After reading the article "Solutions for the Mailstream" by Mr. Kellett and Mr. Edwards [Feb. 2006], I continue to be amazed, but not surprised, by the attitudes of analysts and security vendors alike toward the business community with regards to security. The predominant attitude appears to be one of arrogance. The assumption is that the tools and methodologies are present and they work. If an organization is breached in some manner, it was because they failed to implement the methodologies properly. It's essentially their fault.
The reality, however, is that a complex patchwork of non-interoperable products has been created on top of a failing reactive approach to security. Usability and implementability in real business environments have long been secondary.
There is no more glaring example of this than in this article, where PKI is mentioned as being a viable solution to the email security problem. They then quizzically state, "Few organizations have made it available to their users." What island have they been hiding on?
Users have their own funny way of determining what works aside from what vendors and analysts think. Businesses will not turn their processes inside out for security. This has been demonstrated time and time again, and you would think the vendor/analyst community would be listening and adjusting...not!
If the vendors continue down the path of complexity and reactivity with the analysts in tow, and continue to make end-users a back-burner priority, they will all do so at their own peril. The only problem is that businesses and ecommerce are likely to be dragged into the mess as well.
Lance Edelman, Atlanta, GA
Dear Jim Carr: Thank you for your skillful work in informing the public about some of the emerging dangers in the realm of cyberattacks. I thought your article ["Cyberattackers take aim," Feb. 2006] did a good job of capturing the key points that I was trying to make when we spoke on the phone. This is a tricky subject to write about, and you do it well.
Scott Borg, director and chief economist, U.S. Cyber Consequences Unit
While searching for solutions for IM security on a small and/or individual basis, I came across your website (www.scmagazine.com), which presented SIMP as the only program reviewed showing IM message encryption. Further research brought me to a product by ZoneAlarm-famed ZoneLabs: IMsecure Pro, which not only provides the user with message encryption, but also offers a far more complete IM security suite. I was wondering why no review of this product was ever made. The article that led me to this product was dated 2003, so it isn't new.
Albert Silver, via email
Technology Editor Jon Tullett replies: When we reviewed SIMP [in 2004], there were already a number of products supporting IM encryption; we did not intend to imply that SIMP was the only option, but included it in the IM security group test as an interesting open source take on the problem of securing IM traffic.
Today there are many options for encrypting instant messages. Most of the commercial offerings include encryption out of the box, as do IM security gateways, which apply security policies to corporate IM.
We published a more recent group test of IM security products in September 2005 (available at www.scmagazine.com), most of which support encryption. Another group test will appear later this year.
Righting a wrong
I find the sophistication and entertaining quality of Peter Stephenson's Opinion columns to be written in an insightful manner. As an aficionado, I agreed completely with his recent premise [Feb. 2006] regarding more experienced security experts aiding and sharing best practices with newer security professionals.
I am compelled to express some discontent regarding Mr. Stephenson's use of the phrase "young Turk" as a metaphor for up-and-coming security experts, which strikes me as a bit out of bounds.
One only needs to review the history of this "nickname" to understand that "young Turks" was associated with any brash group of young usurpers; modernly, it takes on another disenchanting meaning as well.
The "young Turk" movement is synonymous with the Armenian genocide circa 1915 when 1.5 million Armenians were destroyed by this regime.
Possibly, Mr. Stephenson would note the scholarship of newer colleagues not only in infosecurity, but also world history as well.
Bill Lehrer, CISSP, via email
To hack or not to hack
When I read the "Letters" section of your magazine, I sometimes agree with what readers are saying and sometimes I mildly disagree.
After I read Simon Janes' letter ["Tsunami hacker," Feb. 2006], I was filled with rage. Simon obviously does not understand the circumstances involving Daniel's case.
I would like to see an article in SC Magazine that describes Daniel's case, the nature of the alleged crime, and the travesty that followed. After your readers find out about the witch-hunt known as the U.K. Computer Misuse Act of 1990, they should think twice before accessing a website hosted in the U.K. or trying to peek under the covers of a phishing attack.
Kevin Flanagan, CISSP, CISA, security solutions architect, RSA Security, Inc.