Security Watch | Matt Hines » Security guru Clarke: safe networks don't exist

June 26, 2007 | Comments: (0)

Security guru Clarke: safe networks don't exist

Remember that '80s classic War Games? You know, the one with Matt Broderick and Ally Sheedy about a California teen who hacks into a Pentagon war simulation computer, WOPR (for War Operation Plan Response)? Well, former White House cyber-security expert Richard A. Clarke told a gathering of enterprise executives and data protection specialists that they should load it up in their Netflix queue and watch it... very carefully. Why? Because the movie gives a good depiction of how porous most enterprise networks are these days, Clarke said.

Speaking to the assembled crowd at the ongoing InfoWorld Enterprise Data Protection Forum in New York, Clarke said that IT leaders have to accept the fact that their IT systems are being infiltrated -- no matter how well they are being defended -- even if they can't yet detect the means by which they're currently being hacked.

Clarke said that his years in the federal sector convinced him that there is no such thing as an IT network that cannot be penetrated by outsiders or manipulated by insiders.

Even after he showed military leaders at the Pentagon that their most valuable systems were being violated during the 1990s and convinced the government to adopt early intrusion detection systems (IDS), the problem has only grown more severe, said Clarke.

"If you're on a network, someone can get in, no matter how much you spend on firewalls and intrusion detection systems, if you're connected to the Internet someone can get in," Clarke said. "I used to have a hope that all we had to do was come up with the perfect architecture and the best series of best practices and force government agencies to adopt it; it's been proven to me that no network is secure, there are amazing and surprising ways to get onto any type of network."

"All of the information on your network is available to someone who wants it or is willing to pay the price for it, even if there is no evidence they can do it," he said. "That's hard to prove but I think it's true."

Clarke said that the data breaches that get reported publicly are merely the "tip of the iceberg," with many more happening without even being noticed by the firms that are being victimized.

He encouraged chief information security officers (CISOs) and other security workers to go to extreme lengths to show business leaders that they are not sufficiently protected by most technologies available today, no matter how much money they've spent.

(Among the teaching tools Clarke recommended were his own novel "Breakpoint," and a newly re-released version of the 1980s computer hacking/sci-fi classic "War Games," to which he contributed a new introductory segment.)

The expert said that going to any length available to demonstrate the porous nature of today's technologies will help security workers gain the attention and budgets they need, if the efforts to convince business leaders how dire the data security problem has become are successful.

"There's a need to find non-traditional ways of telling the story to your CEO, CFO, and the board about what a data breach means, that it is going on even if you can't prove it, that the most valuable information on your network is getting to your competition," said Clarke. "When they are convinced, have a solution kit in pocket of what you need and want them to do; encrypt data on the network, encrypt e-mail, encrypt data at rest, and use egress filtering as belt and suspenders approach; have some sort of role-based two-factor authentication."

"Otherwise, tell them they will end up not knowing when this happens and that they are becoming a victim of what I'm convinced is going on, on any corporate network of significant value," he said.

"Don't tell business leaders that you can solve the problem, that you can make the network completely secure," said Clarke. "That's not true, whether or not you can persuade people it's true, you shouldn't try, because someday somebody will see through it."

"If you're simply trying to protect endpoints, there will still be a breach on your network," he said. "The message has to be - 'we'll try to secure the network, but never fully succeed;' we need to start securing what's on the network."

"Not everything is equally important," said the expert. "Not everything on the network is as important as everything else, there is a point of diminishing returns; begin protection with what is important, even though the cost of encrypting everything is still fairly minimal."

Posted by Matt Hines on June 26, 2007 10:48 AM

