Web services set to provoke new threats: Preview of Compsec 2003, 30 Oct-1 Nov, Queen Elizabeth II Conference Centre, Westminster, London, UK

0167-4048/03 ©2003 Elsevier Ltd. All rights reserved. 515

Brian McKenna

Editor, Computers & Security

Preview of Compsec 2003, 30 Oct-1 Nov, Queen Elizabeth II Conference Centre, Westminster, London, UK

This year’s Compsec aims to map out the near future of IT security, offering a practical guide to action on current and upcoming threats. It addresses some of the frameworks of information security — privacy and regulation — and looks at the latest in technologies from intrusion detection through authentication to wireless. Conference programme director Brian McKenna previews the event.

In a sticky summer season of internet worms eating corporate networks, Bill Cheswick, chief scientist at network testing company Lumeta and co-author of security bible Firewalls and Internet Security: Repelling the Wily Hacker, has been sanguine.

“The Internet is a giant research project — thank you all for participating — and it has a certain resilience built into it in the shape of network security experts. When something really bad happens – not just another boring virus – but something really new and interesting, the experts come forward and get it fixed.

“For example, when the Morris worm came out in 1988 groups came together, dissected it, and sorted it out in three days.”

Cheswick is speaking in the ‘Future threats, new methods of attack, and defence strategies’ session at Compsec 2003 along with: Richard Ford, from the Florida Institute of Technology; Jay Heiser, chief analyst at TruSecure; Martin Sadler, Lab Director, HP Laboratories; and Rene Pluis, principal consultant, Ernst & Young.

Today’s internet is a more complex beast than 1988’s. We now have a nightmarishly complex system of interconnected company networks and systems, rogue wireless access points broadcasting business secrets, and users who leave unencrypted handhelds in taxis and clubs. And that’s when they’re not shooting up viruses into the company network from cyber cafés via VPNs.

Moreover, the time between the disclosure of a vulnerability in code and its exploitation has dramatically compressed over the last two years. Code Red, in July 2001, exploited a vulnerability known for six months, while MS Blaster was wreaking damage this August just three weeks after disclosure.

To make matters still worse, as corporates move to a world of web services — where programmes and data are made available from a business’s web server — enterprise software, such as SAP or PeopleSoft, will become more of a target.

New vulnerabilities at business process level

Martin Sadler, director of security research at HP Laboratories in Bristol, fails to share Cheswick’s equanimity. “A lot of the new vulnerabilities will open up at the business process level, and most of the internet community is not even aware of what is going on in that space.”

Sadler says this is because most “traditional network security gurus who come up through computer science are focussed on the lower ends of the stack”.

And that is where most network security professionals learn their craft. Sadler says: “When new vulnerabilities appear at the top there isn’t an internet community that can get those things fixed. Ask those people what PeopleSoft does or what SAP systems do and you will probably draw a blank.

Web services set to provoke new threats



“People worry about Microsoft code, but what about these enormous applications that sit on top – these are company powerhouses. And yet, how many people really understand the security behind these systems?”

Sadler concurs that the “next generation of attacks will be co-ordinated and focused — stacking up the vulnerabilities and using social engineering. It’s not joined up at the moment — we’ve got sniping.”

Jay Heiser, chief analyst at managed security services and consulting company TruSecure, doesn’t see a joined-up threat emerging from so-called ‘cyber-terrorism’, but does say that the “automation of malicious code is a benefit” to hacktivists in political lobby groups.

Looking at the threat landscape as it is likely to shift over the next six months, Heiser predicts “an increase in parasitic attacks, where hostile code is used to steal some resource from primary and secondary victims. The secondary victim gets infected and the code steals their identity, their network access and bandwidth, or processing speed. Spammers are actively doing parasitic attacks, and have been doing so for the last six months”.

Like Sadler, Heiser stresses the importance of focusing ‘up the stack’ as we move to a world of web services. He stresses, too, the problem (and opportunity) entailed by the fact that “no one has an overall view; there is a different person responsible at each level of the stack”.

Privacy in question

The keynote speakers at Compsec 2003 will also be directing their gaze to the near future. Dame Pauline Neville-Jones will be talking about ‘what is coming down the pike’, whilst Ian Angell, professor of information systems at the London School of Economics, will be addressing the ‘rise and rise of the chief security officer’.

Angell will argue that “terrorism, narcotics trafficking, and the shenanigans at Enron and Andersen have given governments the moral legitimacy to invade corporate privacy with impunity.... Forget about hackers – a company's real security problem is the consequences of intrusion by government!”

Compsec 2003 will, in keeping with this, address the flip side of the security coin, privacy, in several sessions. Iain Andrews, head of information security, Fujitsu Services, will speak on the challenge of ensuring privacy. Sarah Gordon, senior research fellow, Symantec Security Response, will present a survey of privacy attitudes among US, UK, and EU infosec professionals. And Richard Hunter, vice-president and research director, Gartner, will peer into the ‘world without secrets’.

Brian McKenna
