From: The SANS Institute (sanssans.org)
Date: Mon Jan 07 2002 - 11:20:49 CST

    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: January 7 Bonus SANS NewsBites

    ***********************************************************************

                          SANS NEWSBITES BONUS ISSUE

                   Important Trends Shaping Security In 2002

    Volume 4, Bonus Issue January 7, 2002

    ***********************************************************************

    What's happening to information security jobs? What are the new
    threats? What's coming in technology? In management?

    We asked members of the NewsBites' editorial board (Gene Schultz,
    Marcus Ranum, Bill Murray, Stephen Northcutt, and Roland Grefer),
    the FBI's National Infrastructure Protection Center (Bob Gerber and
    Jeff Tricoli), Bruce Schneier, and David Foote to help answer these
    questions by sharing their choice for the most important trends shaping
    security in the coming year. Not surprisingly, given the sources,
    these are authoritative, thoughtful assessments. Also in this issue
    you'll find a description of several upcoming SANS security education
    events that can help you take advantage of, or at least survive,
    forces changing the shape of information security.

                                          AP

    CONTENTS
    1. Bruce Schneier on liability
    2. David Foote on the changing job market for information security
       professionals
    3. FBI's National Infrastructure Protection Center (Bob Gerber and Jeff
       Tricoli) on the threat outlook
    4. Bill Murray on a range of changes including replacing penetration
       testing with continuous monitoring.
    5. Marcus Ranum on automated patching
    6. Roland Grefer on new applications of biometrics
    7. Gene Schultz on the death of PKI and changes in consulting
    8. Stephen Northcutt on accountability
    9. Northcutt on SANS security education programs
    10. Alan Paller on the 8 top trends this year in security

     --1. Bruce Schneier
    The top security trend of 2002 is liability. In 2001, a Federal
    judge forced the US Department of the Interior to sever its Internet
    connection, because it couldn't adequately protect private data. Other
    judges are issuing restraining orders against companies whose networks
    were the inadvertent launching pads for attacks. Microsoft sees
    this trend; their "responsible disclosure" rhetoric is an attempt
    to shift responsibility away from the companies that build insecure
    products. Through fairer contracts, insurance arrangements, and
    judicial action, accurate responsibilities for security problems will
    be apportioned. And many of the existing power balances in security
    will topple as a result.

    Bruce Schneier is the Chief Technology Officer of CounterPane
    Technologies. He designed the popular Blowfish encryption algorithm and
    his Twofish was a finalist for the new Federal Advanced Encryption
    Standard (AES). Schneier is the author of six books, including
    the security best seller, "Secrets & Lies: Digital Security in a
    Networked World."

     --2. David Foote
    Knowledge of the technical side of security has long dominated security
    job evaluation and defined compensation levels, but the following
    qualities will soon rival technology in influencing pay for security
    pros: being adept at corporate politics; possessing business skills
    and aptitudes; having good relationship management, communication,
    and collaborative team skills; project management experience; and
    being able to market, sell and negotiate outcomes.

    Workers holding security certifications averaged 8.3% of base
    salary for skills bonus pay they received in 3Q 2001, up from
    7% in the first quarter. Most responsible for this growth
    has been the SANS-GIAC family of security certifications. We
    anticipate more accelerated growth in security certification
    pay over the next two years, and predict that average premium
    bonus pay there will top the average for all certifications
    in the survey by the beginning of next year. (These trends are
    extracted from his November 28 article at the SearchSecurity site:
    http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci783646,00.html)

    David Foote is a former Gartner Group analyst and now leads the Foote
    Partners team that compiles and publishes the only continuous quarterly
    IT salary and hot technical skills survey research currently available
    in North America.

     --3. The FBI's National Infrastructure Protection Center -
          Outlook for 2002
    (i) Computer attacks will be more frequent and sophisticated, often
    exploiting several vulnerabilities at once. Malicious code will
    propagate autonomously, at increasing rates that could threaten
    entire networks.

    (ii) Attackers will increasingly target computer network components
    like routers and non-traditional protocols in order to compromise
    systems and disrupt service.

    (iii) There will be increased awareness of vulnerabilities and
    efforts to remedy them before they are exploited. The time between
    vulnerability awareness and first exploit, however, will continue to
    shrink in the near term.

    (iv) Wireless technology will become the new arena for old attacks
    and new exploits.

    The National Infrastructure Protection Center (at the FBI) has
    developed the most respected cyber threat monitoring, response,
    and mitigation capability in the world by combining in-house talent
    with a consortium of top security researchers at public and private
    organizations.

     --4. William Hugh Murray
    2001 to 2002: Security becomes proactive rather than reactive,
    restrictive rather than permissive, professional rather than
    para-professional, infrastructure and "defense in depth" rather than
    patching and fixing nodes, special purpose boxes rather than general
    purpose systems. Strong authentication based on PK certificates
    and tokens must replace passwords for privileged controls and
    business-to-business applications. It is time to scan all objects,
    in and out, at the perimeter and the desktop rather than only
    mail, only attachments, only in, and only at the firewall or the
    desktop. End-to-end encryption must replace reliance on media, link
    (e.g., WEP) encryption, and gateway-to-gateway (e.g., VPN). Automated
    routine vulnerability assessment must replace ad hoc penetration
    testing and rigorous and continuous traffic monitoring must replace
    ad hoc "intrusion" detection.

    William Hugh Murray is one of the most prolific writers and speakers
    in the information security field. During his twenty-five years with
    IBM, Bill headed the support team for RACF (IBM's mainframe security
    product) and wrote one of the most widely used security assessment
    checklists.

     --5. Marcus Ranum
    Big changes - few, but important and slow changes are happening. In
    2001 we saw the beginning of awareness on users' parts (and even
    security practitioners - finally!) that patches are not an effective
    way to deal with security flaws in software. There are too many
    administrators who are now simply giving up, when confronted with
    daily patch installs. Which means 2002 is the year we'll have the
    opportunity to do something about it. My guess is that we'll begin
    to see a flood of self-patching software. Instead of requiring users
    to intervene, the programs of the future will quickly install their
    own security patches and notify users "you're safe." Of course this
    won't be perfect but if you consider the number of sites that never
    install patches at all, or that have given up on patch installation,
    it's a step in a good direction.

    Marcus Ranum is the Chief Technology Officer of Network Flight
    Recorder. He developed the first commercial firewall and later, the
    Gauntlet firewall. He is also credited with inventing the concept of
    the proxy firewall, used today by most firewall vendors.

     --6. Roland Grefer
    Triggered by the events of and following September 11th, 2001, another
    push/surge for broader application of biometric identification has
    been started and will continue. This includes general face matching
    surveillance technology as deployed during the Super Bowl at Raymond
    James Stadium in Tampa last January, as well as iris and fingerprint
    scans, currently in use or under test at major U.S. airports. Emerging
    technology enhancements and combinations of several methods will
    reduce the vulnerability to replay attacks and minimize the risk
    of "false positives", while keeping the usability high through a
    reasonably small amount of "false negatives".

    Roland Grefer is a security consultant in Germany.

     --7. Eugene Schultz
    (i). 2002 will be the year in which the public key infrastructure
    movement will functionally die. Plagued by problems such as
    non-interoperability of products and failure to consider business
    drivers, the PKI movement was (unfortunately) doomed from the start.

    (ii). 2002 will be marked by major advances in intrusion detection.
    The intrusion detection community will continue to move away from
    the simple signature-based systems that are currently so prevalent.
    Rule- and profile-based intrusion detection will start to become
    more dominant. There will also be increased government funding for
    intrusion detection research.

    (iii). There will be continued, massive change in the security
    consulting industry. Many start-up companies will continue to go out
    of business, leaving the major consultancies in control of the services
    (e.g., managed services) that so many start-up companies originated.
    The result for clients will be increased cost, but also increased
    stability and reliability.

    Eugene Schultz is a Principal Engineer with Lawrence Berkeley
    National Laboratory and also teaches computer science courses at the
    UC Berkeley. He is the author of important books on Windows Security
    and Incident Handling and he founded the US Department of Energy's
    Computer Incident Advisory Capability (CIAC).

     --8. Stephen Northcutt
    In 2002 the IT community will reevaluate best practice. The downturn
    in the economy has already increased pressure from management to know
    why their investment in information security isn't yielding better
    results in the face of attacks like Code Red and Nimda. Employees with
    specific technical skills, e.g. ability to configure a firewall or
    router, or harden a UNIX or Windows IIS system will be in the best
    position in the coming year. As for technology, I expect to see a lot
    of attention focused on making the right choice of operating system
    for key servers and on how those servers are configured and maintained.

    Stephen Northcutt served as the Information Warfare Officer at the US
    Ballistic Missile Defense Organization, wrote the best selling book
    on Intrusion Detection, and directs the SANS Institute's education
    and skills certification programs.

     --9. Northcutt on Security Education at SANS

    I have been greatly impressed by the new breed of manager, the folks
    who really know their stuff at the technical level in the industry -
    both in large organizations and at consulting firms. They are becoming
    more and more common - a very encouraging sign. One such manager
    came up to me at Cyber Defense Initiative East in Washington, DC.
    He won his GIAC Intrusion Detection Certification as part of the very
    first intrusion detection certification class in 2001. He told me how
    impressed he was with the new six day, hands on, intrusion detection
    immersion curriculum. He said his employees were "getting it. They are
    coming back to work with the lights on. You can see it in their eyes".

    Sometimes it's difficult to be sure that educational material is
    both current and directly relevant, but by using in-the-trenches
    practitioners who are also great teachers, we've been surprisingly
    successful in staying true to the SANS promise that you will be able
    to put the material to work as soon as you get back to the office. In
    fact, one attendee just wrote us a note saying that, while attending
    his track, he didn't think the program was really going to be very
    applicable to his company, that is, until he stopped by work the
    night after the last class. He decided to connect the class intrusion
    detection machine to his network and immediately was shocked to see
    a hacker in the process of creating new directories on one of his
    systems. His exact response was, "Holy Smokes, Batman! I am a SANS
    convert." (His note and many hundreds of other written validations
    of the value of SANS programs are available to you if you need them
    to persuade either yourself or your managers that there is no other
    comparable training available in the industry. Every track at SANS,
    from the most basic to the most advance, follows the SANS promise:
    you'll be able to put it to work when you return to the office.)

    Although SANS education focuses on technical skills, a survey of
    attendees at the Washington and San Francisco SANS conferences in late
    2001 showed that more than 40 per cent of all attendees managed teams
    of at least four people. In other words, many managers are working
    to improve their technical skills.

    We realize of course that students are looking for different things
    in their training. Some want the most intense training environment
    possible, to learn as much in as short a period of time as possible.
    Others really enjoy the experience of the huge annual conferences
    with vendor exhibitions and any number of evening events. Others are
    seeking to learn, but also to relax a bit, perhaps needing a bit of
    a vacation from the office grind. We try to design conferences to
    meet each of these needs.

    In the next three months, we'll have three large training events,
    along with several smaller programs. To help you choose, here's a
    quick recap of the three larger programs.

    =========================
    SANS Aloha IV, January 28 - February 2 in Honolulu is a more laid
    back offering of four of our most popular tracks. Airfares and hotel
    rates for Hawaii have never been cheaper, for further information:
    http://www.sans.org/Aloha4.htm

    =====================================================
    SANS Computer Security Bootcamp 2002, February 9 - 14 in Monterey CA is
    the most intense learning environment that most security professionals
    will ever experience. Courses run during the day and special Bootcamp
    sessions run at night. If you are seeking advanced security education
    that gives you the tools, tips and techniques to get up to speed fast,
    then this is the ideal training opportunity for you. Most people who
    have attended SANS conferences in Monterey say it is the best place in
    the country to go to a conference - especially with the program running
    right next to Fisherman's Wharf. http://www.sans.org/Bootcamp.htm

    =============================================
    The Annual SANS Conference, April 1 - 7, 2002, in Orlando Florida is
    our most complete offering of courses and other educational activities.
    SANS2002 will feature eleven tracks including, for the first time,
    our completely rewritten and updated forensics track. The SANS annual
    conference is one of the few SANS programs where you can mix and match
    courses from multiple tracks. In addition, if you attend one of the
    tracks, you get a complete technical conference (featuring several
    of the highest rated speakers in the industry) focusing on the newest
    developments in security, *** at no cost ***. The technical conference
    sessions run in the mornings and evenings before and after the
    courses so you can attend both your training track and the technical
    conferences without spending extra days or extra dollars. And SANS
    largest vendor exhibit is also part of this giant program. Orlando in
    early April is a great way for the family to recover from a cold winter
    - and the plane fares are very economical as Disneyworld celebrates
    the Disney parks' 50th anniversary. http://www.sans.org/SANS2002.php

    We look forward to seeing you at one of our upcoming training events.
    They are all listed at http://www.sans.org.

     --10. Alan Paller's Top Security Trends for 2002

    Part of my job as SANS research director is to continuously poll
    the community to learn what new challenges they face and how they
    are meeting those challenges and to keep a running list of the most
    important new trends. Many of these trends were already described
    by other authors above. But repetition helps identify which might be
    most important.

    (A). Linux pulls ahead in operating system security and IBM's support
    gives it big-company acceptability for critical applications.
    Why? Because (1) the National Security Agency (NSA) released
    a security enhanced version of the Linux kernel into the open
    source community; (2) testers found the security enhancements
    protected them against being damaged by common attacks even
    if they did not patch their systems against those attacks, (3)
    the Linux development team (under Linus Torvalds) is engineering
    the enhancement capabilities into the kernel, and (4) IBM spent
    millions this year building the NSA enhancements into commercial
    code and has begun a major marketing campaign. More information:
    http://www-106.ibm.com/developerworks/security/library/s-selinux/?dwzone=security

    (B). Automated security patching affects millions of users.
    Why? Microsoft's XP operating system automatically fetches new security
    patches (trickling them down and announcing to the user when they have
    arrived). Other operating system vendors have the same capabilities
    under development because users no longer believe their claims that
    "automated patching is impossible for complex operating systems."
    Highly skilled security professionals will still choose to add patches
    manually, but people with fewer skills will come to rely on automated
    patching.

    (C). Organizations install system security sentries that block access
    by systems that have not been hardened.
    Why? This approach protects your important users from careless
    people who do not take minimal steps to improve the security of
    their systems. And it takes the politics out of security. One major
    government laboratory that has already implemented a "Just Say No"
    program finds that people adapt rapidly, and the inevitable complaints
    drop off quickly. It's not that hard to comply with minimum security
    configuration standards once they are established.

    (D). Organizations order systems initially configured to meet security
    benchmarks.
    Why? As "just say no" systems begin to proliferate, users will decide
    it is too much work to harden every box after they buy it and will,
    instead, require organizations to meet a minimum set of requirements -
    probably a combination of those developed by the Center for Internet
    Security (http://www.cisecurity.org) and their in-house experts.

    (E) Business and government will intensify their cooperation.
    Why? The security problem cannot be solved by either one alone and
    organizations like NIPC, the Critical Infrastructure Assurance Office,
    and the Office of Homeland Defense have made it easy for commercial
    organizations to cooperate with government and for government to share
    data with commercial organizations. Most importantly, the best of the
    ISPs (those likely to survive) will build strong partnerships with
    government because they can protect their customers only by being
    good citizens and protecting the Internet from their own rogue or
    careless customers.

    (F) Middle management security jobs decline, while salaries for
    individual contributors increase sharply.
    Why? This has already happened, in some cases radically, during 2001
    and is continuing into at least the first half of 2002. It is caused
    by a combination of three forces: (i) Middle management jobs overall
    are under pressure. For example AT&T announced on Friday that it would
    drop 5,000 additional jobs, more than half among middle managers. (ii)
    Middle managers in security who do not have modern technical security
    skills can do little to improve security directly; they are forced
    to ask others to do it. When jobs are scarce, and managers have to
    make choices, they choose those who can do the job. In the exact
    words of a (recently released) middle manager in security at a
    major insurance company, "They told me [the reason for my being
    made redundant was] that the operations people were fully capable of
    writing security policies and that I could not harden a firewall or a
    UNIX system." (iii) Continuing shortages of people who can prove they
    have the skills to do the necessary security work will keep salaries
    and premiums high for those who can.

    (G) Security auditors will take on more monitoring roles
    Why? As security departments lose staff, the only people left to
    monitor security are the auditors. And audit departments have been
    hiring technical people at a rapid rate. Initially they were hired to
    do penetration testing, but their jobs will shift to more continuous
    testing.

    (H) Penetration testing and periodic vulnerability scans give way to
    continuous vulnerability testing and configuration control.
    Why? Penetration testing has a terrible track record. Testers often
    succeed using social engineering which tells the organization almost
    nothing about what needs to be corrected. Periodic vulnerability
    scans miss everything that happens between them. New tools will
    monitor continuously for widely accepted minimum security standards.
    Penetration tests will, however, continue to be used on newly deployed
    systems and those being attacked. As a related trend, consulting firms
    are already starting to find their clients asking less for penetration
    testing and policy development and more for actual configuration
    improvement and continuous monitoring, and that requires technically
    proficient staff that can do the hard work of securing systems and
    configuring firewalls.

    (I) [In three to five years, but sooner would be better] Large-scale,
    infrastructure and configuration-based security improvements are seen
    as cost savers instead of overhead, and companies take on security
    improvement projects with the enthusiastic support of top management.

    ===

    From all of us in the SANS family, we hope 2002 brings you and your
    families health and satisfaction in all your endeavors.

    ==end==

    Please feel free to share this with interested parties via email (not
    on bulletin boards). For a free subscription, (and for free posters)
    e-mail sanssans.org with the subject: Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

    You may also email <sanssans.org> with complete instructions and
    your SD number for subscribe, unsubscribe, change address, add other
    digests, or any other comments.
