Q&A: Improved Security Requires IT Diversity

Security expert Bruce Schneier explains why homogeneous systems are risky and why software vendors should be held liable for the bugs they create.
Jaikumar Vijayan
November 24, 2003 (Computerworld) -- In his recently released book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, 2003), security guru Bruce Schneier argues for a more common-sense and less technology-centric approach to both IT security and physical security. In this interview with Computerworld, Schneier shares his views on IT security.

You recently co-wrote the report "CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security." Would you have written it if the world had been standardized around another operating system?
Of course. The problem is not specific to Microsoft; it's a general problem of monocultures. The security risks would be no different if the country standardized on Macintosh System 10 or Linux. The security risks were the same in 1989, when the Morris worm propagated freely in an Internet that standardized on Unix.

Are there benefits to having a homogeneous IT environment that outweigh the potential risks?
In some ways, it's a judgment call. The question is whether you don't put all your eggs in one basket, or you put all your eggs in one basket and guard the basket. On balance, I think that the risks of a monoculture in operating systems outweigh the advantages.

Last year you wrote about the need to fix network security by hacking the business climate. What did you mean?
Network security is plagued by good technical solutions that just don't work. Companies install firewalls but don't configure them properly. Network administrators don't install patches. Software companies don't write secure software. The problem here is not technical, but economic.

What do you mean when you say that secure software is an economic problem?
The economics of security is such that the effects of insecurity are largely an externality -- the costs aren't borne by the companies making the security decisions.

Bruce Schneier, president at Counterpane Internet Security Inc.

The only way we can fix computer security is to fix this economic problem. We need to take the companies in the best position to fix all these security problems -- the software manufacturers -- and make it in their best interest to do so. For years I've advocated software liability as a way to do this. Once a company like Microsoft is liable for damages as a result of its software vulnerabilities, you can be sure that they'll start taking those vulnerabilities seriously.

But don't users have a responsibility as well?
It's clear that Microsoft doesn't bear 100% of the responsibility for these problems. But it is also clear they don't have a zero percent liability. That is what the courts should decide. Courts do this all the time. How much contributory negligence is each party responsible for?

What's to be done about the patching problem?
There is nothing that can be done. There are too many patches, they don't work very well, and companies can't keep up. Blaming companies for not installing patches is blaming the victim -- it's not right, and it's not fair. Software quality needs to improve; patching after the fact no longer works.

Why hasn't technology helped make us physically safer?
Technology hasn't made us safer because safety is not a function of technology. Real security comes from people. Technology is just a security tool. There are lots of examples post-9/11 where [people have assumed] that technology will solve their problems. People think that magic technology will make them safe. That is not the case.

You argue that the focus should not be so much on threat avoidance but on risk management. What do you mean by that?
Security is always a trade-off: What are you getting vs. what are you giving up? Sometimes more security makes sense, and sometimes less security makes sense. When people think about security, they inherently think in terms of this risk management trade-off mentality. It doesn't matter how effective a security system is at avoiding the threat. If a security system does not make business sense, it's not going to be installed.

How can companies move from the threat-avoidance IT security model to risk management?
All it takes is for the CFO to be in charge of security. The last thing you want is for security people to make these sorts of security decisions, because they don't have a broad enough view. You need a financial person to look at the risks, the risk reductions and the costs.

Why is it so hard for companies to get IT security funding these days?
From the point of view of the CEO, the risks aren't very great. It's just not worth spending a lot of money on security. That view is changing as we speak, however.

What's driving that change?
The increasingly public Internet epidemics. It's in the news all the time.

Why are companies having such a hard time measuring the effectiveness of their IT security efforts?
It's hard to measure how effective security is. If no one ever robs your home, does it mean that your home security is good, or does it mean that no one has bothered trying? In some ways, you make your best bet based on houses around you or in your neighborhood or by measuring comparables. The problem is that there is no standard benchmark against which to measure your own security. Even worse, if you have had no successful attacks, you might get your budget slashed because "obviously" there's no need.

What's your position on full disclosure of vulnerabilities?
The only reason that software companies are paying attention to vulnerabilities and issuing patches is because of full disclosure. Before researchers started publishing vulnerabilities publicly, software companies would routinely deny that the vulnerabilities existed. Full disclosure is what's getting them to take security seriously, and it's what's keeping them honest. Yes, it also helps the bad guys. But the benefits grossly outweigh the disadvantages.
