New Readers

 Home News and World Report Buyers Guide Global Excellence Technology Case Studies Editorial Awards About Info Security
Critical mistakes still happening in IT security and the threats most enterprises are least prepared to subvert

CERIAS is the premier academic multidisciplinary research center in information security. The center’s 85 faculty have produced over 175 Ph.D. graduates in the field since its founding in 1998 – over 20% of the U.S. output in that time period.  Working with a variety of commercial and government partners, CERIAS researchers and educators focus on fundamental issues of privacy, cyber security and digital investigations.

Purdue University is one of the nation’s leading land-grant (public) universities, with over 65,000 students registered at campuses throughout the state (almost 40,000 at the main campus).  It is well known for its programs in engineering, agriculture, science, aviation, and management.

In the following interview, Eugene H. Spafford, Professor and Executive Director of the Center for Education and Research in Information  Assurance and Security (CERIAS), discusses 1:1 with Info Security PG, Editor-in-Chief of Info Security Products Guide, critical mistakes still happening in IT security and the threats most enterprises are least prepared to subvert.

Info Security PG: What security threats are most enterprises least prepared to subvert?

Eugene H. Spafford: Too many organizations are not well prepared for insider abuses.  Attacks may be totally the fault of insiders, they may simply be facilitated by insiders, or they may be the result of outsiders gaining access to an insider’s credentials.  In any of these cases, organizations often don’t have the controls in place to identify these problems early, and they don’t have the structures to properly contain the damage from the attacks.  We see repeated instances of theft of IP, subversion of processes, and even sabotage committed from insider accounts.

Info Security PG: What are some of the most common but critical mistakes still happening in IT security?

Eugene H. Spafford: There is too much attention focused on the perimeter, and keeping “things” from getting in.  However, there is no real perimeter anymore with portable systems, thumbdrives, networked cell phones, and the like, and thus the defensive posture is faulty.

Everything is put online and networked, and this is a mistake because it makes everything potentially accessible and vulnerable to attack.  Along with this, everything is put on common platforms to make it cheaper and simpler to manage – and often sharing the same vulnerabilities.

There is no overall plan for security based on risk and sensitivity.  Not everything needs to be protected the same way or at the same level of intensity; defenses should be focused where the need (and potential loss) are greatest.

Info Security PG: Why does the overall security landscape appear to be getting worse instead of better?

Eugene H. Spafford: There are many reasons, but I’ll list three.

First, we continue to deploy badly-designed and poorly protected systems, using add-ons and patches as an attempt to provide protection.  In large part this is dictated by the market, but that in turn has been driven by decisions to obtain and operate systems on the basis of acquisition cost or compatibility with legacy applications rather than based on quality and security.  These systems are growing more complex and widely deployed for critical purposes, and the poor design decisions are thus increasingly exposed.

Second, the number of people connected to the Internet is growing, and that growth is international in scope.  We are not seeing a corresponding growth in law enforcement personnel and tools to address cyber offenses.  Thus, there is little disincentive for any of these many users to keep them from behaving in unethical or criminal manners.

Third, many organizations are simply writing off the losses and building them into their cost of operations.  There are thus reduced (or no) incentives for them to change their behavior or employ better technologies.   The losses are also generally hidden from the larger community, and so there is no external pressure, either.

Taken together, we have a situation where the victims are unwilling to invest to improve their security, there is an increasing supply of emboldened attackers, and the direct costs of failure are spread over a larger population thus hiding their magnitude.  It is no surprise that the situation is not improving.

Purdue University
West Lafayette, IN U.S.A.

Founded in: 1869

Bookmark and Share