Threats shift to databases

Protecting data stored on networks and PCs now presents the biggest concern rather than detecting unauthorized sniffing of packets, an expert says.

Cryptography has diminished somewhat in importance as threats to information security shift from eavesdropping to attempts to gain control of computers and networks, a cryptographic expert said this week at the Gartner IT Security Summit in Washington, D.C.

Bruce Schneier, chief technology officer at Counterpane Internet Security, said protecting data while it is stored on networks and PCs has emerged as a greater concern than unauthorized sniffing of data packets as they are transmitted over a network.

Data stored in databases is vulnerable, however, and fewer than 10 percent of databases are encrypted, said John Pescatore, vice president for Internet security research at Gartner. Pescatore moderated a discussion on information security threats with Schneier and Gartner analysts Jay Heiser and Christian Byrnes.

The problem of insecure software could be solved if enough time and money were spent on making it secure, Schneier said. But he said he is pessimistic that organizations are going to be able to step off the treadmill of security patching any time soon. "We are fighting an arms race, and the bad guys are moving faster," he said.

Schneier said the value of having the government regulate information security is that it helps senior-level officials make information security a priority among many competing demands. "That's why regulation works," he said.

The best regulations, Schneier said, specify a result and avoid prescribing a mechanism for achieving that result.

Schneier said one of the most effective ways the government could improve cybersecurity would be to use its considerable purchasing power to demand secure software in every software request for proposals. "We would all benefit," he said.
