Global Sources
EE Times-Asia
Stay in touch with EE Times Asia
EE Times-Asia > Embedded

Net security: Urgent, but at what cost?

Posted: 16 Dec 2002 ?? ?Print Version ?Bookmark and Share

Keywords:network security? it security? information infrastructure? cyber attack? security protocol?

There is no doubt that concern about the security of the "information superhighway" has increased significantly after the terrorist attack in the United States. For example, while IT and security executives, as well as the general public do not agree as to the likelihood of a cyber-terror attack, they are more or less in agreement in the view that U.S. businesses are not prepared for such attacks.

According to Mario Correa, director of network security policy at the Business Software Alliance in New York, a recent survey by his organization found that 47 percent of IT professionals felt that the likelihood of such an attack on the information infrastructure would happen in the next twelve months, vs. 19 percent who did not think it was likely. Just as disturbing, 45 percent do not think U.S. businesses are prepared, vs. 18 percent who were confident in current security protocols.

The same survey showed that among the security specialists in the IT departments, more than 60 percent were expecting a serious attack on the information superstructure somewhere. Among the general public, only 25 percent thought a cyber-terror attack was likely but almost 40 percent did not feel all that confident we were prepared.

There are good reasons for this concern. According to John Carbone, vice president of marketing at Green Hills Software Inc., as far back as 1997, the National Security Agency conducted a simulated cyber attack demonstrating that in only four days they could have taken control of the major power grids in Chicago, Los Angeles, New York, and Washington.

And after the September 11 attack, investigations by the FBI and other agencies revealed that Al Qaeda had penetrated security on numerous systems in the U.S. in order to monitor and collect data from high-tech companies, utilities, and government offices. Carbone points out that the United States Energy Department has identified eight scenarios for successful supervisory control and data acquisition (SCADA) attacks on electrical power grids using tools readily available on the Internet.

Even without direct threats, there are still good reasons to be concerned about the security of the network computing infrastructure, said Madeleine Campbell, security technology manager, at the Information Technologies Division of BTG Inc. "Remember, the Internet was not designed to be a secure environment. Rather, it was a barebones non-secure set of protocols designed to operate within a secure environment," she said. "There is a big difference between the two."

Part of the problem is also the rapid growth--not just in the number of users - but the number of different types of users and in the number of Websites. How does a company or organization know with any exactness the extent of its network sprawl, the number of dead end streets, the unguarded intersections, and the unauthorized connections?

Legitimate activity

Another aspect to the Internet and Web growth that makes it difficult to manage security is determining exactly what a legitimate message or activity is or is not. "Coming up with a clear set of standards as to what is allowable and what is not won't work," said Taher Elgamal, chief technical officer at Securify Inc. "The needs of individuals and organizations connected to the Internet are so diverse that such a cookie cutter 'one size fits all' approach will not work. What is not allowable in one environment and indicative of a potential security problem may be perfectly OK in another context."

What is necessary, he said, is to find some method of efficiently analyzing the traffic, as well as quickly and accurately determining the potential problems, developing a set of policies and initiating them as quickly and as broadly as possible. "That means automating this whole process as much as possible, so that the solutions can be initiated as fast as the problems occur," he added.

- Bernard Cole

EE Times

Article Comments - Net security: Urgent, but at what co...
*? You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.

Back to Top