From Security To Sanity - InformationWeek
IoT
IoT
Business & Finance
News
2/16/2007
01:15 PM
50%
50%
RELATED EVENTS
The Real Impact of a Data Security Breach
Aug 02, 2017
In this webcast, experts discuss the real losses associated with a breach, both in the data center ...Read More>>

From Security To Sanity

What breakthrough does AT&T senior VP and chief security officer Ed Amoroso want from vendors? Try a bit of sanity. He spoke last week with editor-at-large Larry Greenemeier.

InformationWeek: Patching software has become widely acceptable, but can IT vendors and the industries they serve continue this way?

Ed Amoroso, AT&T's senior VP and chief security officerAmoroso: "Patch," unfortunately, is a euphemism for "error," for "mistake." And when you think of it as, "Here's a patch, and all I need is this little piece of software and everything will be all right," I think that glosses over what it is that we're really talking about here. Until you've lived through a problem that's exploited through one of these errors, you just don't get it.

InformationWeek: What's at stake for users who don't commit themselves to patching software as quickly as possible?

Amoroso: If you don't patch within a day or so, there are umpteen exploits all over the Internet that can be grabbed and put in a worm or botnet, harness, and just aimed at [unpatched] computers. Once you're caught, you now have a bot running on your computer. AT&T Labs estimates that on any given day there is a minimum of 10 million bot-infected PCs actively targeting other systems for the purpose of infecting, sending [distributed denial-of-service] attacks, sending spam, etc. That strikes me as a cancer on the Internet.

InformationWeek: How do we break this cycle?

Amoroso: The only way we'll ever get to the point where the software that powers our infrastructure is fully secure ... is to treat software engineering as a legitimate discipline. We completely underestimated how difficult it is to write software correctly.

InformationWeek: Is there some innovative new security technology that can put IT departments on equal footing with those attacking their systems?

Amoroso: I encourage [vendors] to recognize that when a building is crumbling, you don't build scaffolding around that building to prop it up. You figure out why the building is crumbling. We don't need more innovation, we need more sanity to recognize that we've got vulnerabilities in our software, and systems that are so complicated that you have no clue how people get in. ...

InformationWeek: How do chief security officers best work with CIOs?

Amoroso: We're usually joined at the hip, with many common goals. If you have a good CIO, ... then that CIO is going to be extremely demanding and not put up with holes in infrastructure, not put up with obvious problems, gaps in services, and so on.

Amoroso: "Patch" is a euphemism for "mistake"

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll