TORONTO — IT middlemen have to demand more from their users and the vendors that supply their products in order to get a handle on security issues, according to the Bank of Montreal‘s chief information security officer.
The problem, he said, is one of communication as much as it is of troubleshooting security flaws and managing patches.
“It’s really a change of lifestyle,” he said. “It’s a literacy issue. Do you need to have a driver’s licence to own a PC? Are we going to get to that in the next generation?”
Garigue said that BMO doesn’t use the term PC (as in personal computers), preferring “corporate computers” to stress that the machines employees use are the property of the bank and are to be used sensibly.
It’s a matter of communicating that to users and inculcating the importance of security protocols, he said. He described the relationship between corporation and user as a “social contract” — one where the expectation is responsible use of technology at all levels. “From the consumer to the mainframe, there has to be an alignment of trust mechanisms,” he said.
He likened it to the PIN number associated with a bank card. It’s understood that the number is important and that it’s the user’s job to protect it.
The difficulty remains, however, in effectively getting this message out, because you can’t have the techies, “the geeks in the basement,” talking to users, because they aren’t effective communicators, Garigue said.
But accountability also flows up to the vendors that supply the products in the first place.
According to Jack Sebbag, general manager of McAfee Canada, there were 29 high- to medium-risk viruses recognized in 2002-2003. In the first seven months of this year, there were 39.
“The forecast for the second half of this year is that this will continue,” said Sebbag.
John Weigelt, Microsoft Canada’s chief security advisor, likened the problem to “an escalating arms race. The trick is to try to change the rules of the game.”
One way to do that is to recognize patterns in various viruses, worms and trojans and develop fixes for them before they are allowed to proliferate.
McAfee has a division called the Anti-virus Emergency Response Team (AVERT) which has been in existence for years, while Microsoft’s initiative, Trustworthy Computing, was born in 2002. Bill Gates famously sent out a memo to his employees on Jan. 15, 2002, calling for security to be built into products from the ground up.
Microsoft has attempted to respond to security threats, but hasn’t always been successful in delivering those responses to users. The problem, said Carol Terentiak, security strategy and response manager for Microsoft Canada, is often one of communication. “With (the Blaster virus), we had the patch in place, but nobody knew about it.”
She added that Microsoft has become more cognizant that it’s not enough to develop a patch to fix a security flaw; you also have to successfully communicate to users that it’s available.
“I think the vendors are starting to recognize that they have to share a lot more information,” Garigue said.
He said that standards bodies like OASIS and the W3C are driving vendors towards developing compatible solutions that can address security across platforms and may be more effective in a regulatory capacity than government.
However, the security landscape is constantly shifting. Microsoft’s next operating system, code-named Longhorn, will work on somewhat different principles from those that have preceded it. Extensible Markup Language (XML) will be built directly into the source code, and an object filing system, once called Cairo, will dictate the way information is stored on the hard drive. As well, user interface code and application code will be severed, separating the tasks of graphics-based development from application development.
“I have no clue what security will look like when we get to that,” said Garigue.