Security Technology Executive

JAN-FEB 2013

Issue link: https://securitytechnologyexecutive.epubxp.com/i/107544


COOL AS McCUMBER

By John McCumber

Published by Cygnus Business Media, Inc.

Return of the Hacker

The old days of worst-nightmare scenarios have come back to the forefront of IT security

It was the mid-90s, and almost every briefing, presentation, discussion and overview began with a hacker "war story." Some were true, but most were technology legends. After the hacker anecdote, it was pro forma to make the case that the anecdote is a statistical likelihood for your audience. This opening act was a constant — whether the purpose of the presentation was to educate or sell. Eventually, audiences recognized this hackneyed approach, and the anecdotal FUD (fear, uncertainty and doubt, for you n00bs) factor became largely discredited.

In retrospect, the old FUD anecdotes made sense. Computer security was a relatively new profession, and there weren't any relevant large-scale studies or statistical analyses to aid in making informed risk decisions. Anecdotes were all we had at the time, so we focused on finding and identifying malicious threats that could be encoded and updated in security software that would, in turn, detect and eliminate the culprit code. However, you can only do that after the malicious code had been discovered, then a signature was programmed and pushed out to the security applications for enforcement. It was (and is) a clumsy and inefficient system.

The effort was organizing lengthy lists of all possible technical vulnerabilities within operating systems, utilities, applications, protocols and software/firmware. These lists were then used by IT managers to remediate the vulnerabilities as best they could. It is a thankless, never-ending litany of problems to be resolved, or at worst, ignored.

The threat landscape has changed dramatically over the last few years, and the hacking stories have been reinvented as "big news." Silicon Valley start-ups and venture capitalists are again in a committed relationship, as companies spring up to hire these next-generation hackers to seek out and identify the new, more stealthy threats that easily circumvent traditional preventive security technologies. Some package their findings as services, while others use this intelligence to populate a variety of security products. It is something of a white-hat hacker rebirth.

The problem is that ultimately, no one wants to waste time tracking every possible human threat. There is little or nothing organizations can do to mitigate and prosecute them all — especially those originating in foreign countries. Watch for technology to quickly move to automate this remediation, and the cycle will repeat.

John McCumber is a security and risk professional, and author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. E-mail him at Cool_as_McCumber@cygnusb2b.com.
