Plugging Holes in Security
Chris Klaus is one of those people you love to hate. While still in college, he came up with the idea for a new kind of software that would probe computer networks for security holes. The resulting product, Internet Scanner, was the first widely available vulnerability assessment tool. In 1994, Klaus founded Internet Security Systems Inc. to market what had become a wildly successful application. Seven years later, ISS is going strong, and Klaus, now chief technology officer of the Atlanta company, is preparing to push ISS deeply into the red-hot area of managed security services. Senior Writer Dennis Fisher spoke with Klaus last week about his plans for the near future and how companies sabotage their own security.
eWeek: Theres been a lot of hand wringing about the security issues with the wireless LAN protocol. Is it as bad as everyone thinks?
Klaus: Id say so. There was a very minimal amount of security thought put into the wireless LAN system. It can be implemented securely, but most people just deploy it straight out of the box and dont bother with the security. Some of our researchers went out and drove around Atlanta with some wireless LAN gear and picked up more than 80 access points and could read all of their traffic. And only four of them even had the encryption available.
eWeek: And with the boom in adoption of wireless technology, thats probably not going to get much better.
Klaus: No. Pretty soon, you wont be able to hide from wireless. The threat is changing so fast, its hard to keep up.
eWeek: Do you find that companies are becoming more security-conscious these days with all of the publicity around DoS [denial-of-service] attacks and viruses?
Klaus: Its hard to say. Most companies havent thought about security to the extent that they should. Going into some of these big companies, its pretty scary. Security is a back-burner item.
eWeek: How big of a threat do you consider things like DoS attacks and worms?
Klaus: Theyre real problems and shouldnt be underestimated. People need to work with their ISPs [Internet service providers] to develop a response plan for big events like DoS attacks. But, in a lot of cases, good, upfront network design can prevent these problems.
eWeek: Whats the most common mistake you see when youre assessing a companys security?
Klaus: They get ahead of themselves. You have to start with a penetration test, then design and deploy the system. You cant skip that first step. A lot of customers dont know enough about security to realize what the problems are.
eWeek: ISS has been moving into the managed security market lately. Is that an area that you think will continue to grow?
Klaus: Definitely. With intrusion detection, the technology is complex, and understanding what it means requires an expert, and a lot of companies dont have those. Managed security services give customers access to those experts.
eWeek: What kind of new services do you have in the works?
Klaus: Later this year, were going to combine our intrusion detection and vulnerability assessment tools into one service. A lot of attacks are against machines that arent vulnerable to that particular exploit, and its a waste of time for the security guys to respond to an alert about it and try to track it down. But unless they have the vulnerability assessment data, they wont know that until they do the research.