***********************************************************************
SANS NEWSBITES BONUS ISSUE
Important Trends Shaping Security In 2002
Volume 4, Bonus Issue
January 7, 2002
***********************************************************************

What's happening to information security jobs? What are the new threats? What's coming in technology? In management? We asked members of the NewsBites editorial board (Gene Schultz, Marcus Ranum, Bill Murray, Stephen Northcutt, and Roland Grefer), the FBI's National Infrastructure Protection Center (Bob Gerber and Jeff Tricoli), Bruce Schneier, and David Foote to help answer these questions by sharing their choice for the most important trends shaping security in the coming year. Not surprisingly, given the sources, these are authoritative, thoughtful assessments.

Also in this issue you'll find a description of several upcoming SANS security education events that can help you take advantage of, or at least survive, the forces changing the shape of information security.

CONTENTS

1. Bruce Schneier on liability
2. David Foote on the changing job market for information security professionals
3. FBI's National Infrastructure Protection Center (Bob Gerber and Jeff Tricoli) on the threat outlook
4. Bill Murray on a range of changes, including replacing penetration testing with continuous monitoring
5. Marcus Ranum on automated patching
6. Roland Grefer on new applications of biometrics
7. Gene Schultz on the death of PKI and changes in consulting
8. Stephen Northcutt on accountability
9. Northcutt on SANS security education programs
10. Alan Paller on the 8 top trends this year in security

--1. Bruce Schneier

The top security trend of 2002 is liability. In 2001, a Federal judge forced the US Department of the Interior to sever its Internet connection, because it couldn't adequately protect private data. Other judges are issuing restraining orders against companies whose networks were the inadvertent launching pads for attacks. Microsoft sees this trend; their "responsible disclosure" rhetoric is an attempt to shift responsibility away from the companies that build insecure products. Through fairer contracts, insurance arrangements, and judicial action, accurate responsibilities for security problems will be apportioned. And many of the existing power balances in security will topple as a result.

Bruce Schneier is the Chief Technology Officer of Counterpane Internet Security, Inc., a Managed Security Monitoring company in Cupertino, CA. He designed the popular Blowfish and Twofish encryption algorithms, and is the author of six books on security and cryptography, including the security best seller "Secrets & Lies: Digital Security in a Networked World."

--2. David Foote

Knowledge of the technical side of security has long dominated security job evaluation and defined compensation levels, but the following qualities will soon rival technology in influencing pay for security pros: being adept at corporate politics; possessing business skills and aptitudes; having good relationship management, communication, and collaborative team skills; project management experience; and being able to market, sell and negotiate outcomes.

Workers holding security certifications averaged 8.3% of base salary for skills bonus pay they received in 3Q 2001, up from 7% in the first quarter. Most responsible for this growth has been the SANS-GIAC family of security certifications. We anticipate more accelerated growth in security certification pay over the next two years, and predict that average premium bonus pay there will top the average for all certifications in the survey by the beginning of next year.

(These trends are extracted from his November 28 article at the SearchSecurity site: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci783646,00.html)

David Foote is a former Gartner Group analyst and now leads the Foote Partners team that compiles and publishes the only continuous quarterly IT salary and hot technical skills survey research currently available in North America.

--3. The FBI's National Infrastructure Protection Center - Outlook for 2002

(i) Computer attacks will be more frequent and sophisticated, often exploiting several vulnerabilities at once. Malicious code will propagate autonomously, at increasing rates that could threaten entire networks.

(ii) Attackers will increasingly target computer network components like routers and non-traditional protocols in order to compromise systems and disrupt service.

(iii) There will be increased awareness of vulnerabilities and efforts to remedy them before they are exploited. The time between vulnerability awareness and first exploit, however, will continue to shrink in the near term.

(iv) Wireless technology will become the new arena for old attacks and new exploits.

The National Infrastructure Protection Center (at the FBI) has developed the most respected cyber threat monitoring, response, and mitigation capability in the world by combining in-house talent with a consortium of top security researchers at public and private organizations.

--4. William Hugh Murray

2001 to 2002: Security becomes proactive rather than reactive, restrictive rather than permissive, professional rather than para-professional, infrastructure and "defense in depth" rather than patching and fixing nodes, special purpose boxes rather than general purpose systems.

Strong authentication based on PK certificates and tokens must replace passwords for privileged controls and business-to-business applications. It is time to scan all objects, in and out, at the perimeter and the desktop rather than only mail, only attachments, only in, and only at the firewall or the desktop. End-to-end encryption must replace reliance on media, link (e.g., WEP) encryption, and gateway-to-gateway (e.g., VPN). Automated routine vulnerability assessment must replace ad hoc penetration testing, and rigorous and continuous traffic monitoring must replace ad hoc "intrusion" detection.

William Hugh Murray is one of the most prolific writers and speakers in the information security field. During his twenty-five years with IBM, Bill headed the support team for RACF (IBM's mainframe security product) and wrote one of the most widely used security assessment checklists.

--5. Marcus Ranum

Big changes - few, but important and slow changes are happening. In 2001 we saw the beginning of awareness on users' parts (and even security practitioners - finally!) that patches are not an effective way to deal with security flaws in software. There are too many administrators who are now simply giving up when confronted with daily patch installs. Which means 2002 is the year we'll have the opportunity to do something about it. My guess is that we'll begin to see a flood of self-patching software. Instead of requiring users to intervene, the programs of the future will quickly install their own security patches and notify users "you're safe." Of course this won't be perfect, but if you consider the number of sites that never install patches at all, or that have given up on patch installation, it's a step in a good direction.

Marcus Ranum is the Chief Technology Officer of Network Flight Recorder. He developed the first commercial firewall and later, the Gauntlet firewall. He is also credited with inventing the concept of the proxy firewall, used today by most firewall vendors.

--6. Roland Grefer

Triggered by the events of and following September 11th, 2001, another push/surge for broader application of biometric identification has been started and will continue. This includes general face matching surveillance technology as deployed during the Super Bowl at Raymond James Stadium in Tampa last January, as well as iris and fingerprint scans, currently in use/tests at major U.S. airports. Emerging technology enhancements and combinations of several methods will reduce the vulnerability to replay attacks and minimize the risk of "false positives", while keeping the usability high through a reasonably small amount of "false negatives".

Roland Grefer is a security consultant in Germany.

--7. Eugene Schultz

(i) 2002 will be the year in which the public key infrastructure movement will functionally die. Plagued by problems such as non-interoperability of products and failure to consider business drivers, the PKI movement was (unfortunately) doomed from the start.

(ii) 2002 will be marked by major advances in intrusion detection. The intrusion detection community will continue to move away from the simple signature-based systems that are currently so prevalent. Rule- and profile-based intrusion detection will start to become more dominant. There will also be increased government funding for intrusion detection research.

(iii) There will be continued, massive change in the security consulting industry. Many start-up companies will continue to go out of business, leaving the major consultancies in control of the services (e.g., managed services) that so many start-up companies originated. The result for clients will be increased cost, but also increased stability and reliability.

Eugene Schultz is a Principal Engineer with Lawrence Berkeley National Laboratory and also teaches computer science courses at UC Berkeley. He is the author of important books on Windows Security and Incident Handling, and he founded the US Department of Energy's Computer Incident Advisory Capability (CIAC).

--8. Stephen Northcutt

In 2002 the IT community will reevaluate best practice. The downturn in the economy has already increased pressure from management to know why their investment in information security isn't yielding better results in the face of attacks like Code Red and Nimda. Employees with specific technical skills, e.g. the ability to configure a firewall or router, or harden a UNIX or Windows IIS system, will be in the best position in the coming year. As for technology, I expect to see a lot of attention focused on making the right choice of operating system for key servers and on how those servers are configured and maintained.

Stephen Northcutt served as the Information Warfare Officer at the US Ballistic Missile Defense Organization, wrote the best selling book on Intrusion Detection, and directs the SANS Institute's education and skills certification programs.

--9. Northcutt on Security Education at SANS

I have been greatly impressed by the new breed of manager, the folks who really know their stuff at the technical level in the industry - both in large organizations and at consulting firms. They are becoming more and more common - a very encouraging sign. One such manager came up to me at Cyber Defense Initiative East in Washington, DC. He won his GIAC Intrusion Detection Certification as part of the very first intrusion detection certification class in 2001. He told me how impressed he was with the new six day, hands-on, intrusion detection immersion curriculum. He said his employees were "getting it. They are coming back to work with the lights on. You can see it in their eyes".

Sometimes it's difficult to be sure that educational material is both current and directly relevant, but by using in-the-trenches practitioners who are also great teachers, we've been surprisingly successful in staying true to the SANS promise that you will be able to put the material to work as soon as you get back to the office. In fact, one attendee just wrote us a note saying that, while attending his track, he didn't think the program was really going to be very applicable to his company, that is, until he stopped by work the night after the last class. He decided to connect the class intrusion detection machine to his network and immediately was shocked to see a hacker in the process of creating new directories on one of his systems. His exact response was, "Holy Smokes, Batman! I am a SANS convert." (His note and many hundreds of other written validations of the value of SANS programs are available to you if you need them to persuade either yourself or your managers that there is no other comparable training available in the industry. Every track at SANS, from the most basic to the most advanced, follows the SANS promise: you'll be able to put it to work when you return to the office.)

Although SANS education focuses on technical skills, a survey of attendees at the Washington and San Francisco SANS conferences in late 2001 showed that more than 40 per cent of all attendees managed teams of at least four people. In other words, many managers are working to improve their technical skills.

We realize of course that students are looking for different things in their training. Some want the most intense training environment possible, to learn as much in as short a period of time as possible. Others really enjoy the experience of the huge annual conferences with vendor exhibitions and any number of evening events. Others are seeking to learn, but also to relax a bit, perhaps needing a bit of a vacation from the office grind. We try to design conferences to meet each of these needs. In the next three months, we'll have three large training events, along with several smaller programs. To help you choose, here's a quick recap of the three larger programs.

=========================
SANS Aloha IV, January 28 - February 2 in Honolulu, is a more laid back offering of four of our most popular tracks. Airfares and hotel rates for Hawaii have never been cheaper. For further information: http://www.sans.org/Aloha4.htm

=====================================================
SANS Computer Security Bootcamp 2002, February 9 - 14 in Monterey CA, is the most intense learning environment that most security professionals will ever experience. Courses run during the day and special Bootcamp sessions run at night. If you are seeking advanced security education that gives you the tools, tips and techniques to get up to speed fast, then this is the ideal training opportunity for you. Most people who have attended SANS conferences in Monterey say it is the best place in the country to go to a conference - especially with the program running right next to Fisherman's Wharf. http://www.sans.org/Bootcamp.htm

=============================================
The Annual SANS Conference, April 1 - 7, 2002, in Orlando Florida, is our most complete offering of courses and other educational activities. SANS2002 will feature eleven tracks including, for the first time, our completely rewritten and updated forensics track. The SANS annual conference is one of the few SANS programs where you can mix and match courses from multiple tracks. In addition, if you attend one of the tracks, you get a complete technical conference (featuring several of the highest rated speakers in the industry) focusing on the newest developments in security, *** at no cost ***. The technical conference sessions run in the mornings and evenings before and after the courses, so you can attend both your training track and the technical conferences without spending extra days or extra dollars. And SANS' largest vendor exhibit is also part of this giant program. Orlando in early April is a great way for the family to recover from a cold winter - and the plane fares are very economical as Disneyworld celebrates the Disney parks' 50th anniversary. http://www.sans.org/SANS2002.php

We look forward to seeing you at one of our upcoming training events. They are all listed at http://www.sans.org.

--10. Alan Paller's Top Security Trends for 2002

Part of my job as SANS research director is to continuously poll the community to learn what new challenges they face and how they are meeting those challenges, and to keep a running list of the most important new trends. Many of these trends were already described by other authors above. But repetition helps identify which might be most important.

(A) Linux pulls ahead in operating system security, and IBM's support gives it big-company acceptability for critical applications.
Why? Because (1) the National Security Agency (NSA) released a security enhanced version of the Linux kernel into the open source community; (2) testers found the security enhancements protected them against being damaged by common attacks even if they did not patch their systems against those attacks; (3) the Linux development team (under Linus Torvalds) is engineering the enhancement capabilities into the kernel; and (4) IBM spent millions this year building the NSA enhancements into commercial code and has begun a major marketing campaign. More information: http://www-106.ibm.com/developerworks/security/library/s-selinux/?dwzone=security

(B) Automated security patching affects millions of users.
Why? Microsoft's XP operating system automatically fetches new security patches (trickling them down and announcing to the user when they have arrived). Other operating system vendors have the same capabilities under development because users no longer believe their claims that "automated patching is impossible for complex operating systems." Highly skilled security professionals will still choose to add patches manually, but people with fewer skills will come to rely on automated patching.

(C) Organizations install system security sentries that block access by systems that have not been hardened.
Why? This approach protects your important users from careless people who do not take minimal steps to improve the security of their systems. And it takes the politics out of security. One major government laboratory that has already implemented a "Just Say No" program finds that people adapt rapidly, and the inevitable complaints drop off quickly. It's not that hard to comply with minimum security configuration standards once they are established.

(D) Organizations order systems initially configured to meet security benchmarks.
Why? As "just say no" systems begin to proliferate, users will decide it is too much work to harden every box after they buy it and will, instead, require vendors to meet a minimum set of requirements - probably a combination of those developed by the Center for Internet Security (http://www.cisecurity.org) and their in-house experts.

(E) Business and government will intensify their cooperation.
Why? The security problem cannot be solved by either one alone, and organizations like NIPC, the Critical Infrastructure Assurance Office, and the Office of Homeland Defense have made it easy for commercial organizations to cooperate with government and for government to share data with commercial organizations. Most importantly, the best of the ISPs (those likely to survive) will build strong partnerships with government because they can protect their customers only by being good citizens and protecting the Internet from their own rogue or careless customers.

(F) Middle management security jobs decline, while salaries for individual contributors increase sharply.
Why? This has already happened, in some cases radically, during 2001 and is continuing into at least the first half of 2002. It is caused by a combination of three forces: (i) Middle management jobs overall are under pressure. For example, AT&T announced on Friday that it would drop 5,000 additional jobs, more than half among middle managers. (ii) Middle managers in security who do not have modern technical security skills can do little to improve security directly; they are forced to ask others to do it. When jobs are scarce, and managers have to make choices, they choose those who can do the job. In the exact words of a (recently released) middle manager in security at a major insurance company, "They told me [the reason for my being made redundant was] that the operations people were fully capable of writing security policies and that I could not harden a firewall or a UNIX system." (iii) Continuing shortages of people who can prove they have the skills to do the necessary security work will keep salaries and premiums high for those who can.

(G) Security auditors will take on more monitoring roles.
Why? As security departments lose staff, the only people left to monitor security are the auditors. And audit departments have been hiring technical people at a rapid rate. Initially they were hired to do penetration testing, but their jobs will shift to more continuous testing.

(H) Penetration testing and periodic vulnerability scans give way to continuous vulnerability testing and configuration control.
Why? Penetration testing has a terrible track record. Testers often succeed using social engineering, which tells the organization almost nothing about what needs to be corrected. Periodic vulnerability scans miss everything that happens between them. New tools will monitor continuously for widely accepted minimum security standards. Penetration tests will, however, continue to be used on newly deployed systems and those being attacked. As a related trend, consulting firms are already starting to find their clients asking less for penetration testing and policy development and more for actual configuration improvement and continuous monitoring, and that requires technically proficient staff who can do the hard work of securing systems and configuring firewalls.

(I) [In three to five years, but sooner would be better] Large-scale, infrastructure and configuration-based security improvements are seen as cost savers instead of overhead, and companies take on security improvement projects with the enthusiastic support of top management.

===

From all of us in the SANS family, we hope 2002 brings you and your families health and satisfaction in all your endeavors.

==end==

Please feel free to share this with interested parties via email (not on bulletin boards). For a free subscription (and for free posters) e-mail sans@sans.org with the subject: Subscribe NewsBites

To change your subscription, address, or other information, visit http://www.sans.org/sansurl and enter your SD number (from the headers). You will receive your personal URL via email. You may also email with complete instructions and your SD number for subscribe, unsubscribe, change address, add other digests, or any other comments.