The Sad And Increasingly Deplorable State Of Internet Security
by David Piscitello and Stephen Kent
Posted 5/16/2003; Published 2/2003
At a time when we claim to be more focused on security than ever before, when the media routinely conjures images of forensic experts pursuing cyber-criminals in a dazzling game of network cat-and-mouse, and when we are readying the global IP infrastructure to carry all things voice, video and data, the title of this article no doubt constitutes a disturbing claim. But the sad reality is that overall, Internet security really is in horrible shape, arguably worse than ever before.
Internet security is, well, lame, and the situation may get worse before it gets better, if indeed improving security is even achievable.
Today, the vast majority of the security problems that plague us arise from three sources: insecure architectures, poor software engineering and sloppy management by users and systems administrators. Only by analyzing and committing ourselves to mitigate these root causes will we ever improve Internet security.
It is conceivable that Internet security will improve, but there are many obstacles to overcome, and both users and vendors must “get religion” before substantial progress is likely. Vendors must focus more on reliable, secure designs and implementations, and less on time to market.
Vendors and users alike would benefit from a “feature moratorium.” Instead of adding still more features to products that are already feature-heavy, invest a commensurate effort to make software more secure and reliable. We speculate that software engineering would actually improve and, ultimately, better products would be implemented in reasonable time frames at reasonable costs.
Users and system and network administrators must become more disciplined, better able to account for the hardware, software and associated configuration data that characterize computing environments. Archival practices must be improved; in particular, administrators and users alike must learn to appreciate the importance of saving working configuration data along with their other mission-critical information. ISPs must do a better job of configuration management for their components, and must offer attack tracing and traffic filtering capabilities to assist subscribers in response to distributed denial-of-service (DDoS) and other attacks where subscriber resources cannot suffice.
What could cause this to happen? One possibility is that insurance companies will begin to reward vendors and service providers who take significant steps to reduce the vulnerabilities of their products and services, and that the legal system will begin to impose liability on those who create these problems by their negligence in product design.
About the authors:
David Piscitello is president of Core Competence, Inc., and is an internationally recognized expert in security technology and founder of the Internet Security Conference. Dr. Stephen Kent is chief scientist, Internet Security at BBN Technologies, and has been involved with network security R&D for more than 20 years.
This article is reproduced by special arrangement with our partner, Business Communications Review.