'Bad guys winning' in security

With easy access to tricks and techniques that aid online crime, cybercriminals are increasingly trumping the security experts responsible for IT security, observes HP security exec.

SINGAPORE--Cybercrooks are winning the fight against efforts to keep the Internet a safe environment for enterprise IT systems, but these "parasites" can never completely corrupt their hosts, giving the "good guys" a way to reverse the situation.

Hugh Njemanze, vice president and CTO of security solutions at Hewlett-Packard, said the current security landscape is in favor of cybercriminals because of the easy access to "tricks and techniques" used to breach online IT systems such as the ones Sony suffered these past two months.

Furthermore, easy collaboration over the Internet has evolved into a maturing, "customer-centric" business model in which hacking tools purchased can be refunded if proven ineffective, Njemanze told ZDNet Asia in an interview Monday.

Additionally, the Internet was "never designed to be bullet-proof", he said, noting that security professionals can only retroactively patch holes when these occur and constantly work to improve the system.

Njemanze, formerly co-founder and CTO of security software company ArcSight, which was acquired by HP last September, added that enterprises are also less inclined to share details of security breaches, if any, with others in the industry. This reluctance makes it tougher for security vendors and professionals across industries and verticals to collaborate and combat the onslaught of cybercrime, he said.

All these factors have resulted in the "bad guys winning" the security battle today, he concluded.

However, he expressed optimism that the "good guys" will get it right and rectify the situation in time to come. He explained that cybercriminal organizations are essentially "parasites" and, however effective, will not be able to completely "eat away" at "the host", which in this case is the IT industry.

Asked where the weakest links are in today's IT systems, Njemanze replied: "Many companies are still leaving their backdoors open and windows slightly ajar." For example, he noted that IT departments are still not deploying system patches upon availability and not keeping their security up-to-date for fear of disrupting the company's system.

The HP executive also urged companies to resist the temptation of implementing costly, large-scale security projects before first monitoring their IT environment.

He explained that many companies resist changing the passwords of legacy applications architected for mainframes because they are afraid of "breaking" the software and have no COBOL developers on hand to fix it. But rather than monitoring these apps to find out whether there are breaches, IT heads leave things "to chance" and choose instead to invest money in large-scale security projects.

This is a waste of time and effort, he noted, as monitoring systems take just days or weeks to deploy, compared to the months or years needed to implement major projects.

Improving private-public collaboration
Elaborating on what the ArcSight team is currently working on, Njemanze pointed to two areas of focus: improving the speed of collating logs and analyzing data, as well as improving collaboration between private and public sector organizations.

He said organizations today are loath to share security information with each other because of the additional costs and resources needed to "sanitize" the relevant data. To address such concerns, he revealed that HP is looking to develop software that will automatically identify and match similar security breaches between two or more organizations, without requiring them to reveal all of their raw log reports. Once matches are identified, the organizations will be notified and their IT teams can use these similar experiences to collaborate and improve their defenses, he noted.

Njemanze said this technology could be available in months or years rather than decades, but declined to disclose more details.
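As an added illustration, not HP's or ArcSight's software (whose design the article does not describe), the Python sketch below shows one way two organizations can learn which attacker IPs appear in both of their logs without either side seeing the other's raw log lines: a Diffie-Hellman style private set intersection, run over constructed sample logs in a toy group.

```python
import hashlib
import re
import secrets

# Toy group: the Mersenne prime 2^127 - 1.  Correctness of the exchange needs
# only that exponentiation commutes; a real deployment would use a standard
# safe-prime group (e.g. an RFC 7919 ffdhe group) or an elliptic curve.
P = 2**127 - 1
IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample logs for two hypothetical organizations (documentation IPs).
ORG_A_LOGS = [
    "Jun 13 10:02:11 host1 sshd[412]: Failed password for root from 203.0.113.77 port 51022 ssh2",
    "Jun 13 10:02:15 host1 sshd[412]: Failed password for admin from 198.51.100.9 port 51030 ssh2",
    "Jun 13 10:04:40 host2 sshd[901]: Failed password for oracle from 203.0.113.201 port 40011 ssh2",
]
ORG_B_LOGS = [
    "Jun 13 11:15:02 web7 sshd[77]: Failed password for root from 203.0.113.77 port 33001 ssh2",
    "Jun 13 11:16:44 web7 sshd[77]: Failed password for test from 192.0.2.14 port 33002 ssh2",
    "Jun 13 11:20:09 db3 sshd[88]: Failed password for oracle from 203.0.113.201 port 33003 ssh2",
]

def indicators(log_lines):
    """Extract the source IPs of failed logins; only these leave the log, and only blinded."""
    return {m.group(1) for m in map(IP_RE.search, log_lines) if m}

def hash_to_group(item):
    """Map an indicator to a group element; squaring lands it in the quadratic-residue subgroup."""
    h = int.from_bytes(hashlib.sha256(item.encode()).digest(), "big") % (P - 3) + 2
    return pow(h, 2, P)

class Org:
    """One participant: raw logs and a secret exponent that never leave the organization."""
    def __init__(self, log_lines):
        self.items = sorted(indicators(log_lines))
        self.key = secrets.randbelow(P - 3) + 2          # secret blinding exponent
    def blind_own(self):
        # First message: own indicators blinded with own key; the peer cannot unblind them.
        return [pow(hash_to_group(x), self.key, P) for x in self.items]
    def blind_peer(self, blinded):
        # Second message: re-blind the peer's values with own key, keeping their
        # order so the peer can map the results back to its own indicators.
        return [pow(v, self.key, P) for v in blinded]

def shared_indicators(a, b):
    """Run the exchange from A's side: A learns the overlap, nothing else about B's logs."""
    a_double = b.blind_peer(a.blind_own())              # A -> B -> A: H(x)^(ka*kb) per A item
    b_double = set(a.blind_peer(b.blind_own()))         # B -> A, then A blinds: H(y)^(kb*ka)
    return sorted(x for x, v in zip(a.items, a_double) if v in b_double)
```

Each side sees only blinded values and the final overlap; the addresses that appear in just one organization's logs stay hidden from the other.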