Issue #44

Last Update March 2, 2006

Technology

InfoSec2003
by Sten Grynir

The Information Security Conference held in December at the Javits Center in New York highlighted the computer industry’s response to a wide variety of threats against private, corporate and internet data. The workshops, conference sessions and exhibitors made clear the industry's priorities: to secure corporate networks from outside intrusion; to secure email; to protect against viruses at the server and desktop levels; and to improve security for wireless networks.

Managing an extended corporate network is a difficult task. Every server and desktop machine is a potential security hole that could admit hackers and viruses. With hundreds of servers and thousands of desktops in even a modest corporate network, the task of security administration is almost overwhelming. Firewalls must be maintained to a common standard, operating system and application security patches must be applied on a timely basis, and unauthorized software installation must be prevented. Performing these tasks on a machine-by-machine basis is all but impossible. Many of the vendors exhibiting at InfoSec2003 showed remote system management tools that allow the updating and installation of security features on a mass basis from a central source.

Hardening corporate email facilities involves several considerations: preventing email-borne viruses from infecting the system; suppressing spam; and, most important, shielding internal email from outside eyes. A large number of exhibit vendors provided products that supported these considerations. These email concerns are similar to the concerns generated when using the internet to tie together geographically dispersed portions of internal networks, and vendors also offered VPN (Virtual Private Network) solutions. VPNs work by establishing an encrypted connection between two parts of an internal network, with the encrypted traffic flowing securely over public internet paths. VPNs are also necessary if corporate users are to be allowed to connect to the corporate network from home or when on the road. In this case, the home computer or laptop contains software to connect securely and encrypt all data (including logon IDs and passwords) traveling between the user and the corporate network.

Conference sessions and workshops followed several tracks. Dealing with hackers, establishing security Best Practices, enhancing web security, and understanding the cyber-terrorist threat were all discussed. In addition, keynote and General Session speakers for each conference day brought their personal views and experience to conference attendees. Particularly outstanding was a talk given by Marcus Ranum, a cyber-security expert with both private industry and government experience. In the talk, entitled “The Myth of Homeland Security”, Ranum exposed the boondoggle that the Department of Homeland Security has become, accusing it of providing the semblance of protection rather than being effective at enhancing real security. Acknowledging that defending the country, its citizens and its infrastructure from terrorists is a dauntingly difficult task, he nevertheless showed, with detailed examples, that the goals, organization and activities of the Department failed every rational test of effectiveness and sound management. During the question period that followed, session attendees from government and the private sector not only voiced agreement, but provided examples of their own supporting his points.

InfoSec2003 provided an effective overview of what has become a critically important function in American economic (and social) life – the protection of our data and communications from internal and external tampering. It is notable, however, that little or no attention was paid at this conference to protecting our private information from government snooping.

New York Stringer is published by NYStringer.com. For all communications, contact David Katz, Editor and Publisher, at david@nystringer.com

All content copyright 2005 by nystringer.com
