E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Professional Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


INTERNET TOO COMPLEX TO SECURE, SAYS EXECUTIVE

Source: NetworkWorld Fusion News

Posted on July 14, 2001

      When he goes to Washington, D.C. next week to testify before the U.S. Congress on computer and Internet security, Bruce Schneier, the CTO of Counterpane Internet Security, would like to tell them that such efforts are currently done poorly and with the wrong goals.

      He will also tell Congress that "the Internet is too complex to secure," as he said in a speech on the last day of the Black Hat Briefings security conference here Thursday.

      "Often when I tell people that, they get very disturbed," he said. But nonetheless, "we're losing ground every year," because every new product is less secure; every new level of complexity or integration makes a product less secure, he said.

      Events seem to bear out his conclusions: despite there being more computer security companies and software than at any other time, viruses, worms, Web page defacements and other security incidents are seemingly happening more often than ever before.

      This is because security is approached with the wrong attitude, he said.

      "One of the reasons we do security so poorly on the Internet is because we think if computers are involved, it's magic," but it's not, Schneier said. Applying the same principles used in physical security to Internet security will be more effective, he said.

      "Firewalls will never prevent unauthorized network access. That's OK: We can't buy a device that will prevent murder (either)," he said.

      Current computer security practices are too focused on prevention, leading to ineffective measures, he said.

      "If you want to secure your house, you wouldn't get thicker walls."

      Rather, in the physical world, security is implemented to manage risks, not to try to eliminate them, he said. Grocery stores accept that some shoplifting will occur, but try to compensate for it by using security devices, employees and insurance, he said. Despite all this, they accept that shoplifting will never be eliminated. This is good business, however, because the alternatives would be unworkable, he said.

      Computer security must adopt the same stance, but hasn't yet, he said. "When (computer) security decisions are made, it's only more or less secure, it's not smarter or dumber (business)."

      Despite the industry's incorrect philosophical bent, Schneier sees hope on the horizon in the form of monitoring and response systems, insurance and law enforcement.

      Rather than focusing energies and budgets on prevention, computer security efforts ought to be spread across prevention, detection and response, he said. Though prevention is important, it is not foolproof, he said. Having the other two features will help manage and mitigate risks, he said.

      "Detection, response - if it works well enough - makes up for shoddy prevention," said Schneier, whose company, Counterpane, sells a security monitoring service.

      Additionally, Schneier sees more companies turning to the insurance industry for Internet or e-business insurance, a move that will drastically impact computer security.

      "I believe insurance will make a great difference in computer security," he said. "Since the turn of the century, the insurance industry has driven what sort of security you have."

      In this case, insurance companies will force their clients to make product purchase decisions based on security, which, in turn, will lead to more secure products. Schneier doesn't expect this development to happen for three to five years, however.

      Lastly, Schneier said that the continued prosecution of computer crime will create a deterrent effect which will reduce such crime.

      "If crime doesn't pay, then people are less likely to do it," he said.

      "The online world isn't any different than the offline world," and it ought to be secured the same way, he said. Perhaps Congress will take note.




CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.


ALERT
ARCHIVES
Final Entries
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999


LINK TO: Bennett Gold, Chartered Professional Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Against
Privacy Breaches.

Get WebTrust
Working For
Your Site.