Hackers to concentrate on moving targets

Published 22 May 2008

Security maven Howard Schmidt says more must be done to bolster mobile defenses

Those who toil in IT security would know that in a long career in both the public and private sectors, Howard Schmidt has earned a reputation for being one of the world’s foremost authorities on computer security. Schmidt first made a name for himself as an expert in computer crime while working for the FBI. As head of the bureau’s Computer Exploitation Team, he gained recognition as a pioneer in computer forensics and computer evidence collection. Next he headed up the U.S. Air Force’s Computer Forensic Lab and Computer Crime and Information Warfare Division. His involvement with national security continued with his appointment in December 2001 as the vice chair of the President’s Critical Infrastructure Protection Board and as the Special Adviser for Cyberspace Security for the White House. Schmidt has also worked in the private sector. He served as chief information security officer at online auction giant eBay, and as chief security officer for Microsoft, where his duties included forming and directing the Trustworthy Computing Security Strategies Group. Today, Schmidt divides his time between his role as chief executive of R&H Security Consulting, delivering speeches, and writing.

One of his main messages is that the IT industry has to take more responsibility for security. “We have a huge dependency on applications these days, and our expectation is that the suppliers will do more to secure them,” he told ITWeek’s David Neal. “Or, you can look at the infrastructure that we use, and ask, ‘Why don’t the ISPs just block infections, or bad networks?’” While vendors and service providers have a responsibility to provide security, this does not get users off the hook. “As consumers we have to do things to be better protected. We have to follow through on the work being done by the vendors, and the applications,” he said.

Schmidt said he has been impressed by the steps the industry has taken to combat online threats. “Look at phishing, for example. I have multiple email accounts, but phishing mails only ever end up in my spam folder, not my inbox. Should one get through and I click on the link, I am presented with a warning, and then, should I ignore that, it is likely that my browser will block my access anyway,” he said. The threat landscape is constantly changing, Schmidt warned, with mobile applications likely to be the next prime target for hackers. “I don’t carry a laptop around much anymore, but I do carry two mobile devices. Companies are releasing SDKs for developers to use so there are lots of mobile applications out there, but this also means that there are lots of applications for the bad guys to exploit. I don’t know if the industry has put much focus on protecting them,” Schmidt said. Another problem he has with mobile devices relates to the increasing amount of storage they offer. As business users have come to rely on these devices more and more, so the amount of potentially sensitive data stored on them has increased. “What do you do about encrypting that?” he asked. “Very few manufacturers make software protection for mobiles.”

Schmidt believes organizations are far too reliant on patching to secure their systems — a situation that he feels simply cannot be allowed to continue for much longer. “Patching is frustrating, but as we get better at secure coding the need to do this will become less. But now, we have to work in a much more reactive way, applying fixes as and when they are released. Often it can cost more to run a software solution than it does to buy it. We need to be looking forward. Looking for ways to prevent things from happening in the first place, not after they become an issue,” he said. Asked whether new regulations such as a breach notification law would help to improve standards of system security, Schmidt agreed — up to a point. “Breach notifications would be of benefit, but the requirement must be consistent. In the U.S., individual states make their own [rules] and there is a lot of complexity, which makes things difficult to manage,” he said. For Schmidt, though, the one sure-fire way to minimize online threats is the adoption of two-factor authentication — a form of logging on that requires both a password and some form of physical token. “I said two years ago that passwords and logins should have been declared dead already. People use the same password with their bank and their e-mail accounts, despite the fact that these may not be as secure as each other. [If bad guys get hold of a password] they will try them against all of your accounts,” he said. “If we move away from the log-in/password method a lot of the low-hanging attacks would be reduced.”