Several computer and Internet security experts warned this week that while threats are on the rise and the lag time between vulnerability and attack is shrinking, government and the private sector have failed to team effectively on Internet security, leaving infrastructure and systems susceptible.
Internet Security Systems reported in its quarterly risk summary that the number of serious security incidents increased 13.7 percent from the first quarter. Blaming known vulnerabilities that have not been addressed and the difficulty of patching software and system holes, ISS said companies are not keeping up.
At the same time, Internet security experts — including former national adviser Richard Clarke — have condemned a lack of action by the U.S. government, claiming the bureaucratic shuffle of the Homeland Security Department has left infrastructure more vulnerable to attack.
“We have a clear and present danger right now that needs to be addressed,” Vanguard Integrity Professionals CEO/CTO Ronn Bailey told TechNewsWorld. “Waiting is not going to take that away.”
Infrastructure at Risk
Bailey, who announced the formation of a team of technology partners to do what he claims the federal government is failing to do, said the public sector’s commitment to Internet security has evaporated since the President’s Critical Infrastructure Protection Board was folded into the nation’s Department of Homeland Security.
Bailey said that with almost all of the board’s staff now gone and several key positions unfilled, the federal government has failed to implement its own strategy to secure the Net.
He did note that work by security associations and standards organizations is bolstering infrastructure protection, but added that such efforts take years. He said the growing alliance of technology leaders being formed to secure the Internet is currently made up of 11 companies and 12 organizations.
Moving to the Mainframe
Bailey said securing Net infrastructure historically has centered on locking down the Internet and various computer systems, leaving out an important element of the equation: mainframe computers.
“We need to have a focus on the security of mainframe systems,” he said. “They are the core of this critical infrastructure; that’s where the critical information is.”
Claiming that security on mainframes is weaker today than it was five years ago, Bailey condemned the removal of mainframe security references in a report he wrote for the federal government.
While he called viruses and DoS-type attacks a “nuisance,” Bailey said more serious computer security breaches often go unreported by companies, perpetuating complacency over nonphysical threats.
Despite the emphasis on security since the attacks of 9/11, Bailey warned that the current lack of attention to network security could be costly.
“An attack against the financial infrastructure of this country could cause an economic crisis across the world,” he said.
ISS reported that even as security officials are calling for greater emphasis on network protection, the gap between software and systems vulnerabilities and methods of attack is narrowing.
“We are seeing a more efficient distribution mechanism than before,” ISS X-Force intelligence manager Paul Piccard told TechNewsWorld. “The tools are getting distributed quicker and into the hands of attackers quicker than before.”
ISS blamed the majority of attacks on known vulnerabilities that go unaddressed and the difficulty of keeping up with patching. The security company also said it expects an increased risk from attackers targeting “emerging Internet communities,” such as broadband access from home offices, wireless technology users and file-sharing applications.