In part two of a two-part interview, Marcus Ranum, the CSO of Tenable Network Security, discusses:
See part one of this interview for insights on today's biggest security threats to businesses and consumers.
Ranum, since the late 1980s, has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. Welcome to part two of my exclusive interview with Marcus Ranum, CSO of Tenable Network Security. In this part we talk about specific threats to banking institutions, healthcare organizations and government agencies. Let's return now to my conversation with Marcus Ranum.
On another topic entirely, one of the biggest stories this year in financial services has been the ACH fraud and the legal issues that have come up because of it. We have got businesses and banks that have squared off over the question of "reasonable security." In your opinion, who has got the greater responsibility here, is it the business or the bank?
MARCUS RANUM: This is a huge problem, and this is something that I first started talking about how this was going to play itself out as soon as people started talking about electronic commerce. The issue really is that the endpoints that people are using are just simply not good enough. It's 2010, and we still have operating systems that get infected with malware and keystroke loggers and stuff like that. As long as you have got endpoints that are so easily compromised, then you are going to have this problem. It doesn't really matter whose fault it is, you are going to have this problem because the endpoint has to be a reliable terminal, and it's not.
So my guess at what is going to happen with this is that the banks and the merchants are going to argue back and forth, and in the cases where the banks are able to use their superior financial leverage, the merchants will just get an updated terms of service -- "Here you go, and by the way, if you have a problem keeping your password secure, then too bad." In situations where the merchants are able to drive enough business, then they will be able to put some controls in there.
Of course, the obvious answer to all of this stuff has always been to use some kind of two-factor authentication, and it has been offered over and over again on the commercial side, and on the consumer side with things like the PIN Pad cards that were available for Ebay and for some of the online stock trading companies. And the consumers just haven't taken it up because, "oh gosh, it's oh so inconvenient."
Well, I think what is going to wind up happening is that people are going to realize that waking up one morning and finding that their bank balance is $200,000 or $300,000 smaller is "oh so much more inconvenient."
That balance is going to start to swing back a little bit the other way. I was involved in a case last year where I talked to a gentleman who had his stock account accessed as part of a pump and dump scheme, and as it all turned out he had gone with the low cost provider because he didn't like the trading costs of the larger providers that indemnify the user against that kind of thing. Basically, he cost himself a couple hundred thousand dollars in order to save $9.95.
FIELD: Unfortunately that's happening more often than we can even keep track of.
RANUM: It's a huge problem, and I think what happens with these kinds of things is that once they become a big enough drag on the economy, then they become something that people are aware of, and then people will be a little bit cooler about it.