Dan Geer
Cutter Consortium Summit
- Summit 2001: Panelist, Information Security
- Summit 2004: Keynote Speaker, Risk Analytics
Daniel E. Geer is an entrepreneur,
author, scientist, consultant, teacher, and
architect. He ran the development arm of MIT's
Project Athena, where Kerberos, the X Window System,
and much of what we take for granted in distributed
computing was pioneered by his staff on his watch.
For 15 years he has provided high-level strategy in
all manner of digital security and on promising
areas of security research to industry leaders,
especially in engineering and finance. He is a widely
noted author in scientific journals, the lay press,
and at book length. Dr. Geer has testified before
Congress on multiple occasions and has served formal
advisory roles for the Federal Trade Commission, the
National Science Foundation, the Treasury Department,
the National Research Council, the Commonwealth of
Massachusetts, the Department of Defense, the
National Institute of Justice, and the Institute for
Information Infrastructure Protection. Dr. Geer holds
several security patents, plus an Sc.D. in
Biostatistics from Harvard and an S.B. in Electrical
Engineering from MIT. He serves both fiduciary and
nonfiduciary roles for a number of promising
startups.
SUMMIT 2004
- Why Information Security Matters
-
An interview with Dan Geer,
Senior Consultant, Cutter Consortium
-
In this interview, Dan Geer explains the importance
of information security today and how IT
organizations can help their enterprises manage it as
well as measure the efforts to manage
it.
-
Q: In the Executive Report, you address how
information security is "unique." In a nutshell, why
is it unique?
-
It is "location independence," in that it transcends
limits in both space and time. It transcends them in
space in that, on the Internet, every sociopath is
your next-door neighbor. It transcends them in time
in that the rate constants of attack in cyberspace
are, literally, orders of magnitude removed from
anything with which we are historically familiar. In
short, it is physics.
-
Q: You also address how information security
leaders come from other fields. What fields in
particular, and how can IT leaders and managers learn
from the expertise in those fields to assist
information security efforts?
-
At the present time, everyone who is a leader in
information security came at this field from
somewhere else. This will not be true in the future
when we are replaced with people who were actually
trained for it. While this formalization may improve
total fielded skill, this moment -- right now -- is
the moment of maximum hybrid vigor in this field. As
we are obviously way behind the demand curve for
information security, it is crucial that the field
borrow as much as it can from other fields so as to
make all deliberate speed. To name just a few, we
must steal everything we can from public health,
civil engineering, portfolio management, quality
control, accelerated failure time testing, and so
forth while our field includes its historic
maximum of able cross-trained practitioners.
-
Q: In your report, you cite the importance of
metrics in helping manage information security. What
factors are important for an IT organization when it
tries to measure the security of its information
systems and manage infosec efforts?
-
Besides the truism that you cannot manage what you
cannot measure, we have to move from counting bad
things to a degree of sophistication in information
security risk management that approaches the degree
of sophistication in financial risk management. This
is a research-grade topic, but the way you make
progress is to start from where you are. We are already
able to take primitive measures, e.g., vulnerability
counts, patch latency, and/or cost data on risk
reduction measures. Even acknowledging these
measures' weakness, if they are collected
methodically then they can yield trend data that is
meaningful. We are really at the point where "Do
something" is good advice.
-
Q: You also cite problems with "patch
management" practices. How is that increasingly
becoming a problem?
Patching has two principal problems: if reliability matters to you, then you don't install anything without testing, yet patching is becoming monotonically more urgent. At the same time, patches by their very existence advertise vulnerabilities, so that unpatched systems are in great and increasing danger once the patch is released, for the very fact that it was released. While one can make best efforts, it is increasingly unlikely that anyone can keep up much longer. With the increasing fraction of machines on the Internet that are effectively unmanaged (home users and pirated operating systems), patch status is net worsening while at the same time patch-to-exploit latency is decreasing.
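As an added illustration of the two answers above on metrics and patching (example code, not part of the interview or of any Cutter material), the script below takes constructed patch records for one host fleet and computes two of the primitive measures named: patch latency and patch-to-exploit latency, bucketed by quarter so that a trend is visible, plus the list of patches where an exploit appeared before the fleet finished installing. All dates, patch ids and exploit sightings are constructed sample data.

```python
from datetime import date
from statistics import median
# Constructed sample fleet records (not real vendor or exploit data). Each row:
# patch id, vendor release date, date the fleet finished installing it, and
# first date an exploit was observed in the wild (None = none seen yet).
RECORDS = [
    ("P-01", date(2003, 1, 10),  date(2003, 2, 20),  None),
    ("P-02", date(2003, 2, 4),   date(2003, 3, 6),   date(2003, 3, 30)),
    ("P-03", date(2003, 4, 8),   date(2003, 5, 3),   date(2003, 4, 26)),
    ("P-04", date(2003, 5, 13),  date(2003, 6, 2),   None),
    ("P-05", date(2003, 7, 9),   date(2003, 7, 25),  date(2003, 7, 20)),
    ("P-06", date(2003, 8, 12),  date(2003, 8, 27),  None),
    ("P-07", date(2003, 10, 14), date(2003, 10, 24), date(2003, 10, 18)),
    ("P-08", date(2003, 11, 11), date(2003, 11, 20), date(2003, 11, 15)),
]
def quarter(d):
    """Calendar quarter label used to bucket the trend series."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def patch_latency(rec):
    """Days from vendor release until the fleet was fully patched."""
    return (rec[2] - rec[1]).days

def exploit_latency(rec):
    """Days from release to first observed exploit; None if none seen."""
    return None if rec[3] is None else (rec[3] - rec[1]).days

def quarterly_medians(records, measure):
    """Median of `measure` per release quarter, oldest quarter first."""
    buckets = {}
    for rec in records:
        value = measure(rec)
        if value is not None:
            buckets.setdefault(quarter(rec[1]), []).append(value)
    return {q: median(vals) for q, vals in sorted(buckets.items())}

def exposed(records):
    """Patch ids where an exploit appeared before installation finished."""
    return [r[0] for r in records if r[3] is not None and r[3] < r[2]]

def trend(series):
    """Compare last quarter with first: 'decreasing', 'increasing' or 'flat'."""
    first, last = list(series.values())[0], list(series.values())[-1]
    return "decreasing" if last < first else "increasing" if last > first else "flat"

if __name__ == "__main__":
    for name, fn in (("patch", patch_latency), ("exploit", exploit_latency)):
        series = quarterly_medians(RECORDS, fn)
        print(f"{name} latency by quarter: {series} ({trend(series)})")
    print("patched only after exploit seen:", exposed(RECORDS))
```

On this constructed data the fleet's own patch latency falls every quarter, yet the exposed list grows, because patch-to-exploit latency falls faster; that gap, not the raw count, is the trend worth tracking.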

