Network World

Andreas Antonopoulos

Security: Risk and Reward

By Andreas M. Antonopoulos

Antonopoulos is a senior vice president and founding partner at Nemertes Research, a leading independent technology research firm.

This column is also available as an e-mail newsletter called Security in Practice.

Georgia cyberwar overblown
08/19/08
Last week Russian tanks rolled into South Ossetia while Russian bombers were taking out critical communications infrastructure. But even before the first tank rolled across the disputed borders, another war was brewing in cyberspace.
What you don't know about security can hurt you
08/05/08
In reading an early release of an information-security survey conducted by the RSA Conference, two findings caught my attention.
No excuses -- encrypt all laptops
07/22/08
No more excuses: If you're not encrypting laptops, you are not applying due diligence.
Security tribulations breed guilt by association
07/08/08
The headline read “Google loses employee data.” It caught my attention as I thought of all the implications this has for all the other data Google stores. A headline like that hits a nerve, I take it personally, because like most of us I immediately think of my search history from the last 10 years.
Communal security?
06/24/08
I’ve visited quite a few countries in Asia over the last two years. In the various airports I passed through I often saw people wearing surgical masks. I also saw “fever checkpoints” in most major airports. These checkpoints have infrared cameras that show a thermal false color picture of passengers as they are funneled through immigration. The signs surrounding the checkpoints indicated that the purpose was to identify people with a fever so as to screen for various types of flu (avian or other). This is classic perimeter control, network access control even, applied in the real world.
A question of trust and identity
06/10/08
What is the right balance between security and privacy? This is a common starting point in many policy discussions, especially in government. It’s a trick question because it presets the conversation as a balancing act between two values as if they are antithetical – they are not. In practical terms, privacy is security.
Less is more (secure)
05/27/08
Complexity is the enemy of security. Simple systems are inherently more secure than complex solutions.
Which IT security skills are most important?
05/13/08
I often hear from IT executives that it is hard to recruit and retain 'good security people.' Many lament the shortage of skills in this area and cannot reconcile the skills offered with the positions that need to be filled. Is there really a shortage of good security people? Or just a mismatch in the skills and the jobs?
Security preparedness instead of threat prediction
04/29/08
In the last column I talked about the challenge of trying to predict attacks, and how that approach leads to "anti-X" security strategies that are rapidly made obsolete by each new wave of threats.
Attackers are thinking outside the box
04/16/08
Security expert Andreas Antonopoulos explores the challenge of figuring out what the next big security attack will look like.
Security in a bubble
03/18/08
Sometimes small, incremental changes add up in a way that isn't noticed until a change in degree becomes a change in kind.
Virtualized security: the next frontier
03/11/08
Companies are adopting virtualization technologies at a faster and faster rate. They are virtualizing servers, desktops, storage, networks. But one aspect of infrastructure has been lagging – very few companies address the growing demand for virtualized security.
Privacy and the coming backlash
02/27/08
Network World security columnist Andreas Antonopoulos discusses the growth of identity theft and the need in the United States for stronger privacy protection.
Network threats develop 'antibiotic' resistance
02/12/08
The scientific field of biology has provided many useful metaphors, such as "virus" and "infection," for the study of malware. Many researchers have used biology and evolution science to create innovative defenses against malware, in many ways simulating the functions of biological immunity systems. I find that biological sciences and especially evolution provide some great insights into the behavior of malware, malware creators and malware defenses over longer periods of time. I also see a lot of parallels between the evolution of malware and the evolution of darknets (stealthy P2P networks).
When it comes to security, chaos may be your friend
01/29/08
Viruses and other malware are getting better at evading antimalware systems despite the sophisticated behavioral-analysis systems that are used to detect them. This week a rogue trader in France was able to hide a growing loss until it reached $7 billion and was impossible to hide. What do these two events have in common? Both exploit the predictability of defenses to evade detection.
Floating data offers unique security challenges
01/15/08
You've probably already read the news of a company planning to use container ships as floating data centers. The plan is similar to the modular shipping container data centers. Only instead of parking them in your back lot, you moor them to a nearby pier. The company, International Data Security, is planning to deploy the first such data-ship next to Pier 50 in San Francisco.
Security: What will be hot in 2008?
12/19/07
There are two ways to predict the future with 100% accuracy. You either have the power to shape the future to your predictions (the God method) or you make your predictions vague enough so that they fit most conceivable outcomes (the Nostradamus method). For those of us without omnipotence and with a desire to write something meaningful, that leaves the alternative: extrapolate from in-depth research, solid statistics and current trends and hope for minimum volatility (disruptive innovation or externalities) in the outcome.
Convenient credit = security threat
12/05/07
There were more than 20 major data compromises in the last three months that went almost completely unreported. Eventually we all become resigned to the fact of identity theft/loss. But I’m not giving up so easily.
Re-assessing risk (The crown jewels are almost worthless)
11/19/07
A popular expression in security circles is to equate critical company intellectual property with the crown jewels. The crown jewels are protected by many layers of security, but the truth is that they make very poor targets for theft because they are far too distinctive to fence. To sell such items, a thief would have to take great risks and heavy discounts. Yet, in most information security risk-assessment methodologies we measure the loss impact for the company and ignore the gain potential for the thief.
Encryption is the name of the game
11/06/07
Up to now we’ve used encryption to protect against criminal elements, but what about using it to protect our data from service providers?
Divided we fall
10/23/07
I’ve always believed in the importance of maintaining a well-designed emergency response capability. For many years I helped organize security operations centers (SOC), computer emergency response teams (CERT) and incident response teams (IRT). No company is ever 100% secure. Breaches happen and will continue to happen. “Secure” companies are the ones that are able to efficiently and effectively mitigate the damage from a security incident. Looking back, I would probably do things a bit differently now. A key difference would be the balance between company privacy and involvement of law enforcement.
Combining work and play threatens business security
10/10/07
Nine-to-five is quickly becoming a quaint memory in many workplaces. Flex time, teleworkers, road warriors and home offices are increasingly blurring the distinction between "my time" and "work time." That means more work is done during off-hours but also that more "play" is done during work.
Service-oriented security
09/25/07
Attackers are making a lot of money stealing identities and they are developing ever more sophisticated attack networks. If we are to defend against this escalating threat we have to stop trying to match each move and work toward a broader strategy. That means working to build a security infrastructure that brings to bear all our defenses in a coordinated way. Breaking the silos in security is not easy, but we are already doing something very similar with our enterprise apps. Enterprises are using service-oriented architectures (SOA) to break monolithic applications into components, creating composite applications and integrating business processes. A few weeks ago I wrote about how companies are building security into SOA. An even more interesting topic is how we can build SOA into security.
The black market for identity theft
09/11/07
A while back I looked at the maturing market dynamics of cybercrime black markets and found that as professionals have come to dominate the hacking scene, a whole series of black markets have emerged.
Security-oriented architectures?
08/28/07
SOA is one of those buzzword acronyms that mean so many things to so many people it’s hard to pin down what it is. Nevertheless, many large enterprises are integrating applications and building applications using XML, Web services and rudimentary service-oriented architectures. But what about security?
