Hacking expert Ron Nguyen, the director of Foundstone Professional Services out of Plano, Tex., described the security problem as a battle that is nearly impossible to win because enterprise customers, along with SMBs and consumers, do not put enough resources into ensuring secure computing environments.
For the enterprise, security is under-budgeted across the board and it is also under-staffed, said Nguyen, who is in Canada on a three-city speaking tour to customers and channel executives in Toronto, Ottawa and Montreal. This puts IT managers way behind the security learning curve. Time is another factor, and IT administrators continually play catch-up with the hacking community.
A lack of education makes SMB users and consumers easy targets for virus writers, hackers, phishing scammers and others, he said.
The ongoing consolidation of the hacking community has created an underground ecosystem in which threats and vulnerabilities are bought and sold. This consolidation enables the bad guys to work together and in most cases beat the release dates of the security patches.
“The bad guys are well funded, organized and we are losing the battle,” Nguyen said.
McAfee acquired Foundstone, which makes software for detecting and managing software vulnerabilities, in 2004 for US$86 million in cash. Last year, McAfee attempted to build on the Foundstone acquisition by buying Preventsys, a Carlsbad, Calif.-based company that markets its Security Risk Management System to large corporate customers.
Nguyen has not given up all hope, however. There is one strategy called White list/Black list that may give the good guys a leg up in the battle, he said.
The White list/Black list works with digital signatures and would, for example, leave 200 applications and files open to users on a desktop PC and block everything else.
“The White list/Black list is a paradigm shift. There is a list of good apps and files and everything else is black listed and this could prevent attacks,” Nguyen said.
He acknowledged that a company such as Microsoft continually updating its operating system and its applications would test this strategy. But for the uneducated user, who is still the top target amongst the hacking community, the White list/Black list could lower the risk for consumers.
For enterprises, the White list/Black list strategy may not make much of a dent because most of their IT environments are too sophisticated.
“This is not a silver bullet, but a piece of the puzzle,” Nguyen said.
The White list/Black list plan is still vaporware, but when developed it can be a good complement to security defenses, he said.
“Usually companies have a layered approach with perimeter security and intrusion detection. Think of this as some sort of anti-virus program that looks for only good things to run on your desktop,” Nguyen said.