Marcus Ranum on Today's Top Threats
Part 1 of a Two-Part Interview with the Information Security Thought-Leader
- Why we're more at risk today than we were a year ago;
- Threats posed by social media and new portable devices;
- What we should learn from the recent iPad incident.
Ranum, since the late 1980s, has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.
TOM FIELD: What are the biggest security threats to consumers and businesses today? Hi, this is Tom Field, Editorial Director with Information Security Media Group. This is Part 1 of a two-part interview with Marcus Ranum, CSO of Tenable Network Security. In this part we talk about the biggest security threats today, including social media, portable technology and the recent iPad Breach and what that means. Marcus, we first talked sometime back in 2009. It is a pleasure to talk with you again today.
MARCUS RANUM: It's good to be back.
FIELD: We talked last time about security threats and what was current, and I guess to revisit the topic I want to paraphrase Ronald Reagan: "Are we safer online today than we were a year ago?"
RANUM: Well it's kind of hard to put that on a single axis, but I would say that the answer would have to be no, and the reason is because we've got this dynamic that we play out in internet technology, and I think in computing in general, where the security practitioners seem to constantly be running along behind whatever is the leading edge or the cutting edge, and kind of going "No, no, wait stop," and trying to fix things. So, what tends to happen is that the folks who are out designing stuff on the cutting edge are busy creating problems for us faster than we can fix them, so we're mostly trying to fix the old problems that they haven't managed to make worse yet.
FIELD: So, when you look around, what do you see as the biggest security threats to consumers and businesses today?
RANUM: Well, I think malware is a huge problem. It has been a huge problem for a long time, and I think a lot of practitioners saw this threat kind of bearing down on us for almost a decade or so. I'm a little concerned about complacency in malware, because I think what is happening -- certainly on the consumer -- malware has gotten a lot better in the last five or six years. I think what has happened is people are kind of going, "Well, my computer is not blue-screening very much; I must not have malware anymore." And what is really happening is that they've got better, stealthier, more reliable malware that just doesn't blue-screen their computer.
FIELD: Marcus, I want to ask you about some specific threats that have come up in recent times and get your thoughts on them. Social media for one. Everybody is dabbling in social media. Some organizations have policies, some don't. What do you see as sort of the real threats and maybe the ones that aren't as real as we would like to think they are?
RANUM: Well, there are some real problems. I mean, one of the issues with social media, of course, is information control and the problem of information leaking out. Organizations that don't have a very tight grip on who is allowed to speak for the organization -- you know they're going to encounter problems when somebody starts a blog or somebody in the marketing department just starts twittering whatever they think they should be tweeting at any particular moment. So there's the issue of media control and corporate relations, and that's actually a pretty serious problem. There is also the other problem of information leakage, which that one kind of surprises me. And if we look at it from a corporate standpoint, if corporations are allowing people to go update their Facebook pages from inside the corporate perimeter and during office hours, of course information of what they are working on is going to leak out. That seems kind of obvious.
FIELD: How about portable technology, Marcus? One of the things that strikes me is a number of the breaches that we have seen in healthcare in particular have been because of data leakage on portable technology, something has been misplaced or stolen.
RANUM: That's a huge problem again, but every time I see an article that says, "Laptop lost; administer of defense secrets found in lost luggage" or "medical data found on laptop in back of car"... The real question is, "Why is that data on a laptop?" It's not the laptop getting lost, because laptops, iPads, iPhones -- all of this stuff is going to get lost, or it's going to get stolen. That is what happens to it. So, the problem is if an organization has got information that needs to be controlled, why is it that the stuff is getting copied down on these kinds of portable devices? Maybe the organization should be starting to look at what they can do to track people who are pulling down copies of the customer database and stuff like that. That is constantly amazing to me again. Organizations are concerned that their sales secrets are going to leak, and then they give all of their sales guys a BlackBerry. Well, what do you think is going to happen?
FIELD: Another one that really got the headlines recently is the so-called iPad breach. It got lots of headlines, lots of attention; what was really important about that?
RANUM: Oh, there were a couple of things that were important about that. One of them is having a good fallback plan when something goes wrong - that is always a really good idea. It does really illustrate how devastating an information leak can be, and how quickly you can do a tremendous amount of public relations damage. I think in that situation it was probably not Apple that came out looking bad. And, of course, from a simple sales standpoint, it appears to have absolutely no effect whatsoever on the extremely successful launch of the product, which is another point that we information security people have to keep track of, and ultimately this is all about driving a successful business, and security takes a back seat to a product that six million people are lining up to buy.
I think from a software engineering standpoint the only other thing that this shows is that the worst thing you can do is to push code out, because that is really what we are talking about here was on that website. If you push code out that really hasn't been very carefully checked and gone through some pretty rigorous quality assurance and testing, as soon as it becomes available to the internet, the bad guys are going to subject it to all that quality control and testing for you whether you like it or not. So you may as well factor that in to part of your development cycles, and I think I'm seeing a trend in a lot of organizations now that are doing anything web based to be a lot more serious about doing code analysis and design reviews before they push any of their software out to the public.
FIELD: This concludes Part 1 of our two-part interview with Marcus Ranum, CSO of Tenable Network Security. Stay tuned for Part 2 in which we talk about businesses and banks and how they are squaring off over the question of reasonable security; healthcare organizations and the challenges they face as they pay more attention to information security now; and finally the federal government and its role in ensuring that we really are more secure a year from now than we are today. Until then, for Information Security Media Group, I'm Tom Field. Thank you very much.