Anticipating Threats Ineffective in Enhancing Security

By Ellyne Phneah
ZDNet
November 19, 2012

SINGAPORE--Companies looking to predict cyberthreats to fend off attacks will not improve their IT systems' security robustness as the criminals responsible will evolve and develop their technologies accordingly.

Speaking at a seminar here Monday, Bruce Schneier, chief security technology officer at BT, said technology has affected the balance of society and social mechanisms such as law and punishment, which help keep people in check so they will not commit crimes, online or otherwise.

For instance, the Internet has given rise to anonymity and made it easier for cybercriminals to perpetrate their attacks without getting caught, Schneier observed.

In response to these online threats, IT security professionals and law enforcement agents often try to predict what kind of cyberattack will hit them to better prepare their network security is robust and catch the online intruders, the executive added.

The two related developments has resulted in a "large gap" in IT security, given that the company's efforts to predict an online attack will only spur cybercriminals to adapt and come up with new strategies to breach its system, he explained.

"The more you try to squash [cybercriminals], the more they [will] evolve. Every complex ecosystem allows new actors, whether on the good side or bad side, to displace old ones," Schneier said.

London Olympics infrastructure "caught offguard"
Schneier's view was reinforced by Phil Packman, general manager of BT's security advocacy and operations engineering, who related the company's experience in maintaining the Web site and infrastructure security for the London 2012 Olympics. BT was the official communications services partner for the event.

According to Packman, BT had expected very complex cyberattacks on both its Web site and IT infrastructure. As such, the security tools used and the security team had been programmed to tackle these difficult threats.

In reality, though, the team suffered numerous "simple but stealthy" attacks and they were unprepared to deal with such "trivial" threats. Some examples include a 2 megabyte (MB) distributed denial-of-service (DDoS) and hacktivist campaigns on Facebook by teenages using low-level technologies, he recounted.

The network security for the Olympics had also been determined two years before the actual event took place in 2012 and any changes to the system had to go through multiple layers of regulatory and government approvals. By comparison, cybercriminals had a lot more room and freedom to develop new technologies and tools to find a way round the security measures, Schneier explained.

Packman suggested that to keep up with the pace cybercriminals are refreshing their attack methods and knowledge, companies need to share threat intelligence so they can keep up and close the gap.

In a world where tech innovations take place at a fast pace, organizations should be adaptable and respond quickly when a new threat hits the systems, Schneier added.

earlier story: One Man's Crusade to End the Hysteria over Cyberwar
later story: Reacting May Be Best IT Security Solution
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..