With the help of our US Editorial Advisory Board, we are focusing on those eminent IT security professionals who are not only out and about around the globe bringing attention to the various issues that surround cyberspace, but also tirelessly working to thwart cybercriminals' attacks on organisations and private citizens.
These are the players who continue to influence others in the industry and help to evolve thinking around various IT security issues and threats.
Johannes Ullrich, chief research officer, SANS Internet Storm Centre. With his group of "handlers," Ullrich tracks threats to the internet by correlating and analysing logs from contributors worldwide. As a result, he consistently interacts with users, designers and other developers to help internet users stay clear of the newest attacks. His early warning system has led to the discovery of many well-known threats, such as Code Red, Ramen and other worms.
During 2005, one of the most complex challenges he faced was the DNS cache poisoning problem. "The main approach to solving challenges like this is an open and global collaboration," he says. "With the Centre, and our 'diaries,' we are able to disseminate information very rapidly. In return, we get a large number of experts to work on the questions we pose. To solve the DNS cache poisoning issue, we had experts in the US, South America, Europe and Asia involved."
He explains further that getting early warnings about the newest threats out to organisations does not depend on reaching agreement among experts or users first; posting early prompts readers to write in with their own observations. "So we do not wait until we have all the answers before we post something," he says.
For example, only a few readers initially wrote in voicing concerns about DNS cache poisoning, but when the warning was posted to the site, others corroborated the observation. "In the end, people sent us logs from servers used in the attack, and our handler in Korea was provided access to the DNS server at the core of the attack," he recalls.
Howard Schmidt, president and CEO of R&H Security Consulting. As former Cyber Security Advisor to the US White House and former vice-president and CISO of eBay, Schmidt travels widely to highlight IT security problems and their possible resolution. As well as his current post at R&H, through which he has been contracted as the chief security strategist with the US-CERT Partners Program, he has recently found himself debating with Bruce Schneier (below) about how far software developers' and vendors' accountability extends to the security holes that are missed in the software they write. While he says his comments were taken out of context, that hasn't stopped Schneier from using them as a launch pad to tout his own opinions on the subject.
Bruce Schneier, CTO of Counterpane Internet Security. The seemingly constant industry buzz surrounding Schneier is well-deserved. With a trail of bestselling books in his wake and two encryption algorithms, Blowfish and Twofish, to his credit, Schneier is well-placed to discuss IT security-related issues in his free monthly newsletter Crypto-Gram.
Most recently, he questioned reported comments made by Howard Schmidt about holding programmers personally accountable for insecure code. Schneier believes that the software manufacturers should be liable, even if the additional costs for making products more secure fall on consumers. He says that more secure solutions would be cost-effective in the long run, since users already pay more than they bargained for to fix holes in products they have deployed.
Mary Ann Davidson, CSO of Oracle. Talking of software vulnerabilities, Oracle has had its share this year, but Davidson is working with a team inside the firm to try to eliminate these, deliver fixes that are easier for customers to administer, and trumpet the need to reduce software coding flaws overall. Davidson has said that an audit standard would help to develop more secure software. To audit software properly and consistently, she believes standards bodies, such as the National Institute of Standards and Technology (NIST), must establish benchmarks to help guide the software industry to make safer software. Additionally, she encourages customers to seek from their vendors lock-down configurations of the products they have purchased, and is going so far as to urge them to demand secure configurations during the overall procurement process with their software vendors.
Frank Fanzilli, Jr., former MD and global CIO of Credit Suisse First Boston. One of our Editorial Advisory Board members says that "this guy really gets technology in corporate America."
Although retired, he seems busier than ever. As well as serving on the boards of the Open Source Development Labs, nLayers and a few others, he is now also heavily involved with various IT security companies through venture capitalist groups for which he serves as an advisor.
Additionally, he speaks at a slew of high-level industry events. Not only is he very influential, but he has a strong knowledge and understanding of the security requirements that arise from business undertakings – meaning he is far from just a security practitioner who pushes IT security practices for their own sake.
In the end, for him IT security is a requirement of doing business today – a concept he continues to promote beyond his former high-profile post at Credit Suisse First Boston.
Others who are making a difference
Paul Simmonds, head of global security for ICI, has been one of the most active founder members of the Jericho Forum, the user group that gave us the term 'deperimeterisation' and which is starting to set the security agenda across the world. Jericho has the backing of the world's biggest IT users, and their views are already having an influence on the way vendors are designing their products.
Richard Clarke, CEO of Good Harbor Consulting and former security advisor to four US presidents, has been an active figure in global anti-terrorism, intelligence and cybersecurity activities for more than three decades. Famously outspoken, he continues to fiercely criticise those who fail to comprehend the need for information security. Besides frequenting the conference circuit, he has published a fictional account of terrorism in the US, The Scorpion's Gate.
Professor Fred Piper, although now officially retired, is still having a huge impact on the direction taken by the infosec industry. A veteran of the encryption world, Piper pioneered the Master's Course in Information Security at Royal Holloway College, earning a global reputation for excellence. He is a driving force behind the establishment of the Institute for Information Security Professionals, expected in early 2006.