Meet the Bloggers

Vaune Carr, Principal Consultant, BT Global Services

Rob Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services

Jill Knesek, Chief Security Officer, BT Global Services

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

Ben Rothke, Senior Security Consultant, BT Global Services

Pete Russo, Senior Marketing Manager, BT Global Services

Bruce Schneier, Chief Security Technology Officer, BT Global Services

Ray Stanton, Global Head of BT’s Business Continuity, Security & Governance Customer Capability Unit

Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services


Posts tagged Bruce Schneier

Tuesday, August 24, 2010

Schneier on Security – What Does Bruce Have to Say about Cyber Security?

By Tara Savage, Global Security Marketing Manager, BT

The threats posed to national and economic security from cyber space are a hot topic of conversation this year.  But how do you separate the hype from the issues that matter? 

This September, the University of Nebraska College of Law will address this and other issues relating to cyber space and outer space security during its annual conference in Washington, D.C. (September 9-10).

BT’s Chief Security Technology Officer and industry luminary, Bruce Schneier, will be leading the keynote conversation at this year’s conference.  Joining Bruce will be Stewart Baker, formerly Assistant Secretary of Policy for the Department of Homeland Security.

While this panel is scheduled for September 9th, you can catch up on some of Bruce’s thoughts on the psychology of security and its effect on risk at Schneier on Security.

Thursday, June 3, 2010

Has the Cyber War Threat been Exaggerated?

By Pete Russo, Senior Marketing Manager, BT Global Services

Almost every time you pick up a newspaper, you read how cybersecurity should be at the top of every company’s list of top concerns.

However, there are some who would say that this is up for debate. So, a debate is scheduled. Intelligence Squared U.S. (IQ2US) is presenting a debate entitled, “The Cyber War Threat Has Been Grossly Exaggerated,” on Tuesday, June 8, in Washington, D.C. 

On one side will be Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), and our very own Bruce Schneier, Chief Security Technology Officer, BT, and internationally renowned security author, who will debate in favor of the proposition.

On the other side of the debate will be Vice Admiral (ret.) Mike McConnell, former director of National Intelligence from 2007-2009, and Jonathan Zittrain, Professor of Law at Harvard Law School and co-founder of the Berkman Center for Internet & Society.

Sponsored by Neustar, the debate will be in formal Oxford debate style.  Neustar is sponsoring the event to help deepen understanding about cybersecurity needs.

If you want to see the debate live, visit the IQ2US website for tickets. If you can’t make it, look for an international broadcast on Bloomberg Television beginning on June 14 or listen for it on National Public Radio.  Newsweek, IQ2US’s print and online media partner, will also feature coverage of this special debate in its magazine and on www.newsweek.com.  Of course, we will also post content on SecureThinking following the event, so check back then.

Thursday, May 20, 2010

Key players in private cybersecurity

By Pete Russo, Senior Marketing Manager, BT Global Services

A recent article in the Washington Post included a list of key players in the federal cybersecurity community.  According to author Tom Temin, the mix of players includes experts from academia, the military and the technology and intelligence arenas.

His list includes:

  • Lt. Gen. Keith B. Alexander — director, National Security Agency, who is soon to be appointed as leader of the new Pentagon Cyber Command
  • Rand Beers — Homeland Security undersecretary for the National Protection and Programs Directorate 
  • James A. Lewis — director and senior fellow, Technology and Public Policy Program, Center for Strategic and International Studies 
  • Allan Paller — director of research at the SANS Institute, a local education and cyber certification nonprofit. Paller keeps track of all of the major online threats, including programming mistakes that make for insecure software 
  • Ronald Ross — senior computer scientist at the National Institute of Standards and Technology 
  • Howard Schmidt — White House cybersecurity coordinator 
  • John Streufert — deputy chief information officer and chief information security officer, State Department  

But what about the private sector?  If we had to list key players on the private side of the fence, we would start with (please forgive) Bruce Schneier, security expert and cryptographer.

Who would you include on this list?  Please drop us a comment and let us know.

Monday, May 10, 2010

Everything Old is New Again

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

In March 2008, Marcus Ranum and Bruce Schneier wrote a “Face-Off” piece for Information Security that debated whether ongoing consolidation of security products under increasingly large aggregate vendors was a bad thing (Marcus) or irrelevant (Bruce).

This April, Symantec announced two more additions to its portfolio – long-time encryption software provider PGP Corporation, and GuardianEdge, a provider of endpoint encryption tools for hard drives and other mobile devices.  We should reasonably assume that these capabilities will continue to be offered in stand-alone form for at least two to three years, but there are obvious synergies where, for example, PGP/Universal might be integrated into the MessageLabs mail gateway services, or GuardianEdge may become an add-on capability for the consumer market by way of Symantec’s AntiVirus platform.

Our focus, however, is on the enterprise market, and whether adding these capabilities to the overall Symantec portfolio is likely to be a good thing for the company (increased sales, better margin), the customer (more capability from an existing vendor, better inter-product interaction), or the industry (fresh opportunity in newly-vacated market segments). 

Presumably Symantec believes they can capture increased margin by having a lower overall cost of sale, better retention, and more growth potential, among other financial metrics.  By extension, they therefore believe that these sorts of products still have a useful lifespan ahead of them, which is slightly ironic given that PGP’s prior dalliance with McAfee (then Network Associates) ultimately led to PGP co-founders buying the assets back and re-launching as a privately-held firm. 

GuardianEdge doesn’t have quite the same “been there done that” history with large corporate owners, but their customers may have similar questions:  Will we still be able to buy the same product, with the same ability to influence the roadmap, at the same or better pricing?  Will PGP continue to support the Internet Engineering Task Force (IETF) and have an open-minded architecture, compatible with every major enterprise platform?

The reality is that, even if changes occur and certain customers become alienated as a result, new customers will come forward to take their place.  The focus, instead, should be at the industry level.  Consolidation, particularly in the security space, is often an indication that a solution has become mainstream, or worse, may be headed towards commoditization.  Security solutions require innovation and non-traditional analysis of business problems in order to find a good fit for a new tool or service.  Opportunity exists in areas where creative thinking isn’t held back by convention, or the status quo, or the need to satisfy corporate procurement agents.

That said, I hope the PGP brand survives.  Most of us in the security space have stories that somehow involve PGP — whether it was “exporting munitions” in the form of carrying copies of algorithms through airports, or first being asked to sign someone else’s public key whom we respected.  Undoubtedly, these weren’t the activities of corporate customers – they were too esoteric, too complicated, altogether too nerdy – but they were all part of creating a demand for encryption and privacy tools which are now, many years later, much more widely available, and sanitized for normal users’ protection. 

Assuming the actual quality of the implementations remains high (and that is a BIG assumption), that is probably the best we should reasonably anticipate for any particular security tool that becomes essential to our routines.  The challenge, really, is finding a new way to establish that essential quality, in response to the latest challenge and opportunity.

Tuesday, February 2, 2010

Ranum and Schneier Discuss Compliance and Social Network Security

By Pete Russo, Senior Marketing Manager, BT Global Services

By now we’re pretty familiar with the face-off debates between Marcus Ranum and Bruce Schneier, chief security technology officer, BT.  Usually they’re being asked about the BIG security questions, like the future of the security industry and whether it will exist in five or 10 years’ time.  But, at the Information Security Decisions Conference in October, they got into slightly more down-to-earth territory with discussions about whether compliance mandates enhance security or are simply part of the on-going theater — and whether social networks at work are a dangerous security mistake.

In keeping with his writings on the generation gap in thinking about security, Bruce is not as skeptical as you might think about the integration of secure social networking into business.   In his opinion, social networks in business are inevitable, just as security mistakes will be – so we need to take the plunge and get started on the learning curve. 

On compliance, Bruce is more skeptical about whether industry and government mandates are ushering in good security practices, but at least they are forcing companies to buy security products and services in order to meet requirements.   In other words, compliance is good for security, if only by accident. 

To view the entire Ranum-Schneier talk, click here.

Thursday, November 5, 2009

What’s the hype?

Pete Russo, Senior Marketing Manager, BT Global Services

So, what’s all the hype in the security industry? With the increased importance of securing our nation’s cyber infrastructure, BT’s Bruce Schneier was recently interviewed by Elinor Mills of CNET News to discuss the FUD and hype associated with the security industry. As always, Schneier’s opinions and critical eye are a no-nonsense reality check for the industry.

The SecureThinking group wanted to take this opportunity to point out three critical questions Mills asked regarding vulnerability, smart grid and the importance of cybersecurity as a national priority and the interesting thoughts provided by Schneier during the interview:

  • Mills: Does it seem to you like our critical infrastructure, government, and corporate networks are just as vulnerable to attack as they were 15 or 20 years ago? Are we making any progress in that area?
    Schneier: If anything, they’re more vulnerable because there’s more of it and it’s more critical. We’re making some progress against specific attack tactics, but I don’t think we’re making any real progress overall against the broad threats. Cybercrime is still getting worse.
  • Mills: Do you think the smart grid will be secure or just offer more ways for attackers to disrupt things?
    Schneier: “Secure” isn’t an absolute; there’s just more secure and less secure. I think the smart grid will be more secure than some of the older systems it will replace, but less secure than others. It will defend against some attacks, and some accidents, and it will certainly offer attackers additional ways to disrupt things. This doesn’t mean it isn’t a good idea, mind you. Security considerations are just one of the things that should influence the decision to implement a smart grid.
  • Mills: How much of a priority should cybersecurity be, if at all?
    Schneier: It should be a major priority. More and more of society – government, corporate, and personal – is in cyberspace. Cyberspace is now where you go if you want to steal money, engage in espionage, or disrupt corporate and government operations. The real world is still more important, but cyberspace is increasingly important.

We’d love to hear your thoughts on Schneier’s comments. How vulnerable is this country to a major cyber attack? Is smart grid a good idea? And, what are the security and other considerations that should influence the decision to implement a smart grid?


Tuesday, November 3, 2009

Prevention, Detection, Response: Solera Network Survey Reminds Security Practitioners to Focus on the Whole Attack Cycle

Tom Le, Director of R&D, Managed Security Solutions Group, BT Global Services

Solera Networks and Trusted Strategies recently released a survey which concluded that more than 85% of large enterprises (having 1000 or more network nodes) have had a major incident in the past 36 months or expect to have one in the next 36 months (http://www.soleranetworks.com/news/survey-despite-expected-attacks-most-networks-are-unprepared-for-quick-response/).  The survey also found that more than 40% of large enterprises believe it will take 2 to 10, or more, days to determine the full scope of an incident.

At first glance the report paints a familiar theme of organizations needing “more security,” however, the hidden lesson from the survey is that security should be treated as a process, and not a product.  “The trick is to reduce your risk of exposure regardless of the products or patches,” Bruce Schneier wrote in 2000.  The fact that more than 85% of large enterprises have had or expect to have a major incident in a 6-year period should not be surprising, just as it should not be surprising that a retailer will have a major theft incident, or that you may be involved in a major car accident in a 6-year (or any other arbitrary) period.  The reality is bad things have some probability of happening and the goal of “good security” remains to mitigate that risk.

While the survey does not include details of what technologies or services the respondents use, it does find that “few organizations are capturing and recording enough data to be useful during an investigation.”  While the focus of the survey is the need for adding network forensics to help an organization respond to an incident, we could certainly broaden the scope of the conclusions to suggest that most companies may be focusing too much attention on prevention, not enough on response, and even less on detection.  Detection is the key component that connects prevention and response, as detailed in Bruce Schneier’s Secrets and Lies: Digital Security in a Networked World.

Detection, or threat monitoring, has many different flavors but at its core it requires that organizations monitor all of their logs, including Windows and Unix hosts, logs from firewalls, routers, and switches, application and database logs, and deploy intrusion detection systems to look for attacks on the network.  In addition, organizations need the ability to analyze and correlate all of this event data and provide actionable alerts to IT security staff.
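One way to make the correlation step concrete, as an added example that is not part of the original post and not BT code: it normalizes constructed firewall and Unix sshd records into one event schema, then raises an alert only when repeated failures from one source are followed by a success, attaching every related event (the firewall’s ACCEPTs included) so the responder can scope the incident from the alert itself. The log formats, field names and the failure threshold are assumptions.

```python
"""Correlate constructed firewall and Unix sshd records into one actionable alert.
Added example for this post, not BT code; formats and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in two assumed formats.
FIREWALL_LOGS = [
    "2009-11-02T10:00:01 fw1 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2009-11-02T10:00:09 fw1 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2009-11-02T10:02:30 fw1 ACCEPT src=198.51.100.9 dst=10.0.0.8 dport=443",
]
SSHD_LOGS = [
    "2009-11-02T10:00:01 host5 sshd[812]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "2009-11-02T10:00:03 host5 sshd[813]: Failed password for root from 203.0.113.7 port 40002 ssh2",
    "2009-11-02T10:00:05 host5 sshd[814]: Failed password for root from 203.0.113.7 port 40003 ssh2",
    "2009-11-02T10:00:09 host5 sshd[815]: Accepted password for root from 203.0.113.7 port 40004 ssh2",
    "2009-11-02T10:01:00 host8 sshd[900]: Failed password for alice from 198.51.100.9 port 51000 ssh2",
]

FW_RE = re.compile(r"^(\S+) (\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")

def normalize(fw_lines, ssh_lines):
    """Map both log formats onto one schema so events from different devices line up."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            ts, _dev, action, src, dst, _port = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": "firewall",
                           "src_ip": src, "target": dst, "outcome": action, "raw": line})
    for line in ssh_lines:
        m = SSH_RE.match(line)
        if m:
            ts, host, result, _user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": "sshd",
                           "src_ip": src, "target": host, "outcome": result, "raw": line})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert when one source IP logs min_failures sshd failures inside `window` and then
    succeeds; attach all of that IP's events in the window (firewall ACCEPTs included)."""
    alerts, failures, by_ip = [], defaultdict(list), defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    for e in events:
        if e["source"] != "sshd":
            continue
        ip = e["src_ip"]
        if e["outcome"] == "Failed":
            failures[ip].append(e["ts"])
            continue
        recent = [t for t in failures[ip] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"src_ip": ip, "target": e["target"], "failures": len(recent),
                           "evidence": [x["raw"] for x in by_ip[ip] if e["ts"] - x["ts"] <= window]})
    return alerts

if __name__ == "__main__":
    for a in correlate(normalize(FIREWALL_LOGS, SSHD_LOGS)):
        print(f"ALERT {a['src_ip']} -> {a['target']}: {a['failures']} failures then success")
        for line in a["evidence"]:
            print("   ", line)
```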

What is unique about detection vs. prevention and response is that of all three components, detection is the most easily outsourced to a service provider such as BT.  Most organizations can enable effective, global, 100% passive threat monitoring within a matter of days utilizing BT’s Managed Security Solutions.  If we accept the reality that security incidents will happen as a matter of course, then we should focus on security processes to manage risk.  The Solera Networks survey is a great reminder that many organizations focus too much on prevention and are still thinking of security as a product.


Friday, September 11, 2009

Five Questions About Security

Bruce Schneier, CSTO, BT Global Services

Over the last couple of years I’ve been exploring the idea that security is both a feeling and a reality and that by failing to account for the psychology of security, we’re missing a crucial aspect.

The reality of security is founded in mathematics based on the probability of different risks and the effectiveness of different countermeasures.   But security is also a feeling, based not on probabilities but on your psychological reactions to both risks and countermeasures.   For example, you might feel safer when removing your shoes at airport security gates, or you might not.  More generally, though, you can be secure even though you don’t feel secure. And you can feel secure even though you’re not.

Security problems are, by definition, inherently complex.  The best way to solve complex security problems is to break them into smaller and simpler steps. In Beyond Fear [Copernicus Books, 2003], I outlined five key questions that put all security choices – made by governments, companies or individuals – into context, showing the trade-offs that are required and their consequences.

A Five-Step Approach

We can go part of the way to demystifying security by breaking it down into smaller and simpler steps. Each of the five steps contains a key question that helps you focus on your particular security choices, whether they involve the purchase of new security software or a company-wide implementation of specific countermeasures. The five questions help you determine which kinds of security make sense and which don’t.

1. What are you trying to protect?
This question might seem basic, but a surprising number of people never ask it. Answering the question effectively means understanding the scope of the problem. For example, securing an airplane, an airport, commercial aviation, the transportation system, and a nation against terrorism are all different security problems requiring different solutions.

2. What are the risks to those assets?
Answering this question involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it and why.

3. How well does the security solution mitigate those risks?
This is another seemingly obvious question, but one, I believe, that is routinely ignored. If the security solution doesn’t solve the problem, it’s no good. This is not as simple as looking at the security solution and seeing how well it works. It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.

4. What other risks does the security solution cause?
This question addresses what might be called the problem of unintended consequences. Security solutions have ripple effects, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.

5. What costs and trade-offs does the security solution impose?
Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.

If you apply these five questions to some of today’s critical security challenges, you end up with some surprising and often counterintuitive conclusions.  Contrary to popular belief, security is not mysterious, nor even difficult. What is difficult is separating the hype from what really matters.
