Friday, March 2, 2012

The Tiger & The Elephant - The 21st Century Posture for Information Assurance

In Complete Darkness - The Genesis of a New Vision:
In just one night, 50 million people sitting in the dark dramatically changed the future of computer security for the 21st century. On August 14, 2003 America witnessed the largest power outage in its history. In less than two minutes, cities from New York to Cleveland, Detroit to Toronto had been disconnected from their electrical grids and plunged into sudden blackness.
After four months of sifting through factual and anecdotal evidence, findings would show that improperly pruned trees and bugs in alarm software were ultimately responsible for the power surge that took 100 power plants offline. A previously unknown software bug in a power plant alarm system made itself known, taking the power grids offline, forcing countless businesses to close and dramatically impacting the productivity of a large area of the United States and Canada.
To the information security industry, the most notable result of this accident had nothing to do with the 50 million people directly affected by the outage or the wide swath of the country immobilized by this event, but rather with what the rest of the nation did as they watched. Commerce in California and Colorado continued to function while people in Boston worked and shopped, one eye on the news, but barely affected. The rest of the country's power supply grids held and remained completely unaffected by the massive blackout.
A Dramatic Epiphany for Change:
An epiphany of profound import resulted as the rest of the country went about its business, an epiphany that dramatically changed how corporations and the nation secure their computing infrastructures. The ability of the rest of the country to carry on despite the loss of several key hubs caused some in the security industry to take notice and action.
What happened that day laid the foundation for what is the perfect security solution: one that ensures that the compromise of a single system will not take down the entire computing network of which it is a part. A robust approach that eliminates the spread of any viral intrusion between systems and preemptively defends against both known and as-yet-unknown forms of intrusion in the presence of escalating attacks.
The Tipping Point:
For computer users, 2003 would turn out to be a very bad year and the precursor to an even more ominous 2004. In 2003 the Blaster and SoBig viruses hit the Internet causing millions of systems to become infected only to be followed by the introduction of the Sasser virus in the spring of 2004. Clearly the war on computer viruses was being lost. The capabilities and abilities of hackers' intrusion efforts were outpacing existing security technology and businesses were the sacrificial lambs.
Since the dramatic increase in malicious attacks began in 2003, the security industry has fought to redefine itself and regain an edge. Every day corporations live with the fact that the scales are "severely tipped" in favor of an information security event that could significantly impede day-to-day operations. Such an event could negatively impact corporate revenues, generate customer-eroding press coverage, contaminate precious compliance standing, and eat into profits at record rates. Security personnel live with the knowledge that they will never work in an environment where software is free of flaws, where employees comply with their security training and mandates, and where hackers can't buy the same software their businesses rely on.
Technology has created this environment of insecurity through the very benefits it sought to provide. The resulting chaos of this viral epidemic has forced corporations and government agencies to demand new solutions to combat an invisible enemy with very good technology skills, excellent intelligence, and far too much time on their hands. These attackers, hackers and "script kiddies" attack a corporation's perimeters, infrastructures and employees with nothing more than "paparazzi and profit" on their minds. The trick is how to break them of this "habit" and effectively take away their edge. The solution, much like the power outage of 2003, lies in examining the whole, not the parts.
Much has been written about the motivation behind hackers, but to be honest, does it really matter? Universally they are persona non grata no matter what intent they have or attack vector they use. What all companies want is for the problem to go away.
The Elephant and the Tiger: The New Security Stance
On extremely rare occasions, there have been documented cases where a starving tiger will attack an elephant. If desperate enough, the tiger will leap on the back of the elephant only to be shaken off time after time with little or no effect on the elephant. After a few attempts the tiger, now exhausted and sensing futility, will leave the elephant alone and seek easier prey. It is this same sense of absolute futility that must be created in order to deter electronic attackers.
Like the elephant, our corporations typically take a defensive posture to protect their infrastructures. This stance gives the more agile, technically savvy and offensively minded attackers (the tigers) an upper hand but only if allowed. In order to break the nefarious habits of cyber attackers and reverse the escalating tide of viral threats, new approaches must be put into place that do not rely on prior knowledge (rules or heuristics) or sacrificial reactions (inoculations and patches) to prevent these attacks. Solutions are needed that are designed to preemptively undermine and directly inhibit the attacker's techniques.
If attackers, regardless of their methods, see little or no effect resulting from their best efforts, "the tiger" will gradually grow tired of attacking "the elephant" and move on to other prey. Over time, the great effort and expense associated with achieving such minimal results will leave the attackers unmotivated and ultimately broken of their habit while corporations continue to deliver the goods and services that fuel their success. It is this basic premise that sets the foundation for the future of information security, a future based upon the principles of continuity and survivability.
Effective security solutions must move away from attempting to stop intrusion by guessing what the next attack vector will be and focus on creating environments (elephants) that will show no visible manifestations of intrusion regardless of some unforeseen or exposed weakness. If the tiger (hacker), with all of its stealth, cunning and speed cannot bring down its prey, the prey has won before the battle has even begun.
From Analogy to Reality:
Only recently are information assurance professionals starting to heed the lessons of 2003 and accept the reality of what the Internet has brought to our doorsteps. Armed with the knowledge that code will always be flawed, people will always be "socially engineered", and that hackers are consumers, computer scientists are starting to look at solutions that provide viral containment, delivering systemic continuity and control. Forward-thinking corporations are beginning to realize and accept that there are no 100% security solutions but that 95% can be nirvana if their computing infrastructures continue to perform through any kind of cyber-weather.
Both private corporations and public organizations are moving toward preemptive command and control solutions and away from reactionary approaches. These solutions not only reduce the threat of enterprise-wide disruption but support compliance efforts, licensing, and the governance of corporate resources. Armed with flexible technologies that concentrate on system cleanliness and data marshalling, companies are reclaiming their resources and becoming the elephants that tigers fear so much.
Ken Steinberg is the founder and CEO of Savant Protection. He brings a track record of over two decades in computing and high technology. As founder of the company in 2004, Steinberg has responsibility for its day-to-day operations, overall direction, as well as its technological and business strategies. Prior to Savant, he held senior positions with DEC, Hughes, Hitachi, Softbank and at the John Von Neumann Super Computing Center for the National Science Foundation.
A thought leader in the security/encryption field, Steinberg has addressed national tradeshows including Networld + Interop and HDI. He has also been a radio personality, columnist and contributing author to several regional newspapers and technology publications.
