C3 Show Sees Search for Simple Security

Reporter's Notebook: The C3 Expo offers products, services and seminars galore addressing the increasingly vast area of computer security. But what do IT managers and business users need most?

Chasing down viruses and building better spam filters are worthwhile pursuits. But computer security vendors can also make a mark for themselves by figuring out ways of taking more of the hands-on security burden off of customers' shoulders, according to attendees at this week's C3 Expo in New York City.

To be clear, C3 Expo (Corporate and Channel Computing Expo), a trade show that made its debut at the end of June, is not a security conference. The first-year crowd at Manhattan's Javits Center consisted mainly of IT managers, VARs and business users, as opposed to security professionals.

Yet security was a topic that just about everyone seemed to be thinking and talking about, regardless.

Here's one type of comment heard often at the show: Computer security is a complex discipline, and one which is changing so fast that it's hard for many IT administrators to keep up to speed, let alone consumers and office users.

David Hooley, a corporate buyer for ACI Systems Inc., got down to brass tacks.

"What's the main security problem today? It's end users who don't know enough about security. For instance, they'll give away their passwords to just about anybody who wants to know," he said.

Lenny and Mary Ginsburg, both past presidents of the NYPC users group, didn't mince their words, either. According to the Ginsburgs, many new PC users come into their group not even knowing what anti-virus software is supposed to do. Nor are newbie members aware of the role of the personal firewall.

"They say, 'Firewall? I have a brick wall in my living room. So what do I need with a firewall?'" said Lenny Ginsburg, a retired CPA who now does computer consulting for accounting firms and other small businesses.

When asked their opinions, attendees came up with a variety of suggestions for dealing with change and complexity in computer security, including "all-in-one" security solutions, hardware and software with built-in automated security features, and more and better computer training.

As for the vendors at C3 Expo, some said they've already picked up on the opportunities inherent in the all-in-one approach. For IT administrators, Network Box Corp. conducted the North American rollout of a product and managed services offering already being sold in Europe and the Asia-Pacific region.

The offering is designed for periphery security—the sort of security administrators perform in an effort to keep hacker exploits from entering corporate networks, said Scott Rosen, president of Network Box in North America, in an interview with Ziff Davis Internet News on the show floor.

Capabilities include firewall, VPN, and anti-spam and anti-viral protection; content filtering; and intrusion detection and prevention. Customers range from small and midsize businesses to Fortune 500 organizations, according to Rosen.

In a similar spirit of unified security, but with consumers in mind, Panda Software showed its TruPrevent Personal 2005 suite at C3's ShowStoppers press event. Like Panda's TruPrevent Corporate 2005 suite for IT organizations, the suite for home users includes Panda's TruPrevent, a "proactive" intrusion prevention technology, said Patrick Hinojosa, Panda's general manager.

Consumers, in particular, need help with security, Hinojosa said, quoting industry research indicating that more than 40 percent of home users don't even use anti-virus software.

For IT managers, the challenges are different. After all, computer security is generally part of their jobs. But they're up against a lot of change and complexity, too, as anyone could see by looking at the list of seminars offered at C3 in the Security Track alone.

Crypto 101. Computer Forensic Primer. The NSA InfoSec Assessment Methodology. How to Measure & Benchmark Your Business Continuity and Disaster Recovery Programs. Exploring J2EE (Application) Security. Smart Cards and Strong Authentication. Computer Security and Privacy Regulations. The list went on.

Moreover, a track called Mobile High-Speed Data for the Enterprise contained a couple of security-oriented sessions, too. So did a track on Regulatory Compliance. Yikes.

During one conference session, IT administrators peppered moderator Sondra J. Schneider—founder and CEO of Security University—with questions about downloadable software upgrades, and managing passwords and patches.

In response to a question about Bluetooth security, a panelist cited the Schmoo user group's Web site, which he described as containing a download of Bluetooth sniffing software along the lines of the NetStumbler software of Wi-Fi wireless.

At the end of the class, Schneider demonstrated a product from Grid Data Systems that she said converts user passwords into software algorithms unique to each session.

Some vendors at C3 pursued market sweet spots by introducing products targeted at specific subcategories of security technology.

For example, CRU-DataPort of CRU Acquisitions Group LLC unveiled a removable drive enclosure called the DataPort 10, for taking information completely offline, plus a new hardware-based encryption device known as DataPort EnDrive.

Also inside the exhibit hall, Strike Force Technologies Inc. displayed its identity management suite. The newest module in the suite, GuardedID, protects against keylogging attempts, said George Waller, executive vice president of Strike Force.

In another meeting at ShowStoppers, DataVelocity played up the security features built into its Erudition risk reduction suite.

Officials on hand at the booth said the suite is particularly good at dealing with internal security threats, a market opportunity they view as still relatively untapped.

Threat reduction capabilities in Erudition include activity logging and automatic detection of application failures, Ziff Davis Internet News was told. And the suite also automates routine help desk requests for account creation and back-up operations, for instance.

Also at ShowStoppers, company reps for Citrix Systems Inc. pointed out that the latest edition of their GoToMeeting conferencing software contains pop-up blocking software, also for security's sake.

Mary Ginsburg, a journalist in the health care field who also freelances as a computer trainer, said she thinks it's a good idea for ISVs to build security features into their application software, "as long as these features don't conflict with something else."

Yet by and large, the Ginsburgs said, they would like to see even greater simplification for end users. And they're not alone.

Lenny Ginsburg wondered aloud whether PC makers might be willing and able to embed security features, updatable through firmware upgrades, directly into computer chips. When Mary Ginsburg pointed out that PC manufacturers "face a lot of pressure to get products out at the right price," Lenny Ginsburg suggested that maybe an all-in-one security hardware add-on device, created specifically for end users, might do the job.

To be sure, the concepts of an all-in-one security model, automated security features and end user training aren't new. But computer security problems are on the rise, and industry recognition of their importance appears to be widening, even to vendors outside of the security industry.
