CyberSecurity Institute

A plan is under way in the ever-evolving National Cyber Security Division of the DHS to extend the tenure of Andy Purdy, the group’s interim chief, and augment the position with a part-time outside consultant with direct ties to the private sector. The move, observers say, would enable the division to tackle head-on such prevalent issues as security vulnerability.

The effort is the result of a power vacuum created when Amit Yoran resigned last month as NCSD director. Subsequently, Purdy, one of Yoran’s deputies, was appointed interim director of the NCSD. It now appears that top DHS officials are content to leave him in that position for now and, contrary to early reports, are in no hurry to find a permanent replacement for Yoran.

Purdy, a longtime veteran of federal government service, is known for his ability to work inside the Beltway and get things done—a skill vital to moving the National Strategy to Secure Cyberspace forward, insiders say.

“That is a solid move,” said Alan Paller, director of research at The SANS Institute, based in Bethesda, Md. “They wouldn’t have done that if they were going to bring in someone else right away.”

But Purdy will not be going it alone. Howard Schmidt, former chairman of the now-defunct President’s Critical Infrastructure Protection Board and now chief security officer at eBay Inc., is working with US-CERT as a consultant to the DHS and will be advising Purdy and others.

Schmidt, who also served as Microsoft Corp.’s chief security officer and is a former federal agent, is among the more respected members of the security community, both inside Washington and in the private sector. His involvement with the DHS will be indirect and on a part-time basis, but his presence gives the department a trusted conduit into the private sector, a necessity to implement its strategy.

One area where cooperation with the private sector is key is in the effort to reduce vulnerabilities.

http://www.eweek.com/article2/0,1759,1677370,00.asp?kc=EWRSS03119TX1K0000594

“Enterprises are more exposed than a year ago.The hackers have won!” said Eli Barkat, managing director of venture capital firm BRM Capital, who has been involved in investing in security firms. Barkat cited a lack of innovation in the security industry as why the situation has not improved.

Mike Dalton, president of McAfee in Europe, the Middle East, and Africa, agreed that the security situation is dire, but said that innovation was not necessarily the roadblock. A major problem is a lack of integration in security products, he said.

And while all the experts predicted further consolidations among security companies, that will not necessarily lead to more comprehensive, integrated products, they said. “Today the security business is very diverse and very complex,” said Phillip Dunkelberger, president and CEO of encryption company PGP. “You have four or five different point solutions and they don’t all work together.”

Yanki Margalit, president and CEO of digital rights management provider Aladdin Knowledge Systems, agreed that enterprises are more exposed than ever, but did not put the blame squarely on security companies’ shoulders. There are so many threats,” Margalit said. Part of the remedy would be widely available tools that help developers check the security of the applications they are building, commented Barkat, adding that he hopes Microsoft takes a leading role.

On the subject of the software giant, the experts were divided on the work the company is presently doing on the security front. “Microsoft is clearly not doing a good job at security. Most people in this room who work in security have their jobs because of Microsoft,” Dalton said. They did a horrible, terrible job (in the past) but now they are serious. I believe that they will be a very strong security player and force the rest of the industry to be niche players,” Margalit said.

While the speakers gave no clear direction on the path the industry needs to take to truly alleviate companies’ security woes, they did have some words of advice.

Invest in integrated security products and avoid security appliances whose architecture changes after a few years, Barkat said.

Forget about white lists, which normally refers to a list of e-mail address from which you agree to get mail, thinking they are safe.

You will fail if you try to define everything you can do, Margalit said.

“We need to get out of the defense mode and allow companies to go on the offensive,” Dunkelberger said.

Despite the various opinions, on one point at least everyone seemed to agree. “The existing security situation sucks,” Barkat said, to resounding nods from attendees.

http://www.nwfusion.com/news/2004/1012etreent.html