If Peter Neumann thought any more about risk, he’d probably be a gambler instead of a computer scientist. Instead, he feels it’s IT professionals who are gambling these days—gambling with the security of systems, and doing it with the odds against them stacked higher than they can imagine.

A 10-year veteran of Bell Labs, where he worked on the predecessor to UNIX, and a 31-year veteran of SRI’s Computer Science Lab, Neumann has testified before Congress on security issues on at least four occasions. SRI, an independent, nonprofit research institute based in Silicon Valley, performs contract research and development for government agencies, commercial businesses, and nonprofit foundations.

Neumann is involved in everything from network security and reliability to voting-system integrity and the social implications of privacy in his role as a principal scientist at SRI and co-chair of the ACM Advisory Committee on security and privacy. In June of this year, the National Institute of Standards and Technology (NIST) awarded Neumann the 2002 Computer System Security Award.

TechRepublic’s Howard Baldwin recently caught up with him at his summer retreat on Martha’s Vineyard to get his thoughts on enterprise security.

TechRepublic: What should CIOs be thinking about and doing regarding security?
Neumann: CIOs need to be educated. The first thing they ought to do is learn about the risks and threats they’re vulnerable to. Every point of the public infrastructure is vulnerable, whether it’s a corporate information system or a telephone system or nuclear power plants or air traffic control, all of it. And as soon as you put it on the Internet, it’s more vulnerable and fair game [for attack]. If it’s stand-alone, it’s safer, but you still have insider issues. A system is never immune to misuse from insiders or outsiders, no matter how carefully it’s designed and implemented.

For this very simple reason, most of the public infrastructure is riddled with security flaws. You can’t trust much on the Internet, and if you extend that to the information systems that corporate America depends on, you’ve got a problem.

The vendors are saying that everything is wonderful. Microsoft says that if you use its 100 security patches, everything will be wonderful. The fact that there are that many means it’s crap, and they haven’t found or can’t talk about one thousand others.

TechRepublic: What are some best practices you recommend?
Neumann: Look, CIOs want anonymity and accountability, and they want the system to be immune from denial of service. But it’s trivial to bring the system down when it’s on the Internet. The so-called best practices have to do with how often you change passwords, but not how often you think about the passwords flying around the network, where they’re easy to sniff. Best practices have been so palliative, so there’s no real security anywhere. Right now most people consider best practices to be buying the same system everyone else has. You can stick your head in the sand all you want.

The best practices that should be invoked are so vastly beyond the state of commercial system software and security, it’s almost useless to talk about them. Take user authentication. You should never use passwords—you should use a cryptographic authentication system. And even that has drawbacks. I analyzed an international corporation that was using token authenticators [an additional, machine-generated security mechanism]. They thought it had improved their security, yet they had built a system with a gigantic vulnerability. I discovered I could piggyback on the encrypted authenticators and I could replay the password on another part of their network within 90 seconds [to gain access]. They had a gigantic window of vulnerability.

TechRepublic: What about biometric systems?
Neumann: You still get bad error rates from face recognition systems. With fingerprint systems, you can use a gummy fingerprint—one that’s been lifted off another surface—to spoof the system. You can fool 80 percent of the systems 100 percent of the time.

TechRepublic: Surely you can’t be suggesting we throw up our hands.
Neumann: No, look at the NIST Web site about the Common Criteria project. This represents 15 years of effort from the Department of Defense and others to establish criteria for security. These are the best practices, but very few meaningful systems have been evaluated against these criteria. If none of the vendors are following that, then there’s no way you can say, hey, I need a high-end, secure system. The vendors say it’s too costly, and nobody wants it because they’re happy with the crap that’s out there. But they wouldn’t say it in those words.

TechRepublic: The Enron scandal has focused a lot of attention on accounting irregularities. Are we going to have to have a similar catastrophe relating to security?
Neumann: That’s a good comparison. People are starting to turn over rocks because of Enron, and every one has problems under it. The computer security system is the same, except the problems haven’t reached a visible magnitude. No one’s had the electronic Pearl Harbor, the meltdown of their corporate system relating to security. I once testified in front of the Science Committee of the House of Representatives with the chief security guy from one of the major banks. He said there’s never been an unreported intrusion problem, but I know of quite a few of them. Banks are all extremely antsy about customers finding out what happens, but they’re legally required to report these things. If you think they’ve all been reported, you have a good imagination. It’s a patent untruth.

TechRepublic: What else can CIOs do?
Neumann: There are three key aspects: authentication, authorization, and accountability. You could ratchet up authentication. If you perceive an insider problem, you should ratchet up access and authorization controls, the same way that you protect your accounting systems from everyone in the company. Accountability is pretty miserable for most systems. You have no idea where a break-in came from because the IP address is spoofed. The overhead for audit trails is considerable, so some people turn it off. Those are the basics, which every CIO should already know. The problem is that best practices are oriented toward legacy technologies, as opposed to Internet technologies. Everyone’s trying desperately to get caught up.

TechRepublic: It sounds like CIOs have to be like lawyers and think of every contingency.
Neumann: You really have to be proactive. If you don’t, you get blindsided. The Department of Defense talks about strength and depth in military capacity. What we have is weakness and depth, because there are so many weak links. A lot of this falls apart by itself, in part due to bloatware.

TechRepublic: Are you optimistic about any facet of security?
Neumann: Yes. I’m optimistic about people who have the patience to think about what they’re doing. Most people are lazy and they rush into things. I’m not optimistic about computer security. Most of the efforts don’t address the problem. You can patch a bad system until you’re blue in the face.