making even the best products work, Suarez said.
But many agencies have been unwilling or unable to undertake the labor-intensive and
sometimes costly step of setting up and enforcing security policies, Suarez said.
"They're not going to do anything until the risk becomes great enough,"
For some, the risk increased with Solar Sunrise, the Defense Department's code
name for February's well-publicized intrusion of the Pentagon's computer systems
by a trio of teen-age hackers. In testimony before the Senate Governmental Affairs
Committee in June, Lt. Gen. Kenneth Minihan, director of the National Security Agency,
called Solar Sunrise a classic example of an unstructured hack.
"The attackers used tools and techniques readily available on Internet hacker
bulletin boards," Minihan said. "Although these attacks were moderately
disruptive, the good news is that the vulnerabilities exploited are relatively easily
But no one had bothered to fix them before the attacks.
Minihan warned that the country is engaged in an information-age conflict that requires
an active defense of critical information infrastructures. "Such a defense requires
that we have the best possible intelligence on the capabilities and intentions of
potential attackers," he said.
Much of that intelligence has been freely available for years. Secure Computing
sponsors a road show in which hackers-turned-security-experts address federal audiences.
The recurring observation is that the old attacks, such as those used in Solar Sunrise,
still work because agencies are not closing the back-door systems gaps and loopholes they
William Jackson is a Maryland-based freelance writer.