Infosecurity Europe 2006: 25th-27th April 2006, Olympia, London.

Are Security Products 'Lemons'?
Luther Martin, Voltage Security

George Akerlof shared the 2001 Bank of Sweden Prize in Economic Sciences in Memory of Alfred Nobel for his analyses of markets with asymmetric information. Akerlof's 1970 paper, 'The Market for 'Lemons'', describes how markets in which the seller has more information than the buyer tend to fail. His reasoning, when applied to second-hand cars, gives us the following situation. Suppose that all second-hand cars are worth £10,000 if they are in good repair, but half of them ('lemons') actually need £2,000 worth of repairs, yet buyers cannot tell the difference between the good cars and the lemons. In this case, we should expect buyers to pay £9,000 for a second-hand car, since they expect to have to spend an average of £1,000 on repairs.
So the imperfect knowledge of the buyers has set the market price of second-hand cars at £9,000. But at this price, those who have cars that are actually in good repair will not be inclined to sell them. After all, their car is worth £10,000, but they can only get £9,000 for it. This means that all of the cars offered for sale at £9,000 will be the lemons, and the difference in information between the buyers and sellers has resulted in a situation that benefits only those who are selling lemons. The declining quality of the cars offered for sale will eventually lower buyers' expectations, and as the market becomes dominated by lemons it may even fail altogether.

IT security is similar to the second-hand car market in that there is often a considerable difference in knowledge between buyers and sellers. Corporate IT security staff are typically extremely busy supporting their users and often do not have time to learn the details of exactly how many security technologies work, while the firms that produce security technologies need to understand those technologies in considerable depth to make products that function and interoperate with others. This makes it extremely easy for knowledgeable IT security vendors to make claims that their customers do not have the expertise to challenge. If an imbalance in information exists between the buyers and sellers in a situation like this, microeconomic theory predicts a market failure, and the way to prevent this failure is to correct the imbalance of information.
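The unravelling Akerlof describes can be run as a short simulation. This is an added example, not part of the original article: buyers pay the average value of the cars currently on offer, owners whose car is worth more than that price withdraw, and the loop repeats until the set of offered cars stops changing. `article_case` uses the article's own numbers (a 50/50 split of £10,000 cars and lemons worth £8,000 after repairs); `uniform_case` goes beyond the article with a spread of eleven qualities, to show the market collapsing all the way to the worst car.

```python
"""Akerlof's 'lemons' unravelling, simulated.

Added example, not from the original article. Sellers know each car's
true value; buyers only know the distribution, so they pay the average
value of whatever is currently offered. Owners whose car is worth more
than that price withdraw, the average falls, and the loop repeats.
"""
from statistics import mean


def clearing_prices(values, rounds=100):
    """Return the sequence of market prices until the market stabilises.

    values: true values (in pounds) of all cars initially offered.
    Each round: price = mean value of the cars still on offer; owners of
    cars worth more than that price withdraw. Stops when the offered set
    is unchanged (stable market) or empty (market has failed).
    """
    offered = list(values)
    prices = []
    for _ in range(rounds):
        if not offered:
            break
        price = mean(offered)
        prices.append(price)
        still_offered = [v for v in offered if v <= price]
        if still_offered == offered:
            break
        offered = still_offered
    return prices


def article_case():
    """The article's numbers: half good cars (10,000), half lemons (10,000 - 2,000 repairs)."""
    cars = [10_000] * 50 + [8_000] * 50
    return clearing_prices(cars)


def uniform_case():
    """Generalisation: a spread of qualities unravels all the way down to the worst car."""
    cars = list(range(0, 10_001, 1_000))  # constructed: eleven cars from 0 to 10,000
    return clearing_prices(cars)


if __name__ == "__main__":
    print("article case:", article_case())   # [9000, 8000]
    print("uniform case:", uniform_case())   # [5000, 2500, 1000, 500, 0]
```

The article's case settles in two rounds: £9,000, then only lemons remain and the price drops to £8,000. With a spread of qualities the price roughly halves each round and the market empties of everything but the worst car, which is the collapse the article warns about.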
To avoid a market failure for IT security products, we need to reduce the imbalance of information between vendors and their customers, much as the market for second-hand cars has developed ways to deal with its own challenges. One way to address this problem is for security professionals to take the time to gain substantial knowledge of security technologies and the products that implement them. Unfortunately, corporate IT security staff are not always able to invest the time and effort required to thoroughly learn a new technology before they need to implement and support it. An alternative to developing in-house expertise is for the buyers of security technology to hire an expert consultant to help them through the acquisition process. A good consultant can help them ask the right questions of a technology vendor, filter the responses for marketing hyperbole and intentional omissions, and prepare the buyer of the technology for the potential challenges that they will face when implementing it. It is even possible that having a consultant on their side can tip the balance of information in favor of the buyer and away from the seller. In the market for consulting services, however, we have the same problem that we have in the market for other goods and services: how do we know that a consultant is not the consulting equivalent of a lemon?
In many cases we are trying to find someone with expertise that is much greater than our own, so it can be particularly hard to accurately judge their qualifications. This is why finding consultants is often handled through trust relationships. IT security managers needing specialized consulting services can use their personal networks to get recommendations for qualified consultants, or they can rely on the judgement of someone else whom they trust. This is the model that accountancies successfully leveraged for many years before regulatory concerns separated the auditing and consulting sides of their business.

Another alternative is for corporate IT staff to develop the expertise themselves. This has the additional benefit of keeping the expertise in-house after the initial purchase and deployment of the technology is complete, which tends to give the IT staff a better ability to provide ongoing support for the technology. On the other hand, learning new security technologies is expensive and time-consuming. Even if we do not include the cost of formal classroom training, the time and effort needed to understand a new technology can be significant. Because of this, learning a new technology to the depth required to adequately evaluate vendor claims can be prohibitively expensive. And since not all new security technologies will be suitable for use at all businesses, unless the effort spent learning new technologies is carefully and narrowly focused, it is easy to spend time and money on learning technologies that provide little or no useful benefit to the mission of an IT security organization.
So the lessons from Akerlof's Nobel Prize-winning research provide insight into the importance of highly qualified IT security professionals. They also provide insight into the possible implications if technology vendors are able to take advantage of a disparity in information relative to their customers. The results can be far-reaching and damaging to both the IT security industry and the economy as a whole, and security professionals should understand their role in addressing the challenges that this situation can cause.

Corporate email ... the next generation
Neil Burgess

There has been a subtle yet distinct shift in IT managers' focus regarding email in recent months. Despite the growing volumes of spam, viruses and email generally, many leading IT managers now have these problems firmly under control and are considering what will be the next leap forward regarding the effectiveness of email within their organisation. The next generation functionality that is either already available, or is shortly to become available to the corporate IT department, will focus on managing the flow of vital information to key areas of the business, rather than simply filtering unwanted incoming email.
The Past

Although appliances, software and managed service solutions have all evolved their products, Managed Service Providers (MSPs) have become increasingly relevant for corporate IT managers given the model's excellent track record. Moreover, MSPs are able to take advantage of economies of scale, offering multiple AV and, in Email Systems' case, multiple spam protection layers that otherwise could not be afforded within the context of an in-house solution. Two recent examples illustrate this point. Firstly, the Sober.Z outbreak resulted in a 100% increase of filtered traffic, whilst over 10 different variants of the Bagle virus were reported within a 12 hour period--yet in both cases, the MSPs were able to continue to filter their clients' mail without 'leakage'.

The Present

One could certainly argue that these aren't actually past problems--spam levels continue to rise and virus traffic remains wholly unpredictable. Additionally, the more recent threat of Distributed Denial of Service (DDoS) attacks has become increasingly commonplace. Despite this, the reality is that compliance, availability of email, storage, data theft and mobile access are really the current subjects which IT managers now feel the need to address. So which services are currently emerging to provide leading edge solutions to these issues? Email Systems solutions include:

Enhanced Systems Monitoring -- Pro-active reporting via SMS and other presence protocols, such as SIP/RSS based feeds, enables IT managers to view and therefore react to information.
Secure content management -- IT managers are able to manage rule sets, search attachments and find rule violations inside embedded data.
System integration -- increased integration with the corporate knowledge base enables greatly enhanced policies to be maintained by the MSP.
End user empowerment -- Enabling enhanced control regarding management of messages that have been blocked, and proactive rules to alert or reroute mail based on presence or email content, for example.

The future?

Some MSPs will shortly launch filtering solutions for non-email based technologies that have traditionally been deployed within the organisational boundary, i.e. messaging, web filtering and VoIP.

Mitigating the Enemy Within
Arii Tammam, Promisec Ltd

Why should you have an enemy within your network? When companies recruit employees or allow contractors to use their networks, the screening process is normally quite rigorous and checks the integrity, honesty and reliability of individuals. So why should enemies exist inside an organisation? There is no specific answer, and the reasons why insiders attack and damage their own networks are numerous; in most cases it is for personal gain or revenge.
The form of the enemy can take many shapes, ranging from ignorance to malicious intent. The National Hi-Tech Crime Report 2005 cites that 96% of the illegal and illegitimate use of computer resources occurs within the corporate network. Users that are unaware of security issues can cause irreversible damage without even being aware of what they have done. Using unapproved media has been a source of numerous installations of malicious surveillance and remote control applications, for example:
-- Spyware
-- Keyloggers
-- Bots
-- Trojan horses
One of the most recent cases involved an Israeli couple who have been extradited from Britain to face charges of developing and selling a Trojan horse to private investigators working for large corporations to spy on their competitors. The Trojan horse in this case was sent, attached to an email or on a CD, to low level employees, whose curiosity caused them to open the item and thus launch malicious code. The Trojan then embedded itself within the network, silently transmitting data to a remote server where the perpetrators could retrieve the information. It took over a year to be discovered.

The types of threats that originate within the corporate network are numerous and happen for a number of reasons. However, the common denominator for all of these threats to be carried out is the need for a device connected to the network to actually cause damage.

How to deal with the threats

The logical answer should therefore be to secure all of the devices mentioned above and to limit their use. A system is therefore needed that is easy to manage, transparent to users and does not overload your network resources. Clientless Endpoint Security Management, or CESM for short, provides most of the answer. CESM does not require the use of any clients on workstations or servers to provide effective security, nor does it require physical presence in front of any device.
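What the "deviation from the set usage policy" check in a clientless tool amounts to can be shown with a small policy evaluator run over a collected endpoint inventory. This is an added example, not Promisec's or any CESM product's code: the inventory layout, the policy fields, the service and process names, the registry paths and the two sample workstations are all constructed for illustration. It covers the controls this article goes on to describe: required security services present and running, forbidden processes, registry values kept in the 'enabled' state, and USB mass storage devices.

```python
"""Endpoint usage-policy check of the kind a clientless endpoint
management tool performs after collecting an inventory from each host.

Added example, not a vendor's code. Policy values, service and process
names, registry paths and the sample inventory are all constructed.
"""

# Assumed policy: what every workstation in the organisation must look like.
POLICY = {
    # service name -> state it must be in
    "required_services": {"AntiVirusSvc": "running", "PersonalFirewall": "running"},
    # processes that must never be running
    "forbidden_processes": {"keylogger.exe", "irc_bot.exe"},
    # registry values hardening must keep in the 'enabled' state (hypothetical paths)
    "registry_expected": {
        r"HKLM\SOFTWARE\ExampleAV\RealTimeProtection": 1,
        r"HKLM\SOFTWARE\ExampleFW\Enabled": 1,
    },
    # device classes that may not be attached to a workstation
    "blocked_device_classes": {"usb_mass_storage"},
}


def evaluate_endpoint(host, policy=POLICY):
    """Return a list of (severity, finding, remediation) tuples for one host."""
    findings = []
    services = host.get("services", {})
    for name, expected in policy["required_services"].items():
        state = services.get(name, "missing")      # absent service counts as missing
        if state != expected:
            findings.append(("high", f"service {name} is {state}, expected {expected}",
                             f"start or reinstall {name}"))
    running = set(host.get("processes", []))
    for proc in sorted(running & policy["forbidden_processes"]):
        findings.append(("critical", f"forbidden process {proc} is running", f"kill {proc}"))
    registry = host.get("registry", {})
    for key, expected in policy["registry_expected"].items():
        actual = registry.get(key)                 # None if the value is not set at all
        if actual != expected:
            findings.append(("high", f"{key} = {actual!r}, expected {expected!r}",
                             f"set {key} to {expected!r}"))
    for dev in host.get("devices", []):
        if dev["class"] in policy["blocked_device_classes"]:
            findings.append(("medium", f"blocked device attached: {dev['class']} {dev['id']}",
                             f"disable device {dev['id']}"))
    return findings


def audit(inventory, policy=POLICY):
    """Evaluate every host; return {hostname: findings} for non-compliant hosts only."""
    report = {}
    for host in inventory:
        findings = evaluate_endpoint(host, policy)
        if findings:
            report[host["hostname"]] = findings
    return report


# Constructed sample inventory, shaped as a clientless scan might collect it.
SAMPLE_INVENTORY = [
    {
        "hostname": "WS-001",  # fully compliant workstation
        "services": {"AntiVirusSvc": "running", "PersonalFirewall": "running"},
        "processes": ["explorer.exe", "outlook.exe"],
        "registry": {r"HKLM\SOFTWARE\ExampleAV\RealTimeProtection": 1,
                     r"HKLM\SOFTWARE\ExampleFW\Enabled": 1},
        "devices": [{"class": "hid", "id": "keyboard-0"}],
    },
    {
        "hostname": "WS-002",  # AV stopped, firewall gone, keylogger, hardening undone, USB stick
        "services": {"AntiVirusSvc": "stopped"},
        "processes": ["explorer.exe", "keylogger.exe"],
        "registry": {r"HKLM\SOFTWARE\ExampleAV\RealTimeProtection": 0},
        "devices": [{"class": "usb_mass_storage", "id": "usb-3"}],
    },
]

if __name__ == "__main__":
    for hostname, findings in audit(SAMPLE_INVENTORY).items():
        print(hostname)
        for severity, finding, remediation in findings:
            print(f"  [{severity}] {finding} -> {remediation}")
```

Each finding carries the remediation a tool of this kind would apply remotely (restart the service, kill the process, reset the registry value, disable the device), so the same evaluator can drive both the round-the-clock monitoring and the remote remediation the article calls for. A compliant host produces no entry in the report at all, which keeps the output focused on what needs attention.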
CESM provides a set of tools that allows inspection of all endpoints within an organisation and identifies all of the installed applications, processes, services and devices per workstation. This includes a level of device protection such as prevention of USB mass storage devices or any device that has a memory capacity behind it. Control over other on-board or attachable devices that can be used to transfer information both into and out of the workstation is also necessary. The solution should provide remote remediation capabilities which reduce the time administrators spend physically repairing infected machines. Finally, it should provide round the clock monitoring for any deviation from the set usage policy. Additional features of CESM prevent tampering with a workstation's security profile by hardening applications installed on a workstation. For example, anti-virus clients, personal firewalls or any other application can be hardened by defining registry values and maintaining them in the 'enabled' state, ensuring their continuous availability. In summary, a solution like this should be able to control which applications are allowed to be used, whether devices are allowed to be used on a specific workstation or not, have the ability to remove applications or kill processes that may be harmful or damaging to an organisation, and verify that security applications are indeed present and enabled on each and every workstation in the organisation.

RELATED ARTICLE: Eye of the Storm 4.5 ... Network Management Suite

Entuity, Inc., have released Eye of the Storm (EYE) version 4.5, its network management suite providing automated, continual discovery of network devices and topology with integrated fault and performance management. The new version is able to discover and control firewalls, servers, hosts, and VPN gateways, delivering increased reach, depth, and control which will benefit both enterprises and system integrators through increased network efficiency and, ultimately, ROI. EYE 4.5 now includes the capability to discover and place under management firewall devices, VPN gateway devices, as well as heterogeneous servers and hosts. By capturing explicit system and device details in the integrated EYE CMDB, version 4.5 offers a trusted source of extended IT network asset information to other applications participating in an end-to-end management solution. The release also includes enhancements for customizable application access control to ensure security and compliance with company standards.
EYE's management reach extends further across the network in version 4.5 with a new module supporting firewalls, starting with support for Nokia Firewall devices. Following automated discovery, complete inventory and performance details are populated into the EYE CMDB. Dynamic utilization of resources including memory, disk and CPU is monitored and recorded to provide actionable information for capacity planning, hardware/software upgrade or replacement, software/firmware patching, and overall better maintenance.

Application Access and Compliance

Security for application access and compliance is a topical concern to many organizations, particularly with applications that run in distributed environments. EYE 4.5 gives network operations greater control over the functionality available or visible to various EYE users. User access control within this version has been enhanced to provide multiple group and privilege levels for distinct application functionality. For a distributed environment with a local manager, administrative authority can be selectively delegated to provide adequate access without compromising overall security.

www.entuity.com